updated 07:00 pm EDT, Fri May 13, 2011
Dropbox accused of using deceptive trade practices
A well-known security researcher has filed a complaint (PDF) against Dropbox with the FTC. The cloud-based file storage service, which recently passed 25 million users, is alleged to be falsely advertising the security of its service. The allegation comes against the backdrop of the Sony PSN data breach, which exposed the personal information of over 77 million users and appears to have been the result of lax security. Since Sony's breach, and amid privacy concerns about Google and Apple, many have questioned how well the masses of personal information stored on servers around the world are actually protected.
Dropbox is now the latest company to have the spotlight turned on its security practices. Ph.D. student Christopher Soghoian, who has worked with the FTC, has accused Dropbox of making "deceptive statements to consumers regarding the extent to which it protects and encrypts their data." Dropbox previously told users that their files were encrypted and unreadable even by its own employees. Soghoian has demonstrated that this is not the case, and that users' files could be exposed to government searches and to unscrupulous Dropbox employees.
On April 13, Dropbox revised its security claim from:
All files stored on Dropbox servers are encrypted (AES256) and are inaccessible without your account password.
to:
All files stored on Dropbox servers are encrypted (AES 256).
The change matters because of the way Dropbox saves storage space. When a user uploads a file, Dropbox computes a short signature (a hash) of the file and checks whether any other user has already uploaded an identical file. If so, Dropbox does not upload the "duplicate" at all; it simply links the existing copy into the user's Dropbox folder. This cross-user deduplication only works because Dropbox itself can read file contents: the keys used to encrypt and decrypt files are held by Dropbox and are not stored on each user's machine.
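The trade-off described above, as an added example that is not Dropbox's code and does not describe its real implementation: a toy model in Python (standard library only) of two storage designs. In the first the provider holds the single encryption key and deduplicates on a hash of the plaintext, so staff can decrypt any user's file; in the second each client derives its own key from its password and encrypts before upload, so the provider holds only ciphertext, but two users uploading the same file no longer produce the same blob and deduplication is lost. The stream cipher, the per-user salt, the sample file and the user names are all constructed for illustration.

```python
"""Toy model: cross-user deduplication versus client-held keys.
Constructed example; not Dropbox's code and not its real design."""
import hashlib
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256(key || nonce || counter) as keystream.
    Illustration only; real code must use a vetted AEAD such as AES-GCM."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


class ServerKeyedStore:
    """Provider holds the one key and deduplicates on the plaintext hash."""

    def __init__(self):
        self.key = os.urandom(32)   # lives on the provider's servers
        self.blobs = {}             # sha256(plaintext) -> (nonce, ciphertext)
        self.folders = {}           # user -> {filename: blob id}
        self.uploads = 0            # blobs actually stored

    def upload(self, user, filename, plaintext):
        blob_id = hashlib.sha256(plaintext).hexdigest()   # the "short signature"
        if blob_id not in self.blobs:                     # first copy anywhere
            nonce = os.urandom(16)
            self.blobs[blob_id] = (nonce, keystream_xor(self.key, nonce, plaintext))
            self.uploads += 1
        self.folders.setdefault(user, {})[filename] = blob_id   # just link it
        return blob_id

    def staff_read(self, user, filename):
        """Anyone holding the server key (staff, or a subpoena) gets plaintext."""
        nonce, ct = self.blobs[self.folders[user][filename]]
        return keystream_xor(self.key, nonce, ct)


class ClientKeyedStore:
    """Clients encrypt before upload; the provider never sees a key."""

    def __init__(self):
        self.blobs = {}             # sha256(nonce || ciphertext) -> (nonce, ciphertext)
        self.folders = {}
        self.uploads = 0

    @staticmethod
    def _key(user, password):
        salt = hashlib.sha256(user.encode()).digest()[:16]   # per-user salt (constructed)
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def upload(self, user, password, filename, plaintext):
        nonce = os.urandom(16)
        ct = keystream_xor(self._key(user, password), nonce, plaintext)
        blob_id = hashlib.sha256(nonce + ct).hexdigest()   # server sees only this
        if blob_id not in self.blobs:
            self.blobs[blob_id] = (nonce, ct)
            self.uploads += 1
        self.folders.setdefault(user, {})[filename] = blob_id
        return blob_id

    def staff_read(self, user, filename):
        """Best the provider can do: hand back the ciphertext."""
        return self.blobs[self.folders[user][filename]][1]

    def owner_read(self, user, password, filename):
        nonce, ct = self.blobs[self.folders[user][filename]]
        return keystream_xor(self._key(user, password), nonce, ct)


SAMPLE = b"quarterly-results.xlsx (constructed sample contents) " * 4


def demo():
    """Two users upload the identical file under each design."""
    s = ServerKeyedStore()
    s.upload("alice", "q.xlsx", SAMPLE)
    s.upload("bob", "report.xlsx", SAMPLE)
    c = ClientKeyedStore()
    c.upload("alice", "hunter2", "q.xlsx", SAMPLE)
    c.upload("bob", "correct horse", "report.xlsx", SAMPLE)
    return {
        "server_keyed_uploads": s.uploads,                         # 1: second copy deduplicated
        "server_keyed_staff_reads_plaintext": s.staff_read("bob", "report.xlsx") == SAMPLE,
        "client_keyed_uploads": c.uploads,                         # 2: no cross-user dedup
        "client_keyed_staff_reads_plaintext": c.staff_read("bob", "report.xlsx") == SAMPLE,
        "client_keyed_owner_reads_plaintext": c.owner_read("bob", "correct horse", "report.xlsx") == SAMPLE,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the model makes is that "inaccessible without your account password" and "we deduplicate identical files across users" cannot both be literally true of a design like the first one: whoever can match your upload against another user's must be able to see (or hash) your plaintext, and whoever holds the key can decrypt it. The second design keeps the provider out, at the cost of storing every copy; the usual middle ground, convergent encryption (deriving the key from the file's own hash), restores deduplication but lets anyone who already has a candidate file confirm whether you stored it.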
Consequently, Dropbox employees can read the contents of every user's Dropbox, and Dropbox could hand those files to the government if subpoenaed. Also on April 13, Dropbox revised its statement about employee access from:
Dropbox employees aren't able to access user files, and when troubleshooting an account, they only have access to file metadata (filenames, file sizes, etc. not the file contents).
to:
Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations).
Soghoian alleges that Dropbox engaged in deceptive trade practices to gain a commercial advantage over competing services that make similar claims but back them with stronger security mechanisms. His complaint asks the FTC to require Dropbox to make appropriate disclosures and to offer refunds to "Pro" users. [via Wired]