
Is Cloud Storage Actually Private? A First-Principles Privacy Audit

May 31, 2026 · 10 min read · 12 views · Intermediate

The word "private" is used freely in cloud storage marketing. Most of it is misleading. This is a technical audit of what privacy actually means — and which cloud storage providers actually deliver it.

  • 4 layers of privacy architecture that providers selectively implement
  • 0 providers that can read your files — if they implement zero-knowledge correctly
  • 2 questions that determine whether your storage is actually private

What "private" actually means, layer by layer

Before comparing providers, you need to understand what privacy means in cloud storage. It is not one thing — it is a stack of architectural layers, and providers can implement some without others. Most privacy problems come from confusing the layers.

Layer 1: Encryption at rest

This is the most basic layer. Your files are stored in encrypted form on the provider's servers. If someone hacks the provider's infrastructure, your files appear as scrambled data without the decryption key.

Almost every cloud storage provider offers this. It is table stakes. It is also the layer that is most often confused with actual privacy.

Layer 2: Encryption in transit

Your files are encrypted during upload and download. Intercepting them while they travel between your device and the provider's servers produces scrambled data.

This is also nearly universal among reputable providers. The HTTPS connection you use to upload files provides this automatically in most cases.

Layer 3: Provider-controlled encryption

This is where most providers stop. Your files are encrypted on the server, but the provider holds the decryption key. This means the provider can technically access your files. Their terms of service, legal obligations, or internal policies may or may not allow them to do so — but the architectural capability exists.

This is the layer that Dropbox, Google Drive, OneDrive, Box, and iCloud operate at. They are secure from outside attackers. They are not private from the provider.

Layer 4: Zero-knowledge / end-to-end encryption

This is the layer that actually means private. The provider does not hold the decryption key. Only you do — stored locally on your device, never transmitted to the server. The provider stores encrypted blobs that it cannot read, cannot decrypt, and cannot be compelled to decrypt without your cooperation.

This is the layer that fii.one, MEGA, and Internxt implement at different levels. It is architecturally different from the layers above it — not a better version of the same thing, but a fundamentally different model.

💡 Key Insight: Encryption at rest and encryption in transit are about protecting your files from hackers. Zero-knowledge encryption is about protecting your files from the provider itself. These are different problems with different solutions.

The two questions that determine actual privacy

For any cloud storage provider, there are exactly two questions that determine whether your files are actually private:

Question 1: Who holds the encryption keys?

If the provider holds the keys, they can access your files. If you hold the keys, they cannot. This is the architectural divide between Layer 3 and Layer 4. There is no middle ground that is meaningfully private.

Question 2: Does the provider process your files for anything other than storage?

Even with encryption, a provider can process your files for AI features, content indexing, advertising targeting, or product improvement. Encryption protects against third-party hackers. It does not protect against the provider using your files inside their own systems.

Provider privacy audit

fii.one: Layer 4 — Zero-knowledge

fii.one implements zero-knowledge end-to-end encryption. The provider does not hold the encryption keys. Files are encrypted client-side before upload, and the provider stores only encrypted blobs that it cannot read. This means fii.one cannot access your files, cannot scan them for AI, and cannot be compelled to provide access without your cooperation.

The privacy architecture is clean and consistent. There are no known exceptions or workarounds documented in the provider's terms of service. This is Layer 4 implemented correctly.


MEGA: Layer 4 — Zero-knowledge, with jurisdiction caveats

MEGA implements end-to-end encryption. The technical implementation is genuine — the provider cannot read files in storage. MEGA's privacy story is structurally stronger than provider-controlled encryption in most respects.

The caveat is jurisdiction. MEGA is based in New Zealand, a Five Eyes intelligence-sharing country. New Zealand law allows for specific legal demands for data that MEGA may be compelled to respond to. The technical architecture prevents access to file content, but metadata — who is storing what, when, and how much — may still be accessible to authorities.

For most users, this is not a practical concern. For users with specific threat models — journalists, activists, or users in legally sensitive situations — the New Zealand jurisdiction is a relevant factor.


Google Drive: Layer 3 — Provider-controlled encryption

Google Drive uses encryption at rest and in transit. Google holds the encryption keys. This means Google can access, read, and process your files. Google's terms of service explicitly state that files may be processed for AI features, content analysis, and indexing.

This is not a security failure — Google Drive is well-protected against outside attackers. It is a privacy architecture choice. Google has built a business on data processing, and Google Drive is part of that business.

If you are comfortable with Google processing your files for AI features and advertising infrastructure, Google Drive is convenient and well-engineered. If you want storage that is not part of an advertising data ecosystem, it is the clearest example of a provider that is technically secure but architecturally not private.

OneDrive: Layer 3 — Provider-controlled with AI processing

OneDrive uses encryption at rest and in transit. Microsoft holds the encryption keys. Microsoft has been aggressively integrating Copilot AI features into OneDrive — features that scan, summarize, and generate content from stored files.

For organizations that want AI-powered document tools, this is a feature. For organizations or individuals who want storage without AI processing of their files, this is a meaningful privacy concern that is not addressed by the provider's encryption marketing.

Dropbox: Layer 3 — Provider-controlled

Dropbox uses encryption at rest and in transit. Dropbox holds the encryption keys. The company has explored zero-knowledge features in the past but has not implemented them as a core offering. Files may be processed for internal product improvement and, under legal compulsion, shared with authorities.

Dropbox is secure from outside attackers. It is not private from Dropbox.

iCloud: Layer 3 — Provider-controlled, Apple-specific

iCloud uses encryption at rest and in transit. Apple holds the encryption keys. Apple's privacy model is generally more privacy-respecting than Google's, and Apple's business model is less directly dependent on data processing. However, Apple can access iCloud files under legal demand, and Apple's terms of service allow for specific types of processing.

iCloud is more private than Google Drive or OneDrive in practice, but it is not zero-knowledge private. The distinction matters for users with specific privacy requirements.

pCloud: Layer 3 with optional Crypto add-on

pCloud's default offering is provider-controlled encryption. The company offers a Crypto add-on that provides zero-knowledge encryption for an additional fee. This is a notable architectural choice — privacy is an add-on rather than the default, which means most pCloud users are on Layer 3, not Layer 4.

For users who want zero-knowledge privacy with pCloud, the Crypto plan is a real solution. For users who do not actively seek out and pay for the Crypto add-on, their files are provider-controlled.

Internxt: Layer 4 — Decentralized zero-knowledge

Internxt is built on a decentralized architecture with zero-knowledge encryption as a core design principle. The technical implementation is genuine — files are encrypted client-side, and the provider cannot access them. Internxt's open-source approach means the encryption implementation can be independently audited.

The trade-off is performance. Decentralized storage introduces latency that is noticeable for large files, and some access patterns are slower than with centralized alternatives. For users with strong privacy requirements and moderate performance expectations, Internxt is one of the more credible options.


What the law can actually compel

A common misconception is that zero-knowledge encryption makes a provider immune to legal pressure. It does not. Here is what the law can actually compel:

  • Provider-controlled encryption (Layer 3): Law enforcement can compel the provider to provide access to decrypted files. The provider must comply, and the user has no technical recourse.
  • Zero-knowledge encryption (Layer 4): Law enforcement can compel the provider to provide the encrypted data. The provider cannot decrypt it. The user holds the only key. The practical result is that legal compulsion produces encrypted data that is not useful without the user's key.
  • Metadata: Even with zero-knowledge encryption, metadata is often accessible. Who is storing files, when, and how much storage is being used can still be compelled in many jurisdictions, even when file content is protected.

The important distinction is that Layer 4 does not make legal access impossible — it makes file content access impossible without the user's key. That is a meaningful difference, not an absolute guarantee.
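
The Layer 4 model and the metadata caveat above, shown as an added example (not fii.one's or any other provider's code): a file is encrypted on the client with a key derived from a passphrase that never leaves the device, and the stored record is what a compelled provider could hand over. The function names, record fields, sample document and the scrypt / AES-256-GCM choice are assumptions made for illustration.

```javascript
// Added example: client-side (Layer 4) encryption with Node's built-in crypto module.
const nodeCrypto = require('node:crypto');

// Derive a 256-bit key from the passphrase. Passphrase and key exist only on the client.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32);
}

// Encrypt before upload. The returned record is everything the provider stores.
function encryptForUpload(plaintext, passphrase, ownerId) {
  const salt = nodeCrypto.randomBytes(16);   // not secret, needed to re-derive the key
  const nonce = nodeCrypto.randomBytes(12);  // unique per file, not secret
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), nonce);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return {
    ownerId,                               // metadata: who is storing
    uploadedAt: new Date().toISOString(),  // metadata: when
    size: ciphertext.length,               // metadata: how much (GCM keeps the plaintext length)
    salt, nonce, tag: cipher.getAuthTag(), ciphertext,
  };
}

// Decrypt after download, on the client. Throws on a wrong passphrase or an altered blob.
function decryptDownload(record, passphrase) {
  const key = deriveKey(passphrase, record.salt);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, record.nonce);
  decipher.setAuthTag(record.tag);
  return Buffer.concat([decipher.update(record.ciphertext), decipher.final()]);
}

// What legal compulsion yields under Layer 4: metadata plus unreadable content, no key.
function providerDisclosure(record) {
  const { ownerId, uploadedAt, size } = record;
  return { ownerId, uploadedAt, size, content: record.ciphertext.toString('hex') };
}

// Constructed sample input.
const doc = Buffer.from('Q3 payroll: constructed sample document');
const stored = encryptForUpload(doc, 'correct horse battery staple', 'user-1001');
console.log(providerDisclosure(stored));
console.log(decryptDownload(stored, 'correct horse battery staple').toString());
```

Under Layer 3 the only structural change is that `deriveKey` (or an equivalent key store) runs on the provider's side, which is why the provider can then produce plaintext on demand.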

Frequently asked questions

Is cloud storage actually private?

Most cloud storage is not actually private in the sense that the provider cannot access your files. Most major providers — Google Drive, OneDrive, Dropbox, iCloud — use provider-controlled encryption, which means they technically can access your files. Only providers that implement zero-knowledge end-to-end encryption are actually private from the provider itself.

What is the difference between encrypted and private cloud storage?

Encrypted cloud storage means your files are protected from outside attackers. Private cloud storage means the provider cannot access your files. These are different things. Most cloud storage is encrypted. Very little cloud storage is actually private in the way that zero-knowledge encryption provides.

Does zero-knowledge mean the provider cannot see my files at all?

Zero-knowledge means the provider cannot see the content of your files. They can still see metadata — who is uploading, when, how much storage is being used, and potentially file names and sizes. For most users, this distinction does not matter. For users with specific threat models, it is relevant.

Can law enforcement access zero-knowledge encrypted files?

Law enforcement can compel the provider to provide the encrypted data. Without the user's decryption key, that data is not useful. The practical result is that zero-knowledge encryption makes file content access dependent on the user's key, not the provider's cooperation.

Is Google Drive private?

Google Drive is not private in the technical sense. Google holds the encryption keys and can access your files. Google's terms of service indicate that files may be processed for AI features and content analysis. For users who want privacy from the provider, Google Drive is not a private option.

Storage that is actually private by design

If you want cloud storage where privacy is an architectural guarantee rather than a marketing claim, see fii.one pricing. For direct comparisons with the providers discussed in this audit, see Google Drive, OneDrive, Dropbox, MEGA, pCloud, and Internxt.


fii.one Team
