Dropbox: Nothing Shocking About Handing Your Data Over to the Feds

Dropbox, an online file hosting service, recently ignited controversy over a policy change that undermined one of its own security promises. Dropbox defended the change, saying that there is nothing shocking about handing over your data to law enforcement.

Note: This is an article I wrote that was published elsewhere first. It has been republished here for archival purposes.

The security of one's data can be very important to some. Services can take advantage of the need for secure files and offer products that fit that need. So what happens when a service that prided itself on security changes a policy in a way that contradicts one of its own security claims? For that, we turn to what happened to Dropbox.

Earlier this week, a blogger made note of some particularly interesting claims from Dropbox. Those claims included the following:

* All transmission of file data occurs over an encrypted channel (SSL).
* All files stored on Dropbox servers are encrypted (AES-256)
* Dropbox employees aren’t able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc., not the file contents)

Indeed, these claims are quite bold. So it came as quite a surprise to some when Dropbox implemented changes to its policies that suggest the claims aren't quite up to some people's expectations. That report came from Business Insider, which noted the following in the policy changes:

As set forth in our privacy policy, and in compliance with United States law, Dropbox cooperates with United States law enforcement when it receives valid legal process, which may require Dropbox to provide the contents of your private Dropbox. In these cases, Dropbox will remove Dropbox’s encryption from the files before providing them to law enforcement.

That passage sparked an uproar because it appears that the claim that employees can't see the contents of the files was not exactly true. Either Dropbox can see the contents of the files and hand them over to law enforcement, or it can't see the contents of the files. There's no middle ground over whether a file is encrypted or not in this case.

Later on, PCMag posted comments from Dropbox on the matter saying that if law enforcement asks for the contents of the file, they would be forced to comply and hand the data over to them. Apparently, Dropbox thinks that there’s nothing particularly shocking about this. From the report:

The update clarified the circumstances under which Dropbox would hand over user data to law enforcement officials. The company said its old terms of service were “too broad, and gave Dropbox rights that we didn’t even want.”

Dropbox has posted on its blog about the controversy. The post includes the following:

The previous section should clarify our commitment to user privacy. That said, there have been a lot of questions raised about government data requests.

Just so you know, we don’t get very many of those requests — about one a month over the past year for our more than 25 million users. That’s fewer than one in a million accounts.

That said, like all U.S. companies, we must follow U.S. law. That means that the government sometimes requests us (as it does similar companies like Apple, Google, Skype, and Twitter) to turn over user information in response to requests for which the law requires that we comply.

When we get a government request, we don’t just hand over your information or files. Our legal team vets all of these requests before we take any action. The small number of requests we have received have all been targeted to specific individuals under criminal investigation. If we were to receive a government request that was too broad or didn’t comply with the law, we would stand up for our users and fight for their privacy rights.

4.) We have strict access controls that prohibit employee access to user data

We know that millions of people rely on Dropbox to take care of their most important information. Keeping it safe and private is our top priority. Some concerns have been raised about our Help Center article and other statements that discuss employee access to user data. We agree that we could have provided more details and we will be updating these to make them more clear. Like most major online services, we have a small number of employees who must be able to access user data when legally required to do so. But that’s the exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.

The company is forced to abide by US laws because it's a US-based company, fine, nothing the company can do about it. I think comments on law enforcement are beside the point. The fact is, this company said that they aren't able to view the contents of the files and now they are saying they can. I think that's technically considered false advertising. If the company can't really make the claim that employees aren't able to view the contents of data users uploaded, then it shouldn't have said that in the first place.

Chances are, this controversy will continue to haunt Dropbox for the next little while. Whether or not this will permanently hurt Dropbox remains to be seen.

Drew Wilson on Twitter: @icecube85 and Google+.
