by mihaifm 2979 days ago
> Google Drive

With the small drop of faith I have left in Google, I want to believe they don't read my files and use encryption. Is there any evidence to the contrary?

2 comments

They use encryption in transit and at rest, but not in between.

So, your data is uploaded over TLS or similar, gets decrypted on the server and then is re-encrypted before it's stored on hard drives.

So yeah, this does mean that they have access to your data. Since the at-rest-encryption happens on the server, Google has the encryption key for that somewhere and can at any point decrypt your data.

Presumably not everyone at Google gets your data for reading at home, but that's about as much comfort as you should assume.

The NSA, CIA, FBI can also request Google to decrypt your data and hand it over. They could not do the same if Google used proper end-to-end encryption.

There is one point to be made for not using E2EE, which is that you can't offer a "Forgot Password?"-link. If the user forgets their password, you can't decrypt their data either. All you can do is wipe their data and let them start anew.

If you use your cloud only for syncing, that's probably not a problem (for example Firefox Sync does exactly that on a scale of millions), but if you use it as a backup or to preserve hard drive space, it can certainly be.

So, you'll have to decide for yourself if you think being allowed to forget your password is worth the surveillance and lowered security.

If not, use a different service. SpiderOak, Seafile and Mega.nz are a few that do E2EE.

If you do think so, at least use a service that's not at home in a surveillance state and surveillance company...
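
An added illustration of the comment above (not part of the original thread and not any provider's actual code): the same file stored under provider-held at-rest encryption and under a password-derived client key. All class and function names are hypothetical, the HMAC-based cipher is a stand-in because Python's standard library has no AEAD, and the PBKDF2 iteration count is an assumption.

```python
import hashlib
import hmac
import secrets

def _xor_stream(enc_key, nonce, data):
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode, because the
    # standard library has no AEAD. A real client would use AES-GCM or similar.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(enc_key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key, plaintext):
    """Encrypt-then-MAC with a 64-byte key split into cipher and MAC halves."""
    nonce = secrets.token_bytes(16)
    body = nonce + _xor_stream(key[:32], nonce, plaintext)
    return body + hmac.new(key[32:], body, hashlib.sha256).digest()

def unseal(key, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key[32:], body, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified ciphertext")
    return _xor_stream(key[:32], body[:16], body[16:])

def key_from_password(password, salt):
    # Iteration count is an assumption; tune it for the client hardware.
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, 210_000, dklen=64)

class ProviderEncryptedStore:
    """Server-side at-rest encryption: the provider generates and keeps the key."""
    def __init__(self):
        self._key = secrets.token_bytes(64)
        self.disk = {}
    def upload(self, name, plaintext):      # plaintext as received after TLS ends
        self.disk[name] = seal(self._key, plaintext)
    def provider_read(self, name):          # works without the user's password
        return unseal(self._key, self.disk[name])

class EndToEndStore:
    """E2EE: the provider only ever sees salt and ciphertext."""
    def __init__(self):
        self.disk = {}
    def upload(self, name, salt, blob):
        self.disk[name] = (salt, blob)

def client_seal(password, plaintext):
    salt = secrets.token_bytes(16)
    return salt, seal(key_from_password(password, salt), plaintext)

def client_unseal(password, salt, blob):
    return unseal(key_from_password(password, salt), blob)
```

In the first store a password reset costs nothing because the password never protected the data; in the second, `client_unseal` with any other password raises, which is the "Forgot Password?" trade-off described above.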

Why not just link the article directly? [1] That KIA subreddit is notorious for being scummy [2]

1. https://motherboard.vice.com/en_us/article/9kgwnp/porn-on-go...

2. https://www.polygon.com/2017/11/2/16591508/reddit-content-po...

Was in the midst of doing some work and it was one of the first results I found on Google. I figured some of the commentary might provide more context; not fully familiar with that sub though.