Thoughts On the Dropbox Controversy

| 1 Comment

Though on travel last week, I've followed with interest the developing story over Dropbox misrepresenting its services (Wired has a copy of the complaint). In short, Dropbox made claims that data was encrypted and secured on its systems, and, in particular, that they didn't have access to the data. As it turns out, this isn't true. It now appears that they were - at best - using a shared AES256 key to encrypt the data, which the admins could use for indexing and recovery purposes. This issue has come to light in particular because law enforcement has been able to subpoena data from Dropbox directly, which was allegedly encrypted with a key unique to a user and unrecoverable by Dropbox, but which, it turns out, was readily recoverable. Dropbox has subsequently modified their license to remove the offending text.

While I certainly understand people feeling betrayed by Dropbox, it strikes me as a bit odd, especially from within the security industry, that people would actually trust the license and not assume that they're being misled. We have more examples than can be counted where PR, marketing, and lawyers have oversold services. It should come as no surprise that this is in fact happening with Dropbox.

It seems to me that if you're going to use a service like Dropbox, then you do one of two things: either you don't put sensitive data into their storage system or you encrypt it before uploading it. You should assume that the data is out of your control, and you should assume that the controls provided have a reasonable chance of failing. This is one of the key tenets of information survivability.

Now, that said, I certainly understand the outrage from people who feel betrayed and misled. For that, Dropbox should be punished by way of a fine from regulators. However, from my perspective (as a user of Dropbox), I don't think it really justifies withdrawing my business, nor do I want them be made an example of and essentially run out of business. I like their service and have been satisfied with how it was provided. Could I change? Sure. But why? Their performance is inline with my expectations, even if it was accurately represented in their license and TOS.

Bottom line: If you want to be upset about the Dropbox matter, then that's fine, you have every right, and I think you're justified in feeling that way. However, don't delude yourself into thinking that anybody (including Google, Amazon, etc.) are any different or any better. Caveat emptor. If the data is important, then you should be asserting your own controls on it, or using a different method altogether.

1 Comment

About this Entry

This page contains a single entry by Ben Tomhave published on May 19, 2011 11:45 AM.

Thoughts on Secure360 and RMISC (2011) was the previous entry in this blog.

Misunderstanding Risk Analysis is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.

Monthly Archives


  • about
Powered by Movable Type 6.3.7