After inconsistencies in Dropbox’s claim that its employees cannot access the contents of files uploaded to the private folders it creates on its 25 million users’ computers, the company has finally been called out by security researcher Christopher Soghoian in a 16-page report to the United States FTC. The report has some users asking exactly what they are getting from Dropbox.
Soghoian first published his findings online, examining the claim in Dropbox’s Terms of Service that none of its employees could see actual file contents, the implication being that staff could access only metadata when dealing with any problems. Before Dropbox changed its help page, that page stated that all files on its servers were encrypted and would be inaccessible without a password. That inconsistency caught Soghoian’s attention.
Dropbox apparently also claimed that its service would skip uploading a file when it determined that a matching file had already been uploaded, creating a link to the existing copy instead. If a file matches an existing one but has been changed, only the altered part would be uploaded. While this may seem minor, it is hard to square with the encryption claim: a service can only recognise an already-stored file, or the changed part of one, if it can compare contents that are not hidden from it.
After Soghoian posted his findings, Dropbox changed the wording of its claims. Instead of employees being completely cut off from file contents, it now says that a small number of employees must have access to the data for legal reasons. It adds that such cases are a “rare exception, not the rule” and that it has millions of users’ data to look after. Furthermore, it would decrypt and disclose file contents when required by law, when a person’s safety is at stake, for fraud prevention, or when it deems a file suspicious of infringing property rights.
The report accuses Dropbox of deceiving users and prospective users about its service’s security, and asks that it clarify its policy, promptly notify all subscribers that its staff can see their data, and refund those who upgraded to the “Pro” version of Dropbox. Soghoian says the company uses a system called deduplication that leaves deduplicated data with substandard security, and goes as far as suggesting that Dropbox forgo the system entirely and give each user an individual encryption key.
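To make the trade-off behind the deduplication description and Soghoian’s per-user-key suggestion concrete, here is an added simulation (not Dropbox’s code and not from the report) of a content-addressed chunk store: two constructed accounts, alice and bob, upload the same constructed document, then alice uploads an edited copy. The 16-byte chunk size, the sample document, the account keys and the XOR-based "toy_encrypt" are all assumptions made for the illustration; the toy cipher is not real cryptography and exists only so that the same plaintext looks different under different keys.

```python
import hashlib

CHUNK = 16  # constructed tiny chunk size so the sample document spans several chunks
DOC = b"quarterly budget 2011: salaries 1200000, travel 45000, legal 30000"  # constructed
EDITED = DOC.replace(b"45000", b"99000")  # same length, one changed region
KEYS = {"alice": b"key-alice", "bob": b"key-bob"}  # constructed per-user keys


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256-derived keystream. Illustration only, not real crypto:
    it exists so the same plaintext yields different bytes under different keys."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)


class DedupStore:
    """Content-addressed chunk store: each chunk is keyed by the hash of the bytes
    the server receives, so it can only match content it can actually see."""

    def __init__(self):
        self.chunks = {}  # sha256 hex -> stored bytes
        self.owners = {}  # sha256 hex -> set of accounts holding that chunk

    def upload(self, user: str, data: bytes) -> int:
        """Store a file and return how many chunks actually had to be transferred."""
        sent = 0
        for i in range(0, len(data), CHUNK):
            chunk = data[i:i + CHUNK]
            h = hashlib.sha256(chunk).hexdigest()
            if h not in self.chunks:  # already stored: link to it, send nothing
                self.chunks[h] = chunk
                sent += 1
            self.owners.setdefault(h, set()).add(user)
        return sent

    def cross_account_matches(self) -> int:
        """Chunks the operator can see are held by more than one account."""
        return sum(1 for o in self.owners.values() if len(o) > 1)


def simulate(per_user_keys: bool) -> dict:
    """Upload the same file from two accounts, then an edited copy from the first."""
    store = DedupStore()
    prep = (lambda u, d: toy_encrypt(KEYS[u], d)) if per_user_keys else (lambda u, d: d)
    return {
        "alice_first": store.upload("alice", prep("alice", DOC)),
        "bob_same_file": store.upload("bob", prep("bob", DOC)),
        "alice_edit": store.upload("alice", prep("alice", EDITED)),
        "visible_matches": store.cross_account_matches(),
    }
```

With plaintext deduplication bob’s upload transfers nothing and only the one changed chunk of alice’s edit is sent, but the operator can also see that both accounts hold identical content; with per-user keys the cross-account savings and that visibility both disappear, while alice’s own edit still deduplicates against her earlier upload.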
A Dropbox spokesperson brushed aside the complaint, calling it “without merit”. While this may sound minor in nature, it could follow Dropbox for a while.