I’m a big fan of the Dropbox application for a while. Dropbox helps you to synchronize your files within a personal deposit located in the cloud. If you have multiple Dropbox clients configured, your files will be instantly synchronized between all your devices when they come online. I use it daily to exchange files between my iPhone, Macbook and Linux laptop. Any change performed in the monitored folder is immediately synchronized with the other devices. Easy but safe?
Dropbox recently changed its EULA (“End User License Agreement“) and this made lot of people cringe. For a few days, the following mentions about privacy of your uploaded files have been removed from their website:
“Nobody can see your private files in Dropbox unless you deliberately invite them or put them in your Public folder“
“Dropbox employees aren’t able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc., not the file contents).“
Dropbox now announces:
“We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) to protect Dropbox’s property rights. If we provide your Dropbox files to a law enforcement agency as set forth above, we will remove Dropbox’s encryption from the files before providing them to law enforcement. However, Dropbox will not be able to decrypt any files that you encrypted prior to storing them on Dropbox.”
For me, this means that people inside the Dropbox organization have tools to decrypt your files and access the content. I don’ t synchronize critical files with my Dropbox account but, as you probably know, the malicious insider became a major threat today. My privacy remains a big concern! Bad month for Dropbox, it looks that the Dropbox user’s authentication is insecure by design. So, I decided to look for a nice Dropbox alternative. Is is time to change? There are plenty of Dropbox-alike services available but only one matched my principal requirements:
- Respect of my privacy (encryption)
- Multi-platform support (Linux, Windows, MacOS & iPhone)
This other service which came fist is Wuala (an European sub-company of Lacie). The biggest advantage of Wuala is the encryption. It’s performed on the client side before the data being sent to the cloud. This means that Wuala cannot decrypt your data (except by using a bruteforce attack against weak passwords ). As you encrypt data by yourself, more CPU usage is required and a risk of data loss exists if you loose your password! (You are the only one to know it). About the security of your data, Wuala allows their users to share some free disk space to store blocks of data from user users. By doing this, you can get extra storage capacity (they call this “trading“). Nice but I’m not feeling comfortable with some piece of my data stored on other computers not controlled by the “service provider“. What will happen if their encryption algorithm is broken? From a pure networking point of view, Wuala can be detected as a Peer-2-Peer application. I still prefer Dropbox which works below the radar (it uses HTTPS). Here is a small overview of pro & con:
My conclusions? First, don’t forget the “security triangle“! More features are available in applications, more security concerns may arise. A good example is the deduplication mechanism used by Dropbox to reduce bandwidth and storage requirements. Second, always keep in mind that your files are sent to the cloud with all it’s known issues! Before using a synchronization service (or any other service offered in the cloud), perform a risk management exercise. What if your data were lost? What if they are disclosed? As always awareness is mandatory. Users must be aware of the risks they take by using such services. Don’t kill immediately services like Dropbox or Wuala but use them in the right way!
If you really need to exchange sensitive data, there are solutions to increase their confidentiality and integrity:
- Encrypt them by yourself! (GnuPG is your friend)
- Create a TrueCrypt container in your Dropbox folder
About TrueCrypt containers, I don’t recommend to use them “live”. It’s not easy to sync a big container even if both are working with blocks. It seems that Dropbox will always transfer the complete file after every change.
Dropbox already communicated on your topic via their blog about those security issues.