Updated April 2 at bottom.

My main beef with Dropbox is that it’s not secure, not adequately encrypted, and there’s been a little too much indication that Dropbox is spying on user data.

Ever since I decided to lock down my cyber-life, I had Dropbox in my sights. It was going to be a pain to replace it, I thought, so it took a while before I got around to doing so. I finally did do so today.

The longest step of this process was deciding what I wanted to do. At first, I thought I’d set up my own lightweight cloud server using my desktop, which would sync files on all my devices, something like NextCloud. A great bonus is that this makes it particularly easy to sync things like your address book and passwords. This doesn’t seem like a bad idea and is now my fallback. But I ultimately decided to pass because (a) setup might end up being very bothersome, (b) it might eat up desktop resources, and (c) I’d have to keep my computer on all the time, which seems suboptimal.

All of the problems with installing my own NextCloud—bothersome setup, resources constraints, and always-on system—are taken care of by getting my own server or, less ambitiously, what is called a NAS, or Network-Attached Storage system. I spent several hours yesterday researching all about NASes, and came close to getting either a QNAP or a Synology NAS, because they’re so frickin’ cool. I mean, jeez, it’s actually a fully-functioning standalone web server with a zillion apps (especially Synology), and sure, you can use it to sync your files. But the more I thought about it, the more I thought, “This is a lot of work (and yet another giant attack surface for hackers), when all I really want is a Dropbox replacement.” If I were just hacking and exploring, I would have gotten a NAS in a heartbeat, they’re so cool. But I have other things to do, so…

I also semi-seriously considered getting a zero-knowledge encryption system, like SpiderOak. The premise seems solid: your files are all saved in the cloud, but 100% encrypted, and the key needed to decrypt them is only on your machine (or in your head). SpiderOak (and many other similar services) cannot scan your files because it lacks the keys to read them. I guess my experience with being hacked and seriously disaffected with storing data in the cloud generally turned me off even to this. If I don’t have to trust a company (as I do if, e.g., I want to use a VPN), then I’d prefer not to.

So, how do you get cloud functionality without the cloud? With syncing apps. These use different technologies to sync your devices directly with each other, through the Internet, but not stored on the Internet, and without any one of them acting as a server to the others (so they’re all peers of each other in your little device network). It turns out that there are several options available here, and I came close to going with Syncthing because it’s open source (and therefore, more trustworthy) but…no iPhone app. But the next best thing is Resilio Sync, which is also based on (the UPDATE: closed-source) Bittorrent Sync. Now, the fact that it uses Tor doesn’t mean your data is stored in the dark web. It simply makes use of the Tor network, which is perfectly legal and legit, that is required for accessing the dark web (something I’ve never even tried to do, by the way). The beauty of the system is that in transit through cyberspace, your data is end-to-end encrypted through a decentralized network. It’s hard to get more secure, or that’s my understanding.

Resilio Sync is pretty easy to install if you’re not using Linux. It was a bit of a pain (they could work harder on the setup, I mean really, guys) but still doable, if like me you’re reasonably adept with vague Linux instructions. It didn’t take longer than an hour to completely set up and test (my son did it in half the time), and then I started moving folders over, one by one, from Dropbox to my new Sync folder. This was quite satisfying, not unlike that satisfying feeling of changing my account email addresses from gmail.com to sanger.io. And because Resilio updates via your LAN directly from device to device, it syncs much faster than Dropbox. Like Linux, the slightly geekier alternative turns out to be just better, all the way around.

I got the $100 one-time deal so my family could all use it. Since this is roughly what I’ve been paying to Dropbox yearly for the last decade or whatever it’s been, I was very happy to pay this.

How does it work? Well, once it’s set up, it’s just like Dropbox. Create a new file in your work folder? It’s practically instantly synced to any other devices that are on, as soon as you save it. (Of course, it does have to be on, in order to sync. And your phone won’t sync the file and folder contents; it will only sync the index, and then, as with the Dropbox mobile app, you can download the item one-by-one.)

There is one very small change this might require to your routine. Since your files aren’t in the cloud but only on other machines, before you leave one machine with files on it you might want to access elsewhere, you’ll want to make sure either (a) that machine will stay on while you’re away from it, or (b) you’ve synced before you leave while they’re in close proximity (the LAN connection will make syncing faster, too).

Love it so far. Buh-bye Dropbox! Any regrets so far? Not really. While LAN syncing for me is significantly faster than Dropbox, it uses only 10% of my available LAN bandwidth, and I wasn’t able to get it to go faster; I’m not sure what’s up with that. I tried to fix it but didn’t dare do too much, since it involved a lot of fiddly changes to settings that, it seems, need to be undone. Your mileage may vary.

Also, they didn’t make Linux GUI other than a browser-based one, which is OK; it works well enough. They didn’t even bother to create a tray icon, but they do have an API, so my 12-year-old son made one for them and I’m already using it. (Want the code, Resilio? I can set that up.)

Of course, if you haven’t taken the Linux plunge, Resilio Sync is probably going to be a lot more usable for you—not that, at the end of the day, it isn’t extremely usable for Linux users, too. And, as I’ve indicated, there are many, many other options available to you if you want to ditch Dropbox. You should consider them for yourself.


April 2 update:

I’ve been using Resilio Sync for the last two weeks, and my son and I have a few concerns. The first is one we knew about going in: it’s not a cloud solution. Syncing works only if both devices are on. This means syncing isn’t exactly “set it and forget it.” You have to pay attention to whether something is syncing, and if you forget…you won’t be synced. After using Dropbox for years, this turns out to be quite annoying.

This, in turn, means I have to worry more about losing files. I can back up files on my main machine, which is always a great idea (of course), but if I haven’t synced because two machines haven’t been on at the same time (or because I need to reboot Sync, which is also an annoyance), then I might still lose laptop files because I only back up my desktop.

Backing up is all the more important because it is possible to inadvertently delete a bunch of files from one machine…leading them to be deleted everywhere. That would be a disaster. It’s like automatically deleting all your backups. Of course, the stuff might be rescuable in Trash, but do you really want to rely on Trash as a fallback solution?

To pour salt in the wound, if I really want peace of mind, I have to make sure the the backup program is fantastic. I can’t rely on Resilio Sync as a backup program. And the default Ubuntu backup program kind of sucks (which is surprising to me). This isn’t a count against Resilio, but it does make switching, if I’m going to switch, more urgent.

So it’s back to the drawing board. A zero-knowledge encryption cloud solution is sounding better now, but there are two sticking points for me: (a) I don’t want to have to trust an external vendor if I don’t have to, and (b) I’m not confident that I know what’s going on well enough to be able to say that my data is truly secure and private.

Last time, I came very close to getting a NAS, but I didn’t. I’m now 90% sure I will get a NAS after all.

The reason I didn’t get a NAS the first time is that it sounded like just too much trouble to set it up and maintain it, not to mention having another attack surface to lock down. But the more I think about it, the more I think it might be worth it.

After all, another rather huge advantage of a NAS is that I don’t have to rely on any cloud service I don’t control myself, at least for my personal purposes, for a range of purposes we now use different cloud services for. That means I can maintain my own synced contacts, passwords, bookmarks, etc., as well as supporting collaborative documents (a la Google Docs) I want to work on with others (such as a Declaration of Digital Independence). I might still have to rely on Google Docs (or something like it) for work, but at least my private life would be more locked down.

Any one of the latter advantages certainly wouldn’t be enough to justify getting a NAS. But taken together, and combined with an always-on Dropbox alternative that I can “set and forget,” it’s looking better and better.

Stay tuned. I’m not done yet.

Another installment in my series on how I’m locking down my cyber-life.