Ryan Singel, Threat Level, Wired (May 13, 2011)
"Dropbox, the wildly popular online storage system, deceived users about the security and encryption of its services, putting it at a competitive advantage, according to an FTC complaint filed Thursday by a prominent security researcher.
"The FTC complaint charges Dropbox (.pdf) with telling users that their files were totally encrypted and even Dropbox employees could not see the contents of the file. Ph.D. student Christopher Soghoian published data last month showing that Dropbox could indeed see the contents of files, putting users at risk of government searches, rogue Dropbox employees, and even companies trying to bring mass copyright-infringement suits.
"Soghoian, who spent a year working at the FTC, charges that Dropbox 'has and continues to make deceptive statements to consumers regarding the extent to which it protects and encrypts their data,' which amounts to a deceptive trade practice that can be investigated by the FTC.
"Dropbox dismissed Soghoian's allegations...."
The Lemming isn't surprised that Dropbox says the allegations should be ignored.
If Dropbox really does encrypt data - and Soghoian is wrong - Dropbox would naturally want to get past a false accusation and get back to business-as-usual.
On the other hand, if Dropbox decided that it was easier to be creatively accurate ("lying" is such a harsh term) when describing their service - and got caught - Dropbox would naturally want to get past a true accusation and get back to business-as-usual.
Back to that article:
"...Dropbox, which has more than 25 million users, revised its website claims about its data security April 13, from:
"All files stored on Dropbox servers are encrypted (AES256) and are inaccessible without your account password."
to:
"All files stored on Dropbox servers are encrypted (AES 256)."
The difference, Soghoian charges, is very important. (If his name sounds familiar, you might remember him as the one who exposed Facebook's attempt to place anti-Google stories in the press this week.)
"Dropbox saves storage space by analyzing users' files before they are uploaded, using what's known as a hash — which is basically a short signature of the file based on its contents. If another Dropbox user has already stored that file, Dropbox doesn't actually upload the file, and simply 'adds' the file to the user's Dropbox.
"The keys used to encrypt and decrypt files also are in the hands of Dropbox, not stored on each user's machines.
"Those architecture choices mean that Dropbox employees can see the contents of a user's storage, and can turn over the nonencrypted files to the government or outside organizations when presented with a subpoena...."
(Threat Level, Wired)
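The deduplication scheme described in the quoted article can be modelled in a few lines. This is an added example, not code from Dropbox or from the Wired article: the class and function names are hypothetical, the sample document is constructed, and the SHAKE-256 keystream is a stand-in for AES-256 so the sketch runs with only the Python standard library.

```python
import hashlib
import os


class DedupStore:
    """Toy provider: blobs are indexed by SHA-256 of the bytes it receives."""

    def __init__(self):
        self.blobs = {}   # digest -> stored bytes
        self.owners = {}  # digest -> set of account names

    def put(self, user, data):
        """Return True if the bytes had to be uploaded, False if deduplicated."""
        digest = hashlib.sha256(data).hexdigest()
        uploaded = digest not in self.blobs
        if uploaded:
            self.blobs[digest] = data
        self.owners.setdefault(digest, set()).add(user)
        return uploaded

    def who_holds(self, known_file):
        """Anyone who controls the index can map a known file to accounts."""
        digest = hashlib.sha256(known_file).hexdigest()
        return sorted(self.owners.get(digest, ()))


def client_encrypt(key, plaintext):
    """Stand-in stream cipher (SHAKE-256 keystream); NOT AES, not for real use."""
    nonce = os.urandom(16)
    stream = hashlib.shake_256(key + nonce).digest(len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def demo():
    doc = b"constructed sample document shared by two users"

    # Model 1: hash taken over the plaintext, as the article describes.
    provider = DedupStore()
    plain = (provider.put("alice", doc), provider.put("bob", doc))

    # Model 2 (assumption): each user encrypts with a key only they hold.
    private = DedupStore()
    sealed = (private.put("alice", client_encrypt(os.urandom(32), doc)),
              private.put("bob", client_encrypt(os.urandom(32), doc)))

    return {"plain": plain, "holders": provider.who_holds(doc),
            "sealed": sealed, "sealed_holders": private.who_holds(doc)}


if __name__ == "__main__":
    print(demo())
```

In the first model the second upload is skipped and the index ties one file to both accounts. In the second, nothing deduplicates and the provider cannot match the file, which is the trade-off behind the article's point about who holds the keys.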
The Lemming suspects that Dropbox and Soghoian may be right. It looks like Dropbox, while not quite telling customers that their files could be read under some circumstances, gave the impression that they were offering air-tight security.
That sort of 'clever' marketing can, in the Lemming's opinion, hurt a company. Big time.
It's also a reason why the Lemming reads manifests, contracts, whatever, before signing them. Caveat Emptor, and all that.
There's more in the Threat Level article, including before-and-after quotes from the Dropbox website. Quite interesting stuff, and a major reason why the Lemming isn't likely to use 'cloud computing' any time soon. Not for data that's at all sensitive.
The Postcard Principle
The Lemming thinks that the best mental picture for online security is the old-fashioned postcard: that old-fashioned rectangle of heavy paper with the address - and message - written where anybody who sees the card may read its contents.
Nothing wrong with postcards, by the way, in the Lemming's opinion: they offer a lower-cost alternative to sheets-in-an-envelope letters for traditional mail; and picture postcards are arguably a sort of art form.
Still, the Lemming thinks sensible folks don't write sensitive information on postcards. Like Social Security Numbers - you get the idea.
The Lemming's discussed - or ranted about - cloud computing before.