MEGA Cloud Storage Review
|Based in||New Zealand|
|Price||$5.45/mo; 400 GB|
When people talk about privacy-oriented cloud storage services, the name MEGA is sure to come up. This New Zealand based service offers end-to-end encryption that not even MEGA themselves can read, a very generous free account, sync clients for any device (or devices) you are likely to have, and much more.Could this be the cloud storage service you are looking for? Let’s take a closer look in this MEGA cloud storage review.
- End-to-end encrypted with AES-128, TLS
- GDPR compliant for all users worldwide
- Supports 2FA
- Free and paid plans
- No data stored in United States
- Transparent source code
- Massive amounts of storage available
- File versioning
- Annual transparency reports
- Not open source
- Confusing free plan
- No live chat or phone support
- No published third-party audits or testing
MEGA feature summaryHere is a quick summary of the major features of MEGA. Note that some of these features are only available to users with PRO or Business accounts.
- Supported platforms include Mac, Windows, and Linux desktops
- Android, iOS, Chrome, Firefox, and Opera browser extensions
- End-to-end data encryption using AES-128 and TLS
- Storage ranging from 15GB to 16TB
- Synchronizes across all your devices and browsers
- Administrative reports & analysis
- 2FA support
- File versioning
Company informationMEGA was launched in 2013 in New Zealand by Kim Dotcom. Mr. Dotcom severed all ties with MEGA in 2015, but the company has continued to grow and thrive. At the time of this review, the service has over 166 million registered users worldwide.
…we store Your Files and make them available from servers that are owned and controlled by us, in secure facilities in Europe or in countries (such as New Zealand) that the European Commission has determined to have an adequate level of protection under Article 45 of the GDPR, depending where you are based. None of Your Files are stored in, or made available from, the United States of America.While New Zealand is officially part of the Five Eyes surveillance alliance, it is a far better location for privacy than the United States. If you aren’t comfortable with MEGA being based in New Zealand, you may want to check out Tresorit, which is based in Switzerland. (See our Tresorit review.)
MEGA Terms of ServiceI reviewed the most recent MEGA Terms of Service (ToS). This long, detailed document had an effective date of 17 December 2018. Everything in the ToS is governed by New Zealand law, including any arbitration that might be necessary. Points of interest in the ToS:
- The service is governed by New Zealand law and arbitration (paragraphs 2 and 49)
- You are required to comply with the Harmful Digital Communications Act 2015 (NZ) or any similar law in any jurisdiction (paragraph 13.6.3)
- You will not store, use, download, upload, share, access, transmit, or otherwise make available, unsuitable, offensive, obscene or discriminatory information of any kind (paragraph 13.6.4)
- You are held responsible for the use of your account, even if someone else hacks into it (paragraph 14)
- You may not infringe any copyright or other proprietary rights of any person or entity (paragraph 18)
- MEGA assumes that any and all takedown notices are presented in good faith and will act on them as if they are valid. You will have to fight to get your content restored (paragraphs 21-28)
- You and MEGA are both bound by their Privacy & Data Policy as well as their Takedown Guidance Policy. Among other things, these documents discuss MEGA’s right to disclose data and other information as required by law or any competent authority (paragraphs 58 and 59)
- Your data is encrypted on your device and MEGA has no way to decrypt it (paragraph 5.2)
- Your files are stored in secure facilities in countries the European Commission has determined to have an adequate level of protection under Article 45 of the GDPR, depending where you are based. None of Your Files are stored in, or made available from, the United States of America (paragraph 5.4)
- Any chats you conduct with within MEGA are encrypted, although some metadata must remain in the clear to enable the service to function (section 6)
- MEGA collects unencrypted metadata related to your account, including browser type, operating system, IP address and similar information (paragraph 7.3)
- MEGA collects Website Usage Data, and use that data for advertising and marketing purposes as well as to improve their business (section 8)
- MEGA can share the data they have about you with law enforcement, related or affiliated entities, payment processors, and resellers, but will never sell your data (paragraphs 14-16)
MEGA security audits and other third-party testsI have not been able to find any published information about third-part audits or certifications. They did launch a Vulnerability Reward Program in 2013, paying up to €10,000 per bug discovered. Unfortunately, there have been no updates on this in several years. Either that program has either gone inactive, or MEGA has decided to keep test results to themselves, or no one has found any bugs in several years. MEGA also publishes the source code for their client-side apps (see Transparent Source Code later in this review). This gives at least some visibility into what the code is doing. In short, while I have no reason to doubt that the service functions as advertised, there doesn’t seem to be any third-party verification that MEGA does what it claims it does.
MEGA appsWith over 160 million registered users, you would expect that MEGA would offer a complete set of sync apps. And they do. MEGA users get:
- Full-featured iOS and Android apps
- Chrome, Firefox, and Opera browser extensions
- Mac OS, Windows, and Linux desktop apps
- MEGAapp for Windows 10, a UWP (Universal Windows Platform) that runs on Windows 10 desktops, tablets, and mobiles
Hands-on testing for the MEGA reviewNow let’s take a short look at MEGA in action.
Installing MEGAInstalling MEGA is easy. Go to their site and set up an account. You’ll need to give them an email address and password, as well as your first and last name. The email address has to be a real one, since you need to reply to a confirmation message as part of the process. Once you log in, you’ll want to download the apps you want to use, and install them on your device. Log in to the app and you are ready to go.
Configuring MEGAOnce MEGA is running on your device, you will need to tell it what you want it to sync. Click the Syncs button, then Add Sync to open the Add Synchronized Folder dialog. Choose the Local folder on your device you want to sync and the MEGA folder in the cloud and click OK. MEGA will copy files to the cloud, and keep everything in sync from then on. Repeat the process for each local folder you want MEGA to sync. Clicking Settings in a MEGA client opens an attractive window where you can see the status of your account and make any additional adjustments. In most cases, you won’t ever even need to open this window.
Using MEGAIf all you want is for MEGA to back up your files to the cloud, you’re done. If you want to work with the files and folders you are syncing, you can easily do so using the web client. Select Cloud Drive in the left-hand menu to navigate through your files and folders quickly and do things like upload, download, and preview (certain types of) files by right-clicking them. Note: You’ll also receive hints relevant to where you are within the app, as shown below. The left-hand menu also gives you access to MEGAchat and your contacts.
MEGA file sharingSharing files is an increasingly important feature of cloud storage apps. MEGA’s web app lets you generate a link to any file you want to share. You can specify that the link has a security key, meaning you need to provide the key to someone if they want to view the file. The key can either be attached to the link (meaning anyone who gets a copy of the link can see it), or you can send the key to the recipient separately. Going back to that handy menu on the left, you can open the Shared with me window. In the past, MEGA was criticized for only tracking incoming shares. Now, despite the name, the Shared with me window can display Incoming Shares, Outgoing Shares, and Public Links (links that don’t have an associated key). Speaking of things that MEGA used to get criticized for. Until recently, they did not support two-factor authentication (2FA). Today, MEGA does support 2FA. You should strongly consider activating 2FA on any cloud service you use, as it can greatly increase the security of your account. To activate 2FA on MEGA, go here.
Additional MEGA featuresMEGA offers several useful features beyond the basics we’ve already discussed. Here are some of the most interesting:
MEGAdropBusiness accounts include MEGAdrop. It lets you create a folder where people outside your organization can securely upload files to your account, without themselves having a MEGA account.
MEGAcmdMEGAcmd is a Mac, Windows, and Linux command line interface. Use it to:
- Configure automatic backups
- Interact with WebDAV clients
- Configure FTP access to MEGA files
MEGAbirdMEGAbird is a tool that lets the Thunderbird email client send large files through the MEGA network.
MEGAchatMEGAchat is a chat system built into the MEGA service. It employs user-controlled end-to-end encryption, meaning that only the people in the chat can decrypt the content. It supports secure text, voice, and video calls with a single contact, or do group text chats.
Transparent source codeMEGA makes much of their source code available here. You can freely review their code, which is a plus. However, they only provide access to the client-side code, not their servers. In addition, while you can view the source code, it is licensed under custom licenses and doesn’t really qualify as Open Source. You can see a more detailed discussion of the situation here.
MEGA supportMEGA offers both email support and a good-sized Help Centre. The Help Centre is well-organized and can answer most basic questions. If you don’t find an answer in the Help Centre, you can fill out a support request at https://mega.nz/support. MEGA does not offer live chat support or telephone support. This is a definite strike against them. Users with paid accounts get priority for support requests, but even requests from Individual account users are usually answered quickly. I have never had problems getting support from MEGA. But I’ve seen lots of griping about their support on review sites. Whether those complaints are due to lack of chat and phone support, or actual problems with the answers provided, is unclear.
How secure and private is MEGA?With easy access to large amounts of cloud storage, you will likely stash a lot of important files in the MEGA cloud. This being the case, let’s see how secure and private this service really is.
MEGA securityMEGA provides end-to-end encryption of your data, using keys that only you know. They use AES-128 encryption to protect the data when at rest, and double-down by adding a layer of TLS encryption when your data is in transit. In other words, your data is secure. You may be wondering if it is a problem that MEGA uses AES-128 instead of the stronger AES-256 for encryption. I wouldn’t worry. While AES-256 is technically stronger, as far as we know today, the fastest computers available today would still need many centuries to crack even AES-128.
MEGA pricesMEGA offers a range of accounts, from the free Individual account, to 4 PRO accounts, up to a Business account. Their accounts differ somewhat from other cloud storage services in that they limit the amount of data you can transfer over a given time period. The transfer limit (often referred to as bandwidth) applies for a given time period. For example, a PRO LITE account offers 1TB of bandwidth (they call it transfer) per month. All of your transfer is available immediately. There are pros and cons to this approach. The pros are that you have control of your usage. If you need to use all the bandwidth at once you can. You won’t be stuck waiting until the next day for some files to move because you exceeded the daily quota. And you don’t have to worry about what would happen if you needed to move a file that is larger than the day’s share of your transfer. The drawback to this approach is that you could overdo it at the beginning of the period. Upload all your family videos at the beginning of the month and you might not be able to view them until the following month because you used up your entire transfer quota. With these considerations in mind, let’s look at the MEGA accounts in more detail:
Individual accountThe Individual account is a free plan that offers 50 GB of storage. This was an incredible offer when I signed up for it a few years ago. But today, if you look closely at the following image, you’ll notice an asterisk next to that big, bold 50 GB FREE.
MEGA free storage?Sometime in 2018, MEGA did away with the 50GB free for new users. Today, you get 15GB permanent free storage, and an additional 35GB bonus for signing up for an account. That bonus 35GB expires after 30 days. Without going into detail, Individual account members need to perform various actions in the achievements program to get additional storage (install the MEGA client, invite a friend to join, etc.) to get additional storage. That additional storage comes with an additional transfer quota, which is good. But none of the additional storage or transfer is permanent. When your additional storage expires, the service will encourage you to complete more “achievements” or to upgrade to a PRO account. Unless you plan on continually jumping through hoops to earn additional storage and transfer, your best bet is to treat the Individual plan as offering 15GB of free storage. While 15GB free storage is certainly not bad, the marketing of 50GB feels kind of like a bait and switch deal. Note: This is the freemium business model, which we also see with many secure email providers. For example, ProtonMail offers limited free storage for free, with more features and storage with paid accounts. We also see this with some free trial VPN services. Okay, so you’ve got 15GB of permanent storage with an Individual account. You’ll notice that I didn’t tell you the transfer quota for this type of account. That’s because this number is kind of squishy. Here is the explanation MEGA gives:
FREE accounts are provided with a transfer quota (uploads plus downloads) that varies depending on our system utilization. Transfer quota is provided over a dynamic sliding window that is typically less than 24 hours but depends on time of day, ISP, country etc. Once you exhaust your FREE account’s allowance you will have to wait to accrue more or purchase more quota.In other words, there is no way to know exactly what your transfer quota is if you have an Individual account. This uncertainty, more than anything, was what motivated me to move to a PRO account.