Phillip Smith

Dear @Dropbox, it's time to take #security & #privacy seriously.

I’m leaving Dropbox. I’ve been using Dropbox for less than a year, and I’m going to ask for a refund because I feel deceived. You may also want to think twice about storing your personal or organizational files with a company that is less-than-forthcoming about their security practices.

This weekend, I had the opportunity to meet and connect with a number of online privacy and security researchers at the Cyber-surveillance in Everyday Life conference.

One of the people I met was online privacy researcher Christopher Soghoian. Christopher recently revealed, among other things, that Facebook hired a PR firm to smear Google’s reputation on privacy and security.

Friday morning, I read about Christopher’s latest findings on Wired’s Threat Level: Dropbox Lied to Users About Data Security, Complaint to FTC Alleges. Admittedly, this wasn’t entirely new news to me, as I head heard rumblings of this online a week or so ago. However, discussing the implications with Christopher and others over Dim Sum on Sunday really brought the issue into focus.

What’s the issue? Dropbox can – at will or whim – read the files that users have entrusted to them, and they obfuscated that fact prior to April 2011.

While I don’t believe that I’m currently a ‘person of interest’ that needs to secure every last ‘bit’ of my data from the watchful eyes of my government, I do believe that basic security is the responsibility of every Internet citizen (and, frankly, every Internet software company too). My day-to-day computer contains files entrusted to me by clients, friends, and family that they wouldn’t want shared with the world.

In doing research on my ultimate data backup triple-play for under $500, I was careful to ensure that each copy of the files to be backed up were encrypted at their destination, and on route to that destination. So, when I started to look at ‘cloud storage’ solutions earlier this year, those same security concerns were a top priority.

Just the most basic requirements – encryption on route to the provider, and the encryption of the files themselves – ruled out many, many providers like Apple’s iDisk (part of their Mobile Me package). However, I eventually settled on Dropbox because they promised these minimum security measures (or so I was lead to believe – and, trust me, I read and re-read those pages several times before signing up).

It turns out that the real Dropbox story is quite different:

The tdlr; version is: Dropbox’s mobile clients are insecure by design (to achieve speed over security, in Dropbox’s own words) and that Dropbox will, at their discretion, hand over my data, completely unencrypted, to a third-party. Given that Dropbox is located in the US, not Canada, this isn’t an acceptable level of risk.

As soon as I’ve had a chance to hear back from Dropbox on my formal request for a refund, I’ll be closing my Dropbox account and investing that money in a company that takes their customers security seriously.

Who will that company be? Well, I’m glad you asked. That will be the topic of an upcoming post.


Hi, I'm Phillip Smith, a veteran digital publishing consultant, online advocacy specialist, and strategic convener. If you enjoyed reading this, find me on Twitter and I'll keep you updated.


Want to launch a local news business? Apply now for the journalism entrepreneurship boot camp

I’m excited to announce that applications are now open again for the journalism entrepreneurship boot camp. And I’m even more excited to ...… Continue reading