Viewing Story

Dropbox under fire for lying to its customers about security

Posted by on 16/05/2011

7
2

The popular file cloud sharing service is in a bit of hot water after an official complaint was filed at the FTC (Federal Trade Commission) over concerns of Dropbox actually misleading the public regarding the actual level of security offered versus what they claim to offer.

Ph.D. student Christopher Soghoian filed the claim against Dropbox claiming that data encryption keys are stored on their servers, allowing for employees to potentially decrypt stored data and view it. This means that data can be extracted and published by rogue officials or be used in government matters, which could lead to heavy legal implications put against the users uploading files (if they are deemed illegal).

In a further update, they did admit that a few staff members have total access to files on the server if they ever are required for legal purposes.

Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.

Clearly this opens a can of worms since the policy itself means that these employees can inadvertently access the files for their own illicit purposes if they wish to. For those trying to avoid legal implications like those related to data being extracted from Facebook and Google, the case is no different here.

On another note, because they have total control over the data encryption/decryption keys, they scan the hash content of all uploaded files to prevent occurrences of data duplication, thus allowing them to save space and save money, but at the expense of file security. This allows them an unfair competitive advantage over their two major competitors SpiderOak and Wuala.

The data transfer protocol also seems to be up for question because Dropbox claims to use HTTPS connections for all transfers, but their mobile apps actually use regular HTTP protocol, which means that any unencrypted data being transferred could be intercepted and decoded. Since data encryption only takes place on the Dropbox end, it leaves users in the open during transfers on mobile devices.

The complaint requests that Dropbox go further to clarify their security policies and update their information listings, because even high profiles tech experts seemed to have been misled by the current policies put in place. Even after a recent update of their security policies on April 13th, Soghoian believes there is still a lot to be accounted for.

You can read the entire complaint below.

7
2
  • Bcrescente

    “ We have strict policy and technical access controls that prohibit employee access…”

    “…the policy itself means that these employees can inadvertently access the files for their own illicit purposes if they wish to”

    Are you stupid?? You’re contradicting yourself. This article looks like it was written by a glue sniffing 2nd grader.

    “…they scan the hash content of all uploaded files to prevent occurrences of data duplication, thus allowing them to save space and save money, but at the expense of file security”

    You don’t have to have access to a file to read the hash data. It’s simply a total of all bits in a file. A total of 1′s and 0′s. I don’t see a security breach here.

    I’d suggest hiring an elementary student to do your proofreading. It might help catch the blatant factual errors and hyperbole.

  • https://www.blogtechnical.com Bradley Wint

    When you can tell the difference between a quoted paragraph (i.e. what they said) vs. what I have to say about the matter, then we can talk about who sniffs glue. Also, when using the guise of a famous blogger, at least learn to spell his name correctly? Nice rant though.

  • Argent

    I hope you are a troll because stupidity this high would be sad.

  • Argent

    I hope you are a troll because stupidity this high would be sad.

More in Computing, Featured, Policies/Ethics (19 of 70 articles)