Dropbox caught red handed
While Dropbox textually said on its website (now changed):
‘Dropbox employees aren’t able to access user files and when troubleshooting an account they only have access to file metadata’
They now admit in their Dropbox updated terms and conditions that they can and will decrypt your private files for law enforcement and textually say :
‘Dropbox will remove Dropbox’s encryption from the files before providing them to law enforcement‘
Is Dropbox lying to customers?
They have sent out an statement to the Business Insider saying that they are not lying because:
“…In our help article we state that Dropbox employees aren’t able to access user files. This is not an intentionally misleading statement — it is enforced by technical access controls on our backend storage infrastructure as well as strict policy prohibitions. The contents of a file will never be accessed by a Dropbox employee without the user’s permission…”
Dropbox can access AES256-bit encryption
This online data storage uses one of the strongest encryption algorithm out there, AES256, but because they hold the encryption keys it is perfectly possible for them to decrypt everything if needed.
There is nothing new with a company admitting that they will help out law enforcement if subpoenaed, what it is new is that they first tell you their employees can’t access the data and after they are caught red handed changing their terms and conditions they now say that it has all been a misunderstanding and they will change the wording on their site.
Even if you were to live in cuckoo land and trust the authorities not to abuse their powers to access people’s data without a valid reason, you might want to read about Derek Newton’s article on Dropbox insecure design and Christopher Soghoian article on how Dropbox sacrifices users privacy for cost savings.
How to secure online data from eavesdropping
If you are going to store data online always encrypt it locally first in your computer, never trust a third party service like Dropbox or Hushmail with your data even if they tell you they can’t access it and that everything is fine, the bottom line here is that they have access to the decryption key.
Besides the chances of encryption implementations being flawed by your online storage service, they can do anything they like with the decryption keys, if you send the data already encrypted to your online storage space you will be the only one who can decide when and how to decrypt your confidential files, you will also protect yourself from a rogue employee tempted to look at your confidential files.
PS: I am adding Dropbox to my shit list.