Dropbox Head Responds To Snowden Claims About Privacy
First time accepted submitter Carly Page writes: When asked for its response to Edward Snowden's claims that "Dropbox is hostile to privacy", Dropbox told The INQUIRER that users concerned about privacy should add their own encryption. The firm warned, however, that if users do, not all of the service's features will work. Head of Product at Dropbox for Business Ilya Fushman says: "We have data encrypted on our servers. We think of encryption beyond that as a user's choice. If you look at our third-party developer ecosystem you'll find many client-side encryption apps.... It's hard to do things like rich document rendering if they're client-side encrypted. Search is also difficult, we can't index the content of files. Finally, we need users to understand that if they use client-side encryption and lose the password, we can't then help them recover those files."
Re:Our stuff is encrypted!!!! (Score:4, Interesting)
I wouldn't expect anything more than that from services that are aimed at businesses, and I think you've got to be an idiot if you view a free (or dirt cheap) storage service like Dropbox as anything other than temporary space some stranger's letting you use for a while. You've got to expect that you can't rely on the data to persist when you want it, and that it'll always be there if the government or hackers or anyone besides you wants it. I don't really have a problem with that. At zero dollars, it's been handy to have around and their API is probably the simplest and best of the cloud services I've used (even though their handling of file-type-based app permissions is bizarre).
Re:umm duh? (Score:3, Interesting)
Hehe, I have some clients from New Zealand and they were inquiring about some of my company's cloud service offerings. I talked a bit about them but mentioned that they would be better served by hardware that they owned. I asked if they had heard of Mega and what happened to them. They said it was on the news ALL THE TIME in New Zealand. So then I said "Well then you know that law enforcement raided Mega's servers, took them, and have since refused to give all of that data back to its owners. Would you trust your data when that is one of the consequences?" They bought new servers.
iDrive has the same problem (Score:5, Interesting)
iDrive [idrive.com], which is supposed to be a remote backup service, has a similar problem. They used to be an honest remote backup service, with client-side encryption. (They didn't protect the client password very well on the client machine, but at least the server didn't have it.) File contents were encrypted, but filenames were not, so you could look at logs and the directory tree online. Then they came out with a "new version" of the service, one that is "web based" and offers "sharing".
For "sharing" to work, of course, they need to know your encryption key. They suggest using the "default encryption key". Even if you're not "sharing", when you want to recover a copy of a file, you're prompted to enter your encryption key onto a web page. The web page immediately sends the encryption key to the server as plain text, as can be seen from a browser log. Asked about this, they first denied the problem, then, when presented with a browser log, refused to answer further questions.
They try real hard to get their hands on your encryption key. After you log into their web site, a huge pop-up demands your encryption key. Without it, some of the menu items at the top of the page still work, and with some difficulty, you can actually find logs of what you backed up. You can't browse your directory tree, though.
It's possible to use the service securely (maybe), but you have to run only the application for recovery, and never use the web-based service. They don't tell you that.
This isn't a free service. I pay them $150 a year.
Re:No big deal (except the encryption part) (Score:4, Interesting)
You know there is a web interface to Dropbox too? People expect to read their documents, like Word or PDF, right there online. To do this the service must index the files and read them. Obviously if you encrypt the files, this cannot be done.
I use Dropbox as my offsite backup of sensitive information and I trust the information to be safe. Simple, I encrypt the tar-ball with symmetric GPG. But then again I can only download the file via the web interface if I wish and not view the contents online... buhuhu
Re:umm duh? (Score:5, Interesting)
The main reason that I suspect Dropbox discourages encryption is that they rely a lot on deduplication to reduce their costs. If everyone encrypted their files, then even two identical files would have different representations server-side if owned by different users, so their costs would go up a lot.
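
The deduplication argument in the last comment, as an added example that is not part of the original thread: a content-addressed store keeps one copy of a file uploaded by several users in plaintext, but one copy per user once each client encrypts with its own key. `DedupStore`, `client_encrypt` and `compare` are hypothetical names, the sample file is constructed, and the cipher is a stand-in SHA-256 counter-mode keystream used only so the block runs without third-party libraries.

```python
import hashlib
import os

NONCE_LEN = 16

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode); illustration only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        counter = (i // 32).to_bytes(8, "big")
        block = hashlib.sha256(key + nonce + counter).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def client_encrypt(user_key: bytes, plaintext: bytes) -> bytes:
    """Client-side encryption: fresh random nonce, key never leaves the client."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(user_key, nonce, plaintext)

def client_decrypt(user_key: bytes, blob: bytes) -> bytes:
    return keystream_xor(user_key, blob[:NONCE_LEN], blob[NONCE_LEN:])

class DedupStore:
    """Server-side content-addressed store: one physical copy per distinct blob."""
    def __init__(self):
        self.blobs = {}  # sha256 hex digest -> stored bytes

    def put(self, blob: bytes) -> str:
        digest = hashlib.sha256(blob).hexdigest()
        self.blobs.setdefault(digest, blob)  # identical upload: nothing new stored
        return digest

    def physical_bytes(self) -> int:
        return sum(len(b) for b in self.blobs.values())

def compare(n_users: int = 5, size: int = 4096):
    """Upload the same file for n_users, plaintext vs. client-side encrypted."""
    shared_file = b"A" * size  # constructed sample: the same file owned by every user
    plain_store, encrypted_store = DedupStore(), DedupStore()
    for _ in range(n_users):
        plain_store.put(shared_file)
        per_user_key = os.urandom(32)  # each user holds a different key
        encrypted_store.put(client_encrypt(per_user_key, shared_file))
    return plain_store.physical_bytes(), encrypted_store.physical_bytes()

if __name__ == "__main__":
    plain, encrypted = compare()
    print(f"plaintext uploads stored: {plain} bytes; encrypted uploads stored: {encrypted} bytes")
```

The server sees only ciphertext digests in the second store, so it has no way to tell that the five uploads are the same file.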