How Safe is DropBox

Well, if you believe the info in a complaint filed last week with the FTC, not as safe as once communicated. While it seems clear DropBox does use the AES-256 standard for encryption which is good, the storage of the keys for unlocking or decrypting the data is not so good. In the safest of environments, you have the key. In this case, DropBox has the key stored on their servers.

The point of the complaint is DropBox said to the effect, “Not even our employees can read your files.” and this turns out not to be true. They now say this:

“Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our security policy. But That’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.”

What’s this mean to those using DropBox?
1) If the authorities want to see what’s in your files on DropBox and they get the appropriate paperwork, DropBox will decrypt it and give it to them.

2) A rogue DropBox employee could decrypt your files. Though DropBox does claim to have safeguards to prevent this.

3) An intrusion on the scale of the ones seen recently at Google, Sony and RSA could result in the exposure of your files.

What to do about it?
If what you are putting on DropBox contains anything secret or private, encrypt it yourself before pushing it to DropBox. A program like TrueCrypt can provide both file level and container level encryption to facilitate this.  Though this may make it somewhat more difficult in sharing data between multiple computers and users.

If you don’t mind a very small chance someone else my see what’s in your files and you are under no regulatory constraints, don’t worry about it and feel free to move it to DropBox.

Advertisements

About securitysnapshot

Security Snapshot LLC is a computer and information security company helping concerned business owners protect their reputation and their client's private and personal information.
This entry was posted in Digital Privacy, encryption. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s