Here Are the Biggest Problems with Nextbit's Robin Smartphone

How a company whose phone automatically backs up customer data handles its security.

Feb 29 2016, 2:24pm

Image: Evan Rodgers/Motherboard

Nextbit Robin is supposed to make running out of storage a thing of the past. The device's marquee feature is its ability to automatically send unused apps and photos to the cloud, freeing up space on its built-in storage for the content its owner uses the most often. It's an interesting gimmick -- and it debuted right as the dispute between Apple and the FBI led many Americans to care more about how their private information is secured by the companies they trust most.

Data sent to the cloud is inherently less secure than data stored on a device. Backing that information up makes it easier for outside parties to access, whether it's via foul play or court order, and reduces the control people have over their personal information. Yet Nextbit has done little to inform its customers about where it stores their data or how that data is secured. Motherboard has reached out to the company to figure out how it's handling those issues.

Nextbit stores data on Amazon Web Services. This information can't be gleaned from the company's website or the Robin itself, and while a Nextbit spokesperson said via email that "this is not information we try to obscure in any way" and "it does not appear on our website because this has not been important information for most of our customers' decision to buy a Robin," not disclosing this to customers means that they have no idea who's responsible for their data.

The company says it encrypts customer data -- more on that later -- but the location of that encrypted data still matters. Amazon was given three out of five stars in the EFF's "Who Has Your Back?" report, which ranks large companies on their privacy and security practices, and didn't release its first transparency report until long after other companies started to do so. (When asked for comment, an Amazon spokesperson linked to public information and blog posts, but did not respond to a follow-up email with specific questions about customer data.)

All of which makes the encryption used to protect this data more important. Nextbit's website says that data is "transmitted securely and encrypted on our server." But what about the keys used to encrypt that data? "The keys are held encrypted on a Nextbit server," the spokesperson told me. "They are held in such a way that it would require a significant amount of development work for us to both recover the key and decrypt a user's data." That could pose a problem.

Encryption keys can be compromised. Mike McCamon, the president of SpiderOak, an online services company praised by NSA whistleblower Edward Snowden for its security features, says that company-held encryption keys can be less secure than keys controlled by consumers. "It's a boolean, yes or no question," he says. "Do you have access to the keys? Yes? If [a company] has access to the keys, there is any number of scenarios where the data can be compromised."

Nextbit points out that it doesn't currently handle app data. That information stays on the Robin even if an app itself is sent to AWS, which means that while a messaging app could be backed up, the conversations it facilitates wouldn't be. But that might change: The spokesperson said the company might sync app data if a feature introduced by Google in Android Marshmallow doesn't catch on with developers. (That feature uses Google Drive to store the information.)

All of which means that there are lingering concerns about Nextbit's security. Involving Amazon Web Services without informing consumers is unsettling; holding onto the encryption keys on a private server instead of leaving them with customers is even more so. Right now the only things at stake are photos and apps, but if that changes at some point in the future, hackers and various law enforcement agencies might like Smart Storage even more than Robin's owners do.