Here’s a short series of bullet points of what you can expect from a reading of the updated ToS and other documents:
- Dropbox manages its own encryption – this became a sticking point when people realized that Dropbox employees can in fact access your information as the service itself has the keys to your information so that they can recover your data for you. They also mention that you can encrypt your own files. (Further on this explained below.)
- Dropbox will comply with US law enforcement – as if they needed to mention this, but like any other company presented with a document like a warrant or a subpoena will hand over your data. They are required to do this by law anyway.
- Dropbox will delete your data if you ask – cyber forensic studies of Dropbox have questioned what happens to your data when you leave the service. Now they point out that it will delete your data when you remove your account immediately (except in some rare cases.)
- Dropbox logs a lot of information about you – logs of personal information such as your country, operating system, and the hardware you’re using in order to enhance service. This is done by other services as well (although most of them ask first.)
- Dropbox warns about mobile devices and secure sockets – while all files shared from mobile devices are encrypted on its servers, not all mobile devices enabled secure sockets (i.e. encrypted file transfers) which means your files may be in the clear when synchronized.
A series of recent fiascos have struck the extremely popular cloud-storage file-sharing service, but it remains in a fairly strong market position. The first of those events opened up questions of how Dropbox’s encryption policy worked—originally they had been unclear about employees having access to the cryptographic keys (i.e. the locks that keep your data safe.) This revelation caused the baleful eye of the Federal Trade Comission to gaze in Dropbox’s direction and the company is probably trying to stay ahead of any possible investigation.
The next security disaster for the service occurred when, due to a programming error, every account became available to the net via any password. June 19th the service had opened itself up for about four hours total. After the issue was discovered the company acted quickly to shore up the breach.
Encrypt Thyself or Suffer the Consequences
This is probably why Dropbox has opted to add language to their Security Overview and ToS describing the fact that you can encrypt your own files. “Dropbox applies encryption to your files after they have been uploaded, and we manage the encryption keys. Users who wish to manage their own encryption keys can apply encryption before placing files in their Dropbox. Please note that if you encrypt files before uploading them, some features will not be available, such as creating public links. Doing so will also make it impossible for us to recover your data if you lose your encryption key.”
Dropbox happens does happen to extend your personal cloud, but it does so by sharing your files on the Internet; it is only wise to actually lock your data with your own keys and not rely on Dropbox if you really want to share secrets in it. To this end several different software solutions have emerged.
If you’d like to lock your own data, you can use a program called BoxCryptor, a drag-and-drop folder solution that synchronizes a directory to Dropbox and encrypts/decrypts the files in it using AES-256 (the same level of crypto that Dropbox uses.) This software costs $19.99 (€14.99). Another extremely similar product, but free, happens to be SecretSync that also uses AES-256 to encrypt and backup files.
And, for those seeking much stronger protection from a well-known open source software there’s always TrueCrypt. The program doesn’t provide an easy drag-and-drop folder interface like the two above, but it does deliver a profoundly powerful cryptographic tool. (And it has applications far beyond Dropbox.) I use this program to envelope my secrets that I share and backup in the cloud.
People who encrypted their files in Dropbox would have remained relatively unaffected by both the fact that employees can view their files and if their account had in fact been revealed to the world. An attacker would still have to breach their encryption (an extra layer of discouragement) even if they gained access. This would even be true in the case of U.S. law enforcement should your paranoia lean that way.
Actual secret information should always have a layer that you control (especially when it’s in the cloud.) The protection put on it by cloud-service companies can only go so far.