Printed from http://www.electronista.com

Dropbox faces possible FTC investigation over security

updated 07:00 pm EDT, Fri May 13, 2011

Dropbox accused of using deceptive trade practices

Dropbox has had a complaint (PDF) filed against it with the FTC by a well-known security researcher. The cloud-based file storage site, which recently clocked up 25 million users, is alleged to be falsely advertising the security of its services. The allegation comes against the backdrop of the Sony PSN data breach fiasco that exposed the personal information of over 77 million users, the result of apparently lax security. Since Sony's woes emerged, along with privacy concerns with Google and Apple, many have questioned the integrity of the masses of personal information stored on data servers around the world.

Dropbox is now the latest company to have the spotlight directed at its security practices. Ph.D. student Christopher Soghoian, who has worked with the FTC, has accused Dropbox of making "deceptive statements to consumers regarding the extent to which it protects and encrypts their data." Previously, Dropbox told users that their files were encrypted and unreadable even by its own employees. Soghoian has demonstrated that this is not the case and that users' information could be vulnerable to government searches and unscrupulous Dropbox employees.

On April 13, Dropbox revised its security claims from:

All files stored on Dropbox servers are encrypted (AES256) and are inaccessible without your account password.

to:

All files stored on Dropbox servers are encrypted (AES 256).

The change is particularly important because of the way Dropbox saves file storage space. When a user attempts to upload a file, Dropbox runs an algorithm that computes a short signature of the file to see whether another user has already uploaded the same file. If so, Dropbox does not upload the "duplicate" but simply "adds" the existing copy to the user's Dropbox folder. Further, the keys used to encrypt and decrypt files remain with Dropbox and are not stored on each user's machine.
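To make the consequence of this design concrete, here is an added example (not Dropbox's code, and not from the complaint) that models the two architectures side by side: a provider that deduplicates on a content signature and holds the only encryption key, and a provider that stores whatever ciphertext users encrypt locally. The class names, the constructed sample file and the toy HMAC-based stream cipher are all assumptions made for illustration; the toy cipher stands in for AES-256 and must not be used as a real cipher.

```python
import hashlib
import hmac
import secrets

# --- Toy stream cipher: illustration only, NOT real AES-256 -------------------
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream from HMAC-SHA256(key, nonce || counter)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)          # fresh nonce per message
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))

def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

# --- Model 1: provider-held key, dedup on a plaintext signature ---------------
class ProviderKeyStorage:
    """Hypothetical model of the design the article describes: one key held
    by the provider, files deduplicated by a signature of their content."""
    def __init__(self):
        self.master_key = secrets.token_bytes(32)   # never leaves the provider
        self.blobs = {}        # signature -> ciphertext, stored once
        self.folders = {}      # user -> {filename: signature}
        self.uploads = 0       # how many blobs actually hit storage

    def upload(self, user: str, filename: str, plaintext: bytes) -> str:
        sig = hashlib.sha256(plaintext).hexdigest()  # signature of the *plaintext*
        if sig not in self.blobs:
            self.blobs[sig] = toy_encrypt(self.master_key, plaintext)
            self.uploads += 1
        # Duplicate: nothing uploaded, the existing copy is "added" to the folder.
        self.folders.setdefault(user, {})[filename] = sig
        return sig

    def employee_read(self, user: str, filename: str) -> bytes:
        """Anyone holding the master key (an insider, or the provider answering a
        subpoena) recovers the plaintext without the user's password."""
        return toy_decrypt(self.master_key, self.blobs[self.folders[user][filename]])

# --- Model 2: client-side encryption, provider sees only ciphertext ----------
class ClientEncryptedStorage:
    """Hypothetical model of what the commenters recommend: each user encrypts
    locally with a key the provider never receives."""
    def __init__(self):
        self.blobs, self.folders, self.uploads = {}, {}, 0

    def upload(self, user: str, filename: str, ciphertext: bytes) -> str:
        sig = hashlib.sha256(ciphertext).hexdigest()  # can only hash what it sees
        if sig not in self.blobs:
            self.blobs[sig] = ciphertext
            self.uploads += 1
        self.folders.setdefault(user, {})[filename] = sig
        return sig

    def employee_read(self, user: str, filename: str) -> bytes:
        return self.blobs[self.folders[user][filename]]   # ciphertext only

def demo(plaintext: bytes = b"constructed sample: quarterly payroll spreadsheet") -> dict:
    """Upload the same constructed file as two users under each model."""
    pks = ProviderKeyStorage()
    pks.upload("alice", "payroll.xlsx", plaintext)
    pks.upload("bob", "copy.xlsx", plaintext)

    ces = ClientEncryptedStorage()
    k_alice, k_bob = secrets.token_bytes(32), secrets.token_bytes(32)
    ces.upload("alice", "payroll.xlsx", toy_encrypt(k_alice, plaintext))
    ces.upload("bob", "copy.xlsx", toy_encrypt(k_bob, plaintext))

    return {
        "provider_dedup": pks.uploads == 1,                               # True
        "provider_can_read": pks.employee_read("bob", "copy.xlsx") == plaintext,  # True
        "client_dedup": ces.uploads == 1,                                 # False
        "client_can_read": ces.employee_read("bob", "copy.xlsx") == plaintext,    # False
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two boolean pairs are the whole story: cross-user deduplication works only because the provider can compute a signature over the plaintext and can decrypt every stored blob, which is exactly what the revised "inaccessible without your account password" wording no longer promises. Once users encrypt locally with their own keys, identical files become different ciphertexts, the space saving disappears, and an employee or a subpoena served on the provider yields only ciphertext.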

Consequently, Dropbox employees can see the content contained in every user's Dropbox and could potentially grant government access to those files if subpoenaed. Also on April 13, Dropbox revised this original statement from:

Dropbox employees aren't able to access user files, and when troubleshooting an account, they only have access to file metadata (filenames, file sizes, etc. not the file contents).

to:

Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations).

Soghoian alleges Dropbox has engaged in deceptive trade practices in order to gain a commercial advantage over similar sites that make comparable claims but have stronger security mechanisms. His complaint asks the FTC to force Dropbox to make appropriate disclosures and to offer a refund to "Pro" users. [via Wired]



By Electronista Staff
Comments

  1. hayesk

    Professional Poster

    Joined: Sep 1999

    +6

    Be careful

    Even with popular cloud services, you have to be careful with sensitive data.

  2. TRRosen

    Fresh-Faced Recruit

    Joined: May 2002

    +1

    Good service bad security

    Remember, if you ever lose a device with Dropbox on it, whoever has it has permanent access to your files.

    Change the password, you say? That doesn't work: if you change your password, it is automatically updated on all the devices currently set up. This is just STUPID!

  3. growlf

    Fresh-Faced Recruit

    Joined: Jun 2007

    +5

    Re: Good service bad security

    1. Dropbox files are local, so if you lose a device, you're obviously going to have to deal with someone having access to them unless your device is password protected and encrypted.
    2. To stop a machine from syncing, you go to Account, Manage, My Computers, and unlink the computer. THEN you can change the password.

    That hardly seems stupid to me. Seems a bit more like "didn't read the instructions."

    I've kept all of my sensitive files in an encrypted disk image on Dropbox. That works for me.

  4. Freddy1

    Fresh-Faced Recruit

    Joined: May 2011

    +2

    So What?

    It is foolish to upload anything sensitive to "the cloud" without first encrypting it yourself. Relying on others' assurances of keeping your data private is just silly. It's like handing your super-secret diary to someone you don't know after they assure you they won't share your private thoughts.

    If we're old enough to post here, and old enough to understand how to implement Dropbox in the first place, we should be smart enough to not trust every stranger who says they won't spy on us or says they have free candy in their van with darkened windows.

    Dropbox does a wonderful job of storing one's data if one understands these simple, everyday commonsense limitations. Real life is a wonderful analog for the digital domain when contemplating what information one should trust with strangers.

    Simply create encrypted sparse disk images on your desktop and drop your sensitive information in them. Place these in Dropbox.
