26 Jul, 2013 Bobby Data Security

How safe is your data when you plunk it down into Dropbox? Where does it go? Who can see it? There have been concerns raised about Dropbox’s security in the past, so we’re going to take a look and see if they’re concerns worth having.

What is Dropbox For?

Dropbox synchronizes your files across multiple devices. Just put a file in the Dropbox folder and voila! It puts a copy on all your computers. And when you make changes to a file, it makes the same changes on all the others.

There are many services that offer this functionality (Cubby, SpiderOak, Google Drive, Microsoft SkyDrive, etc), but Dropbox was the first to make it big.

How Does Dropbox Work?

Is it magic? No, silly. Dropbox, like its competitors, uses the internet to keep your files synchronized. It doesn’t matter where they are. You could have computers on opposite sides of the world and it would still work, as long as they both have Dropbox installed and an active internet connection.

It’s all managed by an unseen server that sits in the middle of everything. When you put a file in Dropbox, it’s first uploaded to their server and stored there. Then, it pushes the file out to all your other devices. It always sends the files to their servers first, even if both computers are in the same room.

How Dropbox Does Security

You can probably spot the weaknesses in the process. Any time you send your data anywhere on the internet, you’re assuming risk. What’s more, it’s stored on a central computer that you have no control over. This requires you to trust the company to treat your data properly.

So is Dropbox doing everything the right way? Let’s take a look at their security process.

  1. The Dropbox client (program) is installed on your computer. This program is what creates a secure connection between your computer and their servers.
  2. Dropbox encrypts the data on your computer in preparation to send it over the internet using the industry standard SSL/TLS with AES 128-bit encryption.
  3. Your data is copied to the Dropbox servers and decrypted once it reaches its destination. Thanks to the encryption performed in the previous step, no eavesdroppers will be able to read your data as it zooms over the internet.
  4. Your data is then encrypted again for storage with AES 256-bit. This is to prevent hackers from seeing your data if it’s stolen from their servers.
  5. The data is then copied from the servers to your other devices over the internet. Again, using SSL/TLS encryption.
  6. Once on your computer, your data is then decrypted and stored on your hard drive.

What’s the Problem With Dropbox’s Security?

All that encryption sounds pretty safe. So what’s the problem?

The biggest issue raised with most services like Dropbox is that you’re not the only one with access to your data, despite all the fancy encryption maneuvers. It’s actually possible for Dropbox to manually decrypt and look at your data while it’s on their servers. This can lead to several issues:

  1. A rogue Dropbox employee who decides he wants your data
     Of minimal concern, since very few employees typically have the access rights. But still, you should be aware that it’s possible for others to see your data.

  2. Hackers getting their hands on your encryption key
     Since Dropbox stores the keys for all its users, it’s possible that a database breach could result in everyone’s encryption keys being stolen. Not likely, since they’re probably stored far away from your actual data. But worth the mention nonetheless.

  3. Dropbox voluntarily disclosing your information to a third party
     This is the real concern. The question is whether companies like Dropbox should have the right to give away your data.

For instance, Dropbox has already specified that were they to receive a subpoena from law enforcement, they would willingly decrypt your data and hand it over. And what would you be able to do about it? Probably nothing, even though Dropbox’s own Terms of Service specify that you maintain full ownership of your data while it’s stored on their servers.

This may not rile you too much since you probably have nothing to hide from the cops. But it’s worth noting that nothing you put in Dropbox is private. Other eyes may someday see what you put in there.

If you are interested in higher security for your files, you can always encrypt your data using another program like AxCrypt or TrueCrypt before putting it into Dropbox. For step-by-step instructions, see my AxCrypt tutorial. Alternatively, you can use a competing service like SpiderOak, which does not have the capability to see your data as long as you’re using the client you installed on your computer (if you log in to their webpage to access your data, then their servers do get your encryption key).
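One way to do the encrypt-before-sync step described above, as an added example that is not from the original article and is not how AxCrypt, TrueCrypt or Dropbox work internally. It assumes the third-party Python `cryptography` package; the `CSE1` container layout and the function names are invented for this illustration. The key is derived from a passphrase that never leaves your computer, so the server only ever stores a blob it cannot decrypt.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.scrypt import Scrypt

MAGIC = b"CSE1"  # constructed container tag for this example, not a real file format


def _derive_key(passphrase: str, salt: bytes) -> bytes:
    # Scrypt stretches the passphrase into a 256-bit AES key. The salt is not
    # secret and travels inside the blob; the passphrase never does.
    return Scrypt(salt=salt, length=32, n=2**14, r=8, p=1).derive(passphrase.encode())


def encrypt_for_sync(plaintext: bytes, passphrase: str, name: str) -> bytes:
    """Return the blob to place in the synced folder instead of the plaintext."""
    salt, nonce = os.urandom(16), os.urandom(12)
    key = _derive_key(passphrase, salt)
    # The file name is bound as associated data, so a blob moved to a
    # different file name fails authentication on decrypt.
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, name.encode())
    return MAGIC + salt + nonce + ciphertext


def decrypt_from_sync(blob: bytes, passphrase: str, name: str) -> bytes:
    """Run on the other device after the sync client has downloaded the blob."""
    # 4-byte tag + 16-byte salt + 12-byte nonce + at least the 16-byte GCM tag
    if len(blob) < 48 or blob[:4] != MAGIC:
        raise ValueError("not a container produced by encrypt_for_sync")
    salt, nonce, ciphertext = blob[4:20], blob[20:32], blob[32:]
    key = _derive_key(passphrase, salt)
    try:
        return AESGCM(key).decrypt(nonce, ciphertext, name.encode())
    except InvalidTag:
        raise ValueError("wrong passphrase, wrong file name, or modified blob") from None


if __name__ == "__main__":
    secret = b"constructed sample: 2012 tax return contents"
    blob = encrypt_for_sync(secret, "correct horse battery staple", "taxes.pdf")
    print(len(blob), "bytes go to the sync folder; plaintext inside:", secret in blob)
    print(decrypt_from_sync(blob, "correct horse battery staple", "taxes.pdf"))
```

Because AES-GCM is authenticated, a blob altered while stored on the server is rejected on decrypt rather than silently producing corrupted data.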

Dropbox Privacy Policy Highlights

Here are some of the main points of the Dropbox Privacy Policy in case you’re interested in more of the details.

  • Any personal information you give Dropbox is kept and stored
    This is common practice for most online businesses. It includes anything personal you give them like names, phones, emails, credit cards, postal addresses, social networking info, etc.

  • Even if you delete your account, Dropbox reserves the right to retain your data
    There are several reasons for this, such as if your data is tied up in legal obligations or disputes, but also if it’s needed to “enforce our agreements”, whatever that means. Also of concern: the backups of your data that Dropbox creates may not be deleted at all.

  • Your personal information is never sold to third parties
    This does not mean it’s never shared freely (see next bullet).

  • Dropbox reserves the right to share your information in these circumstances:
    1. If you use another application to sign into your Dropbox account
       For instance, if you use Facebook to sign into your Dropbox account, Facebook gets your personal information from Dropbox. Dropbox does not take responsibility for what the other party does with it.

    2. If it’s required to provide you Dropbox’s services
       For instance, Dropbox uses Amazon’s S3 service for storage of your data, so Amazon gets your info, too.

    3. If law enforcement requires it
       If Johnny Law ever subpoenas Dropbox for your information, Dropbox will comply. What’s more, they’ll even completely decrypt your files for them before handing them over.

    4. Any situation that Dropbox decides is threatening to itself or its users
       This includes alleged fraud, property rights infringement, and even the threat of bodily harm to someone. This is a broad scope and allows them a lot of flexibility.

    5. If Dropbox is bought or merged
       Of course, if Dropbox is bought out, the acquiring company will get your info.

  • Dropbox does not use your location information (like GPS), but it will:
    1. Use the location information embedded in photos and videos you upload
       This shows you that Dropbox has the ability to look at the files you upload. You’ll just have to assume that they see it all.

    2. Approximate your location based on information like your IP address
       They’re still trying to locate you, even if it’s not as precise as GPS.

Is Dropbox Safe To Use?

The bottom line is that Dropbox has its uses, but in my opinion should not be used for everything. You have little to worry about unless you’re using it to store sensitive data. I suggest that you don’t use it for your passwords, credit cards, medical or tax records, embarrassing pictures, your next unpublished bestseller, or anything else that you wouldn’t want someone else to see.

It does provide good security against hackers and ne’er-do-wells. But the fact that they have the power to decrypt and see your data is significant. It means that anything you do with their service cannot be considered private. As long as you understand what it should and shouldn’t be used for, then it’s a service you’ll probably be happy with.
