Dropbox Faces the FTC After Allegedly Lying to Users About Data Security
Dropbox Faces the FTC After Allegedly Lying to Users About Data Security
Posted 05/15/2011 at 1:38pm
| by Justin Kerr
21
Comments
Print
We’ve recommended Dropbox in so many features & how-to’s we’ve lost count. It’s an amazing service that just keeps getting better, but the company has found itself in hot water with the FTC over concerns of anti-competitive behavior related to its file encryption.
Wired has done an excellent deep dive on the full FTC complaint against Dropbox, however the main allegations stem from the way Dropbox says it handles your files, and what it actually does in reality. Many of these complaints have resulted in changes to its terms of service, but the FTC is investigating competitor’s allegations that the company has been intentionally vague. For Example:
On April 13th Dropbox revised its data security policy to read “All files stored on Dropbox servers are encrypted (AES 256)”. Compare this to the previous wording which states “All files stored on Dropbox servers are encrypted (AES256) and are inaccessible without your account password”. Both policies sounds like you are the only one capable of accessing your data, although this would not technically be correct. Dropbox employees can in-fact access your password and decrypt your data, they are just told not to.
Company Spokewomen Julie Supan further clarified by saying “Dropbox employees aren’t able to access user files.” That means that we prevent such access via access controls on our backend as well as strict policy prohibitions. That statement didn’t say anything about who holds encryption keys or what mechanisms prevent access to the data. We updated our help article and security overview to be explicit about this. Also, to clarify we’ve never stated we don’t have access to encryption keys. We’ve made quite a few posts in our public forums over the years about this very fact and we are quite open with our community.”
From a technical stand point Dropbox claims it needs raw access to your data to prevent users for needlessly uploading duplicate files that might already be stored in another user’s account. Competitors such as SpiderOak and Wuala who perform client side encryption are unable to use similar techniques to reduce their storage footprint since they are unable decrypt your data. Both companies argue Dropbox is claiming similar security functionality they don’t deliver by engaging in clever wordplay.
At the end of the day it’s important to understand Dropbox can indeed decrypt your data under certain circumstances, and does that matter to you.
More like this
21
Comments
Comments are closed on this article
fry
May 16, 2011 at 11:31am
Predicatable, which is why anyone with half a brain is encrypting important files before uploading them to Dropbox. Glad to see I'm not the only paranoid one around here.
Joji
May 16, 2011 at 3:41pm
I'm guessing I'm one of those without a brain then. You think I show encrypt all important files on other sites like Mediafire, 4shared, and MegaUpload?
skirge01
May 16, 2011 at 6:10am
It's not that big of a deal to zip your files with encryption before sending them up. I don't trust anyone with my files, including family members, whose computers I use for offsite storage. You never know who is going to gain access to the computer holding your files. ALWAYS encrypt them yourself.
maddingo
May 15, 2011 at 10:51pm
well I have always been dubious of the cloud
I use it some, I just use truecrypt and encrypt stuff before I load it to my cloud storage.
I would not load anything in the clear I didn't mind the world seeing
tornato7
May 15, 2011 at 7:50pm
I really wouldn't care if some random person on the other side of the country was able to view all of my files. (exculding cookies and autofill which will have passwords and personal info. I think that's all heavily encrypted anyway(or at least i hope it is).)
Joji
May 15, 2011 at 7:31pm
Whoa... I should tweat this to all my friends... thanks for the info! :O
kleinkinstein
May 15, 2011 at 4:20pm
Anything you care about should avoid the cloud. Encryption breaks with so little effort. Don't take any solace in the encryption mirage!
QuadCoreAbe
May 15, 2011 at 9:04pm
Well, lets see how you can crack 256bit encryption then. If you don't have access to the key or the algorythm, encryption at that level is flawless. Most hackers will not think it's worth it to spend time attempting to brake such deep encryption and will just wander around the web looking for qwerty passwords instead.
Bullwinkle J Moose
May 16, 2011 at 5:45am
Just Google "Encryption cracked on NIST Certified hard drives"
256bit AES has already been cracked
And since you don't seen to be very up to date with the news..
Try this Google Search> Flash drive manufacturers warn:
These AES encrypted flash drives show that they are backdoored whereas the newer drives hide the fact much better now
ZDNet Jan 6 2010
NIST Certified Kingston, Sandisk and Verbatim USB Flash Drives
When the correct password is supplied by the user, the authentication program always sends the same character string to the drive to decrypt the data, no matter what the password used.
This character string was the same for all 3 manufacturers, proving once and for all that your AES encrypted hardware is backdoored for Govt access!
Get a Clue, then crawl under a rock!
ALL AES Hardware encrypted Hard Drives, thumbdrives, Cellphones, etc are backdoored
This problem was in the news WAY back when sprint started using backdoored encryption but the Internet has been censored from most of this useful information
geewhipped
May 16, 2011 at 9:30am
AES 256 has NOT been cracked...
those flawed hardware implementations have.
very different.
Besides, nobody is talking about uploading a hardware-encrypted drive to dropbox...
I guarantee you that if I upload a AES 256 encrypted zip file or truecrypt volume with a properly-long non-dictionary key, nobody short of the NSA will be cracking it within the next 15 years.
Bullwinkle J Moose
May 16, 2011 at 3:02pm
Oh, you Guarantee do you?
Then show me the sourcecode for the hardware encryption baked into every AES device so we can test them thouroughly in a public forum
Oh, you can't?
Then you can't Guarantee anything can you?
Go crawl back under your rock
aarcane
May 16, 2011 at 1:29am
aes256 is in fact a standardized algorithm. Advanced Encryption Standard. note the Standard. as for not having a key.. that's a little issue. With today's massive GPUs and CPUs, anyone with a few moderate computers lying around could crack an individual key in a matter of weeks, if your data was that important.
The problem this article expresses is that any employee can get ahold of the key and have INSTANT access to your data without any need for additional cracking or "brake"ing.
Bullwinkle J Moose
May 16, 2011 at 3:04pm
If the standard uses a single unlock key, regardless of the password you choose, then the correct term is SPYWARE!
Prove its not before making any more wild claims
roninnder
May 16, 2011 at 12:39pm
Any amount of time could be expressed as a "matter of weeks." In this case it would be thousands of weeks assuming a strong non-dictionary password is used.
knipfty
May 15, 2011 at 2:52pm
If you don't want someone to read it, make sure you encypt it yourself. Dropbox is a great product, I use it daily. Anything on it that I truly care about would be encrypted BEFORE it goes on the cloud...
Mighty BOB!
May 15, 2011 at 2:28pm
So pre-encrypt any important files before uploading them.
Of course that's not ideal for stuff like photos and music backups, but would be prudent for important personal data.
kixofmyg0t
May 15, 2011 at 1:52pm
If a Dropbox employee can decrypt your files and view them, Anonymous can too.
Just throwing it out there.
kixofmyg0t
May 16, 2011 at 5:41am
Yep. Removing OtherOs cripled the PS3. OherOs was the most important thing about the PS3. How can you even use a PS3 without OtherOs?!?
It's not like the thing was made to play games or anything, cuz you know THAT WOULD BE ABSURD. Why have a decent game machine when you can have a half ass linux machine with only 256mb of RAM?
Yep.
roninnder
May 16, 2011 at 12:41pm
That's like saying it's ok for the dealer to take the stereo out of your car after you bought it and drove it for a year. Well you can still drive the car; so why should you care if it no longer has a stereo?
kixofmyg0t
May 16, 2011 at 3:35pm
How many people use their stereo? Everybody.
How many people used OtherOs? A FRACTION of 1% of total PS3 users. Which btw I was one of the few who used OtherOs.
No its more like removing the cigarette lighter than the radio, idiot.
Yes, removing the ability to make a 10 gig partition for a linux with no GPU access and only 256MB(well, really more like 192MB but well give you the argument of ALL 256MB) of RAM is TOTALLY the worst thing EVER. *yawn*
If you want a gimped linux so bad buy a laptop from 2003, you'll get the same experience.
Connect with MaximumPC
Featured Content
The gang discusses the GTX 690, Trinity, Ivy Bridge, Amazon, big-box stores, MMOs,...
This month's issue
Feature
Build a PC On Any Budget
Feature
Cloud Services Showdown
How-To
Encrypt Your External Drive
Build It
Upgrade an X58 Rig
Most Commented Articles
Latest Max PC Tweets
- maximumpc: Original RickRoll Video Returns to YouTube After 24-Hour Copyright Hiatus http://t.co/MaH9Sxyy1 day 4 hours ago
- maximumpc: Corsair has decided not to go forward with its $78 million IPO, citing weak equity market conditions http://t.co/A5a4DAzj1 day 4 hours ago
- maximumpc: Want to work at Maximum PC? Our Online Managing Editor, Alex, is moving away, so we need a new one. http://t.co/9Z7JCh0E3 days 1 hour ago
