The Dropbox Security Saga gets Serious:

This news is a few days old, but I thought I should post an update about it as I’ve covered Dropbox security issues in a previous blog entry. There is an extensive article in Wired magazine about this Dropbox fiasco. Apparently an FTC complaint has been filed.

From the article . . .

The FTC complaint charges Dropbox (.pdf) with telling users that their files were totally encrypted and even Dropbox employees could not see the contents of the file. Ph.D. student Christopher Soghoian published data last month showing that Dropbox could indeed see the contents of files, putting users at risk of government searches, rogue Dropbox employees, and even companies trying to bring mass copyright-infringement suits.

Soghoian, who spent a year working at the FTC, charges that Dropbox “has and continues to make deceptive statements to consumers regarding the extent to which it protects and encrypts therir data,” which amounts to a deceptive trade practice that can be investigated by the FTC.

Dropbox dismissed Soghoian’s allegations.

“We believe this complaint is without merit, and raises old issues that were addressed in our blog post on April 21, 2011,” company spokeswoman Julie Supan said in a short e-mail to “Millions of people depend on our service every day and we work hard to keep their data safe, secure, and private.”

Dropbox, which has more than 25 million users, revised its website claims about its data security April 13, from:

All files stored on Dropbox servers are encrypted (AES256) and are inaccessible without your account password.


All files stored on Dropbox servers are encrypted (AES 256).

The difference, Soghoian charges, is very important. (If his name sounds familiar, you might remember him as the one who exposed Facebook’s attempt to place anti-Google stories in the press this week.)

Dropbox saves storage space by analyzing users’ files before they are uploaded, using what’s known as a hash — which is basically a short signature of the file based on its contents. If another Dropbox user has already stored that file, Dropbox doesn’t actually upload the file, and simply “adds” the file to the user’s Dropbox.

The keys used to encrypt and decrypt files also are in the hands of Dropbox, not stored on each user’s machines.

Those architecture choices mean that Dropbox employees can see the contents of a user’s storage, and can turn over the nonencrypted files to the government or outside organizations when presented with a subpoena.

Read the rest of the article here.