Dropbox Is Much Less Private Than I Thought

Slight Paranoia has the story. It seems Dropbox tries to avoid storing duplicate files, and so checks (probably via a hash comparison) whether any OTHER user has already uploaded the same file before accepting an upload. And there's the rub:

As Ashkan Soltani was able to test in just a few minutes, it is possible to determine if any given file is already stored by one or more Dropbox users, simply by observing the amount of data transferred between your own computer and Dropbox’s servers. If the file isn’t already stored by Dropbox, the entire file will be uploaded. If Dropbox has the file already, just a few kb of communication will occur.

While this doesn’t tell you which other users have uploaded this file, presumably Dropbox can figure it out. I doubt they’d do it if asked by a random user, but when presented with a court order, they could be forced to.

What this means is that from the comfort of their desks, law enforcement agencies or copyright trolls can upload contraband files to Dropbox, watch the amount of bandwidth consumed, and then obtain a court order if the amount of data transferred is smaller than the size of the file.

Last year, the New York Attorney General announced that Facebook, MySpace and IsoHunt had agreed to start comparing every image uploaded by a user to an AG supplied database of more than 8000 hashes of child pornography. It is easy to imagine a similar database of hashes for pirated movies and songs, ebooks stripped of DRM, or leaked US government diplomatic cables.

via slight paranoia: How Dropbox sacrifices user privacy for cost savings.

Ungood. Not actually something that I think has a large chance of impacting my life, but it's bracing to discover that Dropbox has easy access to the cleartext of my files and has such a large security hole. I was misled by their description of how they encrypted things. The description is being corrected as a result of this discovery, but I'd rather they fixed the problem, thank you very much.
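To make the leak concrete, here is a toy model of the check described above. This is an added example, not code from the original post and not Dropbox's protocol; the server, the users ("alice", "mallory"), the 64 KB random files and the three dedup modes are all hypothetical. It shows why a "do you already have hash H?" probe that is answered across all users turns the byte count of an upload into a yes/no oracle, and how two designs that the post's complaint implies (answer the probe only against the uploader's own files, or never ask before uploading) close it.

```python
"""Added example (not from the original post, not Dropbox's code): a toy model of
cross-user deduplication and the bandwidth oracle it creates."""
import hashlib
import os


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class DedupServer:
    """Hypothetical content-addressed blob store with three dedup policies.

    mode = "global"   : client asks "do you have hash H?" before uploading and the
                        answer covers every user's files (the leaky design above)
    mode = "per_user" : same question, answered only against the asker's own files
    mode = "server"   : no pre-upload probe; client always sends the whole file and
                        the server deduplicates after receipt
    """

    def __init__(self, mode: str):
        assert mode in ("global", "per_user", "server")
        self.mode = mode
        self.blobs = {}   # digest -> bytes
        self.owners = {}  # digest -> set of user ids that "own" the blob

    def have(self, user: str, digest: bytes) -> bool:
        if self.mode == "server":
            return False  # there is no probe in this mode
        if self.mode == "per_user":
            return user in self.owners.get(digest, set())
        return digest in self.blobs

    def store(self, user: str, data: bytes) -> None:
        digest = sha256(data)
        self.blobs.setdefault(digest, data)
        self.owners.setdefault(digest, set()).add(user)


def upload(server: DedupServer, user: str, data: bytes) -> int:
    """Upload `data` as `user`; return the number of bytes that went over the wire."""
    digest = sha256(data)
    sent = 0
    if server.mode != "server":
        sent += len(digest)  # the "have you already got this?" probe
        if server.have(user, digest):
            server.owners[digest].add(user)  # just link the existing blob
            return sent
    sent += len(data)  # full upload
    server.store(user, data)
    return sent


def file_already_present(server: DedupServer, attacker: str, candidate: bytes) -> bool:
    """The oracle: upload a candidate and see whether far fewer bytes went up than its size."""
    sent = upload(server, attacker, candidate)
    return sent < len(candidate)


def demo(mode: str):
    """Returns (oracle result for a file another user has, oracle result for a fresh file)."""
    srv = DedupServer(mode)
    shared_file = os.urandom(64 * 1024)  # constructed stand-in for a file "alice" stores
    unseen_file = os.urandom(64 * 1024)  # constructed file nobody has uploaded
    upload(srv, "alice", shared_file)
    return (
        file_already_present(srv, "mallory", shared_file),
        file_already_present(srv, "mallory", unseen_file),
    )


if __name__ == "__main__":
    for mode in ("global", "per_user", "server"):
        print(mode, demo(mode))
```

In "global" mode the attacker learns that the shared file exists (a 32-byte probe instead of a 64 KB upload) while the unseen file costs the full upload plus the probe; in the other two modes both candidates cost at least their full size, so the byte count says nothing about other users. The oracle only needs the candidate to be larger than the probe, which any real file is; it also does not identify who holds the file, which is exactly the gap a court order to the provider would fill.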

4 thoughts on "Dropbox Is Much Less Private Than I Thought"

  1. Hm, how do you know Dropbox doesn't compare your hash with their database of hashes? Really, do they run through your folder and open every file and regenerate hashes to compare on every upload? Or do they just say "I've seen this hash before" and then prevent you from uploading it? All this fear and paranoia is based on random speculation.

    1. That’s not the point. The point is that they have access to cleartext, and now admit it in their revised Dropbox privacy policy.

      We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) to protect Dropbox’s property rights. If we provide your Dropbox files to a law enforcement agency as set forth above, we will remove Dropbox’s encryption from the files before providing them to law enforcement. However, Dropbox will not be able to decrypt any files that you encrypted prior to storing them on Dropbox.

      Thus, the fact that my files are encrypted on their server doesn't protect me nearly as well as I thought, since they also store the means to decrypt them. It's not, as I had thought (been led to believe?), a system where my Dropbox password is part of the key, and they don't have my password, which would make the fact that my files are encrypted on their server much more meaningful.
