privacytools/privacytools.io

🆕 Software Suggestion | Cozy Cloud

fgamess opened this issue · 5 comments

Basic Information

Name: Cozy Cloud
Category: Provider/Cloud Storage
URL: https://cozy.io/en/

Description

I do believe that Cozy Cloud should be mentioned on your website as it provides multiple secure cloud services (bank aggregator, cloud storage, notes, password manager). They seem pretty transparent and concerned about the privacy of their customers.

Why I am making the suggestion

Cozy Cloud is a set of open-source services that give you the ability to store and manage multiple data that you own on the cloud.

Cozy Cloud seems to give detailed information about how they collect and process our data and with whom on the Privacy page.

It provides multiple services:

Cozy Cloud is located in France and so will be your data when stored on their servers. Might be a source of concern?

My connection with the software

I am simply an early adopter. I used it several times.

  • I will keep the issue up-to-date if something I have said changes or I remember a connection with the software.

Self hosting is possible: https://docs.cozy.io/en/tutorials/selfhost-debian/

I am a bit concerned about their privacy page. The link @fgamess included is not the actual privacy policy. The actual privacy policy, listed at the bottom, can be found here: https://files.cozycloud.cc/TOS-4.41.1.pdf. This is actually the full TOS, but it is only available in French. Under GDPR it is required to provide a privacy policy in the language of the countries in which you are active.
The TOS under 4.11.1 mentions that Cozy still shares data with countries in the Privacy Shield scheme. This has been abandoned by the EU Court of Justice (Schrems II) and may no longer be used. Sharing EU personal data with companies in the US such as Stripe and Mailchimp is still a tricky business. The only options to do so are with a BCR or SCC contract, and because the US does not offer the same level of data protection, additional measures are required (https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN). The fact that they have no mention of this and the TOS is either outdated or against the law should raise a red flag.

These are good points, @ph00lt0. I am not so rigorous yet when checking because I just started to be concerned by privacy, in fact. Then perhaps Cozy isn't a good suggestion.

@fgamess hey no worries. It's good to look into these. I am not saying that they should not be recommended but it would require some changes on their side.

I am taking a look at the source code, but I don't immediately see how this is any more private than other cloud providers. There does not appear to be any E2EE. Besides, I already have a plan to develop a self-hostable file management server (ahem, "cloud storage") with E2EE.

@lynn-stephenson good catch: https://help.cozy.io/article/110-does-cozy-encrypt-my-data
They say Cozy encrypts passwords and connections. The data stored in Cozy is not encrypted, as this would negatively affect the overall user experience. We are considering implementing partial encryption of data stored in Cozy.
So I don't know the ETA on this point for today. I will try to contact them to know about the progress.
Additional link: https://blog.cozy.io/en/encryption-cozy/

@ph00lt0 about this: "Under GDPR it is required to provide a privacy policy in the language of the countries you are active."
I will notify them about that once I have some free time.

@ph00lt0 @lynn-stephenson we need to see if they are open to suggestions and improvements about security and privacy.