
The security of cloud storage, Dropbox clarifies the language used in Help

Recently a number of security analysts have queried how cloud storage providers such as Dropbox store data and who has access to that storage. While transfers from a user desktop may be encrypted via SSL, some confusion has arisen around how the encryption keys are generated and stored, what kind of encryption is used once the data is ‘at rest’, and what metadata Dropbox administrators have access to.

Dropbox clarified the situation by updating its help pages and via a number of blog posts.

“Part of our challenge is that we have to communicate with people both familiar and unfamiliar with the intricacies of encryption and online security,” one blog post argued.

“Most of our users are learning about these issues for the first time, and rely on us to communicate in plain language about topics that are nuanced and complex, even for security professionals.”

Questions about how Dropbox manages the key store that enables the decryption of data, and why decryption is required, are valid. Tighter key management may affect the functionality of the service.

Companies such as Melbourne-based Lockbox and US-based SpiderOak claim an important differentiation between their solutions and those of the majority of cloud-storage providers: even their own employees have no access to the encryption keys which protect data stored by their users.


According to the SpiderOak website, a user's password is never stored and the plaintext encryption keys are never accessible to SpiderOak employees. “Our zero-knowledge privacy approach means we can never betray the trust of our users,” claims SpiderOak.

Clearly the situation with Dropbox is not the same.

“Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule,” the Dropbox help page explains. Dropbox receives approximately one request per month from US authorities for access to user data, and has a strict process for complying with these requests.

"Our legal team vets all of these requests before we take any action. The small number of requests we have received have all been targeted to specific individuals under criminal investigation. If we were to receive a government request that was too broad or didn’t comply with the law, we would stand up for our users and fight for their privacy rights."

It’s possible some end users may still be worried about the access a small number of Dropbox employees have to encrypted data. Dropbox employees are permitted to view file metadata (e.g., file names and locations), although Dropbox does not elaborate on why this is necessary.

Dropbox uses Amazon's Simple Storage Service (S3) for storage, making it difficult (or even impossible) to know what compliance and law enforcement access policies apply to data stored with Dropbox. AWS S3 has storage nodes in a number of jurisdictions, including the USA, Ireland, Singapore, and Tokyo.

Dropbox provided some thoughts on the complexity of communicating assurances that data stored with Dropbox is secure.

“We understand that many of you have been confused by this situation — and some folks even felt like we misled them, or were careless about their privacy. We apologize for this confusion. All of us here at Dropbox care deeply about the security and privacy of your data, and the last thing we want to do is let you down.

We are building this company in partnership with all of you. We want to continue to be transparent about these kinds of issues, and to address them as quickly as we can.”

"We believe that storing data in Dropbox is far more safe than the alternatives. We’ve designed Dropbox to protect user data against threats of all kinds, but we’ve focused on helping users avoid the most common threats: not having current backups, not having any backups at all, accidentally deleting or overwriting files, losing USB drives with sensitive information, leaving files on the wrong computer, etc."



