Price: $4.99/mo; 500 GB
Today we’re going to look at pCloud, a secure file storage service with a number of interesting features, but some real drawbacks for the most security-conscious users.
We’ll start out this pCloud review by examining the Pros and Cons before diving into the details.
Pros
- Free 14-day trial
- 10GB free storage
- Optional end-to-end encryption with pCloud Crypto
- Includes 30-day version tracking
- Optional Extended File History (EFH) tracks 360 days of file versions
- GDPR compliant
- Drag-and-drop backup
- Company based in Switzerland
- Supports both encrypted and unencrypted files in the same account
- Can sync unencrypted data with Facebook and other services
- Drag and drop backup folder (pCloud Drive)
- Customizable sharing links
- Built-in media player
Cons
- Free version has limited features
- Data stored in the United States
- Extra charge for pCloud Crypto and Extended File History (EFH)
- Not open source software
- People under the age of 18 are not allowed to use the service
pCloud feature summary
Talking about pCloud is a little different than talking about other cloud storage services we’ve reviewed. That’s because pCloud allows for both encrypted and unencrypted data to appear in the same account. We’ll go into how this works later. For now, what you need to know is that many of pCloud’s features will only work on unencrypted (insecure) data. Here is a quick summary of the features of pCloud:
- Runs on Windows, Mac OS, Linux, Android, iOS, and major browsers
- All your data is encrypted when in transit between your devices and the pCloud servers
- Secure, zero-knowledge encryption is available through pCloud Crypto, an optional paid feature
- By default, the system maintains the last 30 days' worth of file versions. You can extend that to 360 days with Extended File History (EFH), an optional paid feature
- There are cool features like the ability to play media files, but most only work on unencrypted (insecure) files
- Synchronizes across all your devices and browsers
pCloud AG (the publisher of pCloud) is a privately held company based in Baar, Switzerland. Founded in 2013, this small company (approximately 30 employees) says they have over 10.5 million users around the world.
Being based in Switzerland is good for the security of your data. Switzerland is a neutral country that is not part of any international intelligence organizations (as far as I know). The country also has stronger privacy and security laws than most nations. However, as we are about to see, there is a potential problem.
Where does pCloud store user data?
While pCloud is based in Switzerland, their data center is in the United States.
This means the data center is subject to the less-privacy friendly legal system of the USA. Not to mention the United States is the home of the NSA and who knows how many other intelligence agencies. The country also is at the heart of the Five Eyes, Nine Eyes and various other international intelligence organizations.
So why review them? Because pCloud offers an optional zero knowledge encryption feature.
What is zero knowledge encryption?
As we discussed recently in our SpiderOak ONE review, a zero knowledge system is one where the cloud storage service knows nothing about your data. They can’t read the data itself, and they can’t see things like file names or sizes, folder names, or who is allowed to view files. While this usage doesn’t match the way the phrase is used in the cryptography community, it is close enough for our purposes here.
A zero knowledge system should make a cloud storage service secure, regardless of where the data center is located. The data center could be forced to turn over your data to the government (or hackers could steal it), but there is no way for them to glean any useful information from what they receive.
How does pCloud’s zero knowledge system work?
I have a few concerns about pCloud’s zero knowledge system. The system is called pCloud Crypto, and it is an optional feature available for an extra charge. With it, data gets encrypted on your device, using encryption keys you control. pCloud never sees your keys, meaning they have no way to decrypt your data. It appears to be pretty impressive tech (brief intro here). I have no reason to doubt that pCloud Crypto is secure. Indeed, a few years back they ran a challenge to see if anyone could crack their system.
2,860 participants from over 600 organizations had 180 days to hack the pCloud encryption software. The prize? $100,000. The result? 0 hacks.
That’s pretty impressive. My concern is that the code is not open source. That means there is no way to verify that it works as advertised, with no hidden back doors or other ways to get around the encryption. The ability to look into the code and see exactly how it works is one of the main reasons privacy-oriented people love open source code so much. As President Ronald Reagan liked to say, trust but verify (Doveryai, no proveryai). That you can’t do so with pCloud’s code counts as a strike against it.
My second concern about pCloud’s encryption has to do with the design of the service. By default, your data is encrypted in transit to and from pCloud’s servers, and encrypted at rest on those servers. But pCloud holds the encryption keys. This means that someone on their end could technically decrypt and read your data using those keys. Or the US government could force them to do so, perhaps including a gag order so you wouldn’t even know your data was compromised.
pCloud Crypto is a partial solution to this problem. I don’t say that because of any doubts about the capability of pCloud Crypto, but because it doesn’t get applied to all your files. Only files that you store in a special Crypto Folder get encrypted by pCloud Crypto. The rest of your files are encrypted with the keys that pCloud controls. This approach is necessary for the service to provide many of its features, including file sharing, but it does mean that only certain of your files will get the full zero knowledge treatment.
We’ll talk more about all this later. Right now we need to take a look at the legal stuff and decide if there is anything here that is a definite show stopper. We’ll start with the Terms of Service.
pCloud Terms and Conditions
The most recent pCloud Terms and Conditions are found on a long (over 6,300 words) and complicated Terms and Conditions page. This page was updated 17 March 2020.
Points of interest in the Terms and Conditions:
- You must be at least 18 years old to use pCloud.
- pCloud can cancel your account for any reason without compensation to you.
- They will make reasonable efforts to maintain at least 99.9% availability of the service, but they urge you to make your own backups of everything.
- You promise to not do anything bad to the service, use it for anything bad, use any of their trademarks, intellectual property, and so on without their permission.
- If any of your download links generate too much traffic (in pCloud’s opinion) they may limit the traffic for that link.
- By using the service, you give pCloud certain rights to use the content you post there. The User Content section of the document is complicated, so if you plan on putting your own content on pCloud, I suggest you read the User Content section of the ToS carefully.
- Since pCloud stores your data in the United States, they must comply with the DMCA (Digital Millennium Copyright Act). The Copyright and Intellectual Property Policy section of the page covers all the relevant details.
- There’s a dense Encryption section on your rights and responsibilities when using pCloud Crypto too.
- pCloud disavows any responsibility for any interactions or conflicts you have with other users of the service.
- There are large sections of legalese on Disclaimers and Limitation of pCloud’s liabilities, one for customers in the European Union and another for everyone else.
- The company collects your email address when you create an account.
- If you select a paid plan or optional features, they collect billing information.
- When you use the service, they “collect information about you such as length of visit, page views and navigation paths, as well as information about the timing, frequency and pattern of your usage, operating system, device information, behavior, visited pages, etc.” They state that this anonymous information cannot be identified directly with you. Since their code is not open source, you need to take their word for this.
- They may collect personal data:
  - From payment processors
  - From or about friends you connect with through pCloud
  - From third-party services you choose to back up using pCloud
- There is a long list of uses they make of the personal data they collect
- There is a long list of the circumstances under which they may disclose your personal information without your permission
- On the bright side, they do not share your personal information with third-parties for marketing purposes
- They do not sell your personal information to third parties
- They take reasonable steps to protect your unencrypted data, and will notify you if they get hacked
pCloud security audits, certifications, and compliance
I wasn’t able to find any published audits of pCloud security. They do however have some relevant certifications:
- ISO 9001:2015 – Quality Management Systems (QMS) – This ensures that customers get consistent, high quality products and services.
- ISO 27001:2013 – Information Security Management Systems (ISMS) – Helps businesses establish and maintain an effective information security management system.
- SSAE 16 SOC 2, Type II – “pCloud hosts user data through a leading certified data center via collocation. When using the pCloud service user’s data is transferred to our outsourced servers via TLS/SSL protocol and is copied on at least three server locations in a highly secure certified data center in Dallas, Texas, USA. Our collocated service provider is certified for SSAE 16 SOC 2, Type II that ensures the highest level of security.”
These are all good things to have, and ensure that pCloud is doing the right things. However, I would prefer to see even one third-party security audit. That would show that the security actually worked against real threats.
Finally, pCloud has a full GDPR compliance center that explains the benefits of GDPR for users.
pCloud user interfaces
pCloud does a great job of giving you access to your data through all the important channels: the desktop, mobile devices, and web browsers.
Let’s take a look at each of these interfaces now.
pCloud desktop app and pCloud Drive
As with most cloud storage services, when you install pCloud on your desktop, you are actually installing an app that runs in the system tray and handles synchronization tasks. Right-clicking the icon for this app gives you a menu of options:
The organization here is a little confusing, so stick with me and we’ll cover everything. The menu options include:
- Pause – Pauses synchronization of files and folders.
- Notifications – Opens a small window displaying any important info pCloud might have for you.
- An informational line of text that tells you how much of your available storage you are currently using.
- Preferences – Opens the main desktop control center for pCloud:
There are seven sections here that give you control over everything pCloud does. They are:
- Account – Gives you control over account settings, options to upgrade to a paid plan, buttons for access to pCloud Drive, the web interface for your account, and the Trash, where you will find all the files you deleted in the last 15 days (or longer if you have a paid plan). There’s also an unlink button which lets you disconnect this computer from the service.
- Sync – Lets you synchronize local folders on this machine with pCloud Drive. This way you can have those folders backed up to the pCloud servers, without having to change their locations.
- Shares – Allows you to share the contents of selected folders with other people. Be aware that there is a monthly download link traffic limit imposed on content other people download from your shared folders. The free version of pCloud has a 50 GB per month limit. Premium plans have a 500 GB per month limit, and Premium Plus plans have a 2 TB per month limit.
- Crypto – Work with pCloud Crypto. We’ll talk about this later.
- Settings – Adjust various pCloud settings to suit your own circumstances. You probably won’t have to touch these.
- Help – Links you to the pCloud FAQ (the main pCloud help resource) as well as their blog and customer support.
But what about pCloud Drive?
We’ve alluded to pCloud Drive a few times. This is a virtual disk drive that pCloud creates on your computer. Any files you store in pCloud Drive behave the same as if they are stored on your computer. However, they are actually stored on the pCloud servers, rather than locally on your computer.
pCloud Drive looks like a folder, just another disk drive on your computer. You can work with files in it as if they were stored on a local disk drive, but they don’t take up any space on your local drive since they are actually stored in the cloud.
This is in contrast to services like MEGA, which have a similar folder for synchronizing files. In the MEGA approach, the folder is a real folder on your computer. Anything you store in that folder is backed up to MEGA’s servers, but also retained in the folder on your computer.
In the pCloud approach, files you put in the pCloud Drive folder are stored on pCloud’s servers. The file doesn’t exist on the local machine. As a result, with the MEGA approach, you can work with the files even when not connected to the Internet. However, with pCloud, you must have an active Internet connection to work with your files.
What about pCloud Crypto?
pCloud Crypto is an optional component of pCloud. It provides client-side encryption. It uses an encryption key you create (called a Crypto Pass in pCloud jargon) that is used to encrypt the files before they leave your desktop or mobile device. pCloud has no access to your Crypto Pass, meaning that they cannot decrypt your files.
This is in contrast to the standard approach followed by pCloud. Normally, when you put a file into pCloud Disk, the app encrypts the file using the AES-256 encryption algorithm. Then it applies TLS/SSL, an additional layer of encryption that protects the file while it is in transit from your device to their servers. Once the file arrives at the pCloud servers, the TLS/SSL encryption is removed, leaving your file still encrypted with AES-256.
This sounds secure, and it is. But there is a hitch. To provide some of the features of the service, pCloud needs to be able to read your files. And they can do so because they control the encryption keys for the TLS/SSL and for the AES-256 encryption that protects the file when it is not in transit. In other words, with the standard pCloud approach, your files are secure against anyone, except pCloud.
pCloud Crypto eliminates this potential security issue by allowing you to encrypt the file yourself, before it goes through the regular pCloud process. There is no way for anyone at pCloud to read your files since you control the innermost layer of encryption.
Unfortunately, there are drawbacks to using pCloud Crypto to encrypt all your files. Since pCloud can’t read these files, you won’t be able to do things like play them or share them in pCloud. In addition, all files protected by pCloud Crypto have to be stored in a special crypto folder. The tradeoff here is stronger security vs convenience and features.
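The difference in key custody described in this section can be modelled in a few lines. This is an added example, not pCloud's code: the `Provider` class, the function names, the PBKDF2 derivation of a key from the Crypto Pass, and the HMAC-based stand-in cipher (used in place of AES-256 so the block runs on the Python standard library alone) are all assumptions made for illustration.

```python
import hashlib
import hmac
import os


# Stand-in authenticated cipher built from HMAC-SHA256 (assumption: it replaces
# AES-256 so the example needs no third-party library). Not for real-world use.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [
        hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        for i in range((length + 31) // 32)
    ]
    return b"".join(blocks)[:length]


def _subkeys(key: bytes):
    # Separate keys for encryption and authentication.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    enc_key, mac_key = _subkeys(key)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Provider:
    """Hypothetical storage service that encrypts at rest with a key IT holds."""

    def __init__(self):
        self._server_key = os.urandom(32)   # never leaves the provider
        self._disk = {}

    def upload(self, name: str, data: bytes) -> None:
        # Transport encryption has already been removed at this point.
        self._disk[name] = seal(self._server_key, data)

    def download(self, name: str) -> bytes:
        return unseal(self._server_key, self._disk[name])

    def insider_read(self, name: str) -> bytes:
        # What an employee or a compelled disclosure can recover: everything
        # the server key unlocks, which is also what sharing/streaming needs.
        return unseal(self._server_key, self._disk[name])


def derive_key(crypto_pass: str, salt: bytes) -> bytes:
    # Assumption: the client key is stretched from the passphrase with PBKDF2.
    return hashlib.pbkdf2_hmac("sha256", crypto_pass.encode(), salt, 200_000, dklen=32)


def crypto_upload(provider: Provider, name: str, data: bytes, crypto_pass: str) -> None:
    # Inner layer is applied on the device; the provider only sees ciphertext.
    salt = os.urandom(16)
    provider.upload(name, salt + seal(derive_key(crypto_pass, salt), data))


def crypto_download(provider: Provider, name: str, crypto_pass: str) -> bytes:
    blob = provider.download(name)
    return unseal(derive_key(crypto_pass, blob[:16]), blob[16:])


if __name__ == "__main__":
    p = Provider()
    p.upload("holiday.mp4", b"constructed sample: standard folder file")
    crypto_upload(p, "taxes.pdf", b"constructed sample: Crypto Folder file", "example pass")
    print("provider sees standard file:", p.insider_read("holiday.mp4"))
    print("provider sees crypto file:  ", p.insider_read("taxes.pdf").hex()[:48], "...")
    print("owner sees crypto file:     ", crypto_download(p, "taxes.pdf", "example pass"))
```

The provider-side read of the Crypto Folder file returns only the inner ciphertext, which is also why the service cannot play or share that file.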
pCloud mobile apps
pCloud provides useful, attractive apps for both iOS and Android devices.
Here’s a screenshot of the pCloud Android app:
The pCloud Android and iOS apps get good marks in their respective app stores (4.4 out of 5.0 for the Android app and 4.1 out of 5.0 for the iOS). They both give you the full range of features you would expect. You can even use pCloud Crypto with the mobile apps.
pCloud web interface: my.pcloud.com
The pCloud web interface (my.pcloud.com) is likewise an attractive and functional interface to all your data.
Hands-on testing for the pCloud review
For this pCloud review, I tested the free trial version of pCloud desktop client on systems running Microsoft Windows 10 Home (version 1909) and Ubuntu 18.04. I tested the Android app on a Samsung Galaxy S9+.
Installing the pCloud desktop client on both the Windows and Ubuntu machines wasn’t hard. However, if you are a beginner, you might find it confusing. Let me explain…
pCloud on Windows 10
I downloaded the app from the pCloud website without problems. However, when I tried to run it, Windows 10 threw up this warning:
This looks ominous. But I downloaded pCloud from the company website, so I had to assume that it was legitimate. I clicked the Run anyway button. Everything went smoothly from there.
pCloud on Linux (Ubuntu)
The Ubuntu version of pCloud comes as an AppImage. An AppImage is a way of distributing Linux software (Ubuntu is a form of Linux) that works on many different versions of Linux, without requiring you to have superuser rights.
The way you install and run an AppImage is different than for a normal app. The instructions pCloud gives you are clear, but if you have never worked with an AppImage before, you might want to check out this page for more information.
pCloud offers you a lot of options, but you can use it without configuring anything. Once you have installed the desktop app, you will have the basics ready to go. To start storing your files on the pCloud server, simply move them to the pCloud Drive folder.
However, once again, things are a little confusing. You should see a pCloud Drive icon on your desktop that looks like this:
You might expect that double-clicking this icon would open the pCloud Drive folder – but it doesn’t. Instead, it opens the desktop app to the Crypto tab:
Switch to Settings to change any settings you wish.
At its most basic, using pCloud entails copying or moving files into the pCloud Drive folder. You have two options to get to the pCloud Drive folder:
- One is to navigate there using your operating system’s file manager.
- The other is to right-click the pCloud icon in the system tray and select the Open Drive menu option.
Remember that the pCloud Drive folder is actually virtual storage. The files and folders you see there exist on the pCloud servers, not on your computer. Depending on your threat model and the availability of a full-time Internet connection, you may want to make your own backups of files you store in pCloud Drive.
But there is more to pCloud than this virtual drive.
Syncing local folders
If you go to the Sync page in the desktop app you can set up local folders to be synchronized with pCloud Drive. For these folders, every file in the local folder is copied to a corresponding folder in pCloud Drive. This leaves you with a copy of the file in each location. Benefits to this include:
- You don’t have to move the files and/or folder from its current location on your local drive
- You will have access to the files in the local folder, even if you cannot connect to the pCloud servers through pCloud Drive
Drawbacks to this include:
- More disk space use since the files exist both on your local drive and on the pCloud servers
- Because the files are synched, rather than copied, if you delete a synched file on the local drive, it will be deleted in pCloud Drive as well
Using pCloud Crypto
If you invest in pCloud Crypto, you can use pCloud as end-to-end encrypted cloud storage. Once you sign up for pCloud Crypto, you can go to the Crypto page of the desktop app and create your Crypto Pass. Crypto Pass is the encryption key that will be used to encrypt files on your device. It is also the password that reveals a hidden Crypto Folder inside the pCloud Drive folder.
To encrypt a file with pCloud Crypto:
- Open the pCloud app and go to the Crypto page.
- Unlock the Crypto Folder using your Crypto Pass.
- Drop the file you want to encrypt into the Crypto Folder. The pCloud app will automatically encrypt the file.
Once you are done encrypting files, go back to the Crypto page in the app and lock the Crypto Folder. pCloud hides the folder. Not only are your files now encrypted so only you can decrypt them, but the Crypto Folder itself remains invisible until you unlock it with your Crypto Pass.
Sharing folders and files
pCloud makes it really easy to share files or folders. Simply right-click the file or folder you want to share. You’ll see a menu of options that includes two sharing options.
- One lets you share links to the file or folder.
- The other pops up a dialog box with a range of options for sharing, including sharing to nearby devices using WiFi or Bluetooth.
When you share your files, the pCloud Fair share system comes into play. This ensures that shared folders only use space from the person who owns them.
This is definitely a great way to share files, but there is one problem. You can’t use the pCloud sharing options with files protected by pCloud Crypto.
Additional pCloud features
pCloud offers a lot of additional features, but you can’t use most of them with files that are encrypted using pCloud Crypto. That being the case, I’ll only touch on them here:
- Link Branding – You can customize your download link with your own title image, headline, and description.
- Automatic uploads from your mobile device camera.
- Built-in video player.
- Built-in video streaming.
- Unlimited file size.
- Remote uploads of files by entering their URL.
- The ability to back up files from Dropbox, Facebook, Instagram, OneDrive, and Google Drive.
The pCloud team provides telephone and email support in English, French, German, and Turkish. They answered the question I emailed them in less than an hour, which is excellent.
They also provide a large FAQ, which serves as the online help center. It covers hundreds of topics, with detailed instructions and explanations where appropriate. It is definitely a good starting point when you need help.
Now let’s move on to the next important question…
How secure and private is pCloud?
To a large extent, the amount of security and privacy you get with pCloud depends on how you use it.
pCloud uses strong encryption for sending your files to and from their servers. And their corporate practices for protecting your data on their servers comply with industry standards. But once again, there is a twist in the plot.
pCloud claims that their approach to encryption is unique. What exactly that means, I have not been able to determine. What I have been able to determine (thanks to that email I sent to the support team) is that pCloud is not open source. That means we have to take the company’s word for how secure their encryption is.
The encryption challenge the company ran a few years ago makes me more comfortable about the security of their encryption. However, it would be better to have a third-party security audit we could refer to.
To its credit, being based in Switzerland is a privacy plus. This country doesn’t require cloud storage services to retain data about their users, and generally has strong privacy laws. This attracts other privacy-focused businesses to Switzerland as well, such as ProtonMail. Meanwhile, some services prefer to really go offshore, such as with NordVPN in Panama.
But back to pCloud in Switzerland. Technically, it would be possible to read your files when they are stored on pCloud’s servers in response to a government order or at the hands of a nosy pCloud employee. Only the files you protect with the optional (extra charge) pCloud Crypto system would be truly private. This also means that you cannot share encrypted files, since files you want to share cannot be protected this way.
All this is particularly worrisome if your files are stored on a pCloud server in the United States. There are rumors that pCloud now has servers in Europe too, although I haven’t seen anything concrete on this subject.
pCloud offers a range of plans with multiple options. We’ll hit on each of them quickly.
pCloud Basic plan
The Basic plan is a free plan that gives you up to 10 GB of space. The amount of space you get depends on completing various activities such as verifying your email address or inviting friends to join the service. (We’ve seen this strategy before with some VPNs that offer a free trial and also other cloud storage services.) This account never expires, but if you need more space, or one of the optional additions to the service, you’ll need to upgrade to one of the paid plans.
Additionally, you can get a 14-day free trial of pCloud Crypto without upgrading. With the Basic plan you can track the most recent 15 days of revisions to your files, and restore previous versions.
pCloud Premium plans
There are two pCloud Premium plans:
- The Premium 500 GB plan offers 500 GB of space with 500 GB of download link traffic.
- There’s also the Premium Plus 2 TB plan with 2 TB of space with 2 TB download link traffic.
Both Premium plans include:
- Fair share, where shared folders only use storage from the owner of the folder. This means that sharing a 1 GB file with three users only uses 1 GB of storage, not 1 GB of storage from each user.
- Download link branding, which allows you to add your own title image, headline, and description to the links you share.
- 30 days trash history, which allows you to restore older versions of the files in your account. You can also browse through your account to a specific date and time, then restore or download all of your unencrypted files or deleted shared content.
You can add pCloud Crypto or Extended File History (EFH) to these accounts for an additional charge.
Although it isn’t obvious at first, you can pay for a Premium plan monthly, yearly, or in one lifetime payment. The yearly and lifetime payment plans are displayed prominently on the site and have the best pricing.
Here is what annual pricing looks like on the site as of the time of this review:
That works out to the equivalent of $3.99 per month for the Premium 500 GB plan (paid annually), and $7.99 per month for the Premium Plus 2 TB plan (again, paid annually). These prices compare well against competitors like Sync.com and MEGA, who charge the same or more for comparable amounts of storage.
If you could pay a one-time fee for secure cloud storage, would you do it? Your answer to that question probably depends on two factors:
- How much does a lifetime of storage cost?
- How likely is it that the provider (pCloud) will be around long enough to make this worthwhile?
In the case of pCloud, each lifetime plan costs less than 4 times the equivalent yearly plan. Assuming you stayed with pCloud, and the company stayed in business, you would be ahead of the game in 4 years. This seems like a good bet. The company is small, but the service seems solid, and if they make it through the COVID-19 madness, I don’t see any reason why they shouldn’t be around 4 years from now.
Other pCloud plans
Beyond the plans we’ve looked at so far, pCloud also offers pCloud for Family and pCloud Business plans. There is even a link to the mysterious monthly payment plans. All of these possibilities are found below the main plans, under the heading, “Looking for more?”
pCloud for Family
pCloud for Family is a lifetime, 2 TB plan. It supports up to four users and allows you to control how much storage each user has access to. Each user’s space is private. One thing that’s odd about pCloud for Family is that the pCloud Terms of Service state that no one under the age of 18 is allowed to use the service. This restriction seems to rule out using the family plan if any of your family are children. But that also assumes they are somehow enforcing this restriction.
If you want to hook your entire staff together, pCloud Business might fill the bill. Each pCloud Business user gets 1 TB of storage, and pCloud Crypto as part of the price. This plan supports many of the business features you will want, such as creating teams with group permissions, individualized access levels, shared folders, and activity monitoring. You can check it out here.
pCloud review conclusion
pCloud is an interesting hybrid system, and it may be the perfect cloud storage solution for your needs.
For features like sharing media or streaming videos, they provide a system that is secure against external threats, but potentially accessible to company employees. For true end-to-end security, you need to pay for the optional pCloud Crypto feature, store the files you want to be secure in a special folder, and accept that features like sharing media or streaming videos are simply not possible.
pCloud looks like a great service for content providers to preserve and distribute their products. But from my perspective as a security-first guy, there are too many ways you can go wrong with pCloud. Their software is closed source and their normal security model depends on the company controlling your encryption, not you. You can get better security for your data, but at extra monetary cost and only by giving up features like file sharing for that more secure data.
Is pCloud right for you?
If you are looking for secure cloud storage with complete control, you may want to consider alternatives. They do have the optional pCloud Crypto feature to secure data stored in the Crypto folder. But outside of this, the security of your data is in the hands of pCloud, not you. Given the range of end-to-end protected and completely zero knowledge cloud storage options available, you have other options to consider.