Dropbox Security System Doesn't Lock Down Files, Says FTC Complaint
Dropbox may have some serious explaining to do if the FTC decides to undertake an investigation into its security practices requested by prominent blogger Christopher Soghoian. Among other things, the company lied to its customers about its privacy and security practices, he alleges, claiming that its encryption methods prevented employees from being able to access their stored files.
05/17/11 11:03 AM PT
The cloud-based storage system Dropbox is the most recent online provider to be criticized for misleading customers in terms of of privacy and security, according to an FTC complaint filed last week.
The complaint, brought by popular security blogger and Ph.D. student Christopher Soghoian, claims that Dropbox deceived customers by making them believe that its employees did not have access to their data.
In Terms of Service posted on its website, Dropbox previously stated that "all files stored on Dropbox servers are encrypted (AES256) and are inaccessible without your account password."
Additionally, the company said that "Dropbox employees aren't able to access user files."
However, AES256 encryption doesn't mean that files are secure, Soghoian points out.
Dropbox designed its backup system to deduplicate in order to cut pricey bandwidth costs, he suggests. What that means, basically, is that if two or more users were to upload the same file, Dropbox would save just one copy. That strategy saves on space used by the company, but it also calls into question Dropbox's privacy claims. In order to deduplicate, it must have encryption access keys to user downloads, contrary to what it was maintaining in its security statement.
Soghoian first identified that inconsistency in a blog post last month, which apparently prompted Dropbox to reword the language in its Terms of Service. Instead of maintaining that files are "inaccessible without your account password," the ToS simply mention the encryption key the company uses.
DropBox addressed the concerns raised in Soghoian's blog post in a lengthy blog post of its own. In its defense, Dropbox claims its terms of service are "very similar" to those of Google, Apple, Skype and Twitter.
There are "a small number of employees who must be able to access user data when legally required to do so," Dropbox acknowledged in the post -- for example, when answering a subpoena.
"We believe this [FTC] complaint is without merit," DropBox spokesperson Julie Supan told the E-Commerce Times. "Millions of people depend on our service every day, and we work hard to keep their data safe, secure, and private." She declined further comment, pointing to the company's blog post.
It's unknown yet what kind of impact this could have on DropBox's business. At least one well-known security professional, John Callas, has deleted his Dropbox account. The former chief technology officer of PGP Corporation cited security concerns and company lies as reasons for getting rid of his account in a tweet last month.
Not all experts believe this is a sign of the times. Two Dropbox competitors, Spideroak and Tarsnap, use encryption keys known only to the user, Soghoian pointed out. It costs them more storage space, but privacy is guaranteed.
Consumers Will Rise Up
This is yet another wake-up call to consumers, said Avivah Litan, vice president and distinguished analyst at Gartner Research.
Consumers won't stand for a lack of privacy to become a byproduct of the increasingly de-privatized digital world, she maintained.
"I think they are slowly getting a rude awakening to just how insecure and privacy-invasive online services and social networks can be," Litan told the E-Commerce Times. "Over time, consumers will demand compliance with stronger security and privacy standards by their service providers."
This is a problem that extends beyond one data storage company, she noted. "This is not unique to just DropBox."