Carbonite Can Decrypt Your Data

October 2, 2009 – 11:01 AM

Yes, your data is encrypted before it gets sent up to their servers for storage (via an SSL connection), but Carbonite keeps a copy of the decryption key on their servers in case they need to decrypt it for various reasons. It’s stated in their Privacy Policy so it’s not a huge secret, but I wanted to make sure that everybody knows that backing up your data with Carbonite is not as private as you may think. Here’s the section of the Privacy Policy that reveals this:

Carbonite encrypts the files that we process before they leave your computer. Carbonite uses SSL or similar Transmission Encryption technology before sending your files to our data centers. Your encrypted backup files transmitted to our servers are stored in facilities with access restricted to authorized personnel only. Carbonite does not encrypt the file names or file type information.

By Using the Carbonite Product that permits you to download your backed up files to any computer that has a connection to the Internet you understand that Carbonite will be decrypting these files before they leave Carbonite’s servers and that once decrypted these files can be reviewed by anyone who may be able to access them.

Carbonite will not decrypt your files unless i) it reasonably believes that it must do so to troubleshoot problems with the Carbonite Products or Services or ii) it reasonably believes it must do so in order to comply with a law, subpoena, warrant, order, or a certification requirement, such as the requirements of 18 U.S.C. § 2703.

However, if you elect to Use Carbonite Products or Services that permit you to access Backup Data from an Internet enabled computer other than by using Carbonite Software on your registered computer, then your Backup Data will be decrypted by Carbonite in its data center and sent to you in a decrypted form via public infrastructure. Your election to use such products or services may make the contents of these files accessible to individuals or entities other than you and those you intend. By using such products and services, you knowingly accept this risk.

Carbonite might still be the best choice for some users who want an easy backup solution, but just understand the risks. I never count out disgruntled, or just plain curious, employees that have full access to all of your files.

2 Responses to “Carbonite Can Decrypt Your Data”

  1. I wonder if this applies where a customer chooses their own encryption key.

    Now that would be a _real_ worry.

    By None on Apr 17, 2010

  2. The same would apply. They need a copy of the key to decrypt the data.

    By manunkind on Apr 18, 2010
