You Can't Control Your Data in the Cloud

There is this well cited argument that cloud companies like Google, Apple, Amazon, Facebook, and you-name-it are able to protect your personal data much better than you are able to. They have military grade security restrictions, better backup methods, and are able to do this much cheaper. Everybody is doing it so it seems to be OK to put your data into the cloud.

While this argument being absolutely true, people seem to forget that giving away your data to any third party is the root of many problems in the first place. It is not relevant to whom you are giving your data to. Yes, this also holds true for Apple's iCloud where many people think it's a save heaven.

Let me explain by examples.

Please note that the links provided are only a small selection of numerous facts on how the cloud is damaging your privacy in an enormous amount. This article mostly refers to personal data and not business-related data.

If a link is not available any more, please do use the Internet Archive WaybackMachine to find archived versions for a given date. Drop me a line if you do spot a source that should be not relied on.

The incidents collected on this page is only a tiny fraction of all incidents reported. Please use other sources like this for an overall picture. I'm just collecting distinctive incidents that support my point.

Disclaimer especially for tech-savvy people: Please note that I am using a simplified term of "cloud" which refers to storing data or metadata of us in the public cloud. I am specifically not referring to cloud-computing in terms of putting my own (encrypted) data in an S3 container or processing nodes that may be even stateless. With the exception of cloud processing services that turn bought devices into bricks after discontinuing their service. You see, it's complicated. If you know what a threat model is, you most probably know these things here already.

Losing Control

No matter, how secure your cloud vendor is storing your data, you are going to lose control. Same holds true for the European cloud.

With cloud-connected devices in your house, you might even lose basic services like heating or your lights. If this doesn't scare you already, how about losing control over your cloud-connected car? Even your cloud-connected sex toys record your "private sessions" to the cloud.

Not every data is lost or stolen on purpose. Mistakes happen. Whole MS Office suite apps might not be available all the time. Or cloud storage like Apple iCloud are offline from time to time.

Particular widespread hobby: people tend to buy smart home devices that turn into expensive waste after losing support from the vendor. Cloud-based car alarm system? Well, it's actually the perfect tool to locate and steal your high-class car.

You're losing exclusive access on the logs to your data. This is subtle but nonetheless important when it comes to sensible data.

This site collects the biggest data breaches (or leaks). It contains over 30,000 reports of incidents including Facebook, Microsoft, Yahoo, Twitter, Friend Finder Network, and so forth.

2025-07: Microsoft manager had to confess under oath that according to US laws, Azure cloud data of EU citizens is stolen by US on request. (senat.fr with original minutes, heise with English and German article, German golem, German Standard)
- Therefore, this is further proof that the location of an US cloud server is irrelevant for its (in)security.
2025-06: Hack Turns Nissan Leaf Into Giant RC Car (hackaday)
2025-05: 184 Million login credentials leaked from "Apple, Discord, Facebook, Google, Instagram, Microsoft, Roblox, Snapchat, Spotify, WordPress, Yahoo, and a variety of other online services and email providers" (Wired, PCMag)
2025-03: LGBTQ+ and BDSM dating apps leak nearly 1.5 million private photos (Cybernews, German heise)
2025-01: Presumably health data of 130,000 danish people got leaked from a health-care service company in Denmark (German heise)
2024-12: VW collected and leaked location data of 800,000 electric cars by VW, Seat, Audi, Škoda and more. (German Wikipedia, German CCC, German CCC talk, …)
- Tracking data is suitable to detect visits to brothels, track officials, identify people working for high-security organizations, …
2024-10: "UnitedHealth says Change Healthcare hack affects over 100 million, the largest-ever US healthcare data breach" (techcrunch)
- "The stolen data varies by individual, but Change previously confirmed that it includes personal information, such as names and addresses, dates of birth, phone numbers and email addresses, and government identity documents, including Social Security numbers, driver’s license numbers, and passport numbers. The stolen health data includes diagnoses, medications, test results, imaging and care and treatment plans, and health insurance information — as well as financial and banking information found in claims and payment data taken by the criminals."
2024-10: Contact details of all Dutch police personnel were stolen including undercover agents. (novinite.com, DutchNews, German heise)
2024-09: Meta (facebook) was fined 91 Million Euros because they got caught storing facebook and instagram passwords unencrypted in plaintext, ready to be read by thousands of employees. (Reuters, German heise)
2024-08: USA: "Social Security numbers, death certificates, voter applications, and other personal information were accessible on the open internet" 4.6 Million voters exposed. (wired, German Der Standard)
2024-08: Massive data leak may include the personal data of every person in the US, UK, and Canada incl. social security numbers. (9to5mac)
2024-05: Ticketmaster hacked. Breach affects more than half a billion users. (Mashable)
- "The group allegedly has Ticketmaster customers' full names, addresses, phone numbers, email addresses, and order history information including ticket purchase details and Ticketmaster event information. In addition, hackers also allegedly have customers' partial payment data which includes names, the last four digits of their credit card numbers, and card expiration dates."
2024-05: Dropbox Sign got compromised: attackers stole API keys, MFA & hashed passwords (Dropbox announcement, Cyber Security News, Forbes, German heise)
2024-04: again Microsoft: a server containing source code, logins, keys and passwords(!), scripts and configuration files was public without any authentification. It took Microsoft four weeks(!) to get it off the public network. (techcrunch, German heise and another German heise with more details)
2024-02: 200k Facebook Marketplace records with "email addresses alongside names, phone numbers, Facebook profile IDs and geographic locations" leaked. (haveibeenpwned.com, German heise)
2024-02: Health data of 33 Million people from France (half of the population!) are compromised (German heise, CNIL)
2024-01: 15,115,516 user records from the popular Altlassian Trello got stolen. Presumably with "emails, usernames, full names, and other account information". (German heise, haveibeenpwned)
2023-10: Hackers got into the Okta identity management of 1password (1password, German heise)
- People still putting their passwords in the public cloud after we've had so many public incidents (see LastPass below) should really learn how to handle private data properly. I'm sorry, that was always a very bad idea in the first place.
- 2023-11: not 134 customer accounts got stolen but all customers who were in contact with customer support are affected. Okta claims that the data that got stolen was not that sensitive. (German heise)
2023-08: Fitbit (owned by Google) is transferring data of Millions of European users to the US cloud, violating GDPR to protect personal information. (noyb.eu)
2023-08: 2.6 Million customer data from Duolingo got public. (haveibeenpwned.com, German heise)
2023-08: UK Electoral Commission got hacked "including the name and address of anyone in the UK who was registered to vote between 2014 and 2022". (electoralcommission.org.uk)
- The hack took place 2021-08. They didn't realize until 2022-10. Starting with 2023-08 they began to inform the people who were affected. That's way too slow.
2023-08: Again Microsoft, again Azure: "unauthorized access to cross-tenant applications and sensitive data (including but not limited to authentication secrets)". If you aren't tech-savvy: this is very bad. (tenable)
- A reoccuring pattern emerges more and more: Microsoft didn't fix the issue in months and as of 2023-08-03 it is still an open vulnerability in Azure, risking the data of all Azure customers.
- related:
  - Microsoft comes under blistering criticism for “grossly irresponsible” security | Ars Technica
  - BrianKrebs: "The CEO of Tenable just ripped Microsoft a new on…" - Infosec Exchange
2023-08: Due to a leak in the data transfer software MOVEit, at least 8 to 11 Million people lost their mostly health-related data. (German heise)
- 2024-11: Hackers got access to data of employees from Amazon, HP, HSBC, and many more via MOVEit Transfer (German heise)

Intermission: there was a severe Microsoft incident in 2023-07 which is probably the incident with the most impact worldwide of all times. Hackers had access to more or less all important systems of Microsoft for at least three years. Microsoft got extremly strong pushback from US government organizations. During the aftermath (2024-01), Microsoft got hacked by yet another hacker group, again accessing innermost systems. However, it did not get that much press coverage in the general media. The nature of this incident is a total security desaster for Microsoft which can not be trusted any more. This is because Microsoft can't replace all of their key infrastructure and their services (with potential backdoors) at once. This affected not only Azure, O365, all Windows hosts, GitHub, but all MS services and products.

I wrote a longer article on that Microsoft incident and included many external links, reports and sources to check the claims mentioned: Read That Before You Trust Anything by Microsoft Once Again

2023-07: VanMoof bicycles declared bankrupt. Without their cloud servers and the app, bike owners can't control the light, driving speed and auto-unlock on approaching the bike. (German heise)
2023-05: Microsoft Hosted Exchange by United Hoster (Germany) is offline because of ransomware (German heise)
2023-02: Very sensitive data from over 2200 members of the German Last Generation was found on Google Drive. (German golem)
2023-01: Microsoft 365 services down (German winfuture)
- 2023-04: again (German winfuture)
2023-01: Thousands accounts of NortonLifeLock customer accounts (cloud password storage) breached. (yahoo.com, German heise)
2023-01: Are you driving a Kia, Honda, Hyundai, Nissan, Infiniti, Acura, Ferrari, Mercedes-Benz, Porsche, Toyota or BMW? Well, other people do get your personal data and might even remote control your cloud-connected car. (samcurry.net, German heise)
2022-12: Personal data from over 400 Million Twitter users leaked. (breached.vc, German heise)
2022-12: Hackers hacked LastPass and, copied sensitive clear-text user data and even downloaded the encrypted password-database. (lastpass.com, German heise)
- All passwords may likely be hacked in future (using brute-force or yet unknown algorithm weaknesses).
- Users who re-use passwords with other accounts most probably got hacked right away.
- What’s in a PR statement: LastPass breach explained → great insight from their press release statement which is not reassuring. Furthermore, LastPass did fail to update the password security of their existing customers big time.
- Older LastPass passwords can be cracked in approximately one minute.
- 2023-02: You could say that this won't happen at LastPass again. Unfortunately, it did. (arstechnica, German heise)
- 2023-09: People seems to use data from the LastPass hack to steak millions of crypto money. No pity there. (krebsonsecurity.com, German heise)
2022-12: The FBI is running a social network: InfraGard. Personal data of more than 80,000 very-high-profile members (CEOs, …) got hacked. (krebsonsecurity.com)
- So even the FBI can't control a high-secure cloud network.
2022-12: The Smart-Vehicle-platform of Hyundai, Toyota and Nissan has severe security holes: hackers gain access to personal data and are able to control the cars. (German heise with links to Twitter)
2022-11: Attackers who hacked 5 million unique passengers and all employees of AirAsia Group were "irritated" because of the chaos of their computer systems and "very, very weak" network protection. (databreaches.net)
2022-11: Massive 2021 Twitter data breach was far worse than reported: 5.4 Million phone numbers, email addresses. (9to5mac)
2022-11: WhatsApp data leak: 500 million user records for sale (cybernews.com, German heise)
2022-11: Australian Medibank lost almost 500,000 health claims, along with personal information. (theguardian.com)
2022-09: Older photographs in Google Photos gets corrupted. (Google)
2022-08: The recent Cisco hack started with a hacked Google account where a Cisco empolyee synced his browser passwords to. (talosintelligence.com)
2022-07: Microsoft Teams worldwide down for five hours (bleepingcomputer.com)
2022-07: A writer of a one million word novel was locked out of her book by her online word processing software. (technologyreview.com)
2022-07: Marriott does seem to have a serious problem. At least the third leak went public. (databreaches.net, German heise)
2022-07: Names, addresses, national ID numbers, mobile numbers, all crime/case details of one Billion(!) chinese residents leaked. (breached.to)
2022-03: Wyze knew hackers could remotely access your camera for three years and said nothing. (theverge.com)
2022-03: All accounts of all 15.000+ global customers of Okta (Identity and Access Management; cloud SSO) were hacked for months. (CNN)
2022-02: Over 350 blind people with eye implants in their eyes lost them completely because the IoT company got issues (spectrum.ieee.org)
2021-12: Gravatar lost 167 million names, usernames and MD5 hashes of email addresses. (haveibeenpwned.com, German heise)
2021-09: 61 Million sensitive records of many different fitness trackers, mostly by Fitbit und Apple HealthKit (websiteplanet.com, German heise)
2021-08: Default permissions on Microsoft Power Apps exposed 38 Million data records. (upguard.com; German heise)
2021-08: T-Mobile US loses 50 Million data on customers. (German heise, wsj.com)
2021-06: 700 Million LinkedIn users exposed. (restoreprivacy.com)
2021-04: Data of over 533 million Facebook users leaked: Phone number, Facebook ID, full name, location, past location, birthdate, (sometimes) email address, account creation date, relationship status, and personal bios. (techradar.com)
2021-03: IT security experts of Eset: Severe security issues may cause data leak or ransom attacks via sex toys. (German heise)
2020-06: Issues with vacuum cleaner robot of Vorwerk Kobold VR200 and VR300 due to cloud issues. (German heise)
2020-01: Smart homes will turn dumb overnight as Charter kills security service. (arstechnica)
2019-12: iCloud outages. (German heise)
2019-11: Microsoft Office 365 down worldwide. (Comment)
2019-05: Nest is disabling their APIs. (home-assistant.io)
2019-04: Hacker finds he can remotely kill car engines after breaking into GPS tracking apps. (Vice)
2019-03: Car alarms can make your vehicle even less secure, affecting 3 million vehicles globally. (pentestpartners.com, demo video)
2018-03: Facebook and Google store everything that was sent to you or you sent to somebody else. (Twitter)
2018-02: FedEx Customer Records Exposed: more than 119 thousands of scanned documents of US and international citizens, such as passports, driving licenses, security IDs etc. (kromtech.com)
2017-11: Sex toy company admits to recording users' remote sex sessions, calls it a 'minor bug'. (theverge.com)
2017-02: Google, unlike Microsoft, must turn over foreign emails. (Reuters)
2016-05: Apple is deleting your local music files without notifying. (apple.slashdot.org)
2011-12: Apple vs. Google Client Platforms How you end up being the Victim. (CCC talk video recording)
2010-10: "Customers of Google cloud services who are concerned about security better get used to being unable to check out first-hand how well their data is being protected". (cio.com)

This article is discussing this notion from a different angle.

Data Gets Used Against You

You can't be sure how your cloud vendor is analyzing your data "for your best experience" or enforce arbitrary policies like the avoidance of nudity or strong language. And of course they sell the results of this analysis to third party companies. Same holds for user reviews. And of course your online purchases. Using a dating service should scare you when they give away your most sensitive data to advertisers.

Cloud companies consider you as their product, not their customer. They sell your data. Sometimes, they are not even interested in fixing security issues of your cloud.

Companies do give access to collected user data to their "business partners". Research shows that companies are exposing sensitive data with and without noticing more and more.

Steve — Tweet by misterbrilliant with a video on Alexa's inability to get help.

2024-10: Three of the world's most important leaders have been put in danger due to their security guards' use of a sports social media app, Strava. (LeMonde, German heise)
- see incident from 2018-01 below → this is still an issue although it was widely reported over five years ago
2022-10: Health data got stolen from Medibank (3.7 million customers) and was used for blackmailing Medibank for publishing data of its 1000 most prominent customers. (smh.com.au)
2022-05: Twitter has been fined $150 million after it used phone numbers submitted by users to set up two-factor authentication… for targeted advertising. (grahamcluley.com)
2020-03: Report shows that companies are exposing sensitive data with and without noticing more and more. (PDF: McAfee report)
2020-01: Grindr and OkCupid Spread Personal Details, Study Says. (NY Times)
2019-11: Facebook had an open hole via their API. (Facebook's announcement of the fix)
2019-03: Millions of online photos scraped without consent. (NBC News)
2018-12: Internal documents show that [Facebook] gave Microsoft, Amazon, Spotify and others far greater access to people’s data than it has disclosed. (NY Times)
2018-12: Amazon reveals private Alexa voice data files. (heise)
2018-08: Google found the perfect way to link online ads to store purchases: credit card data. (Bloomberg)
2018-03: Tweet on Zuckerberg's answer to the question "How do you know there are no hundreds of firms like Cambridge Analytica?". (Tweet, referred CNN interview)
2018-03: Microsoft prevents users from using bad language from their services. (German heise)
2018-02: Is it ethically OK to participate in review sites at all? (Spoiler: Yeah, sometimes, but definitely not on Google Maps.) (Tim Bray blog)
2018-01: US military bases are clearly identifiable and mappable within public Strava data. (Tweet)
2017-12: Microsoft "Dynamics 365" endangered private keys of customers and first denies that there is a problem. (golem)
2016-07: Data-journalist Marco Maas has 130 smart home devices that send 600MB of data back home each single day. (German heise)
2016-07: A Michigan man can’t sue Pandora for violating his privacy by publicly disclosing his musical preferences on social media because the service is free. (eu.freep.com)
2012-12: Xkcd comic on people's expectations of using services for free. (Comic, Explanation)

You can't be sure of any malicious employee who is mis-using or leaking data. Employees sell sensitive data.

2019-11: Twitter employees selling sensitive data. (PDF: Criminal Complaint at US District Court)
2017-12: Virtual keyboard developer leaked 31 million of client records. (kromtech.com)
2017-06: China arrests 22 over sale of Apple private data. (scmp.com)
2016-12: Uber said it protects you from spying. Security sources say otherwise. (revealnews.org)
2015-05: FBI arrests JP Morgan Chase former employee for selling account data. (nakedsecurity.sophos.com)
2015-04: AT&T fined $25 million after call center employees stole customers’ data. (arstechnica)
2014-08: Amtrak employee sold customer data to DEA for two decades. (arstechnica)

Inability To Delete

If you delete data in your cloud, nothing gets deleted for real. Truth is, the cloud vendor disables your access permission. Therefore, "deleted" data is used in the background and even re-appears from time to time.

2017-01: Deleted Dropbox folder re appeared after a couple of years. (dropboxforum.com)
2014-09: Data you serve up to the cloud can be stored out there indefinitely, no matter how hard to try to delete it. (red-gate.com)
2010-04: Facebook does not erase user-deleted content. (zdnet.com)

Losing (Access to) Your Data

You can't be sure that you don't get locked out of your own data. This fortunate

People got locked out of their own cloud infrastructure. Sometimes you get locked out of your house. You even can get locked out from your cloud-connected shoes. Sometimes, your ISP is threatening to turn off your heating when you are using the Internet in a way they don't like. Politics can lock you out of your rented cloud-driven software products. Somebody is probably able to kill your pet over the Internet. Whole companies go offline when your cloud vendor wants.

You can't be sure that even cloud vendors are losing data.

2025-08: AWS deleted my 10-year account and all data without warning: "AWS gave me a present I’ll never forget: proof that no amount of redundancy matters when the provider itself goes rogue."
- Lessons learned by the author:
  1. Never trust a single provider—no matter how many regions you replicate across
  2. “Best practices” mean nothing when the provider goes rogue
  3. Document everything—screenshots, emails, correspondence timestamps
  4. The support theater is real—they literally cannot help you
  5. Have an exit strategy executable in hours, not days
- "The cloud isn’t your friend. It’s a business. And when their business needs conflict with your data’s existence, guess which one wins?"
- "Every conversation revealed I wasn’t alone in being targeted by AWS—especially MENA. Hundreds of Reddit threads, websites, forums, all telling similar stories." "AWS didn’t just delete their data; they deleted their careers."
2025-06: Some further reports of getting locked out of their Microsoft cloud (German blog entry with links to further sources)
2024-05: Google Cloud accidentally deletes UniSuper’s online account due to ‘unprecedented misconfiguration’. (Guardian)
2024-05: Google locks out an author from Google Docs because an AI thinks that the content is "inappropriate". (wired, fefe German)
2023-08: CloudNordic lost all customer data including backups for good after ransomware attack. (The Register, German heise)
2023-07: reddit lost all chat messages before 2023 in a migration process. (reddit, German heise)
2023-06: Amazon customer gets wrongly accused of being rude and Amazon locks him out of his home devices. (Medium)
2022-08: A dad and his doctor both lose their Google account and their cloud data after they tried to take and exchange photos of physical illness. (NY Times, German heise)
- Never use cloud services to backup your data. Use self-hosted services like Syncthing which is easy to set up.
2022-07: Sony’s PlayStation Store Pulling Access to Purchased Studiocanal Movies. (Variety, German heise)
2022-04: Smart-home company Insteon shuts down servers without warning leaving users with broken smart home setups. (PCmag)
2022-04: After pushing customers to their cloud solution, Altlassian deleted data of approx. 400 customers and takes weeks to restore (Atlassian, German heise)
2022-03: Google disables tens of millions of accounts every year without warning, giving the recipient a reason why, or providing a way to get it back. (nextcloud.com)
2021-12: Amazon AWS us-east-1 down for seven hours (HN, German heise)
2021-12: "Do not get too attached to your Apple account; it belongs to Apple, NOT YOU!" (merecivilian.com)
2021-11: Tesla drivers can't use their car because Tesla's servers were down (BBC)
2021-10: The whole Facebook ecosystem is dowon for six hours, affecting thousands of other services (engineering.fb.com)
2021-07: All backups of WD MyBook Live worldwide are gone (arstechnica)
2021-01: Losing access to your penis: malware that locks IoT male chastity devices (securityreport.com)
2020-01: What you lose when you get the "Your account has been suspended" email from Google. (kylepiira.com)
2019-10: Vendor of "Nello One" cloud-connected lock bankruptcy turns all products into expensive trash. (German heise)
2019-10: Cloud-connected animal feeders might kill your pets. (Russian source, Google translation)
2019-10: Adobe is cutting off users in Venezuela due to US sanctions. (theverge.com, Adobe notification)
2019-07: For an entire afternoon and into the night, Google’s cloud was broken. (wired)
2019-02: Nike just bricked its $350 app-connected Adapt BB self-tying shoes by accident. (mashable)
2019-01: Telekom Entertain 303 Media Receiver got deprecated, accessing the personal, locally stored video recordings of many years is no longer possible for all customers. The video data is proprietary encoded and can not be converted. (German Telekom)
2018-05: Google took down a whole company that uses G Suite because one single employee was mis-using his personal Android phone. (Reddit comment)
2018-01: Don’t pirate or we’ll mess with your Nest, warns East Coast ISP. (engadget)
2017-08: Cloud-connected lock vendor accidentally bricks hundreds of locks through a failed firmware update. (techspot, Vendor notice)
2017-02: GitLab melts down after wrong directory deleted, backups fail. (theregister.com)
2016-07: Google deletes artist's blog and a decade of his work along with it. (splinternews.com)
2014-05: Owners of Apple devices across Australia are having them digitally held for ransom by hackers demanding payment before they will relinquish control. (smh.com.au)
2014-01: Gmail bug made some users accidentally delete emails. (theverge.com)
2013-07: Dilbert comic on the realistic scenario of losing a complete data-center. (Dilbert)
2013-04: How getting locked out of Gmail made me kick the Google habit. (asabharwal.com)
2012-08: "In the space of one hour, my entire digital life was destroyed." Hackers used cloud accounts to remotely erase all of the data on iPhone, iPad, and MacBook. (wired)
2012-02: Microsoft's Azure cloud down and out for 8 hours. (theregister.com)

Tweet: @GitHubHelp, you blocked our entire company account after one employee opened his laptop while visiting is parents in Iran. We are completely blocked from deploying!

(Good) Cloud Providers Turning Bad

You can't be sure that the business model of your cloud vendor is changing so that they act differently compared to past statements. Sometimes your cloud vendor gets bought by a bigger fish. Or he is deciding to share your private data with others without your consent. Or he is introducing "quality of service" to storage performance which drags you down in production stage. Governments are beginning to sell sensitive data for profit as well.

If I ever get to interview a Google Cloud exec, I have one question — Tweet by QuinnyPig about the trustworthiness of Google's cloud availability.

Even your cloud-connected vacuum cleaner is selling information on your home to the highest bidder. Or it is providing a perfectly fine spying tool for the bad guys. Or it simply opens your door for the bad guys.

Furthermore, there is always the possibility of cloud vendor employees, who give away your data to interested parties as happened with Twitter 2022-12 (German heise). You have to trust every employee who has access to your data. All of them. Do you?

2025-03: 23andMe (an American personal genomics and biotechnology company) filed for Chapter 11 bankruptcy. All DNA data could be sold. (German Standard)
2022-08: Apple Is Tracking You Even When Its Own Privacy Settings Say It’s Not, New Research Says (gizmodo)
2022-05: Google stops all 3rd party apps from accessing GMail unless they pay for an expensive audit for each version (pmail.com)
2021-01: Flo health sells sensitive health data like pregnancies of its customers (Court Agreement PDF)
2020-01: Everalbum processes uploaded user photographs with face detection against their will (Court Agreement PDF)
2020-12: Google acquires Fitbit, getting all of its sensitive customer health data (European Commission)
2020-10: Zoom said since 2016 it offered “end-to-end, 256-bit encryption” which was a total lie. (ftc.gov)
2020-07: A so-called "Non-logging VPN provider" leaked massive logs of its 20 Million users including "plain text passwords and information that could be used to identify VPN users and track their online activity". (comparitech.com)
2017-11: Australian coalition could allow firms to buy access to facial recognition data. (theguardian.com)
2017-11: Amazon Key Flaw Could Let Rogue Deliverymen Disable Your Camera. (wired)
2017-10: Vulnerability in LG's smart home infrastructure exposing it to critical house systems takeover. (Video)
2017-07: Roomba's next big step is selling maps of your home to the highest bidder. (gizmodo)
2017-06: Docker operations slowing down on AWS on purpose. (jeremyeder.com)
2016-10: LinkedIn accesses Gmail contacts via "auto-authorization". (Original article (offline as of 2020-06-05), hacker news thread)
2016-10: Google has quietly dropped ban on personally identifiable web tracking. (propublica.org)
2016-01: My blog article on an education platform that got bought and fired our university.
2016-01: Del.icio.us taken over and changes business model. (techcrunch.com)
2015-03: Bankrupt Radio Shack will sell the customer data they promised to keep private. (boingboing.net)

My favorite analogy here is the old sex education trope "wear a condom or you are exposed to all of the STDs of all of your partner's partners". Only in the cloud, the arrow of time is reversed. Everything you share you have to trust the company to steward, and not just the company as currently constituted, but all future versions, ownerships, partners and employees of the company.
/truffdog on HN/

You're the Product

Your privacy is of no concern for cloud companies. They don't care about the security of your data at all. Cloud vendors are even willingly hurting your privacy or health.

Many times, your data gets public because of a simple error. Also passwords. Even kids toys become spyware.

You don't have any idea on how manipulated cloud data is used to do psychological experiments with you.

2020-03: Internet-connected smart-TVs are spying: Samsung and others (flatpanelshd.com)
2019-05: Google stored G Suite passwords in an insecure way. (Google notification)
2019-05: A Twitter iOS bug enabled collection and sharing of location data. (Twitter notification, dailymail.co.uk)
2018-03: Facebook accepts the risk of enabling terror attacks and causing deaths. (buzzfeednews.com)
2017-02: Data from connected CloudPets teddy bears leaked and ransomed, exposing kids' voice messages. (troyhunt.com)
2017-02: Cloudflare reverse proxies are dumping uninitialized memory, leaking arbitrary customer data. (chromium.org)
2017-02: Vizio televisions spied on 11 million TV sets since 2010. (ftc.gov)
2016-12: German Telekom provided access to address book entries of other business customers. (German heise)
2016-11: AppleCare leaks secret phone numbers of high-ranked politicians and police persons. (German heise)
2016-07: Cloud-connected fittness-tracker give away your data. (German av-test.org)
2016-01: Chinese authorities had hacked into Hotmail email accounts, targeting minorities in particular. Microsoft decided not to tell the victims. (Reuters)
2014-06: Research: Experimental evidence of massive-scale emotional contagion through social networks. (Paper)

Inability to Control What Goes into the Cloud

You don't even know what data is really uploaded to the cloud. And if you put documents in the cloud, you can never be sure if others can access it or not. Or how your data is processed and re-used by others.

2025-07: "Copilot Vision is an extension of Microsoft's divisive Recall […] is designed to analyze everything you do on your computer […] by capturing constant screenshots and feeding them to an optical character recognition system and a large language model for analysis – but where Recall works locally, Copilot Vision sends the data off to Microsoft servers." (TheRegister)
2025-07: Authorities get access to Amazon Ring doorbell footage without a warrant or consent of the user. (EFF, German Standard)
2025-01: About 40.000 mobile apps collected location data that got laked from 47 Million people: weather apps, Flightradar24, Candy Crush, Grindr, Kik, Hornet, Tumblr, tracking apps for menstrual cycle or muslime prayers, VPN-apps, … (wired, techcrunch, German Standard, …)
- Some location data was collected not by using the OS permission for location data. Instead, it was collected by Real-Time-Bidding (RTB) advertisement processes that track via IP addresses.
2025-01: iOS 18 sends your photos to Apple with a more or less hidden feature (lapcatsoftware.com, German heise)
2024-08: Many dating apps (Tinder, OKCupid, Grindr, Badoo, …) leak very personal information including detailed location profile (Blackhat talk, PDF paper, techcrunch, German Der Standard, German heise)
2024-07: Avast anti-malware software copied customer data to their cloud, sold it to 3rd parties and now Avast is sentenced to pay 16.5 Million Dollar fine. (FTC.gov, FTC document (PDF), German heise)
2024-06: Microsoft is now automatically enabling Windows 11 OneDrive folder backup without asking permission. (Neuwin)
2024-03: USA considers Chinese cars with recording and surveillance features as a threat and China does this for Tesla, locks them out of sensitive areas of national security. (German heise)
2023-11: Biometrical/personal Aadhaar data of 815 Million Indian residents are for sale after being stolen (again?). (resecurity.com, German heise)
2023-09: Microsoft accidentially published secrets, private keys, passwords, and over 30,000 internal Microsoft Teams messages via Azure and GitHub. (wiz.io, German heise)
- "SAS tokens pose a security risk, and their usage should be as limited as possible."
2023-09: Users of Google Authenticator (TOTP) were not aware that their secrets are copied to the cloud. Guess what happened next. (retool.com)
2023-01: Photographs of people on the toilet and similar were collected and given away by Roomba. Roomba says that customers agreed. (German heise)
2023-01: Representative for many cloud services: Adobe is using your content for their purposes: all of your pictures may be processed and used. (Adobe content analysis FAQ, archived version from 2023-01-05, German heise)
2022-12: Anker’s Eufy lied about the security of its security cameras, sending personal data to the cloud. (theverge.com, German heise)
2022-08: Apple Is Tracking You Even When Its Own Privacy Settings Say It’s Not, New Research Says (gizmodo)
2022-11: Apple Says Your iPhone's Usage Data is Anonymous, but New Tests Say That's Not True (gizmodo)
2022-10: Key to access personal data of 290,000 Toyota customers was public for five years (German heise, Japenese source)
2021-05: US soldiers expose nuclear bomb process and facility details on learning platforms. (Bellingcat)
2020-01: A home security technician observes sex of customers via their security cameras. (arstechnica)
2020-08: You can no longer operate Oculus devices without a Facebook account. (oculus.com)
2020-08: Google Home devices record every word and sound without your permission or authorization. (protocol.com)
2020-04: Apple transferred call logs to their cloud without telling the users. (German golem with links to various original sources)
2020-02: IBM report: In 2019 alone, 8.5 billion data-sets were stolen and used against businesses. (newsroom.ibm.com)
2020-02: Clearview AI: Face-collecting company database hacked (3 billion images). (BBC)
2020-01: An Avast antivirus subsidiary sells 'Every search. Every click. Every buy. On every site.' (data from 100 million devices). (Vice)
2020-01: 250 million Microsoft customer service and support records exposed on the web. (comparitech.com)
2019-12: Facebook collects positional data despite disabled permission. (German heise)
2019-10: FBI's use of surveillance database violated in tens of thousands of cases. (wsj.com)
2019-06: Database leaks data on most of Ecuador's citizens, including 6.7 million children. (zdnet.com)
2018-09: Facebook: security issue affecting almost 50 million accounts. (about.fb.com)
2018-08: Google tracks Android movements although users disabled it. (apnews.com, German report on the cheap penalty)
2018-01: Data-breach of biometric data of one billion Indians by Aadhaar. (tribuneindia.com)
2017-12: A popular virtual keyboard app leaks 31 million users' personal data. (zdnet.com)
2017-07: Using anti-virus software to steal personal data. (Source code)
2017-06: Sensitive personal details of over 198 million American voters was left exposed to the internet. (upguard.com)

Losing Cloud Service

You don't have any influence on whether or not cloud services are discontinued by big companies like Microsoft. Game over. Lights go black. Your TV set as well.

Home automation is a potential risk in most cases. And if a service is not discontinued, it happens that years of data get lost somehow. Like twelve years of music files.

Cloud-connected devices destroy the internet and become expensive junk. Don't be surprised: any cloud-dependent device is going to stop working sooner or later. Even expensive ones.

Even temporary down-times of the cloud affect your life in many ways.

Thinking Public Cloud is “cheap” is a fallacy. I address some of the reasons why here — Tweet by tcrawford with link to https://avoa.com/2017/07/18/why-are-enterprises-moving-away-from-public-cloud/

2024-12: Some Microsoft 365 users were cut off from their service (Microsoft, derStandard.at)
2024-11: Sol-Ark, Chinese manufacturer of PV inverters disables Deye inverters in the US (solarboi.com)
2024-06: Paramount deleted 25+ years of Daily Show clips. (LateNighter)
2022-05: Amazon permanently disables Cloud Cam which also had severe privacy issues, replacing with different products. (Macrumors)
2022-05: Related: even implants may stop working for a variety of reasons including discontinued vendor support. (German heise)
2022-03: Our Incredible Journey collects some company acquisitions that led to services being discontinued.
2020-10: Bought a security system from Google that turned out to be a potential spyware? Well, say good buy to it in 2020. (androidpolice.com)
2020-02: Downtime of: Gmail, Drive, Docs, Presentations, Sites, Groups, Chat, Meet, Notes and Voice. (Google)
2020-06: Wikipedia lists 78 entries in the category of discontinued services and software by Microsoft. (Wikipedia)
2020-06: The Google Cemetery - Dead Google products lists 166 discontinued Google services
2020-06: Google Graveyard - Killed by Google lists 200 discontinued Google services
2020-03: Azure appears to be full: UK punters complain of capacity issues on Microsoft's cloud. (theregister.com)
2019-12: Sonos announced a "Recycle Mode" which bricks old devices. (Wikipedia)
2019-03: MySpace lost all music uploaded from 2003 to 2015. (reddit)
2019-01: World-wide downtimes of Microsoft Azure cloud. (German heise)
2019-01: Microsoft accidentally deletes customer DBs. (theregister.com)
2018-11: Thousands of customers in Seoul are cut off from the Internet due to a fire. (koreatimes.co.kr)
2018-03: Logitech is killing its Harmony Link service (smart remote) and the hardware will die with it. (popsci.com)
2017-04: Cloud-connected devices can be bricked by PDoS attacks. (security.radware.com)
2016-12: Google cloud print is turning off Epson printers. (PCmag)
2016-10: Don't Buy and Run Cloud-Connected Devices That Are Un-Patchable
2016-04: Google is intentionally bricking Nest hardware. (arlogilbert.com)
2016-01: DotCloud, the cloud service that gave birth to Docker, is shutting down. (venturebeat.com)
2015-12: Philips Locks Purchasers Out Of Third-Party Bulbs With Firmware Update. (techdirt.com)
2015-12: LG Cloud TV app service got discontinued. (Screenshot on twitter)
2015-11: Sony is ending support for the PlayStation Portable’s digital storefront. (digitaltrends.com)
2014-04: Xkcd-comic that makes fun of Google's rigorous service killing strategy. (Comic, explanation/context)

It's Not Always Bad Intention

You cannot possibly have any idea how many bugs or false configurations are exposing your data to any third party.

2025-07: Microsoft outsourced the administration of classified DoD data to chinese cheap minimum wage workers. (ProPublica, German heise)
- In my opinion, it's not this particular incident that should worry us. It's the company culture and mangement decisions that made that incident possible.
- Related: Read That Before You Trust Anything by Microsoft Once Again
2024-07: 33 Million phone numbers got stolen from a multi-factor authentication service provider. (bleepingcomputer)
- Avoid using your phone number for multi-factor authentification. Avoid giving away your phone number in general.
2023-12: Around 10,000 DNA datasets of Estonians got stolen. (German heise)
- Please not that in case DNA analysis data gets stolen, this also affects all of their families and in parts all of their wider relatives because of strong DNA similarities within the same kin.
2023-10: Imagine you're submitting your DNA sample to a company like 23andMe and then all of your data gets stolen including your DNA. It can't be more personal than that. (wired)
- Please not that in case DNA analysis data gets stolen, this also affects all of their families and in parts all of their wider relatives because of strong DNA similarities within the same kin.
- 2023-10: Reports of four Million published datasets of customers. (German heise)
- 2023-12: Data of 14,000 accounts and Millions of relatives were stolen (engadget, US government)
- 2023-12: "Hackers stole ancestry data of 6.9 million users, 23andMe finally confirmed" (arstechnica)
- 2023-12: A German comment on why sharing DNA data with cloud services is a severe issue (German heise)
- 2024-10: 23andMe doesn't seem to delete user DNA data if users delete their accounts (Malwarebytes, German heiser)
2023-09: Microsoft Sharepoint allowed access to data with very primitive (and embarrassing) authentication bypass (Starlabs)
2022-10: Microsoft Azure: Sensitive Data of 65,000+ Entities in 111 Countries Leaked due to a Single Misconfigured Data Bucket (socradar.io, Microsoft statement, German comment by fefe)
2022-01: You get a copyright violation when storing files with content 1, 500, 833, 174, 285, 302, 186, 451, 336, 173, 266, 448, 289, 120, 643 or 556 on Google Drive (German heise)
2021-11: Microsoft Azure account credentials were stored in plain-text and accessible to all AAD users (netspi.com, German heise)
2021-09: Over half of all Microsoft Azure instances running Linux expose root access without authentification (wiz.io, German heise)
2018-08: Abbyy OCR software dev exposes 200,000 customer documents. (bleepingcomputer.com)
2015-06: German security researchers find 56 Million data records lying unprotected in cloud back-end databases. (darkreading.com)
Many, many network-connected cameras are insecure. (German heise article on Samsung, reolink.com: List of insecure webcams, …)

Forced Insecurity by Law and Agencies

The USA has laws forcing (cloud) providers to include back-doors that circumvent cryptographic protection. There are secret laws for secret agencies which force cloud vendors to secretly give away your information.

International cloud vendors ignore local legislation that is here to protect your personal data.

2022-09: US Military Bought Mass Monitoring Tool That Includes Internet Browsing, Email Data: "[it] covers over 90 percent of the world’s internet traffic" (Vice)
2018-03: US CLOUD Act demands security backdoors. (EFF)
2015-02: NSA is making fun of US laws. (The Atlantic)
2014-04: US judge: forced access to emails on servers hosted by Microsoft. (PDF: Memorandum and order)
2015-05: Secret law is a 'direct threat' to Americans' privacy, says NSA whistleblower. (ZDnet)
2020-05: Senate votes to allow FBI to look at your web browsing history without a warrant. (Vice)
2018-09: GCHQ data collection regime violated human rights, court rules. (theguardian.com)
2019-11: Federal court rules suspicionless searches of travelers’ phones and laptops unconstitutional. (EFF)

No Such Thing as Anonymity

There is no anonymity. You can be identified by the way you are doing videos, your hardware, your software configuration, your mouse movements, your geographical position, and so forth.

Wikipedia: Device fingerprint
coveryourtracks - testing the uniqueness of your browser
2021-09: Apple "App Tracking Transparency made no difference in the total number of active third-party trackers […]" (blog.lockdownprivacy.com)
2021-03: Using smart speakers to contactlessly monitor heart rhythms + Pentagon is able to identify people using their heart rhythms
2014-11: "We show that camera motion, as can be computed from the egocentric video, provides unique identity information. The photographer can be reliably recognized from a few seconds of video captured when walking." (Paper)
2014-10: Whisper app tracks anonymous users. (theguardian.com)
2007-05: Mouse Movements Biometric Identification. (PDF: research paper)

What To Do About It?

If you're still thinking of using public cloud services for your data, make sure to read about the conditions to do so you should be aware of.

There is no "undo" here. Once your data is out, your role in controlling this game is over. Outsourcing security has it's price whose currency is not Euros or Dollars but loss of privacy, control, and to its final degree: security.

Reclaim you digital life. Follow my postings on this blog and on Twitter - I am trying my best to stay independent and to own my own data.

You've got something to hide - even when you are not aware of it. And that's nothing that anybody is allowed to hold against you.

Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say. Edward Snowden

So in case someone tells you that he is pretty witty to let a cloud vendor host his data "because it's more secure", you can reply to this argument that the NSA has also a one of the biggest military grade cloud full of data scraped from your personal (cloud) data. Not against terrorism. Not at all: The leaked NSA selectors are not reflecting any focus on terror-related data. So much for this red herring.

"Hosting" your very private data there is nothing you're going to enjoy. As any cloud vendor, they now more about you than you might think of: your porn profile, you health history including all of your past, present and future diseases, what you're thinking about politics, products, people, or anything else, you whole set of social contacts, your wife and your secret girlfriend as well, and so on, and so on. Still don't care whether or not data like this gets exposed, archived, or leaked without your control?

Comment 2025-08-19 Via Email

While it is somewhat understandable from a business perspective, some users were mislead into doing a chargeback, not thinking it would lead to consequences. In the source below, someone lost a Google account of 15 years.

Sources:

Regarding Reddit: Yes, I don't like it too. They are now taking measures to block archives, which will destroy lots of history.

Moderators have always been unaccountable. They get to delete whatever they like and block whomever they like, anonymously, without providing a reason.

Sources: