Update: Dropbox Will Hand Over Your Files to the Feds If Asked
Popular cloud-storage service Dropbox has updated its terms of service to include a clause that states it will turn your files over to the government--if the government asks, of course.
Dropbox is one of the leading cloud-storage services, and it works by installing a special "cloud" folder to your computer's hard disk. Any files you place in this special folder are then synced with your Dropboxes around the world (you can install Dropbox on any number of computers, phones, and tablets), and can be accessed from any Dropbox-enabled device.
The updated passage reads:
Ok, so no worries--so long as you're not doing anything wrong, you should be fine. So why is this news?
Well, as programmer Miguel de Icaza points out on his personal blog, Dropbox makes some "bold claims" about security on its Website. Specifically, it says that Dropbox uses "modern encryption methods" to transfer and store your data, and that nobody, not even Dropbox employees, is able to access user files. In fact, here's the exact wording:
"Dropbox employees aren't able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc., not the file contents)."
De Icaza points out that Dropbox's claim that it's able to decrypt user files if the government asks contradicts its previous public statements.
"They claim that Dropbox employees aren't able to access user files," de Icaza writes, "This announcement means that Dropbox never had any mechanism to prevent employees from accessing your files, and it means that Dropbox never had the crypto smarts to ensure the privacy of your files and never had the smarts to only decrypt the files for you."
Troubling. Perhaps it's time to rethink your cloud storage service. Also, stop saving your child porn and drug money receipts in your Dropbox folder.
[UPDATE 4/20/11: According to Dropbox CTO Arash Ferdowsi, Dropbox's claim that employees aren't able to access user files is "not intentionally misleading"--it's "enforced by technical access controls on our backend storage infrastructure as well as strict policy prohibitions." In other words, it is not that Dropbox employees are unable to access user files; rather, they are prohibited from accessing them. Dropbox is updating its privacy article to include this specific wording.
Dropbox also says that its update to the TOS was merely a clarification for users, not a policy update (Dropbox notes that it's U.S. law to comply with the feds, and so all U.S. companies must abide by this rule). Dropbox also says it will "fight vigorously for user privacy."]