Dropbox security woes are back, FTC complaint filed

Less than a month ago, we questioned whether Dropbox’s privacy changes warranted concern of PlayStation proportions. The phrase that piqued users’ interest had to do with sharing information with outside entities, namely the government and law authorities. “We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith to believe that disclosure is reasonably necessary,” the statement reads, and lists various legal, security, and safety situations in which it may have to do this.

Dropbox also clarified the state of security of your stored documents. Namely, its encryption process wasn’t quite what users believed it to be, and while Dropbox assured everyone its system is adequately safe, nerves were rattled to say the least. And now, it looks like users aren’t the only ones calling foul, as a complaint against the company has been filed with the Federal Trade Commission.

The site previously claimed that “all files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password” (AES-256 is the highest strength of Advanced Encryption Standard ciphers used to encrypt data). Instead, Dropbox has been using file dedpulication when it’s initially uploading a document in order to determine if that file has already been uploaded by someone else (and if it has, it then links to the formerly uploaded one). This process means Dropbox can save ample storage space and bandwidth, but by means of a less secure system.

Ph.D. candidate and graduate fellow at Indiana University Christopher Soghoian filed the complaint, and explained in his blog his reasons for questioning Dropbox’s policies. He argues that if Dropbox is using a deduplication system, it definitely is able to see unencrypted version of your files in order to determine if there are duplicates. And as Soghoian explains, these measures are “useless against many attacks if the encryption key isn’t kept private,” which he’s uncertain of. The complaint states that “Dropbox does not employ industry best practices regarding the use of encryption technology. Specifically, Dropbox’s employees have the ability to access its customers’ unencrypted files.” The statement goes on to say that the encryption keys are stored on company servers.

For anyone storing particularly sensitive information on the site, this news if cause for concern. But there are also users who believe cloud-based storage can only be so safe, and you’re taking a leap of faith by using them altogether. But what does Dropbox have to say about it? “We believe this complaint is without merit, and raises issues that were addressed in our blog post on April 21, 2011 .  Millions of people depend on our service every day and we work hard to keep their data safe, secure, and private,” says company spokesperson Julie Supan.

Adding a strange twist to the whole thing is the fact that Soghoian broke the Facebook PR scandal story. Busy guy.