In 2017, hackers stole the private financial records of some 156 million people from servers belonging to Equifax, while the 2018 Facebook-Cambridge Analytica scandal revealed how personal data belonging to up to 87 million Facebook users was harvested without their consent.
A litany of high-profile data breaches has led to a growth of interest in peer-to-peer (P2P) cloud storage solutions. Instead of storing your data on centralized servers that can be hacked, these store multiple instances of your data on the drives of a decentralized network of other users.
Several Proton users have asked us whether we considered a decentralized architecture for our end-to-end encrypted cloud storage service, ProtonDrive, which will be released later this year.
In this article we will examine the pros and cons of P2P storage, and explain why we have opted for a centralized end-to-end encrypted security model instead.
For a technical overview of ProtonDrive security, please see our ProtonDrive security model.
What is peer-to-peer (P2P) cloud storage?
The classic centralized storage model is used by all the “big name” providers, including Google Drive, Dropbox, and Apple iCloud. Users’ data is stored on physical servers that are owned and operated by the cloud provider.
This means that when you upload files to a centralized storage account, you upload them to a server center run by the service provider, and download them from the server center when you want to access them (or when they are synced across your devices).
Under the peer-to-peer model, there is no centralized server. Files are instead distributed and stored on the drives of different users. When you “download” a file, individual parts may be received from multiple sources (“peers”) and reassembled on your device.
Advantages of P2P
No single point of failure
Without a centralized server, there is no single point of failure for P2P systems. There is no one server that can suffer a catastrophic failure, accidentally burn to the ground, or be seized by a third party.
Resistant to censorship
With P2P systems, your data is stored on the disks of multiple (possibly even hundreds of) people, who may be located all over the world. As demonstrated by the success of the P2P BitTorrent protocol, this makes P2P systems almost impossible to censor, block, or shut down, as there is no central organization which can be pressured or coerced.
Downloading data from a P2P network can be very efficient when the recipient is able to obtain data from multiple sources (peers) simultaneously.
Reduced infrastructure requirements
P2P storage does not need expensive centralized servers that require continual maintenance and monitoring. Files are instead stored on users’ devices.
Advantages of centralized cloud storage
Lower latency, predictable performance
Many centralized systems use expensive high-speed server networks with enterprise-level internet connections. This is in sharp contrast to many P2P systems, where data is typically stored on users’ PCs with home internet connections.
It is also worth noting that while P2P networks can offer good performance in terms of throughput, this can come at a cost of latency, due to the fact that file pieces must often be retrieved from the other side of the world — and possibly even over dial-up connections — at substantial performance cost.
A centralized system, on the other hand, allows developers to design systems for maximum performance and provides a level of predictability that is simply not possible with a decentralized system in which a huge number of variables (such as the distance between users, each peer’s connection speeds, and device capabilities) are outside of anyone’s control.
There are many useful features that users of traditional storage platforms take for granted that are very difficult, if not impossible, to implement using a P2P model.
In the section below, for example, we discuss features that ProtonDrive offers that are only possible using a centralized approach.
Why ProtonDrive uses a centralized approach
Offering a centralized service instead of a P2P one is always going to involve some trade-offs. We recognize, for example, that the decentralized nature of the P2P model makes it highly effective at defeating censorship. There are, however, many compelling reasons for us to go with a centralized model.
ProtonDrive is built upon Proton’s existing infrastructure, which is both extensive and highly robust. It includes multiple redundancies, and data is stored at multiple geographically distributed locations across our server network. Even if one of our data centers were to be completely destroyed, no user data would be lost.
Resilience and fault tolerance are already built into Proton’s infrastructure, which we believe makes ProtonDrive inherently much more reliable and less susceptible to technical faults than many P2P systems.
Our servers are also powerful, feature high-speed internet connections, and are completely under our control. This allows us to offer much greater performance and stability than P2P solutions can offer, while also providing scalability.
With data breaches hitting headlines with almost monotonous regularity, it’s clear that centralized servers are vulnerable to hacking. The difference with ProtonDrive, however, is that all data stored on our servers is end-to-end encrypted, so even if the files are breached, they cannot be decrypted and accessed.
As with ProtonMail and ProtonCalendar, your data on ProtonDrive is encrypted on your device before being uploaded to our servers, and only you can decrypt it on your device. This ensures your data is always safe from hackers, the authorities, and even from us.
End-to-end encryption is a key differentiator between ProtonDrive and most other centralized services. Unlike Google, Dropbox, Microsoft, or Apple, we simply can’t access and hand over your files.
One advantage of P2P systems is that their decentralized nature means there is no centralized server to break into or otherwise compromise. For us, however, this is simply not an issue. Our centralized servers hold the encrypted data, but the decryption keys are tied to user passwords that we do not know.
The resistance of any system to hacking is based on the security measure it uses. If a hacker can compromise a system, then it matters little if the system is centralized or decentralized.
Proton is famous for taking security seriously. The robustness of our security practices and design principles are well-known, while our open source code is fully and independently audited for security issues.
And, again, in the unlikely event that our systems were to be hacked, end-to-end encryption ensures your data will be safe anyway.
Based in Switzerland
The geographically distributed nature of P2P cloud storage systems makes them highly resistant to censorship. This is undoubtedly one of the strongest arguments in their favor.
However, Proton has a high level of censorship resistance through legal protections and technical innovations, such as Alternative Routing. Our company is based in Switzerland, a democracy with strong rule of law, no ties to the United States-led Five Eyes surveillance network, and it enjoys some of the strongest data privacy laws in the world.
If one of our servers (or even all of them) were to be seized, the fact that all data is end-to-end encrypted so that not even Proton can see it ensures the adversary would be unable to access any of the files or other data stored on it.
Using a centralized model allows us to offer a wealth of features to our users that are simply not possible using a P2P model. These include:
Advanced sharing options
ProtonDrive allows you to share individual files with multiple other users, assigning granular permissions (such as read-only, write-only) to each “Share.”
Everything is encrypted
All data stored on ProtonDrive is end-to-end encrypted. This means all the contents of your files are inaccessible to anyone but you.
End-to-end encrypted sharing via URL
You can share files stored on ProtonDrive with non-Proton users via a simple URL. The files remain end-to-end encrypted, so Proton never gets to see them. You can choose to include the password required to decrypt your files in the URL for ease of use, or you can share it via another means for maximum security.
More information on these features can be found in our ProtonDrive security model blog post. As with all our software, the ProtonDrive clients will be made open source and submitted for third-party auditing in accordance with our usual roadmap.
ProtonDrive uses the same zero-knowledge authentication system that we use to secure ProtonMail accounts. This allows us to verify your password without ever knowing what it is or anything about it. If our servers were ever compromised then no password information could be stolen because there is nothing to steal.
The Secure Remote Password (SRP) protocol that we use to achieve this is also highly resistant to attempts to brute force the password, as each guess requires further interactions with our servers, which makes the entire process arduous (we also block IPs that make too many login attempts).
Easy access to your data from multiple devices
A centralized approach prevents synching conflict between multiple devices.
We are very excited about ProtonDrive as we move toward the beta launch, and as a community-powered project we’re grateful to you for supporting this important addition to Proton services. With ProtonDrive, we will be able to increase overall access to privacy, security, and freedom online by bringing more of our users’ data inside an end-to-end encrypted ecosystem.
You can get a free secure email account from ProtonMail here.
We also provide a free VPN service to protect your privacy. ProtonMail and ProtonVPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan. Thank you for your support.
Feel free to share your feedback and questions with us via our official social media channels on Twitter and Reddit. Note that while blog comments also remain open, questions and feedback will not be responded to individually. Where relevant, we will incorporate the most frequently asked questions or comments into a blog update.