Dropbox misrepresented security features, researcher claims

With online data security being at the forefront of consumers’ minds after several recent high-profile breaches, cloud storage service Dropbox is now coming under fire for the way they handle customers’ files.

Christopher Soghoian, PhD, a security researcher at the University of Indiana, recently sent a letter to the U.S. Federal Trade Commission stating that the company's security practices do not live up to its advertised claims.

"Dropbox has and continues to make deceptive statements to consumers regarding the extent to which it protects and encrypts their data," Soghoian wrote in the official complaint. "Dropbox's customers face an increased risk of data breach and identity theft because their data is not encrypted."

Soghoian took issue with the company's claims that encrypted files were not accessible without the user's password, and that nobody could view the files without being granted permission by the user. In fact, Dropbox admitted that it had the means to decrypt users' files and would do so if it received a request from a law enforcement agency to hand over files. But the fact that the company could decrypt the files at all rendered the advertised security measures useless in the eyes of experts.

In the FTC complaint, the researcher requested that Dropbox make amends with customers by notifying them by email of the company's access to customer files, instructing them on how to secure the data themselves, and offering paying customers who feel misled a refund of their purchase fees.

"We believe this complaint is without merit, and raises issues that were addressed in our blog post on April 21, 2011," Dropbox spokeswoman Julie Supan said in a statement. "Millions of people depend on our service every day and we work hard to keep their data safe, secure, and private." However, the company did change the wording of its security claims in its online help files on April 23rd.

The company claims to have 25 million users who save up to 200 million files to their servers daily.

After reading through the complaint, Dropbox’s original statements about their security levels seem glaringly inaccurate compared to the reality they’ve admitted. I would be surprised if the FTC didn’t levy a fine on the company in addition to requiring refunds to customers.