Dropbox™ and Your Data

As more and more information and communication shifts to the Internet, understanding the security and privacy implications of new technologies becomes critical. Consumer protection laws, which prohibit advertisements that are “misleading in a material respect,” help ensure customers can make informed decisions even when the technology concerned is radically different than anything before it. As security and privacy issues become increasingly complex, tech companies must be transparent about their data practices.

The recent revelations about Dropbox, Inc.’s™ security practices demonstrate the importance of consumer protection laws in the digital age. Dropbox™ is a proprietary data backup and sharing service that uses servers in the ‘cloud’ to enable users to share data between devices, be they computers in an office or a smartphone anywhere in the world. The cloud is not an abstract concept; rather it’s a collection of physical data centers. Dropbox™ uses Amazon’s S3 data centers, which are scattered throughout the US and world. Anyone with physical or remote access to those buildings has access to data stored with Dropbox™. Under the Stored Communications Act of 1986, 18 U.S.C. §§ 2701 et seq., as well as the Patriot Act, Dropbox™ is required to turn over your data when asked by law enforcement.

This is why it’s so important for data to be encrypted when living in the cloud. Dropbox™ uses AES-256 encryption for your data, which is the same as the government uses for information designated as “top secret.”

This all sounds pretty good, except that Dropbox™ also has the keys to your data. This isn’t for technical reasons. It’s possible to design a service where the keys to your data are stored only on your machines, or stored encrypted with your password in their servers. In such a system, Dropbox™ employees only have access to the encrypted data, and that would be all they could turn over to the government.

Instead Dropbox™ manages the keys to your data on your behalf. The system only allows access to the keys once you’ve put in your password, but from a technical sense there’s nothing stopping Dropbox™ from decrypting your data except company policies against doing so, which have wide exceptions for the need to comply with federal law.

Many users may well feel comfortable with this level of security, but companies like Dropbox™ have a legal obligation to provide accurate information so users can make an informed choice. It’s not just criminals who want their data kept away from the prying eyes of corporations or the government. Journalists, lawyers, doctors, computer programmers, human rights workers, political dissidents, startup companies and even bloggers all have important ethical, legal, and business reasons for not wanting their data shared with the world.

Dropbox™ seems to have dropped the ball when it came to accurately explaining its privacy and security practices. Until recently, users who wanted to learn about Dropbox’s™ security and privacy practices were told: “Dropbox employees aren’t able to access user files.” On April 23rd, 2011 Dropbox™ revised its policy, making it clear that it’s employees did have the technical means to access user’s files. Its CTO was quoted as saying:

We can see, however, why people may have misinterpreted ‘Dropbox employees aren’t able to access user files’ as a statement about how Dropbox uses encryption, so we will change this article to use the clearer ‘Dropbox employees are prohibited from accessing user files.’

Consumer protection law provides an important means of holding companies like Dropbox™ accountable for their misrepresentations about security and privacy. Companies that make materially misleading statements in advertising may be liable for damages equal to the cost of service, as well as consequential and punitive damages. If you’d like to learn more about consumer protection laws and how they apply on the Internet, please contact us at info(at)drmtlaw.com.