June 2, 2011
Re-examining Dropbox and its alternatives
By Woody Leonhard
Recent revelations about privacy concerns with Dropbox have led many people — including me — to think about changing my practices regarding online file-storage and -synchronization providers.
If you use Dropbox or some other cloud storage and sync program, let me explain what you do — and don't — need to be concerned about. And what you can do to sleep better at night.
Michael Lasky wrote about Dropbox in his October 28, 2010, Top Story, Dropbox: File synching and sharing made easy. Dropbox lets you drag and drop files into a special folder on your Windows desktop. The dropped files then magically appear on all other PCs, laptops, phones, and iPads that use the Dropbox service and are set up to share the folder you have. It has good password-based security and fine file-sharing options.
We here at Windows Secrets use Dropbox all the time, both as individuals and as a group. As Michael said, "Every once in a while some product — or service in this case — comes along that we soon find we can't live without. Dropbox, an online file-backup, -sharing, and -synchronization service, fits that category."
I personally like Dropbox so much I recommended it in my January 27 Top Story, Seven simple steps for setting up Windows 7.
That's why I was very concerned when reports started surfacing a few weeks ago about possible privacy problems with Dropbox.
Setting up Dropbox from a privacy point of view
To understand the problems that have caused all the concern, you need to understand how Dropbox works.
When you sign up for Dropbox, you supply a user name and password and then install the application. As long as you're connected to the Internet, the files you drag into the local Dropbox folder magically appear on all PCs, laptops, phones, and iPads that also have Dropbox installed and are attached to the same Dropbox account. The files also appear online when you sign into the Dropbox site and specify the same user name and password.
The first time you set up Dropbox on a new machine (PC, Mac, phone, tablet), you have to specify the user name and password for your account. (Currently, you can have multiple Dropbox accounts, but you can use only one at a time — you have to sign out of one account before signing into another.) After that, Dropbox remembers the sign-in details, and it's click-and-drag easy for you to store files in the cloud. Dropbox automatically synchronizes the contents of the Dropbox folder on all of the machines using the same account.
Dropbox has a lot of smarts. For example, it won't store the same file twice. If you drop a picture of your summer vacation into your Dropbox folder and your brother drops the same picture into his Dropbox folder, Dropbox recognizes the duplication — it uploads and stores the file only once. Even if you and your brother have completely different user names and passwords and work with completely different folders, Dropbox is smart enough to refrain from storing the same file twice.
Moreover, if you make a small change to a big file and then drag the updated file into your Dropbox folder, Dropbox is smart enough to just synchronize the deltas — it identifies the parts of the file that have changed and uploads only those changed parts. That can save you a lot of time and bother with sluggish upload speeds. It also saves bandwidth and storage on the Dropbox servers. Slick.
Other people can't get into your Dropbox unless you give them your account's user name and password. (You can set up Public folders with Dropbox, which — as the name implies — are accessible to anyone with the right URL. But you have to specifically designate a folder as Public.)
When you move from one device (computer, phone, tablet, etc.) to another, or you have more than one Dropbox folder set up on your computer, you have to supply the correct user name and password on each device to get at the data. (Or you can sign in to the Dropbox website with the correct user name and password.)
So only people with the user name and password can see the data, right? Well, no — and that's the source of the privacy problem.
Dropbox privacy called into question
Until a month ago, the Dropbox FAQ said, "All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password."
But as he reported in his April 12 blog, security researcher Christopher Soghoian put two and two together and came to a rather disconcerting conclusion: the only way Dropbox could deduplicate files or store the deltas is if the Dropbox system can get at the contents of your files. At least on the surface, that contradicts the assurance that your files "are inaccessible without your account password."
The Dropbox help site also stated a month ago, "Dropbox employees aren't able to access user files, and when troubleshooting an account, they only have access to file metadata (file names, file sizes, etc. — not the file contents)." As it turns out, that isn't exactly true, according to Soghoian's blog.
I don't want to leave you with the impression that Dropbox was trying to hide the fact that it could (and can) look at the contents of your files (for example, in response to a legal warrant). A Dropbox representative, Drew H., stated publicly in a three-year-old Dropbox forum post that company employees were authorized to look at stored content such as file names — but not file contents. Dropbox encrypts the data before it's stored, but the encryption is done with Dropbox's own keys, and those keys are maintained by Dropbox. When required, people at Dropbox can get at the keys and decrypt your data; but that process is tightly controlled, as described in the "Compliance with laws and law enforcement requests; protection of Dropbox's rights" section on the company's Privacy Policy p! age.
Soghoian posted his analysis on April 12; shortly after, several Dropbox website statements on privacy and security changed. On April 21, the folks at Dropbox posted a clarification of their terms of service. "We felt our old TOS language was too broad and gave Dropbox rights that we didn't even want. We wish we had explained this when we made the change, but unfortunately we didn't and we're sorry if these changes have raised concerns about our commitment to keeping your stuff private." Again, it's important to note that Dropbox has always clearly stated that it maintains keys for unlocking all of the data: that's in the company blog and has been for years.
The blog goes on to describe situations in which Dropbox will divulge your data, under the new Terms of Service: "We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good-faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) protect Dropbox's property rights." You can see the full statement on Dropbox's Privacy Policy page.
You may find those terms chilling, but Dropbox does make a compelling argument in its favor by comparing its Privacy Policy with those of Apple, Google, Skype, and Twitter. Apple and Google store data online and have similarly broad-reaching policies. Skype and Twitter aren't quite so broad, fitting the nature of their service.
Soghoian has since filed a 16-page complaint with the U.S. Federal Trade Commission, alleging deceptive trade practices and unfair competition. He argues with some authority that Dropbox has an unfair advantage over competing cloud file-sharing services by maintaining its own keys (which allows its programs and employees access to your data). He further argues that Dropbox is misrepresenting the strength of its security and that its inferior security practices allow it to operate at a lower cost than its competitors.
What should — or can — you do about it?
I don't have any secrets worth sweating about, and I bet you don't either. But it's disconcerting nonetheless to know that specific Dropbox employees, no doubt following strict company guidelines, can see all of the data in my Dropbox folders. I'm also more than a little concerned about recent massive data breaches, where data and keys on other sites — such as Epsilon, Sony, Honda, Netflix, DSLReports, SecurID, Gawker, WordPress, iTunes, and many more — have fallen into bad-guy hands. Dropbox may follow the best security practices in the world, but that still doesn't make the company or its employees impervious to the rewards of data harvesting. And who's to say the keys can't be swiped as well?
Depending on your level of security comfort (or paranoia), you have four possible choices if you want to synchronize data in the cloud:
You can use Dropbox, realizing that the staff of Dropbox has the capability to read your data and send it to duly constituted authorities in some jurisdiction or another. If you understand the situation and it doesn't bother you, more power to ya!
You can encrypt your data before Dropbox gets it. The people at Dropbox recommend TrueCrypt, which runs on Windows, Mac OS X, and Linux. In general, all you have to do is put a TrueCrypt-encrypted file inside your Dropbox folder and change one setting on the TrueCrypt file. Dropbox has a forum thread that describes the approach and some of its problems. Suffice it to say that most people find it works easily. The major downside? It doesn't work on mobile devices, and file uploads and downloads might take longer.
You can use one of the integrated Dropbox third-party routines that perform encryption and decryption. At this moment, SecretSync and BoxCryptor are the best-known representatives of the genre. Both work with the Dropbox API and allow you to encrypt and decrypt the data with your own keys. Dropbox still encrypts the files (a second time), but should the occasion ever arise where Dropbox or some nefarious person uses the Dropbox key, the resulting file will still be scrambled — and you're the only one with the key. Users report varying degrees of success with BoxCryptor on Mac OS X and Linux. SecretSync support for Mac and Linux is "coming soon." There's no mobile support for this technology, either.
Or, you can drop Dropbox altogether. SpiderOak offers similar services, free, without the centrally maintained encryption keys: you encrypt the data with your key — and only you have the key. Bad guys can steal everything in SpiderOak, and they still can't crack your files. With SpiderOak, you create your password on your own computer — not through a Web form received by SpiderOak servers. According to a SpiderOak FAQ, "When you create a SpiderOak account, the setup process happens on your computer (after you download the application), and there your password is used in combination with a strong key derivation function to create your outer layer encryption keys. Your password is never stored as part of the data sent to Spide! rOak servers." In fact, SpiderOak's support staff has no ability to reset your password — you are completely responsible for its safekeeping. SpiderOak works on Windows, Mac OS X, and Linux but not on mobile devices.
SpiderOak even offers an open license, which allows your company or organization to set up its own SpiderOak operation. The administrator can see each account's name and contact information as well as the amount of data stored — and that's it. There are no keys floating around and no way for admins to look at the data. SpiderOak calls it "zero-knowledge privacy."
So whether the Dropbox privacy news elicits a yawn or seems dire (or at least sobering), you now know its limitations and you have alternatives.