Dropbox Fires Back Against Allegations It Misled Users

Dropbox, the online storage company, vehemently denies that it ever misled users about the nature of its security and privacy measures, calling a recent complaint to the FTC "meritless."

"I take issue with the allegation that we have somehow lied or misled people for any kind of gain," Dropbox founder Drew Houston told Wired.com. "We never put anything up there that was untrue."

"And now it's leading to people think we are not secure," Houston lamented.

In a written complaint to the FTC last week, security researcher Christopher Soghoian said Dropbox promised users that no one could access the encrypted files they stored on the service, when in fact, their files can be subpoenaed by the government and their online folder can be seen by Dropbox employees.

At issue is how Dropbox uses encryption, and, more to the point, how it described its system to users.

Dropbox gives users a small "hard drive" in the cloud, which can be accessed from a number of computers and devices -- making it simple to share files between devices and with friends. The files are stored encrypted with AES256.

But a user's crypto keys aren't stored on that user's own computer; they're stored on Dropbox's servers. That's a legitimate architectural choice -- for one thing, it makes it simple to view your files on the web or add Dropbox to a second device -- but it means Dropbox can decrypt the files at will and see the contents, putting users at risk of court-authorized government searches, rogue Dropbox employees, and even companies trying to bring mass copyright-infringement suits.

Soghoian argues that language on Dropbox's website implied that none of this was possible. Up until April 13, the Dropbox website said this:

Dropbox employees aren’t able to access user files, and when troubleshooting an account, they only have access to file metadata (filenames, file sizes, etc. not the file contents).

Houston counters that the company has always been upfront with customers about how the service works, and that the company is now being scapegoated by Soghoian for making its marketing materials clearer after he originally brought up the issue to the company in early April. At that point, Dropbox changed the language to read:

Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations).

The company also added this text:

Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.

Soghoian used the changes Dropbox made to its help pages in mid-April in his FTC complaint last week as proof the company misled users the first time around.

But the old language was still accurate, says Houston, because the company has internal policies and technical safeguards to keep employees from accessing the contents of user files. The original statement, he says in essence, wasn't meant to imply that it was cryptographically impossible for employees to get at user data. Just that it was impossible.

"There is no way to see file data," Houston said. "I wrote the first version of everything and I haven't had access to the servers for years, and we intend to carry the flag even further on this."

The company only allows a limited number of engineers to look at a user's folder in response to a trouble ticket, he says. They can only see the filename and file sizes inside the folder, and any employee who looked in a folder without a corresponding trouble ticket would be fired.

Houston adds that talking about encryption is hard and the company seeks to be clear to users about its practices, while still using simple language understandable to people who don't know anything about encryption.

"There is always a tradeoff between exhaustiveness and clarity," Houston said. "We absolutely want to communicate in plain language, but easily let people dive into details."

As proof that the company has been clear, Dropbox pointed Wired to four posts in its forums (it says there are many more) that show the company has always been forthright.

The company also updated a long blog post about the issue.

"We put the answer so simply because these are the questions people ask and we respond with the plain language they expect," Houston said. "And so when people ask, 'Can employees see your stuff?,' we say 'Absolutely not.' We want to make that as clear as possible."

Soghoian's complaint is currently just that -- a complaint to the FTC. Anyone can file one, and the FTC picks and chooses which to pursue.

But Soghoian has earned a strong reputation in privacy and security circles, and spent a year working for the FTC helping them understand consumer tech issues, which gives his complaint weight in the press and, presumably, at the FTC as well.

While denying it did anything improper, Dropbox says it will continue to work on how it communicates to users and how it protects data.

The company also believes it deserves the benefit of the doubt, as a company that's grown from 4 million to 25 million customers in 15 months, while offering a service that is a "massive step-up in usability and security" for how users store data, Houston said.

"We aren't done," Houston said. "We take this as a reminder about the responsibility on our shoulders."

Photo: A user showing Dropbox installed on a range of devices, including a Mac, an iPhone and a PC. Credit: David King
