Dropbox 'insecure and misleading' – crypto researcher
Soghoian, PGP founder say no bargepole is long enough
Updated Popular cloud storage service Dropbox is misleading users into thinking it is more secure than it really is, says a security researcher and academic, who has asked for the FTC to investigate.
Dropbox has around 25 million users. It's often used as an escape hatch by owners of Apple's iPhone and iPad: the iOS slabs don't expose the device's local file system or provide the end user with a way of manipulating files.
"Dropbox's customers face an increased risk of data breach and identity theft because their data is not encrypted according to industry best practices," says Christopher Soghoian, who filed the complaint. Soghoian is a researcher at the Center for Applied Cybersecurity Research at Indiana University. He explains that unlike other cloud services – he names SpiderOak and Wuala – Dropbox allows its employees to access unencrypted copies of users' encrypted data.
Soghoian says Dropbox made specific changes in response to a blog post highlighting the practice last month, removing the claim that no employee can access the data.
"Nobody can see your private files in Dropbox unless you deliberately invite them or put them in your Public folder" was modified to be "Other Dropbox users can't see your private files in Dropbox unless you deliberately invite them or put them in your Public folder".
A statement claiming that "Dropbox employees aren't able to access user files, and when troubleshooting an account they only have access to file metadata" was changed to "Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (eg, file names and locations)".
Dropbox also added the disclaimer that:
PGP Inc co-founder Jon Callas says he deleted his DropBox account after the changes, which don't go far enough to clarify the situation, according to Soghoian in his FTC filing.
Dropbox has yet to respond to the FTC submission, which you can read in full here (16-page PDF/482KB). ®
Dropbox has sent us the following the statement: "We believe this complaint is without merit, and raises issues that were addressed in our blog post on April 21, 2011. Millions of people depend on our service every day and we work hard to keep their data safe, secure, and private.”
dont qoute me
" why would you buy a, quote-unquote, computer, that doesn't have a file system or any USB ports?"
FYI When writing as opposed to talking you can use actual "quote" symbols :)
Only file in my dropbox account is a TrueCrypt container.
Encrypt/protect it yourself and it doesn't matter if other (free) services don't protect your data as well as you would like.
When I store things in my Dropbox account, it's usually just to transfer between my home and work computers. It's things like artwork I use for backgrounds, grocery lists, a short story I wrote, wishlists... basically, things I don't care if anyone sees.
I do store some sensitive stuff there, too... but it's encrypted. think of it like email; anyone between the sender and the receiver can read the email, if they wanted. That's what PGP is for, right? Encrypt your email, and no one else will read it. All you need to do is encrypt your data. Oh, sure, someone might be able to crack it, but if it's something that is that important... don't put it in Dropbox.
I understand the concern - Dropbox should make sure that user files are already encrypted - but for goodness sake, people. If you're concerned about security, shouldn't you already be encrypting any files that aren't chained to your wrist?