Warning – Dropbox files may NOT be encrypted from viewing by Dropbox or its employees

There are many articles encouraging attorneys to use Dropbox to share files with others or with themselves. Often it is suggested as a great way to get files between a work computer and a laptop or iPad. However, this is the first time I have seen a claim that the files are not securely encrypted and that they can be viewed by Dropbox employees and are subject to subpoena. Please review the information below and take appropriate steps to protect the confidentiality of your clients' data. I am sure we will hear more about this in the days to come.

Christopher Soghoian, a security researcher, has published the following information at How Dropbox sacrifices user privacy for cost savings:

Dropbox, the popular cloud based backup service deduplicates the files that its users have stored online. This means that if two different users store the same file in their respective accounts, Dropbox will only actually store a single copy of the file on its servers.

The service tells users that it “uses the same secure methods as banks and the military to send and store your data” and that “[a]ll files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password.” However, the company does in fact have access to the unencrypted data (if it didn’t, it wouldn’t be able to detect duplicate data across different accounts).

This bandwidth and disk storage design tweak creates an easily observable side channel through which a single bit of data (whether any particular file is already stored by one or more users) can be observed.

If you value your privacy or are worried about what might happen if Dropbox were compelled by a court order to disclose which of its users have stored a particular file, you should encrypt your data yourself with a tool like truecrypt or switch to one of several cloud based backup services that encrypt data with a key only known to the user.
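As an added illustration (not code from the original post, from Soghoian, or from Dropbox), the Python sketch below models a store that deduplicates across accounts and shows why that requires the provider to see file content, and why encrypting under a user-held key before upload removes the signal. `DedupStore`, the account names and the sample memo are constructed, and the SHAKE-256 XOR routine is only a stand-in for a real encryption tool.

```python
import hashlib
import secrets

MEMO = b"Privileged and confidential: settlement memo (constructed sample)"

class DedupStore:
    """Constructed model of a provider that deduplicates across accounts."""

    def __init__(self):
        self.blobs = {}    # content hash -> bytes (one copy per unique content)
        self.owners = {}   # content hash -> set of account names

    def upload(self, account, data):
        """Store data; return True if identical content was already stored."""
        digest = hashlib.sha256(data).hexdigest()
        already_stored = digest in self.blobs
        self.blobs.setdefault(digest, data)
        self.owners.setdefault(digest, set()).add(account)
        return already_stored

    def who_has(self, data):
        """Accounts the provider can link to a given file it is shown."""
        return sorted(self.owners.get(hashlib.sha256(data).hexdigest(), set()))

def client_encrypt(key, plaintext):
    """Stand-in for real client-side encryption (illustration only):
    XOR with a SHAKE-256 keystream from the user's key and a fresh nonce."""
    nonce = secrets.token_bytes(16)
    stream = hashlib.shake_256(key + nonce).digest(len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))

def client_decrypt(key, blob):
    """Reverse client_encrypt using the same user-held key."""
    nonce, body = blob[:16], blob[16:]
    stream = hashlib.shake_256(key + nonce).digest(len(body))
    return bytes(c ^ s for c, s in zip(body, stream))

def demo():
    # Case 1: provider can read content, so identical files collapse to one copy.
    plain = DedupStore()
    first = plain.upload("alice", MEMO)
    second = plain.upload("bob", MEMO)   # True: the one-bit "already stored" signal
    # Case 2: each user encrypts with a key only they hold before uploading.
    sealed = DedupStore()
    key_a, key_b = secrets.token_bytes(32), secrets.token_bytes(32)
    blob_a = client_encrypt(key_a, MEMO)
    sealed.upload("alice", blob_a)
    dup = sealed.upload("bob", client_encrypt(key_b, MEMO))
    return (first, second, plain.who_has(MEMO),
            dup, sealed.who_has(MEMO), client_decrypt(key_a, blob_a))
```

In the second case the provider stores two unrelated ciphertexts, so it can neither deduplicate them nor match either one to the plaintext file.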

The issue is also discussed in this InfoWorld article, Dropbox caught with its finger in the cloud cookie jar, and for me the most interesting part of the article was this:

On April 12, the Dropbox help site said:

Dropbox employees aren’t able to access user files, and when troubleshooting an account, they only have access to file metadata (filenames, file sizes, etc. not the file contents)… All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password.

Starting on or before April 14, Dropbox changed that help page, and changed it again on April 23, so it now says:

Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata… we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances… All files stored on Dropbox servers are encrypted (AES-256)

A little different, eh?

Dropbox followed up on April 21, discussing employee access to encrypted data, and explaining changes to its Terms of Service Agreement, including this new TOS provision:

We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) to protect Dropbox’s property rights.

So Dropbox appears to be clearly stating they have access to your data and have the right to disclose it as they believe necessary.

Once again, the security of cloud computing for attorneys is brought into question.
