If you are looking for an extremely secure cloud storage solution, SpiderOak One Backup could be the answer you seek. It is rich in features and has a lot to offer. But no product is perfect, and there are a few things about SpiderOak One Backup that aren’t ideal. In this review, we’ll give the product a thorough investigation, and lay out the pros and cons so you can decide whether this is the secure cloud storage solution for you.
NOTE: To make this review easier to read, I will often shorten SpiderOak One Backup to “SpiderOak One,” or simply “SpiderOak.” Unless I state otherwise, I will always be referring to SpiderOak One Backup.
Pros
- End-to-end encryption
- “No Knowledge” (zero knowledge) design
- Automatic, unlimited version tracking
- HIPAA and GDPR compliant
- Drag-and-drop backup through Hive
Cons
- Not open source software
- Based in the United States
- Poorly-rated mobile apps
- Browser interface breaks No Knowledge
- No file previews
- No 2FA support for new users
- Higher prices than many competitors
SpiderOak ONE Backup feature summary
Here is a quick summary of the core features of SpiderOak ONE:
- Runs on Windows, Mac OS, Linux, and major browsers
- Android and iOS apps with limited functionality
- Data in transit protected with TLS/SSL
- “No Knowledge” (zero knowledge) encryption using AES-256, HMAC-SHA-256, PBKDF2
- Automatic, unlimited file versioning
- Multiple file sharing options
- Synchronizes across all your devices and browsers
SpiderOak was founded in 2006 to develop online backup solutions. Beyond SpiderOak One Backup, they produce an enterprise-level backup product (SpiderOak Enterprise Backup) and other products.
The company is based in the United States, which you might consider a drawback thanks to the country’s status as the home of the NSA, CIA, and the heart of the Five Eyes intelligence alliance. However, as we will see, the design of SpiderOak One goes a long way toward mitigating any risk caused by the company’s geographic location.
Where does SpiderOak One store user data?
The SpiderOak One datacenters are located somewhere in the midwestern United States. That probably raises a red flag for you, since a rule of thumb in the privacy world is that you do not want your data stored in the United States. It makes sense to assume that any data stored in the USA is accessible to the National Security Agency (NSA) and other US intelligence organizations.
So why are we even discussing this service? Because of their zero knowledge approach to your data.
What is zero knowledge encryption?
Most privacy-oriented services offer end-to-end encryption. This means that your data is encrypted before it leaves your device, and remains encrypted when it is on the service’s servers. Only you can see your data. However, just because your data is encrypted, that doesn’t mean that the service knows nothing.
When you store something, there is more to it than just the data itself. The data is probably stored in a folder. And the files that contain your data have names. A service could provide end-to-end encryption of your data, but still have access to this kind of metadata. For example, Tresorit provides strong end-to-end encryption for all your data. But information about Tresorit’s folders (called Tresors) is not encrypted. This information can include the name of the folder, its size, and which other users have access to that folder. Someone with access to their servers could find out a lot about your activities from this information, even without being able to read your data.
NOTE: There is some controversy in the privacy community about the use of the phrase “zero knowledge.” The phrase is used in a very specific context in cryptography. Per Wikipedia,
a zero-knowledge proof or zero-knowledge protocol is a method by which one party (the prover) can prove to another party (the verifier) that they know a value x, without conveying any information apart from the fact that they know the value x. The essence of zero-knowledge proofs is that it is trivial to prove that one possesses knowledge of certain information by simply revealing it; the challenge is to prove such possession without revealing the information itself or any additional information.
On ycombinator.com, in January 2017, there was a discussion of this issue and the use of zero knowledge in conjunction with SpiderOak’s use of the term. The discussion included participants from SpiderOak. While I haven’t tried to confirm this, it could be why the company now uses the phrase “No Knowledge” to describe their products instead of the more commonly used term, “Zero Knowledge.”
How does SpiderOak One implement zero knowledge encryption?
SpiderOak One calls their implementation of zero knowledge encryption “No Knowledge.” No Knowledge uses 2048 bit RSA and 256 bit AES encryption. Your data, folder names, file names, and so on are all encrypted by the SpiderOak One apps before they leave your device for the servers. Since the company doesn’t have access to the encryption keys your apps use, there is no way for them to decrypt your data. When your data arrives on their servers, it appears as a series of sequentially-numbered, encrypted containers. In other words, no folder names, no file names, nothing is exposed on the servers that discloses anything about your data. As far as what sits on the server goes, that is as private as a hosted backup can be.
However, there is a caveat. Your passphrase must only ever be entered into the SpiderOak One apps for No Knowledge to hold; hand it to anything else and the guarantee is gone. To learn more about this, and why it can be a big problem, see the One Web interface section later in this review.
SpiderOak One Terms of Service
SpiderOak publishes combined Terms of Service (ToS) that cover all their products, including SpiderOak One Backup. The current version of these terms was published June 4, 2016, and is written in pretty clear English. I dug into them to see how they might affect your decision on whether or not to use this secure cloud storage service.
Points of interest in the ToS:
- Use of the service is governed by United States laws. This includes the controversial Digital Millennium Copyright Act (DMCA). See the Criticisms section of the Wikipedia entry for more information.
- SpiderOak claims the right to remove and review files for any reason. For SpiderOak One users this likely has little practical impact: No Knowledge encryption means there is nothing readable for them to review, although they can still delete the encrypted containers.
- The company asks all minors to refrain from using the service and will terminate the accounts of users under the age of 13.
- The company prohibits the following activities on the service and may terminate your account if you do not comply:
- Don’t use SpiderOak in a manner that violates any laws, regulations, ordinances, or directives.
- Don’t use SpiderOak contrary to our policies.
- Don’t use SpiderOak to do anything threatening, abusive, harassing, defamatory, tortious, obscene, profane, or invasive of another person’s privacy.
- Don’t interfere with the proper functioning of any software, hardware, or equipment on SpiderOak.
- Don’t engage in any conduct that inhibits anyone else’s use or enjoyment of our services, or which we determine may harm SpiderOak or our users.
- Don’t monitor or copy any material on SpiderOak, either manually or through automated means (i.e., scraping), without prior written consent.
- They may, “at any time—with or without notice—change, eliminate or restrict access to our services, and modify, suspend, or terminate a user account. SpiderOak is not liable for any damages as a result of these actions.”
- While they strive to protect your data, they do not 100% guarantee that third parties can’t defeat their security measures. This is reasonable as no company can guarantee that.
- To the fullest extent they legally can, they disclaim any warranties and conditions.
- You may sign in and cancel your account at any time. Unless required by law, they will not refund any subscription fees.
- Arbitration of disputes will be done by a single arbitrator under the Commercial Arbitration Rules of the American Arbitration Association (AAA), including the Optional Rules for Emergency Measures of Protection and the Supplementary Procedures for Consumer-Related Disputes, or, by separate mutual agreement, by another arbitration institution.
- You cannot participate in a class action lawsuit.
The full SpiderOak ToS is found here.
Points of interest in the privacy policy:
- The company collects your username and passphrase when you create an account.
- If you select a paid plan, they collect billing information.
- They automatically collect, “data about your device, software, and the operating system you use when accessing our service, approximate amount of data stored on our service, your Internet Protocol address, system-generated error messages for your account, and the date and time of each request you make to SpiderOak.”
- They don’t sell or share your information with third-party advertisers.
- They may share your personal information
- With your consent.
- With third-parties that help them provide the service, including Stripe, PayPal, ZenDesk, and Base CRM. Those companies may have privacy policies that differ from those of SpiderOak.
- If they believe it is reasonably necessary to comply with a law, regulation, or valid legal process. They will notify you that they are going to disclose your information if not prohibited by law or court orders such as 18 U.S.C. § 2705(b), or if they believe it’s necessary to prevent imminent and serious bodily harm to a person.
- With other users if you share files with them.
- If the company is sold or merged with another organization.
- They may disclose aggregated, non-identifying information about their users. The policy doesn’t specify with whom this data may be shared.
SpiderOak One security audits & other third-party tests
I wasn’t able to find a lot of information on third-party testing or certifications. Here’s the info I came across on the SpiderOak website:
SpiderOak’s data centers are SAS 70 Type II compliant. Our data center is considered a Tier 3 data center by the Uptime Institute, with N+1 infrastructure, employs the SSAE-16 audit schedule, physically staffed 24/7.
Beyond that, I did come across this third-party assessment of SpiderOak ONE’s security published by researchers at Aarhus University in January, 2018. The report claimed that the analysis, “…uncovered several serious issues, which either directly or indirectly damage the confidentiality of a user’s files, therefore breaking the claimed Zero-or No-Knowledge property…” The report further states that SpiderOak fixed most of the problems found during the assessment, but that accounts created prior to those fixes could be compromised, even if the user immediately changes their password.
I’m not sure what to make of this assessment. It claims to go beyond previous work analyzing encrypted cloud storage services (ECS) by formally defining, “minimal security requirements for confidentiality in ECS which takes into account the possibility that the ECS actively turns against its users in an attempt to break the confidentiality of the users’ data.” Using these requirements, the report concludes with an indictment of any encrypted cloud storage system that doesn’t require the user to use two different passwords, one for authentication, and one for confidentiality.
If your threat model includes this kind of scenario, in which the encryption service itself turns against its own users, you’ll want to read “Can You Trust Your Encrypted Cloud?” for yourself.
SpiderOak One user interfaces
You can get access to the data you store on the SpiderOak ONE servers through all the user interfaces we have come to expect: desktop apps, mobile apps, and web browsers. But there are issues with the mobile apps and the browser interface that make them less useful than they might be.
Let’s take a look at each of these interfaces now.
SpiderOak One desktop app
The desktop app is the heart of the system. It looks like this when you first launch it:
It is the control center for your piece of the SpiderOak One world. It contains the following five sections:
- Dashboard – A complete view of everything going on. It shows you which devices are connected, what has been, or is currently being synched, how much storage space you are using, and so on.
- Backup – This is where you tell SpiderOak One which files and folders you want it to back up. You can also select specific Categories of files to back up. In this case, SpiderOak ONE will back up the default locations for these types of files on the device, rather than seek out all files of a particular type on the device.
- Manage – Go here to download or delete specific files from whichever device they are on. This is also where you go to access past versions of files.
- Sync – Where you create new synchronizations, and modify or delete existing ones. The Hive (see below) is always synced. The synchronizations you set up here are in addition to that.
- Share – Create a ShareID (a public username) then add files you want to share into a ShareRoom so others can access them.
The SpiderOak One Hive
The Hive folder (Hive for short) is a new folder that gets added to your device when you install SpiderOak ONE. It is the default folder for synchronization. Anything you drop into the Hive is automatically synced to the SpiderOak cloud servers as well as the Hives of any other devices you have connected.
Functionally, the desktop app and the Hive are comparable to their counterparts in other products, such as MEGA. Now we need to look at the other interfaces. In particular, we need to discuss the drawbacks that make them problematic for our purposes.
One Web interface
Because using the SpiderOak One Web interface breaks zero knowledge encryption, I didn’t use it for this review. For reference, here is what the One Web login page looks like. Note the warning circled in red:
If you log into SpiderOak ONE using a web browser, you give the company access to your password:
Logging in via the SpiderOak website does temporarily allow SpiderOak employees access to your password. Due to this exposure, we discourage users from entering your password online if they wish to fully retain No Knowledge privacy.
Combining this with the fact that the SpiderOak One servers are located in the United States means you have to make a decision:
Do you want the strongest possible protection for your data (zero knowledge encryption), or do you want to be able to log into the service from a web browser?
We have seen no reason to doubt SpiderOak’s honesty and desire to protect your data. But the fact that they are located in the United States means they may have no choice in the matter. The US government can force them to surrender any data they have about you, including your password if you happen to expose it by logging in with a web browser, and with that password, anything it decrypts.
In short, if you want the best privacy and security for your data, do not log into SpiderOak ONE from a web browser.
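Three points from this review fit together in one piece of code: the No Knowledge section’s description of data arriving at the server as sequentially-numbered encrypted containers with no names exposed, the Aarhus report’s demand (as summarized above) that authentication and confidentiality rest on separate secrets, and the warning just above that entering your passphrase in a browser undoes it all. The following is an added Python example written for this review; it is not SpiderOak’s code and does not describe their internals. It stretches one passphrase with PBKDF2-HMAC-SHA-256 and splits it, using domain-separated HMAC labels, into an authentication key (which the server sees at login and stores only as a hash) and a data key (which never leaves the client). Because HMAC is one-way, the auth key gives the server no route back to the data key; but if the raw passphrase is handed over, as a web login does, the server can run the same derivation and obtain it, and no second factor changes that, since 2FA guards the login rather than the passphrase. The cipher is a standard-library stand-in (HMAC-SHA-256 counter keystream, encrypt-then-MAC) for the AES-256 and HMAC-SHA-256 the product uses; the iteration count, salt, labels and sample data are assumptions. Note that the report as described goes further than this and wants two separately chosen passwords, so that a weak or leaked authentication password does not also expose the data.

```python
"""Client-side key separation for a No Knowledge backup client.

Added example for this review, not SpiderOak's code.  One passphrase is
stretched with PBKDF2-HMAC-SHA-256 and split into two independent keys:
an authentication key the server sees, and a data key it never sees.
The cipher below is a stdlib stand-in (HMAC-SHA-256 keystream,
encrypt-then-MAC) for the product's AES-256/HMAC-SHA-256.  Iteration
count, salt, labels and sample data are assumptions made for the example.
"""
import hashlib
import hmac
import json
import os
from typing import Any, Dict, Optional, Tuple

PBKDF2_ITERATIONS = 200_000     # assumed; the product's real count is not stated in the review
ACCOUNT_SALT = b"example-salt"  # assumed per-account salt; public, held by the server


def derive_keys(passphrase: str, salt: bytes = ACCOUNT_SALT) -> Tuple[bytes, bytes]:
    """Stretch once, then split with domain-separated HMAC labels.

    The server learns auth_key at login.  HMAC is one-way, so auth_key
    gives it no way back to master or to data_key.
    """
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS)
    auth_key = hmac.new(master, b"authentication", "sha256").digest()
    data_key = hmac.new(master, b"data-encryption", "sha256").digest()
    return auth_key, data_key


def server_register(auth_key: bytes) -> bytes:
    """The server keeps a one-way verifier, not the auth key itself."""
    return hashlib.sha256(auth_key).digest()


def server_login(verifier: bytes, presented_auth_key: bytes) -> bool:
    """Constant-time check of the presented auth key against the verifier."""
    return hmac.compare_digest(verifier, hashlib.sha256(presented_auth_key).digest())


def data_key_from_web_login(passphrase: str, salt: bytes = ACCOUNT_SALT) -> bytes:
    """What a server can compute once a browser hands it the raw passphrase:
    the same derivation the client runs, so the data key is no longer secret."""
    return derive_keys(passphrase, salt)[1]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA-256 (stand-in for AES-CTR)."""
    blocks = [hmac.new(key, nonce + i.to_bytes(8, "big"), "sha256").digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _subkeys(data_key: bytes) -> Tuple[bytes, bytes]:
    """Separate encryption and MAC keys so neither is reused for the other."""
    enc_key = hmac.new(data_key, b"enc", "sha256").digest()
    mac_key = hmac.new(data_key, b"mac", "sha256").digest()
    return enc_key, mac_key


def seal(data_key: bytes, seq: int, name: str, content: bytes) -> Dict[str, Any]:
    """Encrypt file name and content together.  The stored container carries
    only a sequence number, a nonce, ciphertext and a tag: no name leaks."""
    enc_key, mac_key = _subkeys(data_key)
    plaintext = json.dumps({"name": name, "content": content.hex()}).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    return {"seq": seq, "nonce": nonce, "ct": ciphertext, "tag": tag}


def open_container(data_key: bytes, container: Dict[str, Any]) -> Optional[Tuple[str, bytes]]:
    """Verify the tag before decrypting; None on a wrong key or tampering."""
    enc_key, mac_key = _subkeys(data_key)
    nonce, ciphertext, tag = container["nonce"], container["ct"], container["tag"]
    expected = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    obj = json.loads(plaintext)
    return obj["name"], bytes.fromhex(obj["content"])


if __name__ == "__main__":
    passphrase = "correct horse battery staple"     # constructed sample passphrase
    auth_key, data_key = derive_keys(passphrase)
    verifier = server_register(auth_key)             # all the server needs to keep
    assert server_login(verifier, auth_key)
    container = seal(data_key, 1, "taxes-2019.pdf", b"constructed file body")
    print("server sees container", container["seq"], "->", container["ct"][:8].hex(), "...")
    print("client reads back:", open_container(data_key, container))
    # A web login hands over the passphrase itself; now the server has data_key too.
    assert data_key_from_web_login(passphrase) == data_key
```

The useful check is the last line of the demo: nothing the client sends during a normal login (auth_key) lets the server recover data_key, but a web login that transmits the passphrase gives the server everything the client has. That is the precise sense in which the browser interface “breaks” No Knowledge.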
SpiderOak One mobile apps
You can get SpiderOak ONE apps for Android devices, as well as iPhone and iPad. However the apps get surprisingly bad reviews by users. Here’s what the Apple App Store page looks like:
iPhone & iPad
Apple fans clearly don’t like the SpiderOak ONE app for iPhone and iPad. The app only has 47 reviews, and a rating of 2.2 stars out of 5. That’s horrible.
But the picture is even worse on the Android side:
With over 2,200 reviews, the Android app gets a rating of 1.9 out of 5 stars.
What’s going on here? From skimming the reviews posted in both app stores, there seem to be two types of complaints. One complaint is that the apps have limited functionality. You can’t save files to your SpiderOak ONE account from the apps. You only have read access to files that have been saved using the desktop apps. While this is a big drawback in my opinion, it is clearly stated in the description of the app.
The other complaint is more damning. Apparently, many users find that the apps don’t work at all. Based on user comments, errors, crashes, and hangs seem to be extremely common.
If using your secure cloud service from your mobile device is important to you, you should probably look elsewhere.
SpiderOak hands-on testing for the review
For this SpiderOak review, I installed the desktop SpiderOak ONE client on systems running Microsoft Windows 10, and Ubuntu Mate 18.04.
Installing SpiderOak ONE
Installing the SpiderOak desktop client was simple on both the Windows and Ubuntu machines. Download the installer, launch it and let it install the desktop app and create the Hive folder. You’ll of course need to create an account with a username and passphrase.
NOTE: To be sure you have the latest version of SpiderOak ONE, download the installer from this page.
Once you have the desktop installed, you are all set to go, with anything you put into the Hive folder automatically being synced to the SpiderOak servers and any other device you are running the client on.
If your backup needs are more complicated, you can select specific files and folders to be synced, or categories like Documents and Music. You can also do things like back up certain files or folders to the cloud and sync them to other devices by making adjustments in the Sync section of the desktop app.
I had no problems with this part of SpiderOak ONE. But after seeing the ratings and reading the reviews of the mobile apps, I opted out of testing them. Similarly, seeing that using the ONE Web interface can break security, I avoided that altogether.
Additional SpiderOak One features
We’ve covered the most interesting features of SpiderOak already in this review, but there are a couple of additional features I did want to point out:
1. Multiple file sharing options
Earlier we touched on one of SpiderOak’s file sharing options, ShareRooms. These are special folders that others can access even if they don’t have a SpiderOak account. Give them the ROOMKEY and they can download a copy of the folder and all its contents. But you don’t have to set up and populate a ShareRoom if all you want to do is share a single file.
In the Manage section of the desktop client you can select a file and have the app create a shareable link to it. Anyone can use this link; they don’t need to have a SpiderOak account. The link will expire automatically after three days.
2. Fine control over scheduling and file selection
SpiderOak can Backup files, Sync them, and Share them. You may use all these facilities, but depending on your use case, you may want control over how frequently each of them occurs. For example, you might want Backup to happen as soon as a file changes, but want to Sync or Share those changes on a more relaxed schedule. Similarly, you might not want to sync really large files, really old files, or certain types of files and folders.
These kinds of adjustments are easy to make through the Preferences option in the SpiderOak One desktop client. Open the Preferences dialog box and select the Backup option to set maximum file sizes and ages for backups. You can also exclude files and folders matching specific wildcard strings such as: “.iso,” or “Windows.”
Select the Schedule option to control how often Backups, Syncs, and Shares will occur.
SpiderOak One Support
SpiderOak Support is a single site that handles all the products published by SpiderOak (the company). The specific information we might need is in the One Backup section of the site. The site contains over 200 detailed articles covering most topics you might need information about.
This is great, since the company gives you only one way to get human support. If an article doesn’t give you the information you need, the page gives you the option to submit a support request. There is no telephone support or live chat support provided.
How secure and private is SpiderOak One Backup?
Let’s try to sum up the security and privacy provided by SpiderOak One.
Since SpiderOak is based in the United States and stores your data there, airtight security is very important. While there is no system in existence that can guarantee 100% security against every threat, SpiderOak’s No Knowledge design makes me more comfortable trusting them with important data than I would otherwise be.
There are two main security concerns here, both of which we touched on a bit earlier: the One Web interface, and the security assessment conducted by university researchers in 2018. The first aspect is easy. If you use the One Web interface, you will break the security of your data. While there is no reason to think that SpiderOak would want to compromise your data, the fact that your password is available to them (or to anyone who has broken into their systems) means that your data is not secure.
I don’t know enough about the internals of the SpiderOak system to know if two factor authentication (2FA) would fix this problem. But it doesn’t really matter, since SpiderOak doesn’t offer 2FA for new users.
The security assessment seems more a blanket indictment of the majority of secure cloud storage services. If you are concerned, check out the report for yourself.
SpiderOak One Backup gives you a free 21-day trial. You don’t need to enter a credit card or other payment information to take advantage of this plan.
If you want to go further with SpiderOak, you have four pricing plans to choose from. The prices are somewhat higher than those of competing products, especially when you consider the issues with their mobile apps and browser interface.
SpiderOak ONE Backup review conclusion
After examining everything for this SpiderOak review, I have very mixed feelings about the service. The core product and its desktop interfaces are smooth and cover all the bases. But when I look at the rest of the package, it throws up some big red flags. The mobile apps are very limited in capabilities. And judging from the comments posted by users in both the Google and Apple app stores, they just don’t work very well. The browser interface would probably be fine, except for breaking the No Knowledge design by exposing the password.
Even if you are okay with those drawbacks, the price per GB of storage is a lot higher than that for other services.
Is SpiderOak ONE right for you?
As someone looking for secure cloud storage, I can’t recommend this product to you. While there are definitely things I like about it, I think you can get better usability and better value with some of the other services I’ve reviewed.