
Dropbox Drops the Ball on Data Security

nsane.forums

Dropbox, a provider of cloud-based data storage services, is in hot water with the Federal Trade Commission over claims that it lied and intentionally deceived customers into believing that their data is more private and secure than it really is. Whether Dropbox was deliberately misleading, or just failed to clearly communicate policy changes, the complaint filed with the FTC illustrates concerns over online data security.

At issue are Dropbox's terms of service. Previously, the company stated in its terms of service that "all files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password." But, Dropbox has continued to modify the terms of service, and backpedal on exactly how secure customer data is--sometimes putting its foot in its proverbial mouth.

After a few amendments, the terms have been altered such that it now reads more to the effect that Dropbox can access and view your encrypted data, and it might do so to share information with law enforcement if it is compelled, but that employees are prohibited from abusing that power and viewing customer data.

According to encryption expert Vormetric, the root of the Dropbox scenario is that the keys used to encrypt and decrypt files are in the hands of Dropbox, not stored on each user's machine. While Dropbox might have policies prohibiting Dropbox employees from viewing files, a rogue employee could view customer data using the keys held by Dropbox.

Aaron Levie, co-founder and CEO of Dropbox rival Box.net, is a class act. Rather than take advantage of the situation to kick Dropbox while it's down, Levie gives his cloud competitor the benefit of the doubt. "I think Dropbox has its users' best interests at heart, but probably went a bit too far in the messaging. I believe they will rectify this."

Levie did, however, stress the importance of data security as well. "Broadly speaking though, security must be of critical importance to any cloud service, and businesses should be absolutely certain they can trust their provider--things like SAS 70 Type II certification, encryption in transit and at rest, and extensive security controls for users and IT should all be top of mind for enterprises looking to leverage the cloud."

Dropbox is a popular online data storage service with over 25 million users. I tend to side with Levie and assume that Dropbox doesn't have any insidious or malicious ulterior motives. It seems that Dropbox has perhaps been too fickle in trying to adapt its service and features to improve performance and address concerns, but I doubt Dropbox meant any harm.

That said, employees don't always follow policies, and the fact that customers might believe their data is impenetrable while Dropbox employees can actually view it at will is more than a little problem.

View: Original Article

Always wondered how "private" your data really is on these online services...

Although I don't store any sensitive data on my dropbox account, I gotta say that the article silencer posted is quite interesting for the future :)

Yeah I never do this.. under any circumstances.. Besides that.. when things truly become 'In The Cloud' and processing, bandwidth, transcoding...among other things is shared and is able to exceed limitations of single systems.. and connections... Serving a true purpose of Cloud Computing.... Which would truthfully require reforming the infrastructure itself.. forget it..

It just reminds me of a Bank scenario.. Pay to spend and secure your money.. while in the background.. you just gave someone the right to extort and get caught in a Savings and Loan scam which crashes the bank and you lose everything.. as well possibly even being implicated.. ( given enough twisted circumstances ) for simply going about the normality of your life...

There is a fine line in between 'crazy-smart'... and just plain crazy... Bad decision making and horrible habits concerning security would be the more eye opening... Tell me what cannot be exploited...??? Then tell me what will not... :) While some ideas may wind up being business ideas and practices in the times we live in now technologically... Just not always the best idea.. yeah.. So..

I think people are really afraid to call it by what it is... because of all of the sh!t slinging that is caused by saying a 'FileServer' or even the term 'Storage' these days.. even triggers questions of what and why... Even for personal usage .. gets targeted...IMO... I think it is just time that pretentiousness.. comes to an end and quits being used as a guilt trip... or used to force people into paying for feeling guilty... or even saying they are... common effect in a legal sense of the word.. where the game being played daily ( in courtrooms and by lawyers and other Entities formed to harvest ) ...really is not justice at all... I mean waking up and realizing one day that.. ' We do this out of fear of the corruption...within our perception which is a point of control .. only to serve those entities which abuse our very existence and give nothing in return in our interests ' It really doesn't do anything for anyone in that sense of it, at all.. Why do we waste our resources and time on them... What would we back idealistically... Why is there no truth to it.. nor any physical reality? The most damning question of all... Where is the real focus and end effect...

I dunno.. I am just thinking that 20 years in the 'line of work they do', after 4-8 years of college.. You would think that these laws could be 'peered' over to represent the people themselves and the needs they have today... Instead of feeling violated and robbed of normality, rights, and life in general. Instead of trying to save some dying giant.. I rather unload my gun and put it out of its misery.. as in the end this is what we have and its time to move on..

EDIT: My last thought is how maybe if they strangle us and other business and objectives long enough.. by holding the funds and charging outrageous prices.. Nothing else will ever be able to have proper funding and or ever surpass it.. SO they can continue to put money back into the machine itself.. I mean I think to an extent our addictions and fact that blind to the future we build sole reliability on these things.. to the point that if anything were to happen.. we are held hostage globally.. one thing or the other... dunno..

nsane.forums

Dropbox Speaks Out on Data Security Controversy

Dropbox has been making headlines this week, but not the kind of headlines that companies like to make. A complaint filed with the FTC accuses the cloud data storage provider of deceptive and misleading practices regarding just how secure customer data is. But, Dropbox takes exception to the claims and is speaking out to defend its security policies and terms of service (ToS).

Dropbox readily admits that it has altered the terms of service, but it rejects the idea that the terms were changed to backpedal on security or move the line in the sand as it relates to Dropbox data protection.

No, according to a new Dropbox blog post, the ToS is not fundamentally different than that of any other online entity--Google, Skype, Twitter, etc. Dropbox says the ToS was modified to clarify some points and make it easier for Dropbox customers to understand--especially when it comes to explaining the specific circumstances under which Dropbox might disclose information to law enforcement. "We felt our old TOS language was too broad, and gave Dropbox rights that we didn't even want." Dropbox also stresses that customer data is not just handed over to law enforcement at the drop of a hat. First, there is only an average of one such request per month--out of 25 million customers. Second, Dropbox has a stringent vetting process to ensure that any such data request is legally sound, and in the event that a request doesn't stand up to legal scrutiny Dropbox will stand up for the rights of the customer and protect the data.

I spoke with Dropbox founder and CEO Drew Houston who explained that Dropbox is acutely aware of security concerns, and it appreciates the responsibility it has to protect the data its customers entrust it with. With 25 million customers, keeping the data safely protected from unauthorized access is no small feat.

That said, there is a balancing act between security and simplicity, between encryption and usability. Dropbox data is protected in transit by SSL, and is secured at rest on Dropbox servers using AES-256 encryption. But, encryption is a complex concept that even seasoned IT veterans are sometimes intimidated by, so Dropbox manages the encryption keys rather than expecting customers to understand how to maintain and use their own private key.

But, organizations or individual customers that want better data protection and are comfortable managing their own encryption solution are welcome to encrypt their own data as well. There is nothing stopping Dropbox customers from encrypting their own data using something like Truecrypt, in which case Dropbox would have absolutely no ability to decrypt or access that data. The tradeoff, though, is that when that customer loses their own encryption key, there will still be no way for Dropbox to decrypt or access the data, and nothing that Dropbox can do to help a user recover their data.

Dropbox has been up front and transparent about the strengths and weaknesses of its data protection mechanisms. There are threads in the Dropbox forums dating back three years showing Dropbox support personnel informing users how the Dropbox encryption works, and threads in the forums where Dropbox explains that only certain key employees have the ability to access encrypted data, and only in strictly defined scenarios.

As with any story, there are at least two sides, and the situation can look entirely different if you just take the time to look at it from the other perspective. In writing my earlier post about the Dropbox data protection controversy, I took strides to downplay the ominous overtones of other media coverage and give Dropbox the benefit of the doubt, but some of the assertions made are still inaccurate and do a disservice to Dropbox. To be fair, I should have reached out to Dropbox directly for their side of the story in the first place.

View: Original Article

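The key-custody point that runs through both posted articles (Dropbox holding the AES-256 keys versus a user encrypting before upload with something like Truecrypt, after which neither the provider nor anyone else can recover the data without the user's key) as an added Go example; this is not code from the articles, from Dropbox, or from Truecrypt, and the function names and the SHA-256-as-KDF shortcut are assumptions of the example:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// userKey turns a passphrase only the user knows into a 256-bit key. Hashing with SHA-256
// stands in for a real KDF such as PBKDF2 or scrypt; that shortcut is an assumption here.
func userKey(passphrase string) [32]byte {
	return sha256.Sum256([]byte(passphrase))
}

func newGCM(key [32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(key[:]) // a 32-byte key selects AES-256; cannot fail at this size
	gcm, _ := cipher.NewGCM(block)    // cannot fail for an AES block
	return gcm
}

// encryptLocally runs on the user's machine before upload. The provider stores only the
// returned blob (nonce || ciphertext || GCM tag); the key never leaves the user.
func encryptLocally(key [32]byte, plaintext []byte) ([]byte, error) {
	gcm := newGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptWithKey is the only road back: any other key, including one the provider holds,
// fails the GCM tag check and returns an error instead of data, as does a tampered blob.
func decryptWithKey(key [32]byte, blob []byte) ([]byte, error) {
	gcm := newGCM(key)
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

func main() {
	key := userKey("correct horse battery staple") // constructed sample passphrase
	blob, _ := encryptLocally(key, []byte("constructed sample file contents"))
	_, err := decryptWithKey(userKey("provider-held-key"), blob) // provider cannot read it
	pt, _ := decryptWithKey(key, blob)                            // only the user can
	fmt.Println("provider:", err, "| user:", string(pt))
}
```

The same error path is what a user hits after losing their own passphrase, which is the recovery trade-off the second article describes.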
