Cloud storage is nearly universal. Dropbox, OneDrive, Google Drive, and iCloud collectively hold a staggering portion of the world’s personal files — documents, photos, tax returns, medical records, contracts, private notes. Most people assume these services are private in the way a safety deposit box is private: the provider holds it, but can’t see inside.
The analogy doesn’t hold. Here’s what the major cloud storage providers actually have the right to do with your files — and why their “encryption” doesn’t change that.
What “Encrypted at Rest” Actually Means
Every major cloud storage provider encrypts files at rest. This is widely advertised as a privacy feature. It protects against one specific threat: an external attacker who physically steals drives from a data centre. Against that scenario, encryption at rest is meaningful.
Against the scenario most users are actually concerned about — the provider reading or using your files — it provides no protection at all.
Why not? Because the provider holds the encryption keys.
When Dropbox, OneDrive, or Google Drive encrypts your files, they generate and store the keys used for that encryption. They can decrypt your files whenever they choose. You are trusting them not to — which is a different thing from them being technically unable to.
This distinction matters more than most users realise. “Encrypted” in a cloud storage context almost always means “encrypted with the provider’s keys.” You are the beneficiary of their security practices, not the holder of the keys. The lock is on their side of the door.
What the Privacy Policies Actually Grant
Cloud storage privacy policies are long documents that most users never read. They contain language that would surprise most people who assume their files are private.
Dropbox’s privacy policy grants them a licence to “access, use, store, cache, reproduce, transmit, display, copy, modify, and create derivative works” of your files. The licence exists “to provide the services” — but it’s a broad grant that goes well beyond simple storage.
Google Drive’s terms include a licence to “host, store, reproduce, modify, create derivative works” of your content. Microsoft’s OneDrive terms include provisions that allow Microsoft to access content “when required to enforce their policies, comply with applicable law, and resolve disputes.”
None of this means these companies are actively reading your files. It means they can — and their legal obligations to governments, their business interests in AI development, and their own policy enforcement needs all create scenarios where they might.
The key question isn’t whether a provider chooses to read your files today. It’s whether anything prevents them from doing so tomorrow, under different circumstances, with different business incentives, or under legal compulsion.
Government Requests and Your Files
One of the most concrete consequences of provider-held encryption keys is what happens when governments request your data.
In the US, under Section 2703 of the Stored Communications Act, law enforcement can obtain stored cloud data with a subpoena (no warrant required for content older than 180 days), a court order, or a warrant. Similar mechanisms exist in the EU, UK, Australia, and most other jurisdictions where major providers operate.
When a storage provider holds your encryption keys, they are legally able to provide plaintext content in response to a valid legal order. They cannot say “the data is encrypted and we can’t access it” — because they can.
All major providers publish transparency reports disclosing how many government requests they receive and honour. The numbers are not small. Google receives hundreds of thousands of requests per year globally; Microsoft and Dropbox receive fewer but still substantial numbers. The overwhelming majority are granted.
This is not a criticism of providers’ compliance teams — they are following applicable law. The point is that your files are exposed to whatever legal process applies to the provider you’ve chosen, regardless of your own relationship with law enforcement.
If you work as a journalist, a lawyer, an activist, or in any field where professional privilege or source protection matters, this exposure is not theoretical.
AI Development and Incentive Structures
A more recent concern: cloud storage providers are also AI companies, or are deeply partnered with AI companies.
Microsoft invested billions in OpenAI. Google builds frontier AI models. Dropbox has integrated AI features throughout its product. All of these companies have strong incentives to use the data they hold to train, fine-tune, and evaluate AI systems.
The question of whether files stored on cloud services are used in AI training is often left deliberately ambiguous in privacy policies. “Improving services” and “developing new features” are standard terms that have been interpreted to cover a wide range of internal uses. Providers generally claim they don’t use personal files for AI training. But voluntary commitments made under competitive and regulatory pressure are different from architectural constraints that make the practice impossible.
The pattern in adjacent areas — photo storage, email, browsing data — is of companies finding that the broad language in their terms permitted uses that users would not have consciously accepted. By the time enforcement catches up, the data has already been used.
Zero-Knowledge Encryption: What Private Storage Actually Looks Like
Some storage providers — Tresorit, Proton Drive, and a few others — offer what’s called zero-knowledge or client-side encryption. This is meaningfully different from what the major providers offer.
In a zero-knowledge system, your files are encrypted on your device before they’re uploaded, using keys derived from your password or stored locally. The provider’s servers receive only ciphertext. The provider never has your encryption keys. They cannot decrypt your files even if compelled to — because they technically cannot.
This is the standard that “private cloud storage” should mean, and mostly doesn’t.
The trade-offs are real. Zero-knowledge encryption generally means no server-side search, no server-side AI features, and no account recovery if you lose your key. These are meaningful limitations. They’re also the price of genuine privacy — the kind that doesn’t depend on trusting the provider.
Understanding this distinction is the first step toward choosing storage that matches your actual privacy needs, rather than the privacy story a marketing page tells.
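To make the key-custody distinction concrete, here is an added Python example (not code from this article or from any provider named in it) that models the two designs described above: encryption at rest with a provider-generated key that is kept next to the data, and zero-knowledge client-side encryption with a key derived on the device from the user's password. The function names, the in-memory provider record store, the sample file contents and the password are constructed for the demonstration. Because the Python standard library has no AES, the keystream is HMAC-SHA256 in counter mode, used here as a stand-in for the AES-256 the article refers to; the custody argument is identical either way.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample "file" for the demonstration (not real data).
SAMPLE_FILE = b"tax-return-2023.pdf: taxable income 54,200; account ending 4417"


def derive_key(password: str, salt: bytes) -> bytes:
    """Derive a 64-byte key from the user's password with PBKDF2-HMAC-SHA256.
    The password never leaves the device, so the provider cannot rebuild this key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=64)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: a stand-in for AES-CTR/GCM,
    # which the standard library does not provide.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce (16) || ciphertext || tag (32)."""
    enc_key, mac_key = key[:32], key[32:]
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key (or tampered data) is rejected outright."""
    enc_key, mac_key = key[:32], key[32:]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def server_side_upload(provider: dict, name: str, plaintext: bytes) -> None:
    """'Encrypted at rest' as mainstream providers do it: the provider generates
    the key, encrypts on its own servers, and stores the key beside the ciphertext."""
    key = secrets.token_bytes(64)
    provider[name] = {"blob": encrypt(key, plaintext), "key": key}


def client_side_upload(provider: dict, name: str, plaintext: bytes, password: str) -> None:
    """Zero-knowledge model: the device derives the key from the password and
    uploads only a salt and ciphertext. No key material reaches the provider."""
    salt = secrets.token_bytes(16)
    provider[name] = {"blob": encrypt(derive_key(password, salt), plaintext), "salt": salt}


def provider_reads(provider: dict, name: str) -> Optional[bytes]:
    """What can be recovered using only the provider's own storage, i.e. what a
    legal order served on the provider, or a breach of its infrastructure, yields."""
    record = provider[name]
    if "key" in record:
        return decrypt(record["key"], record["blob"])
    return None  # only a salt and ciphertext: there is nothing to decrypt with


def user_reads(provider: dict, name: str, password: str) -> bytes:
    """The user's own download: re-derive the key from the password on the device.
    A forgotten password raises ValueError; the provider cannot help recover it."""
    record = provider[name]
    return decrypt(derive_key(password, record["salt"]), record["blob"])


if __name__ == "__main__":
    store = {}
    server_side_upload(store, "tax-return.pdf", SAMPLE_FILE)
    client_side_upload(store, "tax-return-zk.pdf", SAMPLE_FILE, "correct horse battery staple")
    print("provider-held key   ->", provider_reads(store, "tax-return.pdf"))
    print("zero-knowledge      ->", provider_reads(store, "tax-return-zk.pdf"))
    print("user with password  ->", user_reads(store, "tax-return-zk.pdf", "correct horse battery staple"))
```

Running the demo shows the two outcomes the article contrasts: for the server-side record, `provider_reads` returns the full plaintext because the key sits in the same store as the ciphertext, which is exactly the position a provider is in when a valid legal order arrives or when an attacker reaches both the data and the key store. For the zero-knowledge record it returns `None`, and `user_reads` with a wrong password raises rather than returning garbage, which is the flip side the article notes: no account recovery, because there is no one else who holds the key.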
What Happens When a Provider Is Breached
Provider-held keys also matter in breach scenarios. If a cloud storage service is compromised and an attacker gains access to both encrypted files and the keys used to decrypt them, users’ content is exposed.
Dropbox disclosed in 2022 that attackers accessed employee credentials through a phishing attack, compromising customer data. Similar incidents at other providers have exposed records at scale. The relevant question in any breach is what the attacker obtained — encrypted files alone, or encrypted files plus the keys needed to read them.
When the provider holds the keys for operational reasons (as all major providers do), the keys and the files typically reside in related infrastructure. A sufficiently sophisticated attacker who can reach one can often reach the other.
This makes external attackers a meaningful risk, though in practice a lower-probability risk for most users than the structural issues described above. But it adds to the overall picture of what “encrypted cloud storage” with provider-held keys actually protects against.
The Business Model Question
There’s a structural reason why free and inexpensive cloud storage tends not to be genuinely private: the economics don’t work otherwise.
Storing data at scale costs money — servers, bandwidth, redundancy, engineering, support. When a service is free, or priced below cost at a few dollars per month, those expenses must be covered somehow.
For the major providers, that “somehow” involves advertising (Google), ecosystem lock-in and enterprise upselling (Microsoft), and feature upselling (Dropbox). In all these models, knowing more about what you store makes the core business more effective. Your files are an asset to the extent that the provider can derive value from knowing about them.
Privacy-first storage requires a business model funded by storage fees — one where the revenue comes from users paying for the service, not from the service extracting value from user data. These models exist but are less convenient than the defaults.
The Practical Standard for Private Storage
If you’re evaluating cloud storage with privacy as a genuine criterion, here’s the minimum standard to apply:
Zero-knowledge or client-side encryption. Your files should be encrypted before they reach the provider’s servers, with keys only you control. “Encrypted at rest” is table stakes, not a privacy feature.
Explicit, categorical policy on AI training. The provider should state clearly that your content is never used to train AI models — for them or for third parties. Generic claims about “not selling data” are insufficient; AI training doesn’t require selling.
No advertising revenue. Providers funded by advertising have structural incentives to learn more from your files. Subscription-funded providers have fewer such incentives by design.
Clear data retention and deletion policies. When you delete a file, when does it actually stop existing on the provider’s systems? Many providers retain deleted data for “backup” periods measured in months. A provider committed to genuine privacy should answer this specifically, not vaguely.
Jurisdiction. Where a provider’s servers are located determines which governments can issue legal process against them. For most users this is a secondary consideration; for high-risk users it’s a primary one.
How daftei Fits Into This Picture
daftei is a personal memory and file vault for photos, voice notes, and documents. Every file is encrypted at rest with AES-256 and in transit with TLS 1.3. daftei doesn’t run advertising, doesn’t sell user data, and doesn’t use your files to train AI models for third parties — these are categorical commitments, not aspirational marketing claims.
daftei uses server-side encryption rather than zero-knowledge client-side encryption — a distinction worth being transparent about. This means daftei holds encryption keys, and daftei’s commitments are matters of trust and policy rather than technical impossibility.
The difference between daftei and the major providers is the business model: daftei’s revenue comes from subscription fees, not from deriving value from user data. There is no structural incentive to access your content.
The 5 GB free tier lets you evaluate the product without a financial commitment. Unlimited storage is available on Pro at $5.99/month or $44.99/year. daftei is GDPR and CCPA compliant, meaning you have verifiable rights over your data — including the right to delete it permanently, with a 30-day grace window before irreversible erasure.
Making an Informed Choice
The larger point is this: most people have never consciously decided where their files live. They accepted the defaults — iCloud because they have an iPhone, Google Drive because they use Gmail, OneDrive because their work laptop came with Windows. The major providers have benefited enormously from this passivity.
The default choice is a legitimate choice if it’s made with understanding. If you’ve considered what your cloud storage provider can access, how it’s used, and under what circumstances it might be shared — and you’ve decided the convenience trade-off is worth it — that’s a reasonable conclusion for many users.
The problem isn’t that the major providers are deceptive. It’s that most users believe their files are private in a sense that the providers’ own terms don’t support. Closing that gap requires reading the fine print once and deciding accordingly.
Where your files live is a decision that affects what you can share privately, what governments can access about you, and what an AI company might know about your life. It deserves to be made deliberately.