Last week I publicly (via Twitter—really what other venue is there?) mentioned that I might be leaving Dropbox. What ensued was a rather lengthy conversation between me and others as to why I would do such a thing. Soon after the conversation started, the folks at @Dropbox noticed and joined the discussion. Why would I think about leaving Dropbox, a service which I often cite as one of the most useful around for educators? One-word answer: privacy. Based on some recent reports, I now have reason to be concerned about the degree to which Dropbox can keep files secure and private. When I expressed these concerns via Twitter, the folks at Dropbox responded with some helpful information and an invitation to write their legal department with any concerns I might have (140 characters being insufficient to address the matter adequately; and, as I said on Twitter, credit to Dropbox for listening and engaging in a conversation).
I started to write such an email and then changed my mind: why not lay out my concerns publicly and let other educators see what the issues are? After all, I feel somewhat responsible, since I have spent so much time praising Dropbox. Rather than have a private dialogue with Dropbox, it would be better to make it public, yes? So here goes.
For those who don’t use Dropbox, think of it as an automatically syncing flash drive in the cloud: an excellent way to keep files synced across multiple computers and have them available on whatever device you have in front of you at the time. (Here is the official explanation.) Because of Dropbox I never need to carry assignments, syllabi, or journal articles I want to read with me, or on a flash drive. These are just stored in the cloud and I can access them anytime the need arises. And this is just the tip of the ridiculously useful iceberg that is Dropbox. If you want more, just look at all the times it is mentioned on Profhacker (or just Google “Dropbox uses” and see what I mean). Dropbox has become one of the most important services in my media/computing ecosystem. On a scale of one to ten for usefulness and ease of use, Dropbox is an 11.
About a month ago I started to see reports that expressed concern over Dropbox security: questions about the encryption being used, and about who has access to the files you store on their servers. Basically there are two sets of concerns. The first is that by design Dropbox is insecure. You can read the whole article, which is mildly technical but amounts to a concern that it would be fairly trivial for a nefarious party to steal one file and thus gain access to all your files without you necessarily knowing. The second is that Dropbox updated their Terms of Service to reflect the fact that they have access to your files if needed. In other words, if the government subpoenas Dropbox, Dropbox has the ability to turn over your files in unencrypted form to the officials. (I know what some of you are thinking: who cares, I am not doing anything illegal? . . . but wait, I promise you should.) Both of these issues boil down to the fact that the encryption of your files takes place on the Dropbox servers, not on your own computer. In other words, the question is who has the keys to your file(s) and where those keys are stored.
One way to think about this concern is to imagine your files are being stored in a lockbox. One way to do it would be to put the files in a lockbox, keep the key, and send the whole box to Dropbox. In this way Dropbox has no way to unlock the files. But rather than this method, what Dropbox employs is a technique whereby you send them your files, they place them in a lockbox and give you the key, but they keep another copy of the key that lets them look in your box anytime they want. Why would they do it the second way instead of the first? Several reasons, but I think there are probably two main ones: 1. Ease of use for Dropbox customers. A system where they (the server) handle the encryption, rather than one where you (the client) manage it, has several advantages, including a “lighter” Dropbox program on your device, since it doesn’t have to handle encryption, and the ability to retrieve files for you even if you forget or lose your password. 2. Dropbox doesn’t want to cross the government.
Dropbox has responded to these concerns with a lengthy FAQ, which I encourage everyone to read. But honestly, the FAQ troubles me and makes it even more likely that I will seek an alternative cloud service, as it leaves many questions unanswered.
Let’s start with the transparency of this issue. What Dropbox is claiming, or appears to be claiming, is that this change in the TOS does not reflect a policy shift but merely an attempt to clarify what has been the policy all along. I’ll take Dropbox at their word on this, but I still have concerns about their wording.
“That said, like all U.S. companies, we must follow U.S. law. That means that the government sometimes requests us (as it does similar companies like Apple, Google, Skype, and Twitter) to turn over user information in response to requests for which the law requires that we comply.”
What Dropbox seems to be implying here is that they are required by US law to have what is known as a backdoor key (the ability to unlock any file) and to give it over to the government when served with a subpoena. But this is not actually the case. If Dropbox has the ability to unlock the files, then yes, they have to hand that over if they receive a request. But that doesn’t mean that they have to build a system that would allow them to do this. In other words, if they didn’t have the ability to unlock your files, the government couldn’t ask for that key, because Dropbox wouldn’t have the ability to unlock said files; they could only hand over the encrypted versions of the files to the government, rather than the actual files themselves. This is essentially the issue in this article, about the government wanting to be able to wiretap the Internet. My understanding, though (and I have asked a few lawyers about this), is that the current state of the law does not require companies to serve up plaintext files.
Okay, at this point I hear many of you saying that you want this feature, that you want the government to be able to access the files of “the baddies,” and since you have nothing to hide from the government you are not concerned. Let’s table that for a moment, and I’ll explain in a second why this is a dangerous view, but for now, irrespective of this issue, there is a more significant one, which affects every user, regardless of whether or not you feel that you have something to hide from the government: a system which by design enables a third party to decrypt your files is by design not secure. Or, a secret between two people can only be kept if one of them is dead. A system which by design has a backdoor to enable third-party access is vulnerable to a security breach. As a way of thinking about this, consider the relatively recent case where a Google employee was accessing user email and chats. Yes, Google is concerned about user privacy, but any system, no matter how good the engineers, has holes unless the user is the only one with the keys. So here is the rub: by trusting Dropbox and their current system you are not just trusting Dropbox but a host of employees. Any system designed like this will have a security breach at some point. It might not be a large one, it might not affect many users, but it will happen; you are just rolling the dice, gambling that you are not going to be the one affected (a fair gamble in most cases). It’s not just software that you are trusting, but people, and people are usually the weakest link in any system.
Now, just as importantly for me, is the type of atmosphere this private–government partnership entails. I realize many of you might not agree with this, and I don’t want to turn this into a big discussion here (a discussion I am more than willing to have in other places), but I prefer to play corporate interests against the government, keeping those two forces working against each other rather than siding together against the public. One of the particularly damaging developments we have seen on the web over the last 5 years is the ability of governments to control what happens online through extra-judicial means: collaboration with companies to curtail our privacy. For me at least it isn’t a matter of having something to hide from the government, but rather of knowing that I maintain control. Control of my own data, and of the data others have entrusted to me, seems to be an essential component of dignity.
But What Do I Care?
You don’t have to imagine that the government would want your information to see some problems here. Let’s imagine that through an engineering problem (a problem with the code), an employee problem (see the Google case above), or a deliberate hacking attack, Dropbox files suddenly become available. I actually have a good deal of student work, evaluations, letters of recommendation, etc. stored there at any given time. Aside from my own paranoia about data and privacy, there is a good bit of data that students and others with whom I work are entrusting me to keep private. Let’s imagine that your grade roster is stored on Dropbox and that it gets compromised. Once that file is unlocked and passed around there would be no getting it back. Leaving aside what kind of FERPA violation this may or may not be, I can imagine many students who might be harmed by this type of info. Have you stored judicial letters (for plagiarism cases) on Dropbox? I can think of a lot of information that I wouldn’t want out there even if it wouldn’t directly harm me.
Now, about 80% of the stuff I store on Dropbox has no privacy issue associated with it: things like journal articles or chapters I want to read, syllabi & assignments, my running schedule, or stuff that is publicly available elsewhere like my CV. But there is enough there that I am concerned and looking for other options.
I will also note here that, given the recent FOIA filings by conservative groups going after professors, being paranoid about data isn’t a bad thing; it removes the option for others to share my data (this is why I use my own email more than I use the University-provided one).
It’s true I have become somewhat paranoid here, using a VPN when on campus to ensure that the University can’t monitor my internet use, but I don’t think you have to be too paranoid to see this as an issue.
Questions for Dropbox
Having said all of this, I think there are probably several things Dropbox could make clear that would help.
1. How many employees have access to user files? Is there a dual-control system (do two employees have to sign off on access, or are there a certain number of employees who can do so on their own)? Are records kept any time users’ files are accessed this way, so that the company creates a clear audit trail? Do employees (and/or any contractors they deal with) have background checks?
2. Under what conditions do they give the government data? The FAQ suggests that they would fight these requests if they found them to be lacking in merit. Have they done so? Can they make this process transparent? Is there hard data on this?
3. What is being done to fix the architecture issues? (Here Dropbox runs into a problem: the more it says about its security, the more susceptible it is to vulnerabilities, but the less it says, the less trustworthy it seems. Security through obscurity really isn’t a good idea.)
4. Does Dropbox think it is their legal responsibility, ethical responsibility, or both to share information with the US government? Would they do so without a warrant? The policy says “request”; what constitutes a request?
The Other Options
1. As the Dropbox FAQ suggests, the first option is to encrypt your file before it syncs with Dropbox. If you encrypt your files before syncing them with Dropbox, using something like TrueCrypt, nobody else will be able to access them. The disadvantage is that your files are then not accessible on your iPhone, iPad, or Android device. In other words, a not-so-useful option.
2. Use Dropbox only to store public or pseudo-public information. Again, 80% of what I store on Dropbox I am not concerned about, so maybe I just store only that type of stuff on Dropbox.
3. Go back to using a flash drive. (Uhh, no thanks.) This also doesn’t let me use it across other platforms (iPad, phone, etc.).
4. Create a partition on my phone that would store these files. They would always be with me, and I could run something like Samba file sharing and Root Explorer. This would make accessing the files more than trivial, though. Really, I like cloud features.
5. Switch to a different service. Both SpiderOak and Wuala seem to offer services similar to Dropbox which encrypt the files on the user side. Both of these have applications for all the devices I use (iPad, Linux computer, Android phone).
6. Set up my own Dropbox-type service on my home computer. Sure, this can be done, or I can just run VNC back to my computer and fetch the files I want, but this is less than optimal. There is also an open-source Dropbox alternative being developed, called SparkleShare.
7. Pogoplug. Pogoplug works by creating your own cloud server at home.
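The lockbox analogy earlier and option 1 here (encrypt before it syncs) both come down to who holds the key, so here is an added example, not from this post, Dropbox, or TrueCrypt, that models the two designs in Python. It assumes a standard-library HMAC-based stream cipher standing in for a real cipher such as AES, a made-up `SyncService`, and a constructed grade roster as the file.

```python
import hashlib, hmac, os

# Constructed sample: the kind of grade roster the post worries about.
ROSTER = b"Student A, 91\nStudent B, 78\n"

def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a PRF keystream (stdlib stand-in for AES; an assumption)
    return b"".join(_prf(key, nonce + i.to_bytes(4, "big")) for i in range(-(-length // 32)))[:length]

def encrypt(key, plaintext):
    # Encrypt-then-MAC with separate derived subkeys; output is nonce || ciphertext || tag
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_prf(key, b"enc"), nonce, len(plaintext))))
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)

def decrypt(key, blob):
    # Verify the tag first; a wrong key or an altered blob raises ValueError
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_prf(key, b"enc"), nonce, len(ct))))

class SyncService:
    """Hypothetical sync service: stores uploads; holds a key copy only in the server-side design."""
    def __init__(self):
        self.blobs, self.key_copies = {}, {}
    def store(self, user, name, blob, key_copy=None):
        self.blobs[(user, name)] = blob
        if key_copy is not None:
            self.key_copies[user] = key_copy
    def respond_to_request(self, user, name):
        blob = self.blobs[(user, name)]
        if user in self.key_copies:   # server-side model: plaintext can be handed over
            return decrypt(self.key_copies[user], blob)
        return blob                   # client-side model: only ciphertext exists here

def server_side_model():
    service, server_key = SyncService(), os.urandom(32)   # the service makes and keeps the key
    service.store("prof", "roster.txt", encrypt(server_key, ROSTER), key_copy=server_key)
    return service.respond_to_request("prof", "roster.txt")

def client_side_model():
    service, user_key = SyncService(), os.urandom(32)     # key never leaves the user's device
    service.store("prof", "roster.txt", encrypt(user_key, ROSTER))
    handed_over = service.respond_to_request("prof", "roster.txt")
    return handed_over, decrypt(user_key, handed_over)
```

In the server-side design `respond_to_request` returns the roster in plaintext; in the client-side design it can return only ciphertext, and the same tag check in `decrypt` that rejects tampering also means a lost user key leaves the file unrecoverable, which is the convenience trade-off the post describes.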
There is one meta-issue here. As the leader in this type of service, many other applications rely on, and provide support for syncing with Dropbox, for example iAnnotate or GoodReader—usability that would be sacrificed by switching services. And as the easiest and most frequently used, Dropbox is the easy one for me to recommend to faculty members who are less than computer savvy.
Right now I am investigating SpiderOak, Wuala, and Pogoplug. I will let you all know what I discover. My preferred option, though, would be for Dropbox to address the current issues, because, you know, I really do like their service.