Dropbox faces possible FTC investigation over security

updated 07:00 pm EDT, Fri May 13, 2011

Dropbox accused of using deceptive trade practices

Dropbox has had a complaint (PDF) filed against it with the FTC by a well-known security researcher. The cloud-based file storage site, which recently clocked up 25 million users, is alleged to be falsely advertising the security of its services. The allegation comes against the backdrop of the Sony PSN data breach fiasco that exposed the personal information of over 77 million users, the result of apparently lax security. Since Sony's woes emerged, along with privacy concerns with Google and Apple, many have questioned the integrity of the masses of personal information stored on data servers around the world.

Dropbox is now the latest company to have the spotlight directed at its security practices. Ph.D. student Christopher Soghoian, who has worked with the FTC, has accused Dropbox of making "deceptive statements to consumers regarding the extent to which it protects and encrypts their data." Previously, Dropbox has told users that their files are encrypted and unreadable even by its own employees. Soghoian has demonstrated that this is not the case and that users' information could be vulnerable to government searches and unscrupulous Dropbox employees.

On April 13, Dropbox revised its security claims from:

All files stored on Dropbox servers are encrypted (AES256) and are inaccessible without your account password.

to:

All files stored on Dropbox servers are encrypted (AES 256).

The change is particularly important because of the way Dropbox saves file storage space. When a user attempts to upload a file, Dropbox runs an algorithm that scans the file for a short signature to see if another user has already uploaded the same file. If it is the case, then Dropbox doesn't upload the "duplicate" file, but simply "adds" it to the user's Dropbox folder. Further, the keys used to encrypt and decrypt files remain with Dropbox and are not stored on each user's machines.

Consequently, Dropbox employees can see the content contained in every user's Dropbox and could potentially grant government access to those files if subpoenaed. Also on April 13, Dropbox revised this original statement from:

Dropbox employees aren't able to access user files, and when troubleshooting an account, they only have access to file metadata (filenames, file sizes, etc. not the file contents).

to:

Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations).
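The link between deduplication and key custody described above can be shown with a small model. This is an added example, not Dropbox code: the `DedupStore` class, the SHA-256 content signature, the single provider key and the hash-based stand-in cipher (used in place of AES so the script needs only the standard library) are all assumptions.

```python
import hashlib
import os

def keystream_xor(key, nonce, data):
    """Stand-in cipher (SHA-256 in counter mode), NOT AES. XOR makes it its own inverse."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

class DedupStore:
    """Hypothetical provider: one stored copy per content signature, provider-held key."""
    def __init__(self):
        self.provider_key = os.urandom(32)   # never leaves the provider
        self.blobs = {}                      # signature -> (nonce, ciphertext)
        self.folders = {}                    # user -> {filename: signature}

    def upload(self, user, name, data):
        """Return True if the bytes had to be transferred, False if deduplicated."""
        sig = hashlib.sha256(data).hexdigest()
        transferred = sig not in self.blobs
        if transferred:
            nonce = os.urandom(16)
            self.blobs[sig] = (nonce, keystream_xor(self.provider_key, nonce, data))
        self.folders.setdefault(user, {})[name] = sig  # "adds" the file to the folder
        return transferred

    def provider_read(self, user, name):
        """What an employee (or anyone holding provider_key) can recover."""
        nonce, ct = self.blobs[self.folders[user][name]]
        return keystream_xor(self.provider_key, nonce, ct)

def client_encrypt(user_key, data):
    """Encrypt on the user's machine with a key the provider never sees."""
    nonce = os.urandom(16)
    return nonce + keystream_xor(user_key, nonce, data)

def demo():
    store = DedupStore()
    doc = b"constructed sample: Q3 payroll spreadsheet"
    first = store.upload("alice", "payroll.xls", doc)     # new content
    second = store.upload("bob", "copy.xls", doc)         # same signature
    readable = store.provider_read("bob", "copy.xls") == doc
    third = store.upload("alice", "payroll.enc", client_encrypt(os.urandom(32), doc))
    fourth = store.upload("bob", "copy.enc", client_encrypt(os.urandom(32), doc))
    opaque = store.provider_read("bob", "copy.enc") != doc
    return first, second, readable, third, fourth, opaque
```

In the model, cross-user deduplication only works because the provider sees the same plaintext signature for both users and holds the key; once each user encrypts locally with their own key, the uploads no longer match and the provider recovers only ciphertext.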

Soghoian alleges that Dropbox has engaged in deceptive trade practices in order to gain a commercial advantage over competing services that make similar claims but have better security mechanisms. His complaint asks the FTC to force Dropbox to make appropriate disclosures and offer a refund to "Pro" users. [via Wired]

by MacNN Staff



  1. hayesk

    Joined: Dec 1969


    Be careful

    Even with popular cloud services, you have to be careful with sensitive data.

  1. TRRosen

    Joined: Dec 1969


    Good service bad security

    Remember, if you ever lose a device with Dropbox on it, whoever has it has permanent access to your files.

    Change the password, you say? Doesn't work: if you change your password it is automatically updated on all the devices currently set up. This is just STUPID!

  1. growlf

    Joined: Dec 1969


    Re: Good service bad security

    1. Dropbox files are local, so if you lose a device, you're obviously going to have to deal with someone having access to them unless your device is password protected and encrypted.
    2. To stop a machine from syncing, you go to Account, Manage, My Computers, and unlink the computer. THEN you can change the password.

    That hardly seems stupid to me. Seems a bit more like "didn't read the instructions."

    I've kept all of my sensitive files in an encrypted disk image on dropbox. That works for me.

  1. Freddy1

    Joined: Dec 1969


    So What?

    It is foolish to upload anything sensitive to "the cloud" without first encrypting it yourself. Relying on others' assurances of keeping your data private is just silly. It's like handing your super-secret diary to someone you don't know after they assure you they won't share your private thoughts.

    If we're old enough to post here, and old enough to understand how to implement Dropbox in the first place, we should be smart enough to not trust every stranger who says they won't spy on us or says they have free candy in their van with darkened windows.

    Dropbox does a wonderful job of storing one's data if one understands these simple, everyday commonsense limitations. Real life is a wonderful analog for the digital domain when contemplating what information one should trust with strangers.

    Simply create encrypted sparse disk images on your desktop and drop your sensitive information in them. Place these in Dropbox.
