Jan 31, 2017 ยท 6 minutes

Late last week, New York Times deputy tech editor Quentin Hardy announced he was leaving that job to become “head of editorial for Google Cloud.”

Hardy was clearly in a rush to get started with his new job - so much so that he wrote his first piece stumping for Google while still employed at the Times.

Roughly four hours before Hardy made his big career announcement, he wrote and published a Times Insider article titled “Where Does Cloud Storage Really Reside? And Is It Secure?” The piece encouraged readers to trust their data to cloud services, including those provided by his new employer. Absent from Hardy’s love letter to the cloud was any disclosure of Hardy’s new role, or the gigantic conflict created by a (soon to be) Google employee promoting Google in the paper of record.

The reason? According to the Times’ office of the public editor, Hardy hadn’t told his editors about his new gig when he published the piece.

“Unfortunately Mr. Hardy did not tell the editors he would be leaving for Google when the interview took place,” the Times told me.  I was then pointed to this update appended to the bottom of the article:

Update, Jan. 24: Since this article was posted, Mr. Hardy has announced he is leaving The Times for a position at Google Cloud.

So, conflicts aside, is Hardy right to encourage readers to trust the cloud? Specifically, is he right to argue that private information might be more secure up in the cloud than on people’s own devices?

This assertion, and Hardy’s use of his position at the Times to make it, are both worrisome at best.

Here’s the crux of Hardy’s argument that people should trust cloud services:

The same way that your money is probably safer mixed up with other people’s money in a bank vault than it is sitting alone in your dresser drawer, your data may actually be safer in the cloud: It’s got more protection from bad guys. In the case of the big public clouds, the protection is the work of some of the world’s best computer scientists, hired out of places like the National Security Agency and Stanford University to think hard about security, data encryption and the latest online fraud. And they’re pretty good at keeping things safe online.

That paragraph can be unpacked like a Russian nesting doll of facile claims. Not because the metaphor is inaccurate — Hardy’s right to compare saving personal information via cloud services to stashing money inside a bank vault. But neither problem is as clear-cut as he suggests. It all comes down to how people answer questions about what they’re afraid of, how they define “safe,” and how much trust they put in other people. Answer the questions differently than Hardy, or merely value some things more than others, and the larger question of whether or not to use these services becomes far more complicated. Let’s consider the options for each one.

First is the question of what you’re afraid of. Cybersecurity experts call this a “threat model.” Nothing is ever completely secure; the best you can hope to do is protect it from some people. Storing information on a personal device, like piling up hundred dollar bills in a sock drawer, is a good way to prevent someone from stealing from you without your knowledge. But it’s a bad way to keep that money away from a friend, family member, or someone else with physical access to whatever you’re trying to protect. Then you’re probably better off storing your treasure off-site. Which option you choose depends on whether you’re more worried about threats near or far.

And there are many threats from afar. The most infamous are intelligence agencies, such as the National Security Agency, which was revealed in 2013 to have compromised the links between Google’s data centers. This access  — which was part of other mass surveillance programs revealed by Booz Allen Hamilton contractor Edward Snowden — affected both Gmail and Google Docs. Hardy doesn’t mention this revelation in his assurances that the cloud is safe. People know someone with physical access to their information (or money) can steal it. Someone looking to the Times for answers to these questions might not have known about the NSA disclosure.

Next is the question about how people define “safe.” Data stored by cloud services is often encrypted, and the same can’t always be said about information kept on local storage, which means the actual files could be safer up in the cloud. But local storage also can’t be accessed with little more than compromised usernames and passwords. Hackers don’t have to break encryption to access information  — as vulnerabilities in Apple’s iCloud showed, they can also use stolen credentials or brute-force attacks to get the same access. Cloud services aren’t always better at stopping those attacks than vaults are at preventing identity theft or credit card fraud.

Finally, there’s the question about how much trust should be put in other people. Banks can often be trusted because the government insures their accounts, because there are strict regulations in place, and because most bankers only steal from their customers in spirit, not in broad daylight. It’s also easier to tell when a bank account has been compromised  — its contents are shown with simple numbers that rise and fall with each deposit or withdrawal. If this were a more primitive time, the biggest issue would be that more people try to steal from banks than from individuals, but even that concern has all but vanished in this modern era. Why not trust the bank?

Some of those things are true for cloud services. Watchdogs at least attempt to keep companies honest, privacy regulations do exist, and tech companies don’t steal information so much as they make it hard for people to notice what they’re sharing. But there’s no easy way to verify that information saved in the cloud hasn’t been verified; someone could steal that information without leaving a trail for the average person to follow. They’re also still attractive targets. Hackers stole account information from more than 60 million Dropbox users, which was probably a better use of their time than targeting a single person. This all makes it harder to trust these services.

None of which is to say that people shouldn’t use these tools. They’re great! But, again, Hardy’s answer to Times readers lacked nuance. None of these hacks or breaches were mentioned in his piece. This is the closest Hardy comes to recognizing any of these privacy or security concerns:

Nowadays, computing clouds are everywhere — which is one reason people worry about their security. We hear more and more often about hackers coming over the internet and looting the data of thousands of people.

Most of those attacks hit traditional servers, though. None of the most catastrophic hacks have been on the big public clouds.

Hardy didn’t respond to my request for comment, nor has he said anything elsewhere about the apparent conflict of interest, so far as I can tell.

Yet he has tweeted about how proud he is to be joining Google following its response to President Donald Trump’s ban on some immigrants and refugees. Given concerns about how Trump will also attempt to create a surveillance state, perhaps it would be wise to let Times readers know that they should think twice before trusting anyone else with their private information. These are not theoretical concerns, nor are they yesterday’s problem, and it turns out that a dresser drawer is sometimes better than a bank vault.