Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Dropbox accused of deception by security researcher

Sends letter to FTC demanding action

Article comments

Cloud data synchronisation company Dropbox has been hit by a complaint to the Federal Trade Commission (FTC) alleging that the company has deceived consumers about the level of encryption security it offers.

In a letter sent to the FTC, University of Indiana PhD and security researcher Christopher Soghoian has claimed that while Dropbox encrypted every file it stored this could be reversed by employees, undermining the company’s security credibility.

Not only did this design fall short of “industry best practices”, said Soghoian, it also represented a serious security risk that the company was not being upfront about.

“Dropbox has and continues to make deceptive statements to consumers regarding the extent to which it protects and encrypts their data,” reads Soghoian’s letter. “Dropbox’s customers face and increased risk of data breach and identity theft because their data is not encrypted.”

In Sioghan’s view, Dropbox has deceived its users, infringing Section 5 of the Federal Trade Commission Act.

Trouble started for Dropbox over the encryption issue some weeks ago with a series of claims made by Soghoian and others about the way the company was handling data. Possibly in response, on April 21 Dropbox clarified its terms service to make explicit that it would allow police access to the contents of files posted to its service if requested to do so.

“If we provide your Dropbox files to a law enforcement agency as set forth above, we will remove Dropbox’s encryption from the files before providing them to law enforcement,” read the new terms.

“Just so you know, we don’t get very many of those requests - about one a month over the past year for our more than 25 million users. That’s fewer than one in a million accounts,” a subsequent blog later explained the change.

For users such as Soghoian, this renders the use of encryption moot. If the file is secure while it is encrypted, but that encryption can be removed at any time, in what sense is the file secure at all?

The core of the Dropbox controversy is that because it encrypts users’ files it necessarily stores the keys used to provide that security. In storing those keys, it has the capability to decrypt files. One solution - recommended by Dropbox - is for users to encrypt files before uploading them but this comes at a price. Users can synchronise files between desktop PCs and smartphones, for instance, but longer open them without loading a dedicated utility which might or might not be available on that device.

The Dropbox response to this is that the service is not intended as a fully-secure file repository, merely as a service that is more secure than conventional ways of carrying around data such as on unencrypted USB sticks.

“We’ve focused on helping users avoid the most common threats: not having current backups, not having any backups at all, accidentally deleting or overwriting files, losing USB drives with sensitive information, leaving files on the wrong computer, etc,” said Dropbox in a blog.

Dropbox responded to Soghoian’s FTC letter.  "We believe this complaint [Soghoian’s] is without merit, and raises issues that were addressed in our blog post on April 21, 2011.  Millions of people depend on our service every day and we work hard to keep their data safe, secure, and private,” said Julie Supan in a prepared statement.

Founded in 2007 by MIT students Drew Houston and Arash Ferdowsi, the inspiration for Dropbox was that its founders were “tired of emailing files to themselves to work from more than one computer.” Now with 25 million users worldwide, the company’s free service allows users to store up to 2GB of documents, images and videos centrally, automatically synchronizing these to every device on which the user loads the company’s client software.



Share:

More from Techworld

More relevant IT news

Comments

Robert Campbell said: how does this issue compare with the other market alternatives such as livedrive



Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *