Slashdot Mirror


Dropbox Head Responds To Snowden Claims About Privacy

First time accepted submitter Carly Page writes When asked for its response to Edward Snowden's claims that "Dropbox is hostile to privacy", Dropbox told The INQUIRER that users concerned about privacy should add their own encryption. The firm warned however that if users do, not all of the service's features will work. Head of Product at Dropbox for Business Ilya Fushman says: "We have data encrypted on our servers. We think of encryption beyond that as a user's choice. If you look at our third-party developer ecosystem you'll find many client-side encryption apps.... It's hard to do things like rich document rendering if they're client-side encrypted. Search is also difficult, we can't index the content of files. Finally, we need users to understand that if they use client-side encryption and lose the password, we can't then help them recover those files."

17 of 176 comments

  1. umm duh? by Noah+Haders · · Score: 3, Insightful

    Search is also difficult, we can't index the content of files.

    umm duh, that's the point? sucks when your customers can't trust you.

    1. Re:umm duh? by AudioEfex · · Score: 5, Insightful

      Yeah, uh, because all "cloud" services aren't inherently ridiculous for anyone to consider secure or anything...

    2. Re:umm duh? by Charliemopps · · Score: 5, Insightful

      Yea, we use a very expensive cloud service that per the contract is encrypted at rest and in transit. After 5yrs I happened to have a networking issue and did a packet capture on the stream... no encryption. So we approached them... "Encryption? No, we don't do that..." We explained that it was in the contract and they HAD to do that. So after 2 months they had to move us to a "Special" server and we were encrypted. I checked the packets again and we were at least encrypted in transit. A few months later we had another trouble ticket with them. One of their techs was working on it and explained how he logged in and edited the table raw to fix it. So I asked how he could do that if the data was encrypted. "Encryption? No, we don't do that..." ugh... so now we're supposedly "really" encrypted.

      The problem with cloud services is they can lie, cheat and steal with your data and there's nothing you can do about it. You can't verify it, you can't test it, and if anything happens to it you wouldn't have a clue. You're entirely at the mercy of the provider and as time goes on their internal staff can turn over, competence can wane, controls can get lax, and you'll have no idea any of that is happening.

    3. Re:umm duh? by Immerman · · Score: 4, Insightful

      So, when you contracted with these folks did they issue you a kilobyte-long encryption key with a warning not to lose it or your data would be permanently inaccessible? And did you have to use that key every time you stored or retrieved data with them? If not, then that's your glaring red flag that any encryption they might offer is a sham. Even if it were stored encrypted on their servers, if you can access it without supplying the encryption key that means they're essentially storing the keys in the lock to the safe.

      Which is why, honestly, I'm okay with folks like Dropbox being a bit lax about security, provided they're open about it. Encryption in transit is nice if you just want to keep idle prying eyes off your not-terribly-sensitive data, and SSH provides a convenient way to implement it. But if you want real security on the stored data the *only* way to get it is if you do just what they're suggesting and exercise total personal control over the encryption. That data should be securely encrypted before it ever leaves your computers, and you are the only one who should possess the keys to decrypt it. If you want people in your organization to have easy access without worrying about encryption then establish a local proxy that will transparently handle the encryption and decryption as data flows through it to your cloud provider.

      Actually that could be a great internet appliance - it could even perform indexing of the data if you wanted it to, while providing near-perfect security for *any* remote data-server offering. If anyone decides to market such a thing I want 1% for the idea - we can make each other rich.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
  2. Our stuff is encrypted!!!! by Y2K+is+bogus · · Score: 5, Insightful

    With the keys we readily hand over when warranted.... o_O

  3. Duh by backslashdot · · Score: 5, Insightful

    Dropbox has Condoleezza Rice on its board of directors. If anyone remembers, she was Secretary of State and also the president's National Security Advisor during the Bush administration. She basically allowed torture, and is responsible for Guantanamo. She had no problem with torturing people without even doing a basic check to see if the person being tortured was guilty of the crime he was being tortured for. And you want to talk about spying? She was part of the administration that developed the PATRIOT Act. The justification being "it's ok to spy on foreigners" .. Oh and we can DECLARE you a foreigner without any due process by making you prove your Americanness. She was cool with torturing foreigners without giving them any sort of due process, so why would you assume that she won't torture citizens if she was scared into doing so? We already know she doesn't think people need privacy.

    1. Re:Duh by operagost · · Score: 3, Insightful

      Good thing she's not a Democrat, or we'd all be calling you racist and sexist.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
  4. Re:Worst Response of all Time by Anonymous Coward · · Score: 5, Insightful

    It's not stupid; it's just a fact. Obviously they can't do any of that crap if they can't decrypt your data, but that's fine by me.

  5. Re:Worst Response of all Time by AudioEfex · · Score: 5, Insightful

    It's not stupid; it's just a fact. Obviously they can't do any of that crap if they can't decrypt your data, but that's fine by me.

    Exactly. Gotta love the knee-jerk, I can't have a logical thought because I'm just so ready to rant about "the man" bullshit. Especially since it sounds like it's coming from someone who doesn't even use or understand the service.

    Dropbox is file storage, plain and simple. I use it to make a few music files and some reading material available across my devices. That's its main function, to store/share files.

    All that other shit he is talking about that encryption won't work with is all fluff and ancillary stuff - I name my files properly, for example, so I don't need them to search within them for me. The service works just fine with encrypted files - you just can't use the fancy doodads that you don't really need anyway.

    I applaud him for being honest - if this was certain other companies they'd be telling you "oh trust us. It's secure!" He's being honest - it's a dumping spot for files, if you want encryption, BYO.

    Christ some of the folks around these parts don't know their heads from their asses - use the words encryption or privacy and they don't even listen or understand wtf is being talked about they just automatically jump to tired fear mongering rhetoric. Just like the folks who take rifles strapped across their backs to Starbucks - I want to say, WTF are you so scared of? And if you do have something to be scared of - stay the fuck home, or in this case, don't be a complete retard and use a "cloud" service to begin with.

  6. Cloudy, chance of rain by AndyCanfield · · Score: 1, Insightful

    Dropbox is cloud. Cloud is a remote hard disk. My hard disk has nothing to do with privacy; anyone who can SSH into my computer can read my hard disk. Put that hard disk on the Internet, in "the cloud", and the same thing applies, anybody logged in to the Internet can read your dropbox. Hey, I thought that was the PURPOSE of Drop box, to share files. If you want privacy, burn a DVD and hand it to the guy.

    For me, my notebook has a 1TB hard disk. I have a web site I control. Yeah, my web site is hostile to privacy; that's the whole purpose of a PUBLIC web site. I had a "Dropbox" and dropped it.

    1. Re:Cloudy, chance of rain by martin-boundary · · Score: 2, Insightful

      How is that insightful? You've completely missed the whole point of privacy laws. In law, your hard drive in your computer is yours, and it is not public unless you go out of your way to make it so. In particular, anyone who uses ssh to access your hard drive breaks the law, unless you've specifically authorized them to do so. Lots of people, some slashdot readers, have gone to jail for doing just that.

      Also, your hard disk, in your computer, in your house isn't searchable by law enforcement unless they have a warrant. So keep your stuff at home, and you'll be better off than leaving it on Dropbox (*).

      (*) I can see you're unconvinced. Let me spell it out for you: if your file is on Dropbox, then a properly worded warrant needs to be served to Dropbox, and they'll allow searches and copies of anything their hard drives contain. Including your file, your neighbour's file, everybody's files. If everybody keeps their own files at home, then a warrant needs to be served to you, to see your files, but it won't work for your neighbour's files. Another warrant needs to be served to the neighbour to see his files. And it won't work for everybody else. A warrant needs to be served individually to everyone, just to get the same access that Dropbox can give with a single properly worded warrant.

  7. Re:Worst Response of all Time by Kardos · · Score: 5, Insightful

    So, you would have preferred a positive sounding statement indicating that they are aware that some users have privacy concerns and a vague reference to ongoing efforts to address these concerns?

    I didn't find that response "worst of all time". It came across as lacking in the bullshit department, almost refreshingly so, actually.

  8. Trust No One = TNO by Streetlight · · Score: 5, Insightful

    Steve Gibson's mantra: TNO. If the host has your encryption password/key, then they can't be trusted. If you don't believe that, ask Snowden's email provider, Lavabit's founder Ladar Levison: http://www.wired.com/2014/04/l...

    --
    In a time of universal deceit, telling the truth is a revolutionary act. George Orwell
  9. No big deal (except the encryption part) by scottbomb · · Score: 2, Insightful

    I don't need them to do "rich document rendering" (whatever the hell that is) nor do I need them (or anyone else to) index the contents of my files. All I want is for someone to STORE the shit and keep it synced between all my machines. Dropbox does this very well.

    As for encryption, I don't have time for that nonsense. Anything sensitive such as financials is kept locally on my own server or burned to a DVD and put in the closet. I couldn't care less if someone gets a hold of my vast collection of pictures and documents. It is private, but not going to hurt me if someone at the NSA starts snooping around.

    1. Re:No big deal (except the encryption part) by Anonymous Coward · · Score: 0, Insightful

      You don't understand how it works, you are providing the raw materials they will use to construct the stuff to hurt you.

  10. We should add our own encryption??? by DrXym · · Score: 2, Insightful

    Hi Dropbox, stop blaming users. You are in the strongest position possible to offer encryption in Dropbox because it's your software. You know the triggers that cause files to be exchanged. You know the optimal way to minimize network traffic. If you can send and receive files, then why can't you also encrypt / decrypt files in this step? This could be as simple as providing a settings screen where the user enters a passphrase and once enabled all files within a protected folder are encrypted before they leave the client. This encryption could also scramble file names and break up large files into parts to obfuscate their size.

    Yes you'd have to warn the user that a protected folder means exactly that and there are restrictions on what you can do with it, e.g. access in some dropbox clients, web browsers, sharing to others. People will get it.

    Even better, this encryption / decryption could be thrown open as a pluggable API so 3rd parties could write their own encryption protocols to whatever personal or corporate standard they desired. For transparency the aforementioned passphrase encryption could even be supplied for review.

    Same goes for Skydrive, Google Drive etc. There is no excuse for not offering encryption. Not that I'm in the tinfoil hat camp to think this is to facilitate monitoring (although it does). More likely it's because these cloud storage servers use file hashing to spare themselves the bother of storing 1,000,000 copies of the same file. It still sucks though and even if the option is off by default, encryption of at least one folder should be provided.
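
Added example, not part of the thread and not Dropbox's code: a sketch of the client-side scheme that Immerman (a local encrypting proxy) and DrXym (a passphrase-protected folder with scrambled names and files split into parts) describe above. The part size, the function names and the SHAKE-256 stand-in cipher are assumptions, chosen so the block runs on the Python standard library alone.

```python
import hashlib, hmac, os
CHUNK = 4096  # assumed fixed part size: every stored object has the same length

def derive_keys(passphrase, salt):
    # One passphrase, three independent keys: encryption, integrity, file names.
    k = hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1,
                       maxmem=64 * 1024 * 1024, dklen=96)
    return k[:32], k[32:64], k[64:]

def scrambled_name(name_key, path, index):
    # Keyed hash: the provider learns neither the file name nor which parts go together.
    return hmac.new(name_key, f"{path}\0{index}".encode(), hashlib.sha256).hexdigest()

def _xor_stream(enc_key, nonce, data):
    # Stand-in cipher built from SHAKE-256 so the example needs only the stdlib.
    # A real client should use a vetted AEAD such as AES-GCM instead.
    stream = hashlib.shake_256(enc_key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(enc_key, mac_key, name, part):
    nonce = os.urandom(16)
    padded = len(part).to_bytes(4, "big") + part.ljust(CHUNK, b"\0")
    body = nonce + _xor_stream(enc_key, nonce, padded)
    return body + hmac.new(mac_key, name.encode() + body, hashlib.sha256).digest()

def unseal(enc_key, mac_key, name, blob):
    body, tag = blob[:-32], blob[-32:]
    want = hmac.new(mac_key, name.encode() + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):  # also rejects parts swapped between names
        raise ValueError("part was modified or the passphrase is wrong")
    padded = _xor_stream(enc_key, body[:16], body[16:])
    return padded[4:4 + int.from_bytes(padded[:4], "big")]

def protect(passphrase, salt, path, data):
    enc_key, mac_key, name_key = derive_keys(passphrase, salt)
    store = {}  # {scrambled name: sealed part} is all that ever leaves the client
    for i in range(0, max(len(data), 1), CHUNK):
        name = scrambled_name(name_key, path, i // CHUNK)
        store[name] = seal(enc_key, mac_key, name, data[i:i + CHUNK])
    return store

def recover(passphrase, salt, path, store):
    enc_key, mac_key, name_key = derive_keys(passphrase, salt)
    out = []
    while (name := scrambled_name(name_key, path, len(out))) in store:
        out.append(unseal(enc_key, mac_key, name, store[name]))
    if not out:
        raise KeyError("no parts found for this path and passphrase")
    return b"".join(out)
```

Because keys and nonces differ per user, the same file sealed under two passphrases yields unrelated objects, which is why the server-side file hashing DrXym mentions cannot deduplicate them. Dropped trailing parts go undetected here; a sealed manifest carrying the part count would close that gap.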

  11. Re:iDrive has the same problem by Anonymous Coward · · Score: 3, Insightful

    And Spideroak gives you a closed binary to run on your endpoints, and you quite happily type your password into that. Uh-huh.

    Spideroak are just another vendor saying 'trust us not to have been served an NSL' and trust us not to capture your key with the client software if served an NSL/warrant.

    Once the spideroak client is open and audited, perhaps at that point their marketing about a secure server architecture makes a difference.