Dropbox's privacy commitment questioned

News 20 Apr, 2011

It’s popular because it’s cheap and simple to use, but just how secure are your Dropbox files?

Dropbox users have been forced to reconsider the security of the files after revelations the provider will decrypt and release customer information to law enforcement authorities.

Dropbox, which has quickly become popular with individuals and small agencies, has inserted a clause in its terms of service which states the company will turn over files to the authorities if they ask for them.

In a move heralded as “not surprising but disappointing” by analysts, the decision brings Dropbox into line with the terms of other cloud providers, including Amazon and Google.

In a clause entitled “compliance with laws and law enforcement requests; protection of Dropbox’s rights,” the company declared it “may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to... comply with a law, regulation or compulsory legal request.”

“If we provide your Dropbox files to a law enforcement agency as set forth above, we will remove Dropbox’s encryption from the files before providing them to law enforcement,” the clause continued.

“Dropbox will not be able to decrypt any files that you encrypted prior to storing them on Dropbox.”

RedMonk analyst James Governor said, whilst disappointing, the move was to be expected.

“To be frank, Dropbox has little choice, given it runs on Amazon Web Services, which would give up the data is asked anyway,” he said. “Most US web companies would rather comply than argue with the Feds.”

“When Amazon turned off Wikileaks, the issue got a lot of attention. Twitter has been a good citizen in this regard – at least it asks for subpoenas – and it seems Dropbox is following them.”

Governor said he believed there was a disconnect between Dropbox promising security – and its claims stored data is encrypted and cannot be accessed by Dropbox employees or third parties – and then announcing via a terms of service change they can and may decrypt and release a customer’s personal files.

“Dropbox’s decision won’t hurt it with small or independent companies so much as big ones,” Governor said. “Thus for example an IBM employee certainly shouldn’t use Dropbox to hold IBM-related information. Corporations prefer to make their own arrangements with legal jurisdictions.”

“Of course small agencies, a key Dropbox client base, may find their clients have issues with use of the software.”

However, Governor said Dropbox was still “a truly great service.”

“This just seems to be the way the wind is blowing at the moment,” he said.

Dropbox did respond to Cloud Pro's request for comment.

Dropbox offers two free gigabytes of storage to small customers and inexpensive storage to agencies needing more space in the cloud. It places a special folder on your hard drive at installation, which users can then place and remove files as required.

These are then automatically synced with the user’s Dropboxes elsewhere – be it other computers or mobile devices like tablets and smartphones.