Dropbox Lied to Users About Data Security, Complaint to FTC Alleges

This topic is archived.

Newsjock Donating Member (1000+ posts) Fri May-13-11 05:05 PM
Original message
Dropbox Lied to Users About Data Security, Complaint to FTC Alleges
Source: Wired

Dropbox, the wildly popular online storage system, deceived users about the security and encryption of its services, putting it at a competitive advantage, according to an FTC complaint filed Thursday by a prominent security researcher.

The FTC complaint charges Dropbox (.pdf) with telling users that their files were totally encrypted and even Dropbox employees could not see the contents of the file. Ph.D. student Christopher Soghoian published data last month showing that Dropbox could indeed see the contents of files, putting users at risk of government searches, rogue Dropbox employees, and even companies trying to bring mass copyright-infringement suits.

Soghoian, who spent a year working at the FTC, charges that Dropbox “has and continues to make deceptive statements to consumers regarding the extent to which it protects and encrypts their data,” which amounts to a deceptive trade practice that can be investigated by the FTC.

... Those architecture choices mean that Dropbox employees can see the contents of a user’s storage, and can turn over the non-encrypted files to the government or outside organizations when presented with a subpoena.

Read more: http://www.wired.com/threatlevel/2011/05/dropbox-ftc/

aquart Donating Member (1000+ posts) Fri May-13-11 05:46 PM
Response to Original message
1. Online storage. And people believed them?
Good Lord.

mike_c Donating Member (1000+ posts) Fri May-13-11 06:02 PM
Response to Original message
2. there's an easy solution....
Edited on Fri May-13-11 06:03 PM by mike_c
Encrypt your own files before storing them in your dropbox. That's a no-brainer for anyone interested in data security. At the very least, if we rely on someone else's assurances of encryption we should ask for-- and understand-- the details about data security they provide. But better not to trust strangers at all, frankly. Encrypt your own files.

kestrel91316 Donating Member (1000+ posts) Fri May-13-11 06:16 PM
Response to Reply #2
3. Hi mike c! Can you give me a quick plain English tutorial on how to encrypt,
say, a Word document? I am just not that computer-savvy and don't want to lock something up where I can't retrieve it, lol.

mike_c Donating Member (1000+ posts) Fri May-13-11 06:37 PM
Response to Reply #3
6. hi kestrel....
Encryption isn't difficult-- there are lots of free, open-source, and for-profit encryption programs available that mostly do it transparently and automatically. TrueCrypt is one: http://www.truecrypt.org/, SafeHouse is another: http://www.safehousesoftware.com/. There are lots more. Most have pretty straightforward instructions.

In the present thread, one could set up a TrueCrypt encrypted volume in the DropBox folder and every time you added files to that directory they would be automatically encrypted on the fly and decrypted just as transparently when accessed later.

Occulus Donating Member (1000+ posts) Fri May-13-11 10:31 PM
Response to Reply #3
9. I'm going to add to Mike_c's advice and talk about the passwords themselves
Edited on Fri May-13-11 10:34 PM by Occulus
You really, really don't want an easy-to-guess password. Initials, birthdates, pets' names, and such should be right out. Ideally, your password is complete garbage, like this:

tYy&M,@Q

or something similar. I can tell you, from experience, that truly secure passwords are an unholy bitch to memorize, but once you do and you use it enough for your brain to have muscle memory of it, the password will be actually easier to 'just type in' than it will be to write it out if you have to think about it. It's hard to describe that, but one day, something in your head will just 'click' and you'll be able to type in the password as quickly as you type actual words.

DON'T use something like:

kestrel051963

where 061963 is your date of birth. Definitely do NOT use names or places, and don't use dictionary words either. Such words are very easily hacked.

DO mix capitals and lower case letters, DO use punctuation- in particular, punctuation other than the comma and the period, and DO use special characters, such as !, @, #, $, %, ^, & or * where allowed (the software mike_c describes, in general, allows you to do just that).

Hope this helps!
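
The password rules from reply #9, turned into a checker and a generator. This is an added example, not part of the original thread: the function names and the four-word sample list are constructed for illustration, and a real check would use a full dictionary plus the user's own names and dates.

```python
import re
import secrets
import string
from math import log2

# Special characters named in the post; SAMPLE_WORDS is a constructed sample.
SPECIALS = "!@#$%^&*"
SAMPLE_WORDS = {"kestrel", "password", "dropbox", "summer"}
ALPHABET = string.ascii_letters + string.digits + SPECIALS


def audit(password):
    """Return the rules from the post that this password breaks."""
    problems = []
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("no mix of capitals and lower case")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation or special character")
    if re.search(r"\d{6,8}", password):
        # Six to eight digits in a row usually means a birthdate.
        problems.append("date-like digit run")
    lowered = password.lower()
    if any(word in lowered for word in SAMPLE_WORDS):
        problems.append("contains a name or dictionary word")
    return problems


def generate(length=12):
    """Draw passwords from the OS CSPRNG until one passes audit()."""
    if length < 8:
        raise ValueError("length must be at least 8")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not audit(candidate):
            return candidate


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Upper bound on entropy of a uniformly random password, in bits."""
    return length * log2(alphabet_size)


if __name__ == "__main__":
    for sample in ("tYy&M,@Q", "kestrel051963"):   # the two examples in the post
        print(sample, audit(sample))
    print(generate(), round(entropy_bits(12), 1), "bits")
```

The 8-character example in the post draws on roughly 49 bits at best; each extra random character adds about 6 more, which is why `generate()` defaults to 12.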
 
Incitatus Donating Member (1000+ posts) Fri May-13-11 06:19 PM
Response to Original message
4. Why do people use a service like this?
Storage devices are very cheap. Why would anyone upload something they want to keep private to an online site?

TheWraith Donating Member (1000+ posts) Fri May-13-11 06:35 PM
Response to Reply #4
5. I use it. It's an easy way to store things so they're accessible to me elsewhere.
I don't necessarily want to carry all my storage with me at all times, or maintain a running tally of which files are where.

It also lets me fairly quickly transfer files to or from other devices which I can't plug a USB drive into.

mike_c Donating Member (1000+ posts) Fri May-13-11 06:45 PM
Response to Reply #4
7. I use DropBox daily....
Edited on Fri May-13-11 06:48 PM by mike_c
I might work on any one of half a dozen of my own computers at any given time-- in my home office, my University office, my lab, on my laptop at the library, or on a smart classroom computer. I used to use a portable hard drive to synchronize files on my main three or four computers, but you have to be pretty diligent to avoid confusing file versions or to prevent data loss when you get behind. It works, but after you try DropBox you'll never want to use such a cumbersome method for synching files again. Drop them in your DropBox folder and they simply appear on every computer you have running DropBox, and they're available via browser from any other computer. It's super convenient. It just works. Now I don't maintain four or five (often imperfectly) mirrored file systems manually-- I just store anything that I want synched in my DropBox folder. You can store your entire user file system there if you want, making all your files instantly accessible from anywhere. Set up a TrueCrypt volume inside your DropBox and voilà! Privacy.

kestrel91316 Donating Member (1000+ posts) Fri May-13-11 10:14 PM
Response to Reply #4
8. I have computers at home AND at my office, and I frequently need certain
files in both locations. I was going crazy with flash drives and backup hard drives and such until I found Dropbox.

I do some writing. I can work on a project at work, and then access the same files at home to keep working in the evening.

And my extensive family photo collection is stored on BOTH hard drives AND in the cloud.

Any time I turn on either computer it automatically syncs with the more recent file editions. I LOVE IT!!!!! Really, my stress level has plummeted because of this software.

Occulus Donating Member (1000+ posts) Fri May-13-11 10:36 PM
Response to Reply #4
10. Well, people who travel a great deal would find it convenient
Business or pleasure, traveling with a computer means your hard drive may be subject to search. A service like Dropbox is much, much more convenient than TSA taking an image of the whole thing, or mailing the drive to yourself, or lugging around a portable hard drive.

I would do what mike_c suggests, though, and encrypt it with an open-source solution lacking any backdoors first (using the sorts of passwords I describe above), just to be on the safe side.

Renew Deal Donating Member (1000+ posts) Fri May-13-11 10:41 PM
Response to Reply #4
11. It's not always about keeping stuff private
Sometimes easily sharing a file is more important. It's a great way to share files between people or to have the file in more than one place. No disks or copying needed.