Dropbox 'deceived' users over security: Files are open to government searches

Summary: Dropbox 'deceived' users about the security and encryption of its cloud storage services, according to a complaint made to the FTC.


Post updated: 16:55 PST.

Dropbox, one of the favourite cloud synchronisation services available for free, 'deceived' its users about the security and encryption of its cloud storage services.

A complaint made to the Federal Trade Commission suggests Dropbox employed "deceptive trade practices" that put it "at a competitive advantage", with users being told that Dropbox employees could not access their files or data when they could. It also meant that as files were able to be decrypted by employees.

David Gewirtz's assertions were correct. You shouldn't use Dropbox if you have something to hide.

Data held in Dropbox was and still is vulnerable to inspection by U.S. authorities.

The full complaint can be found here.

Only last month, PhD student Christopher Soghoian at Indiana University blew the whistle on the popular cloud storage service, which now serves as evidence in the complaint submitted to the FTC.

Though Dropbox has now revised statements on its website relating to file security and how employees have access to the encryption keys to unlock your files, the damage is still done.

The service is popular amongst students who use it not only to hold their university work but music files also, with 2GB of free storage available in an instant.

A company spokesperson told me:

"We believe this complaint is without merit, and raises old issues that were addressed in our blog post on April 21, 2011. Millions of people depend on our service every day and we work hard to keep their data safe, secure, and private."

This post, reflecting the change in terms and conditions, was added after the allegations were made by Soghoian.

Dropbox may have a lot of work on its hands to restore faith in its service. It has been a rough week for major companies dealing with public relations spats, especially after the alleged Facebook smear campaign against Google.

Topics: Storage, Hardware, Security


Talkback

49 comments
  • Why is this any surprise?

    Why? If you are not the "sole" owner of the encrypting code then someone, somewhere has access to it and that someone could be compelled by a government agency to turn it over and would most likely do so without a moment's hesitation.
    oncall
    • RE: Dropbox 'deceived' users over security: Files are open to government searches

      @oncall Used to work for an ISP/hosting company - and the most hesitation you'll see these companies put forth is to call a local office to confirm the validity of the subpoena.
      ITSamurai
    • RE: Dropbox 'deceived' users over security: Files are open to government searches

      @oncall Just remember *you* can be the target of a warrant just as easily as a company such as Dropbox. Even if you are the "sole" owner of the encrypting code as well as the encrypted device, it still does not keep the government from getting the keys.
      zackers
    • RE: Dropbox 'deceived' users over security: Files are open to government searches

      @oncall
      and..
      your account is probably flagged for review if you suddenly get spooked and delete your files from dropbox

      I'm sure they keep your files as long as necessary after you think they are deleted due to "National Security"
      Not "Your Security"

      Never use closed source encryption!
      Encrypt it at least twice if it's that important
      Never put ANYTHING in the cloud that can be used against you "EVER"
      U.S. Corporations are required to deceive you in order to gather intelligence data for the Gov't and are under no obligation to inform you under penalty of Law!
      OutOfBoxExperience
  • RE: Dropbox 'deceived' users over security: Files are open to government searches

    Wow. Google certainly picked the wrong week to drop the Chromebook.

    First MS BPOS, then Google Blogs, now Dropbox.

    Can't say I'm surprised by this one though; but, as a non-user of Dropbox, I also am not affected.
    UrNotPayingAttention
  • RE: Dropbox 'deceived' users over security: Files are open to government searches

    Files removed - app & account deleted.

    Thank you very much.
    bump911
    • Deleted, But Not Gone

      @bump911 Your files might still be there in backups. No knowing how long they hold on to files.
      vel0city
      • RE: Dropbox 'deceived' users over security: Files are open to government searches

        @vel0city Probably a span of 5-7yrs. Just guessing based on legal liability.
        ITSamurai
    • RE: Dropbox 'deceived' users over security: Files are open to government searches

      @bump911 : "Files removed - app & account deleted." you hope so.......
      deaf_e_kate
    • RE: Dropbox 'deceived' users over security: Files are open to government searches

      @bump911 My law firm is investigating the security issues on behalf of Dropbox customers and would like to speak with you about your reasons for canceling the service.
      Swestcot
      • RE: Dropbox 'deceived' users over security: Files are open to government searches

        @Swestcot
        I'm also concerned about security issues. As such, my only "cloud" computing is my external hard drive which remains in the OFF condition unless I'm actually accessing it for backup.
        I use Dropbox only for sharing family photos with specific people. Nothing else goes on there.
        I think you should be investigating ALL security issues. Microsoft also has "PCSecurity" that, in past, at least, sent personal data up to their servers at least once per session. Using a hex editor, I found a friend's credit card data (number, expiration date and 3-digit security code) embedded in one of these files on his computer. That was with WinXP. Are they still doing this with Win7? I don't know but wouldn't put it past them. Microsoft buying Skype is going to have me dropping that little "gold mine" of information off my computer as soon as I see what changes they make to the Terms of Use statement.
        We don't have privacy in this country any more. The PATRIOT Act has created the New East Berlin out of the USA. The government and Big Business have all the power now, not the people.
        xffcapt01
  • The cloud is BS

    Pundits keep telling us that the 'cloud' is the future. I suppose they have column-inches to fill, but that doesn't mean we should pay attention to them.
    Aside from the fact that the US internet infrastructure is two orders of magnitude too slow to support it, there remains the fact that many vendors of services just aren't up to the job.
    The cloud might be fine for cases in which non-contiguous locations must share data. The rest of us shouldn't be too quick to toss out our external hard-drives.
    MC_z
    • RE: Dropbox 'deceived' users over security: Files are open to government searches

      @MC_z
      But for those depending on services like these for smartphones and tablets this is another issue.
      :(
      rhonin
    • RE: Dropbox 'deceived' users over security: Files are open to government searches

      @MC_z

      I couldn't agree more. The same goes for "software as service." I won't be throwing out my software CDs any time soon. Once we migrate in mass to complete dependence on the cloud for all of our software and data, we will be enslaved by the same.

      I like the idea of being able to have a PC that is completely offline and still functional for all the basic tasks such as word processing, accounting, and the like.
      No one special
      • RE: Dropbox 'deceived' users over security: Files are open to government searches

        @martyh@... Amen! I often travel into areas where internet service is spotty. I hate having any part of my computing environment dependent on maintaining connection -- excluding, obviously, email and browsers. I am always peeved at software that puts its User Manual, Help files, etc. on the Web. It's not very helpful if you can't access it.
        mdwalls
  • Hooray for CSC!

    I use dropbox for random files I might need to get with a handy website UI, but for everything important I want to sync between all my computers I just toss it on my server and it gets synced between everything on my network. With CSC enabled on the network locations, I keep a local copy on all my computers, just like Dropbox. And if I'm on the go, I just VPN home and the updates to the network location get sent to me.

    Like Dropbox, but more secure and as much space as I can afford at the moment XD
    vel0city
  • Only a sap would trust the cloud

    To think that any cloud service can keep your data absolutely private is absurd. If you don't want to risk having your data exposed, you DON'T put it on the cloud.
    shawkins
    • Well said

      @shawkins It is kind of stupid to believe that the cloud is safe when unknown people from unknown countries own admin powers to the servers where the data reside.
      wackoae
    • RE: Dropbox 'deceived' users over security: Files are open to government searches

      @shawkins concur. If you want to keep your cloud stored information private, encrypt it before storing it. Truecrypt is an excellent solution.
      pkparker40
      • RE: Dropbox 'deceived' users over security: Files are open to government searches

        @pkparker40
        The image used in the article of a TrueCrypt volume inside Dropbox is a recipe for disaster. A TrueCrypt volume contains an entire file system inside. If you use Dropbox on more than one computer, you have to make sure you unmount the TrueCrypt volume every time you switch to another computer. You can't use any file in the volume until you've unmounted the volume in the other computer.
        Another online backup service that promises security is SpiderOak. You generate the password locally and it is never sent to them, which means they never have access to your data.
        birkir