Wednesday, April 20, 2011

Dropbox’s Lack of Security

Miguel de Icaza (via Ben Brooks):

There really are no more details on what procedures Dropbox has in place or how they implement the crypto to prevent unauthorized access to your files. We all had to just take them at their word.

This wishy-washy statement always made me feel uneasy.

But this announcement that they are able to decrypt the files on behalf of the government contradicts their prior public statements. They claim that Dropbox employees aren’t able to access user files.

The way their security works is pretty unsurprising given the sharing and deduplication features, and the fact that you can still access your data after resetting your password. However, this is another instance of Dropbox not communicating well, with the result being that most people think it works better than it actually does. I still think it’s better than the alternatives—and still wouldn’t use it to store sensitive files that aren’t already encrypted.
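To make the reasoning above concrete, here is an added example (not from the original post and not Dropbox's code) modelling a service where each client encrypts with a key derived only from its password. All names, passwords, salts and file contents are constructed, and the cipher is a standard-library toy stand-in for a real authenticated cipher. Under those assumptions the server cannot deduplicate identical files across users, and a password reset leaves existing data unreadable.

```python
import hashlib, hmac, os

def derive_key(password: str, salt: bytes) -> bytes:
    # Client-side key: known only to someone who knows the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy keystream (HMAC-SHA256 in counter mode); stand-in for a real cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _tag(key: bytes, nonce: bytes, body: bytes) -> bytes:
    return hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + _tag(key, nonce, body)

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, nonce, body)):
        raise ValueError("wrong key or corrupted data")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

def stored_blobs(uploads) -> int:
    # Server-side dedup: one stored copy per distinct hash of what the server sees.
    return len({hashlib.sha256(u).digest() for u in uploads})

FILE = b"constructed sample file shared by two users"

def client_side_keys() -> int:
    # Two users upload the same file, each encrypted under their own key.
    alice = derive_key("alice-pw", b"constructed-salt-a")
    bob = derive_key("bob-pw", b"constructed-salt-b")
    return stored_blobs([encrypt(alice, FILE), encrypt(bob, FILE)])

def provider_side_keys() -> int:
    # The server sees the plaintext (it holds the keys), so it can dedup.
    return stored_blobs([FILE, FILE])

def survives_password_reset() -> bool:
    blob = encrypt(derive_key("alice-pw", b"constructed-salt-a"), FILE)
    try:
        return decrypt(derive_key("alice-new-pw", b"constructed-salt-a"), blob) == FILE
    except ValueError:
        return False
```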

Of note, 1Password keychains are only partially encrypted. Your passwords and account numbers are theoretically secure, but anyone viewing the file can see which banks, credit cards, and Web sites you have accounts with, which software products you’ve bought, etc.

Update (2011-04-21): Co-founders Drew Houston and Arash Ferdowsi respond:

Some concerns have been raised about our Help Center article and other statements that discuss employee access to user data. We agree that we could have provided more details and we will be updating these to make them more clear. Like most major online services, we have a small number of employees who must be able to access user data when legally required to do so. But that’s the exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.

In my view, the problem is not so much the policy as that the help page categorically says “Dropbox employees aren’t able to access user files,” and yet they very clearly can—under certain circumstances. It’s not that the help page was unclear but that it was untrue, in the same way that the FAQ used to specifically say that metadata was transferred over SSL—when it wasn’t.

1 Comment

[...] This is the same Christopher Soghoian from the Facebook/Google and boarding pass stories. I discussed the Dropbox security issue here. [...]
