
Dropbox Accused of Lying About Security

lee1 writes "Dropbox faces a possible FTC investigation because of misleading statements it has made about the privacy and security of its 25 million users' files. The cloud storage company previously claimed that it was impossible for its employees to access file contents, but in fact, as the encryption keys are in their possession, this is false. The complaint (PDF) points out that their false security claims gave Dropbox a competitive advantage over other firms offering similar services who actually did provide secure encryption."
  • Re:Call me back... (Score:5, Informative)

    by inpher ( 1788434 ) on Sunday May 15, 2011 @07:39PM (#36136144)
    One reason is that the person making the complaint is Christopher Soghoian [wikipedia.org], a heavyweight when it comes to computer security.
  • by akamad ( 1308139 ) on Sunday May 15, 2011 @08:08PM (#36136278)
    SpiderOak is a better choice. All data is encrypted on the client side and sent to the server. The SpiderOak servers do not store your passphrase, thus it is impossible for them to access your data. The obvious downside is you can't afford to forget your password as you cannot reset it.
  • by artor3 ( 1344997 ) on Sunday May 15, 2011 @08:12PM (#36136286)

    Did they ever say that though? If you RTF complaint, the closest they ever came to making that claim was this line:

    "Dropbox employees aren't able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc, not the file contents)"

    I suppose if you tilt your head and squint, that could mean they don't keep a copy of the keys. I read it as the guys on the floor can't log into your account and snoop around.

  • by hedwards ( 940851 ) on Sunday May 15, 2011 @08:35PM (#36136428)

    Because it's not a little generic info about their lives. It's a small leak here, a small leak there, pretty soon they've got all of it, and you don't have any privacy. You'd be shocked at how much information about you is likely out there. Even those of us that are exceedingly careful are constantly spied on by ad networks.

    It might not be a big deal to you, but once that information is out there, it's out there, and there's no telling what will become of that information in the future. That there is the problem, there's no control over it and we've no idea what somebody else is going to do with it.

  • by SlightOverdose ( 689181 ) on Sunday May 15, 2011 @08:49PM (#36136508)

    SpiderOak has some serious security issues of its own.

    1. The desktop client allows you to change the password without entering the old one. This means that if somebody steals your laptop, they can lock you out of your own account. Permanently.

    2. I forgot my password on an account, and emailed support requesting an account reset. They happily complied without verifying in any way, shape, or form that I was the owner of the account. I didn't even send this request from the same email account that was attached to the account.

    Major issues like this make me think their understanding of security is not as rock solid as they think it is, and makes me question how good their encryption is.

    The desktop software is also woefully bad to the point of being unusable, their service is slow (at least from Australia), and their "Sync" support doesn't work particularly well.

  • Re:Seconded (Score:4, Informative)

    by Lunix Nutcase ( 1092239 ) on Sunday May 15, 2011 @09:26PM (#36136726)
