I’m sure this is the situation with any cloud-based storage and here’s the loophole they can use (not just Dropbox), especially when faced with a legal order to hand over files:
Think of what happens when you forget your password. You click the “Forgot password” option, type your e-mail, maybe a security question and receive a password reset e-mail a little while later.
So how does this give their staff access? Well, they just need to follow this same process. For a service with security questions, I’m sure they can skip this step. They just need to have their server divert the password reset e-mail to an internal account and voilà, they now have access. Once they copy out the files they want, they can either flag the account as suspended or restore the old password hash and log files to make the account look like it was not touched. If for some reason the end user tries accessing the account during this time and complains about access, it’s just a matter of them making an excuse (e.g. server maintenance).
If a service provided true password-based encryption, there would be no way of gaining access to that service account once the password is lost, much like a high security flash drive (e.g. IronKey). Even if a service does make such a claim, there is no way of knowing for sure that the service provider has no access.