Dropbox Security: Good Enough?
I don’t intend to argue the merits of the suit, except to say that I’m skeptical that people really know what they mean when they say “best practice.” (I’ve written critically about that term “best practice” before.)

Dropbox has apparently clarified its description of how files are secured on their servers.  They made it clear that customer data can be accessed by “a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so).”

Some people seem to be outraged by this revelation and are showing their displeasure by cancelling their Dropbox accounts.

Should you do likewise?  If you honestly feel deceived, perhaps you should.  But if you’re more concerned about the confidentiality of your data, Dropbox is still a reasonable choice.

The answer to the question, “is X secure?” is never just yes or no.  The correct question to ask is “how secure is X, given some risk Y?”  In other words, there is no absolute standard of security, but it is relative to the value of the information and the loss that would occur if it were compromised (i.e. risk).   This question applies to all external (cloud) services.

If you have very high value information, like national security secrets or future winning lottery numbers, Dropbox is not the place for you.  But what about things like customer information, credit card information, or electronic health records, the practical data organizations deal with every day?  Are these things safe on Dropbox?  I would argue that they are, and probably more so than if you kept them on your own systems.

While the FTC complaint alleges that industry best practices are not followed, Dropbox’s revised description of their practices (if their website is to be believed) certainly falls into the realm of reasonable and prudent.  Specifically, they:

  • Encrypt data at rest
  • Encrypt data in transit
  • Provide administrative and technical controls to prevent disclosure by privileged staff

That last point may need some explaining.  It’s not necessary that no one have access to your data, only that the people who do are prevented from misusing that access.  Is that an ironclad guarantee of protection? No, but it’s reasonable and prudent, and that’s what most regulations such as HIPAA and SOX require.

There are those who will say, “I don’t trust anybody else with my data.”  They will argue that a more secure storage system is one where only you have the encryption key.  Since only you can decrypt the data, the storage provider can’t access it legitimately or illegitimately, so your data is more secure.

Well, maybe.  What you’ve done is transfer the responsibility from the storage provider back to yourself.  That may or may not be a good thing. Unless you have a well-thought-out security plan, you’re probably not doing as good a job as Dropbox is, even with their allegedly misleading advertising.

Here are just a few questions I would ask you:  how well do you protect access to your data before it is encrypted?  Who has access to the key?  How is that access controlled?  Is access to the data logged?  Can it be audited? Is the encryption key backed up?  If your laptop is stolen, can you recover the key? Could a rogue employee steal the key or hold it for ransom?

My experience is that most organizations don’t even come close to having acceptable answers to these questions.  For those organizations, storing data at a provider, even an allegedly deceptive one like Dropbox, is actually an improvement over managing security on their own.

Dropbox may or may not have misled their customers, but their storage system provides reasonable security for most commercial uses.