Technology

Dropbox shows privacy and usability is not an easy balance

WIRED: Dropbox’s file-sharing product is too simple to meet data security expectations

DANNY O'BRIEN
Fri May 20 2011 - 01:00

WIRED:Dropbox's file-sharing product is too simple to meet data security expectations

DROPBOX IS a Silicon Valley start-up which has managed to take an apparently straightforward problem – how do you share files with friends, and keep them synchronised between computers? – and turn it into a unique and compelling product.

But the very trick the company has used to beat back competitors, and even built-in utilities packaged with Windows, Mac and Ubuntu computers, has caused it serious headaches in this week’s tech press, and possibly with the US government.

Dropbox may be simple enough to succeed, but too simple for the security expectations of its users or the Federal Trade Commission’s standards.

READ MORE

Dropbox offers its users a folder that sits on your computer. When you drop files onto it, they’re silently copied onto Dropbox’s own servers. From there, you can share your files with friends, make them public, or seamlessly replicate them on any other computers you have connected to the internet.

It’s hardly the most unique idea, but unlike Windows Briefcase, Ubuntu One, or Mac’s iFile, Dropbox “just works”. Its synchronisation occurs in the background and does not interfere with the computer’s other uses. Its software is available for all key platforms, including Android and iPhones. Its interface – your computer’s file system – is so simple it’s barely noticeable. Once you have it running, you barely remember it’s there. That silent running is comforting for day-to-day use: but it makes for a bigger surprise when users’ expectations are violated. For Dropbox, that happened when privacy researcher Chris Seghoian pointed out in a complaint to the US consumer regulator that the company’s terms of service may have misled its customers.

Until mid-April, Dropbox stated that “all files stored on Dropbox’s servers are encrypted and are inaccessible without your account password”.

In fact, while Dropbox does encrypt its users’ files, the company also keeps the key to unencrypting the same content. That means a rogue employee at the company could look into a user’s account and see what was stored. It also means the US government could serve a subpoena on Dropbox and access that same content.

Dropbox has defended its language, saying it did not intend to mislead consumers, and pointing to numerous clarifications over its practices in its support forums. The challenge it faces, however, is both one of perceptions and of the law.

Dropbox is so successfully invisible in its operation that most of its users have probably never even considered how it works. Given the company’s strong emphasis on protecting private files and synchronising between private machines, it’s natural to assume those files are as private as they would be had you copied between computers yourself.

That’s not the case either in fact, and, in the United States at least, under the law. Dropbox keeps corporate copies of the files on its own servers and in numerous backups. By US law, those files are far more easily accessible by law enforcement and other legal investigations than they would be if you kept them on your home machine or copied them by hand.

It is not as though practically every other internet backup or synchronisation service is any better. E-mail on Google’s Gmail service, files on your web hosting service, even your financial records on sites like Mint.com are all just as easily accessed.

Seghoian’s complaint was perhaps more strongly connected to how things could be run on “cloud” services like Dropbox. Dropbox could have encrypted its users’ files in a way that meant neither the company’s employees, nor third-parties, could access them. To do so would require users to have the only copy of the secret key that would decrypt the files. Unfortunately that would be harder for Dropbox to implement and potentially more intrusive for Dropbox users to manage. For a company that got to where it is by making things simple and invisible, building better privacy was almost certainly considered but rejected in favour of better usability.

Cloud companies will only succeed if they manage to do the unsurprising thing in every case, from everyday usability to long-term privacy and security. It will be a tricky balance to make, but as Dropbox’s programmers and its critics will agree: writing software was never as easy as it looked.

Business Today

Business Today

Get the latest business news and commentary from our expert business team in your inbox every weekday morning