Risk

5/16/2011
02:06 PM
50%
50%

Dropbox Accused Of Misleading Customers On Security

FTC complaint charges that the file-sharing service hasn't told the truth about the security it applies to stored files, as well as who can access or view those files.

A complaint was filed with the Federal Trade Commission last week alleging that the popular Dropbox file-sharing service has been misleading users about the security and privacy of their files. Dropbox offers cross-platform file synchronization and online backup. According to the company, over 25 million people have registered to use Dropbox.

At issue is Dropbox's description of its service. Previously, the company stated in the "How Secure is Dropbox" page in its "Help Center" that "all files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password."

But the reality seems to be more complicated. In particular, Dropbox--unlike some of its competitors, such as Spideroak and Tarsnap--uses file deduplication when files are first uploaded. As a result, when a user uploads a file, the Dropbox site first studies the file to see if it's been uploaded by a different user. If so, Dropbox just links to the previously uploaded file.

But security and privacy researcher Christopher Soghoian, a graduate fellow at the Center for Applied Cybersecurity Research who's completing his PhD at the School of Informatics and Computing at Indiana University, said in a blog post--prefiguring his FTC complaint, noted above--that file deduplication typically results in poorer security. "While the decision to deduplicate data has probably saved the company quite a bit of storage space and bandwidth, it has significant flaws."

For starters, deduplication can make it easy for outsiders to know what's already on Dropbox's servers, since the website studies a file to see if it's seen it before. "While this doesn't tell you which other users have uploaded this file, presumably Dropbox can figure it out. I doubt they'd do it if asked by a random user, but when presented with a court order, they could be forced to," he said. "What this means, is that from the comfort of their desks, law enforcement agencies or copyright trolls can upload contraband files to Dropbox, watch the amount of bandwidth consumed, and then obtain a court order if the amount of data transferred is smaller than the size of the file."

Soghoian also questioned Dropbox's use of a single encryption key for all user data the company stores. First, there's the risk it creates that a malicious insider could inappropriately access any user's data. In addition, he said, "Dropbox has exposed its users to unnecessary risk of data theft by hackers who, if they break into the company's servers, may be able to steal users' data and the keys necessary for decryption." This has happened in several recent, high-profile attacks, for example against RSA and Comodo.

Finally, Dropbox's website had said that "Dropbox employees aren't able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc., not the file contents)." In April, however, in response to criticism of Dropbox's website--from Soghoian, among others--Dropbox altered its description. Instead of saying that employees can't access data, the new description says "we have strict access controls that prohibit employee access to user data."

In response to Soghoian's initial complaints, Dropbox's founders, CEO Drew Houston and CTO Arash Ferdowsi, on April 21 released a statement on the Dropbox website. "Like most major online services, we have a small number of employees who must be able to access user data when legally required to do so," they said. "But that's the exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access."

In response to the FTC complaint Soghoian then filed, a Dropbox spokesperson, Julie Supan, said on Monday in an emailed statement: “We believe this complaint is without merit, and raises issues that were addressed in our blog post on April 21."

Will Dropbox face a fallout with its customers? "I deleted my Dropbox account. It turns out that they lied and don't actually encrypt your files and will hand them over to anyone who asks,' said Jon Callis, the co-founder and CTO of PGP, via tweet. But Callis is arguably a security outlier, given that he understands the intricacies of encryption and deduplication.

Other users, however, have also been speaking up. Ewan Leith, a system and data migration specialist, accused Dropbox of having made "a straight-forward lie" in changing its terms of service. "Dropbox employees are able to access user files, but you have policies and technical solutions in place to control their access. It's a fundamental distinction."

Meanwhile, Soghoian, in his complaint to the FTC, urged Dropbox to alter its approach to data security by foregoing data deduplication and assigning each user their own strong encryption key. "Other online backup services have done it for some time. This is the only real way that data can be secure in the cloud," he said.

In the new, all-digital issue of InformationWeek: Our 2011 Strategic Security Survey shows increased executive interest in security. Here's what you should do next. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-1848
PUBLISHED: 2018-12-14
IBM Business Automation Workflow 18.0.0.0 and 18.0.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force...
CVE-2018-1977
PUBLISHED: 2018-12-14
IBM DB2 for Linux, UNIX and Windows 11.1 (includes DB2 Connect Server) contains a denial of service vulnerability. A remote, authenticated DB2 user could exploit this vulnerability by issuing a specially-crafted SELECT statement with TRUNCATE function. IBM X-Force ID: 154032.
CVE-2018-18006
PUBLISHED: 2018-12-14
Hardcoded credentials in the Ricoh myPrint application 2.9.2.4 for Windows and 2.2.7 for Android give access to any externally disclosed myPrint WSDL API, as demonstrated by discovering API secrets of related Google cloud printers, encrypted passwords of mail servers, and names of printed files.
CVE-2018-18984
PUBLISHED: 2018-12-14
Medtronic CareLink 2090 Programmer CareLink 9790 Programmer 29901 Encore Programmer, all versions, The affected products do not encrypt or do not sufficiently encrypt the following sensitive information while at rest PII and PHI.
CVE-2018-19003
PUBLISHED: 2018-12-14
GE Mark VIe, EX2100e, EX2100e_Reg, and LS2100e Versions 03.03.28C to 05.02.04C, EX2100e All versions prior to v04.09.00C, EX2100e_Reg All versions prior to v04.09.00C, and LS2100e All versions prior to v04.09.00C The affected versions of the application have a path traversal vulnerability that fails...