How secure is Windows Live SkyDrive?
One of the most notable features of Office 2010 is that you can save directly to the Web, without any fuss. In most of the applications this option is accessed via the File menu and the Save & Send submenu. Incidentally, this submenu used to be called Share, but someone decided that was confusing and that Save & Send is less confusing. I think they are both confusing; I would put the Save options under the Save submenu but there it is; it is not too hard to find.
Microsoft does not like to be too consistent, so OneNote 2010 has separate Share and Send menus. The Share menu has a Share On Web option.
What Save to Web actually does is to put your document on Windows Live SkyDrive. I am a fan of SkyDrive; it is capacious (25GB), performs OK, is reliable in my experience, and is free.
The way the sharing works is based on Microsoft Live IDs and Live Messenger. You can only set permissions for a folder, not for an individual document, and you have options ranging from private to public. Usually the most useful way to set permissions is not through the slider but by adding specific people. Provided they have a Live ID matching the email address they give, they will then get access.
You can also specify whether the access is view only, or “add, edit details, and delete files” – a bit all-or-nothing, but still useful.
SkyDrive hooks in with Office Web Apps so you can create and edit documents directly in the browser – provided it is a supported browser and that the Web App doesn’t detect you are on a mobile device, in which case it is view-only. The view-only thing is a shame when it comes to a large screen device like an iPad, though the full version nearly works.
Overall it’s a major change for Office, even though similar functionality has been around for a while from the likes of Zoho and Google Docs. This is Office, after all, the most popular office suite; and plenty of users will be trying out these features because they are there, and thinking that they could be pretty useful.
There is one awkward question though. Is Windows Live SkyDrive secure? It turns out that this is not an easy question to answer. Of course it cannot be 100% secure; but even assessing its security is not easy. If you try to find out you are likely to end up here – the Microsoft Service Agreement, which says, in bold type so you don’t miss it:
13. WE MAKE NO WARRANTY.
We provide the service ‘as-is,’ ‘with all faults’ and ‘as available.’ We do not guarantee the accuracy or timeliness of information available from the service. We and our affiliates, resellers, distributors and vendors (collectively, the ‘Microsoft parties’) give no express warranties, guarantees or conditions. You may have additional consumer rights under your local laws that this contract cannot change. We exclude any implied warranties including those of merchantability, fitness for a particular purpose, workmanlike effort and non-infringement.
14. LIABILITY LIMITATION.
You can recover from the Microsoft parties only direct damages up to an amount equal to your service fee for one month. You cannot recover any other damages, including consequential, lost profits, special, indirect, incidental or punitive damages.
I guess Clause 13 could be called the unlucky clause. If you are unlucky, don’t come crying to Microsoft.
There are two big questions here. One is how secure your documents are against unauthorised access. The other is how reliable the service is. Might you log on one day and find you cannot get access, or that all your documents have disappeared?
Three observations. First, despite clause 13, Microsoft has a lot to lose if its service fails. It has to succeed in cloud computing to have a profitable future, and a major data-losing catastrophe is costly, in that it drives customers away. The Danger episode was bad enough; though even then Microsoft eventually recovered the data it said initially had been lost.
Second, it may well be that the biggest security risk is from careless users, not from Microsoft. If your password (or that of a friend to whom you have given read or write access) is a favourite football team it won’t be surprising if somebody guesses.
Third, I have no idea how to quantify the risk of Microsoft losing data or denying access to my documents. That suggests it would be foolish to keep data there without backing it up elsewhere from time to time. The same applies to other cloud services. I guess if you pay for a service, and know how it is backed up to a different location, and have tested the effectiveness of that backup, and know that there are archives as well as backups – in other words, you can go back in time – I guess that then you might reasonably feel more confident. Otherwise, well, see clause 13 above.