updated 01:45 pm EDT, Mon July 21, 2014
NSA whistleblower points to board member, companies should have no access to data
In an interview with UK newspaper The Guardian last week, fugitive American whistleblower Edward Snowden made it clear that he opposed cloud companies that had access to user data. He specifically pointed out Dropbox as being "hostile to privacy" for a number of reasons, including a board appointment of an ex-government official with ties to suspected privacy violations.
"Dropbox is a targeted, you know, wannabe PRISM partner," said Snowden.
Snowden accused Dropbox of hiring "the most anti-privacy official you can imagine" in former United States Secretary of State Condoleezza Rice. The storage company hired Rice to its board of directors in April. He claims that Rice was one of the people tasked with overseeing the "Stellar Wind" government spying project. Stellar Wind was an NSA program that collected emails, Internet usage, telephone calls and financial transactions on United States citizens for close to 10 years after the events of the September 11, 2001 terrorist attacks.
According to Snowden, this makes Dropbox a company that's "hostile to privacy." However, it is unclear if Rice has any connection to the creation or administration of privacy policies for the cloud storage company, though her appointment has stirred user outrage. Dropbox defended its appointment of Rice in an open letter on its website. The company stated that they were honored to have Rice join the board, as well as indicated that nothing would change. A Dropbox spokesperson issued a statement to PC World on Snowden's claims, stating that the company supports the privacy of its users.
Outside of his larger issues with Dropbox, Snowden suggests that cloud companies should shift to a policy of zero knowledge when it comes to the data they store. This sort of system would see data hosted and processed, but never accessed by the host company. He adds that by completely removing themselves from the manipulation, analysis and reading of the information, customers would gain trust in cloud hosting companies.
Snowden points to SpiderOak, a small tech company from Illinois founded in 2006, as a company that follows the zero knowledge approach. While other storage companies have added in-transit and at rest encryption, SpiderOak allows users to encrypt data before sending it to the company servers. The company claims that it holds no readable passwords or other data.
"SpiderOak has structured their system in such a way you can store all of your information on them with the same sort of features that Dropbox does, but they literally had have no access to the content," said Snowden. "So while they can be compelled to turn it over, the law enforcement agencies still have to go to a judge and get a warrant to actually get your encryption key from you."