With many service providers (I tested 4), once you enable “last status” in the dashboard, you can see all members and customers of the host. For the most part, this is unintentional in the case, but I also know no possibility as an admin to hide the accounts. So you can at least see who is using a service, if someone uses plain names it’s even worse as someone can create online activity profiles without the users consent. Is there a way to turn this off or has this been considered?
1 Like
What version of nc are you on?
It’s 21 but that was also possible with previous versions, so it didn’t started with 21.
Hi @k4te
I would never just open an account with some random Nextcloud provider and upload private files of mine. I would even go so far as to recommend Google, Apple or Microsoft services rather than a cheap or even free Nextcloud plan.
Don’t get me wrong. The problem is not Nextcloud here. The problem are these providers who use the product incorrectly or inadequately secured because they think they can make a few bucks with relatively little effort. But either they don’t have the necessary knowledge of how to set up a hosting platform properly or they simply don’t care.
If you want to use a hosted Nextcloud, you should make sure that you get a complete instance incl. Admin account, preferably on a separate VPS, and not just a simple user account on an instance with an unknown number of other users. This avoids things like you describe.
Of course, it is best to host your Nextcloud on premise. This is the only way you can really keep 100% control over your data. Cloud offers are always “someone else’s computer” and It doesn’t make much difference whether the offer says Google, Microsoft or Nextcloud. Maybe this Nextcloud service you subscribe to, even runs on a Google, Amazon or Azure plantform. However, there is one decisive difference: The big services like Google Drive or Microsoft One Drive are generally better positioned when it comes to security.
Conclusion:
Host it your self and if that’s not possible use a Hosting Provider who offers you a sperate VPS with your own private Nextcloud instance! Preferably with a well-known provider such as Linode, Hetzner, Digital Ocean etc., who has the experience and resources to set things up correctly. Of course, such offers are usually more expensive. And there is a reason for that.
Just my 5 cents to this topic
Hi @bb77
I am in IT Sec and a data privacy officer so I don’t use them myself. We have a lot of them in Germany for free (Open Source Community for politics) but I am also Admin of one in my company but we had to share users etc. with other companies, so not every user needs to know all users of the instance.
I tested other instances to see if someone else already fixed that, but couldn’t find one, that’s why I asked here as I can’t find a privacy-friendly solution to this.
Ah ok. I can see that this can be problematic under the circumstances you describe, for example if a company wants to create accounts for external partners or even with different departments internally. Unfortunately, I don’t know how to prevent this either…
In our case it’s exactly like this.
Someone decided once (before my time) to add another company and also partners and partly also private people.
This causes a lot of privacy problems.
Maybe someone has a solution, if not maybe this could be a future feature?
Check out the file sharing options if you haven’t already…
Especially this option:
Check Allow username autocompletion in share dialog to enable auto-completion of Nextcloud usernames.
I myself only use Nextcloud with my family, where it is explicitly desired that everyone can share things with everyone as easily as possible, and I have no experience of how fine-grained and how reliably users can be sealed off from each other. But this topic pops from time to time here in the forum. Maybe you could search the forums and GitHub for similiar topics and if necessary, place a feature request on GitHub, in which you describe your requirements in detail…
Please file a bug report / feature request! I think that is the best first step. One of these repositories looks promising:
Either main server repo or vue dashboard components. I searched through both and did not see this reported, but take a search and see if you find anything.
Nah, go with colocation in a high security datacenter. This usually works out to be MORE secure than keeping it on site, because they have things like steel doors and multiple layers of cages and access cards and security guards and stuff. Plus other reliability benefits like diesel backup generators and air conditioning/filtering. And pricing isn’t always all that bad, like ~$60/month for a 1U slot.
Yes, a dedicated baremetal server in a data center is of course a valid alternative to on premise hosting. And a much better alternative compared to cheap shared hosting offers.