Slashdot Mirror


Dropbox Can't See Your Dat– Er, Never Mind

bizwriter writes "Dropbox, the online backup and file sharing service, claims to have hit 25 million users in a single year. But a change in terms, noting that Dropbox will give up data to law enforcement under a legal request, showed that the company's security claims couldn't be possible. It turns out that Dropbox claims in one place that encrypted data makes it impossible for employees to see into user files, but in another says that they're only 'prohibited' from doing so."

7 of 333 comments

  1. the love of cloud by alphatel · · Score: 5, Insightful

    Every day I get a corporate client asking me why they can't just do all their work on the cloud. Here's the perfect reason why.

    --
    When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
    1. Re:the love of cloud by gkuz · · Score: 4, Insightful

      So that law enforcement can't access his data? What is his "business" area to be exact?

      I love the irony of this comment being posted by an AC. Tell you what, post using your real name, address and phone number, and I'll tell you a dozen reasons why privacy, even from law enforcement, can be a legitimate business need.

    2. Re:the love of cloud by MoeDumb · · Score: 4, Insightful

      That's the ticket. YOU do your own encryption before sending it up to the cloud. Then it doesn't matter what DB does.

      --
      Mod Me Up. You'll make a grown man cry.
    3. Re:the love of cloud by Rob the Bold · · Score: 4, Insightful

      Well it's not a perfect reason. Many companies traditionally send their backup tapes or their shred bins or boxes of old files to an operator like Iron Mountain to store / destroy them. I expect Iron Mountain would comply with a court order just as readily as a cloud operator. I suppose with cloud operators the jurisdictions are more likely to differ which could be considered an advantage or not depending on why the court order is being served.

      I noticed that although you write "court order" here -- and probably a lot of us are making the same assumption -- that phrase is not used in the Dropbox terms quoted in TFA. Instead, it reads "...Dropbox cooperates with United States law enforcement when it receives valid legal process..." It certainly makes you consider that Dropbox -- like other service providers with access to your data -- would give up your files just for a request from the cops, the FBI, etc. without even the limited due process of an actual court order.

      --
      I am not a crackpot.
  2. The cloud is never secure ... by Blade · · Score: 5, Insightful

    Maybe it comes from working in IT, but I always assume that if someone else is holding my data, they can access it. It doesn't interest me what they say - that's my basic starting assumption. So I always assumed that Dropbox could get to my data, and if I cared about the privacy of that data I just encrypted the files myself first.

    It's my data, I'm in control of it. Giving it up to someone else and hoping they keep it safe is silly.

    I'm surprised so many people are surprised (and I wonder if the people who are surprised haven't been in IT long?)

  3. Re:It is not impossible by TheRaven64 · · Score: 4, Informative

    This is the point of tarsnap. Open source client, you can verify it and the encryption that it uses. It encrypts everything before uploading and can't be decrypted on the server without access to a key that's only stored in the client.

    --
    I am TheRaven on Soylent News
  4. Re:It is not impossible by Anonymous Coward · · Score: 5, Informative

    With encryption, the file usually *completely* changes, thus giving Dropbox no choice but to upload/download the whole thing.

    I've never used TrueCrypt, but from what I know, I suspect the chances of the entire encrypted volume changing when you make any change is close to zero. It would kill performance to have to rewrite the entire volume every time. It has to only update portions. So then the possible solution to this would be to treat it like BitTorrent does, where it breaks it into chunks and checksums each chunk. When only a small portion of the file changes, it then knows which chunks to reupload. Whether or not Dropbox can or does operate this way, I have no idea, but in general, it is feasible to implement into a service.
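
Added example, not part of the thread: the chunk-and-checksum comparison described in the last comment, run over two kinds of client-side encrypted data. The chunk size, key and sample file are constructed, and a toy hash-based keystream stands in for a real cipher purely to reproduce how the ciphertext changes.

```python
import hashlib
import os

CHUNK = 4096  # assumed chunk/sector size, chosen for illustration


def changed_chunks(old: bytes, new: bytes, size: int = CHUNK) -> list[int]:
    """Indexes of fixed-size chunks whose SHA-256 differs between versions."""
    def digests(blob):
        return [hashlib.sha256(blob[i:i + size]).digest()
                for i in range(0, len(blob), size)]
    a, b = digests(old), digests(new)
    return [i for i in range(max(len(a), len(b)))
            if i >= len(a) or i >= len(b) or a[i] != b[i]]


def _xor_stream(key: bytes, tweak: bytes, data: bytes) -> bytes:
    # Toy SHA-256 counter keystream: a stand-in for a real cipher, only here
    # to reproduce how ciphertext changes. Not for protecting data.
    stream = b"".join(hashlib.sha256(key + tweak + n.to_bytes(8, "big")).digest()
                      for n in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, stream))


def encrypt_container(key: bytes, plain: bytes) -> bytes:
    """Volume style: every sector is encrypted on its own, keyed by its index."""
    return b"".join(_xor_stream(key, (i // CHUNK).to_bytes(8, "big"), plain[i:i + CHUNK])
                    for i in range(0, len(plain), CHUNK))


def encrypt_whole_file(key: bytes, plain: bytes) -> bytes:
    """File style: one fresh random nonce per save, prepended to the output."""
    nonce = os.urandom(16)
    return nonce + _xor_stream(key, nonce, plain)


def demo() -> tuple[list[int], list[int]]:
    key = b"constructed-demo-key"
    v1 = bytes(range(256)) * 256            # constructed 64 KiB "file", 16 chunks
    v2 = bytearray(v1)
    v2[5 * CHUNK + 10] ^= 0xFF              # one-byte edit inside chunk 5
    v2 = bytes(v2)
    container = changed_chunks(encrypt_container(key, v1), encrypt_container(key, v2))
    whole = changed_chunks(encrypt_whole_file(key, v1), encrypt_whole_file(key, v2))
    return container, whole


if __name__ == "__main__":
    print(demo())
```

The sector-wise container reports a single changed chunk, while the file re-encrypted under a fresh nonce reports every chunk as changed, so a chunk-level sync only saves bandwidth for the first kind.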