A complaint filed with the FTC last week charges that the popular cloud-based storage system Dropbox misled its users about the security and privacy afforded by its services. Although security and privacy have been some of Dropbox’s selling points, the complaint alleges that the company deceived users into thinking their files were completely encrypted and that Dropbox employees could not see the contents of the file.
At issue, in part, were Dropbox’s Terms of Service that stated that “all files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password.” Dropbox recently revised these terms to read simply “All files stored on Dropbox servers are encrypted (AES 256).
Who Holds the Encryption Key?
The problems with Dropbox’s security claims first came to light last month when PhD student Christopher Soghoian published information revealing that Dropbox employees could indeed see the contents of users’ files. That’s because, in part, Dropbox makes sure that files uploaded to the storage site are de-duplicated. In other words, when a user stores a file on Dropbox, the system checks to see if that user or others have already uploaded that file. If that’s the case, then Dropbox simply links to the original file.
As Soghoian points out, other storage sites like Spideroak and Tarsnap do encrypt users’ data with a key known only to that person, rather than to one key known just to Dropbox. The trade-off for better privacy and security here is duplicate files – in other words, taking up more storage space. But Dropbox has presented itself as offering customers security and cheap storage, something that the complaint says was actually misleading and confusing to customers.
Soghoian a PhD Candidate at the School of Informatives and Computing at Indiana University filed the complaint with the FTC last week, claiming that Dropbox has misled users and that clarifications made by Dropbox are insufficient. As he noted in his blog post that preceeded the claim, “While the decision to deduplicate data has probably saved the company quite a bit of storage space and bandwidth, it has significant flaws which are particularly troubling given the statements made by the company on its security and privacy page.”
Will Dropbox Customers Care?
For its part, Dropbox spokesperson, Julie Supan says that “We believe this complaint is without merit, and raises issues that were addressed in our blog post on April 21.”
Although the issue still has to play out before the FTC, there’s the chance that it will also have repercussions among Dropbox customers. But as Soghoian noted in his own blog posts, “it would be easy for anyone but a crypto expert to get the false impression that Dropbox does in fact protect the security and privacy of users’ data.” Whether or not Dropbox customers will care that the encryption isn’t quite what was advertised remains to be seen.
