Saturday, April 23, 2011

Dropbox addresses privacy concerns | Storage | MacUser | Macworld

Cloud-storage service clarifies who has access to your files
Posted on Apr 21, 2011 1:03 pm by Dan Moren, Macworld.com
In the wake of recent changes to the wording of its terms of service, cloud-storage service Dropbox has come under fire for claims it made about exactly who has access to your files. On Thursday, Dropbox took to its blog and attempted to clarify details about its security and privacy practices.
Concerns first arose after Dropbox recently reworded the section of its terms of service about compliance with law enforcement. According to Dropbox, that change was made to narrow the scope of that section, and to specify the situations in which the company might reveal information about its users. Itʼs worth noting, as the company does, that this clause isnʼt unique to Dropbox: Google, Skype, Twitter, and Apple all have terms of service that say they are required to comply with government investigations if requested.

Private lives

However, as the new terms clearly say that Dropbox will give law enforcement access to usersʼ files stored in Dropbox when legally required to do so, thereʼs a question of exactly who has access to those files.

Prior to Thursday, the features page on Dropboxʼs Website contained the pretty straightforward claims that “All files stored on Dropbox are encrypted (AES-256)” and “Dropbox employees are unable to view user files [emphasis added].”
[Image: Dropbox's features page prior to Thursday (left) and on Thursday (right).]
That sentiment is reinforced by a Dropbox help center document, which states that both “Nobody can see your private files in Dropbox unless you deliberately invite them or put them in your Public folder” and “Dropbox employees arenʼt able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc., not the file contents).”

Those claims suggest that technological factors prevent Dropbox employees from accessing user files. However, that would seem to conflict with Dropboxʼs statement that it will provide access to files for law enforcement—after all, what good are files that canʼt be viewed?
In a statement provided to Macworld, Dropbox Chief Technology Officer Arash Ferdowsi said the claim that Dropbox employees couldnʼt access files “is not an intentionally misleading statement—it is enforced by technical access controls on our backend storage infrastructure as well as strict policy prohibitions. The contents of a file will never be accessed by a Dropbox employee without the userʼs permission.”

However, Ferdowsi acknowledged that the claim could be misinterpreted, especially in the context of Dropboxʼs statement that it encrypts all files. As a result, Ferdowsi said the company would change the text to read “Dropbox employees are prohibited from accessing user files.”
As of Thursday, the features page has been updated to remove the statement about employees not being able to access files; the updated version of the text has yet to appear, though. The help center document remains unchanged for the moment, though Dropboxʼs blog post says that it will be updated with more details as well.

Keys to the kingdom

Still, the fact that Dropbox can access files to provide to law enforcement means that the keys to those encrypted files are held not by the user, but by Dropbox itself. Ferdowsi confirmed that in a statement to Macworld:
The keys are known to Dropbox alone—Dropbox servers must be able to decrypt files in order to allow users to view their own files on our website. As with almost every other online service, there are a limited number of employees who must be able to access user data when legally required to do so, and to help troubleshoot usersʼ accounts with their consent.

Without possession of the decryption keys, the security of usersʼ files depends on just how much you trust Dropbox; itʼs a bit like your landlord having a key to your apartment. Dropbox claims, though, that itʼs only received about one government request per month over the last year—thatʼs 12 requests for more than 25 million users—and that its legal team vets all requests before taking any action.
So, is there reason for concern? It depends on your level of comfort. As always, convenience and security exist in a balance—the more you get of one, the less you get of the other. Certainly, nothing has materially changed between yesterday and today: Itʼs just as hard (or easy) to access Dropbox files now as it was then.
Overall, though, the concerns are less about the security of Dropbox than they are about the misleading claims—intentional or not—that the company made, versus the reality of the situation. In the case of a service on which many users store personal and private information, that lack of transparency may not exactly be reassuring.
Those who do store sensitive information on their Dropbox—and would rather that really only they can access it—should consider encrypting the files before putting them into Dropbox (for example, by using Mac OS Xʼs Disk Utility feature to create an encrypted disk image). That has its own drawbacks though, since it interferes with some of Dropboxʼs features, like easy access to versioning control—youʼll have multiple versions of the disk image, but not individual files—and you wonʼt be able to view those files via the serviceʼs mobile applications.

In the end, though, it all comes down to one of the cardinal rules of the Internet: If youʼve got something you donʼt want to see on the front page of The New York Times, then donʼt let it out of your sight.

Updated at 11:23 a.m. PT to clarify the downsides of encrypted disk images.
