Data Privacy Week Spotlight: Backups
This week is Data Privacy Week. To celebrate, this week I will be making a series of short blog posts highlighting tools, services, products, and techniques that I feel are underrated to help improve your privacy.
Today I want to highlight backups. This is a little more security than privacy, but there’s still some privacy involved here, too. First off, let me say: backups are important. A lot of us overlook having good backup practices because it’s one of those things that you never really think about until you need it. Even I’m guilty of occasionally being late with making my backups. It happens to the best of us. There’s two good practices to follow with backups. First is the 3-2-1 rule: 3 copies of your data (one being your “live” in-use copy), 2 different mediums (like an external hard drive and a USB stick) and 1 offsite (such as a cloud). The second “best practice” is to use automatic backups if that’s available to you. This way you don’t have to worry about accidentally putting off your backups for too long and having outdated, useless backups when disaster strikes. I talk all about how to design good backup strategies on this page.
This is where privacy comes in. If you’re following the 3-2-1 rule, then you’re supposed to have at least one copy of your data stored offsite. How can you do this privately? There’s a few options. What I do is I have an encrypted 4 TB external hard drive that I keep at home where I store every backup, going back as far as possible, at least one year. Then, at my day job office, I store an encrypted USB with only the latest, most recent backup on it. It’s encrypted so that if we ever got robbed, if one of my coworkers started snooping, or if I just got suddenly fired and never returned to the office again, my data would still be safe. I’m usually in the office at least once per week, so I can keep that USB updated regularly. If you are 100% “work from home” or don’t work in an environment where it’s feasible to store your backup device you could also consider storing at a close friend’s house or something like that. Of course, these are just offline backup ideas. Storing on the cloud is much simpler and direct.
No matter where you choose to store your data – be it at a physical location you frequent and update or on the cloud – the biggest concern is keeping it private. When I make my backups, EVERYTHING is there. I’ve mentioned before that I have a small interest in disaster prepping, which means that in addition my password database I also have lots of sensitive documents like scans of passports and social security cards, digitized medical records, and documentation on things like insurance and leases. (There’s also things like backups of emails with consulting clients and other confidential communications.) I don’t want this information exposed, so no matter how I decide to backup my data, I have to make sure this stuff is protected. As I said, my preferred solution is to be entirely offline, but others may want something more convenient and readily accessible for any number of reasons: aka, “The Cloud.” My ideal recommendation for cloud backups is something zero-knowledge. Nextcloud is the poster child for the privacy community, but ProtonDrive, Sync.com, or even Filen.io are all popular choices. However, as noted on the page I listed earlier, each of these services comes with drawbacks. While you may decide these are not dealbreakers, some may want to pick more vetted, reliable services like Google Drive or Dropbox. In this case, I recommend the use of a service like Cryptomater or Veracrypt to ensure that your files are hidden from possible rogue employees, unwanted snooping, and automated scanning. Again, I go in-depth on how to set up an encrypted container on the Backups page of my website, so consult that for details.
No matter what option you go with, remember to keep regular backups and keep them protected from prying eyes. This is a critical but frequently overlooked technique in the privacy community. Happy Data Privacy Week!