Hello again DONATION advisors. Thanks to all of you who responded to my post yesterday about proposed backup and restore improvements.
Unfortunately, I thought of something else significant after making that post, which I’d also like to ask you about.
I considered this some time ago, and rejected it in favour of the email backups option I added, but I’m again considering adding an option to backup to “the cloud”, i.e. remote Internet-based storage. It might be on my own web server, or I might use a service like Amazon’s S3 (Simple Storage Service).
The idea would be that as an option, following every regular backup, an encrypted version of your backup would also be sent to the online storage. Obviously this would slow things down, depending on your Internet speed and the size of your database backups, but it would give an additional enormous level of security for your backups.
One big concern would be distinguishing everyone’s backups from everyone else’s. My thought is that the first time you went to use an online backup, a special guaranteed unique ID would be generated for you, and stored in your database. That key would be used to identify your backups online. It would also be transmitted to me (the first time) so that if you somehow lose everything on your computer and all local backups you have made, you can request the key from me, re-enter it into a new copy of the program, and then retrieve that online backup.
There are a couple of options for how the encryption could work. Obviously, it would have to be based on an encryption key.
One option is to just have you provide the key, and also store it in your database for re-use each time you do an online backup (or restore). That’s like how the current email backups work – you provide the key, and if you forget it, you are completely out of luck. It would be the same with this. (I would not suggest that you send me the key – I should have no access to your data.)
Another option would be for me to have a secret way of generating the key from your unique ID, and just use that generated encryption key.
Both methods are succeptible to cracking (though with significant difficulty!). If someone knew your unique ID, they could enter it into a copy of DONATION, and get back your encrypted database. At that point, with the first option (you provided the key), standard methods could be used to guess obviously bad keys (like “password”!) which some percentage of users always use. With the second option (I create the key in a secret way from your unique ID), a very skillful programmer might be able to reverse engineer my program to determine what my secret way was.
And of course, anyone with access to your current database could also get access to your backups stored online. But that doesn’t seem like a big concern, since they already have access to your current database!
There are also privacy concerns in terms of national legislation like the US Patriot Act, which as I understand it gives the US government the right to inspect any data that is stored in the USA, and to demand any required encryption keys from the data’s owner. Apparently there is somewhat similar legislation here in Canada, and Canadian privacy legislation may forbid the storage of such information in the USA. One option with Amazon’s storage is to store the data in their facility in Ireland. I’m guessing that could cause slightly longer transmission times, but might address this issue. Or perhaps users just aren’t that concerned – generally the IRS in the USA or the CRA in Canada would have the right to audit you, including seeing any donation information, anyways!
My web server is in Vancouver, so storing the data there (or in some Canadian cloud storage provider) would at least eliminate the Patriot Act concerns.
Because there is a cost to online data storage (though it’s quite minimal!) I don’t see retaining unlimited numbers of backups from each user online. Perhaps the last 3?
Any thoughts about all of these points, and the general idea? Many thanks!