Dropbox is said to be the most widely used consumer-oriented cloud storage service, with 50 million users, as announced recently. Founded in 2007 by MIT graduates Drew Houston and Arash Ferdowsi, the service went through a period of quick expansion but has also faced some serious challenges. Dropbox security issues, an FTC complaint and technical loopholes didn’t manage to dislodge it from its position in the market. However, this was not without consequences: users started to doubt the service to a large extent. In the past couple of years many questions were raised, but not many of them were answered.
May 2011: Misleading Terms of Service
Last year, Dropbox’s security and privacy system started to be seriously questioned. Those who actually examined the Help Center page could easily find statements that did not match reality. Namely, Dropbox claimed that all files were securely encrypted with AES-256 and that no one could access user files without the password. After complaints from privacy researcher Christopher Soghoian, Dropbox changed its terms of service to be more transparent. The new terms explained that there are employees in the company who can access user files at any time if necessary. This naturally caused various reactions, which even resulted in an FTC complaint because it was believed that Dropbox was misleading users intentionally.
June 2011: System Failure
The issues concerning the security of Dropbox services first went public after it had a serious password issue in June last year. A system failure left user accounts open for 4 hours, meaning that anyone could access any account with any password. Dropbox reported that only a “small number” of accounts were actually accessed. They examined the mistake and sent an apology e-mail to all of the users whose accounts were threatened. Many users didn’t think this was enough.
Until a few months ago, Dropbox’s authentication system worked in such a way that the system checked whether the data was already stored on Dropbox servers. If it found the same information, it would automatically link the existing file instead of uploading the new one. So, if you tried to upload a video to your Dropbox folder and were astonished by the upload speed, this was because the system recognized the existing video and automatically replaced it with the previously uploaded file.
This strategy saved Dropbox a lot of money and storage space and made file uploads faster. However, as Soghoian warned a year ago, such deduplication strategies are typically very insecure, as there are many possible ways for third parties to get insight into data. He also pointed out the risks of using a single encryption key for all user documents. Soghoian urged Dropbox to abandon deduplication and assign a different encryption key to each user.
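To make the trade-off concrete, here is an added example (not Dropbox's code and not from the original article) that models a toy store; the names `DedupStore` and `compare` and the sample users are hypothetical. It shows that under global deduplication a second uploader's transfer size reveals that the file already exists on the server, while a per-user index removes that signal at the cost of extra stored copies.

```python
import hashlib


class DedupStore:
    """Toy server-side store (hypothetical model, constructed for illustration).

    scope="global":   one dedup index shared by every account.
    scope="per_user": the index key includes the owner, so lookups never
                      cross account boundaries.
    """

    def __init__(self, scope):
        if scope not in ("global", "per_user"):
            raise ValueError("scope must be 'global' or 'per_user'")
        self.scope = scope
        self.blobs = {}     # dedup key -> stored bytes
        self.links = set()  # (user, dedup key): which account references which blob

    def upload(self, user, data):
        """Return (bytes_transferred, deduplicated) as the client observes it."""
        digest = hashlib.sha256(data).hexdigest()
        key = digest if self.scope == "global" else (user, digest)
        hit = key in self.blobs
        if not hit:
            self.blobs[key] = data  # content only travels on a miss
        self.links.add((user, key))
        return (0 if hit else len(data)), hit


def compare(document):
    """Alice stores a document, then Bob uploads identical bytes.

    What Bob observes is the information that leaks across accounts.
    """
    results = {}
    for scope in ("global", "per_user"):
        store = DedupStore(scope)
        store.upload("alice", document)
        sent, hit = store.upload("bob", document)
        results[scope] = {
            "bob_bytes_sent": sent,
            "bob_saw_dedup": hit,
            "copies_stored": len(store.blobs),
        }
    return results


if __name__ == "__main__":
    sample = b"constructed sample document " * 40  # constructed input
    for scope, observed in compare(sample).items():
        print(scope, observed)
```

The per-user store still deduplicates a user's own repeated uploads; only the cross-account signal disappears.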
Dropbox Security Issues – Now and Then
The global deduplication strategy was disabled several months ago, which resulted in somewhat slower speed and better security. Last year they changed their dedup method (dropship), which was insecure because it pretended to sync files from Dropbox folders without actually having the contents. Correcting such issues is an example of Dropbox’s good practices.
However, this is not the end of their troubles. It’s been more than a year since Dropbox security issues went public and the legal process is still not finished. In the meantime, a few weeks ago, Dropbox announced another system failure. One employee’s account was hacked, and this resulted in mass e-mail spamming of users. Though Dropbox announced an intention to improve its security by adding new authentication features, there still seem to be too many unanswered questions.