Archive for category Technology

Bitcasa Review: Version 1.1.0.0

I have been looking for a cloud storage, backup, and syncing solution for some time.

This post reviews Bitcasa 1.1.0.0; hopefully future versions will fix some of these bugs.

I heard about Bitcasa’s much-hyped “infinite storage,” and decided to give it a chance. Here’s the high-level takeaway:

  • I do not yet regret paying Bitcasa $100: The value proposition of paying $100 per year to meet my ever increasing storage needs is compelling.
  • I really like that Bitcasa encrypts my data; for real.
  • I plan to use Bitcasa for video and image storage and backup. I’ll use Dropbox for syncing, sharing, and collaboration.
  • Bitcasa 1.1.0.0 is a step beyond beta. It lacks the intuitive feature set and interface of Dropbox.
  • There is no “off” switch.
  • Bitcasa is not Enterprise-ready.
  • “Mirroring” is buggy.
  • Bitcasa 1.1.0.0 is a memory hog, and will cause significant system degradation while uploading.
  • Once it’s on Bitcasa’s (Amazon) cloud, don’t ever count on being able to delete it.
  • I’m going to stick with Bitcasa for a while. I think it’s got a lot of potential.

Paying for the same hard drive every year doesn’t make sense

First, let me tell you why I find Bitcasa’s model so appealing. Once I purchase a hard drive, I shouldn’t have to buy it again next year. That’s why I’m an avid user of the free version of Dropbox. I’ve got somewhere around 11.5GB of free space, which I use to back up, sync, and share. But the idea of paying for the same storage again and again just doesn’t appeal to me. Yes, I know that I’m also paying for near universal access to my files, but that value proposition just doesn’t hold water for me.

I’ve found that 99% of the files I need to access and share on a regular basis are office documents—Word, Excel, PowerPoint, etc. These files tend to be relatively small, and I can easily fit them within my 11.5GB Dropbox allotment. But the remaining 1% of my files take up terabytes of hard drive space. I want a safe backup for family photos and videos, even though I’m not going to access them on a daily basis. Even if I theoretically purchased “unlimited” space from Dropbox, I would still be limited to the size of my local hard drive, since Dropbox only syncs local drives and does not provide additional cloud storage.

Consequently, I’m not willing to pay a recurring fee for static storage every year. But I am willing to pay for ever-increasing storage needs every year, especially if I can free up local hard drive space for other needs. So the idea of paying $100 per year for unlimited storage makes sense to me.

Although I understand how Bitcasa offers “infinite” storage, I don’t quite understand how Bitcasa’s business model intends to deal with enterprise clients who will want to store Petabytes per month, assuming they have the bandwidth.

They’ve got the right idea about privacy

From my understanding, Bitcasa encrypts your files using a hash of the file itself as a key (please correct me if I’m way off base). This means that Bitcasa doesn’t actually know the contents of your files, but can still know if your file matches a file that has already been uploaded. This way, instead of storing 5,000 copies of Bieber’s latest hit, they can save space by storing just one and linking it to 5,000 accounts. In contrast to Dropbox, Bitcasa doesn’t know that it’s a Bieber MP3; they just know it’s the same file. I appreciate that.

This means that I’m much more likely to store sensitive documents on Bitcasa, although I still have to worry about securing my Bitcasa username and password.

From a privacy perspective, Bitcasa has the right idea, though I think their privacy representations are a little over-the-top:

“To be clear, aside from the rare exceptions we identify in our Privacy Policy, no matter how the Services change, we won’t share your content with others, including law enforcement, for any purpose unless you direct us to.”

(Bitcasa Legal Policy, emphasis added). Presumably Bitcasa won’t share your content with law enforcement because it can’t share it with law enforcement.

That’s actually a slight exaggeration. For example, let’s say that two parties are in a dispute. Party A says that Party B stole Document C and stored it on Bitcasa’s cloud. A court could certainly order Party A to give Document C to Bitcasa, which Bitcasa would upload, and its systems would instantly know how many other copies of Document C exist on the server, who owns it, when it was uploaded, etc. That information would then be open to discovery.

While I don’t really have a problem with that sort of particularized discovery, I could easily imagine Bitcasa having to build tools to allow parties like the RIAA to upload MP3s to see who has a copy, if ordered by a court. I think Bitcasa is on the right track with privacy and security; I just think that some of their promises are a little over-the-top.
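An added illustration (not Bitcasa's code, and not from the original post) of the hash-as-key scheme described above: identical files produce identical ciphertext, which lets a provider deduplicate without reading content, and also lets anyone who already holds a file look up which accounts stored it. It goes slightly beyond the text by showing that mixing in a per-user secret removes both properties. The SHA-256 keystream stands in for a real cipher such as AES, and every name and sample byte string here is constructed.

```python
import hashlib
import hmac
from collections import defaultdict


def derive_key(plaintext: bytes, user_secret: bytes = b"") -> bytes:
    """Key = SHA-256(file); with a per-user secret, key = HMAC(secret, file)."""
    if user_secret:
        return hmac.new(user_secret, plaintext, hashlib.sha256).digest()
    return hashlib.sha256(plaintext).digest()


def _keystream(key: bytes, length: int) -> bytes:
    # SHA-256 in counter mode: a stdlib-only stand-in for a real cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def convergent_encrypt(plaintext: bytes, user_secret: bytes = b""):
    """Return (key, ciphertext). The key stays with the client."""
    key = derive_key(plaintext, user_secret)
    return key, _xor(plaintext, key)


def convergent_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return _xor(ciphertext, key)


class DedupStore:
    """Provider side (hypothetical): sees only ciphertext, indexed by its hash."""

    def __init__(self):
        self.blobs = {}                 # block id -> ciphertext, stored once
        self.owners = defaultdict(set)  # block id -> accounts linked to it

    def upload(self, account: str, ciphertext: bytes) -> str:
        block_id = hashlib.sha256(ciphertext).hexdigest()
        self.blobs.setdefault(block_id, ciphertext)
        self.owners[block_id].add(account)
        return block_id

    def who_has(self, plaintext: bytes) -> set:
        """Given a known file, list accounts holding it (the discovery case)."""
        _, ciphertext = convergent_encrypt(plaintext)
        block_id = hashlib.sha256(ciphertext).hexdigest()
        return set(self.owners.get(block_id, set()))


def demo() -> dict:
    store = DedupStore()
    song = b"constructed sample: bytes of a popular MP3"
    diary = b"constructed sample: a file only alice has"
    key_a, ct_a = convergent_encrypt(song)
    _, ct_b = convergent_encrypt(song)
    store.upload("alice", ct_a)
    store.upload("bob", ct_b)
    store.upload("alice", convergent_encrypt(diary)[1])
    # carol mixes in a secret the provider never sees, so her copy is unlinkable
    _, ct_c = convergent_encrypt(song, user_secret=b"constructed-carol-secret")
    store.upload("carol", ct_c)
    return {
        "same_ciphertext": ct_a == ct_b,
        "blobs_stored": len(store.blobs),
        "holders_of_song": store.who_has(song),
        "holders_of_unknown": store.who_has(b"never uploaded"),
        "round_trip": convergent_decrypt(key_a, ct_a) == song,
    }


if __name__ == "__main__":
    print(demo())
```

The trade-off is visible in `blobs_stored`: carol's keyed copy cannot be deduplicated against alice's and bob's, which is the storage saving the provider gives up in exchange for unlinkability.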

Update below: Dom points out that blind encryption may be a fabrication, since Bitcasa can create low-res previews of files; this can’t be done without access to the original file.

“Mirroring” is not like Dropbox

“Mirroring” is when you designate a folder to be synced on Bitcasa. I thought it would work like Dropbox, but I was wrong.

All Folders in My Documents are mirrored... and I can't unmirror them

When I installed Bitcasa, the setup asked whether I wanted to mirror my hard drive or key folders, like My Documents. I checked “yes,” and finished the installation. Very quickly I had second thoughts and decided to cancel the mirroring.

I unmirrored My Documents, then deleted the “Mirrored Documents” file, but somehow Bitcasa re-mirrored it and started uploading without my knowledge. I unmirrored again. Ironically, even though Bitcasa re-mirrored My Documents and uploaded it, the folder didn’t appear in my Infinite Drive.

Bitcasa helpfully stores daily versions of files; but won't let you delete them.

Try as I might, I could not un-mirror the folders. On occasion Bitcasa would indicate that a folder was un-mirrored, only to re-mirror it moments later. I panicked, and deleted the “Mirrored” folder on my Infinite Drive, and expected the uploading to stop, but uploading continued at 5Mbps (my max FiOS upload speed at the time), for 10 more hours. I could not stop it. There was no “off” switch.

Even though I had unmirrored my files, the icons continued to be marked “Mirrored,” but if they were mirroring, I could not see where they were mirroring to, because there was no “Mirrored Files” folder on my Infinite Drive. And in the online interface, the “Delete” option was grayed out. For several hours I felt like I had lost control of my computer, and that Bitcasa was sucking it to the cloud, and there was nothing I could do about it. For the record, I attribute this to an immature product UI and feature set, rather than any malicious intent.

If you want to unmirror a subfolder, you're out of luck.

I hopped on Twitter and engaged with @BitcasaSupport. Here is a synopsis of that conversation:

Me: How do I stop Bitcasa from mirroring my entire drive? Where’s the off switch? Should I just uninstall and reinstall?
BitcasaSupport: Sorry for the confusion – you can only unmirror via the desktop app, which you can download here: http://bit.ly/YGcr3C. When you right click on the folders mirrored, select Stop Mirroring to Bitcasa from the Bitcasa contextual menu.
Me: That’s what I tried- “stop mirroring” is grayed out everywhere. I chose “Mirror whole computer” on install. But I don’t know all of the local locations that Bitcasa is mirroring. It’s quite frustrating.
I mirrored my computer, then unmirrored it, but @Bitcasa continues to suck 5Mbps from my computer for 10 hrs. Very concerned. Why does @Bitcasa continue to suck up 5Mbps of my files without my consent? Can I stop it?
I had to kill the process to stop it from uploading. I have no idea what it’s been uploading for the past several hours. Is there any record of what has been uploaded, and how long @Bitcasa keeps it?
I am able to see old versions of my files, but the Delete button is grayed out. That is a problem because there are uploaded files that I never intended to upload. Is there a way to get rid of those files?

Support then opened a ticket for me, and addressed some of my concerns. In short:

  • I had to completely uninstall Bitcasa, manually deleting folders. Fortunately I did not have to edit the registry.
  • There is no “off” switch. Bitcasa chooses when and whether to upload.
  • You cannot unmirror sub-folders. You must unmirror the top folder… if you can remember which one is the “top folder.”
  • I still have no idea what Bitcasa was uploading for 10 hours after I had told it to stop mirroring everything. And I won’t ever have a way of knowing for sure.
  • There is currently no way to delete old versions of documents, even if you didn’t want them online in the first place.

Bitcasa is a Resource Hog

Bitcasa will take over your machine while uploading.

I think this image says it all. Bitcasa significantly degrades performance when it’s uploading. To give you an idea of how much it affects performance, I am writing this article in Notepad right now, because my browsers and word processors are too painfully slow.

When I asked support about this issue, they replied that a recent instability fix created the memory problems. “We’re currently working to improving the memory usage of the application without hindering upload stability, and anticipate that improvements will be made very soon.”

You need a fat pipe to upload all of your junk

I mentioned earlier that I have a 15Mbps down/ 5Mbps upload internet connection. I learned that it takes a long time to upload several terabytes of data at 5Mbps. I upgraded to 50Mbps down/ 25Mbps up so that I won’t have to wait a month to upload (never mind that my pipe is testing at 25 down/ 21 up–curse you, Verizon!). I thought this was worth mentioning because the cost of an Infinite Drive may well exceed $100 per year, if you include the cost of additional bandwidth.

Even with 21Mbps available, Bitcasa rarely uses that much. Occasionally uploads have spiked at 21Mbps, but as I type, my upload speeds are averaging 3Mbps. The last day or two, they’ve averaged 6Mbps. Not surprisingly, Bitcasa support is quick to point out the many factors that affect upload speed… none of which are them. While I have no problem blaming Verizon for many of my problems, I have a hard time believing that my ISP is solely responsible for an 85-90% degradation in my upload speeds. Sorry, Bitcasa, I still think you’re the choke point.

Still Hopeful

Notwithstanding the mild drama, I’m still hopeful that Bitcasa will pull through. As I mentioned earlier, I think they’ve got the value proposition right, and I think they’re on the right track for privacy and security. They can have my $100.

Update: More to Worry About

Since I originally posted, helpful commenters Dom and Craig (below) make a couple of sobering points that significantly undermine my confidence in Bitcasa:

  • Blind encryption may be a lie: Bitcasa publishes previews of files and videos. This cannot be done without access to the original file.
  • Security by URL Obscurity: There is no way to password-protect or time-limit file links, or even know when someone downloaded a file through one.
  • No list of shared URLs: You’d better remember which files you shared via link, because Bitcasa sure ain’t going to tell you!
  • Shared URLs are indexed: Even though the robots.txt requests no indexing, many search engines ignore the request, or liberally interpret the request. Bottom line: links may be searchable, so beware before you share.
  • Rookie Security Errors: Full error reporting is currently turned on by default, meaning that errors expose Django configs, MySQL DBs and password, Apache configs, usernames, etc. They fixed this error within 10 minutes of notification via Twitter. But their MySQL DB username and password may still be in the wild.

Very unimpressed. Bitcasa, get your act together.

PHP Code to Select an Option After a Form Post

I have a couple of PHP pages with $_POST[] forms which I validate (using PHP). If the form fails validation (e.g., the user fails to enter an email address), then the user is brought back to the same page, where he is asked to re-submit the missing or incorrect information. The form also has radio buttons and drop-down forms, and I don’t want to make the user re-select those radio buttons or drop-down entries. So this is my solution:

Privacy Commons for Government

Note: This article originally appeared on The Security Catalyst Blog

“Unconferences” (hat tip to identitywoman) are great opportunities to network, gather and share information. They attract bleeding-edge leaders on emerging problems and technologies. My most recent unconference was Congress Camp 2009, organized by the Open Forum Foundation. The gathering focused (broadly) on social networking tools and Web 2.0 for government. It was well attended by advocates who want to reach Congress, and over-worked Hill staffers who use IE6 and must cope with information overload. We also got a preview of GovLuv.org. If you have an interest in social networking and government, I highly recommend looking at some of the blog articles.

Here’s my report: Don’t hold your breath for Congress to go Social-Web crazy in the immediate future.

I hosted a discussion on developing a Privacy Commons framework for government. In short, Privacy Commons will be a series of Privacy Policy Frameworks: a list of required, optional, and prohibited subject matter for privacy policies. Each framework will be tailored to particular industries (e.g., medical, financial, goods and services, social media, government, etc.). Adoption of a Privacy Commons Framework will require that your Privacy Policy address all subject matter in the framework, and make certain high-level disclosures in the form of iconography (e.g., a “$” symbol to indicate that you sell personal information to third parties).

I already knew that a government Privacy Commons policy would have to include disclosures about how personal information may be transmitted to other federal agencies, for example. But I was surprised to hear from staffers that Congressional privacy policies should also disclose how personal anecdotes may be used. Many constituents e-mail their elected representatives with poignant personal stories that often support draft legislation. Staffers must decide whether they can or should use the stories in a press release, on the House or Senate floor, or whether they can use the story and change the names.

A government Privacy Commons framework will also need to address the different rules that elected officials and their campaigns must follow. Elected officials must follow strict rules governing sharing personal and contact information. In contrast, campaigns (which may run full-time, even after an official is elected) can do almost anything with personal information. The distinction between “Congressman Jones” and “Congressman Jones’ Campaign” may be lost on the average constituent; but the effects on privacy might be substantial.

As I make the transition to full-time attorney (after I pass the bar… wish me luck), I’ll be able to continue developing Privacy Commons. In fact, at Congress Camp I hooked up with the ECitizen Foundation, which might help host Privacy Commons working groups. Stay tuned.

FTC Says Bloggers Must Disclose Freebies

Note: This article originally appeared on The Security Catalyst Blog

The FTC recently announced new guidelines requiring bloggers to disclose when they get freebies in exchange for reviews. Adopted by a vote of 4-0, this is the first update of the FTC’s Guides Concerning the Use of Endorsements and Testimonials in Advertising in 29 years. The rules go into effect on December 1, 2009.

The FTC press release emphasizes that under the new rules, “both advertisers and endorsers may be liable for… failure to disclose material connections between [them].” Material connections include payments or free products, which must be disclosed in a “clear and conspicuous” manner. Both bloggers and advertisers may face FTC sanctions without proper disclosure, even if the advertiser contracts with an ad agency.

Here’s the bottom line: Bloggers– Clearly disclose whether you received payment or a free product when giving endorsements. Advertisers– Make sure social media marketing plans require your ad agencies and paid bloggers to disclose whether an endorsement is paid.

But bloggers shouldn’t worry too much. Simply saying something good about a product is not enough to break the new rules. Instead, there must be a “material connection” between the advertiser and endorser. This is generally understood to mean that the advertiser 1. provides consideration (i.e., payment or free product), 2. in exchange for an endorsement. When this happens, the editorial independence of the endorser becomes questionable, and the relationship between the advertiser and blogger must be disclosed.

Simply blogging about a free sample will not break the FTC rules. For example, blogging positively about a free product you received from a coupon or free store sample is OK because the article is completely independent and outside the control of the advertiser. In contrast, that same blogger who receives a free product in exchange for a product review must clearly state that he or she has been compensated for their opinion.

The FTC has indicated that they plan to enforce the provisions primarily against advertisers, rather than bloggers. This creates interesting challenges for advertisers, many of whom are already reeling from social media overload. Purely consumer-generated reviews will not create liability for advertisers. However, if the advertiser initiated the process that led to consumer endorsements (for example, by providing free products to bloggers or enrolling in word-of-mouth marketing programs), then the advertiser might be liable for whatever those consumers say.

In addition, simply using an ad agency doesn’t break the chain of liability. Unless advertisers are careful, they may incur liability if their advertising agency gives a free product to a blogger, who then fails to disclose the gift. Advertisers should remember that paid bloggers can now create liability for advertisers, and in this sense, they should treat paid bloggers just like any other employee or company agent.

Tips for Advertisers:

  1. Tell Your Bloggers: Always require bloggers to include standard language such as “PAID ADVERTISEMENT,” “PAID PRODUCT REVIEW,” or similar conspicuous and unambiguous language in their posts whenever you send them free products.
  2. Watch Your Bloggers: Advertisers will be liable for misleading statements from paid bloggers. However, you may mitigate liability if you “advise [paid bloggers] of their responsibilities and… monitor their online behavior.”
  3. Tell Your Advertising Agency: In your advertising agency contract, require them to insist that bloggers disclose gifts.
  4. Ask for Indemnity: Require indemnity from your advertising agency, should they fail to notify the blogger, and treat paid bloggers like employees for liability purposes.

Tips for Advertising Agencies (especially Social Media):

  1. Market Your Knowledge: Advertisers will appreciate that you know about this new regulation. Let advertisers know that your knowledge puts you in a position to decrease their liability.
  2. Tell Your Bloggers: See above.
  3. Watch Your Bloggers: See above.

Tips for Bloggers:

  1. Be Clear: If you got paid, or if you got a free product, disclose it up front. There are no magic words. You may use plain English to describe your relationship with the advertiser in your article. If you would rather opt for the legalese-disclaimer approach, try something catchy like “I shamelessly took a free widget from Acme Co. in exchange for this review,” or “I have sold my soul and this review to Acme Co. And all I got in exchange was a free widget.” The good standby, “Paid Product Review,” should work fine (if you have no personality).
  2. Be Conspicuous: If you choose to take the legalese-disclaimer approach, your disclosure should be somewhere readers can easily see it, such as the top of the page, or before the first sentence of the article. While all-caps or bold words may not be necessary in every circumstance, they may aid in making the text stand out.
  3. Don’t Worry Too Much: First, ethical bloggers already disclose their connections with advertisers. Second, you won’t incur liability unless you are actually acting on behalf of a company when you write a product review. As a truly independent blogger, you can still write anything you want about any product you want (within the limits of the law). Now you just have to disclose whether you got paid for your opinion.

It will be interesting to see how Twitter advertisers react to this new regulation. Perhaps a shorthand for “Paid Product Review” will develop in the Twittersphere, much like “RT” for Retweet. May I be the first to suggest, “PPR,” “Paid,” or my favorite, “:-$”

Note: The author received no free products or services from the FTC (or anyone else, for that matter) in exchange for this blog article.

NJ Supreme Court: Attorney-Client Privilege in Personal Email at Work

Note: This article originally appeared on the J.C. Neu & Associates Blog

Yesterday the New Jersey Supreme Court heard arguments in the Stengart v. Loving Care Agency, Inc. case. The issue is whether the New Jersey attorney-client privilege is preserved when an employee e-mails her attorney from a personal email account on a company computer.

The first reaction from most lawyers is, "yikes, I hope so."

Maria Stengart was a senior employee at Loving Care, which provides Home Care Services for children and adults. Among other things, Loving Care’s employee handbook states that “Email and voice mail messages, internet use and communication, and computer files are considered part of the company’s business and client records. Such communications are not to be considered private or personal to any individual employee.” Stengart was issued a company laptop, on which she occasionally accessed her personal Yahoo account. She resigned in December, 2007 and shortly thereafter filed suit against Loving Care alleging constructive discharge due to sexual harassment and ethnic discrimination.

In April 2008 Loving Care sent an image of her laptop hard drive to a data recovery company, which recovered at least one personal Yahoo email between Stengart and her attorney, presumably from a recovered browser cache. Of course, this prompted Stengart to assert attorney-client privilege, demanding that all attorney communications be returned or destroyed. The company balked, and in essence argued that Stengart had waived the privilege by using a company computer.

The trial court found in favor of the employer, but the appellate court reversed.

If I were to play armchair quarterback for a second, I think that the New Jersey Supreme Court will probably find in favor of Stengart as a substantive matter, but the case raises several issues of legal, policy, and practical significance, with no apparent easy answers.

In general, employees have a diminished (i.e., nearly zero) expectation of privacy on an employer’s network, especially when the employer has put the employee on notice of that fact. The trial court merely extended this well-established principle to attorney-client communications. After all, an employer must be able to control, protect, and secure its network against a range of threats.

On the other hand, most employers allow company computers to be used for personal reasons. It seems to be bad public policy that an employee would waive the attorney-client privilege simply because she uses a browser on her company computer during her lunch break, rather than a home browser. This is especially true if she happens to e-mail her lawyer about an action against the employer. It seems absurd that a distinction so technical should allow the employer to "rummage through and retain the employee’s e-mails to her attorney," as the appellate court put it.

But if an employee does enjoy some expectation of privacy in personal communications over a company network, how much, and how does an employer write a policy to manage it? Does an employee enjoy the same expectation of privacy for personal email transferred via POP3 or IMAP to a local company version of Outlook, compared to an email recovered from an HTTP browser cache? Does the employer have a duty to not attempt to recover deleted personal emails? Are employers allowed to snoop unless communication appears privileged? I don’t have a good answer, and it will be interesting to see what answer the court comes up with.

Surely an employee cannot enjoy an unqualified expectation of privacy by simply using non-company communications, because employers still have an interest in making sure that employees do not use personal accounts to transfer trade secrets, compete against the company, or download a virus.

We’ll keep an eye on this one.
