In the wake of recent changes to the wording of its terms of service, cloud-storage service Dropbox has come under fire for claims it made about exactly who has access to your files. On Thursday, Dropbox took to its blog and attempted to clarify details about its security and privacy practices.
Concerns first arose after Dropbox recently reworded the section of its terms of service about compliance with law enforcement. According to Dropbox, that change was made to narrow the scope of that section, and to specify the situations in which the company might reveal information about its users. It’s worth noting, as the company does, that this clause isn’t unique to Dropbox: Google, Skype, Twitter, and Apple all have terms of service that say they are required to comply with government investigations if requested.
However, as the new terms clearly say that Dropbox will give law enforcement access to users’ files stored in Dropbox when legally required to do so, there’s a question of exactly who has access to those files.
Prior to Thursday, the features page on Dropbox’s Website contained the pretty straightforward claims that “All files stored on Dropbox are encrypted (AES-256)” and “Dropbox employees are unable to view user files [emphasis added].”
That sentiment is reinforced by a Dropbox help center document, which states that both “Nobody can see your private files in Dropbox unless you deliberately invite them or put them in your Public folder” and “Dropbox employees aren’t able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc., not the file contents).”
Those claims suggest that technological factors prevent Dropbox employees from accessing user files. However, that would seem to conflict with Dropbox’s statement that it will provide access to files for law enforcement—after all, what good are files that can’t be viewed?
In a statement provided to Macworld, Dropbox Chief Technology Officer Arash Ferdowsi said the claim that Dropbox employees couldn’t access files “is not an intentionally misleading statement—it is enforced by technical access controls on our backend storage infrastructure as well as strict policy prohibitions. The contents of a file will never be accessed by a Dropbox employee without the user’s permission.”
However, Ferdowsi acknowledged that the claim could be misinterpreted, especially in the context of Dropbox’s statement that it encrypts all files. As a result, Ferdowsi said the company would change the text to read “Dropbox employees are prohibited from accessing user files.”
As of Thursday, the features page has been updated to remove the statement about employees not being able to access files; the updated version of the text has yet to appear, though. The help center document remains unchanged for the moment, though Dropbox’s blog post says that it will be updated with more details as well.
Keys to the kingdom
Still, the fact that Dropbox can access files to provide to law enforcement means that the keys to those encrypted files are held not by the user, but by Dropbox itself. Ferdowsi confirmed that in a statement to Macworld:
The keys are known to Dropbox alone—Dropbox servers must be able to decrypt files in order to allow users to view their own files on our website. As with almost every other online service, there are a limited number of employees who must be able to access user data when legally required to do so, and to help troubleshoot users’ accounts with their consent.
Without possession of the decryption keys, the security of users’ files depends on just how much you trust Dropbox; it’s a bit like your landlord having a key to your apartment. Dropbox claims, though, that it’s only received about one government request per month over the last year—that’s 12 requests for more than 25 million users—and that its legal team vets all requests before taking any action.
So, is there reason for concern? It depends on your level of comfort. As always, convenience and security exist in a balance—the more you get of one, the less you get of the other. Certainly, nothing has materially changed between yesterday and today: It’s just as hard (or easy) to access Dropbox files now as it was then.
Overall, though, the concerns are less about the security of Dropbox than it is about the misleading claims—intentional or not—that the company made, versus the reality of the situation. In the case of a service on which many users store personal and private information, that lack of transparency may not exactly be reassuring.
Those who do store sensitive information on their Dropbox—and would rather that really only they can access it—should consider encrypting the files before putting them into Dropbox (for example, by using Mac OS X’s Disk Utility feature to create an encrypted disk image). That has its own drawbacks though, since it interferes with some of Dropbox’s features, like easy access to versioning control—you’ll have multiple versions of the disk image, but not individual files—and you won’t be able to view those files via the service’s mobile applications.
In the end, though, it all comes down to one of the cardinal rules of the Internet: If you’ve got something you don’t want to see on the front page of The New York Times, then don’t let it out of your sight.
Updated at 11:23 a.m. PT to clarify the downsides of encrypted disk images.