Should you trust your files to Mega? I'm not sure I would

Kim Dotcom's sequel to MegaUpload is up and running -- kinda sorta. But there are too many gotchas to trust important files to this "privacy" service.

Credit: REUTERS/Nigel Marple

He has a name like a cheesy cartoon superhero and a personality to match. Yet Kim Dotcom has Hollywood soiling its collective shorts over his latest adventure in file sharing, dubbed simply Mega.

In case you haven’t been following the news, Mega is Dotcom’s sequel to MegaUpload, the wildly popular digital locker service that got shut down last January by the Feds, which included a SWAT raid of Dotcom’s New Zealand megamansion worthy of a Schwarzenegger film.

welcome to mega-600p.png

Mega launched last Sunday, though “launch” is really inadequate to describe it. The service exploded off the launchpad but then sputtered and has been hovering in midair ever since, like a butterfly with a broken wing. Dotcom says so many people signed up so quickly that the service has not had a chance to find its footing. Maybe. I’ve been trying to use if for five days now, and it’s still extremely buggy and unreliable.

What’s noteworthy about Mega is that Dotcom has branded Mega a “privacy” service, thanks to its implementation of browser-based end-user encryption. If you sign up for Mega and upload files, they’re automatically scrambled using 2048-bit AES encryption, theoretically rendering them inaccessible to anyone who does not possess the key to decrypt them. You can get 50GB of storage for free (ads will come later), or store up to 4TB for $30 a month.

Sounds good, right? Well, maybe not. There a a ton of caveats. Here are the biggest ones.

* The encryption really only works if you use Chrome. Sure, you can sign up via Firefox or IE, but you won’t get the full benefit. And the accounts I've tried to set up in either browser just stop working shortly thereafter.

* There’s no way to recover or change your login data. Lose your password, lose your files. And in my tests, Mega routinely ‘lost’ the login info for the accounts I created in IE and Firefox.

* Most security experts who’ve looked at Mega’s code and methodology are saying either ‘You gotta be kidding me’ or ‘WTF?’. I’m not a crypto geek, so let me just summarize Ars Technica’s deep dive into the Mega’s encryption scheme: “Megabad.”

* When Dotcom talks about Mega as a “privacy” service, he’s not talking about your privacy, he’s talking about his.

MegaUpload got in trouble because it allegedly stored thousands of pirated movies. It was so good at it that clever users developed their own movie piracy businesses using MegaUpload as their service provider. In June 2010 the FBI raided a five-person startup called NinjaVideo that was doing just that.

Dotcom claims that when Hollywood came knocking with Digital Millennium Copyright Act complaints, he complied with their takedown requests. But apparently not often enough to keep the feds from raiding his home and taking MegaUpload down for the count.

With Mega’s encryption scheme, Dotcom claims that he will have no way of knowing whether content uploaded to his servers infringes someone’s copyright. This is the Sergeant Schultz defense, for you Hogan's Heroes fans out there: He sees nothingk, he knows nothingk, he does nothingk.

If you read Mega’s terms of service and privacy policy, you’ll see several admonitions against storing content you don’t own the rights to (as well as “unsuitable, offensive, obscene or discriminatory information of any kind”).

At the same time, though, Mega gives you several ways to share files, either by emailing a link to a file or folder to other Mega users, or simply posting the encrypted URL, which anyone can access with a click. So sharing copyrighted material is bit more work than with MegaUpload or a Bit Torrent site, but not much. Mega also stores your IP address and will comply with any warrants or takedown notices it receives if someone accuses you of sharing copyright content. It even offers copyright holders a form they can fill out to lodge DMCA infringement claims.

There’s another reason to not trust Mega. When its big brother got shut down last January, the feds confiscated terabytes of data, much of which was not infringing anyone’s copyrights. They still haven’t given it back. That’s why Mega’s terms strongly urge users to keep multiple copies of the data they upload, and it accepts no responsibility if something similar happens to your stuff down the road.

So, to recap: Mega is in the crosshairs. Feds are itching for an excuse to shut it down. Its encryption schemes are questionable at best, it offers no guarantees that your data is safe, and if something bad happens to you or your stuff it’s totally on you.

Why would anyone use this service for anything important?

Got a question about social media? TY4NS blogger Dan Tynan may have the answer (and if not, he’ll make something up). Visit his snarky, occasionally NSFW blog eSarcasm or follow him on Twitter: @tynanwrites. For the latest IT news, analysis and how-to’s, follow ITworld on Twitter and Facebook.

Now read this:

The new MySpace: I like it, I really do. What's wrong with me?

What's the freakin' deal with all these LinkedIn endorsements?

Mickey Mouse knows what you did last summer

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon