Slight Paranoia has the story. It seems Dropbox tries to avoid storing duplicate files, and thus checks (probably via a hash comparison) to see if any OTHER user has uploaded the same file. And there’s the rub:
As Ashkan Soltani was able to test in just a few minutes, it is possible to determine if any given file is already stored by one or more Dropbox users, simply by observing the amount of data transferred between your own computer and Dropbox’s servers. If the file isn’t already stored by Dropbox, the entire file will be uploaded. If Dropbox has the file already, just a few kb of communication will occur.
While this doesn’t tell you which other users have uploaded this file, presumably Dropbox can figure it out. I doubt they’d do it if asked by a random user, but when presented with a court order, they could be forced to.
What this means is that from the comfort of their desks, law enforcement agencies or copyright trolls can upload contraband files to Dropbox, watch the amount of bandwidth consumed, and then obtain a court order if the amount of data transferred is smaller than the size of the file.
Last year, the New York Attorney General announced that Facebook, MySpace and IsoHunt had agreed to start comparing every image uploaded by a user to an AG supplied database of more than 8000 hashes of child pornography. It is easy to imagine a similar database of hashes for pirated movies and songs, ebooks stripped of DRM, or leaked US government diplomatic cables.
Ungood. Not actually something that I think has a large chance of impacting my life, but it’s bracing to discover that Dropbox has easy access to cleartext of my files and has such a large security hole. I was misled by their description of how they encrypted things. The description is being corrected as a result of this discovery, but I’d rather they fixed the problem, thank you very much.
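
A toy model of the deduplication side channel quoted above, with account-scoped deduplication beside it as the mitigation. This is an added example, not code from the original post, from Slight Paranoia or from Dropbox; the `DedupStore` class, the 64-byte handshake cost and the sample files are assumptions made for illustration.

```python
import hashlib


class DedupStore:
    """Toy upload server (constructed model, not Dropbox's real protocol).

    scope="global": one hash index shared by all users (cross-user dedup).
    scope="user":   the index key includes the account, so duplicates are
                    only detected within a single user's own files.
    """

    HANDSHAKE_BYTES = 64  # assumed fixed cost of offering the file hash

    def __init__(self, scope):
        if scope not in ("global", "user"):
            raise ValueError("scope must be 'global' or 'user'")
        self.scope = scope
        self.blobs = {}

    def _key(self, user, data):
        digest = hashlib.sha256(data).hexdigest()
        return digest if self.scope == "global" else (user, digest)

    def upload(self, user, data):
        """Store data for user; return how many bytes the client sent."""
        key = self._key(user, data)
        if key in self.blobs:
            return self.HANDSHAKE_BYTES          # server already holds it
        self.blobs[key] = data
        return self.HANDSHAKE_BYTES + len(data)  # full upload needed


def leaks_presence(scope):
    """True if bob's transfer size differs depending on whether alice
    already stored the same file, i.e. the size acts as an oracle."""
    store = DedupStore(scope)
    stored_by_alice = b"A" * 100_000   # constructed sample file
    never_uploaded = b"B" * 100_000    # constructed control file
    store.upload("alice", stored_by_alice)
    sent_known = store.upload("bob", stored_by_alice)
    sent_fresh = store.upload("bob", never_uploaded)
    return sent_known != sent_fresh


if __name__ == "__main__":
    for scope in ("global", "user"):
        print(f"{scope:6s} dedup leaks other users' files: {leaks_presence(scope)}")
```

Scoping the index to the account removes the cross-user oracle at the cost of storing one copy per user; a user re-uploading their own file still gets the short transfer.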