Is it safe to sync private/personal Tomboy notes with Ubuntu One?

Asked by Stuart Metcalfe

Previous questions have asked about the file service, and it seems transfers are encrypted, but the files on the server aren't unless I encrypt them myself on my local system first. Apparently the uploaded files are protected by a password, but how about my notes and other couch-based data? Is it safe to sync private, personal or otherwise sensitive data with Ubuntu One? Who will have legitimate access to that data on the servers, what are the internal policies about accessing user data, and just how secure are your servers from attack?

Thanks

Question information

Language: English
Status: Solved
For: Ubuntu One Client
Assignee: Elliot Murphy
Solved by: Elliot Murphy
Whiteboard: Elliot, I'm assigning this one to you as I think you're likely the best person to answer Stuart's question.
Elliot Murphy (statik) said (best answer):
#1

Hi! Sorry for the delay in answering this; I looked back at answers that need attention and see that there are a bunch that have not yet been answered.

So these questions are pretty open-ended and hard to quantify, but I'll do my best to describe the current policies and let you draw your own conclusions.

The only people who have access to the notes data on the servers are the handful of sysadmins who perform the backups and other necessary system maintenance, with all the types of checks, balances, and logging of activity that you would expect.

Access to your databases in CouchDB is governed by OAuth done over SSL, and anyone is welcome to audit that CouchDB code by looking at the oauth_authentication_handler in the CouchDB source code. The CouchDB that we run on Ubuntu One servers is the same codebase that runs on your laptop, just configured for a server environment. When you get an OAuth token authorizing one of your computers to access Ubuntu One, that same OAuth token grants desktopcouch replication access to your desktopcouch databases in the cloud.

We don't allow internal developers to have access to the production servers or user data, and if diagnosis needs to be done on a production machine it's always done using scripts that have been code reviewed to ensure user privacy is preserved. A developer can probably see the names of your desktopcouch databases in the log files (this is useful to identify problems with replication, for example), but they can't see the names of your notes, the contents of your notes or your OAuth tokens.

Nothing is ever foolproof, so I wouldn't store highly sensitive items like secret keys in Tomboy notes that are replicated to the website, but I'm personally comfortable putting personal info into my notes that get synced with the service. For legal reasons we have a Terms of Service document that limits our liability if something goes wrong, but of course we are all doing our best to make a system that is reliable and safe.
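The answer above describes the access model (an OAuth token, presented over SSL, is what grants replication access to a user's CouchDB databases) without showing what the server actually checks. The following is an added illustration, not code from Elliot Murphy, Ubuntu One or CouchDB's oauth_authentication_handler: it implements OAuth 1.0a HMAC-SHA1 request signing and the matching server-side verification as specified in RFC 5849, which is assumed here to be the signature scheme that handler validates. The hostname, database name, consumer key and secrets are constructed for the example. The point for a defender is that the token secret never travels over the wire (only a signature over the request does), that the verifier must use a constant-time comparison, and that stale timestamps and reused nonces have to be rejected or a captured request could simply be replayed.

```python
"""OAuth 1.0a HMAC-SHA1 signing and verification (RFC 5849), illustrative only.

Names, hosts and credentials below are constructed for this example.
"""
import base64
import hashlib
import hmac
import secrets
import time
import urllib.parse


def pct(value) -> str:
    """Percent-encode per RFC 5849 section 3.6: keep only unreserved characters."""
    return urllib.parse.quote(str(value), safe="-._~")


def base_string_uri(url: str) -> str:
    """scheme://host/path with lowercase scheme and host, default ports dropped, no query."""
    parts = urllib.parse.urlsplit(url)
    host = parts.hostname or ""
    port = parts.port
    default = (parts.scheme == "http" and port == 80) or (parts.scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"
    return f"{parts.scheme.lower()}://{host.lower()}{parts.path or '/'}"


def signature_base_string(method: str, url: str, params: dict) -> str:
    """RFC 5849 section 3.4.1: method & encoded base URI & encoded sorted parameters.

    Query parameters in the URL are included; oauth_signature itself is excluded.
    """
    merged = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query, keep_blank_values=True))
    merged.update(params)
    merged.pop("oauth_signature", None)
    pairs = sorted((pct(k), pct(v)) for k, v in merged.items())  # sort after encoding
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_signature(base: str, consumer_secret: str, token_secret: str) -> str:
    """Signing key is encoded consumer secret '&' encoded token secret (section 3.4.2)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, params, consumer_key, consumer_secret, token, token_secret,
                 timestamp=None, nonce=None) -> dict:
    """Client side: return request parameters plus the oauth_* fields and signature."""
    signed = dict(params)
    signed.update({
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    })
    base = signature_base_string(method, url, signed)
    signed["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return signed


class OAuthVerifier:
    """Server side: the checks an authentication handler performs before granting access."""

    def __init__(self, consumers: dict, tokens: dict, max_skew: int = 300):
        self.consumers = consumers    # consumer_key -> consumer_secret (server-side store)
        self.tokens = tokens          # token -> token_secret (server-side store)
        self.max_skew = max_skew      # tolerated clock drift in seconds
        self.seen_nonces = set()      # (consumer_key, timestamp, nonce) already accepted

    def verify(self, method: str, url: str, params: dict, now: float = None) -> bool:
        now = time.time() if now is None else now
        try:
            consumer_secret = self.consumers[params["oauth_consumer_key"]]
            token_secret = self.tokens[params["oauth_token"]]
            presented = params["oauth_signature"]
            ts = int(params["oauth_timestamp"])
            nonce_key = (params["oauth_consumer_key"], ts, params["oauth_nonce"])
        except (KeyError, ValueError):
            return False                                   # unknown principal or malformed
        if params.get("oauth_signature_method") != "HMAC-SHA1":
            return False                                   # refuse downgrade to PLAINTEXT etc.
        if abs(now - ts) > self.max_skew or nonce_key in self.seen_nonces:
            return False                                   # stale or replayed request
        expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                       consumer_secret, token_secret)
        if not hmac.compare_digest(expected, presented):  # constant-time comparison
            return False
        self.seen_nonces.add(nonce_key)                    # consume nonce only on success
        return True


if __name__ == "__main__":
    # Constructed credentials and endpoint; a real deployment looks these up per user.
    verifier = OAuthVerifier({"desktop-app-key": "consumer-secret-example"},
                             {"machine-token-123": "token-secret-example"})
    url = "https://couch.example.test/notes_db/_changes?feed=continuous"
    req = sign_request("GET", url, {}, "desktop-app-key", "consumer-secret-example",
                       "machine-token-123", "token-secret-example")
    print("first presentation accepted:", verifier.verify("GET", url, req))
    print("replay accepted:", verifier.verify("GET", url, req))
```

The verifier keeps its nonce set in memory, which is fine for a single process; a clustered deployment needs a shared store with entries expiring after max_skew, or the replay check silently stops working across nodes.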

Stuart Metcalfe (stuartmetcalfe) said:
#2

Thanks Elliot Murphy, that solved my question.