Some notes on replacing Dropbox

Dropbox has slowly but surely established itself as the go-to tool for a lot of file sharing and syncing, as well as for coordinating apps across devices.
At the same time I always tried to do as little as possible with Dropbox (although I am a paying customer), but I never seriously looked for an alternative until the past few days.

There are several reasons to stay away from Dropbox:

  • They have a rather unimpressive security record
  • There is no encryption other than for the connection, meaning anyone with access to their servers can read your files
  • They fall under US legislation including e.g. the Patriot Act, which is very likely used for economic purposes as well
  • I’d rather use a European service that adheres to European data protection regulations, and preferably to more stringent national ones where they exist.

I’ve taken a look at several possible alternatives:

  • CloudMe in Sweden, whose online presence left me unimpressed, especially the connection to CloudTop, their spin-off desktop client
  • Strato HiDrive in Germany. Does not offer offline sync
  • Wuala in Switzerland, encrypted, but falls under the Patriot Act
  • JottaCloud in Norway, not encrypted
  • SpiderOak in the US, fully encrypted
  • OwnCloud, OSS to run your own server

All have their own drawbacks, so it is a decision on how to balance loss of ease with increased security. SpiderOak is in the US and otherwise similar to Wuala, so that one is out in comparison to Wuala. Strato HiDrive does not provide meaningful syncing services, so after a quick test run of their paid-for services I cancelled that again. Their company and data centers are in Germany, which has strict data protection laws, which counts in their favor.

JottaCloud looks interesting in terms of features, although it seems to fall short in e.g. working with teams. With the company and data center in Norway they are under a favorable legal data protection regime, but encryption is missing.

Wuala, incorporated in Switzerland, is owned by LaCie (incorporated in France), which in turn is owned by Seagate (incorporated in Ireland). Their data centers are geo-redundant and in France, Switzerland and Germany. Although that looks good on paper, Seagate HQ is in the US, placing Seagate under the Patriot Act, and thus Wuala ultimately too. Wuala for the desktop requires Java, which is a bad thing. Their encryption and syncing however are a plus, as is the ability to work in teams.

OwnCloud is an open source solution you run on your own server. On the plus side this gives you full control, including checking the source code. It does mean maintaining your own server, which is not for everybody, or alternatively renting a server elsewhere. The latter basically only pushes the selection question down from choosing a syncing service to choosing your server infrastructure (although it may be easier to find a well-protected server than a syncing service).

For now I have started using Wuala, as it is at least two steps up from Dropbox because of its encryption and their data centers in Switzerland, Germany and France. Their service is not ‘Patriot Act proof’ (and they know it, judging by their consistently vague and indirect answers in support fora), but the encryption helps address that. Of course there is no real way to check their encryption either.

The purpose here is not to have a perfect solution, but one that is better than Dropbox on a few aspects, while not losing a lot in terms of ease of use. Next to Wuala, I will keep a Dropbox account for some app integration and to receive files from others that use it. I just don’t want to use it (and never have) for parts of my own business files.

14 thoughts on “Some notes on replacing Dropbox”

    1. Peter Rukavina

      I have been migrating my “cloud” from Google and Dropbox into Owncloud running on a Raspberry Pi sitting on the desk beside me as I type this. It’s not a “plug and play” solution to get Owncloud running – I outlined the process I went through in this blog post, and to make it web-accessible from a connection with a dynamic IP requires using a dynamic DNS provider like No-IP, but I have found it quite capable in service:

      1. I have replaced Google Calendar as the sync service for my personal calendar: Owncloud supports Caldav, and so do my iPad, my Mac, my Android mobile and my Firefox OS mobile. The only thing missing is Reminder-sync support, but otherwise it performs as you would expect: I add an event to my Calendar app on my Mac and it automatically shows up everywhere else (and vice-versa).

      2. I have replaced Google Contacts as the sync service for my personal contacts: Owncloud supports Carddav, and, as with Caldav, so do my iPad, my Mac and my Android phone (Firefox OS is missing Carddav support right now). Again, it “just works” and it’s done a solid job of keeping my contacts in sync for several months now.

      3. I have begun to replace Dropbox with Owncloud’s file sharing for my personal files. I don’t want to serve files to the public from the (relatively underpowered) Raspberry Pi, so I don’t use this for sharing with anyone else, so it’s not a complete replacement. But for my personal device-to-device sharing it’s working well. There is an Owncloud app for both iOS and Android, and both support auto-upload of photos taken with the device camera to the Owncloud server. And the Owncloud app for the Mac has Dropbox-like functionality: a local folder automatically mirrored as its contents (and the server’s and the devices’) contents change.

      Of course the “maintaining your own server which is not for everybody” issue is still there, and I remain responsible for the security and access to my Owncloud (a plus for many, including me; a downside for others). But the added responsibility is, net-net, a good thing because it makes me more aware of where my data is, and what’s protecting it.

      I still have the “app integration” issue that you face, and so I still maintain a Dropbox account, but I’m happy to have separated myself from parts of it, and almost completely from Google’s sync services.

      1. Ton Zijlstra Post author

        Hi Peter,
        Thanks for your comment! I hadn’t thought of using a Raspberry Pi yet. Probably as I am implicitly also looking for off-site solutions (adding an additional redundancy on top of our NAS back-ups and Time Machines at home), but also because I am also looking to replace Dropbox for the way I use it with two teams for business. I will try my hand at using OwnCloud on a Raspberry Pi though, that sounds like a worthwhile effort.

    2. Anu

      Ton, you should also look at Hubic (https://hubic.com/). They’re an offshoot of OVH, based in France, and explicitly state that they don’t fall under the Patriot Act. Also, the pricing is fairly amazing (€10 a month for 10 TB)

      1. Ton Zijlstra Post author

        Hi Anu,
        Thanks! Hubic looks useful. No file encryption it seems, though perhaps BoxCryptor will add them to their list of supported providers soon.

    3. Erik Jonker

      I think Google Drive is the best cloud service with all the mentioned drawbacks with regard to Patriot Act etc. For anything with higher security/privacy I use my private cloud with cloudstation on my Synology NAS.
      I think it’s important to keep focus on the whole chain of privacy/security. The Patriot Act is only part of a long string of elements that determine how secure your cloud is functioning. I have no illusions with regard to cloud services under European law. The European security services are very silent during all NSA scandals and with reason. They probably do the same things.

      1. Ton Zijlstra Post author

        Yes, Erik, you’re absolutely right. Like I said I am not aiming for perfect. Security is highly contextual, and it comes in layers. Located in EU is better than located in the US (where as a non-US citizen I don’t have any legal rights to claim to begin with, nor fall under their constitution), encrypted better than not, fully under my control better than not, using multiple tools is better than using just one for everything. And all that weighed against ease of use, workflow compatibility, and being able to interact with the world.

    4. Tom Verhoeve

      I’ve been using copy.com lately (https://www.copy.com/about/privacy/). It’s from Barracuda, a service/firm with a track record. Have you investigated that one as well? I find it very useful as a user, but haven’t yet really investigated it on its security and privacy aspects. I ‘just’ trust the name so far. There isn’t any specific information shared yet of course.

      1. Ton Zijlstra Post author

        Hi Tom. No, had not looked at copy.com. A quick scan tells me they are located in the USA. They also treat various things as non-personal information:
        “employer, occupation, language, zip code, area code, unique device identifier, Internet Protocol (IP) addresses, browser and Device type, mobile network provider/carrier, websites visited before and after ours, search terms used, location, the time zone where Copy is used. Unless otherwise specified by local law, we consider Internet Protocol (IP) addresses or similar identifiers as Non-Personal Information.”

        Some of that, such as IP address, would fall under personal information in the EU.

    5. ole

      Since last year, I am a happy customer of OwnCube (http://www.owncube.com), an Austrian start-up which offers an OwnCloud-based solution. You are able to choose from a lot of different server locations (Germany, Switzerland, Iceland, USA, Hongkong…), they are relatively inexpensive and have a super-fast support team. One main focus of the company seems to be security and privacy. Besides the cloud solution, they offer VPN, XMPP accounts, Iceland-based e-mail-accounts, an HDD send-in service and so on.

      For me, OwnCube was an alternative to looking for myself for a server infrastructure / data center, installing OwnCloud etc. And besides some OwnCloud-related issues, it was a good decision…

      1. Ton Zijlstra Post author

        Hi Ole, thanks for pointing me to OwnCube. That is certainly a very interesting offering, with choosing your own data center. Very well priced too. It uses owncloud so it is server side encryption (whereas Wuala does it client side). I will be certain to test it out. It is run by a single person registered as a natural person business.

      1. Ton Zijlstra Post author

        Hi Harold, yes I saw that too. But remember, you want syncing across devices, not just from your MacBook to the cloud drive. Also that needs to be easy and seamless, not having to create your own code. I have a new post in draft on the solution I am now trying out which does fit all my use cases.
