Why Dropbox’s Privacy Policy Is OK (Just Proceed Carefully)

Changes that Dropbox has made to its terms of service have caused somewhat of an uproar in the blogsphere this week after Dropbox said it will decrypt users’ data when needed and share it with law enforcement authorities.

But as far as cloud storage services go, Dropbox’s data-sharing policy is really standard, in that it complies with laws and mandates in the United States. But I would still not recommend using the service to upload anything that you would not otherwise be prepared to share with the rest of the world.

In case you are unfamiliar with Dropbox, it is a very easy-to-use file sharing and cloud storage service that’s free if you store 2GB or less of data, while it ups the maximum limit to 3GB if you refer another customer. I wholeheartedly recommend it for specific file-sharing and storage needs. It comes in very handy when I need to share large files conveniently or sync data between my PCs.

At issue this week is how Dropbox spelled out how it was able and willing to turn over customers’ data. Some users may have wrongly assumed that Dropbox would or could not decrypt data once encrypted on its servers. But now, the company has very clearly stated that it has the keys to access your data if needed.

“If we provide your Dropbox files to a law enforcement agency as set forth above, we will remove Dropbox’s encryption from the files before providing them to law enforcement,” Dropbox wrote in a post on its blog site Thursday.

But again, Dropbox’s new and old terms of service are purely boilerplate. Its main competitor, SugarSync, has a similar policy. SugarSync says it will never share your files with a third party, that is unless it has to.

“We respect the privacy and confidentiality of your files, so we agree never to disclose your files to anyone unless you instruct us to do so or a court orders us to disclose them, as provided in our privacy policy,” SugarSync says in its terms.

Think about it like this: Any firm storing property as part of a commercial service it offers–whether the property is stored in a safety deposit box in a bank or electronically on a cloud server–must comply with court orders, warrants, and the like–unless it wants to operate an illegal business, but that is something else. Dropbox, SugarSync, Google, and any other U.S.-based cloud storage provider must abide by laws and mandates there to remain legally compliant.

However, you can still prevent Dropbox from sharing your data with legal authorities. You can do this by encrypting files before uploading them to Dropbox’s servers, so it won’t have the keys to your data. Dropbox even comes out and states, “However, Dropbox will not be able to decrypt any files that you encrypted prior to storing them on Dropbox.”

Still, even if you are reassured now that Dropbox data-sharing requirements aren’t too draconian, there are also security concerns to worry about. A security expert, for example, recently revealed that intruders can bypass authentication gateways and access user accounts. If that wasn’t scary enough, the security expert also said that he is analyzing services that other cloud storage providers offer. I would thus expect to learn about security flaws in other services during the coming months. The bottom line is that, in case it is not already obvious, I would not count on storage providers being able to offer 100 percent security protection.

So if you do not like the idea of a government body being able to access your private data or have security concerns about cloud storage in general, then I would recommend only uploading files on Dropbox’s servers that you are prepared to share with the public at large. That has been my practice, but for data I am not worried about sharing, Dropbox really works great.

Bruce covers tech trends in the United States and Europe and can be reached at www.brucegain.com.