Dropbox drops the security notification ball, again

Dropbox drops the security notification ball, again

Summary: Yet another failure to tell users directly about security vulnerabilities highlights the need not just for mandatory data breach notification laws, but mandatory notification of security and privacy risks.


There's a short, sharp word for people who solemnly promise to do one thing, repeatedly, but then end up doing precisely the opposite, repeatedly. Unfortunately I am not allowed to use that word here. So I'll use another.


"There's nothing more important to us than keeping your stuff safe and secure," wrote Dropbox co-founder Drew Houston on 11 April, addressing concerns that some folks had raised following the appointment of Dr Condoleezza Rice to the company's board, what with her previous direct links to — nay, involvement in — the United States' security apparatus.

In a post-Snowden world, appointing a former presidential National Security Advisor didn't seem to send the right message to users who might have hoped that their files were being kept securely.

"We've been fighting for transparency and government surveillance reform," wrote Houston, pedalling furiously. "We've been vocal and public with our principles and values. We should have been clearer that none of this is going to change with Dr Rice's appointment to our Board. Our commitment to your rights and your privacy is at the heart of every decision we make, and this will continue."

They're lovely words. They're good at lovely words at Dropbox. "We strive to provide great Services," it says in their terms and conditions.

But actions speak louder than words, and when I look at the evidence, I reckon that at Dropbox, the striving doesn't turn into the actions.

On Tuesday, information security consultant Graham Cluley reported how Dropbox had been contacted by the media, who were investigating claims by Intralinks — an enterprise file sharing and collaboration service — that it had stumbled across individuals' mortgage applications and income tax returns.

"Dropbox responded last night with a blog post saying it was addressing the vulnerability and that it was 'unaware of any abuse of this vulnerability'," Cluley wrote. "Well, clearly — despite Dropbox's protestations — users' data *was* exposed, otherwise files like this and this wouldn't have fallen into the hands of unauthorised parties."

This we-are-unaware denialism in the face of the clear potential for data breaches is bad enough. Absence of evidence is not evidence of absence — especially if you don't bother looking for such evidence. And in any event, being "unaware" isn't exactly a good look.

But it gets worse.

Cluley goes on to explain how Dropbox had been told about this vulnerability back in November 2013, only to wave it away. "We don't believe that this is a vulnerability. If someone accidentally shares a private Dropbox link it can be disabled at any time from the Dropbox website, on the Links tab," they replied at the time.

Cluley is unimpressed. "I think it's a pretty sad state of affairs that months can pass, and the BBC [British Broadcasting Corporation] has to be called in, before a service like Dropbox takes seriously a security concern impacting the privacy of its users," he wrote.

I am unimpressed. I think it's a pretty sad state of affairs that days can pass since the BBC was called in, and yet that solitary blog post is all that Dropbox has done to inform its users.

Surely when it comes to security, every user should be notified? But there hasn't even been a tweet.

It was the same when Dropbox responded to the Heartbleed vulnerability. Just a blog post.

If only there were some sort of machines, some sort of global communications system, through which Dropbox could contact its customers...

Unfortunately, startup culture requires that Dropbox's primary goal is MOAR USERS MOAR USERS MOAR USERS and a nifty logo, rather than, say, being honest. For all the talk of transparency, there's a strong incentive to sweep problems under the carpet, as Dropbox has done here.

That's why Dropbox is far from being the only company that talks the talk of security and privacy but, when the crunch comes, utterly fails to walk the walk.

And that's precisely why mandatory data breach notification laws, which require organisations to tell us when they know they've failed to protect the data we entrusted to them, don't go far enough. We need companies to make better efforts at preventing data breaches in the first place, and we need them to be honest about the risks to our privacy.

Just as we have product safety recalls, when companies make every effort to contact customers to warn them of potential problems, we need mandatory vulnerability notification laws — ones where a blog post that users are expected to find for themselves isn't enough to escape a penalty.

Topics: Security, Privacy, Start-Ups


Stilgherrian is a freelance journalist, commentator and podcaster interested in big-picture internet issues, especially security, cybercrime and hoovering up bulldust.

He studied computing science and linguistics before a wide-ranging media career and a stint at running an IT business. He can write iptables firewall rules, set a rabbit trap, clear a jam in an IBM model 026 card punch and mix a mean whiskey sour.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Dropbox Attitude

    Months ago now I blanched when I discovered that Dropbox unilaterally and silently Deleted my Account. It took days for any response to my SOS. And that resulted in another wait, only to receive instructions for a time and labor consuming Restoration process
    I ended up finding a simpler way to to Fix It myself. It's their lackadaisical attitude about this all that bothered me.
    Then an Outage. I ended up, tho' the Net suggested alternate ways, figuring out a way back in. It was Dropbox's lack of communication here too that I noted.
    After reading your Article it looks to me that their poor attitude to their consumer public is pervasively lacking big time.
  • Regulation solves nothing

    All regulation does, is add a layer of cost to services. Regulation never improves a service, nor can it adequately punish bad service. All regulation does, is make us hallucinate we did something.

    Let the market decide. If a provider doesn't furnish adequate security, the customer will move somewhere else. That will better regulate than any law you can even dream of adopting.
  • Twitter isn't any better than a blog post.

    "Surely when it comes to security, every user should be notified? But there hasn't even been a tweet.

    It was the same when Dropbox responded to the Heartbleed vulnerability. Just a blog post."

    Frankly, I don't use Twitter. You can't say very much with a limited number of characters, and that makes for horrifically shallow communications. I don 't think that Twitter should be a part of the long term future.

    Granted, you still have valid points elsewhere in your article, but Twitter isn't better than a blog article. The best way to contact people in a way they'll really notice is still email.

    Oddly enough, most of the complaints in the comments in the blog article are about how Dropbox broke their links. Few people actually seem to care about the vulnerability itself.
    • Well, duh...

      Few people actually care about the vulnerability because the vulnerability is user-induced. If you don't share important links - there is no vulnerability. This entire article comes off as a rant by somebody who just has a problem with Dropbox and the success that they've accumulated.
  • Private cloud

    Another reason to abandon the public cloud options (Dropbox, Box, Google Drive, etc.) and go for a private cloud device once and for all. At least I don't have to worry about these guys screwing with my files.
    Tech Geek99
    • ^^re: Tech Geek99

      >Thinks his so-called private cloud is secure.
  • simple sharing

    sure glad I don’t use them for important docs for sharing.
    • Easy Solution

      Encrypt your files on your end and don't create public links = problem solved.
  • What do you expect for Free?

    Seems to me that you get what you pay for. How many users are actually paying for DropBox yet expect free storage, security, backend bandwidth, product enhancements, user and/or customer support? All of it costs money... but hardly anyone pays for it.
  • Skip the cloud

    When all the hubbub with Dropbox started I stared using this program called GoodSync. It's different than Dropbox, SugarSync, etc. But basically it lets you sync without storing your files in the cloud. It's working fine so far. Will keep you updated if I find any problems.
    • Agree!

      Completely agree, JD. I use GoodSync as well and the peace of mind that it provides can't be beat.
      Bob Sacimano
  • Drop, Dropbox

    I ditched this about 2 months ago. Thank God!!!! I have been utilizing a software called GoodSync in place of it. I prefer to be able to have my private files remain just that, private! With GoodSync I can backup and store my data in a "Personal Cloud" of sorts without the worry of a big company like Dropbox having access to my data on their servers.
    Biig Joe
    • Advertisements or Comments?

      Dropbox allows your private files to remain private - simply encrypt them before they leave your computer and don't share them - voila, they remain just that, private! Regarding the rest of your comment... well, peoples' ignorance about cloud computing is really funny. If you use a third party to sync files to your own computer... your files are still going onto the cloud. If you just need to sync between computers, try something like BitTorrent Sync.
  • Intimidating

    I just don't trust these third-party cloud storage services with my data, I still use GoodSync to sync over the internet using GoodSync Connect but to my own local storage devices. GoodSync has the ability to sync to other cloud storage services also but I can't convince myself it's a good idea.
  • Protecting Dropbox share links

    Hi, we recently developed a free app that turns Dropbox into your own secure file transfer service. As a side effect as it relates to this article about the share links vulnerabilities, it adds a password to sharelinks which helps mitigate the risk of users not sharing them securely.

    Check it out at https://app.ironboxexpress.com.


    Kevin Lam
    • Wow...

      Spam artists such as yourself, well, you just have no sense of shame or understanding of proper business ethics, do you? I am sure that you would defend your spamarific actions by saying something like "Hey, my service where I want your money, directly relates to the topic of this article, guy."

      Yet, at the end of the day this is just still pathetic spam and it makes everyone's experience on the Internet, that less enjoyable. Doing this is just as bad and stealing email addresses and sending people your junk-mail emails. I am surprised that ZDNet does not delete blatant spam comments such as your comment.