Dropbox: Nothing Shocking About Handing Your Data Over to the Feds

Dropbox, an online file hosting service, recently ignited controversy over a policy change that undermined one of its own security promises. Dropbox defended the change, saying that there is nothing shocking about handing over your data to law enforcement.

The security of one’s data can be very important to some. Services can take advantage of the need for secure files and offer services that fit that need. So what happens when a service that prided itself on security changes a policy in a way that contradicts one of its own security claims? For that, we turn to what happened to Dropbox.

Earlier this week, a blogger made note of some particularly interesting claims from Dropbox. Those claims included the following:

* All transmission of file data occurs over an encrypted channel (SSL).
* All files stored on Dropbox servers are encrypted (AES-256)
* Dropbox employees aren’t able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc., not the file contents)

Indeed, these claims are quite bold. So it came as quite a surprise to some when Dropbox implemented changes to its policies that suggest the claims don’t quite live up to some people’s expectations. That report came from Business Insider, which noted the following in the policy changes:

As set forth in our privacy policy, and in compliance with United States law, Dropbox cooperates with United States law enforcement when it receives valid legal process, which may require Dropbox to provide the contents of your private Dropbox. In these cases, Dropbox will remove Dropbox’s encryption from the files before providing them to law enforcement.

That passage sparked uproar because it appears that the claim that employees can’t see the contents of the files was not exactly true. Either Dropbox can see the contents of the files and hand them over to law enforcement or they can’t see the contents of the file. There’s no middle ground over whether a file is encrypted or not in this case.

Later on, PCMag posted comments from Dropbox on the matter saying that if law enforcement asks for the contents of the file, they would be forced to comply and hand the data over to them. Apparently, Dropbox thinks that there’s nothing particularly shocking about this. From the report:

The update clarified the circumstances under which Dropbox would hand over user data to law enforcement officials. The company said its old terms of service were “too broad, and gave Dropbox rights that we didn’t even want.”

Dropbox has posted on its blog about the controversy. The post includes the following:

The previous section should clarify our commitment to user privacy. That said, there have been a lot of questions raised about government data requests.

Just so you know, we don’t get very many of those requests - about one a month over the past year for our more than 25 million users. That’s fewer than one in a million accounts.

That said, like all U.S. companies, we must follow U.S. law. That means that the government sometimes requests us (as it does similar companies like Apple, Google, Skype, and Twitter) to turn over user information in response to requests for which the law requires that we comply.

When we get a government request, we don’t just hand over your information or files. Our legal team vets all of these requests before we take any action. The small number of requests we have received have all been targeted to specific individuals under criminal investigation. If we were to receive a government request that was too broad or didn’t comply with the law, we would stand up for our users and fight for their privacy rights.

We know that millions of people rely on Dropbox to take care of their most important information. Keeping it safe and private is our top priority.

Some concerns have been raised about our Help Center article and other statements that discuss employee access to user data. We agree that we could have provided more details and we will be updating these to make them more clear. Like most major online services, we have a small number of employees who must be able to access user data when legally required to do so. But that’s the exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.

The company is forced to abide by US laws because it’s a US-based company, fine, nothing the company can do about it. I think comments on law enforcement are beside the point. The fact is, this company said that they aren’t able to view the contents of the files and now they are saying they can. I think that’s technically considered false advertising. If the company can’t really make the claim that employees aren’t able to view the contents of data users uploaded, then it shouldn’t have said that in the first place.

Chances are, this controversy will continue to haunt Dropbox for the next little while. Whether or not this will permanently hurt Dropbox remains to be seen.

Drew Wilson
Drew Wilson is perhaps one of the more well-known file-sharing and technology news writers around. A journalist in the field since 2005, his work has had semi-regular appearances on social news websites and even occasional appearances on major news outlets as well. Drew founded freezenet.ca and still contributes to ZeroPaid.
James Sels

The two main OWNERS of dropbox have always said they have the main decryption keys which would allow them to access the contents of people's documents. However, the EMPLOYEES (such as the developers, testers, customer support, etc.) don't have access to the key(s) so they can only access the metadata.

Werner

Or it could be as hush.com does/did. They store the files encrypted, but when law enforcement wants somebody's data, hush.com records your password when you type it in, and uses it to decrypt the requested data.

Anonymous

Or, as in the case of AES256, released by NSA, they have a back-door and it doesn't fucking matter anyway. There is no law that states a service provider must be able to decrypt. I cannot see the reason why Dropbox have cypher keys in their control. Open source, anonymous and subversive is the way to go.

Mountain_rage

Anyone who relies on a third party to encrypt the data of their sensitive files is an idiot. There are numerous programs that will encrypt your data for free. Before sending data to these locked, just encrypt them, then only you will be able to access the files. That is granted the government hasn't key logged your computer.


