Dropbox Told Us Our Files Were Encrypted and Private. Turns Out They Aren't?


Security researcher Christopher Soghoian believes Dropbox is lying in claiming that they encrypt uploaded files and keep them from employee eyes. So he filed an FTC complaint against them.


According to Wired, the complaint alleges that the lack of encryption means that your files could be involved in possible government searches, copyright infringement lawsuits, or the machinations of Dropbox employees.

Dropbox saves storage space by analyzing users' files before they are uploaded, using what's known as a hash - which is basically a short signature of the file based on its contents. If another Dropbox user has already stored that file, Dropbox doesn't actually upload the file, and simply "adds" the file to the user's Dropbox.

The keys used to encrypt and decrypt files also are in the hands of Dropbox, not stored on each user's machines.

Those architecture choices mean that Dropbox employees can see the contents of a user's storage, and can turn over the nonencrypted files to the government or outside organizations when presented with a subpoena.
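The trade-off behind those choices, as an added example (not Dropbox's code and not from the original article): a toy server that deduplicates by content hash, run once with server-held keys and once with per-user keys held on the client. `DedupStore`, `simulate`, the sample document, the keys and the stand-in cipher are all hypothetical and constructed for illustration.

```python
import hashlib

# Constructed sample data and keys; every name here is hypothetical.
DOC = b"quarterly-report.pdf contents (constructed sample)"
USER_KEYS = {u: hashlib.sha256(u.encode()).digest() for u in ("alice", "bob")}

def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for a real cipher, NOT secure: XOR with a SHA-256 counter keystream."""
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

class DedupStore:
    """Server keeping one copy per content hash, shared across all accounts."""
    def __init__(self):
        self.blobs = {}   # hash -> bytes exactly as the server received them
        self.owners = {}  # hash -> accounts that "have" the file

    def put(self, user: str, data: bytes) -> bool:
        """The client offers the hash first; the body is sent only if it is new.
        Returns True when an upload was actually needed."""
        digest = hashlib.sha256(data).hexdigest()
        needed = digest not in self.blobs
        if needed:
            self.blobs[digest] = data
        self.owners.setdefault(digest, set()).add(user)
        return needed

def simulate(client_side_keys: bool, doc: bytes = DOC):
    """Alice then Bob store the same document.
    Returns (alice_uploaded, bob_uploaded, copies_stored, server_can_read)."""
    store = DedupStore()
    uploads = []
    for user in ("alice", "bob"):
        # With server-held keys the server receives the plaintext; any at-rest
        # encryption it applies afterwards is reversible by the server itself.
        payload = toy_encrypt(USER_KEYS[user], doc) if client_side_keys else doc
        uploads.append(store.put(user, payload))
    return uploads[0], uploads[1], len(store.blobs), doc in store.blobs.values()

if __name__ == "__main__":
    print("server-held keys:", simulate(False))  # (True, False, 1, True)
    print("client-held keys:", simulate(True))   # (True, True, 2, False)
```

With per-user keys the two ciphertexts hash differently, so the storage saving disappears; that is why cross-user deduplication implies the provider can compare, and therefore read, what users store.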


Additionally, Dropbox previously claimed that employees "aren't able to access user files." They've since changed that statement to say that they aren't permitted to access those files.

In filing the complaint, Soghoian basically wants Dropbox to make their policy more explicit. Looks like someone's got some 'splainin to do. [Wired]

UPDATE: A Dropbox PR flak has this to say...

"We believe this complaint is without merit, and raises old issues that were addressed in our blog post on April 21, 2011. Millions of people depend on our service every day and we work hard to keep their data safe, secure, and private."





Knowing people who work at Dropbox, I can tell you that this is a non-issue; files are safe and no one is going to go poking through.

The same argument could be made for a bank's safety deposit box. Banks usually keep keys on premises to open the boxes. This does not mean they would open one unless a warrant was delivered. Nor would they just go rooting about.