Tuesday, April 19, 2011

Dropbox Lack of Security

As the BusinessInsider article linked from the clip below makes clear, Dropbox's recent update to its security policy is nothing unusual and is in line with other cloud services. The clip below points out, however, that the update is inconsistent with the claims Dropbox has made about its encryption, and that those inconsistencies will need to be addressed at some point.

Amplify’d from tirania.org

Dropbox recently announced an update to its security terms of service in which they announced that they would provide the government with your decrypted files if requested to do so.

My problem is that for as long as I have tried to figure out, Dropbox made some bold claims about how your files were encrypted and how nobody had access to them, with statements like:

  • All transmission of file data occurs over an encrypted channel (SSL).

  • All files stored on Dropbox servers are encrypted (AES-256).

  • Dropbox employees aren't able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc., not the file contents).

This announcement means that Dropbox never had any mechanism to prevent employees from accessing your files, and it means that Dropbox never had the crypto smarts to ensure the privacy of your files and never had the smarts to only decrypt the files for you. It turns out, they keep their keys on their servers, and anyone with clearance at Dropbox or anyone that manages to hack into their servers would be able to get access to your files.

If companies with a very strict set of security policies and procedures like Google have had problems with employees that abused their privileges, one has to wonder what can happen at a startup like Dropbox where the security perimeter and the policies are likely going to be orders of magnitude laxer.

Read more at tirania.org
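The clip's point is about where the key lives, not about whether AES-256 is used. Below is an added example, written for this post and not taken from tirania.org or from Dropbox, that models the two custody models side by side in Go: a storage "vault" that holds both the ciphertext and the key (the provider-held-key model the clip describes), and the same vault receiving only ciphertext because the client encrypted before uploading and kept the key. The vault type, the file name and the file contents are constructed for the example; key management (deriving the key from a passphrase, sharing it between devices) is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample file for the example.
const sampleName = "taxes-2010.pdf"
const sampleBody = "constructed sample file contents"

// blob is everything a provider needs to store: nonce plus AES-256-GCM ciphertext.
type blob struct {
	nonce, ciphertext []byte
}

// vault models the provider's storage (hypothetical type, not any real service).
// serverKey is set only in the provider-held-key model.
type vault struct {
	blobs     map[string]blob
	serverKey []byte
}

func newKey() ([]byte, error) {
	k := make([]byte, 32) // 32 bytes = AES-256
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

// seal encrypts with AES-256-GCM and binds the file name as associated data,
// so a stored blob cannot be silently served back under a different name.
func seal(key, plaintext []byte, name string) (blob, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return blob{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return blob{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return blob{}, err
	}
	return blob{nonce: nonce, ciphertext: gcm.Seal(nil, nonce, plaintext, []byte(name))}, nil
}

// open decrypts and authenticates; a wrong key fails the GCM tag check.
func open(key []byte, b blob, name string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.nonce, b.ciphertext, []byte(name))
}

// ProviderHeldKey: the server encrypts on the user's behalf and keeps the key.
// "Encrypted at rest" is true, yet an insider or anyone who dumps the server
// (blobs plus serverKey) gets the plaintext back.
func ProviderHeldKey() (string, error) {
	key, err := newKey()
	if err != nil {
		return "", err
	}
	v := &vault{blobs: map[string]blob{}, serverKey: key}
	b, err := seal(key, []byte(sampleBody), sampleName) // encryption happens server-side
	if err != nil {
		return "", err
	}
	v.blobs[sampleName] = b
	pt, err := open(v.serverKey, v.blobs[sampleName], sampleName) // attacker uses the dumped key
	return string(pt), err
}

// ClientHeldKey: the client encrypts before upload and never sends the key.
// The same dump now yields only ciphertext; a guessed key is rejected by GCM.
func ClientHeldKey() (string, error) {
	key, err := newKey() // lives only on the user's machine
	if err != nil {
		return "", err
	}
	v := &vault{blobs: map[string]blob{}} // serverKey stays nil
	b, err := seal(key, []byte(sampleBody), sampleName) // encryption happens client-side
	if err != nil {
		return "", err
	}
	v.blobs[sampleName] = b
	guess := make([]byte, 32) // attacker with the dump has no key; tries an all-zero one
	if _, err := open(guess, v.blobs[sampleName], sampleName); err == nil {
		return "", errors.New("server dump should not have decrypted")
	}
	pt, err := open(key, v.blobs[sampleName], sampleName) // only the client can read it
	return string(pt), err
}

func main() {
	pt, err := ProviderHeldKey()
	fmt.Printf("provider-held key, recovered from server dump: %q (err=%v)\n", pt, err)
	pt, err = ClientHeldKey()
	fmt.Printf("client-held key, dump unusable; client reads: %q (err=%v)\n", pt, err)
}
```

Both runs report "encrypted with AES-256"; only the second one keeps an insider or a server compromise from reading the file, which is why the terms-of-service change the clip describes is only possible under the first model.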
