Your desire to look at people's data is irrelevant. That the data is there and is unencrypted is the death knell for cloud vendors. If it's in the so-called cloud then it absolutely has to be encrypted from prying eyes of today or some AI in the future. A company's ethics are not worth anything. Purely PR fluff. All that matter is whether the data can be accessed with a court subpoena.
Actually, it is encrypted, just not where you'd think it would be encrypted. I hope you are familiar with the term VPN, or virtual private network, if not I suggest you read up on it a bit as it is pertinent to knowing how the Cloud works.
Each user on a Cloud has a private folder where they can store files, they along with the file server administrators are the only ones with access. (more on the admins in a sec)
When you log in to your cloud storage, you are encapsulated in an SSL tunnel, the strength of this tunnel varies between cloud providers, once you connect to the gateway of the cloud provider you are load balanced to an internal VPN tunnel which routes you to your file server shared folder that no other
user has access to, likewise you don't have access to their shared folder either. This is a
chroot jail, meaning you aren't going anywhere else due to permissions.
Since most websites today use the
MVC pattern with their website architecture, this becomes even more difficult to break through as it separates the user facing content from the underlying data structure of the file server/database. In the MVC pattern you talk to the View, the View asks the Controller for data and depending on how many tiers are involved, the Model provides the Controller the data or asks an underlying layer to talk to the file server/database, to retrieve the files, which then push to the Model, then through the Controller and finally to the View for you to get them. The View has no idea of what is in the Controller, it just knows that it can call some method from the controller and expect something back. The controller acts the same way when it talks to the view, and the view talks the same way when it asks the persistence layer (file server/database code) for the data.
MVC = Model View Controller but is more logically stated in terms of who can talk to who as Model -> View -> Controller -> Model <-> Persistence Layer <-> Data.
The entire folder structure for where you place your data is encrypted, but backing up encrypted data isn't a great solution because in some cases if the user changes their password their encryption key changes and they are locked of out their data, which is why most cloud providers keep your data unencrypted at the file level until it is backed up for cold/warm storage. Also in order to manipulate the file structure admins have to have permissions to these folders in order for the job to succeed in copying your data around to multiple servers guaranteeing you 99.99...% uptime.
Even with a court subpoena, the company can still decide on whether or not they wish to comply, they have the right to decline as Apple has shown us by throwing out thousands of search requests with their own legal loopholes.
I figured I'd just throw out the non proprietary stuff of cloud computing so that you may get a better idea of how your data is secured and why anyone other than you would have access to it. If you don't like it that's fine, but at the end of the day, the data is as secure as your banking information. Even if you write a check, that check is sent over the Internet for verification with the other bank, if you go to an ATM to pull out cash, you just sent banking data over the Internet. All of your data at the bank is shared between each of the bank locations using the same technology that you'd get on the inside of that data center, for online banking, you typically get RSA(2048-bit) encryption, iCloud uses the same encryption.
Here's another factor, since Apple has Health, Wallet, customer data, and minor (kids) customer data, they have to follow several compliance laws such as HIPAA, PCI-DSS, COPPA, FOIA, ECPA, FERPA, FIPS, and GLBA. So they have to adhere all of their products to uphold these standards. In case you didn't know HIPAA is used by hospitals and PCI-DSS is used by financial institutions. With having to hold to those same standards across their entire platform, I'd say you don't have much to worry about.
I know this is long but there are people working on this stuff that know more about data protection than you and I both, and if I feel pretty good knowing what I know, I'd say we are in safe hands.
finally got it working!
