Services like Red Folder are encouraging consumers to store sensitive information in the cloud. But are passwords and account numbers actually safe there?
In the southeast corner of Kathy Burgess’ Woodinville living room sits an oak bookshelf. It holds many of the usual gathering-space knickknacks: scrapbooks, photo albums, gardening books, and the like. But for 30 years, the unassuming bookshelf also held information far more sensitive and far less shareable than family mementos. In the event of an emergency, Kathy knew to go to the red folder in the bookshelf.
Her husband, Christopher, traveled often for his job, but she couldn’t easily contact him while he was away — such is the lifestyle of a Central Intelligence Agency officer’s spouse. Christopher was often stationed across Latin America and Asia, and emergency instructions were held in the red folder. Some of those instructions were innocuous: how to shut off the water main, flip the breaker, start a generator, those types of things. Others were more consequential, such as how Kathy could gather all account information and execute Christopher’s will were he to die overseas.
“If you travel a lot — military and first responders know this — your employer tells you to get your affairs in order in the event of an unfortunate accident,” Christopher says. “Ours was more than just, ‘Gosh, what if I get hit by a truck tomorrow?’ It was more along the lines of, ‘How do we keep the house functioning when you can’t ask a question of me?’”
After his retirement from the CIA in 2005, Christopher Burgess found there was still a need for personal accounts and instructions to be centralized and available in case of an emergency. And while the bookshelf worked well for his wife, that wouldn’t do for friends and family members without access to the living room or in the event of a disaster such as a fire. Burgess’ centralized location of choice was the cloud, and in September he introduced Red Folder, a Web application that allows customers to store online account passwords, documents, instructions, and other personal information for $8 a month.
Products like Red Folder signal a changing tide in the privacy debate. For years, people were terrified of putting even their names on the Web, and instances of hacking still spook consumers. Nevertheless, people volunteer a great deal of personal information via social media, and knowing a username and password is all it takes to access bank accounts. In an attempt to be both convenient and secure, services like Red Folder are asking consumers to store their most personal data online, in the cloud. But is that approach really safe?
By online standards, Red Folder is secure. Anyone attempting to access data must enter a password, an SMS text code, and the encryption key. Only those designated by the owner can access the information, and Red Folder has a time lock feature that delays a designee’s ability to access the account by up to seven days, giving the owner a chance to revoke access. If the time lock passes — which would happen if the owner dies — the designee is let in, but only if he or she has the encryption key available. “We have chosen to be secure instead of overly convenient,” Burgess says. “We designed the security on the premise of ‘trust no one.’”
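The access rules described above can be modeled as a small decision procedure. This is an added illustration, not Red Folder's code: the class, field names, digest-based verifiers and sample secrets are all assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

DAY = 86400
MAX_DELAY = 7 * DAY  # the article gives seven days as the longest delay
FACTORS = ("password", "sms_code", "encryption_key")

def digest(value: str) -> str:
    # Stand-in verifier; a real service would use a slow password KDF.
    return hashlib.sha256(value.encode()).hexdigest()

@dataclass
class DesigneeGrant:
    delay: int                          # owner-chosen time lock, in seconds
    verifiers: Dict[str, str]           # factor name -> digest (hypothetical layout)
    requested_at: Optional[int] = None
    revoked: bool = False

    def __post_init__(self) -> None:
        if not 0 <= self.delay <= MAX_DELAY:
            raise ValueError("time lock must be between 0 and 7 days")

    def request(self, now: int) -> None:
        # The first request starts the clock; repeats must not restart or shorten it.
        if self.requested_at is None and not self.revoked:
            self.requested_at = now

    def revoke(self) -> None:
        # Owner veto: terminal for this grant.
        self.revoked = True

    def decide(self, now: int, supplied: Dict[str, str]) -> str:
        if self.revoked:
            return "denied: revoked by owner"
        if self.requested_at is None:
            return "denied: no request pending"
        if now - self.requested_at < self.delay:
            return "denied: time lock active"
        ok = True
        for name in FACTORS:  # check every factor, so a failure does not say which
            got = digest(supplied.get(name, ""))
            ok &= hmac.compare_digest(got, self.verifiers[name])
        return "granted" if ok else "denied: factor check failed"

# Constructed sample secrets for the demonstration below.
SAMPLE = {"password": "correct horse", "sms_code": "481516", "encryption_key": "k-0000-example"}

def demo_grant(delay: int = 7 * DAY) -> DesigneeGrant:
    return DesigneeGrant(delay, {n: digest(v) for n, v in SAMPLE.items()})
```

The ordering is what matters: the owner's revocation and the time lock are evaluated before any credential is looked at, and an elapsed time lock alone never grants access without the encryption key.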
Burgess cites Edward Snowden’s leaks and the Target and Home Depot account breaches as reasons to back up information through secure online means, but those also highlight the risk of putting any information online.
“When you talk about developing the requirements for the Internet, security for the public was not a concern,” says Barbara Endicott-Popovsky, executive director of the University of Washington Center for Information Assurance and Cybersecurity. “Then on top of that, the Microsoft (Windows) operating system was never designed for that kind of a concern, either. So we started from the beginning with two very basic tools that never had security designed in.”
If you have information online that somebody wants badly enough, Endicott-Popovsky says, a hacker will eventually find a way in. Locked doors and guards provided physical security for mainframes. “But once you wire everything up, you have to assume every device is a potential problem,” she says. This is why companies and governments hire hackers: Someone will inevitably break into your stuff, so you hope your team does it first.
Encryption is not a failsafe deterrent. Endicott-Popovsky says that when storing personal information online, the best bet is to work with large institutions that have built reputation and revenue on security. (Red Folder stores its data on IBM and Amazon Web Services servers.)
A service like Red Folder can never be completely secure, but Burgess says that’s no reason to throw your documents in a safe and bury it in the woods. A good deal of our information is online, whether we like it or not. “When I was younger, the Internet was a choice,” Burgess says, “and now everything is online.”
So consumers have to strike a balance. You want your accounts to be safe, but you want loved ones to access them in the event of an emergency. While Red Folder isn’t an end-all security device, it’s an acknowledgment of our online lives and safer than storing sensitive data on a thumb drive — or in a red folder in the bookshelf.