Recently, a number of security analysts have queried how cloud storage providers such as Dropbox store data and who has access to that storage. While transfers from a user's desktop may be encrypted via SSL, some confusion has arisen around how the encryption keys are generated and stored, what kind of encryption is used once the data is ‘at rest’, and what metadata Dropbox administrators have access to.
Dropbox clarified the situation by updating its help pages and via a number of blog posts.
“Part of our challenge is that we have to communicate with people both familiar and unfamiliar with the intricacies of encryption and online security,” one blog post argued.
“Most of our users are learning about these issues for the first time, and rely on us to communicate in plain language about topics that are nuanced and complex, even for security professionals.”
Questions about how Dropbox manages the key store that enables the decryption of data, and why decryption is required, are valid. Tighter key management may impact the functionality of the service.
Companies such as Melbourne-based Lockbox (https://www.lock-box.com/) and US-based SpiderOak claim an important differentiation between their solutions and those of the majority of cloud-storage providers: even their own employees have no access to the encryption keys that protect data stored by their users.
According to the SpiderOak website, a user's password is never stored and the plaintext encryption keys are never accessible to SpiderOak employees. “Our zero-knowledge privacy approach means we can never betray the trust of our users,” claims SpiderOak.
Clearly the situation with Dropbox is not the same.
"Our legal team vets all of these requests before we take any action. The small number of requests we have received have all been targeted to specific individuals under criminal investigation. If we were to receive a government request that was too broad or didn’t comply with the law, we would stand up for our users and fight for their privacy rights."
It’s possible some end users may still be worried about the access a small number of Dropbox employees have to encrypted data. Dropbox employees are permitted to view file metadata (e.g., file names and locations), although Dropbox does not elaborate on why this is necessary.
Dropbox uses Amazon's Simple Storage Service (S3) for storage, making it difficult (or even impossible) to know what compliance and law enforcement access policies apply to data stored with Dropbox. AWS S3 has storage nodes in a number of jurisdictions, including the USA, Ireland, Singapore, and Tokyo.
Dropbox provided some thoughts on the complexity of communicating assurances that data stored with Dropbox was secure.
“We understand that many of you have been confused by this situation — and some folks even felt like we misled them, or were careless about their privacy. We apologize for this confusion. All of us here at Dropbox care deeply about the security and privacy of your data, and the last thing we want to do is let you down.
We are building this company in partnership with all of you. We want to continue to be transparent about these kinds of issues, and to address them as quickly as we can.”
"We believe that storing data in Dropbox is far more safe than the alternatives. We’ve designed Dropbox to protect user data against threats of all kinds, but we’ve focused on helping users avoid the most common threats: not having current backups, not having any backups at all, accidentally deleting or overwriting files, losing USB drives with sensitive information, leaving files on the wrong computer, etc."