It is a world where everyone wants to know you better. Not because they love you but because they want to use you. There are government institutions snooping on you to find out your political inclinations. Marketing agencies follow you around the Internet to learn your interests for advertising. Then there are hackers who want to use your accounts for their nasty jobs – thereby implicating you while they stay safe. In such a world, you need something to protect your data. This post explains what CloudSweeper is.
What is CloudSweeper
CloudSweeper is a research project that aims to figure out the potential risks of leaving emails with sensitive data (mostly passwords) in one of the folders of your online webmail account. Based on some algorithm,
- It calculates the net worth of your Gmail account (including Google Plus) if hackers were to sell the information;
- It then specifies what steps you should take to protect your account; and
- It helps with encryption of the sensitive data so that hackers cannot extract any of your personal info.
However, I felt this service offers just a part of security as it emphasizes email passwords. Our emails often contain much other sensitive data such as postal addresses. Sometimes even the email address of a person may be sensitive. For example, you use two email IDs – one for private conversations and one for business. In this case, if the private email ID is made public, your purpose is lost and there is a strong possibility of this account containing much data about you and yours.
In short, CloudSweeper is a research project funded and implemented by the University of Illinois at Chicago. It checks your Gmail account (only) and tells you: a) the value of your information to hackers; b) how to protect your email account. In addition, if you choose to, CloudSweeper will encrypt your emails.
As explained above, it offers three services: 1) finding out your Gmail worth; 2) suggesting how to protect your data; and 3) encrypting/decrypting your email on Gmail. As of now, it seems, the service works only with Gmail. It asks permission to read your Google+ account, so I guess it scans the Google Plus account too.
In my case, when I ran the CloudSweeper Audit to find out my Gmail worth, it first presented me with an OAuth dialog asking permission to access my Gmail account and Google Plus account. It then presented me with an Informed Consent page that asks your permission to let it use non-personal data for its research purposes. You can either accept it or deny it. It does not affect the Audit process in any way. I did not see any harm so I accepted it.
To my surprise, it showed my Gmail Account worth as $0.00. I had messages containing my Amazon Account details and a few more emails containing information about my address etc. registered with domain name registrars.
The above stresses the fact that CloudSweeper scans your emails only for the passwords and nothing beyond that. Please do let me know if you find it behaving differently in your case.
The same results page also suggested I use a password manager to use different passwords at insecure sites and offered a few more suggestions.
ClearText Password Audit
This is similar to the above except that instead of calculating your Gmail’s worth, it offers you a choice of encrypting your sensitive emails. This test found three passwords in my Gmail. So probably, the basic audit does not take care of all passwords or ignores simple websites. Anyway, I had three options:
- Encrypt the messages,
- Redact the messages, as it calls the option to remove passwords from emails,
- Do nothing.
If you choose to encrypt your passwords, you will be given the encryption key in the form of a QR code that you can print and later scan with a QR code reader to decrypt the messages. This part works well.
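To make the audit and redact options concrete, here is an added example (not CloudSweeper's code; the service's actual algorithm is not described in this post) that scans message bodies for cleartext passwords and redacts them. The sample messages, the regular expression and all function names are constructed assumptions for illustration.

```python
import re
from email import message_from_string

# Constructed sample messages for this example (not real mail).
SAMPLE_MESSAGES = [
    "From: signup@shop.example\nSubject: Welcome\n\n"
    "Hi,\nUsername: alice\nPassword: Tr0ub4dor&3\nThanks!",
    "From: friend@mail.example\nSubject: Lunch\n\nSee you at noon.",
    "From: noreply@forum.example\nSubject: Account reset\n\n"
    "Your new password is hunter2-temp. Please change it.",
]

# Assumed heuristic: a password label, then ':' '=' or 'is', then one token.
# The lookahead keeps sentence punctuation out of the captured value.
PASSWORD_RE = re.compile(
    r"\b(?:pass(?:word|code)?|pwd)\s*(?:[:=]|\bis\b)\s*(\S+?)(?=[.,;]?(?:\s|$))",
    re.IGNORECASE,
)

def split_message(raw):
    """Return (subject, body) so headers are never scanned or rewritten."""
    msg = message_from_string(raw)
    return msg.get("Subject", ""), msg.get_payload()

def find_passwords(raw):
    """List the password-like values found in the message body."""
    _, body = split_message(raw)
    return [m.group(1) for m in PASSWORD_RE.finditer(body)]

def redact_body(raw):
    """Return the body with each detected value replaced by a marker."""
    _, body = split_message(raw)
    # Keep the label text, replace only the captured value.
    return PASSWORD_RE.sub(
        lambda m: m.string[m.start():m.start(1)] + "[REDACTED]", body)

def audit(messages):
    """Map each subject to the number of cleartext passwords in that message."""
    return {split_message(raw)[0]: len(find_passwords(raw)) for raw in messages}

if __name__ == "__main__":
    for subject, count in audit(SAMPLE_MESSAGES).items():
        print(f"{subject}: {count} cleartext password(s)")
    print(redact_body(SAMPLE_MESSAGES[2]))
```

A label-based heuristic like this misses passwords sent without a label and can flag ordinary words that follow "password is", so the findings need a manual review before anything is redacted.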
Review Of CloudSweeper – Verdict
A good privacy auditor in the field, CloudSweeper covers only Gmail as of now. Also, it checks only for passwords and leaves out other information such as postal addresses etc. However, it claims nothing more and does its job perfectly. It is recommended to run it at regular intervals to see if you are vulnerable. I would like the service to be extended to other email service providers as well so that one can be totally assured about his/her online safety.