Article first published as The Cloud Fails Users Again – The Dropbox Case on Technorati. ============================= Here we go again… The Cloud, the over hyped marketing tool for basically Software as a Service has once again showed it’s true nature and dark side when it comes to user’s data. This time the online storage service, Dropbox, is in the limelight. Dropbox changed their Terms of Service agreement and people are actually reading them now and discovered that the Cloud is not a nice, safe happy place for you to store your data.
The blogs and media stories are focusing on more of control of your files where I see it a little differently when it comes to their alleged security. Let’s break it down.
Here is their new verbage.
We sometimes need your permission to do what you ask us to do with your stuff (for example, hosting, making public, or sharing your files). By submitting your stuff to the Services, you grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent we think it necessary for the Service. You must ensure you have the rights you need to grant us that permission.
Sometimes need permissions… what about the other times? If you read this a few times you will see that Dropbox does not care about your data. But I look at it much differently and deeper that goes to the core of these online storage services, security of your data.
Going further into the Terms we can see their stance on security.
We encrypt the files that you store on Dropbox using the AES-256 standard, which is the same encryption standard used by banks to secure customer data. Encryption for storage is applied after files are uploaded, and we manage the encryption keys.
OK, they have a pretty good encryption on it, but they have the keys, not you. This is to prevent external attacks from sucking all the stored files outside of Dropbox’s walls, but this does not prevent Dropbox from accessing all your files. Which is states that it does from time to time.
We guard your privacy to the best of our ability and work hard to protect your information from unauthorized access.
Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations). Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.
I’d like to talk about the red sentence. First Dropbox knows that they are shoddy by coming out an saying they ‘some’ emplyees have access to EVERYTHING. They start the statement in the defensive trying to justify their actions by using a schoolyard tactic, “Well, those other kids are doing it, we will too.”
As set forth in our privacy policy, and in compliance with United States law, Dropbox cooperates with United States law enforcement when it receives valid legal process, which may require Dropbox to provide the contents of your private Dropbox. In these cases, Dropbox will remove Dropbox’s encryption from the files before providing them to law enforcement.
This is the Cloud ladies and gentlemen. You are sacrificingconvenience for your security and data. Beyond some text on a screen and an “I Agree” button, there is no guarantee that your data is not being access, used, or stockpiled by the company you are entrusting your data too. At no time are you involved with the legal request to have law enforcement or some other agency (RIAA, MPAA, etc…) from getting a court order to see what people have stored. Dropbox will fold like a deck of cards and hand it all over, right or wrong, you own the content but not the file. Think about that. Now, I would assume 90+% of the people using these services are storing photographs, documents, and other non-illicit content, but there is the other small majority that will use these services as a launch point to spread piracy, viruses and other illegal materials. Like most things instead of implementing processes and punishments to take care of those, they punish everyone.
The Cloud is the worst Brochure Buzzword out there now. It’s a dangerous practice that these online services are taking advantage of and not providing the services you think you are getting. You are trusting that these companies are taking care of your data and protecting it, where in reality they are not.
I am for online storage, it is a safe way to keep your data in an offsite location in the event of a home disaster. Your memories and documents are valuable and there needs to be an easy way to keep those forever. However, trusting that the services will keep them secure for you is not the way to go, because they won’t.
The best way to ensure that you data is protected is to encrypt it yourself before you store it online somewhere. That way if your data is accessed, so what, it’s encrypted by you, with your keys. Let them try all day long, with an AES-256 or 512 encryption on it, good luck cracking it. This is the only way you can make sure your data is safe and secure is to apply the security on your data yourself. My next blog post will detail one way how to do this. In this day of online everything, getting encryption into your daily data routine is a good practice to start doing for your home PC, external harddrives, USB drives and so on.
You can’t trust anyone, especially in “The Cloud”.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.