Dropbox CTO on their security policy

Arash Ferdowsi, CTO of Dropbox, wrote to me to clarify Dropbox's present and historical privacy policy:
first, I'd like to clarify what our intent was in how we represented privacy in our TOS. in our help article we stated "Dropbox employees aren't able to access user files" we didn't intend to mislead anybody with this statement - we prevent this via access controls on our backend as well as strict policy prohibitions. we don't feel this statement implies anything about who holds the encryption keys or what mechanisms prevent access to the data.

that said, it's become very clear to us that the statement wasn't explicit enough about what the barriers to access are. consequently, we've updated our help article and security overview to be explicit about this.

secondly, I'd like to clarify that we've never stated we don't have access to encryption keys. we've made quite a few posts in our public forums over the years about this very fact and we are quite open with our community: 1, 2, 3.

Dropbox's new security policy implies that they lied about privacy from the start



    1. dude just likes to keep things loose. like dropbox’s security and understanding of honesty.

      that burn so harsh they gonna need skin grafts and a sterilized environment.

  1. Compare and contrast:



    “No form of data or meta-data concerning the behavior of our customers or the contents of their filesystems, or
    even the customer data that we hold in our records for billing, will ever be divulged to any law enforcement
    officer or agency without order served directly by a US court having jurisdiction. Immediate notice will be
    given to any customer named in such a court order, and access to their files will not be interrupted unless
    specifically barred by the court order.”


    “No consumer or personal information about our customers of any kind will be divulged to any party for any reason.”

  2. I guess what they meant to say is that, “There exist Dropbox employees who are not able to access user files.”

    Perhaps the janitor. Perhaps all but one. Perhaps we’re having fun with the definition of employee!

  3. Don’t implicitly trust anyone when it comes to cryptography, people. If you want to make sure your stuff is safe in your Dropbox, just store a TrueCrypt-volume and put your stuff in there.

  4. I love dropbox – it works well, and it’s super convenient. That said, I don’t keep anything in it that I’d consider secret. I’m not terribly concerned if someone manages to access my Diablo 2 save data or recipe list.

    1. True. My team uses it here at work, but mostly it’s graphic files and such that we all need to share. Nothing private.

      1. Are all of your team in the same office, with company workstations? If so, why not just use a server on the LAN rather than pushing stuff over to an off-site server and back?

        1. IIRC, there’s a feature in there that will cause a sync to look to other repositories on a machine’s local network before going out to hit the dropbox server. I’m not sure if it activates only for setting up an account on a new machine (sync from scratch), though – that’s the only time I noticed it. I’d installed Dropbox on my laptop, and the initial sync was lightning fast, as it was able to grab the data directly from my desktop.

          I did use it to share sources with my teammate once in college. I couldn’t convince him to just use my SVN server >.>

  5. I was always suspicious of the closed nature of Dropbox (yes, even on Linuxm there is a binary blob). I guess this just confirms it.

Comments are closed.