Everyone agrees you should have multiple, geographically dispersed backups but most don't do anything about it. I thought I'd post some ideas here, inspired by Martin Focazio's "mutual assistance" post from last week.

First of all everyone should read the site The Tao of Backup to get some general understanding of backup issues. Yes, it's a sales site for a specific product, but it's entertaining and informative.

The next obvious thing is you can get free email accounts from Google, Yahoo, etc. that will hold up to 1GB of files. So if you have something important you can just email it to yourself and that gives you one level of protection. Of course for privacy you should encrypt it: www.gnupg.org. And it can't hurt to use multiple such accounts. But this is only really practical for small, individually important files.

For whole-system backups I've been using hard drives. Just buy a new drive once or twice a year, copy my whole system to it, and stash it. Safe deposit boxes are good places (rental space in a bank vault!) for that. Again, encrypt.

Finally I'd like to discuss an idea for mutual assistance with geographic dispersal. The idea is you'd set up reciprocal agreements with say five other people (people you know, ETS members, or whoever), at least a couple of them in distant states and at least one on another continent. The idea is you send them your backups for safekeeping, and they send you theirs. I'll spell out a concrete proposal based on the idea of sending out a backup once a week. So you'd send a backup to person A the first week, person B the second week, etc., cycling around to person A after 5 weeks so each person would get a backup from you about once a month. The backups would be differential backups on CD-R or DVD-R, usually not more than one or two discs per mailing. When Blu-ray or HD-DVD becomes available, you can use that.
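As an added example (not part of the original post), here is a small POSIX shell script that produces the weekly mailing described above: a differential archive of everything changed since the last full backup, encrypted with GnuPG as the post recommends, and checked against one CD-R's capacity before it goes in the envelope. The marker-file convention, the disc size constant and the function names are my assumptions; it assumes tar, find and GnuPG 2.1+ are installed.

```shell
#!/bin/sh
# Added example: one week's differential backup for the mail-out scheme.
# Assumes a marker file that was touched when the last full backup was taken.
set -eu

DISC_BYTES=$((700 * 1024 * 1024))   # CD-R; use 4700000000 for a DVD-R

# Number of regular files under $1 modified since marker file $2.
count_changed() {
    find "$1" -type f -newer "$2" | wc -l | tr -d ' '
}

# Tar every file under $1 that is newer than marker $2 into archive $3.
# "find -newer" compares mtimes against the marker, so only what changed
# since the full backup is included; that is what makes it differential.
build_differential() {
    src=$1; marker=$2; out=$3
    listfile=$(mktemp)
    find "$src" -type f -newer "$marker" -print > "$listfile"
    tar -cf "$out" -T "$listfile"     # -T reads the file list
    rm -f "$listfile"
}

# Symmetric GnuPG encryption so the receiver (or whoever finds a discarded
# disc) cannot read it. Passphrase comes from a file kept off the disc.
encrypt_for_mailing() {
    archive=$1; passfile=$2
    gpg --batch --yes --symmetric --cipher-algo AES256 \
        --pinentry-mode loopback --passphrase-file "$passfile" \
        --output "$archive.gpg" "$archive"
    rm -f "$archive"                  # only the ciphertext leaves the house
}

# True if file $1 fits on a single disc; split or go to DVD-R otherwise.
fits_on_disc() {
    [ "$(wc -c < "$1")" -le "$DISC_BYTES" ]
}

# Usage: sh weekly.sh run /home/me /var/backups/full.stamp ~/.backup-pass
if [ "${1:-}" = "run" ]; then
    echo "$(count_changed "$2" "$3") files changed since full backup"
    build_differential "$2" "$3" week.tar
    encrypt_for_mailing week.tar "$4"
    fits_on_disc week.tar.gpg || echo "warning: larger than one disc"
fi
```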

The basic agreement would work like the following. I'm describing a protocol between a "sender" (who sends out these discs) and a "receiver" (who stores them) but the idea is it's a reciprocal agreement, so each participant would be both a sender and a receiver and therefore carry out both parts of the protocol. Comments and improvements are requested. The idea is to come up with something standard that ETS members can use among each other, if they so desire. Obviously individual participants can come up with their own modifications as well.

====

1. Receiver obtains an empty CD-ROM "cake box" container (cylindrical case that holds 50 CD-Rs) and writes sender's name on it (not too visibly). Receiver puts this container someplace reasonably secure (e.g. in a drawer or on a bookshelf, where it won't get easily lost) in his home or office. It's not necessary to go to great lengths (like a fireproof safe) to protect the container--that's why it's a /redundant/ backup.

2. Every now and then (say once a month), sender mails a differential backup (normally one or two discs) to receiver. Receiver puts these discs into sender's container. Receiver doesn't have to keep any records or confirm that the discs have arrived. The idea is to keep this as simple as possible. Receiver should probably confirm getting the first set of discs (so sender knows the system is working) but after that sender should just assume that it works, maybe exchanging status messages by email once or twice a year.

3. If the container gets full, receiver simply throws away the oldest 20 or so discs from the container to make space for new ones, and notifies the sender by email that this has happened.

4. (Recovery): If sender requests it, receiver will mail sender up to 3 discs at receiver's expense (having the receiver pay avoids pre-funding or reimbursement headaches, and 3 discs should weigh just a few ounces. Since it's a reciprocal arrangement, it's fair) to any address (worldwide) specified by the sender. Receiver will use ordinary postal first class mail or air mail as applicable. Sender can invoke this provision only once. If sender wants more than 3 discs or more than one recovery, sender must get receiver's agreement and may be required to pay any mailing expenses in advance. (In practice, sender would normally just reimburse the receiver after a recovery, and ask for an agreement to reset the protocol). Sender should avoid special requests (like overnight shipping) that cause inconvenience for the receiver unless absolutely necessary, or unless agreed to at the very beginning.

5. (Privacy) Sender and receiver will keep their participation in the agreement confidential (i.e. I won't tell anyone that I have your backups, and vice versa). They will keep each other's personal contact info confidential. Receiver won't attempt to read sender's discs. Sender should, however, encrypt any info on the discs, in case they fall into the wrong hands (such as when receiver throws away old ones). Exception: sender can include receiver's contact information in sender's will, so sender's estate can request recovery if sender is deceased.

6. (More privacy--optional) Any recovery requests should be accompanied by a security password preagreed at the start of the agreement. That includes requests from sender's survivors if sender is deceased--sender should supply them with the password (write it into the will).

6a: Sender's instructions for disposal of the discs if sender is deceased are: [-----fill in-----].

7. (Disposal--optional) If sender requests it (accompanied by password), receiver will dispose of all of sender's discs, preferably with minimal delay (imagine the sender being hassled by stalkers) and unrecoverably (i.e. physically destroy the discs if convenient, and throw them away at multiple locations reasonably distant from receiver's home). This can only be invoked once without setting up a new agreement.

8. (Performance): The basic standard of performance in this agreement is that if you've said you'll do X, that means you'll do it if it doesn't cause significant inconvenience. Heroics are not expected. If you have to bug out, don't take other people's discs with you--you have much more important stuff. If you have an earthquake, you don't need to search the rubble afterwards for other people's backups, just bulldoze it. Sender is responsible for having enough redundant agreements like this to withstand such losses. If you're supposed to do X but you don't manage to do it or don't get around to it, or if you lose someone's discs, etc., try to notify the other person. If the other person notifies you that he was supposed to do X for you but didn't, don't get upset. If you think the other person has gotten flaky, don't lose your cool, just set something up with someone else instead. Please do notify other participants of things like address changes or if you need to exit the agreement. Also, try to accommodate the other person's schedule. If he says he'll be exploring Antarctica for the next 3 months and won't be able to fulfill your recovery requests during that time or accept discs from you till he gets back, but he wants you to meanwhile keep storing his discs, try to accommodate if the request is reasonable. If things get too one-sided, back out gracefully. Use common sense.

9. (Liability) This agreement describes an informal exchange of personal favors, and personal favors don't always work out. Its complexity is just to spell out precisely what's expected. It's not a business document and it's not a legal contract. It implies no guarantees that any expectations that it spells out will actually be met (though they normally will be, assuming participants are basically responsible people, which is another one of those risky expectations). Businesses needing disaster data recovery should sign up with professional disaster recovery services and not rely on a loose (but cheap) scheme like this. Participants accept no liability whatsoever for anything that might happen with the other person's backups, including through negligence. However, participants are still responsible in the case of deliberate, improper privacy breaches.

10. (More liability) No participant is expected to do anything illegal and this takes priority over everything else. If you get a valid judicial or law enforcement order to hand over someone's discs, then hand them over. If you get a disposal request and you have concrete reason to think sender is trying to illegally destroy evidence of something, refuse the request. If you read in the newspaper that sender has gone on a terror spree and is being hunted by the FBI, call the FBI and give them whatever you have (assuming you think the manhunt is legitimate). But except in such extreme cases, if you don't have concrete reason to think laws are being broken, then follow the agreement according to your best judgement, favoring the other person's privacy when possible. E.g., if you get a civil subpoena for someone's discs, try to promptly notify the sender so he has a chance to oppose it in court, rather than just handing them over (normally there's a several day deadline in these situations, so wait till the end). Note that the confidentiality provision is intended to avoid most of these situations--if no one knows you have the discs, they can't hassle you for them.

11. (Termination) Any participant can terminate the agreement by notifying the other party, preferably with some advance warning (say 1 month). After termination, no new discs will be accepted but if possible, old discs should still be retained and recovery requests honored, for an additional 3 months or by agreement with the other person. After that, receiver should dispose of any stored discs. If a receiver hears nothing from a sender for 6 months and sender doesn't respond to contact attempts, that should be considered a termination. Receiver should retain the discs for another 3 months, then dispose of them unless contact is reestablished.