Sorry, Dropbox, I still don't trust you

Sorry, Dropbox, I still don't trust you

Summary: Last summer, I deleted my Dropbox account after the company admitted to a horrifying security breach. This week, I reluctantly opened a new Dropbox account. Within minutes, I received a message from Dropbox suggesting that their back-end processes are still problematic. Here's why I'm concerned.


See update at end of post with comment from Dropbox support.

Last summer, I deleted my Dropbox account. That wasn't something I did in anger or in haste. Instead, it was the result of a series of security failures that led me, finally, to lose my trust in Dropbox.

In that June outage, a Dropbox code update caused the security underlying the entire cloud-based file storage system to break down. For at least four hours, anyone could log into any Dropbox account using any password. Some accounts were compromised. Dropbox says the number was "fewer than a hundred," but there's no way to fact-check that statement.

This week, reluctantly, I created a new Dropbox account. My teammates in a new work project are using it for its convenience, and I can't afford not to be a team player.

To set up the new account, I used Ninite to install the Dropbox app for Windows. I used a different e-mail address this time around, one that I had never used with Dropbox before. I entered my account information in the Dropbox app, including a strong password I generated using a separate app. After going through the brief configuration, I was ready to begin syncing my own files and receiving shared files from my new partners.

And then, a few minutes later, I got an e-mail from Dropbox containing this welcome message:

How cheerful! How friendly! How ... wrong.

I didn't respond to an invitation from anyone to create this account. I do not know the individual whose name is on that message. It's a common enough name, but a thorough search of my e-mail inbox shows no such invitation (nor any other email for that matter) from anyone by that name. I have a LinkedIn connection with someone by the same name, but we've never exchanged email and we don't know each other in real life.

So, did this individual get a corresponding email message from Dropbox announcing that I had just accepted his invitation? Probably.

And that concerns me.

Dropbox uses a referral model to grow. If you send invitations to your friends and they create new Dropbox accounts, you get additional free storage space. There's nothing wrong with that business model, but if you're going to use a social strategy to grow a service that depends on secure file transfers, you had better have your back-end processes buttoned down.

And Dropbox doesn't. Somewhere on their back end, their systems got confused. What else on the Dropbox back end is confused? I have no way of knowing.

When I dropped Dropbox in July, I quoted a post from the Dropbox CTO, who said, “This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.” My response?

It’s going to take more than just promises of “additional safeguards” to erase the doubt that a mistake like this inspires. At the very minimum, Dropbox needs to have a thorough security audit from an independent group to ensure that it has the processes in place to back up those promises.

I see no indication that the necessary security audit ever happened.

A message I sent to Dropbox support yesterday asking for an explanation of the mysterious email has gone unanswered. It has not even been acknowledged.

This is not how a trustworthy company operates.

Because my new teammates use Dropbox, I don't have the option to quit using the service. But you can bet I will be extremely careful with it, and I certainly won't share or sync anything that is remotely confidential.

Update, 28-Oct 9:00 AM Pacific. After almost exactly 24 hours, Dropbox support responded to my support request with the following note:

Hi Ed,

The reason you received that referral email is because someone invited your email address to Dropbox at some point in the past. Even if the invitation didn't make it to you, the system remembered the referral and awarded you and the person who referred you the extra space.

Even if you don't know the person, this does not expose any of your files or information to the inviter.

I am not reassured, especially when the original e-mail specifically said I had "accepted --- ---'s invitation." I didn't, and as the support agent notes, anyone can "invite" anyone else.

As a test, I just "invited" myself to join Dropbox, using a clean email address I set up recently. Without ever seeing the email invitation, I then used that address to set up a Dropbox account. Sure enough, I was immediately notified that the new account had been set up using that address, even though I never authorized the use of my name or responded to the invitation.

As I said earlier, I want to believe Dropbox when they tell me my files are perfectly safe, but this is just an unacceptably sloppy part of the initial sign-up workflow.

Update 2: In response to comments in the Talkback section below, I contacted Ninite co-founder Patrick Swieskowski, who confirms that Ninite does not use affiliate codes with Dropbox: "Ninite just gets the plain installer directly from dropbox, confirms its digital signature, and runs it silently with the /S switch. There aren't any affiliate codes or anything like that." 

Topics: Security, Collaboration

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • RE: Sorry, Dropbox, I still don't trust you

    I think Dropbox's referral system, like many others, uses a cookie system to track referrals, with cookies sometimes lasting a year or even more. You may have been tricked into clicking on a Dropbox referral link from this individual on that same PC at some point and now that you've gone back to Dropbox and signed up, it saw the cookie and gave him credit for the signup. It still isn't right since you are unaware that it even happened, but at least it's an explanation.
    • <a href="">Ù?Ù?تدÙ?ات</a>

      @techSage I use the much more secure SpiderOak instead of DropBox, and even I agree with you. I was trying to convince my brother to switch yesterday, saw this article, thought it would do the trick, then read it and just didn't see what the fuss was about and decided not to forward it to him. Their system matches up invited e-mails and new account e-mails... which makes sense, and isn't a security concern in any way. If anything, Mr. Bott should be happy he got an extra 250MB free! happy
  • RE: Sorry, Dropbox, I still don't trust you

    Once you know the problems and the benefits you can do you compromises. People understand that and the smart ones already know that using Drop Box is very good to store stuff that is not critical to you. I agree on the fact that a online vendor that make statements must stand behind and make sure that the users understand in detail the changes that were made (I still believe that drop box did something in regards to security), in order to show improvements.
  • RE: Sorry, Dropbox, I still don't trust you

    That is a pretty serious security issue. If that's on the front facing web server magine whats going on in the back end.
    • That's not on a web server


      It was in an email to me.
      Ed Bott
      • RE: Sorry, Dropbox, I still don't trust you

        @Ed Bott
        My mistake
  • RE: Sorry, Dropbox, I still don't trust you

    Irrespective of how it might have happened, this is still wrong and is another indicator of the shadow world so beloved of Facebook where our information is secretly accumulated and maintained without our visibility. When my wife died in 2009, I attempted to delete her email account after a due delay. 18 months later it's still sitting there receiving mail! Not good enough for consumer confidence!
    • RE: Sorry, Dropbox, I still don't trust you


      I am sorry for your loss.
  • RE: Sorry, Dropbox, I still don't trust you

    This is proof positive against cloud computing. I said this from the beginning that I don't trust it, and this is why. I use Windows Live to sync school work between my computers, but all my important data (pictures, documents, music, etc) doesn't leave my HDDs. There's no reason I should hand over my data to others for keeping. It's not safe to do so.
    The one and only, Cylon Centurion
    • RE: Sorry, Dropbox, I still don't trust you

      @Cylon Centurion good luck thinking that... "doesn't leave my HDD's" - um, yeah it does... and you have no control of it while it's in transit... I guarantee there's a copy of every bit of it on Live's servers somewhere...
      • RE: Sorry, Dropbox, I still don't trust you

        @NetworkPIMP The data stays on your hard drive with Dropbox too. But as Ed points out, nothing critical goes there because there's also a copy out there on the cloud where it can be accessed if there's a security breach. For collaboration on a project each collaborator (and doesn't that sound suspicious?) that can make changes, comments, etc. leaves the document different that it was when it first got there. That's the idea. When the project is done you TAKE IT OFF Dropbox for final edit.
      • RE: Sorry, Dropbox, I still don't trust you


        No, it doesn't. All my personal files reside locally. At no point do they travel across the Internet. It will forever remain that way too.
        The one and only, Cylon Centurion
      • RE: Sorry, Dropbox, I still don't trust you

        That's a good nym and defines your arrogance/gnorance well. SOME will have been exposed, but not ALL of EVERYTHING as you wish to imply with your blatherskite attitude. Perhaps in your case it's true, but you would be the exception who is weak with their security.
      • RE: Sorry, Dropbox, I still don't trust you

        <i>No, it doesn't. All my personal files reside locally. At no point do they travel across the Internet. It will forever remain that way too.</i><br><br>Uh, if you're Live synching those files, then yes they would. How do you know you're not doing that? Did you make sure? ;) <br><br>And if you're really all that concerned then consider external HDs used only for storage and connected to your PC only when you need it.
      • RE: Sorry, Dropbox, I still don't trust you

        @NetworkPIMP I think the point Cylon is making is that he only puts schoolwork data on Windows Live Sync, not his personal data. If he never adds his pictures music etc to Windows Live Sync then it will never leave his hdd.
    • RE: Sorry, Dropbox, I still don't trust you

      @Cylon Centurion PROOF AGAINST Cloud Computing! you are ignorant. I suppose you support Green Initiatives too and yet are probably a bit of a hypocrite if you do not support Green IT to reduce green house emissions by reducing the carbon footprint of Data Centers by moving to the cloud.
      • RE: Sorry, Dropbox, I still don't trust you


        I'm not talking about data centers, I'm talking about Joe User's personal files. I'm talking about public sector cloud operating systems and services.

        Given what Ed has written here, and in the past, and put that with Google's privacy blunders, Facebook's privacy blunders, and you'll see why I don't let any of my things leave the local network. There just isn't any reason why people should be jumping for joy when putting files out on the Internet.
        The one and only, Cylon Centurion
      • RE: Sorry, Dropbox, I still don't trust you

        @357_89 The cloud is data centers! Where do you think the data you give them to store goes?
    • RE: Sorry, Dropbox, I still don't trust you

      @Cylon Centurion ... +1! It constantly amazes me how many supposedly knolwedgeable people climb aboard thos spaghetti westerns and trust them so completely. You're absolutely right: There si absolutely NO reason to hand classified or higher rated data over to strangers for safekeeping. The old saw "If you don't want it seen by others, do NOT put it on the 'net? still applies and always will with today's structure.
    • RE: Sorry, Dropbox, I still don't trust you

      @Cylon Centurion agree. you just have think of what you put up there. I'm using Polkast: Cloud benefits, minus the cloud.

      It works like this: Polkast creates a connection ??????direct cloud??? ??? that lets your mobile devices access your computers directly. When you want to access files, the service automatically detects your mobile device???s proximity to the PC and chooses the fastest route: Wi-Fi or over the Internet. Polkast then opens a secure password-protected SSL connection between the two devices, and encrypts all transmissions. No delay or storage of your files on the cloud. Very cool!!!