Why I’m Uneasy About Online Password Syncing
It is funny how the smallest posts turn into a big and pretty serious conversation. Not long ago, I wrote a short post about RoboForm. It isn’t even that spectacular a post but it generated a lot of conversation because of the mere fact there are many more tools than RoboForm that do the same thing. As with a lot of software these days, they are becoming more and more web-based. That’s a good thing. I love it.
In fact, I dream of the time when I need only carry a very lightweight ‘dumb terminal’, much like the dumb terminals of the past, and do all the processing and heavy lifting on the web. The only thing that holds me back, that actually stops me dead in my tracks, is the fact that with the advancement of Internet technologies comes more crime. More people trying to steal my stuff.
I can’t help that of course and I can’t live in fear either. But yet, I am one that subscribes to the thinking that some fear is healthy and keeps me alive. So what am I talking about here?
It’s about your data on third party servers. The good honest truth of the matter is, as long as you have a web site, use web-based email, Google Apps, or even post stuff on social networks, you are putting your data on third party servers. Your web host may be your web host but they very likely lease/purchase/rent the server itself from another company that has the infrastructure. In fact, that’s a big part of the way web hosting works. Google uses cloud computing heavily. What does that mean? Basically, the data you think is at Google may not necessarily be there at all but on someone else’s server, someone you will likely never know, who could be clear across the globe and who abides by a very different set of laws.
But like I said, it has all come to a point where it is almost unavoidable. Especially for us small (micro) businesses who need or rely on the ease of such applications, which of course are easy on our budgets too. I’m not the type of person who sweats this stuff. Seriously. To me, if you don’t want it out there, never put it online. I don’t care what type of encryption or security setting, if it is really life or death, 100% private, don’t put it online. If you put something online, you should have some expectation of a breach now or later and you should be prepared to accept a reasonable risk of loss. I have a blog, I put my products out there, I put my content out there because I want it to be out there. What’s there to sweat?
However, the conversation about RoboForm Online and its competitor products like XMarks and LastPass brings up one type of data which I am very reluctant to place online. Sure, I worry about my own personal data like credit cards and banking information. That on its own stops me from syncing my passwords across the Internet. But the truth is, I have more than my own data to protect.
Like most service providers, clients entrust me with a lot of passwords from shopping carts to entire dedicated web servers. I just cannot bring myself to put that stuff outside of my own network, onto computers that I have no idea who controls. True, there are security measures, the data is encrypted and nobody holds the ‘keys’ to the data but me since the ‘keys’ are installed on my computer. I have absolutely no qualms about that.
But encryption is only one side to this. The weakest link in any computer system is humans. The person sitting behind this screen and the person sitting behind the screen on the other end. In 2007, Salesforce.com fell prey to a phishing attack where a staff member was duped into revealing passwords. The Veteran’s Administration – can’t rely on government with anything let alone your sensitive data – has leaked our personal information so many times I’ve lost count. All because of someone losing their laptop or putting data onto a USB stick. Then, you hear reports of disgruntled employees stealing information to sell it or even planting viruses onto employers’ systems.
Just because you and I don’t have employees physically in our offices doesn’t mean you won’t be a victim of such things. You will, especially when we rely on third party systems.
Ok, I get it that the data can only be unlocked by me. But if software is designed to interact with the server, what’s to say an infected server won’t install something on my computer to access my keys?
Who has access to my data?
In the end, while I do sing the praises of apps that can help make our lives easier at a reasonable cost, at this point in time I will continue to stand my ground that some kinds of data, especially when it is a collection of data, are not meant to be transmitted online. There may be a gazillion other ways people can get to my passwords right now as I write but at least it is on my home turf and the problem is not distributed elsewhere.
What do you think? Would love to hear your thoughts.
I completely agree with you. RoboForm is on my list of things I want in the near future. There’s just so many passwords to remember and I don’t like having them saved on my computer. Not only do I have all of mine, but some for client’s websites too. I don’t dare save those online/on computer…
You can just put those passwords on RoboForm on a jump drive and it doesn’t have to save to your computer, right? That’s what I was thinking anyhow. Thanks for the post!
RoboForm has a version you can use on a USB drive. My husband has that but I’m even more wary of USB drives – too easily lost.
Good post. This is another reason why we make the online synchronization aspect of RoboForm an added feature, rather than turn RoboForm into a pure online service.
This allows users the convenience and flexibility of syncing to our server (or indeed theirs), but since RoboForm is at its core a desktop software the end user has full control of their own encrypted data.
-Simon @ RoboForm
That makes sense. I think stuff like that should always be optional.