Dropbox drops the security notification ball, again

Yet another failure to tell users directly about security vulnerabilities highlights the need not just for mandatory data breach notification laws, but mandatory notification of security and privacy risks.
Written by Stilgherrian, Contributor

There's a short, sharp word for people who solemnly promise to do one thing, repeatedly, but then end up doing precisely the opposite, repeatedly. Unfortunately I am not allowed to use that word here. So I'll use another.

"There's nothing more important to us than keeping your stuff safe and secure," wrote Dropbox co-founder Drew Houston on 11 April, addressing concerns that some folks had raised following the appointment of Dr Condoleezza Rice to the company's board, what with her previous direct links to — nay, involvement in — the United States' security apparatus.

In a post-Snowden world, appointing a former presidential National Security Advisor didn't seem to send the right message to users who might have hoped that their files were being kept securely.

"We've been fighting for transparency and government surveillance reform," wrote Houston, pedalling furiously. "We've been vocal and public with our principles and values. We should have been clearer that none of this is going to change with Dr Rice's appointment to our Board. Our commitment to your rights and your privacy is at the heart of every decision we make, and this will continue."

They're lovely words. They're good at lovely words at Dropbox. "We strive to provide great Services," it says in their terms and conditions.

But actions speak louder than words, and when I look at the evidence, I reckon that at Dropbox, the striving doesn't turn into the actions.

On Tuesday, information security consultant Graham Cluley reported how Dropbox had been contacted by the media, who were investigating claims by Intralinks — an enterprise file sharing and collaboration service — that it had stumbled across individuals' mortgage applications and income tax returns.

"Dropbox responded last night with a blog post saying it was addressing the vulnerability and that it was 'unaware of any abuse of this vulnerability'," Cluley wrote. "Well, clearly — despite Dropbox's protestations — users' data *was* exposed, otherwise files like this and this wouldn't have fallen into the hands of unauthorised parties."

This we-are-unaware denialism in the face of the clear potential for data breaches is bad enough. Absence of evidence is not evidence of absence — especially if you don't bother looking for such evidence. And in any event, being "unaware" isn't exactly a good look.

But it gets worse.

Cluley goes on to explain how Dropbox had been told about this vulnerability back in November 2013, only to wave it away. "We don't believe that this is a vulnerability. If someone accidentally shares a private Dropbox link it can be disabled at any time from the Dropbox website, on the Links tab," they replied at the time.

Cluley is unimpressed. "I think it's a pretty sad state of affairs that months can pass, and the BBC [British Broadcasting Corporation] has to be called in, before a service like Dropbox takes seriously a security concern impacting the privacy of its users," he wrote.

I am unimpressed. I think it's a pretty sad state of affairs that days can pass since the BBC was called in, and yet that solitary blog post is all that Dropbox has done to inform its users.

Surely when it comes to security, every user should be notified? But there hasn't even been a tweet.

It was the same when Dropbox responded to the Heartbleed vulnerability. Just a blog post.

If only there were some sort of machines, some sort of global communications system, through which Dropbox could contact its customers...

Unfortunately, startup culture requires that Dropbox's primary goal is MOAR USERS MOAR USERS MOAR USERS and a nifty logo, rather than, say, being honest. For all the talk of transparency, there's a strong incentive to sweep problems under the carpet, as Dropbox has done here.

That's why Dropbox is far from being the only company that talks the talk of security and privacy but, when the crunch comes, utterly fails to walk the walk.

And that's precisely why mandatory data breach notification laws, which require organisations to tell us when they know they've failed to protect the data we entrusted to them, don't go far enough. We need companies to make better efforts at preventing data breaches in the first place, and we need them to be honest about the risks to our privacy.

Just as we have product safety recalls, when companies make every effort to contact customers to warn them of potential problems, we need mandatory vulnerability notification laws — ones where a blog post that users are expected to find for themselves isn't enough to escape a penalty.
