Yesterday Dropbox, the popular file storage Web application that enables users to easily sync a folder from their local computer with the the cloud, made a small change to its terms of service. Dropbox made it clear that it would decrypt and hand-over files if the U.S. government requested it.
The issue is not so much that Dropbox is willing to hand over user data to the feds if requested – as RedMonk co-founder and analyst James Governor points out, the company doesn’t have much choice: “given I understand it runs on Amazon Web Services, which would give up the data if asked anyway.”
The real issue, it seems, is that Dropbox has the ability to snoop on your encrypted files at all.
Other Web-based backup services, such as JungleDisk (owned by Rackspace) and Mozy (owned by EMC and managed by VMware) give customers control over their encryption keys. That means that employees working on these services won’t be able to snoop on customers’ files, or turn it over to any government body.
But as Governor points out, these services don’t do what Dropbox does. I use JungleDisk to backup my local files to the cloud. I use Dropbox to make it easy for me to access a smaller set of files on any device I happen to be using – my laptop, my Android phone or someone else’s computer.
There’s still the option for users to encrypt their files themselves using a tool like Truecrypt before putting them in their Dropbox folders. You can learn how to do this here. But it seems this creates an opportunity for a competitor – like Box or Syncplicity – to offer and advertise simple encryption that the companies can’t access.
For some background reading on why Dropbox has the ability to decrypt users’ files, see this article by Christopher Soghoian.
For an enterprise look at the same issue – storing encrypted files in the cloud – see our article 5 Resources for Migrating to the Cloud Securely.
Small businesses will want to take a look at our article How to Keep Company Data Safe on Employees’ Personal Devices.
Update: Dropbox has issued the following statement in response:
Every Dropbox employee understands that the most important value of the company is maintaining users’ trust. Employees are prohibited by company policy from accessing users’ files and there are technical access controls to prohibit unauthorized access by employees. As with almost every other online company, there are a limited number of employees who may access user data when legally required to do so, and to help troubleshoot users’ accounts with their consent.
Let me know if you have any questions and thanks for considered Dropbox’s side of the story!
I didn’t mean to imply that Dropbox employees were allowed to snoop through your files willy nilly. I never doubted whether Dropbox had explicit policies regarding who could access customers’ files, or that it only a very small number of people had the technical capability to do so. But having anyone able to decrypt your files and hand them over to anyone, legal order or not, is a problem here.