Dropbox: A Privacy Black Box

December 12, 2009 · 34 comments

A colleague apparently suggested that the nice people at Dropbox should email me with an invitation to use their services. The concept appears simple enough—remote storage that makes users’ files available on any laptop, desktop, or phone.

I was intrigued by it because it’s a discrete example of a “cloud” computing service. How do they handle some of the key privacy challenges? A cloud over remote computing and storage is the likelihood that governments will use it to discover private information with dubious legal justification, or without any at all. (Businesses likewise can rightly worry that competitors working with governments might access trade secrets.)

Well, it turns out they don’t handle these challenges. Dropbox is a privacy black box.

I homed right in on their “Policies” page, looking for assurance that they would protect the legal rights of users to control information placed in the care of their service. There’s precious little to be found.

There’s no promise that they would limit information they share with authorities to what is required by valid legal process. There’s no promise that they would notify users of a warrant or subpoena. They do reserve the right to monitor access and use of their site “to comply with applicable law or the order or requirement of a court, administrative agency or other governmental body.”

Is there protection in the fact that files are stored encrypted on their service? The site—though not the terms of service—says “All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password.” Not if Dropbox is willing to monitor the use of the site on behalf of law enforcement. They can simply gather your password and hand it over.

National Security Letter authority and the impoverished “third party doctrine” in Fourth Amendment law put cloud-user privacy on pretty weak footing. Dropbox’s policies do nothing to shore that up. It’s not alone, of course. It’s just a nice discrete example of how “the cloud” exposes your data to risks that local storage doesn’t.

There are a few other problems with it. They don’t promise to notify users directly of changes to the privacy policy. (“[W]e will notify you of any material changes by posting the new Privacy Policy on the Site…”) And they reserve the right to change their terms of service any time—without giving you the right to access and remove your files. When they decide to make their free service a paid service, they could hold your files hostage unless you sign up for x years. Data liberation is an important term of services like this.

Golly, even as I’ve been writing this, friends have tweeted that they like Dropbox. It sounds like a fine service for what it is. I just wouldn’t put anything on there that you wanted to keep private or that you really wanted to be sure you could access.

  • http://techliberation.com/author/berinszoka/ Berin Szoka

    Zounds! It's time to reform Fourth Amendment Privacy Doctrine. Jim, if only you had written a law review article on that subject!

    Oh, wait, you already did!

  • chris

    your comments on data liberation and risk of data being held hostage are moot. all data remains on your local device and is simply synced to the dropbox service. basically it is a poor man's cvs/svn/git

  • Guest

    Local encryption and backup prior to storing data in the cloud is one way of addressing these concerns. (Use a public key/private key architecture if you need to share encrypted data.) Unfortunately this introduces logistical problems…c'est la vie.

  • cryptozoologist

    surely you don't think that any website's 'policy' regarding privacy, which likely can be changed at any time offers you any real protection? so that when you suspect that website has violated your privacy you can take them to court? you did save a copy of the policy from the day you signed up right? dropbox is a useful service that i enjoy and use, but i do not expect any level of actual privacy. what i get is convenience and i am sure to not include my plans for world domination there (unless i encrypt them first!)

  • Jamie

    Anyone looking for a Dropbox referral link (gives you & me free extra storage space), feel free to use mine here: https://www.dropbox.com/referrals/NTE4NjM0NDY5

    Thanks!

  • webcoyote

    Check out DropBox competitor SpiderOak (http://www.spideroak.com) which encrypts files on the client-side before upload (and doesn't retain the password) so that the company has no access to your personal data.

  • Axel

    I am a SpiderOak user myself and love it, moved from Dropbox due to their 'sync folder' where you have to sync everything from one place. SpiderOak allows you to sync any number of folders, and keep the current folder structure.

  • http://www.ifamarketing.com/ willamtarker

    This sounds interesting as I have never used this kind of black box before, so please send me the invite so that I can get the benefit of the service.

  • http://softwarecritics.info software_critics

    I have tried using Dropbox in two separate instances but it was a complete failure. It doesn't even sync files uploaded on multiple PCs contrary to what it brags as capable of doing.

  • http://zdwiel.myopenid.com/ Zach Dwiel

    I've been using Wuala for a little while now and like it so far. The client encrypts data with strong keys before it is sent to the cloud. Data is stored in a P2P network as well as on Wuala servers so nothing ever gets lost, but Wuala doesn't have to pay for all of the bandwidth. You get cloud storage equal to the amount of disk space you donate * the % of time you are connected. It's the only cloud storage solution I've found which has a free solution that allows more than 1 or 2 GB.

  • http://www.advancedraidrecovery.co.uk Raid Recovery

    I agree with you. And also love to use dropbox.
