Dropbox user privacy/data security issues and how you can protect yourself

Dropbox is a popular cloud-storage service. It is loved by all and used by many. Heck, it is dotTech’s favorite and I personally use it too; I have even used it – in conjunction with other file hosting services – to run some dotTech Promotions. However, recently some alarming accusations have been made against Dropbox; and as useful a service as Dropbox might be, it is always better to be informed rather than to be ignorant. I apologize in advance if I crush the hopes and dreams of any dotTechies with this post.

Image Credit: Dropbox

Dropbox Lies

Last week Christopher Soghoian, a Ph.D. student in the School of Informatics and Computing at Indiana University, filed a complaint with the FTC alleging Dropbox lied about how it protects user data. We all know Dropbox claims that it encrypts user data using “military-strength” AES-256 and uses SSL when transferring data. The implication, then, is that no one has access to user data without the user’s password. In fact, this is more than an implication. Prior to April 13, 2011 Dropbox explicitly stated on their website:

All files stored on Dropbox servers are encrypted (AES256) and are inaccessible without your account password.

Soghoian alleges Dropbox lied; he claims Dropbox actually does have access to unencrypted data and Dropbox employees (or anyone they give data to, like a governmental agency) can access the data without a user’s password. Simply put, Soghoian claims that in order to save disk space and bandwidth – and by saving disk space and bandwidth Dropbox saves money – Dropbox “deduplicates” user data. In other words, whenever a user uploads a file Dropbox computes a hash of the file. If the hash matches the hash of another file already uploaded onto Dropbox (by any user), the new file is not re-uploaded nor are two copies of the same file stored. Rather, Dropbox “places” the same file into the account of the two (or more) users in question. (Presumably one user modifying the file in any way would force Dropbox to make a separate copy of the file and would not affect the other users.)

The user privacy/data security issue is that in order to do this deduplication process, Dropbox must have access to unencrypted data. If Dropbox only ever saw data encrypted under each user’s own key, the same file would produce different ciphertext – and therefore a different hash – for every user, so matching one user’s upload against another user’s file would be impossible.

The Truth

When accused of wrongdoing, some companies confess (yeah, right) while others deny (the American way). Dropbox falls somewhere in the middle.

Officially, Dropbox has said they have done nothing wrong; they never claimed Dropbox employees could not access user data but rather meant that Dropbox has checks and balances in place to prevent unauthorized access. Since Dropbox never made the claim, they can’t be held accountable for it. However – and here comes the “confession” part – Dropbox has indirectly admitted fault by modifying its Terms of Use to be more “transparent”, changing various statements made on their website (such as the one quoted previously in this article), and launching a PR campaign (statements to technology websites, blog posts, etc.) to clarify their position.

You Decide

Why take anyone’s word for it? In my opinion one can easily determine Dropbox’s guilt (or lack thereof) with a quick analysis of their website:

  • As mentioned previously, on their website – prior to April 13, 2011 – Dropbox used to claim:

All files stored on Dropbox servers are encrypted (AES256) and are inaccessible without your account password.

Now it says:

All files stored on Dropbox servers are encrypted (AES 256).

  • Similarly, Dropbox’s website used to say:

Dropbox employees aren’t able to access user files, and when troubleshooting an account, they only have access to file metadata (filenames, file sizes, etc. not the file contents).

But now it says:

Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations).

  • Another claim…

Nobody can see your private files in Dropbox unless you deliberately invite them or put them in your Public folder.

has been changed to:

Other Dropbox users can’t see your private files in Dropbox unless you deliberately invite them or put them in your Public folder.

  • Lastly, one statement has been removed…

Online access to your files requires your username and password.

…while another statement has been added:

Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.

Although some – if not most – of the changes highlighted above are subtle, they provide significant insight into Dropbox’s state of mind regarding this user privacy/data security issue.

How To Protect Yourself

While some may disagree, to me it is clear Dropbox isn’t as “secure” as I was led to believe when I first signed up. Therefore, I feel it is important to outline steps users can take to protect themselves.

Leave Dropbox

The most effective way to avoid this Dropbox user privacy/data security issue is to stop using Dropbox. You can either use other backup/file hosting services, or you can stop trusting the cloud completely.

Only Upload Non-Important Data

Don’t upload anything on Dropbox that you don’t want others to see.

Never Let a Firm Do a Man’s Job

Why leave it up to Dropbox to encrypt your data? If you encrypt your data yourself, it doesn’t matter what Dropbox does – they won’t be able to access your data.

Encryption can be done in several ways. There are programs out there – such as SecretSync – that specialize in Dropbox encryption, streamlining the process for you. Then there are other generic encryption programs, such as TrueCrypt or AxCrypt, that can be used to manually encrypt data before it is uploaded onto Dropbox.
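As an added example (not code from the original post, Dropbox, or any of the tools named above), the following Python simulates the hash-based deduplication described under “Dropbox Lies” and then shows why encrypting before upload both keeps file contents away from the service and stops cross-account deduplication. The store, user names, sample file and HMAC-based stream cipher are all constructed for illustration; a real setup would use a vetted tool such as those mentioned above.

```python
import hashlib
import hmac
import os
# Constructed sample: the same bytes uploaded by two different users.
SAMPLE_FILE = b"quarterly report, confidential draft v3\n"

class DedupStore:
    """Toy content-addressed store: one blob per distinct SHA-256 digest."""
    def __init__(self):
        self.blobs = {}     # digest -> stored bytes
        self.accounts = {}  # user -> {filename: digest}

    def upload(self, user, filename, data):
        digest = hashlib.sha256(data).hexdigest()  # the server must see the bytes it hashes
        is_new = digest not in self.blobs
        if is_new:
            self.blobs[digest] = data
        self.accounts.setdefault(user, {})[filename] = digest
        return is_new  # False: an existing blob was "placed" into this account

def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; illustrative only, not a production cipher."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def encrypt(key, data):
    """Client-side encryption with a fresh random nonce, so ciphertext never repeats."""
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def decrypt(key, blob):
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, keystream(key, nonce, len(body))))

def plaintext_upload_demo():
    # Unencrypted uploads: the second copy is never stored because the server can hash it.
    store = DedupStore()
    alice_new = store.upload("alice", "report.txt", SAMPLE_FILE)
    bob_new = store.upload("bob", "report.txt", SAMPLE_FILE)
    return alice_new, bob_new, len(store.blobs)  # (True, False, 1)

def encrypted_upload_demo():
    # Per-user client-side keys: identical files hash differently, so no cross-account dedup.
    store = DedupStore()
    alice_key, bob_key = os.urandom(32), os.urandom(32)
    store.upload("alice", "report.txt", encrypt(alice_key, SAMPLE_FILE))
    store.upload("bob", "report.txt", encrypt(bob_key, SAMPLE_FILE))
    recovered = decrypt(alice_key, store.blobs[store.accounts["alice"]["report.txt"]])
    return len(store.blobs), recovered == SAMPLE_FILE  # (2, True)
```

The second demo also shows the cost the next paragraph describes: the service stores two blobs instead of one, and only the holder of the key can turn a blob back into the file.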

The thing to note about encryption, however, is that it will be less convenient to use Dropbox on multiple computers or devices because you will have to decrypt data every time you want to access it. In some cases, such as on smartphones, you may not even be able to decrypt without first accessing a computer.

Complain

A word-of-mouth campaign is often the most effective way to bring about change. Complaining to anyone and everyone – including friends, family, senators, representatives, watchdog agencies, etc. – about Dropbox’s lies can go a long way in forcing them to change their ways.

Final Words

I love Dropbox. Even after this shocking revelation about their (alleged) deception, I still love Dropbox. For me, Dropbox is too convenient to stop using, especially since it is free and cross-platform. Without a doubt one of the biggest reasons I keep using Dropbox is because of its support for Android. Therefore, instead of leaving Dropbox, I am one of those people that will start to encrypt (important) data before I upload it onto Dropbox. Others may find a better solution to Dropbox woes; what will you do?

Article sources: Wired, FTC Complaint, Soghoian’s Blog Post, Dropbox Blog Post
