Dropbox denies giving researchers non-anonymized user data

The researchers claimed they could see "every Dropbox folder associated with a given researcher."
Written by Zack Whittaker, Contributor

Dropbox has denied claims that researchers obtained non-anonymized data from users of the cloud file storage service.

A study by Northwestern University researchers posted Friday, and co-bylined with a Dropbox insights manager, revealed how collaborative platforms are used by teams of people.

But a key line in the write up claimed that Dropbox "gave [the researchers] access to project-folder-related data" over a two-years period from about 400,000 users across 1,000 universities, which the researchers said they "aggregated and anonymized."

The researchers said that this included a user's "total number of folders, folder structure, and shared folder access," but noted that they and Dropbox employees "could view no personally identifiable information."

That report was later updated to say that Dropbox "had aggregated and anonymized" the data, but the researchers still claimed they saw "every Dropbox folder associated with a given researcher, along with whom they'd shared the folder with, how often the folder was accessed by anyone associated with it, the duration of collaboration on a project, and how users split their time among different projects represented by the folders -- a wide variety of specific touchpoints." The claims led to several well-known academics complaining on Twitter.

When reached, Dropbox denied the claims in a statement emailed to ZDNet on Monday.

"The article contained factual errors which we're working to correct," said Dropbox spokesperson Elisa Pandolfi. "To be clear, before providing any Dropbox users' data to the researchers, Dropbox permanently anonymized the data by rendering any identifying user information unreadable, including individual emails and shared folder IDs."

"This process prevented [the researchers] from seeing any personal information, but allowed them to analyze the anonymized data for patterns and insights," the statement read.

It's understood that the data was scrambled to prevent the researchers from being able to personally identify users in its collected data sample -- a common technique used by companies to anonymize user data.

It remains unclear if any of the academics whose data was collected were ever asked for explicit permission. Dropbox did not immediately have an answer. (If that changes, we'll update.)

It's also not clear what role or access the co-bylined Dropbox staffer had to the data, or why Dropbox didn't vet the results before they were posted.

We reached out to the authors Adam Pah and Brian Uzzi but did not hear back at the time of writing.

Editorial standards