Dropbox Security And Going Paperless

Dropbox Security And Going Paperless

Three weeks ago, I wrote a tip in the DocumentSnap newsletter recommending that if you are going to be using cloud backup or syncing services, it is worth being aware of any security implications this might have and what your options are with respect to encryption.

It turns out that my timing was impeccable, because over the past week there has been a brouhaha about some changes that Dropbox made to their terms of services and the security implications this may have.

The Issue

Business Insider noted that Dropbox recently changed their terms of service to say that if the United States government requests it, they will comply with US law and decrypt a user’s files.

This is fairly standard stuff, and most (but not all, I am coming to that soon) cloud services have a similar provision in their TOS. After all, they do have to comply with their country’s laws.

The reason that many people are upset is because, as Miguel de Icaza noted, the wording in a previous Dropbox Help Center article gave the impression that no one at Dropbox had the ability to decrypt user files. Based on the new TOS changes, that clearly is not the case.

Dropbox’s Response

Dropbox quickly responded to the Business Insider piece and Miguel’s post (see the comment by Arash). They also wrote a blog post explaining the situation. I recommend that you give their post a read if you are a Dropbox user.

My Thoughts

Reactions to this seem to be split between the two extremes of “Dropbox lied to us!!! I can’t trust them with my data!!!” and “Duh, of course they can access my files on their own servers. You’re crazy if you think they couldn’t”.

Myself, I have previously worked in a SaaS environment with sensitive financial data, and I tend to lean towards the latter of the two views. It is fairly common from my experience that at least some operational employees have the ability to access data on the servers, which is where technical and policy limitations (with audits) come into play.

That doesn’t excuse their sloppy Help Center article (my guess: the writer of the article thought an engineer meant something that they didn’t), but it seems pretty unlikely to me that it was a deliberate intent to mislead by Dropbox. They’d have too much to lose.

Having said that, when you are going paperless, you by definition will have some sensitive documentation (think bank statements). If you have something that you absolutely positively do not want anyone to ever be able to see, you probably should not be putting it on the Internet.

Things You Can Do

Back in 2009 I wrote a post about SpiderOak’s zero knowledge approach to privacy. As that post and my newsletter article from a few weeks ago outlines, one option if you are concerned about security is to use a provider that encrypts your files before they are sent to to the server. SpiderOak and Wuala are two services that do this.

If your documents are encrypted before uploading, that means no one on the provider’s end can access them. This also means that if the government comes knocking, they can honestly say that they can’t access the files.

If you want to keep using Dropbox but want to make your documents more secure, Dropbox themselves have recommend using something like TrueCrypt to encrypt your documents. There are step-by-step instructions (with videos) for how to do this in the Paperless Document Organization Guide, but otherwise what you do is create the Truecrypt volume in your Dropbox folder, put your documents in that, and then Dropbox will sync it.

Your Thoughts?

What do you think about all this? Has this changed your opinion of using Dropbox? What do you do to keep your documents secure in the cloud?I’ve love to hear in the comments.

(Photo by CarbonNYC)

About the Author

Brooks Duncan helps individuals and small businesses go paperless. He's been an accountant, a software developer, a manager in a very large corporation, and has run DocumentSnap since 2008. You can find Brooks on Twitter at @documentsnap or @brooksduncan. Thanks for stopping by.

Leave a Reply 11 comments

Dave M - April 30, 2014 Reply

Personally, I have nothing to hide from the government or anyone else for that matter. I’m not running a crime ring, dealing drugs, or operating a terrorist organization. 🙂 My only fear is theft in general, or more specifically, identify theft. I’m pretty paranoid, and I work in the IT field, so I do as much as possible to protect myself from ID theft. But having some bank statements or bills on Dropbox or Evernote is no more risky, IMHO, than having all those documents sitting on the many servers of the various banks, credit card companies, brokerage firms, utility companies, etc, where those documents originate from anyway. I have NO control over any of those services, nor have a fully read each of their TOS statements.

That’s just my 2 cents, which is about all it’s worth. 🙂

    Brooks Duncan - May 1, 2014 Reply

    Excellent point, Dave.

Sirena Nicks - March 19, 2012 Reply

Personally, I prefer local storage; I like being 100% in control of my data. Backing up data in the cloud is pretty risky (possible hackers and other third parties having access to it) I backup my data monthly, to a flash drive as well as an external hard drive.

The Economist On The Cloud Castle | Tips To Learn How To Go Paperless | DocumentSnap Paperless Blog - November 17, 2011 Reply

[…] There are, of course, security considerations when doing this. One more the more insightful articles I have read on this topic was written on The Economist’s Babbage blog this Spring after Dropbox’s well-publicized security woes. […]

Verchromter Nachtrag — Konstantin Klein - May 16, 2011 Reply

[…] 2.0 speichert man seine Daten zwar durchaus gerne in der Wolke, aber – nicht erst seit dem Dropbox-Desaster (wir erinnern uns: die verschlüsselten Daten, die everybody and his Grandmother entschlüsseln […]

marc - May 1, 2011 Reply

Hey there,

I’m very interested in what guys are talking about. I’m upset with Evernote and Dropbox but yet I decided to go paperless. I so much wish to find THE alternative here… 🙁

guest - April 26, 2011 Reply

If you use Truecrypt then you cannot access with an iPad or iPhone. One of the main reasons to use Dropbox until Apple gets something that works for file storage. I am in the middle. I don't trust DropBox like I did as I took their TOS and Help site to be accurate and it wasn't. That said, it is a lot more secure than a zip drive that can fall out of your pocket even if you do encrypt it. I use mostly for personal info and to move files vs. a zip. I will not be putting all my sensitive info in Dropbox. I used to think Dropbox had better security than Evernote, but now I wonder.

I think the fact that a password reset really does nothing bothers me just as much as their other security information. I think they went for easy of use vs security, but represented otherwise.

VPN may be the best bet again, from a computer-still won't work for iPhones and iPad, but Logmein would. I am interested in suggestions too.

What about Box.net or NetDocuments (legal specific)?

    Tom - April 27, 2011 Reply

    Switch to I-Drive. YOU have the encryption key, not them.

      Brooks Duncan - April 27, 2011 Reply

      Thanks for the recommendation Tom.

Glen - April 26, 2011 Reply

I store my documents on dropbox but I encrypt the files first using truecrypt. The downsides to this are it messes up the spotlight search, you have to mount and unmount the truecrypt file like a drive to mess with your files and I cannot access the files from my phone on the go. Does anyone have any suggestions for these issues?

    Brooks Duncan - April 26, 2011 Reply

    I'm struggling with the exact same encrypt-or-accessible-on-phone choice. Will be interesting to see suggestions.

Leave a Reply: