Everybody likes Mozy--except me. Part 2

This is a continuation of Tuesday's posting (Everybody likes Mozy--except me. Part 1), which introduced the Mozy online backup service and software and where I started offering my opinions. Since Tuesday, I came across two more positive Mozy reviews.

In April, Serdar Yegulalp, writing for InformationWeek, reviewed Online Vault, Carbonite, eSureIT, iBackup and Mozy (Five Online Backup Services Keep Your Data Safe, April 9, 2007). He concluded that "The all-around winner for regular users and small business from this bunch was definitely Mozy, both for its plan structure and its unobtrusive client."

Also in April, BusinessWeek had a short article by Arik Hesseldahl about the beta release of Mozy for the Mac where he said "I've used Mozy on the Windows machine at the office, and actually came to like it a great deal" (Mozy Comes To Mac Today! April 25, 2007).

Encryption

Anyone considering backing up sensitive files has to be concerned with security and encryption. Walter Mossberg barely mentioned security, but David Pogue warned:

"Then there's the security thing. All four companies insist that your files are encrypted before they even leave your computer. But if you still can't shake the image of backup-company employees rooting through your files and laughing their heads off, then this may not be the backup method for you."
Note: He was referring to the idea of off-site backups, not specifically to Mozy.

At first glance, Mozy security sounds impressive--files are encrypted on your PC using 448-bit Blowfish encryption and then transferred over the Internet to Mozy using 128-bit Secure Socket Layer (SSL) encryption. But let's take a step back.

• Mozy software encrypts the files on your computer
• To do this, the Mozy software needs to know the encryption key (basically a password)
• Mozy stores your files on Mozy's computers

The problem here is that Mozy is doing everything. In effect, Mozy makes the key, the lock and the safe.

How files are transferred between the PC and Mozy has nothing to do with the real security issue, as I see it. The SSL encryption used during the transfer offers protection from interception while the files are in transit, but no protection from Mozy.

There are two ways the Mozy software learns the encryption key/password--either you pick one and type it into the program, or the program will chose a password on its own. As they explain:

"You have the option of using a Mozy key, or your own private key to encrypt your data. Note, that if you use your own private key, you must be very careful about not losing it, because if you do, we won't be able to help ... Most users opt to use the Mozy key, but it's up to you."
Note: "key" can be thought of as a password and "private key" can be thought of as you're choosing the password.

Using a key/password generated by the Mozy software may not sound so bad, but it means your sensitive files are not secure.

In Part 1, I quoted Walter Mossberg as saying "Both companies encrypt the backed-up files and say they don't view them." Not that they can't view them, but that they don't view them. And the Mozy warning--do not lose your key/password or they can't help you--implies that when their software chooses the password, they can help you. They must know the password.

Even if you choose the encryption password, you are trusting the Mozy software not to externalize it, either on purpose or by accident. When it comes to backing up sensitive files, there is no place for trust in the equation.

This situation is not at all unique to Mozy. Other online storage companies also provide software that encrypts your files. I suggest using a backup scheme where software from one company does the encryption while an unrelated company stores the files.

Restoring Files

When it comes to restoring files, Mozy can be slow. You can't simply go to their Web site, navigate to your needed files and download them. Instead, you have to request all the files you need up front (don't forget any) and wait. In Mozy's own words:

"Depending on how large the restore is, it could take a few minutes or a few hours for Mozy to prepare the data for you. When it's ready, you will be emailed letting you know you can download it. When you get the email, go to your Account page and from there you can download the restored data."

If you can imagine a situation where you need to access your off-site backup files quickly, Mozy might not be an optimal fit. Joe Hruska at Ars Technica described his experience restoring files using the Web-based interface: "When I requested a restore build as a free user, it took Mozy 36 hours to make my restore file available versus only 18 minutes when I requested the same service as a paying customer."

Only 18 minutes? With the nothing-special backup service I use, it takes less than 18 seconds to start downloading files, and e-mail is not involved at all. And 36 hours seems excessive, even for a free service.

More Gripes

There are a couple things I don't like about the way Mozy backs up files.

For one, their software copies open and locked files. No thanks, I prefer my files closed and unlocked when they are backed up. Why they do this, I don't know. What problem are they solving? Since the Mozy software runs all the time, there should be very little delay between when a file is closed and when it's sent off-site. I prefer backup software that issues a warning when it tries to copy an open or locked file.

Part 1 of this blog had a discussion of why Mozy is motivated to store as little data as possible. This may explain why Mozy doesn't always back up entire files. They try to be smart about it and only back up the pieces of a file that changed, a feature they call "block level incremental backups". I'm a pessimist, and this strikes me as just something else that can go wrong. I prefer my backups simple, and backing up pieces of files and later putting all the pieces together, is complicated.

The Ars Technica review had this gripe: "Unlike several of the other programs we tested, Mozy doesn't offer a 'Backup this file' option when an item is right-clicked inside Windows Explorer."

Being a computer nerd, I'm comfortable using FTP to transfer files. Mozy does not allow uploads or downloads via FTP.

Warranty

Ed Foster writes The Gripe Line column for InfoWorld. Back in February, he wrote a memorable article called Backup Service EULAs Warrant a Closer Look (alternate link). A reader of his column reviewed the terms of service for Mozy, Iron Mountain, Carbonite, Xdrive, and SOSonlinebackup. According to Ed, "All disavowed that the product had to actually function at all except Iron Mountain, which in its warranty promises to at least try to fix bugs..."

The unnamed Gripe Line reader said it well: "The availability of data, in essence, completely defines the service itself. Yet, all of the online backup companies I surveyed expressly disclaim any responsibility for actually delivering on the service they claim to offer." Three of the companies, Mozy being one of them, disavow damages for their own negligence.

And here's an analogy that really puts it in perspective: "Who would buy life insurance if the carrier's terms of service has a clause that says that if you die, they have no real obligation to pay the claim?"

Finally, on a (much) lighter note, some people may have a hard time complying with parts of Mozy's End User License Agreement. In the LIMITATION OF LIABILITY section it says:

"FURTHERMORE, YOU AGREE TO USE THE SOFTWARE OR SERVICE
EXCLUSIVELY FOR GOOD AND FOR AWESOME."

Talk about restrictive. And then there is this, in the next paragraph:

"DO NOT TAUNT HAPPY FUN BALL."

Wikipedia has an explanation of Happy Fun Ball. As lawyer jokes go, this one is pretty good.

To end on a legal note, that's my case.