by brianpgordon
2479 days ago
I'm just guessing here but, given that Box doesn't use end-to-end encryption, I bet that their "grant access" button is meant for their support agents, and that [some subset of] their backend engineers could access your data at any time. It's an interesting exercise to imagine an elaborate multi-custody arrangement where all data is encrypted with keys that live in hardware security modules and at least three of five senior people are required to join their secrets any time the KEK needs to be handled directly... but I can tell you that that kind of scheme where 100% of customer data is completely opaque would be a major inconvenience in a fast-moving SaaS startup. Not only is implementing an engineer-proof privacy scheme a massive undertaking but it makes debugging production issues much more difficult. If indeed they were going to go all-out on such a scheme I would kind of expect them to brag about it but I don't see claims like that in https://community.box.com/t5/How-to-Guides-for-Account/Data-.... I'm curious if anyone's worked at big-name cloud services providers and can speak to the practical effectiveness of privacy measures in place. My guess is that even at Google, for example, a rogue engineer working on a particular product (or maybe the infrastructure it runs on) could theoretically bypass organizational controls and look at user data. To be clear, I don't really view this state of affairs as a big problem. I've commented before on why (https://news.ycombinator.com/item?id=20513055). Professionalism and integrity (in combination with organizational controls and the principle of least privilege) work fine IME, plus the fact that nobody except you really cares about your personal data. But I do think that your expectations are unrealistic if you think that backend engineers generally don't have the kind of access I'm talking about. 
Unless a service encrypts on the client with your encryption keys, you should expect that the company's "employees, or a subset, has unfettered access."