The Register® — Biting the hand that feeds IT

Feeds

Dropbox 'insecure and misleading' – crypto researcher

Soghoian, PGP founder say no bargepole is long enough

By Andrew Orlowski, 16th May 2011
  • print
  • alert

Regcast training : Hyper-V 3.0, VM high availability and disaster recovery

Updated Popular cloud storage service Dropbox is misleading users into thinking it is more secure than it really is, says a security researcher and academic, who has asked for the FTC to investigate.

Dropbox has around 25 million users. It's often used as an escape hatch by owners of Apple's iPhone and iPad: the iOS slabs don't expose the device's local file system or provide the end user with a way of manipulating files.

"Dropbox's customers face an increased risk of data breach and identity theft because their data is not encrypted according to industry best practices," says Christopher Soghoian, who filed the complaint. Soghoian is a researcher at the Center for Applied Cybersecurity Research at Indiana University. He explains that unlike other cloud services – he names SpiderOak and Wuala – Dropbox allows its employees to access unencrypted copies of users' encrypted data.

Soghoian says Dropbox made specific changes in response to a blog post highlighting the practice last month, removing the claim that no employee can access the data.

"Nobody can see your private files in Dropbox unless you deliberately invite them or put them in your Public folder" was modified to be "Other Dropbox users can't see your private files in Dropbox unless you deliberately invite them or put them in your Public folder".

A statement claiming that "Dropbox employees aren't able to access user files, and when troubleshooting an account they only have access to file metadata" was changed to "Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (eg, file names and locations)".

Dropbox also added the disclaimer that:

"Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy."

PGP Inc co-founder Jon Callas says he deleted his DropBox account after the changes, which don't go far enough to clarify the situation, according to Soghoian in his FTC filing.

Dropbox has yet to respond to the FTC submission, which you can read in full here (16-page PDF/482KB). ®

Update

Dropbox has sent us the following the statement: "We believe this complaint is without merit, and raises issues that were addressed in our blog post on April 21, 2011. Millions of people depend on our service every day and we work hard to keep their data safe, secure, and private.”

Agentless Backup is Not a Myth

COMMENTS

House Rules Send Corrections
All Reader Comments (37)
Highly Rated
mark 63
Reply Icon

dont qoute me

" why would you buy a, quote-unquote, computer, that doesn't have a file system or any USB ports?"

FYI When writing as opposed to talking you can use actual "quote" symbols :)

12
0
Andrew Waite

No Problem

Only file in my dropbox account is a TrueCrypt container.

Encrypt/protect it yourself and it doesn't matter if other (free) services don't protect your data as well as you would like.

11
0
ArmanX
Reply Icon

But why?

When I store things in my Dropbox account, it's usually just to transfer between my home and work computers. It's things like artwork I use for backgrounds, grocery lists, a short story I wrote, wishlists... basically, things I don't care if anyone sees.

I do store some sensitive stuff there, too... but it's encrypted. think of it like email; anyone between the sender and the receiver can read the email, if they wanted. That's what PGP is for, right? Encrypt your email, and no one else will read it. All you need to do is encrypt your data. Oh, sure, someone might be able to crack it, but if it's something that is that important... don't put it in Dropbox.

I understand the concern - Dropbox should make sure that user files are already encrypted - but for goodness sake, people. If you're concerned about security, shouldn't you already be encrypting any files that aren't chained to your wrist?

10
1

More from The Register

breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
96
breaking news
Number of cops abusing Police National Computer access on the rise
Only a telegram from the Queen can get you off it
124
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Flash flaw potentially makes every webcam or laptop a PEEPHOLE
But it's a Google problem - Chrome only, insists Adobe
57
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17
breaking news
'BadNews is malware' says outfit that found it
Google says code harmless but Lookout says code base is evolving
15
Panda-peddlers cuffed for chess gambling gambit
More porridge on the menu for Chinese coders after second offence
13