
Dropbox Accused of Lying About Security

Posted by samzenpus
from the e-pants-on-fire dept.
lee1 writes "Dropbox faces a possible FTC investigation because of misleading statements it has made about the privacy and security of its 25 million users' files. The cloud storage company previously claimed that it was impossible for its employees to access file contents, but in fact, as the encryption keys are in their possession, this is false. The complaint (PDF) points out that their false security claims gave Dropbox a competitive advantage over other firms offering similar services who actually did provide secure encryption."
  • Good (Score:5, Insightful)

    by gadzook33 (740455) on Sunday May 15, 2011 @06:26PM (#36136090)
    As if we needed more snake-oil when it comes to computer security; especially where it involves encryption. I hope these guys get taken to task.
  • Call me back... (Score:4, Insightful)

    by bannable (1605677) on Sunday May 15, 2011 @06:27PM (#36136096)
    ...when there's an actual investigation. Why the hell is it news that someone made a complaint?
  • by retroworks (652802) on Sunday May 15, 2011 @06:33PM (#36136114) Homepage Journal
    Here I was feeling all certain that my data was secure, and it just turns out my information just isn't important or interesting enough to purloin.

    Seriously, what is missing in most of the press about data security is the relative weight of security necessary given the risk. You don't put your junk mail in a safe deposit box. What is sufficient security for my work files in dropbox is not sufficient for Obama's missile launching laptop. Speaking about security in the absence of weighted risk is the biggest waste of resources in security discussion. Rhetorically scaring people that their data is interesting and is going to be stolen is as bad as rhetorically emphasizing "lock box" security.

  • by Anonymous Coward on Sunday May 15, 2011 @06:35PM (#36136124)

    "the encryption keys are in their possession"

    Nobody with half a brain is going to trust their cloud storage provider with their encryption keys. That sounds downright insane. Why would anyone who cares about the privacy of their files do that?

    If you want privacy, keep your keys private to you. The provider can superimpose whatever they want on top, that's fine, doesn't hurt anything. Just means if they screw up, nobody can read the results.

    Is it just me, or are about 99.9% of these stories taking the form, "people who don't understand even the most basic concepts about what they're doing get taken for a ride?"

  • by chill (34294) on Sunday May 15, 2011 @06:36PM (#36136126) Journal

    The only thing at issue here is that Dropbox LIED about the service they provided. Whether or not you personally believe anyone needs that level of protection is irrelevant. They said they offered it and LIED.

  • by belthize (990217) on Sunday May 15, 2011 @07:01PM (#36136234)

    Which would be fine if they said "Our employees have access to your data through key escrow in the event you forget your passphrase". If what you're storing is random pictures or some such that's quite likely good enough.

    Some companies don't want that and give their business to companies that say "Key escrow is your problem, it is physically impossible for our employees to read your data". They tend to pay more for that service.

    Dropbox was unfairly competing by claiming to do more expensive B when it really did cheaper A.

  • Re:Seconded (Score:3, Insightful)

    by PopeRatzo (965947) * on Sunday May 15, 2011 @07:04PM (#36136254) Homepage Journal

    Also, before someone comes in blaming the whole cloud thing again, it's not the fault of "cloud". It's a fault of a lying company.

    It's the fault of the "Free Market", where there is enormous incentive for companies to lie and cheat. The more successful a company the more money it will have with which to purchase power. The more power it has, the more it will push de-regulation. The more de-regulation, the more damage they will do.

    Corporations are golems, with the single imperative to profit at any cost. The potential for profit increasingly outweighs any risk involved in negative behavior. And when you get big enough, say Exxon big, there's no risk at all.

    And it is a little bit the fault of "the cloud". I can go down to my bank and look at the vault. I can read the government-backed FDIC insurance on my deposits and the FDIC has never, ever failed. All we can do is hope that what the cloud companies tell us about security is true. How could we possibly verify?

  • Re:Seconded (Score:4, Insightful)

    by fuzzyfuzzyfungus (1223518) on Sunday May 15, 2011 @07:59PM (#36136570) Journal
    According to TFA's description of the problem, the issue wasn't one of technical acumen at all.

    In order to be able to do deduplication across their subscriber base, rather than per-user or none at all (likely making for considerable disk and bandwidth savings across a service of their size), Dropbox failed to (usefully) encrypt user files and introduced a fun side-channel attack where anybody can determine whether somebody else has a file stored, just by attempting to upload it and then sniffing the wire to see if it takes the expected upload time, or just a tiny amount of hash comparing to "upload".

    Technologically, they didn't exactly advance the state of the art in crypto to power their service; but the issues at question appear to be technologically competent enough, deduplication across the largest set of files possible is a perfectly sensible way of reducing storage and bandwidth costs, it's just that they then proceeded to sharply oversell the amount of actual privacy they were providing.

    Given that education doesn't seem to have much effect on honesty (unless you count the courses of study that probably make you worse...) I'd be inclined to say that it is irrelevant to the problem at hand.
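The two designs contrasted in the thread (the Anonymous Coward's "keep your keys private to you" point above, and the cross-user deduplication leak fuzzyfuzzyfungus describes in the comment just above) can be modelled in a few dozen lines. The following is an added illustration, not code from Dropbox or from anyone in this discussion. It assumes a toy HMAC-SHA256 counter-mode keystream as a stand-in for AES-256 (so it runs on the Python standard library alone), and two hypothetical storage back-ends: one where the provider holds the key and deduplicates by plaintext hash across all accounts, and one where each user encrypts under their own key before upload. The point it makes is about key custody, not the cipher: with provider-held keys, staff can read everything and a second uploader observes that the file was already present; with client-held keys, the stored blobs of identical files differ, so the provider sees only ciphertext and the deduplication signal disappears.

```python
"""Key custody model (constructed illustration, not any provider's real code):
provider-held keys + cross-account dedup versus client-held keys."""
import hashlib
import hmac
import secrets


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style stream cipher standing in for AES-256 (assumption):
    XOR data with HMAC-SHA256(key, nonce || block counter). Symmetric, so the
    same call decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class ProviderKeyStore:
    """Provider encrypts at rest under a key IT holds, and deduplicates by
    plaintext hash across every account (the design TFA describes)."""

    def __init__(self) -> None:
        self.master_key = secrets.token_bytes(32)  # provider's key, never the user's
        self.blobs: dict[str, tuple[bytes, bytes]] = {}   # plaintext hash -> (nonce, ct)
        self.index: dict[tuple[str, str], str] = {}       # (user, name) -> plaintext hash

    def upload(self, user: str, name: str, plaintext: bytes) -> bool:
        """Returns True when the content already existed under ANY account and
        the transfer was short-circuited: exactly the signal the side channel
        observes on the wire."""
        h = hashlib.sha256(plaintext).hexdigest()
        self.index[(user, name)] = h
        if h in self.blobs:
            return True
        nonce = secrets.token_bytes(16)
        self.blobs[h] = (nonce, keystream_xor(self.master_key, nonce, plaintext))
        return False

    def provider_read(self, user: str, name: str) -> bytes:
        """Anyone with the master key (i.e. staff) can read any account's file."""
        nonce, ct = self.blobs[self.index[(user, name)]]
        return keystream_xor(self.master_key, nonce, ct)


class ClientKeyStore:
    """Each user encrypts before upload under a key only they hold. The provider
    may still wrap the blob in its own encryption; that changes nothing here."""

    def __init__(self) -> None:
        self.blobs: dict[str, tuple[bytes, bytes]] = {}   # ciphertext hash -> (nonce, ct)
        self.index: dict[tuple[str, str], str] = {}

    def upload(self, user_key: bytes, user: str, name: str, plaintext: bytes) -> bool:
        nonce = secrets.token_bytes(16)
        ct = keystream_xor(user_key, nonce, plaintext)
        # The provider can only dedup on what it sees: ciphertext. Two users'
        # encryptions of the same file differ, so cross-account dedup is gone.
        h = hashlib.sha256(ct).hexdigest()
        already = h in self.blobs
        self.blobs[h] = (nonce, ct)
        self.index[(user, name)] = h
        return already

    def provider_read(self, user: str, name: str) -> bytes:
        """The provider holds no user key: all it can return is the ciphertext."""
        return self.blobs[self.index[(user, name)]][1]

    def user_read(self, user_key: bytes, user: str, name: str) -> bytes:
        nonce, ct = self.blobs[self.index[(user, name)]]
        return keystream_xor(user_key, nonce, ct)


def demo() -> dict:
    """Run both models on one constructed file and report what each party learns."""
    secret = b"quarterly-figures.txt: revenue down 12% (constructed sample)"

    prov = ProviderKeyStore()
    alice_first = prov.upload("alice", "q.txt", secret)
    bob_second = prov.upload("bob", "q.txt", secret)   # bob learns alice has it

    client = ClientKeyStore()
    alice_key, bob_key = secrets.token_bytes(32), secrets.token_bytes(32)
    c_alice = client.upload(alice_key, "alice", "q.txt", secret)
    c_bob = client.upload(bob_key, "bob", "q.txt", secret)

    return {
        "provider_dedup_signal": (alice_first, bob_second),          # (False, True)
        "provider_staff_can_read": prov.provider_read("alice", "q.txt") == secret,  # True
        "client_dedup_signal": (c_alice, c_bob),                     # (False, False)
        "client_provider_sees_plaintext": client.provider_read("alice", "q.txt") == secret,  # False
        "client_owner_reads_back": client.user_read(alice_key, "alice", "q.txt") == secret,  # True
        "client_wrong_key_reads_back": client.user_read(bob_key, "alice", "q.txt") == secret,  # False
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The model also shows why a per-account key defeats cross-account deduplication: the savings fuzzyfuzzyfungus mentions and the leak are the same property, so a provider has to choose which one to keep.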
  • Re:Seconded (Score:2, Insightful)

    by Linux Torvalds (647197) on Sunday May 15, 2011 @08:20PM (#36136696)

    Regulatory capture has proven to be a much bigger problem than deregulation, I think. It seems better not to give the government so much power in the first place.

    Put another way, a government that's big enough to give Exxon and the MPAA everything they want is big enough to take it away from you.

  • by formfeed (703859) on Sunday May 15, 2011 @08:20PM (#36136700)

    The good ol' "let's mock the victim here for not being as smart as me" routine.

    No. If I mocked everyone not being as smart as me, I wouldn't get anything else done.
    I only mock for "not being as smart as me but thinking to be way smarter than me".

  • Re:Seconded (Score:5, Insightful)

    by PopeRatzo (965947) * on Sunday May 15, 2011 @09:22PM (#36136976) Homepage Journal

    Put another way, a government that's big enough to give Exxon and the MPAA everything they want is big enough to take it away from you.

    If you trust Exxon and the MPAA more than the government with all its faults, then you have not been paying attention for the past 30 years.

  • Re:Seconded (Score:3, Insightful)

    by Moryath (553296) on Sunday May 15, 2011 @09:35PM (#36137048)

    Hey, remember when the police and the teachers' unions crashed the stock market, raided everyone's pension funds, and shipped all the jobs to India?

    Yeah, neither do I.

  • by shmlco (594907) on Sunday May 15, 2011 @10:46PM (#36137348) Homepage

    "All files stored on Dropbox are encrypted (AES-256)."

    Well, the op states, "...but in fact, as the encryption keys are in their possession...". As such, the statement can easily be true. The files *are* stored in an encrypted format.

    In fact, if you think about the "shared" features of their service, folders and files, they would HAVE to be able to access them and decrypt them, otherwise they could not be shared.
