@tuxcrafting i just think recommending unencrypted cloud storage on a privacy-focused site is a terrible idea + nextcloud is a buggy piece of shit
@animeirl @tuxcrafting but security and privacy are two different concepts.
@animeirl @tuxcrafting I would argue that unencrypted data I have on an inaccessible storage unit is private.
@animeirl @tuxcrafting now I have to ask - what part of nextcloud is "unencrypted" in a way that makes a practical difference to privacy?
@xiao @tuxcrafting all your data is stored either unencrypted or encrypted with a server-side key meaning anyone with access to the server can view all your data (vps provider, people in your house if it's a local machine, hackers who gain access to the system in any other way)
@animeirl @tuxcrafting for which hosting project is this not the case? And how do you propose nextcloud to solve the problem?
@xiao @tuxcrafting end to end (client-side) encryption. data is encrypted and decrypted on the local device and only ever stored in the cloud encrypted. encryption keys are only ever stored locally as well (derived from the user's password). The other cloud provider listed on privacytools, S4, makes use of this as well as several other cloud storage providers such as mega, keybase, sync.com and others.
@xiao @tuxcrafting nextcloud actually claims to have end to end encryption on their website: https://nextcloud.com/endtoend/ but this is "aspirational" (aka a lie). There's an alpha e2e module but it doesn't work and has been abandoned for around a year and hasn't supported the last 2-3 major versions of nextcloud.
@xiao @tuxcrafting this brings up another reason not to like nextcloud: the devs are liars. I would not trust anything made by people who lie so blatantly to be secure or private.
@animeirl @tuxcrafting they do state that it is only in the "testing phase", so I don't think it's fair to say that they promise the feature. It is unfortunate marketing speech that can mislead people, and that is generally unacceptable, but not something that breaks trust in the technology amongst tech people, I think.
@animeirl @tuxcrafting that is unfortunately at odds with regulations in many countries where you as a company have to take ownership over the data you host (remember that a big part of nextcloud's users are companies). In that sense I agree that the users of the deployed system don't have a proper expectation of privacy, but the users (companies) of the product (nextcloud) can have their privacy. I don't see any solution to this though.
@xiao @tuxcrafting What countries are you referring to? There are numerous cloud hosting providers around the world that offer end to end encryption. privacytools.io is based in france where e2e encryption is definitely legal. There are only a handful of authoritarian dictatorships that ban e2e encryption.
@animeirl @tuxcrafting if you base your company on nextcloud in the EU, then you have to be sure that your coworkers don't store customer information in violation of GDPR - just as a quick example.
@xiao @tuxcrafting The company account would have access to the encryption keys. The cloud provider wouldn't. mega and sync, and s4 are all gdpr compliant
@animeirl @tuxcrafting then I am not aware of what encryption scheme they are using :)
@xiao @tuxcrafting i would argue that that is only ever arguably the case if said storage is not connected to the internet