A complaint has been filed with the FTC that Dropbox has deceived its users about the security and encryption of its popular online storage system. The complaint was submitted by Christopher Soghoian, who in April blogged about how Dropbox deduplicates the files that users store online and concluded that Dropbox would require access to unencrypted data in order to detect duplicate data across different user accounts.
As reported on Wired:
The FTC complaint charges Dropbox with telling users that their files were totally encrypted and even Dropbox employees could not see the contents of the file ...
Soghoian, who spent a year working at the FTC, charges that Dropbox "has and continues to make deceptive statements to consumers regarding the extent to which it protects and encrypts their data," which amounts to a deceptive trade practice that can be investigated by the FTC.
Interested readers can access a copy of the complaint hosted by Wired here (pdf).
It is noteworthy that the original April 12 report by Soghoian led to Dropbox revising the wording of its claims relating to security and privacy on the very next day. However, Dropbox has taken pains to emphasize that it was only a "clarification for users, not a policy update." In effect, the technical architecture of Dropbox remains unchanged.
For its part, Dropbox has fired back that the company has not represented anything beyond the fact that "Dropbox employees aren't able to access user files." And in response to the Wired report, Dropbox elaborated that user privacy is maintained by the use of access-control mechanisms on the back end in tandem with "strict policy prohibitions."
Dropbox spokesperson Julie Supan has written in with the following remarks:
We believe this complaint is without merit, and raises issues that were addressed in our blog post on April 21, 2011. Millions of people depend on our service every day and we work hard to keep their data safe, secure, and private.
Cutting To the Heart of the Issue
There is no doubt that Dropbox is a wildly popular service, as evidenced by the large number of blog comments voicing support for the company or heaping derision on users who expressed dismay at the privacy and security revelation. Some of the recurring themes on this front range from "What's the big deal?" to "So what do you have to hide anyway?" Of course, there were also users who were sufficiently disgusted as to delete their Dropbox accounts, as well as others who scoffed at the idea that privacy is even possible for an online service.
Amidst the highly charged emotions and name calling are a couple of truths that small- and mid-sized businesses need to focus on. For one, SMBs must understand that the digital keys used to encrypt and decrypt data on Dropbox are stored on the company's servers. While the presence of encryption does provide some level of defense against data leakage, it is not implausible that hackers could one day penetrate Dropbox and successfully make off with both the decryption keys and your business data. Related to the fact that Dropbox holds the decryption key is the logical conclusion that Dropbox can, when presented with a subpoena, hand over your unencrypted files to the government or other companies.
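The link between deduplication and key custody can be shown with a small model. The following is an added example, not code from Dropbox, Wired or the complaint: the `Store` class, the function names and the sample document are hypothetical, and the SHA-256 keystream is a standard-library stand-in for a real cipher such as AES-GCM.

```python
import hashlib
import os

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy SHA-256 counter-mode keystream: a stdlib-only stand-in for a real
    # AEAD such as AES-GCM. Illustration only, not for production use.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def client_encrypt(user_key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)                 # fresh nonce per upload
    return nonce + _xor_stream(user_key, nonce, plaintext)

def client_decrypt(user_key: bytes, blob: bytes) -> bytes:
    return _xor_stream(user_key, blob[:16], blob[16:])

class Store:
    """Hypothetical backend that deduplicates on SHA-256 of the bytes it receives."""
    def __init__(self):
        self.blobs = {}                    # digest -> stored bytes
    def put(self, data: bytes) -> bool:
        digest = hashlib.sha256(data).hexdigest()
        duplicate = digest in self.blobs
        self.blobs.setdefault(digest, data)
        return duplicate                   # True if an identical blob already existed

def run_demo() -> dict:
    doc = b"Q3 payroll figures (constructed sample)\n" * 50
    # Model A: the provider handles plaintext (it holds the keys itself).
    provider = Store()
    provider.put(doc)                      # upload from user 1
    a_dup = provider.put(doc)              # same file from user 2
    # Model B: each user encrypts with a key the provider never sees.
    private = Store()
    k1, k2 = os.urandom(32), os.urandom(32)
    blob1 = client_encrypt(k1, doc)
    private.put(blob1)
    b_dup = private.put(client_encrypt(k2, doc))
    return {
        "provider_keyed_dedup": a_dup,
        "provider_can_read": doc in provider.blobs.values(),
        "client_keyed_dedup": b_dup,
        "client_blob_readable": any(doc[:32] in b for b in private.blobs.values()),
        "owner_roundtrip": client_decrypt(k1, blob1) == doc,
    }

if __name__ == "__main__":
    print(run_demo())
```

In the first model the second upload is recognized as a duplicate and the stored bytes are readable by whoever runs the store; in the second, the same file uploaded by two users yields unrelated blobs that only each key holder can decrypt.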
Ultimately, it is up to individual SMBs to decide if they want to continue hosting with Dropbox, and whether to ban their employees from using Dropbox for confidential materials. Of course, companies that made their decision to go with Dropbox on the mistaken assumption (or misrepresentation - if the allegations bear out) that Dropbox has absolutely no way of accessing their data may want to re-evaluate their decision.
For now, other online storage companies such as EMC's Mozy, which actually encrypts your files prior to uploading, are probably getting a shot in the arm from defecting Dropbox users who have decided that they require higher levels of protection.