On Dropbox and Security

Here’s a snippet from Dropbox’s FAQ page on security:

Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.

Miguel de Icaza:

Dropbox recently announced an update to its security terms of service in which they announced that they would provide the government with your decrypted files if requested to do so.

This is not my problem with Dropbox.

My problem is that for as long as I have tried to figure out, Dropbox made some bold claims about how your files were encrypted and how nobody had access to them.

Ben Brooks:

That is very concerning for me — I keep just about everything in Dropbox these days. I may have to think about storing more sensitive stuff inside encrypted DMGs on Dropbox.

I am a huge fan of Dropbox, and recommend it (affiliate link) to people fairly often.

That said, here’s the bottom line: any data that isn’t in your direct physical control has the potential to be compromised.

To put it another way, once someone has physical access to your data, you’ve lost control of the security surrounding that data.

Unless you’re using something like FileVault on the Mac, someone who steals your MacBook Pro and knows what they are doing can access your data, no matter how good your account password is. The same is true on any OS out there: without data encryption, your files are sitting ducks.

Cloud services are bumping into this all the time. If you have something in the cloud, the reality is that you’ve just put your data in the hands of a corporation. Corporations don’t always act in the best interest of their customers, and don’t always hire outstanding employees. Corporations have problems and run into issues.

While I trust Apple and Amazon more than I trust Google, keeping a close eye on any cloud-based service is a good idea.

But in the world of services like Twitter, Flickr and Tumblr, this sort of thing isn’t given much thought. We trust the companies, and trust the people who see our content not to rip it off.

Apple has access to my calendar, contact and bookmark information, via MobileMe. Dropbox and Amazon have access to my files that I sync with the service. I publish tons of photos on the Yahoo-owned Flickr. Instagram has my photos as well, and countless websites and services have my personal email account. While I don’t use Google for much, the RSS feeds I follow and web searches I conduct are associated with my account.

So, do I trust Dropbox? I do, but I wouldn’t sync a text document with my social security number in it to the company’s S3 server space. Super sensitive files should never be on a server you can’t physically control.

As with most things in life, a little common sense goes a long way when dealing with the cloud and data security. Yes, it sucks that Dropbox employees could see all the cat GIFs I’ve saved in my Dropbox folder, but I understand that they have to operate within the laws of the United States.

Just use your head. Don’t lose it in the clouds. (See what I did there? Clever, no?)