According to InformationWeek, University of Indiana Ph.D. and security researcher Christopher Soghoian has filed a complaint with the Federal Trade Commission, claiming that the Dropbox file-sharing service has been misleading users about the security and privacy of their files. Techworld.com quotes the letter Soghoian sent to the FTC:
Dropbox has and continues to make deceptive statements to consumers regarding the extent to which it protects and encrypts their data ... Dropbox's customers face an increased risk of data breach and identity theft because their data is not encrypted.
InformationWeek explains the particulars:
Dropbox ... uses file deduplication when files are first uploaded. As a result, when a user uploads a file, the Dropbox site first studies the file to see if it's been uploaded by a different user. If so, Dropbox just links to the previously uploaded file.
First, Soghoian takes issue with the deduplication process, saying it makes it easy for outsiders to know what's on Dropbox's servers, since the website checks each uploaded file to see whether it has seen it before. Second, Soghoian questions Dropbox's use of a single encryption key for all stored user data. The problem with that, explains PCPro, is that employees have access to the keys, allowing them to access users' data, despite the site previously claiming otherwise. In his complaint, Soghoian urges Dropbox to forgo data deduplication and assign each user their own strong encryption key.
For its part, Dropbox says the complaint is without merit.
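The deduplication concern described above can be seen in a small model. This is an added example, not code from Dropbox, the complaint, or the quoted articles; it assumes deduplication is a lookup by content hash, and `BlobStore`, `global_id`, `per_user_id` and `compare` are hypothetical names. Encryption itself is left out: the model only shows which uploads are reported as already stored when the blob identifier does or does not depend on a per-user secret.

```python
import hashlib
import hmac
import os


class BlobStore:
    """Toy server-side store: keeps one copy per blob id and reports reuse."""

    def __init__(self):
        self.blobs = {}

    def put(self, blob_id, payload):
        """Store payload under blob_id; return True if the id already existed."""
        seen = blob_id in self.blobs
        if not seen:
            self.blobs[blob_id] = payload
        return seen


def global_id(data):
    # Cross-user deduplication: the id depends only on the file content.
    return hashlib.sha256(data).hexdigest()


def per_user_id(user_key, data):
    # Per-user keying: the id also depends on a secret only that user holds.
    return hmac.new(user_key, data, hashlib.sha256).hexdigest()


def compare(document, other):
    """Upload the same files under both schemes and record the reuse signals."""
    shared, keyed = BlobStore(), BlobStore()
    alice_key, bob_key = os.urandom(32), os.urandom(32)  # hypothetical per-user keys

    shared.put(global_id(document), document)  # Alice uploads first
    keyed.put(per_user_id(alice_key, document), document)

    return {
        "shared_bob_same_file": shared.put(global_id(document), document),
        "shared_bob_other_file": shared.put(global_id(other), other),
        "keyed_bob_same_file": keyed.put(per_user_id(bob_key, document), document),
        "keyed_alice_reupload": keyed.put(per_user_id(alice_key, document), document),
        "keyed_copies_stored": len(keyed.blobs),
    }


if __name__ == "__main__":
    # Constructed sample inputs, not real files.
    for name, value in compare(b"constructed sample file", b"another file").items():
        print(name, value)
```

With a shared index, the second uploader's result reveals that someone else already stored the same file; with per-user identifiers that signal disappears across accounts, at the cost of storing one copy per user.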