Should Dropbox & Co be Killed?

Partly CloudyI’m a big fan of the Dropbox application for a while. Dropbox helps you to synchronize your files within a personal deposit located in the cloud. If you have multiple Dropbox clients configured, your files will be instantly synchronized between all your devices when they come online. I use it daily to exchange files between my iPhone, Macbook and Linux laptop. Any change performed in the monitored folder is immediately synchronized with the other devices. Easy but safe?

Dropbox recently changed its EULA (“End User License Agreement“) and this made lot of people cringe. For a few days, the following mentions about privacy of your uploaded files have been removed from their website:

Nobody can see your private files in Dropbox unless you deliberately invite them or put them in your Public folder

Dropbox employees aren’t able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc., not the file contents).

Dropbox now announces:

We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) to protect Dropbox’s property rights. If we provide your Dropbox files to a law enforcement agency as set forth above, we will remove Dropbox’s encryption from the files before providing them to law enforcement. However, Dropbox will not be able to decrypt any files that you encrypted prior to storing them on Dropbox.”

For me, this means that people inside the Dropbox organization have tools to decrypt your files and access the content. I don’ t synchronize critical files with my Dropbox account but, as you  probably know, the malicious insider became a major threat today. My privacy remains a big concern! Bad month for Dropbox, it looks that the Dropbox user’s authentication is insecure by design. So, I decided to look for a nice Dropbox alternative. Is is time to change? There are plenty of Dropbox-alike services available but only one matched my principal requirements:

  • Respect of my privacy (encryption)
  • Multi-platform support (Linux, Windows, MacOS & iPhone)

This other service which came fist is Wuala (an European sub-company of Lacie). The biggest advantage  of Wuala is the encryption. It’s performed on the client side before the data being sent to the cloud. This means that Wuala cannot decrypt your data (except by using  a  bruteforce attack against weak passwords 😉 ). As you encrypt data by yourself, more CPU usage is required and a risk of data loss exists if you loose your password! (You are the only one to know it). About the security of your data, Wuala allows their users to share some free disk space to store blocks of data from user users. By doing this, you can get extra storage capacity (they call this “trading“). Nice but I’m not feeling comfortable with some piece of my data stored on other computers not controlled by the “service provider“. What will happen if their encryption algorithm is broken? From a pure networking point of view, Wuala can be detected as a Peer-2-Peer application. I still prefer Dropbox which works  below the radar (it uses HTTPS). Here is a small overview of pro & con:

Solution Pro Con
  • Use HTTPS
  • Simple OS integration
  • Multiple platforms support
  • Server side encryption
  • Close source software
  • The only way to increase storage quota is $$$
  • Lack of configuration (delays, confirmations, …)
  • Client side encryption
  • Multiple platforms support
  • Extra storage can be received by “trading”
  • Less OS integration (require extra packages like MacFuse)
  • Sync between multiple computers not available for free accounts
  • Closed source software
  • Peer-2-Peer protocols (incoming connections – firewalls must be update)

My conclusions? First, don’t forget the “security triangle“! More features are available in applications, more security concerns may arise.  A good example is the deduplication mechanism used by Dropbox to reduce bandwidth and storage requirements. Second, always keep in mind that your files are sent to the cloud with all it’s known issues! Before using a synchronization service (or any other service offered in the cloud), perform a risk management exercise. What if your data were lost? What if  they are disclosed? As always awareness is mandatory. Users must be aware of the risks they take by using such services. Don’t kill immediately services like Dropbox or Wuala but use them in the right way!

If you really need to exchange sensitive data, there are solutions to increase their confidentiality and integrity:

  • Encrypt them by yourself! (GnuPG is your friend)
  • Create a TrueCrypt container in your Dropbox folder

About TrueCrypt containers, I don’t recommend to use them “live”. It’s not easy to sync a big container even if both are working with blocks. It seems that Dropbox will always transfer the complete file after every change.

Dropbox already communicated on your topic via their blog about those security issues.


  1. Si les TOS ont été modifiés en langue anglaise, ce n’est pas le cas pour les traductions locales.
    Ainsi les TOS qui s’appliquent en France (choisir “Français” en bas du site) sont toujours les anciennes :
    “Conformité avec la législation et application des lois. […] Nous divulguerons les informations vous concernant aux responsables gouvernementaux et à la police ou à des organismes privés, si nous considérons, […]”

    Enfer juridique un jour, enfer juridique toujours…

  2. It’s is not only a Dropbox problem but a Cloud problem. I think it is mandatory that everything that is stored in the cloud must be encrypted locally before being sent to the cloud.

  3. Why do you need a third party storage host? your own devices are adequate for this.

    ie 64g on phone 256g on netbook and 1024g usb hd on wireless router available everywhere via reciprocal NFS or CIFS mounts, git for stuff you want redundant and historied, rsync for stuff you want redundant but not historied (write-once files like emails or feeed/chat/activity logs)

    do you like a python script spidering your drives and uploading stuff to a third party when you’re already using git/hg for important stuff and irssi/procmail/etc are dumping files to predictable locations that a one-time crontab entry can take care of disgributing?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.