BT Sync / Resilio Security Concerns


xtraeme


I recently did a contract with a Fortune 500 client that requires SAS 70 Type II, SSAE 16, ISAE 3402, and/or SOC2/3 certifications amongst other guarantees like 99.9% SLAs and so on and so forth when working with external vendors. Moving data securely is always a sensitive issue. The company required AES256 at rest and during data transmission. BT Sync (now Resilio) only currently supports AES-128, which is problem number one, but I still floated BT Sync for transmitting large assets that weren't mission critical. During a security review legal called attention to a clause in Resilio's Terms of Use. The proposal to use BT Sync was ultimately shot down because the wording in Resilio's Terms of Use suggested there might be a backdoor in the BitTorrent Sync / Resilio software that allows Resilio and/or its partners to access user assets through an undisclosed channel.

The exact complaint was with the wording in the "Terms" as seen when installing or upgrading to Resilio for the first time:


https://getsync.com/legal/terms-of-use/

The specific complaint was with section 7.a and 7.b (Investigations).

Quote

7. Investigations:
a. Resilio, in its sole discretion, may (but has no obligation to) monitor or review the Services and Materials at any time. Without limiting the foregoing, Resilio shall have the right, in its sole discretion, to remove any of Your Content for any reason (or no reason), including if it violates the Terms or any Law.

I pointed out that "Materials" was defined as:

Quote

Materials means those Materials that are made available through the Services by Resilio or its licensors and specifically do not include Materials made by you or other users of the Services.

The problem is that "Your Content" and "User Content," defined in section 2.b, are still open to interpretation in the ToS since "Service" is broadly defined (in section 1.a) as:

Quote

By (i) using our products, our web site or any other web sites (each, a Site) or other online service of Resilio, Inc., its affiliates and agents (Resilio) with links to these Terms of Use (the General Terms) (collectively, the Services)

Section 2.b (Use of Services & Materials) then states:

Quote

Unless expressly agreed to by Resilio in writing elsewhere, Resilio has no obligation to store any Materials that you upload, post, email, transmit or otherwise make available through your use of the Services (Your Content). User Content means any Materials uploaded by you or the other users of the Services. Resilio has no responsibility or liability for the deletion or accuracy of any Materials, including Your Content, the failure to store, transmit or receive transmission of Materials, or the security, privacy, storage or transmission of other communications originating with or involving use of the Services. Certain Services may enable you to specify the level at which such Services restrict access to Your Content. You are solely responsible for Your Content. You agree that Resilio retains the right to create reasonable limits on the use of the Materials, including Your Content, such as limits on file size, storage space, processing capacity, and similar limits described in the web pages accompanying the Services and as otherwise determined by Resilio in its sole discretion.

This was the deal breaker because "Service" includes the software used to transfer data (aka BitTorrent Sync or now Resilio), not just the web site(s) and emails.

Moreover, the Privacy Policy didn't categorically state that Resilio is incapable of tracking and accessing user files, merely that Resilio doesn't, which could be a matter of choice.

I would like to recommend BitTorrent Sync again in the future, but I know many of the clients I work with will go through the same process and ultimately voice the same concerns.

Are there any plans to provide clearer language that categorically states Resilio / BitTorrent Sync has no known backdoors that would allow the company or any outside parties to snoop on clients' data, and no known mechanisms to subvert the security of the software?
