Dropbox user privacy/data security issues and how you can protect yourself

Dropbox is a popular cloud-storage service. It is loved by all and used by many. Heck, it is dotTech’s favorite and I personally use it too; I have even used it – in conjunction with other file hosting services – to run some dotTech Promotions. However, some alarming accusations have recently been made against Dropbox, and as useful a service as Dropbox might be, it is always better to be informed than ignorant. I apologize in advance if I crush the hopes and dreams of any dotTechies with this post.


Dropbox Lies

Last week Christopher Soghoian, a Ph.D. student in the School of Informatics and Computing at Indiana University, filed a complaint with the FTC alleging that Dropbox lied about how it protects user data. We all know Dropbox claims that it encrypts user data using “military-strength” AES-256 and uses SSL when transferring data. The implication, then, is that no one has access to user data without the user’s password. In fact, this is more than an implication. Prior to April 13, 2011 Dropbox explicitly stated on their website:

All files stored on Dropbox servers are encrypted (AES256) and are inaccessible without your account password.

Soghoian alleges Dropbox lied; he claims Dropbox actually does have access to unencrypted data and that Dropbox employees (or anyone they give data to, such as a government agency) can access the data without a user’s password. Simply put, Soghoian claims that in order to save disk space and bandwidth – and by saving disk space and bandwidth Dropbox saves money – Dropbox “deduplicates” user data. In other words, whenever a user uploads a file Dropbox computes a hash of the file’s contents. If the hash matches the hash of a file already stored on Dropbox (by any user), the new file is not uploaded again, nor are two copies of the same file stored. Rather, Dropbox “places” the one stored copy into the accounts of the two (or more) users in question. (Presumably one user modifying the file in any way would force Dropbox to store a separate copy and would not affect the other users.)

The user privacy/data security issue is that this deduplication only works if Dropbox has access to the unencrypted data. Deduplication across users depends on two users’ copies of the same file hashing to the same value. If each file were encrypted with a key derived from its owner’s password before Dropbox ever saw it, Alice’s copy and Bob’s copy of the same document would be two different ciphertexts with two different hashes, and Dropbox could never match them. So the hash must be computed over plaintext, and whatever AES-256 encryption Dropbox applies at rest uses keys that Dropbox holds: it protects against someone walking off with a disk, not against Dropbox itself or anyone Dropbox hands the data to.

The Truth

When accused of wrongdoing, some companies confess (yeah, right) while others deny (the American way). Dropbox falls somewhere in the middle.

Officially, Dropbox has said they have done nothing wrong: they never claimed that Dropbox employees could not access user data, but rather meant that Dropbox has checks and balances in place to prevent unauthorized access. Since Dropbox never made the claim, they can’t be held accountable for it. However – and here comes the “confession” part – Dropbox has indirectly admitted fault by modifying its Terms of Use to be more “transparent”, changing various statements on their website (such as the one quoted previously in this article), and launching a PR campaign (statements to technology websites, blog posts, etc.) to clarify their position.

You Decide

Why take anyone’s word for it? In my opinion one can easily determine Dropbox’s guilt (or lack thereof) with a quick analysis of their website:

  • As mentioned previously, on their website – prior to April 13, 2011 – Dropbox used to claim:

All files stored on Dropbox servers are encrypted (AES256) and are inaccessible without your account password.

Now it says:

All files stored on Dropbox servers are encrypted (AES 256).

  • Similarly, Dropbox’s website used to say:

Dropbox employees aren’t able to access user files, and when troubleshooting an account, they only have access to file metadata (filenames, file sizes, etc. not the file contents).

But now it says:

Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations).

  • Another claim…

Nobody can see your private files in Dropbox unless you deliberately invite them or put them in your Public folder.

has been changed to:

Other Dropbox users can’t see your private files in Dropbox unless you deliberately invite them or put them in your Public folder.

  • Lastly, one statement has been removed…

Online access to your files requires your username and password.

…while another statement has been added:

Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.

Although some – if not most – of the changes highlighted above are subtle, they provide significant insight into Dropbox’s state of mind regarding this user privacy/data security issue.

How To Protect Yourself

While some may disagree, to me it is clear Dropbox isn’t as “secure” as I was led to believe when I first signed up. Therefore, I feel it is important to outline steps users can take to protect themselves.

Leave Dropbox

The most effective way to avoid this Dropbox user privacy/data security issue is to stop using Dropbox. You can either use other backup/file hosting services, or you can stop trusting the cloud completely.

Only Upload Non-Important Data

Don’t upload anything to Dropbox that you don’t want others to see.

Never Let a Firm Do a Man’s Job

Why leave it up to Dropbox to encrypt your data? If you encrypt your data yourself, it doesn’t matter what Dropbox does – they won’t be able to access your data.

Encryption can be done in several ways. There are programs out there – such as SecretSync – that specialize in Dropbox encryption and streamline the process for you. Then there are generic encryption programs, such as TrueCrypt or AxCrypt, that can be used to encrypt data manually before it is uploaded to Dropbox.

The thing to note about encryption, however, is that it makes Dropbox less convenient to use on multiple computers or devices, because you will have to decrypt data every time you want to access it. In some cases, such as on smartphones, you may not even be able to decrypt without first going through a computer. Two further caveats: the password or key is now yours alone to keep, and if you lose it neither Dropbox nor anyone else can recover the data; and encrypting a file’s contents does not hide its name or size, which Dropbox’s own statement (quoted above) says employees can still see.
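To make the deduplication argument from the “Dropbox Lies” section concrete, and to show what the “encrypt it yourself” advice above buys (and costs) you, here is an added example in Python. It is not Dropbox’s code nor that of any tool named above: it models a content-addressed store that behaves as the post describes (one stored copy per distinct hash, shared across users) and a client that encrypts under a key derived from the user’s own password before anything is uploaded. The cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, a stand-in for AES-256 used only because Python’s standard library has no AES; the sample file, user names, passphrases and salts are all constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

BLOCK = 32       # keystream bytes per counter value (HMAC-SHA256 output size)
NONCE_LEN = 16
TAG_LEN = 32


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class DedupStore:
    """Provider side, as the post describes it: one blob per distinct SHA-256,
    shared by every user. Re-uploading identical bytes only adds an owner."""

    def __init__(self) -> None:
        self.blobs: dict[str, bytes] = {}
        self.owners: dict[str, set[str]] = {}

    def put(self, user: str, data: bytes) -> tuple[str, bool]:
        """Return (content hash, uploaded); uploaded is False on a dedup hit."""
        h = sha256_hex(data)
        self.owners.setdefault(h, set()).add(user)
        if h in self.blobs:
            return h, False
        self.blobs[h] = data
        return h, True


def derive_keys(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Per-user encryption and MAC keys from a password the provider never sees."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return km[:32], km[32:]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode (block i = HMAC(key, nonce || i)). A stand-in
    for AES-CTR because the stdlib has no AES; one call both encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        counter = (i // BLOCK).to_bytes(8, "big")
        ks = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
    return bytes(out)


def client_encrypt(keys: tuple[bytes, bytes], plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh random nonce: nonce || ciphertext || tag."""
    enc_key, mac_key = keys
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def client_decrypt(keys: tuple[bytes, bytes], blob: bytes) -> bytes:
    """Check the tag before touching the ciphertext; wrong key or tampering raises."""
    enc_key, mac_key = keys
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag: wrong password or modified ciphertext")
    return keystream_xor(enc_key, nonce, ct)


# Constructed sample: the same public document that two unrelated users both keep.
SAMPLE_FILE = b"Same public PDF, downloaded separately by two unrelated users.\n" * 200


def upload_unencrypted() -> dict[str, object]:
    """The situation the post describes: the provider hashes plaintext."""
    store = DedupStore()
    h_alice, _ = store.put("alice", SAMPLE_FILE)
    h_bob, bob_uploaded = store.put("bob", SAMPLE_FILE)
    return {
        "same_hash": h_alice == h_bob,                             # True
        "bob_uploaded": bob_uploaded,                              # False: deduplicated
        "blobs_stored": len(store.blobs),                          # 1
        "provider_can_read": store.blobs[h_alice] == SAMPLE_FILE,  # True
    }


def upload_client_encrypted() -> dict[str, object]:
    """Each user encrypts under a key from their own password before upload."""
    store = DedupStore()
    alice = derive_keys("alice-passphrase", b"alice-salt")
    bob = derive_keys("bob-passphrase", b"bob-salt")
    blob_a = client_encrypt(alice, SAMPLE_FILE)
    blob_b = client_encrypt(bob, SAMPLE_FILE)
    blob_a2 = client_encrypt(alice, SAMPLE_FILE)   # Alice encrypts the same file again
    h_a, _ = store.put("alice", blob_a)
    h_b, _ = store.put("bob", blob_b)
    _, a2_uploaded = store.put("alice", blob_a2)
    try:
        client_decrypt(bob, blob_a)
        bob_opens_alice = True
    except ValueError:
        bob_opens_alice = False
    return {
        "same_hash": h_a == h_b,                                         # False
        "blobs_stored": len(store.blobs),                                # 3: fresh nonce each time
        "re_upload_deduped": not a2_uploaded,                            # False: not even Alice's own copy
        "provider_can_read": store.blobs[h_a] == SAMPLE_FILE,            # False
        "alice_can_read": client_decrypt(alice, blob_a) == SAMPLE_FILE,  # True
        "bob_key_opens_alice": bob_opens_alice,                          # False
    }


if __name__ == "__main__":
    print("plaintext upload:", upload_unencrypted())
    print("client-encrypted upload:", upload_client_encrypted())
```

Run it and compare the two result dictionaries. With plaintext hashing, Bob’s copy hashes to Alice’s, is never uploaded, and sits readable in the store. With client-side encryption, every upload (even Alice’s second copy of the same file) is a distinct blob, the store holds nothing readable, and Bob’s key fails the tag check on Alice’s blob. The second scenario is also the price of the advice in this section: you forfeit deduplication and the bandwidth savings that come with it, and the password is now yours alone to keep.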

Complain

A word-of-mouth campaign is often the most effective way to bring about change. Complaining to anyone and everyone – friends, family, senators, representatives, watchdog agencies, etc. – about Dropbox’s lies can go a long way toward forcing them to change their ways.

Final Words

I love Dropbox. Even after this shocking revelation about their (alleged) deception, I still love Dropbox. For me, Dropbox is too convenient to stop using, especially since it is free and cross-platform. Without a doubt, one of the biggest reasons I keep using Dropbox is its support for Android. Therefore, instead of leaving Dropbox, I am one of those people who will start to encrypt (important) data before uploading it to Dropbox. Others may find a better solution to their Dropbox woes; what will you do?

Article sources: Wired, FTC Complaint, Soghoian’s Blog Post, Dropbox Blog Post

Comments


  1. nbape

    Dear Ashraf,

    Sept 2013

    What about this: if Dropbox, after checking that you are the actual owner of the account, lets you reset your password when you have lost it and then access your files, isn’t that enough to prove that they store the files unencrypted? They have to, because if not, how could it be that they can deliver the files unencrypted again?

    Security-wise, probably the only solution is to use an open source (i.e. 100% reliable) solution (like for example TrueCrypt), do the encryption offline, AND never send important data unencrypted to the cloud.

    Note: even using an online service to get a random strong password would be a bad idea because who can be 100% sure that the online service doesn’t save the delivered password in a large dictionary of delivered passwords, which can be re-used by some bad guys or hackers?

    So one should always encrypt important data locally with a user-created strong password. And, as anybody knows, if you lose this password, yes, your data is definitely lost! The price to pay for a 100% reliable solution.

    Final word: coming back to Dropbox, if you accept the fact that they can reset your password, then it implies that somehow the data can be accessed.

    Am I wrong in all this ?

  2. Aidan Roberts

    Don’t put it anywhere on the web if it’s important, it’s that simple. For everything else, I suggest using expressvpn.biz. Users need to take responsibility for their own security.

  3. Himagain

    Just for a moment let’s say you people were against the Government and sneakily encrypted all your secrets. Here is the scenario:
    1. According to my source who cannot be named… the only files that NSA/Echelon really care about are the encrypted ones. Logical?
    2. If Big Brother wants your passwords/access you can be compelled to give it to him or go to jail by default.
    3. They really ONLY zero in on known sources. All the main collection is just stored in case someone asks for it. Nobody reads it till then.
    4. The dirty hackers who want your bank details don’t bother with passwords of any strength – there are millions who use simple English words, and I remember seeing a list once of the 100 most used and asking how many use those 100, and the answer was millions and millions…
    And finally, it seems most professional/commercial break-ins are from the inside anyway.

  4. miky

    I think that everything you send to the “cloud” is risky!

    Guys, does anyone have a link or can send me the “Akira” program (remote control for Dropbox)? I can’t find a working link; every link I find is broken, even on the official site (macobex.wordpress(dot)com).

    Thanks

  5. roger

    I’m with Ashraf on this one. Once a company like Dropbox has been shown to have lied about something as integral to its purpose as security, then it is only sensible to question all its assurances, old and new.

  6. Ace

    I’ll stick with the service. After all, as you point out, we should be encrypting our stuff anyway if we don’t want others to see it, and NOBODY should be so dumb as to upload to the cloud anything they don’t want anyone else to see. Ace.

  7. jumbi

    Agreed with above comments.
    I have been using dropbox for many years also and I love it too.
    From day 1 also, I have separated my data into critical and non-critical and have been using AxCrypt just fine (AxCrypt uses temporary files outside Dropbox! Be careful with other programs, whether they do the same or not!)

    Last month I read an interesting article about SugarSync.
    It has the option to choose which folders to synchronise among computers, which maybe important to some people.
    Has anyone used it?
    Perhaps a review for it?

  8. Jimmy

    I have never used Dropbox or any other cloud storage system; I just do not trust them. When I need to send something over the net, I always encrypt, then zip with a password and encrypt again. Many of you will think I am paranoid; I say better safe than sorry. If Big Brother wants to peek at what I send, let them work for it.

  9. Dave

    I love dropbox too and have used it for a couple years now but from day one I have always encrypted those files I need to be most secure. It’s always best to play it safe since crap can happen if you base your security entirely on others.

  10. Ashraf
    Author/Mr. Boss

    @Dan Corkery: While I would disagree that it is common sense (remember that not everyone is tech-savvy), I think the biggest issue is that Dropbox lied. It wouldn’t be as big of an issue if they were upfront about it from the get-go. People feel betrayed about being misled. If I had known what I know now, I would still be using Dropbox; others, however, may not be. This is compounded for those people that paid for the service.

  11. Dan Corkery

    Like you, Ashraf, I’ll stick with the service. To me it’s a case of “you say tomato and I say tomato”, and although some may get angry over this, I think common sense should have told us all, before we found this out, that they would have “backdoor access” to our data/files. In fact, I would expect them to, and I don’t mind this, as long as that access is restricted and used only to help in matters to do with legal issues, such as suspected crime and such.

    After all, as you point out, we should be encrypting our stuff anyway if we don’t want others to see it, and NOBODY should be so dumb as to upload to the cloud anything they don’t want anyone else to see. That’s the same as printing stuff up and then throwing it out of your window onto the street outside, for everyone and their pals to pick up and read!

    It all comes down to a case of “keeping things simple”: just use the service as it was intended to be used, to store stuff online so you can get at it with ease, not as some kind of ultra-secure virtual vault where you can stash stuff away from the rest of the world. IF that is what you want, then go out and buy an external drive, copy over your files and encrypt them. Simple as that.

    Dan