Dropbox: How secure is it?

Dropbox – the web service for transferring files – may have inadvertently revealed a security hole by making an announcement about terrorism.

Dropbox announced in an update that they would provide the government with your decrypted files if requested to do so – obviously this is not a concern to the average user, but it does reveal that Dropbox staff can decrypt and access your stuff.

Close reader Miguel de Icaza of blog Tirania points out that that’s in contradiction to Dropbox’s stated security policy, which says:

“All transmission of file data occurs over an encrypted channel (SSL).
All files stored on Dropbox servers are encrypted (AES-256).
Dropbox employees aren’t able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc., not the file contents)”

So going by the announcement, it would seem that Dropbox employees are actually able to access user files. Though they may only use those powers in occasional circumstances, that is clearly different from stating that they are not able to access a user’s files.

So it’s not going to change how I use the service – I love it – and this just brings it down to the same level of security as Gmail or Google Docs, but it’s interesting to see where security policies don’t match up with the truth.

Read Miguel’s analysis at his blog here

Anna Leach