Homeland Security wants to “borrow” your PC

As reported by Ellen Nakashima, Washington Post Staff Writer, on Friday, August 1, 2008, federal agents may take a traveler's laptop computer or other electronic device to an off-site location for an unspecified period of time without any suspicion of wrongdoing, as part of border search policies the Department of Homeland Security recently disclosed. An increasing number of international travelers have reported that their laptops, cellphones and other digital devices had been taken -- for months, in at least one case -- and their contents examined.

Personally, I'd be pretty bent out of shape if Homeland Security took my laptop the next time I came through customs. But apparently this is happening with increasing frequency and with no explanation and no requirement that it be returned in any reasonable period of time. Putting civil liberties and privacy issues aside, I've got a lot of valuable stuff on my laptop that I need for my business, not to mention family pictures and all the music I love to listen to while traveling. Plus, I'd have to go out and get a new laptop because I couldn't be sure when I'd be getting the other one back – that would set me back $1500, not including the software that I've purchased.

So a word of caution for anyone traveling outside the US – back up your PC online. If you have Carbonite and you open your laptop in the Hong Kong airport, Carbonite will automatically back up the work you've been doing while you're on the road. At least then you can be back in business quickly if your computer gets taken by our government on your return.

And if you're really worried about the privacy of your files, encrypt them on your laptop (I wonder if they can force you to give them the key?) and when signing up for Carbonite, choose to keep your own encryption key. That way, if they come to us with a court order, all we'll be able to turn over are your encrypted files. With the kind of encryption we use, these would be pretty useless without a huge effort. (But, if you choose to manage your own key, don't lose it, because there's no way to get your files back without it.)

Me personally, I'm going to write to my representatives. I don't like the idea that the government can go on a fishing expedition on a US citizen without probable cause. It's chilling!


Dave
CEO, Carbonite

Do you have a secure online backup provider?

Recently, online storage space startup divShare announced on their blog a recent security breach by "a malicious user." Lucky for them, only basic profile information available through the database was accessed during the intrusion. But the important question here is what else could have been taken by a more skilled trespasser?

Many people think that backup is a simple application – what's so hard about backing up a PC? I remember one of my MIT students grousing about Google's success: "Anyone can write a search engine," he said. Backing up the data is not the problem. The problem is dealing with huge volumes, millions of database transactions, hundreds of thousands of customers, and all the complexity that this implies – all while making sure that there is 100% security. Carbonite backs up over 50 million new files every day without losing any of them. Like any other web site, we constantly get attacked by hackers, but we have enough security measures in place that these attacks are always unsuccessful. As I mentioned in a previous post, Carbonite was one of only two backup services that the guys at Heise Security weren’t able to crack.

If you’re doing your engineering properly, online backup can be made to be extremely secure. For instance, Carbonite starts with encrypting the data BEFORE it leaves your PC so that by the time we get it, it's already useless to an intruder in the very unlikely event that someone actually gains access to our system. We also make sure that the authentication is rock solid, so that there are no "man in the middle" vulnerabilities. And, we actually pay people to constantly test our defenses.

After we get your encrypted files, we want to make sure that we don't lose them, so we store all your data on RAID-6 redundant arrays that are 36 million times more reliable than a single drive.  The main Carbonite data center is located in a "bomb-proof" building, alongside those of major Boston financial institutions and telco companies.

Online backup is a hot area right now and you'll see more startups entering the space over the next couple of years.  Not all of them will know enough about security to be really bullet-proof.  It isn't easy or cheap, but I can tell you that for Carbonite it's a live-or-die proposition. 


Dave
CEO, Carbonite

Carbonite Data Center: Security, Encryption and Redundancy

Several people have asked me to post a description of our infrastructure. As I mentioned in my previous post about HP’s infrastructure difficulties, "HP Upline and the challenge of large scale backup," keeping billions of files safe is no small task.

The first thing you should know about our architecture is that we never handle unencrypted data. Carbonite encrypts all files before they leave your PC. We use 448-bit Blowfish encryption. I’ve been told that Blowfish has never been cracked. It is the strongest commercial encryption on the market.

Carbonite employs the most sophisticated firewalls and intrusion detection systems available. We pay a professional hacker firm to attack the data center constantly, looking for security holes. I think our defenses are as good as most banks. Heise Security recently wrote about how they hacked into many of our competitors’ backup systems but were unable to hack into Carbonite. Their so-called “Man-In-The-Middle” test attack is something we designed against from the beginning. Frankly, I was amazed that most of the other vendors were so easily hacked by these guys and that backed-up files were either compromised or deleted.

At our secure data center, your data is stored on arrays of 1-terabyte enterprise-grade drives. Carbonite uses RAID-6 redundant arrays which spread copies of the data across multiple hard drives. Each array has 16 drives. Three of the 16 would have to fail simultaneously and the user’s PC would have to crash at the same time before any data would be lost. These RAID-6 arrays are 36,000,000 times more reliable than the hard drive in your computer. We have redundant power, redundant Internet connections, redundant Web servers and so forth. The data center is guarded 24 hours a day, seven days a week; and admission is controlled by fingerprint ID locks.

As you can imagine, we use a lot of bandwidth. We currently back up over 40 million new files every day and we have over 7 billion already backed up. Given the amount of bandwidth we use, it’s best to be located in a major telecoms center where multiple carriers converge. Therefore, we chose to build our data center in one of those so-called “bomb-proof” buildings with all the major Boston financial institutions and telcos.


Dave
CEO, Carbonite