
Last week I publicly (via Twitter—really, what other venue is there?) mentioned that I might be leaving Dropbox. What ensued was a rather lengthy conversation between me and others as to why I would do such a thing. Soon after the conversation started, the folks at @Dropbox noticed and joined the discussion. Why would I think about leaving Dropbox, a service which I often cite as one of the most useful around for educators? One-word answer: Privacy. Based on some recent reports, I now have reason to be concerned about the degree to which Dropbox can keep files secure and private. When I expressed these concerns via Twitter, the folks at Dropbox responded with some helpful information and an invitation to write their legal department with any concerns I might have (140 characters being insufficient for adequately addressing the matter). And as I said on Twitter, credit to Dropbox for listening and engaging in a conversation.
I started to write such an email, and then changed my mind: why not publicly lay out my concerns and let other educators see what the issues are? After all, I feel somewhat responsible, since I have spent so much time praising Dropbox. Rather than have a private dialogue with Dropbox, it would be better to make it public, yes? So here goes.
The Background:
For those that don’t use Dropbox, think of it as an automatically syncing flash drive in the cloud, an excellent way to keep files synced across multiple computers and have them available on whatever device you have in front of you at the time. (Here is the official explanation.) Because of Dropbox I never need to carry assignments, syllabi, or journal articles that I want to read with me, or on a flash drive. These are just stored in the cloud and I can access them anytime the need arises. And this is just the tip of the ridiculously useful iceberg that is Dropbox. If you want more, just look at all the times it is mentioned on Profhacker (or just Google Dropbox uses and see what I mean). Dropbox has become one of the most important services in my media/computing ecosystem. On a scale of one to ten for usefulness and ease of use Dropbox is an 11.
The Problem:
About a month ago I started to see reports that expressed concern over Dropbox security: questions about the encryption being used, and about who has access to the files you store on their servers. Basically there are two sets of concerns. The first is that by design Dropbox is insecure. You can read the whole article, which is mildly technical but amounts to a concern that it would be fairly trivial for a nefarious party to steal one file and thus gain access to all your files without you necessarily knowing. The second is that Dropbox updated their Terms of Service to reflect the fact that they have access to your files if needed. In other words, if the government subpoenas Dropbox, Dropbox has the ability to turn over your files in unencrypted form to the officials. (I know what some of you are thinking: Who cares, I am not doing anything illegal? . . . but wait, I promise you should.) Both of these issues boil down to the fact that the encryption of your files takes place on the Dropbox servers, not on your own computer. In other words, the question is who has the keys to your file(s) and where those keys are stored.
One way to think about this concern is to imagine your files being stored in a lockbox. One way to do it would be to put the files in a lockbox, keep the key, and send the whole box to Dropbox. In this way Dropbox has no way to unlock the files. But rather than this method, what Dropbox employs is a technique whereby you send them your files, they place them in a lockbox and give you the key, but keep another copy of the key that lets them look in your box anytime they want. Why would they do it the second way instead of the first? Several reasons, but I think there are probably two main ones:
1. Ease of use for Dropbox customers. A system where they (the server) handle the encryption, rather than one where you (the client) manage it, has several advantages, including a “lighter” Dropbox program on your device, since it doesn’t have to handle encryption, and the ability to retrieve files for you even if you forget or lose your password.
2. Dropbox doesn’t want to cross the government.
Dropbox has responded to these concerns with a lengthy FAQ, which I encourage everyone to read. But honestly, the FAQ troubles me, and it makes it even more likely that I will seek an alternative cloud service, since it leaves many questions unanswered.
My Concerns:
Let’s start with the transparency of this issue. What Dropbox is claiming, or appears to be claiming, is that this change in the TOS does not reflect a policy shift, but is merely an attempt to clarify what has been the policy all along. I’ll take Dropbox at their word on this, but I still have concerns about their wording.
“That said, like all U.S. companies, we must follow U.S. law. That means that the government sometimes requests us (as it does similar companies like Apple, Google, Skype, and Twitter) to turn over user information in response to requests for which the law requires that we comply.”
What Dropbox seems to be implying here is that they are required by US law to have what is known as a backdoor key (the ability to unlock any file) and to hand it over to the government when served with a subpoena. But this is not actually the case. If Dropbox has the ability to unlock the files, yes, they have to give that over if they receive a request. But that doesn’t mean that they have to build a system that would allow them to do this. In other words, if they didn’t have the ability to unlock your files, the government couldn’t ask for that key, because Dropbox wouldn’t have the ability to unlock said files; they could only hand over the encrypted versions of the files to the government, rather than the actual files themselves. This is essentially the issue in this article about the government wanting to be able to wiretap the Internet. My understanding, though (and I have asked a few lawyers about this, and their opinion was the same), is that the current state of the law does not require companies to serve up plaintext files.
Okay, at this point I hear many of you saying that you want this feature, that you want the government to be able to access the files of “the baddies,” and since you have nothing to hide from the government you are not concerned. Let’s table that for a moment; I’ll explain in a second why this is a dangerous view. But for now, irrespective of this issue, there is a more significant one, which affects every user regardless of whether or not you feel that you have something to hide from the government: a system which by design enables a third party to decrypt your files is by design not secure. Or, as the saying goes, a secret between two people can only be kept if one of them is dead. A system which by design has a backdoor to enable third-party access is vulnerable to a security breach. As a way of thinking about this, consider the relatively recent case where a Google employee was accessing user email and chats. Yes, Google is concerned about user privacy, but any system, no matter how good the engineers, has holes unless the user is the only one with the keys. So here is the rub: by trusting Dropbox and their current system you are not just trusting Dropbox but a host of employees. Any system designed like this will have a security breach at some point. It might not be a large one, it might not affect many users, but it will happen; you are just rolling the dice, gambling that you are not going to be the one affected (a fair gamble in most cases). It’s not just software that you are trusting, but people, and people are usually the weakest link in any system.
Now, just as important for me is the type of atmosphere this private-government partnership entails. I realize many of you might not agree with this, and I don’t want to turn this into a big discussion here (a discussion I am more than willing to have in other places), but I prefer to play corporate interests against the government, keeping those two forces working against each other, rather than siding against the public. One of the particularly damaging developments we have seen on the web over the last 5 years is the ability of governments to control what happens online through extra-judicial means: collaboration with companies to curtail our privacy. For me at least it isn’t a matter of having something to hide from the government, but rather of knowing that I maintain control. Control of my own data, and of the data of others who have entrusted it to me, seems to be an essential component of dignity.
But What Do I Care?
You don’t have to imagine that the government would want your information to see some problems here. Let’s imagine that through an engineering problem (a problem with the code), an employee problem (see the Google case above), or a deliberate hacking attack, Dropbox files suddenly become available. I actually have a good deal of student work, evaluations, letters of recommendation, etc. stored there at any given time. Aside from my own paranoia about data and privacy, there is a good bit of data that students and others with whom I work are entrusting me to keep private. Let’s imagine that your grade roster is stored on Dropbox and that gets compromised. Once that file is unlocked and passed around there would be no getting it back. Leaving aside what kind of FERPA violation this may or may not be, I can imagine many students who might be harmed by this type of info. Have you stored judicial letters (for plagiarism cases) on Dropbox? I can think of a lot of information that I wouldn’t want out there even if it wouldn’t directly harm me.
Now about 80% of the stuff I store on Dropbox has no privacy issue associated with it, things like journal articles or chapters I want to read, or syllabi & assignments, or my running schedule, or stuff that is publicly available elsewhere like my CV. But there is enough there that I am concerned and looking for other options.
I will also note here that, given the recent FOIA filings by conservative groups going after professors, being paranoid about data isn’t a bad thing; it removes the option for others to share my data (this is why I use my own email more than the University-provided one).
It’s true I have become somewhat paranoid here, using a VPN when on campus to ensure that the University can’t monitor my internet use, but I don’t think you have to be too paranoid to see this as an issue.
Questions for Dropbox
Having said all of this I think there are probably several things Dropbox could make clear that would help.
1. How many employees have access to user files? Is there a dual-control system (do two employees have to sign off on access, or are there a certain number of employees who can do so on their own)? Are records kept any time users’ files are accessed this way, so that the company creates a clear audit trail? Do employees (and/or any contractors they deal with) have background checks?
2. Under what conditions do they give the government data? The FAQ suggests that they would fight these requests if they found them to be lacking in merit. Have they done so? Can they make this process transparent? Is there hard data on this?
3. What is being done to fix the architecture issues? (Here Dropbox runs into a problem: the more it says about its security, the more susceptible it is to vulnerabilities, but the less it says, the less trustworthy it seems. Security through obscurity really isn’t a good idea.)
4. Does Dropbox think it is their legal responsibility, ethical responsibility, or both to share information with the US government? Would they do so without a warrant? The policy says “request”; what constitutes a request?
The Other Options
1. As the Dropbox FAQ suggests, the first option is to encrypt your files before they sync with Dropbox. If you encrypt your files before syncing them with Dropbox, using something like TrueCrypt, nobody else will be able to access them. The disadvantage is that your files are then not accessible on your iPhone, iPad, or Android device. In other words, not a very useful option.
2. Use Dropbox only to store public, or pseudo-public information. Again 80% of what I store on Dropbox I am not concerned about so maybe I just only store that type of stuff on Dropbox.
3. Go back to using a flash drive. (Uhh, no thanks.) This also doesn’t let me use it across other platforms (iPad, phone, etc.)
4. Create a partition on my phone that would store these files. They would always be with me, and I could run something like Samba file sharing and Root Explorer. Accessing the files would be more than trivial, though. Really, I like cloud features.
5. Switch to a different service. Both SpiderOak and Wuala seem to offer services similar to Dropbox which encrypt the files on the user side. Both of these have applications for all the devices I use (iPad, Linux Computer, Android Phone).
6. Set up my own Dropbox-type service on my home computer. Sure, this can be done, or I can just run VNC back to my computer and fetch the files I want, but this is less than optimal. There is also an open source Dropbox alternative being developed, called SparkleShare.
7. Pogoplug. Pogoplug works by creating your own cloud server at home.
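To make the lockbox distinction above, and option 1 here, concrete: the following is an added example, not code from this post or from Dropbox or any other service named, modelling both designs in Go. The only thing that differs between “Dropbox keeps a spare key” and “you keep the key” is which party supplies the secret the file key is derived from; the storage map, file name, passphrase, and master secret are all constructed placeholders.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// blobs stands in for the sync service's storage: it only ever holds what
// was uploaded, never the secret the file key came from.
var blobs = map[string][]byte{}

// keyFrom derives a 256-bit AES key from a secret and a per-file salt. (A real
// client should use a slow KDF such as scrypt; SHA-256 keeps this in stdlib.)
func keyFrom(secret, name string) []byte {
	sum := sha256.Sum256([]byte(name + "\x00" + secret))
	return sum[:]
}

func aeadFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // keyFrom always yields 32 bytes
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// sealBlob returns nonce||ciphertext||tag under AES-256-GCM.
func sealBlob(key, plaintext []byte) []byte {
	gcm := aeadFor(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func openBlob(key, blob []byte) ([]byte, error) {
	gcm := aeadFor(key)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("no such blob or blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Store encrypts a file under a key derived from secret and uploads the blob.
// Who supplies secret is the whole difference: the owner's device (client-side)
// or the service's own master secret (server-side, the spare-key lockbox).
func Store(name, secret string, plaintext []byte) {
	blobs[name] = sealBlob(keyFrom(secret, name), plaintext)
}

// Fetch is any party trying to read a stored file with a secret it holds. With
// the wrong secret GCM's tag check fails and only the opaque blob remains.
func Fetch(name, secret string) ([]byte, error) {
	return openBlob(keyFrom(secret, name), blobs[name])
}

// Exposed is what a subpoena, an insider, or a breach of storage hands over.
func Exposed(name string) []byte { return blobs[name] }
```

With the client-side design the service holding the blob is in the same position as any outsider; with the server-side design, anyone who can reach the master secret (an employee, or a subpoena served on the company) reads everything.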
There is one meta-issue here. As the leader in this type of service, many other applications rely on, and provide support for syncing with Dropbox, for example iAnnotate or GoodReader—usability that would be sacrificed by switching services. And as the easiest and most frequently used, Dropbox is the easy one for me to recommend to faculty members who are less than computer savvy.
Right now I am investigating SpiderOak, Wuala, and PogoPlug. I will let you all know what I discover. My preferred option though would be for Dropbox to address the current issues, cause you know I really do like their service.

Thanks, Dave, for posting your concerns. I’ve been following your tweets about this issue and share your concerns.
In your investigations of SpiderOak, Wuala, and PogoPlug, have you found an easy way to switch from Dropbox to the others? One of the reasons I didn’t make the switch during the semester is the amount of time it would take to re-set up each computer so the exact folders and files are synced and have the right settings. (As a way to force me to do only work on my work laptop and only home and photography-related work on my home computer, the computers have access to different Dropbox folders.)
I didn’t see any way to easily port settings when investigating SpiderOak.
Thanks,
Bill
I appreciate your concerns and thoughtfulness about this issue, but personally think you’re being overly cautious. As a student and teacher myself, it’s hard to imagine a scenario where a breach in the security of your dropbox would lead to the release and exposure of something like a grade roster in a way that would really be damaging. Having said that, any data that you consider that private shouldn’t be stored in the cloud anyway. No solution is going to be 100% hack-proof. In the meantime, I trust Dropbox much more than SugarSync, Mozy, or SpiderOak. Better engineering all-around.
This is well worded, Dave, and lays out clearly what the stakes and concerns are. I think the real issue for switching away from Dropbox is the one that you mention in the penultimate paragraph: so many of the tools that I use now are tied to Dropbox that moving away becomes more than just where I sync and store all of my files.
I’ll look forward to reading what you think about SpiderOak, Wuala, and PogoPlug.
And I hope you emailed Dropbox to let them know that this is here.
For sensitive information on a cloud service I would put it in an encrypted volume. Encrypted sparse images under OS X work great for this. (They are made up of 8MB files, whereas a TrueCrypt volume is one big file.) Another option under Linux is to use encfs.
No matter what service you choose, the only way to be entirely safe is to encrypt your sensitive information. That’s what I do with my encrypted disk image.
BTW, for a do it yourself Dropbox you can look at SparkleShare. It’s pretty rough (and I’m waiting to hear how they are going to deal with large binary files) but it is useable now.
Hello.
Daniel Larsson @ spideroak Inc here. Just thought I would say hello and inform you about our service real quick.
At Spideroak.com you can join for free and get up to 7GB (2GB + friend-referrals) for life free. We offer clients for Windows, Mac, Linux (lots of different distributions), iOS, Android, Maemo and soon BlackBerry and WebOS.
We offer client side encryption, zero-knowledge and only account specific deduplication (as opposed to cluster wide).
Best,
Daniel
what are you uploading there that could even be a concern for privacy? i mean really? are you putting student or personal records there? are you not encrypting them locally first? this seems to me to be not a problem with dropbox services as much as bad practices on your part if there is a concern for privacy and security. the first rule of privacy and security is if there is another party, there is no privacy or security. this means that you have to see to that before transferring files, etc.
@briancroxall Yes this is why I am tending towards a solution that uses Dropbox for journal articles and things I want to read but some other measure for everything else
@ryan Yes, I have an encrypted hard drive. I just want a solution where I encrypt the files before sending them to the cloud that allows them to be unencrypted on a range of my own devices; so far you can’t do that on Dropbox (or at least I can’t figure out a way, even with jailbreaking an iPad and a rooted Android phone).
@terry — I wonder what you think is better about Dropbox in terms of the engineering? I mean, in the context of what Dave’s talking about here, privacy and security, their engineering is much worse. (That’s his point.) I’m wondering what other factors you’re considering? I use Dropbox now, and am just starting to test SpiderOak; in terms of functionality, they seem pretty close.
In fact, the “host_id” issue (see Dave’s link above under “The Problem”) is some really, really bad design. I’m surprised a company that claims to be secure ever built something like that, and it should really make us question what other poor design choices and shortcuts they may also have taken. I do hope someone from Dropbox reads Dave’s post, and answers those questions at the bottom.
Also, just wanted to add a link to a post from Bruce Schneier, which I thought about while reading this. (http://www.schneier.com/blog/archives/2009/07/laptop_security.html) In it, he illustrates pretty well the importance of the private key. Obviously, keeping the private key from anyone, including yourself, is an extreme example, but I think it drives home the point.
I use a small TrueCrypt partition inside my dropbox for my private stuff. Slightly less practical (and truecrypt needs to be configured to not retain original file date, but since I only need protection, not deniability, that’s ok) but works quite well.
I love dropbox, but even though I do not have much to hide, I would prefer my files in the cloud to be a little more secure. I really hope dropbox reads this and takes it into consideration. I hope I don’t have to stop using it and I hope I don’t have to tell all the others to stop, too.
Please take care of us dropbox!!
This is a great article that reveals the danger of putting our files in the hands of a third party. As the trend towards cloud computing evolves and accelerates, we must be aware of the risks to our data. I am a user of Pogoplug, but it’s certainly not a business-class solution; the speeds are too slow and I have little faith in those devices’ reliability or longevity. I also do not have the backup redundancy of a cloud company. At the moment, I am using Dropbox, box.net and Google Docs. I don’t trust any of them completely, so my data is mostly just mundane non-sensitive files like images and PowerPoint presentations.
Good article, thanks for bringing these issues to the front.
Dave:
What did you find out? It’s been a few months since you posted this and I’m searching for something FERPA compliant. Just need to share files with others within the department BUT we cannot access our intranet from home. Hence the need for a FERPA friendly cloud.
Thanks!