When people talk about privacy-oriented cloud storage services, the name MEGA is sure to come up. This New Zealand based service offers end-to-end encryption that not even MEGA themselves can read, a very generous free account, sync clients for any device (or devices) you are likely to have, and much more.
Could this be the cloud storage service you are looking for? Let’s take a closer look in this MEGA cloud storage review.
Pros
- End-to-end encrypted with AES-128, TLS
- GDPR compliant for all users worldwide
- Supports 2FA
- Free and paid plans
- No data stored in United States
- Transparent source code
- Massive amounts of storage available
- File versioning
- Annual transparency reports
Cons
- Not open source
- Confusing free plan
- No live chat or phone support
- No published third-party audits or testing
To kick off this MEGA review, we’ll first cover the main features.
MEGA feature summary
Here is a quick summary of the major features of MEGA. Note that some of these features are only available to users with PRO or Business accounts.
- Supported platforms include Mac, Windows, and Linux desktops
- Android and iOS apps, plus Chrome, Firefox, and Opera browser extensions
- End-to-end data encryption using AES-128 and TLS
- Storage ranging from 15GB to 16TB
- Synchronizes across all your devices and browsers
- Administrative reports & analysis
- 2FA support
- File versioning
MEGA was launched in 2013 in New Zealand by Kim Dotcom. Mr. Dotcom severed all ties with MEGA in 2015, but the company has continued to grow and thrive. At the time of this review, the service has over 166 million registered users worldwide.
Where is MEGA cloud storage data stored?
…we store Your Files and make them available from servers that are owned and controlled by us, in secure facilities in Europe or in countries (such as New Zealand) that the European Commission has determined to have an adequate level of protection under Article 45 of the GDPR, depending where you are based. None of Your Files are stored in, or made available from, the United States of America.
While New Zealand is officially part of the Five Eyes surveillance alliance, it is a far better location for privacy than the United States.
If you aren’t comfortable with MEGA being based in New Zealand, you may want to check out Tresorit, which is based in Switzerland. (See our Tresorit review.)
MEGA Terms of Service
I reviewed the most recent MEGA Terms of Service (ToS). This long, detailed document had an effective date of 17 December 2018. Everything in the ToS is governed by New Zealand law, including any arbitration that might be necessary.
Points of interest in the ToS:
- The service is governed by New Zealand law and arbitration (paragraphs 2 and 49)
- You are required to comply with the Harmful Digital Communications Act 2015 (NZ) or any similar law in any jurisdiction (paragraph 13.6.3)
- You will not store, use, download, upload, share, access, transmit, or otherwise make available, unsuitable, offensive, obscene or discriminatory information of any kind (paragraph 13.6.4)
- You are held responsible for the use of your account, even if someone else hacks into it (paragraph 14)
- You may not infringe any copyright or other proprietary rights of any person or entity (paragraph 18)
- MEGA assumes that any and all takedown notices are presented in good faith and will act on them as if they are valid. You will have to fight to get your content restored (paragraphs 21-28)
- You and MEGA are both bound by their Privacy & Data Policy as well as their Takedown Guidance Policy. Among other things, these documents discuss MEGA’s right to disclose data and other information as required by law or any competent authority (paragraphs 58 and 59)
While in general, the ToS is reasonable, some clauses give me pause. How could you possibly know if the data you store might be considered unsuitable, offensive, obscene or discriminatory under any law similar to the Harmful Digital Communications Act 2015 (NZ) anywhere in the world? Then there is the takedown policy of assuming you are guilty of infringing others’ rights just because they say so. These requirements are similar to those in the United States DMCA. See this Electronic Frontier Foundation (EFF) article for the potential problems.
I understand that MEGA is governed by New Zealand law, so it must implement these policies. You’ll need to decide for yourself if your use of this service might result in problems.
- Your data is encrypted on your device and MEGA has no way to decrypt it (paragraph 5.2)
- Your files are stored in secure facilities in countries the European Commission has determined to have an adequate level of protection under Article 45 of the GDPR, depending where you are based. None of Your Files are stored in, or made available from, the United States of America (paragraph 5.4)
- Any chats you conduct within MEGA are encrypted, although some metadata must remain in the clear to enable the service to function (section 6)
- MEGA collects unencrypted metadata related to your account, including browser type, operating system, IP address and similar information (paragraph 7.3)
- MEGA collects Website Usage Data, and uses that data for advertising and marketing purposes as well as to improve their business (section 8)
- MEGA can share the data they have about you with law enforcement, related or affiliated entities, payment processors, and resellers, but will never sell your data (paragraphs 14-16)
The collection of IP addresses may be concerning to some. If you are using a good VPN service, then your real IP address will remain hidden.
MEGA security audits and other third-party tests
I have not been able to find any published information about third-party audits or certifications. They did launch a Vulnerability Reward Program in 2013, paying up to €10,000 per bug discovered. Unfortunately, there have been no updates on this in several years. Either that program has gone inactive, or MEGA has decided to keep test results to themselves, or no one has found any bugs in several years.
MEGA also publishes the source code for their client-side apps (see Transparent Source Code later in this review). This gives at least some visibility into what the code is doing.
In short, while I have no reason to doubt that the service functions as advertised, there doesn’t seem to be any third-party verification that MEGA does what it claims it does.
With over 160 million registered users, you would expect that MEGA would offer a complete set of sync apps. And they do.
MEGA users get:
- Full-featured iOS and Android apps
- Chrome, Firefox, and Opera browser extensions
- Mac OS, Windows, and Linux desktop apps
- MEGAapp for Windows 10, a UWP (Universal Windows Platform) that runs on Windows 10 desktops, tablets, and mobiles
Hands-on testing for the MEGA review
Now let’s take a short look at MEGA in action.
Installing MEGA is easy. Go to their site and set up an account. You’ll need to give them an email address and password, as well as your first and last name. The email address has to be a real one, since you need to reply to a confirmation message as part of the process.
Once you log in, you’ll want to download the apps you want to use, and install them on your device. Log in to the app and you are ready to go.
Once MEGA is running on your device, you will need to tell it what you want it to sync. Click the Syncs button, then Add Sync to open the Add Synchronized Folder dialog.
Choose the Local folder on your device you want to sync and the MEGA folder in the cloud and click OK. MEGA will copy files to the cloud, and keep everything in sync from then on. Repeat the process for each local folder you want MEGA to sync.
Clicking Settings in a MEGA client opens an attractive window where you can see the status of your account and make any additional adjustments. In most cases, you won’t ever even need to open this window.
If all you want is for MEGA to back up your files to the cloud, you’re done.
If you want to work with the files and folders you are syncing, you can easily do so using the web client. Select Cloud Drive in the left-hand menu to navigate through your files and folders quickly and do things like upload, download, and preview (certain types of) files by right-clicking them.
Note: You’ll also receive hints relevant to where you are within the app, as shown below.
The left-hand menu also gives you access to MEGAchat and your contacts.
MEGA file sharing
Sharing files is an increasingly important feature of cloud storage apps. MEGA’s web app lets you generate a link to any file you want to share. You can specify that the link has a security key, meaning you need to provide the key to someone if they want to view the file. The key can either be attached to the link (meaning anyone who gets a copy of the link can see it), or you can send the key to the recipient separately.
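The trade-off between attaching the key to the link and sending it separately, shown as an added illustration that is not MEGA's code. It assumes AES-128-GCM for the client-side encryption and a hypothetical link layout on share.example with the key in the URL fragment; neither is taken from MEGA's implementation.

```javascript
// Added illustration, not MEGA's code. AES-128-GCM and the link layout
// (https://share.example/file/<id>#<key>) are assumptions for this sketch.
const crypto = require("node:crypto");

// Client side: encrypt before upload. The storage service only ever sees `blob`.
function encryptForUpload(plaintext) {
  const key = crypto.randomBytes(16); // 128-bit key, generated and kept on the client
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-128-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const blob = Buffer.concat([iv, cipher.getAuthTag(), ct]); // iv | tag | ciphertext
  return { key, blob };
}

// Build a share link. With attachKey=true the key travels inside the link itself.
function makeShareLink(fileId, key, attachKey) {
  const base = `https://share.example/file/${fileId}`;
  return attachKey ? `${base}#${key.toString("base64url")}` : base;
}

// Recipient side: take the key from the link if present, else from a separate channel.
function openSharedFile(link, blob, separateKey) {
  const fragment = new URL(link).hash.slice(1);
  const key = fragment ? Buffer.from(fragment, "base64url") : separateKey;
  if (!key || key.length !== 16) return null; // a key-less link alone opens nothing
  try {
    const d = crypto.createDecipheriv("aes-128-gcm", key, blob.subarray(0, 12));
    d.setAuthTag(blob.subarray(12, 28));
    return Buffer.concat([d.update(blob.subarray(28)), d.final()]).toString("utf8");
  } catch {
    return null; // wrong key or modified blob: the GCM tag check fails
  }
}

// Constructed sample data; compares what each holder can read.
function demo() {
  const { key, blob } = encryptForUpload(Buffer.from("constructed sample: Q3 payroll figures"));
  const linkWithKey = makeShareLink("abc123", key, true);
  const linkOnly = makeShareLink("abc123", key, false);
  return {
    forwardedLinkWithKey: openSharedFile(linkWithKey, blob),       // readable by any holder
    linkWithoutKey: openSharedFile(linkOnly, blob),                // null
    linkPlusSeparateKey: openSharedFile(linkOnly, blob, key),      // readable
    linkPlusWrongKey: openSharedFile(linkOnly, blob, crypto.randomBytes(16)), // null
  };
}

console.log(demo());
```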
Going back to that handy menu on the left, you can open the Shared with me window. In the past, MEGA was criticized for only tracking incoming shares. Now, despite the name, the Shared with me window can display Incoming Shares, Outgoing Shares, and Public Links (links that don’t have an associated key).
Speaking of things that MEGA used to get criticized for: until recently, they did not support two-factor authentication (2FA). Today, MEGA does support 2FA. You should strongly consider activating 2FA on any cloud service you use, as it can greatly increase the security of your account. To activate 2FA on MEGA, go here.
Additional MEGA features
MEGA offers several useful features beyond the basics we’ve already discussed. Here are some of the most interesting:
Business accounts include MEGAdrop. It lets you create a folder where people outside your organization can securely upload files to your account, without themselves having a MEGA account.
MEGAcmd is a Mac, Windows, and Linux command line interface. Use it to:
- Configure automatic backups
- Interact with WebDAV clients
- Configure FTP access to MEGA files
and more, all from the command line.
MEGAbird is a tool that lets the Thunderbird email client send large files through the MEGA network.
MEGAchat is a chat system built into the MEGA service. It employs user-controlled end-to-end encryption, meaning that only the people in the chat can decrypt the content. It supports secure text, voice, and video calls with a single contact, as well as group text chats.
Transparent source code
MEGA makes much of their source code available here. You can freely review their code, which is a plus. However, they only provide access to the client-side code, not their servers. In addition, while you can view the source code, it is licensed under custom licenses and doesn’t really qualify as Open Source. You can see a more detailed discussion of the situation here.
MEGA offers both email support and a good-sized Help Centre. The Help Centre is well-organized and can answer most basic questions. If you don’t find an answer in the Help Centre, you can fill out a support request at https://mega.nz/support. MEGA does not offer live chat support or telephone support. This is a definite strike against them.
Users with paid accounts get priority for support requests, but even requests from Individual account users are usually answered quickly. I have never had problems getting support from MEGA. But I’ve seen lots of griping about their support on review sites. Whether those complaints are due to lack of chat and phone support, or actual problems with the answers provided, is unclear.
How secure and private is MEGA?
With easy access to large amounts of cloud storage, you will likely stash a lot of important files in the MEGA cloud. This being the case, let’s see how secure and private this service really is.
MEGA provides end-to-end encryption of your data, using keys that only you know. They use AES-128 encryption to protect the data when at rest, and double-down by adding a layer of TLS encryption when your data is in transit. In other words, your data is secure.
You may be wondering if it is a problem that MEGA uses AES-128 instead of the stronger AES-256 for encryption. I wouldn’t worry. While AES-256 is technically stronger, as far as we know, the fastest computers available today would still need many centuries to crack even AES-128.
MEGA complies with the European Union’s GDPR (General Data Protection Regulation) policies. This provides good privacy protections. I particularly like that they apply GDPR protections to all their customers, anywhere in the world.
I also like that they explicitly do not store any of your data in the United States. The USA is the home of some of the most powerful intelligence-gathering agencies in the world, and is not the best place to be if you value your privacy.
In 2015, MEGA began publishing a yearly Transparency Report. These reports provide information about the number of requests for user data, number of files taken down, users suspended for repeat violations of MEGA ToS, and similar issues.
The latest report shows that MEGA takes down hundreds of thousands of files a year in response to takedown requests it receives. While this sounds like a lot, only a tiny fraction of the 63+ billion files on the system are affected.
MEGA also receives more than 1,000 requests for user information from law enforcement and civil complainants. Hundreds of these requests were filled with an automated tool that provides subscriber information directly to New Zealand police in certain cases.
While the system can’t provide the actual content of your files (MEGA can’t decrypt them), related metadata can still disclose information you might want to keep private.
MEGA offers a range of accounts, from the free Individual account, to 4 PRO accounts, up to a Business account. Their accounts differ somewhat from other cloud storage services in that they limit the amount of data you can transfer over a given time period. The transfer limit (often referred to as bandwidth) applies for a given time period. For example, a PRO LITE account offers 1TB of bandwidth (they call it transfer) per month. All of your transfer is available immediately.
There are pros and cons to this approach. The pros are that you have control of your usage. If you need to use all the bandwidth at once you can. You won’t be stuck waiting until the next day for some files to move because you exceeded the daily quota. And you don’t have to worry about what would happen if you needed to move a file that is larger than the day’s share of your transfer.
The drawback to this approach is that you could overdo it at the beginning of the period. Upload all your family videos at the beginning of the month and you might not be able to view them until the following month because you used up your entire transfer quota.
With these considerations in mind, let’s look at the MEGA accounts in more detail:
The Individual account is a free plan that offers 50 GB of storage. This was an incredible offer when I signed up for it a few years ago. But today, if you look closely at the following image, you’ll notice an asterisk next to that big, bold 50 GB FREE.
MEGA free storage?
Sometime in 2018, MEGA did away with the 50GB free for new users. Today, you get 15GB permanent free storage, and an additional 35GB bonus for signing up for an account. That bonus 35GB expires after 30 days. Without going into detail, Individual account members need to perform various actions in the achievements program (install the MEGA client, invite a friend to join, etc.) to get additional storage. That additional storage comes with an additional transfer quota, which is good. But none of the additional storage or transfer is permanent. When your additional storage expires, the service will encourage you to complete more “achievements” or to upgrade to a PRO account.
Unless you plan on continually jumping through hoops to earn additional storage and transfer, your best bet is to treat the Individual plan as offering 15GB of free storage. While 15GB free storage is certainly not bad, the marketing of 50GB feels kind of like a bait and switch deal.
Note: This is the freemium business model, which we also see with many secure email providers. For example, ProtonMail offers limited storage for free, with more features and storage with paid accounts. We also see this with some free trial VPN services.
Okay, so you’ve got 15GB of permanent storage with an Individual account. You’ll notice that I didn’t tell you the transfer quota for this type of account. That’s because this number is kind of squishy. Here is the explanation MEGA gives:
FREE accounts are provided with a transfer quota (uploads plus downloads) that varies depending on our system utilization. Transfer quota is provided over a dynamic sliding window that is typically less than 24 hours but depends on time of day, ISP, country etc. Once you exhaust your FREE account’s allowance you will have to wait to accrue more or purchase more quota.
In other words, there is no way to know exactly what your transfer quota is if you have an Individual account. This uncertainty, more than anything, was what motivated me to move to a PRO account.
MEGA offers 4 PRO accounts, each with its own monthly or yearly storage amount and transfer quota. To get a PRO account, you first need to create an Individual account. Once you do that, you’ll have the option to upgrade. By offering 4 PRO accounts, MEGA allows you to pay for only the storage you need. However, as you can see in the following image, there is a lot of incentive to subscribe to the larger accounts. Each step up at least doubles the amount of storage and transfer quota you have.
Now let’s look at business accounts.
MEGA offers a single Business account. It requires a minimum of three users, and is billed at 10€ per user per month. A Business account gives you a lot more than just end-to-end encrypted storage. It includes voice and video conferencing, secure team messaging, file versioning, and user management capabilities. You also get MEGAdrop, and of course mobile access on phones and tablets.
The MEGA Business account includes unlimited storage and transfer. This is a great deal, but once again, there is a catch. The account must be used only for genuine business purposes. Wondering what “genuine business purposes” means, and who decides? That’s covered in section 54 of the MEGA ToS. In particular, paragraph 54.5 lays out the details. It starts off with “Each user’s use of the business service must be fair, reasonable and not excessive, as reasonably determined by us…” with ‘us’ being MEGA. If you are considering a Business account, you’ll want to read this section of the ToS carefully to ensure that your usage will be considered fair, reasonable, and not excessive.
MEGA review conclusion
MEGA has earned a reputation for being one of the best privacy-oriented cloud storage services. Your data is completely protected while in transit and at rest thanks to end-to-end encryption that you control. You can even share documents in encrypted form so that only those with whom you share the key can read them.
The service offers accounts for every user, from people looking for masses of free storage up to businesses and teams. They’ve addressed issues like the lack of 2FA and file versioning, making the service even better. All of which begs the question:
Is MEGA right for you?
I think MEGA is a strong choice for individual users. It is hard to beat 15GB of permanent free storage, particularly if you don’t mind occasional delays in uploading or downloading files.
The PRO accounts offer increasingly vast amounts of secure, private storage at decent prices. This is one of the main areas where cloud storage services compete, so if price per GB (or TB) is one of your major concerns, you’ll want to compare the latest prices when you are ready to buy.
If you are someone who wants cloud storage for stashing your copies of ripped songs, or wants to back up “controversial” materials, MEGA may not be the place for you.
If you are looking for business storage, the situation is also unclear. Unlimited storage and transfer capacity sounds wonderful. And the built-in chat, contacts, and file preview capabilities could be very useful. But the previews are limited to certain file types, not including biggies like Microsoft Office. And with MEGA reserving the right to decide if your use of that unlimited storage is “acceptable” or not, I’m not sure I would build my business around it.