Three weeks ago, I wrote a tip in the DocumentSnap newsletter recommending that if you are going to be using cloud backup or syncing services, it is worth being aware of any security implications this might have and what your options are with respect to encryption.
It turns out that my timing was impeccable, because over the past week there has been a brouhaha about some changes that Dropbox made to their terms of service and the security implications this may have.
Business Insider noted that Dropbox recently changed their terms of service to say that if the United States government requests it, they will comply with US law and decrypt a user’s files.
This is fairly standard stuff, and most (but not all, I am coming to that soon) cloud services have a similar provision in their TOS. After all, they do have to comply with their country’s laws.
Many people are upset because, as Miguel de Icaza noted, the wording in a previous Dropbox Help Center article gave the impression that no one at Dropbox had the ability to decrypt user files. Based on the new TOS changes, that clearly is not the case.
Dropbox quickly responded to the Business Insider piece and Miguel’s post (see the comment by Arash). They also wrote a blog post explaining the situation. I recommend that you give their post a read if you are a Dropbox user.
Reactions to this seem to be split between the two extremes of “Dropbox lied to us!!! I can’t trust them with my data!!!” and “Duh, of course they can access my files on their own servers. You’re crazy if you think they couldn’t”.
Myself, I have previously worked in a SaaS environment with sensitive financial data, and I tend to lean towards the latter of the two views. It is fairly common from my experience that at least some operational employees have the ability to access data on the servers, which is where technical and policy limitations (with audits) come into play.
That doesn’t excuse their sloppy Help Center article (my guess: the writer of the article thought an engineer meant something that they didn’t), but it seems pretty unlikely to me that it was a deliberate intent to mislead by Dropbox. They’d have too much to lose.
Having said that, when you are going paperless, you by definition will have some sensitive documentation (think bank statements). If you have something that you absolutely positively do not want anyone to ever be able to see, you probably should not be putting it on the Internet.
Things You Can Do
Back in 2009 I wrote a post about SpiderOak’s zero knowledge approach to privacy. As that post and my newsletter article from a few weeks ago outline, one option if you are concerned about security is to use a provider that encrypts your files before they are sent to the server. SpiderOak and Wuala are two services that do this.
If your documents are encrypted before uploading, that means no one on the provider’s end can access them. This also means that if the government comes knocking, they can honestly say that they can’t access the files.
If you want to keep using Dropbox but want to make your documents more secure, Dropbox themselves have recommended using something like TrueCrypt to encrypt your documents. There are step-by-step instructions (with videos) for how to do this in the Paperless Document Organization Guide, but otherwise what you do is create the TrueCrypt volume in your Dropbox folder, put your documents in that, and then Dropbox will sync it.
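What "encrypted before uploading" means in practice, as an added example that is not from the original post, Dropbox or TrueCrypt: the plaintext stays outside the synced folder and only ciphertext is written into it. It uses the OpenSSL command-line tool (1.1.1 or later) in place of a TrueCrypt volume; the function names, the DOC_PASSPHRASE variable and the paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: per-file encryption before a sync client sees the file.
# Assumptions: OpenSSL 1.1.1+ and sha256sum on PATH; the passphrase is in the
# exported environment variable DOC_PASSPHRASE (hypothetical name).
# Caveats: the .enc name and the file size are still visible to the provider,
# and AES-CBC here gives confidentiality only, not tamper detection.

# decrypt_from_sync <ciphertext-file>  -> plaintext on stdout
decrypt_from_sync() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -in "$1" -pass env:DOC_PASSPHRASE
}

# encrypt_to_sync <plaintext-file> <sync-dir>
# Writes <sync-dir>/<name>.enc; the plaintext is never copied into <sync-dir>.
encrypt_to_sync() {
    src=$1
    dest="$2/$(basename "$1").enc"
    [ -n "$DOC_PASSPHRASE" ] || { echo "DOC_PASSPHRASE is not set" >&2; return 2; }

    # PBKDF2 stretches the passphrase into the AES key; OpenSSL generates a
    # random salt per file and stores it in the "Salted__" header.
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -in "$src" -out "$dest" -pass env:DOC_PASSPHRASE || return 1

    # Round-trip check: only keep the ciphertext if it decrypts back to the
    # exact bytes of the original, so a bad write is caught before syncing.
    want=$(sha256sum < "$src")
    got=$(decrypt_from_sync "$dest" | sha256sum)
    if [ "$want" != "$got" ]; then
        rm -f "$dest"
        echo "verification failed for $src" >&2
        return 1
    fi
}

# Usage (paths are placeholders):
#   export DOC_PASSPHRASE='a long passphrase only you know'
#   encrypt_to_sync "$HOME/private/statement.pdf" "$HOME/Dropbox/encrypted"
#   decrypt_from_sync "$HOME/Dropbox/encrypted/statement.pdf.enc" > statement.pdf
```

Losing the passphrase means losing the documents, since neither the provider nor anyone else can recover them.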
What do you think about all this? Has this changed your opinion of using Dropbox? What do you do to keep your documents secure in the cloud? I’d love to hear in the comments.
(Photo by CarbonNYC)