FidSafe – free online storage for your documents  at first sounds like a nice free service.  Keep your important documents in the cloud.  From there, you can share your will, financial information, and stuff, with people you give the access to.

During the signup process, though, you have to provide your email address, your phone number, and answers to a number of questions about your background (your high school, first job, etc,) presumably to help with password recovery.

Then in the ToS (terms of service), you accept full responsibility for your account and password:

You agree that you will be the only user of your specific Unique ID and FidSafe password, that you will not transfer or disclose your FidSafe password to any other person, and that you will be solely responsible for all usage of the FidSafe Service through such Account login whether or not authorized by you. If you believe that your FidSafe password may have been lost or stolen, or that someone has uploaded, viewed, downloaded, shared or deleted any of your Content from your Account without your authorization, or if you know of or suspect any unauthorized activity in your Account, you agree to immediately notify XTRAC at the email address:

FidSafe doesn’t promise to do anything to help, though.  Only after you die, can another person be permitted to access your account, after you activate that option.

The user of the service may find they have no documents, or recourse at any time:

We may suspend or terminate your access at any time if you violate any provisions herein or for any other reason, in our sole discretion, without prior notice to you. If your access is suspended or terminated by us, we reserve the right to permanently destroy your Content.

As with other legal processes, it is possible that your content is turned over to authorities without notifying you:

All information and electronic files are subject to valid legal process, as determined by XTRAC and its third-party service providers.

Examples of “legal process” include but are not limited to a subpoena, warrant, government request for information, forfeiture, or seizure, injunction, or restraining order. You generally will not be notified of the receipt of, or response to, such legal process unless required by law. You understand that copies of your Content (excluding passwords), associated communications and our audit logs may be reviewed and produced in response to legal process. XTRAC and/or our third-party service providers reserve the right, but do not assume the obligation, to investigate any issues related to your use of FidSafe and to report such issues to the authorities.

FidSafe’s Privacy Policy comes right out and says you will be tracked, and all your information is permitted to be shared with “affilated companies” including such information as how much time you spent looking at a file called “Last Will and Testament”.

When you use FidSafe, we collect some personal information about you, such as your name, date of birth, telephone number and email address. If you decide to use FidSafe’s sharing functionality, you provide similar information about your sharing partner, such as name and email address. In addition to this information, we may also collect technical and navigational information such as computer or other device, browser type, Internet Protocol address, web pages visited and time spent on the FidSafe website, and Content-related information such as document file name, size and type.

FidSafe may use information about you, such as your name, email address and date of birth, to service and protect your Account, communicate with you and make you aware of new FidSafe products and services. This information may also be shared with affiliated Fidelity Investments companies to perform administrative and other services for FidSafe. The technical and navigational data collected may be used by FidSafe and its affiliates for analytical purposes, improving the FidSafe product and customer experience and to protect your Account.

It is at least honest that FidSafe comes right out and says they will use cookies to track your activities, and the tracking information is shared among “third party service providers” who are allowed to use other means to track you as well.

When you access FidSafe from a computer or other device, we may collect certain information from that device about your browser type, location and Internet Protocol address through cookies or similar technologies.

Cookies are small amounts of data that a website sends to a web browser or application on a visitor’s computer or other device. We use cookies to support the operation of this site and other FidSafe applications. For example, our session cookies are used for authentication purposes, which are necessary to provide you with the services available through our website and to use certain features such as access to secure areas. We do not link the information we store in cookies to any personal information you submit while on our site or other FidSafe applications. If you reject cookies, you will not be able to access our website or other FidSafe applications.

Our third-party service providers also use cookies to collect information that is analyzed in aggregate form to help us understand how our website is being used. Our third-party service providers may also employ clear gifs, images, and scripts that help them better manage content on our site. These third party cookies or similar technologies may be able to recognize your computer or device both when you visit our website or another website serviced by that third party. The use of cookies by our third party service providers is covered by this Privacy Policy. We do have access and control over these cookies.

FidSafe also uses tools, such as Google Analytics, to help us analyze how you and other visitors use our website and to improve its functionality. FidSafe does not provide any personal information about you to Google Analytics and any information collected by Google is done anonymously without identifying an individual user. We do not associate information collected by Google Analytics with information you may have provided to us. For more information on Google Analytics, including how to opt-out, click here.

It’s possible that if we actually read through the Privacy Policy and Terms of Service for every service we use, we might find that they promise to be deeply invasive of customers’ personal privacy.   Perhaps FidSafe is “no worse than the average bear”.  One thing to keep in mind is this:  in an earlier blog post I have already mentioned “if you are not paying for a service, you (your information and your behavior) are the product being sold”.  FidSafe is “free” if you grant them access to your information and behavior, along with your email and phone number.

Does it sound like I’m overly critical of this service?  I don’t think it is particularly bad at all.  As long as you enter that agreement with eyes wide open, this could be a really nice service.   They do make a list of important documents that you should know where they are, as part of overall record keeping anyway, whether you keep it on your USB drive in your desk drawer / safe deposit box, or on their website.

Is it even possible to maintain one’s privacy today (maintain the confidentiality of documents stored on electronic systems, or online)?  There are some interesting developments in consumer-friendly software where consumers / users generate their own encryption keys, so only they themselves and others designated as the authorized viewers or users of that private information.  Even the holder of the (encrypted) file in cloud storage, shouldn’t and can’t view the contents.  Filename, yes but contents, no.   Some cloud storage services that allow you to select your own encryption keys include SpiderOak; there are comparisons of features where you as a consumer really need to decide what you want.  Some systems even work with others in tandem, such as Sookasa working with DropBox and Google Drive:   DropBox stores the files, but Sookasa encrypts the files before they are even written to Dropbox, acting as a CASB  (cloud access security broker).  I’ve mentioned that has a very clever security model.

The good news is, excellent tools supporting strong encryption are becoming more readily available for regular people, allowing consumer-generated encryption keys so even the cloud storage provider can’t view or leak your files.  Be on the lookout, or drop me a line and we can chat about it.