"At Dropbox, Even We Can't See Your Dat-- Er, Nevermind" [Update]

Last Updated Apr 26, 2011 7:40 PM EDT

Dropbox, the online backup and file sharing service, claims to have hit 25 million users in a single year. Big news for any start-up. A change in its terms and conditions received a lot less attention because it seemed only to add a term that is common for online services.

However, as sharp-eyed blogger Miguel de Icaza noticed, the change gives the lie to a major Dropbox claim about user security: that not even company employees can gain access to the data in users' accounts. That could put a damper on how much consumers and businesses have begun to trust the service.

And there's a lot of that trust happening right now. Dropbox says that its users "save more than 200 million files every day." There are reasons the company has done well:
  • Dropbox's service is well designed, simple to install, and works across multiple platforms.
  • It integrates with your device's storage, becoming a folder into which you can drop files.
  • It's free for 2 gigabytes of storage. Users can get from 50 GB to 100 GB through paid accounts.
As with any backup system, security is important. Dropbox says that it uses "modern encryption methods" so that data is available only to users and that online access requires a user name and password. "Dropbox employees aren't able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc., not the file contents)," the site says.

What touched off the revelation is that Dropbox changed its terms of service to incorporate something that is standard in online storage: the company will comply with a valid legal order to turn over user data:
As set forth in our privacy policy, and in compliance with United States law, Dropbox cooperates with United States law enforcement when it receives valid legal process, which may require Dropbox to provide the contents of your private Dropbox. In these cases, Dropbox will remove Dropbox's encryption from the files before providing them to law enforcement.
Just one problem, as de Icaza points out. Dropbox gives the impression that it offers rigorous security control. The company goes so far as to say the following:
  • Shared folders are viewable only by people you invite
  • All transmission of file data occurs over an encrypted channel (SSL).
  • All files stored on Dropbox servers are encrypted (AES-256)
  • Dropbox website and client software have been hardened against attacks from hackers
  • Online access to your files requires your username and password
  • Public files are only viewable by people who have a link to the file(s). Public folders are not browsable or searchable
  • Dropbox employees aren't able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc., not the file contents)
Employees aren't able to access user files. Then how can they decrypt files to hand to the government, if that becomes necessary? A look at Dropbox's security overview gives a clue:
Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (file names and locations). Dropbox employees may access, but not view the contents of, files in your Dropbox account when assisting Dropbox in complying with a legal obligation, such as responding to a search warrant.
Employees "are prohibited" from looking at file contents. That means forbidden by company policy, not physically prevented from access, which is what "aren't able to access user files" implies. (Dropbox's PR agency did not respond to a request for an interview in time for this post.)
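The distinction between "prohibited" and "not able" comes down to who holds the decryption key. The following Go program is an added illustration, not code from the article or from Dropbox: files are sealed with AES-256-GCM, and a stand-in ProduceOnOrder shows what a provider can hand over on a valid legal order when it holds the at-rest key itself versus when the client encrypted before upload with a key the provider never sees. The function names, the key-custody scenario and the sample file contents are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// gcm builds an AES-256-GCM instance from a 32-byte key (the article cites AES-256 at rest).
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key; a fresh random nonce is prepended to the ciphertext.
func Seal(key, plaintext []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; the GCM tag check rejects any key other than the sealing key.
func Open(key, blob []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil || len(blob) < g.NonceSize() {
		return nil, errors.New("bad key or truncated ciphertext")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}
// ProduceOnOrder models what the provider can hand over on a valid legal order (hypothetical).
// serviceKeys are the keys the provider itself holds: its at-rest master key, or none at all.
func ProduceOnOrder(blob []byte, serviceKeys ...[]byte) ([]byte, error) {
	for _, k := range serviceKeys {
		if pt, err := Open(k, blob); err == nil {
			return pt, nil // provider-held key: it can "remove the encryption" and comply
		}
	}
	return nil, errors.New("ciphertext only: no key held by the provider opens it")
}
```

If the provider sealed the file under its own master key, ProduceOnOrder returns plaintext, which is the situation the terms of service describe; if the user sealed it first with a key kept on the client, the provider can produce nothing but ciphertext, which is what "aren't able to access" would actually require.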

When employees can still get in, a company can have situations like the two Google faced, when engineers gained access to private data without authority or permission. How often do such things happen when employees don't get caught? Dropbox should be more forthcoming with users -- and make sure that its marketing department actually knows what the service can and cannot do.

[Update: We heard back from Dropbox. Here's a statement attributed to CTO Arash Ferdowsi:
In our help article we state that Dropbox employees aren't able to access user files. This is not an intentionally misleading statement -- it is enforced by technical access controls on our backend storage infrastructure as well as strict policy prohibitions. The contents of a file will never be accessed by a Dropbox employee without the user's permission. We can see, however, why people may have misinterpreted "Dropbox employees aren't able to access user files" as a statement about how Dropbox uses encryption, so we will change this article to use the clearer "Dropbox employees are prohibited from accessing user files".
Good that Dropbox will clarify its statement. However, let's be realistic -- contents of a file will never be accessed by an employee without user permission? That also contradicts the clearly reasonable issue of court orders. And how can the company assume that what it doesn't want to have happen could never occur? What makes it that much more capable of control than Google, or even Facebook? All the company can honestly do is say that employees aren't allowed to access user files. If a policy and systemic prohibitions were enough to keep people from doing what they are not supposed to, no company would see theft by employees.]

    Erik Sherman is a widely published writer and editor who also does select ghosting and corporate work. The views expressed in this column belong to Sherman and do not represent the views of CBS Interactive. Follow him on Twitter at @ErikSherman or on Facebook.