Dropbox under fire for lying to its customers about security

Posted by Bradley Wint on 16/05/2011

The popular file cloud sharing service is in a bit of hot water after an official complaint was filed at the FTC (Federal Trade Commission) over concerns of Dropbox actually misleading the public regarding the actual level of security offered versus what they claim to offer.

Ph.D. student Christopher Soghoian filed the claim against Dropbox claiming that data encryption keys are stored on their servers, allowing for employees to potentially decrypt stored data and view it. This means that data can be extracted and published by rogue officials or be used in government matters, which could lead to heavy legal implications put against the users uploading files (if they are deemed illegal).

In a further update, they did admit that a few staff members have total access to files on the server if they ever are required for legal purposes.

Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.

Clearly this opens a can of worms since the policy itself means that these employees can inadvertently access the files for their own illicit purposes if they wish to. For those trying to avoid legal implications like those related to data being extracted from Facebook and Google, the case is no different here.

On another note, because they have total control over the data encryption/decryption keys, they scan the hash content of all uploaded files to prevent occurrences of data duplication, thus allowing them to save space and save money, but at the expense of file security. This allows them an unfair competitive advantage over their two major competitors SpiderOak and Wuala.

The data transfer protocol also seems to be up for question because Dropbox claims to use HTTPS connections for all transfers, but their mobile apps actually use regular HTTP protocol, which means that any unencrypted data being transferred could be intercepted and decoded. Since data encryption only takes place on the Dropbox end, it leaves users in the open during transfers on mobile devices.

The complaint requests that Dropbox go further to clarify their security policies and update their information listings, because even high profiles tech experts seemed to have been misled by the current policies put in place. Even after a recent update of their security policies on April 13th, Soghoian believes there is still a lot to be accounted for.

You can read the entire complaint below.