IDG News Service - Cloud data storage and synchronization company Dropbox has been hit with a complaint to the U.S. Federal Trade Commission alleging that the company has deceived consumers about the level of encryption security it offers.
In a letter sent to the FTC, University of Indiana PhD and security researcher Christopher Soghoian claimed that while Dropbox encrypted every file it stored, this could be reversed by employees, undermining the company's security credibility.
Not only did this design fall short of "industry best practices", wrote Soghoian, it also represented a serious security risk that the company was not being upfront about.
"Dropbox has and continues to make deceptive statements to consumers regarding the extent to which it protects and encrypts their data," Soghoian wrote. "Dropbox's customers face an increased risk of data breach and identity theft because their data is not encrypted."
In Sioghan's view, Dropbox has deceived its users, infringing Section 5 of the Federal Trade Commission Act.
Trouble started for Dropbox over the encryption issue some weeks ago with a series of claims made by Soghoian and others about the way the company was handling data. Possibly in response, on April 21 Dropbox clarified its terms service to make explicit that it would allow police access to the contents of files posted to its service if requested to do so.
"If we provide your Dropbox files to a law enforcement agency as set forth above, we will remove Dropbox's encryption from the files before providing them to law enforcement," read the new terms.
"Just so you know, we don't get very many of those requests -- about one a month over the past year for our more than 25 million users. That's fewer than one in a million accounts," the company said in a subsequent blog post.
For users such as Soghoian, this renders the use of encryption moot. If the file is secure while it is encrypted, but that encryption can be removed at any time, in what sense is the file secure at all?
The core of the Dropbox controversy is that because it encrypts users' files, it necessarily stores the keys used to provide that security. In storing those keys, it has the capability to decrypt files. One solution -- recommended by Dropbox -- is for users to encrypt files before uploading them but this comes at a price. Users can synchronize files between desktop PCs and smartphones, for instance, but no longer open them without loading a dedicated utility which might or might not be available on that device.
The Dropbox response to this is that the service is not intended as a fully-secure file repository, merely as a service that is more secure than conventional ways of carrying around data such as on unencrypted USB sticks.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
