Sugarsync are removing their Folder sharing links
I just received an interesting mail from Sugarsync
As part of this change, we are removing the ability to share a universal link to a shared folder (the “Get Link” feature). The universal link is less secure since you can’t control who might gain access to the link (e.g., an intended recipient might accidentally forward the link to other unintended recipients). We’re also removing the password option since the new model is inherently more secure by allowing only specified recipients to accept the folder, preventing a password from being shared without your consent. And don’t forget that you can add or remove folder members at any point in time.
Now – call me a cynic, but this sounds more like Sugarsync trying to increase its registered user base by forcing everyone you send folders to, to sign up for an account, than to improve security.
I’ve found the flexibility of being able to send a link to a person very useful… simply because it requires less inconvenience for the person I’m sending it to, but is still a bit more secure than generating a completely public link. Everyone I know has ‘Web 2.0 account fatigue’, and if I’m sending a file to a customer, I’d rather just be able to include a quick link in my email to them, rather than send them a blaring bannered service invite via a proxied service requiring them to sign up for an online account, before they get the file I was sending them. There’s still plenty of branding and sign-up options at the other end of the download link, without sending them that mail. And what if his enterprise decides Sugarsync is out of policy, and blocks all emails from the site?
Folder passwords are also very handy against the threat of someone accidentally discovering a public link, since they still need the password to access it. Sending the password out of band (ie. in a text message, rather than in the same email/invite as the link itself) gives some insurance against data leakage, and makes the recipient feel more personally responsible for the security of that data: they can’t say “oh, nothing to do with me, someone must have stumbled across that link on the internet”, if they’re the only one with the password. Losing this feature, for me, is a step backwards for Sugarsync against some of its competitors, such as Dropbox.
Now… I’m not completely adverse to getting recipients to sign up for accounts. Let’s face it, viral spread is core to the business model. I keep singing the praises of Sugarsync to my colleagues, and I’ve managed to refer 28 people, most of whom I’d only met once, by sending them documents that required signup. I’m not entierly adverse to it. But I would like to have the option.
If we want to improve security, how about auditing access? That’s something I would really rather see. If we’re scared of who might be able to see our folders without our knowledge, then what I’d really like is to be able to run an audit report to see who read/wrote which file, at which time, using which link/password, from which IP address. It lets me see that people are using the links I send them. It lets me see who accessed a public link. It lets me detect if someone has tried to access files from unlikely/suspicious IPs.
OK – a big proviso here; this is my kneejerk reaction. I’ve not fully explored how this will change things, and there may be some benefits. I’ve also only just jumped into the forums here, which I visit very occasionally, and perhaps this has been discussed to death elsewhere. But I thought it might be a useful discussion kickstarter to vent here and now, and gauge different viewpoints 🙂