-2

If this is not the right community for this question, please inform me where to ask :-)

I am talking about:

  • encryption
  • no encryption key kept by MEGA, and so on.

I found many reviews confirming it's true, but none of them provides security audit details. How can we know that MEGA really does not have any access to our data and that the security protocols they use are almost unbreakable?

EDIT: Does any 3rd-party audit exist for MEGA?

dragonmnl
  • 103
  • 3

3 Answers

2

You don't know what Mega (or any other cloud service) is actually doing on their servers.

There is rarely any way to verify the security claims of a cloud service unless they let you examine their internal systems.

ztk
  • 2,247
  • 13
  • 22
1

From time to time such a question pops up on this site, "How can I trust this company?", because that is what your question comes down to: can you trust Mega (or put any other company name here, even a non-IT-related one).

As long as it is just you and this company (I will call it the provider from now on), then you just cannot trust them. They may tell you the truth or bullshit. They may tell you things which are true today but will become bullshit tomorrow, due to an internal management change for instance. Would you even be able to investigate their internal systems? What proves that this system is really the one hosting your data, what proves that the procedures shown on shiny PowerPoints are actually applied internally, etc.?

So, if it is just between you and the company, you have to measure the risks. What could happen in case the service is not as advertised, what is the risk, and how can you mitigate or handle it?

In conditions where trust is really a requirement (this concerns corporations more than individuals, the best example being a company which has to handle medical or financial data), here comes a trusted third party which will certify that the provider complies with specific requirements. These requirements correspond to specific standards depending on the domain concerned; certification companies are specialized and accredited to inspect and certify other companies.

So, in such a case where trust is required, instead of (or in addition to...) using a lot of marketing words, the provider will say that it has been certified as being compliant with this and that standard. This will give you a good measure of the trust relationship you can have with the provider, as long as the mentioned certifications are known to be trustworthy and really match your needs.

WhiteWinterWolf
  • 19,082
  • 4
  • 58
  • 104
1

In the case of Mega we should look at (recent) history to see what their motivation for end-to-end encryption is. The founder, Kim Dotcom, previously ran Megaupload which was continuously under attack by governments for "digital piracy." After about 7 years of operation, in 2012 an international police force arrested Dotcom and seized his assets. In 2013 Dotcom launched Mega as a replacement for Megaupload and implemented end-to-end encryption so that Mega would not know the contents of the files they store and they could not be accused of knowingly distributing copyrighted material. So with Mega, encryption is there to protect them just as much (or more than) it is there to protect the users. This reason makes me more likely to believe that their intentions really are to only host files that they can't "see."

Remember, this is not a proof of security but rather some background into the company. You have to determine for yourself who you trust and if a service meets your security requirements. Kim Dotcom's businesses seem to make their money from copyright infringement and it would be hard for me to trust a business based on breaking the law. However, I believe that after his arrest in 2012 he is likely to go to extreme measures to protect himself from a repeat of that situation.

And of course, if you want to use Mega but you don't trust them, you could always encrypt the file yourself before you upload it.

Owen
  • 574
  • 5
  • 9
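The "encrypt it yourself before you upload it" advice from the answer above, as an added example (this is not Owen's code and has nothing to do with Mega's own client). It assumes a layout of its own choosing for the stored blob, `nonce || AES-GCM ciphertext+tag`, binds the file name as associated data so the provider cannot silently swap blobs between names, and assumes the key is kept on the client (a password manager or OS keychain) and never uploaded. The sample document is constructed here for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh random 256-bit AES key. The key stays on the client;
// if it is lost, the uploaded blob is unrecoverable (that is the point).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal produces the blob that gets uploaded: nonce || AES-GCM(ciphertext, tag).
// filename is passed as associated data (assumption of this example), so a blob
// stored under one name cannot be served back under another without detection.
func Seal(key, plaintext []byte, filename string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A random 96-bit nonce per blob; with one long-lived key this is fine for
	// far fewer than 2^32 uploads, beyond that use a per-file key instead.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext+tag to the nonce slice, giving nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, []byte(filename)), nil
}

// Open decrypts a downloaded blob. Any modification of nonce, ciphertext, tag,
// or a mismatching filename makes gcm.Open fail, so tampering by the provider
// (or anyone between) is detected rather than silently producing garbage.
func Open(key, blob []byte, filename string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(filename))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample document, standing in for the file to be uploaded.
	doc := []byte("quarterly numbers, do not share")

	blob, err := Seal(key, doc, "q3.txt")
	if err != nil {
		panic(err)
	}
	// This is all the provider ever stores or sees.
	fmt.Println("stored blob:", hex.EncodeToString(blob))

	back, err := Open(key, blob, "q3.txt")
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypted:", string(back))

	// Flip one byte of the ciphertext: integrity check must reject it.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := Open(key, tampered, "q3.txt"); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

Note that this only hides file contents; the provider still sees file sizes, upload times and how often you access each blob, which is metadata a client-side scheme cannot hide on its own.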