Dropbox Drops the Ball on Security


InfoWorld posted a great story about Dropbox getting caught doing the old sleight-of-hand routine on the real nature of how secure your files are in their cloud storage system.

Sharp-eyed doctoral candidate Christopher Soghoian caught Dropbox in a bit of, uh, let’s call it an inconsistency. Here’s what he found.

Even though Dropbox claimed, “All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password.” Yet the company also claimed, “If we detect that a file you’re trying to upload has already been uploaded to Dropbox, we don’t make you upload it again. Similarly, if you make a change to a file that’s already on Dropbox, you’ll only have to upload the pieces of the file that changed.”

How, Soghoian asked, could Dropbox find duplicate files — or detect which pieces of a file had changed — if it didn’t have access to the contents of those files? Dropbox responded with a resounding thud.
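The contradiction in those two claims can be shown in a few lines. This is an added illustration, not Dropbox's code: `DedupServer` and the helper names are hypothetical, and an HMAC-SHA256 keystream stands in for AES-256 so the sketch runs on the Python standard library alone.

```python
import hashlib, hmac, os

def derive_key(password: str, salt: bytes) -> bytes:
    # Key comes from the account password, which only the user knows.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in for AES-256-CTR (assumption: stdlib only, no integrity tag).
    # XOR with the keystream both encrypts and decrypts.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def client_encrypt(password: str, plaintext: bytes) -> bytes:
    salt, nonce = os.urandom(16), os.urandom(16)
    return salt + nonce + xor_keystream(derive_key(password, salt), nonce, plaintext)

def client_decrypt(password: str, blob: bytes) -> bytes:
    salt, nonce, body = blob[:16], blob[16:32], blob[32:]
    return xor_keystream(derive_key(password, salt), nonce, body)

class DedupServer:
    """Hypothetical server that skips uploads whose SHA-256 it already holds."""
    def __init__(self):
        self.blobs = {}

    def upload(self, data: bytes) -> bool:
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.blobs:
            return True   # duplicate detected, upload skipped
        self.blobs[digest] = data
        return False      # new content, stored

def run_demo() -> dict:
    doc = b"constructed sample file contents\n" * 100  # constructed sample input
    readable = DedupServer()   # server receives bytes it can read
    opaque = DedupServer()     # server receives only password-encrypted bytes
    alice = client_encrypt("alice-password", doc)
    return {
        "readable": (readable.upload(doc), readable.upload(doc)),
        "opaque": (opaque.upload(alice), opaque.upload(client_encrypt("bob-password", doc))),
        "roundtrip": client_decrypt("alice-password", alice) == doc,
    }

if __name__ == "__main__":
    print(run_demo())
```

The second upload is recognized as a duplicate only when the server can see the file contents; when each user encrypts under a password-derived key, identical files arrive as unrelated ciphertexts and the server has nothing to match on.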

I’ve been praising Dropbox to anyone who would listen since I signed up over a year ago. I even paid for a year’s worth of service not too long ago. I’m starting to have some serious second thoughts about that.

So Dropbox’s site went from claiming:

Dropbox employees aren’t able to access user files, and when troubleshooting an account, they only have access to file metadata (filenames, file sizes, etc. not the file contents)… All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password.

to:

Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata… we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances… All files stored on Dropbox servers are encrypted (AES-256)

Wait, it gets worse. They also added a new “provision” to their TOS:

We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) to protect Dropbox’s property rights.

It went from “they absolutely can’t access users’ files” to “OK, they can” to “well, we’d only access them if the nice authorities at the DHS or the County Sheriff’s office asked us to.”

Honestly my mind is still reeling about this. The guy who discovered this monumental gaffe filed a 16-page complaint with the Federal Trade Commission.

As a result, Soghoian has filed a 16-page complaint with the U.S. Federal Trade Commission, which asks the FTC to have Dropbox admit that it can get at Dropbox data, making your data vulnerable to an attack on Dropbox’s servers; require Dropbox to email its 25 million customers to warn them of the potential problem and suggest that customers encrypt their data independently; force Dropbox to refund money to people who paid for “Pro” service, if they felt they were deceived; and enjoin Dropbox from making future deceptive statements.

So, anyone have any SECURE alternatives to Dropbox?
