
Can Dropbox Be Trusted? - sant0sk1
My co-worker was reviewing Dropbox as an option for our company's file backup, sharing, and syncing and he came across this language in their privacy policy:

    Business Transfers. Dropbox may sell, transfer
    or otherwise share some or all of its assets,
    including your Personal Information, in connection
    with a merger, acquisition, reorganization or
    sale of assets or in the event of bankruptcy.

https://www.getdropbox.com/terms#privacy

Perhaps this is a question for a lawyer (maybe we have one reading HN...), but doesn't this give Dropbox too much freedom with my data? Would you still use their service with this policy in place? Am I overreacting??
======
jlouis
The very fact that there is no explanation of how the storage is done in
detail ought to make you worry. It certainly looks as if files are identified
by their (cryptographic?) checksum across accounts even if those accounts are
not sharing anything officially.

To do that, and to distribute that data from a single point means that someone
other than you has a key to read those data. You will have to protect your
data by encryption yourself before uploading.

Perhaps you should evaluate Tarsnap from <http://www.tarsnap.com/> which is in
public beta as of this writing. It provides a neat backup service and has a
publicly readable/accessible description of what measures are taken to
protect your data from adversaries. I have not tried it myself, but I happen
to know that Colin Percival knows what he is doing.
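
The inference in the comment above, as an added example that is not part of the original thread: a provider that deduplicates by checksum can link identical files across accounts, while files sealed on the client under per-user keys give it nothing to match. `DedupStore`, `seal`/`unseal`, the account names and the sample bytes are constructed for illustration, and the SHAKE-256 keystream is a stand-in for a vetted AEAD such as AES-GCM.

```python
import hashlib, hmac, os

class DedupStore:
    """Constructed model: a provider that keeps one copy per SHA-256 checksum."""
    def __init__(self):
        self.owners = {}  # checksum -> accounts that uploaded those bytes

    def upload(self, account, data):
        blob_id = hashlib.sha256(data).hexdigest()
        duplicate = blob_id in self.owners  # provider already holds these bytes
        self.owners.setdefault(blob_id, set()).add(account)
        return blob_id, duplicate

    def cross_account_matches(self):
        """Checksums the provider can link to more than one account."""
        return {b: sorted(o) for b, o in self.owners.items() if len(o) > 1}

def _subkeys(key):
    digest = hashlib.sha512(key).digest()  # split into cipher key and MAC key
    return digest[:32], digest[32:]

def seal(key, plaintext):
    """Encrypt-then-MAC using a SHAKE-256 keystream: a stand-in for a vetted
    AEAD such as AES-GCM, chosen only so this runs on the standard library."""
    k_enc, k_mac = _subkeys(key)
    nonce = os.urandom(16)
    stream = hashlib.shake_256(k_enc + nonce).digest(len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    return nonce + body + hmac.new(k_mac, nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    k_enc, k_mac = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(k_mac, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified ciphertext")
    stream = hashlib.shake_256(k_enc + nonce).digest(len(body))
    return bytes(c ^ s for c, s in zip(body, stream))

def compare_uploads(document, accounts=("alice", "bob")):
    plain, sealed = DedupStore(), DedupStore()
    keys = {a: os.urandom(32) for a in accounts}  # keys never leave the client
    for a in accounts:
        plain.upload(a, document)                 # same bytes from every account
        sealed.upload(a, seal(keys[a], document)) # per-user ciphertext
    return plain.cross_account_matches(), sealed.cross_account_matches()

SAMPLE = b"Q3 payroll export (constructed sample data)\n" * 4
print(compare_uploads(SAMPLE))
```

The first dictionary lists the checksum shared by both accounts; the second is empty because each account's ciphertext hashes differently.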

~~~
cperciva
_I happen to know that Colin Percival knows what he is doing._

Thanks for the vote of confidence. :-)

------
run4yourlives
Upvote because I want to see this discussion. Honestly, it seems to be a
simple "If we get acquired we don't need to ask you for permission", but it
does lean a little harsh.

I think though that if you're going to be storing say, customer CC info, you
don't want to be using a service like dropbox regardless of their policies. I
don't think they are the right choice - you should be handling the security of
this information yourself, or use clauses like dropbox's yourself to remove
liability.

As a business, this would be the more worrying clause though:

 _We may employ third party companies and individuals to facilitate our
service, to provide the service on our behalf, to perform Site-related
services (including but not limited to data storage, maintenance services,
database management, web analytics, payment processing, and improvement of the
Site’s features) or to assist us in analyzing how our Site and service are
used. These third parties have access to your Personal Information only for
purposes of performing these tasks on our behalf._

Why? Because lord knows where the heck your information is, and if some admin
from a company three steps removed gets his laptop stolen, it could come back
to haunt you.

~~~
GHFigs
In practical terms, I think that bit could be shortened to "Your stuff is on
S3."

~~~
run4yourlives
Yeah, but that's an issue in and of itself, from a business POV.

------
arashf
hi all, arash (from dropbox) here. as mentioned elsewhere in the discussion,
the terms are referring to contact information, not data.

~~~
dcurtis
From a purely legal standpoint, "some or all of its _assets_, including your
Personal Information," could be argued to include the user's data under
"assets."

That's not to say Dropbox would do that. But it probably would be nice to
explicitly say somewhere that you won't sell or give away the physical bits
that are uploaded to the service.

~~~
arashf
not exactly ;-)

pasted from terms:

Dropbox does not claim any ownership rights in Your Files. You acknowledge
that Dropbox does not have any obligation to monitor the Files or User Posts
that are uploaded, posted, submitted, linked to or otherwise transmitted using
the Site or Services, for any purpose and, as a result, is not responsible for
the accuracy, completeness, appropriateness, legality or applicability of the
Files or anything said, depicted or written by users in their User Posts,
including without limitation, any information obtained by using the Site or
Services. Dropbox does not endorse anything contained in the Files or User
Posts or any opinion, recommendation or advice expressed therein and you agree
to waive, and hereby do waive, any legal or equitable rights or remedies you
have or may have against Dropbox with respect thereto.

~~~
ced
_Dropbox does not claim any ownership rights in Your Files_

Do you need to claim ownership of something in order to "share" it with a
third party? (strictly legally speaking, of course)

The rest of the paragraph is just covering of _your_ back. This is fine, of
course, just not relevant to the point.

------
Harkins
You are overreating.

The second paragraph defines Personal Information to be information that
personally identifies you, like your name and contact info.

~~~
staunch
> _You are overreating._

That explains his weight gain. But what about this privacy issue?

------
Angostura
I wrote up a little blog entry about DropBox's place in the enterprise here:

[http://blog.infowranglers.com/blog/_archives/2008/9/16/38803...](http://blog.infowranglers.com/blog/_archives/2008/9/16/3880399.html)

I'm NOT a security or legal expert, but my concerns would be more about the
security of sensitive data, rather than concerns over the possible sale of
personal information (it's been a while, but I don't remember Dropbox asking
anything too intrusive.)

You cannot specify your own AES key, which might be a worry to some people.
The DropBox team suggest sharing encrypted disk images if this is an issue.

------
mattmaroon
Any sensitive data you should be encrypting anyway. I use TrueCrypt volumes
mounted inside Dropbox.

You never know when that nosy Arash might decide to load up your Quicken file
:)

------
FiReaNG3L
What the hell do the paranoids expect? 'In the case of a merger, acquisition,
etc, we will delete everything and start over, or ask personally to each of
our customers' ?

And as noted, Personal Information is the stuff you give them at registration.

Furthermore, please don't put extremely sensitive data somewhere on the cloud
with little to no protection. Common sense.

~~~
rapind
In short, yes. A little less extreme though would be to guarantee privacy and
security to all stored files, and should any changes occur to the current
policy, users should be notified and given the option to completely wipe all
of their data or continue using the service. That to me is common sense. Under
no circumstances should an acquisition impact the user's privacy and security.

As for encrypting data before it's uploaded. Sure, I mean if you believe their
target demographic is tech-savvy enough. Which probably means a small fraction
of their current users.

I think security in the cloud has to be a shared responsibility between
users and providers, for all cloud apps. Telling your users that it's their
sole responsibility is ridiculous and not very competitive... unless you're
releasing an open source offering to sysadmins. Technology has gotten so
confusing for the typical end user that of course they're not going to invest
the time to understand what cloud security even is, whether or not you believe
they should.

------
sanjayparekh
Personally, I use JungleDisk (which was recently acquired by Rackspace) to
encrypt all my data and back it up to Amazon (on my own S3 account, not
JungleDisk's). Sure, it costs more than Dropbox or Carbonite or other services
but it seems incredibly more safe and controllable to me.

On the other hand, I use Dropbox to synchronize non-sensitive files between my
machines. I never put anything on there that I'd be worried about being
published unprotected to the world.

------
dazzawazza
Backup the data in an encrypted form?

~~~
windsurfer
But that would largely eliminate most of DropBox's usefulness. A large part of
what makes DropBox attractive is its integration with the operating system.

~~~
newt0311
It is possible to integrate encryption seamlessly with Linux using dm-crypt
and OSX is basically BSD (darwin) below the UI so there should be something
there as well. As for Windows, I heard (somewhere, and with no substantiation)
that MS was working on a full disk encryption system. Then again, if you have
enough technical resources to set up a crypfs system on a Linux box, it should
be trivial to set up a fileserver on Amazon S3 or some other system so that's not
really a good solution.

I think that this highlights a general problem with web-based services. How do
you trust them to safeguard your data? It's hard enough when the software is
local on your own computer and you have contact with _some_ immediate physical
retailer but with the web, who knows?

Oh well... It's the old security vs. convenience problem again.

------
packetslave
encfs + Dropbox works quite well. I have my dropbox set to sync ~/.dropbox and
I mount an encfs on top of it as ~/Dropbox.

Since encfs is transparent and stores its results as plain old files, Dropbox
only has to sync individual updates.

~~~
josep
Very good solution, thanks! Does anyone know of something similar for Windows?

------
epe
It looks to me like "Personal Information" refers to just that, your personal
information (name, address, phone number, etc.), not the files you store in
your Dropbox. (IANAL)

------
gscott
I have found when users bring up this sort of thing it is because someone the
user wants to share with would prefer to use email and other forms of
communication other than your product and are grasping at straws to get the
person who is excited about it, not to use it. You can change the terms but it
will not do any good, they will look harder for another reason not to use it.

------
jmtulloss
I'm not sure if they do, but it would be cool if dropbox offered an encrypted
version of their service for people who are worried.

~~~
adoyle
If dropbox were to offer encryption, it would not make things more secure
since I'd have to hand them unencrypted bits.

If I were to store bits that need encryption on a service like this I would
encrypt them before I hand them off.

~~~
jmtulloss
Well they have a desktop client. They could easily encrypt it there.

The web client is a bit more of a problem, they would just have to promise to
encrypt it right away.

------
mynameishere
I would not trust any such service, frankly. I'm sure the people there are
very nice, but it only takes one bad employee. On the other hand, any secure
backup solution is going to involve encryption, even if you're putting DVDs in
a safe deposit box.

------
bbhoss-synsol
I think it's safe to say not to put anything on DropBox that you wouldn't lug
around on a flash drive. You probably shouldn't be transporting sensitive
information on your flash drive OR DropBox, and if you DO, you better be damn
sure it's encrypted.

------
ananon
damn.. it sure as hell sounds like it.. IP doesn't really apply to the data
you're hosting on their hardware does it now?

------
steffanwilliams
No. Yes. Yes.

Next question!

