Dropbox Employees COULD Access Your Data, Despite Site Wording

| April 20, 2011 | Reply

If you haven’t heard Dropbox recently updated their security Terms of Service to say that if the government asks, they will have to decrypt user’s files and turn them over. The updated section reads:

As set forth in our privacy policy, and in compliance with United States law, Dropbox cooperates with United States law enforcement when it receives valid legal process, which may require Dropbox to provide the contents of your private Dropbox. In these cases, Dropbox will remove Dropbox’s encryption from the files before providing them to law enforcement.

This is standard practice for online storage companies, so it shouldn’t come as a surprise. As long as you’re not doing anything wrong, you should be all good.

BUT, as was reported over at bnet.com, this recent change goes directly against something that they state on their site:

Dropbox employees aren’t able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc., not the file contents)”

Um, if employees aren’t ABLE to access the files that you have entrusted to their AES-256 encrypted storage then how are they able to unencrypt files to give to the government?! Something doesn’t jive here… Well, if you dig a little deeper you will find the following passage in their security overview:

Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (file names and locations). Dropbox employees may access, but not view the contents of, files in your Dropbox account when assisting Dropbox in complying with a legal obligation, such as responding to a search warrant.

Obviously the phrases “aren’t able to” and “are prohibited” are two entirely different animals. So basically employees actually COULD access your data but strict company policy prohibits them from doing so, unless the government tells them to. Again, it’s not really a huge deal unless you are doing something unlawful, but it’s still a case of Dropbox not being very forthcoming to its users.

After being contacted by bnet regarding the issue, Dropbox responded to them with the following:

In our help article we state that Dropbox employees aren’t able to access user files. This is not an intentionally misleading statement — it is enforced by technical access controls on our backend storage infrastructure as well as strict policy prohibitions. The contents of a file will never be accessed by a Dropbox employee without the user’s permission. We can see, however, why people may have misinterpreted “Dropbox employees aren’t able to access user files” as a statement about how Dropbox uses encryption, so we will change this article to use the clearer “Dropbox employees are prohibited from accessing user files”.

It’s good that they are going to change the wording so that it’s not misleading, but their idea that “The contents of a file will never be accessed by a Dropbox employee without the user’s permission.” is a little naive. While they can enforce their policies to the best of their ability it doesn’t really ensure that it will “never” happen, just ask Facebook


Source: bnet

Thanks for the tip, @dmidgley1 !!

Tags: , , , , , , , , , , , , , , , , , , ,

Category: Tech News

About the Author ()

Co-owner and PR guy for GizmoNinja.com. I’m happily married and a father to a wonderful (most of the time) son. I work in the E9-1-1 software/data industry by day and am a tech loving geek in my spare time. I’m interested in all things tech, but am big into Android especially. I dabble in a little of everything – Android development, PC development, web development, etc – but am a master of none (not even close)… But I have fun doing it anyway! =P