Privacy advocate asserts Dropbox deceived users about security
By Geri L. Dreiling, Esq.
Dropbox has quickly become one of the most popular cloud-based storage services among lawyers. But recent accusations leveled by one prominent security researcher may have some attorneys reconsidering the choice.
The central issue is whether Dropbox employees have access to the contents of a user’s file. In our March 30 post, Dropbox Review for Lawyers, Lawyer Tech Review wrote:
Dropbox asserts that it offers military-grade encryption methods for both transferring files and storing them. Access to files requires a username and password, and Dropbox employees do not have access to users’ files.
But in a complaint filed May 11 with the Federal Trade Commission, privacy advocate Christopher Soghoian alleges Dropbox has engaged in deceptive practices that have even duped sophisticated users. The complaint states:
2. Dropbox does not employ industry best practices regarding the use of encryption technology. Specifically, Dropbox’s employees have the ability to access its customers’ unencrypted files.
3. Dropbox has and continues to make deceptive statements to consumers regarding the extent to which it protects and encrypts their data.
In an article, Wired.com writer Ryan Singel explains that Dropbox saves space by analyzing documents before they are stored to determine whether they have already been stored by another user. If an item already exists, the copy already in Dropbox is added to the user’s file instead of being uploaded again.
The complaint also claims that the keys to encrypt and decrypt files are not stored on each user’s machine but are in the hands of Dropbox.
Those architecture choices mean that Dropbox employees can see the contents of a user’s storage, and can turn over the nonencrypted files to the government or outside organizations when presented with a subpoena.
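To make the two architecture choices concrete, here is a small model added for this article; it is not Dropbox's code or any vendor's. The class names, the toy cipher and the sample memo are all assumptions made for illustration. It contrasts a service that deduplicates across users and holds the key with one where each user encrypts before upload.

```python
import hashlib
import os

def toy_xor(key, nonce, data):
    """Toy SHA-256 counter-mode keystream, for illustration only (not a real cipher)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

class ProviderKeyStore:
    """Hypothetical model A: service deduplicates on the plaintext hash and holds the key."""
    def __init__(self):
        self.key = os.urandom(32)   # one key, held by the service
        self.blobs = {}             # sha256(plaintext) -> (nonce, ciphertext)
        self.owners = {}            # sha256(plaintext) -> set of user names

    def upload(self, user, plaintext):
        digest = hashlib.sha256(plaintext).hexdigest()
        hit = digest in self.blobs
        if not hit:
            nonce = os.urandom(16)
            self.blobs[digest] = (nonce, toy_xor(self.key, nonce, plaintext))
        self.owners.setdefault(digest, set()).add(user)
        return hit                  # True: already stored, nothing re-uploaded

    def operator_read(self, digest):
        nonce, ct = self.blobs[digest]
        return toy_xor(self.key, nonce, ct)   # staff with the key recover plaintext

class ClientKeyStore:
    """Hypothetical model B: each user encrypts locally with a key the service never sees."""
    def __init__(self):
        self.blobs = {}             # sha256(ciphertext) -> ciphertext

    def upload(self, user_key, plaintext):
        nonce = os.urandom(16)
        ct = nonce + toy_xor(user_key, nonce, plaintext)
        digest = hashlib.sha256(ct).hexdigest()
        hit = digest in self.blobs
        self.blobs[digest] = ct
        return hit                  # identical files from two users never match

if __name__ == "__main__":
    memo = b"CONSTRUCTED SAMPLE: privileged client memo, draft 1"
    a, b = ProviderKeyStore(), ClientKeyStore()
    print("provider-held key, dedup hits:", a.upload("alice", memo), a.upload("bob", memo))
    print("client-held keys, dedup hits:", b.upload(b"A" * 32, memo), b.upload(b"B" * 32, memo))
```

In the first model the second upload is a dedup hit, the service can list every user holding the same document, and anyone with the service key can read it. In the second model none of those three things is possible.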
Dropbox has denied the claims. In a statement to Wired.com, a spokesperson said the complaint was “without merit” and the concerns were addressed in an April 21 blog post.
The complaint claims two cloud-storage services, SpiderOak and Wuala, have allegedly been harmed by the so-called unfair practices of Dropbox. SpiderOak is a privately-held company based in Chicago. Lawyer Tech Review confirmed that SpiderOak’s server center is located in the greater Chicago area. The company is about to open a secondary center in the Kansas City metro area. Wuala is a Swiss company whose servers are based in Switzerland, Germany and France.
To be sure, cloud-based solutions, especially for solo and small firms, offer a cost-effective, efficient way to remain competitive and serve clients. And cloud-based options can be more secure than conventional email. But at Lawyer Tech Review, we also realize that attorneys have a professional duty to safeguard confidential information from release to third parties. We will continue to monitor the controversy and update our readers as it unfolds.
We also suggest that you read the complaint and the Wired.com article, “Dropbox Lied to Users About Data Security, Complaint to FTC Alleges.”