Dropbox Responds to FTC Complaint about Data Security

Wednesday, May 18, 2011

Online data storage provider Dropbox has responded to allegations that the company is making misleading statements to customers about the security measures it uses.

Security researcher Christopher Soghoian had filed a complaint with the Federal Trade Commission alleging that the online file storage service provider has been making false claims to customers about the company's protocols for securely storing data.

The crux of the complaint centers on statements made by Dropbox that led customers to believe data submitted to the service for storage is always in an encrypted state and only accessible in an unencrypted state by the client.

The company has responded to some of the allegations in updates to an existing Dropbox blog post:

"We understand that many of you have been confused by this situation — and some folks even felt like we misled them, or were careless about their privacy. We apologize for this confusion. All of us here at Dropbox care deeply about the security and privacy of your data, and the last thing we want to do is let you down," Dropbox states.

According to the complaint filed by Soghoian with the FTC, "Dropbox has and continues to make deceptive statements to consumers regarding the extent to which it protects and encrypts their data."

Dropbox replies that the nature of encryption is complex, and in attempting to explain the process employed by the company in simple terms there may have been some misinterpretation:

"We openly discuss how Dropbox security works. Part of our challenge is that we have to communicate with people both familiar and unfamiliar with the intricacies of encryption and online security. Most of our users are learning about these issues for the first time, and rely on us to communicate in plain language about topics that are nuanced and complex, even for security professionals," Dropbox explains.

Soghoian further alleges in the FTC complaint that "Dropbox does not employ industry best practices regarding the use of encryption technology. Specifically, Dropbox’s employees have the ability to access its customers’ unencrypted files."

Dropbox responded that the issue of employee access, and the preventive measures the company has in place, was simply not clearly explained prior to the FTC complaint:

"Another statement read “Dropbox employees aren’t able to access user files.” That means that we prevent such access via access controls on our backend as well as strict policy prohibitions. That statement didn’t say anything about who holds encryption keys or what mechanisms prevent access to the data. We updated our help article and security overview to be explicit about this," Dropbox continued.

Soghoian also asserts that "Dropbox has and continues to make deceptive statements to consumers regarding the extent to which it protects and encrypts their data."

Dropbox responds that the confusion on the issue lies in a faulty assumption by Soghoian, and that the company has now provided a better explanation of the encryption methodologies employed:

"For example, one help article formerly stated that 'files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password.' We were explaining that there are multiple safeguards on your data: that the files are stored encrypted and in addition, protected by your access credentials. However, a security professional could incorrectly infer that the encryption key comes from the user’s password, so we’ve separated the two points for clarity," the blog post states.

While Soghoian characterizes Dropbox's prior efforts at relaying this important information to their customers as "misrepresentations" that amount to deceptive trade practices, Dropbox would like the whole matter to be explained away as a simple misunderstanding.

It will be up to the FTC to decide whether Dropbox intended to mislead its customers with the language used, and whether the company will incur sanctions for the offense.

If the point of the FTC complaint was to inspire Dropbox to amend published materials that tout the company's services, then it seems Soghoian has already accomplished what he set out to do.

"We will continue to try to find the right balance between using clear language and providing the right level of technical detail. And when we oversimplify something or the community asks for clarification, we do our best to respond directly and publicly," Dropbox assured.
