PC Pitstop is proud to welcome our friends at Windows Secrets as guest contributors. The weekly Windows Secrets Newsletter brings you essential tips for Windows, applications, and computing on the Internet.
By Woody Leonhard/Windows Secrets
We here at Windows Secrets use Dropbox all the time, both as individuals and as a group. As Michael said, “Every once in a while some product — or service in this case — comes along that we soon find we can’t live without. Dropbox, an online file-backup, -sharing, and -synchronization service, fits that category.”
I personally like Dropbox so much I recommended it in my January 27 Top Story, Seven simple steps for setting up Windows 7.
That’s why I was very concerned when reports started surfacing a few weeks ago about possible privacy problems with Dropbox.
Setting up Dropbox from a privacy point of view
To understand the problems that have caused all the concern, you need to understand how Dropbox works.
When you sign up for Dropbox, you supply a user name and password and then install the application. As long as you’re connected to the Internet, the files you drag into the local Dropbox folder magically appear on all PCs, laptops, phones, and iPads that also have Dropbox installed and are attached to the same Dropbox account. The files also appear online when you sign into the Dropbox site and specify the same user name and password.
The first time you set up Dropbox on a new machine (PC, Mac, phone, tablet), you have to specify the user name and password for your account. (Currently, you can have multiple Dropbox accounts, but you can use only one at a time — you have to sign out of one account before signing into another.) After that, Dropbox remembers the sign-in details, and it’s click-and-drag easy for you to store files in the cloud. Dropbox automatically synchronizes the contents of the Dropbox folder on all of the machines using the same account.
Dropbox has a lot of smarts. For example, it won’t store the same file twice. If you drop a picture of your summer vacation into your Dropbox folder and your brother drops the same picture into his Dropbox folder, Dropbox recognizes the duplication — it uploads and stores the file only once. Even if you and your brother have completely different user names and passwords and work with completely different folders, Dropbox is smart enough to refrain from storing the same file twice.
Moreover, if you make a small change to a big file and then drag the updated file into your Dropbox folder, Dropbox is smart enough to just synchronize the deltas — it identifies the parts of the file that have changed and uploads only those changed parts. That can save you a lot of time and bother with sluggish upload speeds. It also saves bandwidth and storage on the Dropbox servers. Slick.
Other people can’t get into your Dropbox unless you give them your account’s user name and password. (You can set up Public folders with Dropbox, which — as the name implies — are accessible to anyone with the right URL. But you have to specifically designate a folder as Public.)
When you move from one device (computer, phone, tablet, etc.) to another, or you have more than one Dropbox folder set up on your computer, you have to supply the correct user name and password on each device to get at the data. (Or you can sign in to the Dropbox website with the correct user name and password.)
So only people with the user name and password can see the data, right? Well, no — and that’s the source of the privacy problem.
Dropbox privacy called into question
Until a month ago, the Dropbox FAQ said, “All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password.”
But as he reported in his April 12 blog, security researcher Christopher Soghoian put two and two together and came to a rather disconcerting conclusion: the only way Dropbox could deduplicate files or store the deltas is if the Dropbox system can get at the contents of your files. At least on the surface, that contradicts the assurance that your files “are inaccessible without your account password.”
The Dropbox help site also stated a month ago, “Dropbox employees aren’t able to access user files, and when troubleshooting an account, they only have access to file metadata (file names, file sizes, etc. — not the file contents).” As it turns out, that isn’t exactly true, according to Soghoian’s blog.
I don’t want to leave you with the impression that Dropbox was trying to hide the fact that it could (and can) look at the contents of your files (for example, in response to a legal warrant). A Dropbox representative, Drew H., stated publicly in a three-year-old Dropbox forum post that company employees were authorized to look at stored content such as file names — but not file contents. Dropbox encrypts the data before it’s stored, but the encryption is done with Dropbox’s own keys, and those keys are maintained by Dropbox. When required, people at Dropbox can get at the keys and decrypt your data; but that process is tightly controlled, as described in the “Compliance with laws and law enforcement requests; protection of Dropbox’s rights” section on the company’s Privacy Policy page.
What should — or can — you do about it?–Article continued here.
This post is excerpted with permission from Windows Secrets.