Phillip Smith

Dear @Dropbox, it's time to take #security & #privacy seriously.

I’m leaving Dropbox. I’ve been using Dropbox for less than a year, and I’m going to ask for a refund because I feel deceived. You may also want to think twice about storing your personal or organizational files with a company that is less-than-forthcoming about their security practices.

This weekend, I had the opportunity to meet and connect with a number of online privacy and security researchers at the Cyber-surveillance in Everyday Life conference.

One of the people I met was online privacy researcher Christopher Soghoian. Christopher recently revealed, among other things, that Facebook hired a PR firm to smear Google’s reputation on privacy and security.

Friday morning, I read about Christopher’s latest findings on Wired’s Threat Level: Dropbox Lied to Users About Data Security, Complaint to FTC Alleges. Admittedly, this wasn’t entirely new news to me, as I had heard rumblings of this online a week or so ago. However, discussing the implications with Christopher and others over Dim Sum on Sunday really brought the issue into focus.

What’s the issue? Dropbox can – at will or whim – read the files that users have entrusted to them, and they obfuscated that fact prior to April 2011.

While I don’t believe that I’m currently a ‘person of interest’ that needs to secure every last ‘bit’ of my data from the watchful eyes of my government, I do believe that basic security is the responsibility of every Internet citizen (and, frankly, every Internet software company too). My day-to-day computer contains files entrusted to me by clients, friends, and family that they wouldn’t want shared with the world.

In doing research on my ultimate data backup triple-play for under $500, I was careful to ensure that each copy of the files to be backed up was encrypted at its destination, and en route to that destination. So, when I started to look at ‘cloud storage’ solutions earlier this year, those same security concerns were a top priority.

Just the most basic requirements – encryption en route to the provider, and the encryption of the files themselves – ruled out many, many providers like Apple’s iDisk (part of their Mobile Me package). However, I eventually settled on Dropbox because they promised these minimum security measures (or so I was led to believe – and, trust me, I read and re-read those pages several times before signing up).

It turns out that the real Dropbox story is quite different:

The tl;dr version is: Dropbox’s mobile clients are insecure by design (to achieve speed over security, in Dropbox’s own words) and Dropbox will, at their discretion, hand over my data, completely unencrypted, to a third-party. Given that Dropbox is located in the US, not Canada, this isn’t an acceptable level of risk.

As soon as I’ve had a chance to hear back from Dropbox on my formal request for a refund, I’ll be closing my Dropbox account and investing that money in a company that takes their customers’ security seriously.

Who will that company be? Well, I’m glad you asked. That will be the topic of an upcoming post.


Hi, I'm Phillip Smith, a veteran digital publishing consultant, online advocacy specialist, and strategic convener. If you enjoyed reading this, find me on Twitter and I'll keep you updated.