Possible FTC Scrutiny of DropBox Sheds Light on Personal Security in the Cloud

With more than 25 million users, to call cloud-based personal-storage software DropBox wildly popular would be an understatement. It’s an excellent little on-desktop app with a multitude of connectivity functions, from publishing files directly from the desktop to the web to sharing between friends and mobile devices. In short, it’s become one of the more versatile cloud-based storage technologies to be rolled out to the everyday consumer.

So, when privacy concerns crop up at odds with the expectations of those customers, things can get a little dicey. Earlier this month, DropBox came under fire because of statements made on its website that employees were unable to access stored information (because it was encrypted on their servers). That statement was later shown to be untrue: employees had access to the encryption keys, meaning the data was in fact not safe from them.

Wired has developed a thorough timeline of the parry-riposte of allegations against and replies from DropBox about this privacy and consumer education debacle, and why the FTC might get involved to sort it out:

The FTC complaint charges Dropbox (.pdf) with telling users that their files were totally encrypted and even Dropbox employees could not see the contents of the file. Ph.D. student Christopher Soghoian published data last month showing that Dropbox could indeed see the contents of files, putting users at risk of government searches, rogue Dropbox employees, and even companies trying to bring mass copyright-infringement suits.

Soghoian, who spent a year working at the FTC, charges that Dropbox “has and continues to make deceptive statements to consumers regarding the extent to which it protects and encrypts their data,” which amounts to a deceptive trade practice that can be investigated by the FTC.

Dropbox dismissed Soghoian’s allegations.

“We believe this complaint is without merit, and raises old issues that were addressed in our blog post on April 21, 2011,” company spokeswoman Julie Supan said in a short e-mail to Wired.com. “Millions of people depend on our service every day and we work hard to keep their data safe, secure, and private.”

Personal disclaimer: I use DropBox in my personal life and I enjoy it thoroughly. I didn’t gravitate towards the application because they offered extraordinary security above and beyond other software, but because it does its job efficiently, with little fuss, and is highly versatile.

There are so many ways that data can be leaked out of DropBox without even acknowledging the potential for employees to look at your data. Anytime we put something in the cloud, we open up our information stored outside of our computers to the world. As a result, it’s important for us to make our own privacy decisions about what goes into these sharing services.

Point in fact, if I want to share actually important and secret data between computers, it’s incumbent upon me to make certain that I secure it. DropBox may be excellent for transferring that data between computers, and even if they’re perfectly secure on their servers, I don’t know that my data is secure in-between or secure where I’ve shared it. As a result, I roll my own encryption for secrets placed in cloud-based services.

The personal security ecosystem is full of extremely good programs for protecting your personal data. For example, I use the open-source information security software TrueCrypt for Windows to encrypt secret data that I put into DropBox. Let’s put this into a real-world analogy. It’s a lot like renting at a local storage facility. I understand there’s a lock on the door to my storage unit, but I want to store tax documents within. I hire the storage company to keep my items within safe from theft, but I understand that their employees, ground security, and so on have keys to my storage container, and I also understand that the bad guys have bolt cutters. So what do I do? I put my secret tax documents in a safe.

Using cloud-based services is still a matter of risk assessment versus convenience. My day-to-day stuff that I throw into DropBox is snippets of articles I’m working on, pictures of my cat, links to websites that I’m looking at: things I don’t even care if the world sees. However, when it comes to developing stories, protected sources, and proprietary information shared with teammates at work, I encrypt (i.e., put it into a safe). It may take a little longer to synchronize and I have to enter a password every time I want to modify or view it. This is a very minor inconvenience to me for greatly increased security on my own devices, on the devices of my coworkers, and even from possible breaches of my DropBox.

The personal cloud apps that I use always come with a risk. I personally accept that risk as possible even when the app I’m using suggests that it’s more private than other cloud-based services. Anytime my information leaves the confines of my computer I evaluate and educate myself on what risk I’m willing to accept.

We should all be so aware of our own personal-cloud security.