Phillip Smith

Dear @Dropbox, you sound like a broken record on #security & #privacy

I guess I’m going to have to keep writing posts until Dropbox manages to sort out how to do a PayPal refund. In their defense, they responded quickly to my request, and have ensured that I won’t get billed in the future. But I’m still waiting for a refund on the original purchase.

One aspect of my back-and-forth with Dropbox (presented below and here) that really disappoints me is that Dropbox has now become a broken record: they appear to only have one response to criticism of their privacy and security practices. They are reading from a script that doesn’t change and, in doing so, appearing more in the wrong every day.

Just take a look at their @Dropbox_Support Twitter feed. It’s full of responses like this one:

@phillipadsmith Please read and let us know if you still have any questions.

In a month of criticism, you only have one response to provide to customers? Yikes! (Clearly some start-ups still need to dust off that copy of The Cluetrain Manifesto and actually read it. Markets are conversations more than ever today.)

What follows is the exchange I had with their support department. I give them points for being prompt and promising a refund; but, as of 9AM ET this morning, I have yet to see an actual refund in my PayPal account.

Graham - Dropbox Support, May-16 06:05 pm (PDT):

Hi Phillip,

I have refunded and downgraded your account. I would like to bring your attention to this blog post:

It goes into detail regarding a number of claims made by recent articles. We care deeply about security, and I apologize if you feel you were misled in any way.

If you have any further questions please let me know.

Best, Graham

Phillip Smith, May-16 05:43 am (PDT):

Dear Dropbox,

In light of recent findings by security and online privacy researchers, and the FTC allegations, I would like to request a refund on the subscription plan I started recently.

When subscribing, I read the “How secure is my data” FAQ very closely and browsed the forums in detail for security-related posts, and I was led to believe that A) my data was encrypted with a key that Dropbox did not have access to, and B) that accessing my files via one of my mobile devices was in fact as secure as using the desktop client (a very reasonable assumption).

Both of these turn out to be not true, and – frankly – after reading your team’s responses in the forums and to the press, I believe that you obfuscated those facts.

I take my data security as seriously as every Internet citizen should, and would have hoped that Dropbox would have taken it seriously too, or been more upfront about the limits of what your service was going to do to protect customer data.

I looked at other services that don’t obfuscate the details of their security measures (e.g., Backblaze) and I believe that Dropbox should have been more transparent, and – in light of recent findings – should be doing more to protect customers, not back-pedalling and making website copy changes that only work in Dropbox’s favour.

Please be a responsible Internet citizen and apply the law of least surprise. Everything should be secure and encrypted – in transit, and on disk – by default.

Please refund my subscription. After I’ve received the refund, I will close my account.

Best regards,

Phillip Smith Toronto, Canada.

UPDATE: At 12:53PM ET today, May 17th, I received a refund from Dropbox for the full $99 USD subscription price.
