Dropbox security woes are back, FTC complaint filed


Dropbox’s terms of service are back in the spotlight, as the site is being accused of misleading customers into believing its security is something it’s not.

Less than a month ago, we questioned whether Dropbox’s privacy changes warranted concern of PlayStation proportions. The phrase that piqued users’ interest had to do with sharing information with outside entities, namely the government and law authorities. “We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith to believe that disclosure is reasonably necessary,” the statement reads, and lists various legal, security, and safety situations in which it may have to do this.

Dropbox also clarified the state of security of your stored documents. Namely, its encryption process wasn’t quite what users believed it to be, and while Dropbox assured everyone its system is adequately safe, nerves were rattled to say the least. And now, it looks like users aren’t the only ones calling foul, as a complaint against the company has been filed with the Federal Trade Commission.

The site previously claimed that “all files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password” (AES-256 is the highest strength of Advanced Encryption Standard ciphers used to encrypt data). Instead, Dropbox has been using file deduplication: when a document is first uploaded, it checks whether that file has already been uploaded by someone else (and if it has, it links to the previously uploaded copy). This process lets Dropbox save ample storage space and bandwidth, but at the cost of a less secure system.

Ph.D. candidate and graduate fellow at Indiana University Christopher Soghoian filed the complaint, and explained in his blog his reasons for questioning Dropbox’s policies. He argues that if Dropbox is using a deduplication system, it must be able to see unencrypted versions of your files in order to determine whether there are duplicates. And as Soghoian explains, these measures are “useless against many attacks if the encryption key isn’t kept private,” which he’s uncertain of. The complaint states that “Dropbox does not employ industry best practices regarding the use of encryption technology. Specifically, Dropbox’s employees have the ability to access its customers’ unencrypted files.” The statement goes on to say that the encryption keys are stored on company servers.
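The tension between cross-user deduplication and files that are "inaccessible without your account password" can be shown in a few lines. This is an added example, not Dropbox's code and not part of the original article; `DedupStore`, the user names, passwords and salts are hypothetical, and a SHA-256 counter keystream stands in for AES-256, which Python's standard library does not provide.

```python
import hashlib
import os

def derive_key(password: str, salt: bytes) -> bytes:
    # A key only the user can recompute (assumption: derived from the password).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Stand-in for AES-256, for illustration only: SHA-256 counter keystream XOR.
    nonce = os.urandom(16)
    blocks = range(len(plaintext) // 32 + 1)
    stream = b"".join(
        hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest() for i in blocks
    )
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))

class DedupStore:
    """Hypothetical back end that deduplicates on the SHA-256 of what it receives."""
    def __init__(self):
        self.blobs = {}   # digest -> stored bytes
        self.links = {}   # (user, filename) -> digest

    def upload(self, user: str, name: str, blob: bytes) -> bool:
        digest = hashlib.sha256(blob).hexdigest()
        duplicate = digest in self.blobs          # already uploaded by anyone?
        self.blobs.setdefault(digest, blob)       # store only the first copy
        self.links[(user, name)] = digest         # later uploads just link to it
        return duplicate

def simulate():
    doc = b"constructed sample document " * 8     # constructed test input

    # Case 1: the service can read the content, so identical files match.
    readable = DedupStore()
    readable.upload("alice", "report.txt", doc)
    dup_readable = readable.upload("bob", "copy.txt", doc)

    # Case 2: each client encrypts under its own password-derived key first.
    opaque = DedupStore()
    ct_a = toy_encrypt(derive_key("alice-pass", b"alice-salt"), doc)
    ct_b = toy_encrypt(derive_key("bob-pass", b"bob-salt"), doc)
    opaque.upload("alice", "report.txt", ct_a)
    dup_opaque = opaque.upload("bob", "copy.txt", ct_b)

    return dup_readable, len(readable.blobs), dup_opaque, len(opaque.blobs)

if __name__ == "__main__":
    print(simulate())
```

When the store only ever sees ciphertext made with keys it does not hold, the two uploads never match, so a service that does match them must be working from content it can read.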

For anyone storing particularly sensitive information on the site, this news is cause for concern. But there are also users who believe cloud-based storage can only be so safe, and that you’re taking a leap of faith by using it at all. But what does Dropbox have to say about it? “We believe this complaint is without merit, and raises old issues that were addressed in our blog post [last month]. Millions of people depend on our service every day and we work hard to keep their data safe, secure, and private,” a spokeswoman says.

Adding a strange twist to the whole thing is the fact that Soghoian broke the Facebook PR scandal story. Busy guy.

Source: digitaltrends.com
