Dropbox Can't See Your Dat– Er, Never Mind

bizwriter writes "Dropbox, the online backup and file sharing service claims to have hit 25 million users in a single year. But a change in terms, noting that Dropbox will give up data to law enforcement under a legal request, showed that the company's security claims couldn't be possible. It turns out that Dropbox claims in one place that encrypted data makes it impossible for employees to see into user files, but in another says that they're only 'prohibited' from doing so."

the love of cloud

[alphatel]

Everyday I get a corporate client asking me why they can't just do all their work on the cloud. Here's the perfect reason why.

Hmmm...

[boarder8925]

From Dropbox's new terms of service:

As set forth in our privacy policy, and in compliance with United States law, Dropbox cooperates with United States law enforcement when it receives valid legal process, which may require Dropbox to provide the contents of your private Dropbox. In these cases, Dropbox will remove Dropboxâ(TM)s encryption from the files before providing them to law enforcement.

How does Dropbox define "valid legal process"? Do they mean something like, I don't know, receiving an actual search warrant? Or do they mean rolling over when the police say, "Hey, um, we'd just like to look at all these users' files. We have no warrant or real reason to do so, but we think someone might potentially be doing something illegal and we promise we're only working to 'protect' people and all that jazz."

Re:It is not impossible

[gkuz]

Of course it can be impossible. Encrypt the data yourself, using a well-known, open-source, trusted and verified program, and keep the keys yourself. Dropbox can't decrypt anything then. Why anyone would trust them in the first place, especially a smart guy like Miguel, is beyond me.

Re:the love of cloud

[danbuter]

I agree. The only people really pushing the cloud are the companies who want to supply the servers.

Re:the love of cloud

[gkuz]

So that law enforcement can't access his data? What is his "business" area to be exact?

I love the irony of this comment being posted by an AC. Tell you what, post using your real name, address and phone number, and I'll tell you a dozen reasons why privacy, even from law enforcement, can be a legitimate business need.

They Lied

[jarich]

The old policy said our files were encrypted with mil-spec encryption, etc etc. Now they're telling us they'll turn our files over if asked.

Dropbox lied. No two ways about it. But this why you never store anything sensitive in "the cloud" anyway.

The cloud is never secure ...

[Blade]

Maybe it comes from working in IT, but I always assume that if someone else is holding my data, they can access it. It doesn't interest me what they say - that's my basic starting assumption. So I always assumed that Dropbox could get to my data, and if I cared about the privacy of that data I just encrypted the files myself first.

It's my data, I'm in control of it. Giving it up to someone else and hoping they keep it safe is silly.

I'm surprised so many people are surprised (and I wonder if the people are are surprised haven't been in IT long?)

Seriously, you didn't see this coming?

[Thumper_SVX]

Seriously, is anyone really surprised by this? I use DropBox, and not once have I considered that my data in DropBox is completely private. Sure, I use it for transferring some documents that are potentially sensitive (a lot of documentation on a lawsuit I'm involved in for example) but where there's sensitive data I always encrypt the documents myself with TrueCrypt.

This is precisely why I think the "cloud" is a bad idea for corporations. Until there are guarantees and safeguards against data theft or loss there is no way that I would entrust my company's critical data to a third party provider. Yes, the costs of managing that data myself are higher but the risk of that data getting out of our control and management is greatly mitigated.

And what about a data breach? Loss of data due to crackers? Seriously... all it's going to take is for one of these cloud providers to become big enough that the majority of corporations using their services are completely without options when a breach occurs. The big provider can simply turn around and say "Well, crap happens but who else are you going to turn to?" and there's nothing the average corporation can do about it. There may be financial guarantees in place, but simply put the cat is already out of the bag at that point.

Re:the love of cloud

[MoeDumb]

That's the ticket. YOU do your own encryption before sending it up to the cloud. Then it doesn't matter what DB does.

Re:the love of cloud

[Rob the Bold]

Well it's not a perfect reason. Many companies traditionally send their backup tapes or their shred bins or boxes of old files to an operator like Iron Mountain to store / destroy them. I expect Iron Mountain would comply with a court order just as readily as a cloud operator. I suppose with cloud operators the jurisdictions are more likely to differ which could be considered an advantage or not depending on why the court order is being served.

I noticed that although you write "court order" here -- and probably a lot of us are making the same assumption -- that phrase is not used in the Dropbox terms quoted in TFA. Instead, it reads "...Dropbox cooperates with United States law enforcement when it receives valid legal process..." It certainly makes you consider that Dropbox -- like other service providers with access to you data -- would give up your files just for a request from the cops, the FBI, etc. without even the limited due process of an actual court order.

Re:Seriously, you didn't see this coming?

[Anonymous Coward]

There may be financial guarantees in place, but simply put the cat is already out of the bag at that point.

Which is why only data they can afford to lose will be stored in the cloud, e.g. customers' personal info and such, certainly not financial or business data.

Re:It is not impossible

[blueg3]

They're not lying, they're just being careful with their words and people can't read.

It should be obvious to any technically-minded person that they hold any encryption keys, since when you install Dropbox on a second computer, you don't need to provide a key in order for it to be successful.

So their claims are that they encrypt data in transit, encrypt data at rest, and that employees can't access the content of files. There's no claim that it's impossible for any employee to access the content of files because they're encrypted with a key Dropbox doesn't hold, which is what people seem to be imagining. It's simply saying that employees won't snoop on your files because in the normal course of business, they are not provided access with the contents of those files.

As far as providing the files to law enforcement upon a legally-valid request, they don't really have a choice in the matter, as they're a US company. For any company that exists primarily in country X, it is almost certain that there is a relatively easy procedure for law enforcement agents of country X to obtain any data about you that the company holds. If the country happens to be, say, Lithuania, and you don't travel to or do business in Lithuania, you probably don't care, but it's still true. The only way to prevent this is to make it so that the company is not holding any useful data of yours that they are able to access. In the case of Dropbox, you need to encrypt your files before they get to Dropbox.

Incidentally, if you have data that you don't want law enforcement to be able to obtain, you should be encrypting it even when it's stored locally. A search warrant for your computer is not really all that much harder to obtain.