Dropbox Lands in Hot Water

Popular cloud data storage company Dropbox is in a bit of trouble over some questions about the security policy given to customers with regards to their accounts.  It has recently come to light that Dropbox provides their technical staff with tools that allow them to access private information.  Until recently, their security policy conveniently left that little tidbit out. In addition to some very angry end users, Dropbox can now add a complaint filed with the FTC to their list of troubles.

University of Indiana PhD and security researcher Christopher Soghoian’s claims about the file storage system’s shortcomings brought forth a variety of responses from Dropbox, starting with a very confident

“All files stored on Dropbox servers are encrypted (AES256) and are inaccessible without your account password.”

When Soghioan persisted, Dropbox changed their statement on the product’s data security to a more generic

“All files stored on Dropbox servers are encrypted (AES 256).”

The difference between these two statements?  Huge.  Dropbox boasts super-efficient file storage by analyzing each document before it is uploaded, allowing their system to simply overwrite changes or additions to a document, instead of creating duplicate versions of the same document on their servers.  In theory, this is great.  However, this efficient upload method carries across from user to user.  If a Dropbox user attempts to upload a document that another user already has in the system, Dropbox won’t upload the new file; it will simply update the existing version and add it to the new user’s account.

The architecture behind this storage method means that Dropbox employees can see any file uploaded to the system.  In addition, they have access to the nonencrypted versions of all of the files.

Questioning from users brought about some changes to the help section on Dropbox’s website.

On April 13, the statement

“Dropbox employees aren’t able to access user files, and when troubleshooting an account, they only have access to file metadata (filenames, file sizes, etc. not the file contents).”

Was changed to read

“Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations). Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.”

The complaint asks that Dropbox further clarify the text on their website in order to prevent misleading users.  It is also requesting that the FTC require Dropbox contacts all its users to alert them that Dropbox can see their data in the clear, offer refunds to “Pro” users and prohibit the company from making deceptive claims about security practices in the future.

Our take?  Dropbox isn’t doing anything that other file storage companies aren’t doing.  If they’d been up front about their security practices up front (and maybe in the middle), this wouldn’t be news.  Yet another vote from us for transparency.