Dropbox has deceived users about security?

On Sun, May 15, 2011, in the cloud , Privacy , Reporting , by Ernesto Belisario

The cloud computing is the technology of the moment: businesses, governments and simple users are increasingly becoming aware of its benefits and the fact that, in the near future, will revolutionize the world of IT as we know it.
At the same time, just as everyone is talking about the benefits of cloud computing, there is a growing awareness of the critical aspects of this technology, mainly due to the loss of control over the data (with the obvious implications in terms of the contract but also security and privacy). This awareness is also accelerated by a series of problems that, in recent weeks, have involved some of the major cloud providers like Amazon , Microsoft , Aruba and Sony .

These days to be at the center of the storm is Dropbox , one of the most popular services for sharing and saving files, accused in a complaint lodged with the Federal Trade Commission , he lied about data security of its members.

dropbox 错误 页面

The author is dell'esposto Christopher Soghoian , PhD student at Indiana University, who argues that - contrary to the findings from Dropbox - it would not be true that the archived files are encrypted and only accessible by the user, since that Dropbox employees could view it at any time . The company, with a post on his blog, has rejected the allegations but - in fact - recently have changed the conditions of use of the service; in particular, whereas before it was expected that:

All files stored on Dropbox servers are encrypted (AES - 256) and are inaccessible without your account password.

Now is written simply that

All files stored on Dropbox servers are encrypted (AES - 256).

But there's more! While up to 13 April 2011, the conditions of use stipulated that

Dropbox employees are not able to access user files

now predict that

Dropbox employees are forbidden to display the contents of files stored in user accounts

It 'clear that this is not just an ethical issue: whether Dropbox really lied, could be judged not only responsible for its own user (for example, those who bought a pro account may claim reimbursement of the amounts paid) but also in relation to other cloud service providers that - actually those offering security guarantees (in particular encryption) - have been victims of unfair competition: as noted, security costs and the implementation of safeguards would put them declared impossible to adopt policies of price competitive with those of Dropbox.

While waiting for the FTC to rule sull'esposto and hope that Dropbox has not betrayed the trust of its members, I can not help but point out that - actually - the modification of the conditions is at least unfortunate in terms of its formulation. In a time when people, organizations and companies need to be able to count on the reliability of cloud providers, they must pay particular attention to the content of the terms of service, writing - clearly - just what we are able to guarantee and informing users - transparently - when changing the initial conditions.

Tagged with:

3 Responses to Dropbox has deceived users about security?

  1. Max-B writes:

    I have developed a small alternative DropBox that allows me to do more or less the same things as DropBox on a self-managed server.
    The program I wrote is called OurBox and is released under the GPL, runs on GNU / Linux and needs a server SSH / rsync.

    You will find additional information and links to the project:

  2. [...] These days, as reported on Law 2.0, the team DropBox has suddenly changed the conditions of use of the service. According To [...]

  3. [...] Quite a stir "l'affaire Dropbox" (admirably summarized by Ernesto in this post). Assuming that store in the cloud (the much-discussed "Cloud") file [...]

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>