Kevin writes about Zamzar, a free web-based service that converts audio, video and documents from one format to another (via Download Squad). Sounds cool, but would you trust them with your sensitive data? I don't know about you, but I barely trust Google or Microsoft with this information. Should I trust what appears to be a UK-based startup whose company page provides little, if any, information about the company?
Storage of User Files
When users upload files to be converted Zamzar stores those files on its servers until such time as those files have been converted to the new file format. As soon as this has been done Zamzar removes the original user files from its servers. The converted files remain in place on the servers for users to download, until such time as they expire, at which point they are deleted. Files stored for download are only accessible by Zamzar and through the clickable link generated for download.
Notably absent from their TOS and other policies is any assurance that your link and/or data will not be shared. In fact, they claim limited liability for "unauthorized access to or alteration of your transmissions or data".
There is no mention of how they plan on keeping this "clickable link generated for download" private. The link that is sent includes a UID, which I'm guessing refers to a specific file, and a targetID, which I'm guessing is a hash based on the UID and the e-mail address or something similar.
The real problem is that the link is portable - I can give you the link I created and you can get my document. If you have the link, you have access - it doesn't seem to be tied to e-mail address, IP address, or a password. Worse yet, this link is sent in clear-text in an e-mail, a notoriously insecure communication method. This is inherenly insecure, even before we look at what hashing algorithm they use and so on.
So, I'll ask it again - would you trust Zamzar with your data? Because I certainly won't, sensitive or not.
Another curious thing did catch my eye: they claim UK law and but also assert to be an OSP under the DMCA, which is obviously a US statute. I've looked at a few UK-based ISPs and none have this kind of language in their agreements. If any of my readers know the answer, I'm curious if this would have any implications.