Can Dropbox Be Trusted?
67 points by sant0sk1 on Dec 8, 2008 | 32 comments
My co-worker was reviewing Dropbox as an option for our company's file backup, sharing, and syncing and he came across this language in their privacy policy:

    Business Transfers. Dropbox may sell, transfer 
    or otherwise share some or all of its assets,
    including your Personal Information, in connection 
    with a merger,  acquisition, reorganization or 
    sale of assets or in the event of bankruptcy.
https://www.getdropbox.com/terms#privacy

Perhaps this is a question for a lawyer (maybe we have one reading HN...), but doesn't this give Dropbox too much freedom with my data? Would you still use their service with this policy in place? Am I overreacting??




The very fact that there is no explanation of how the storage is done in detail ought to make you worry. It certainly looks as if files are identified by their (cryptographic?) checksum across accounts even if those accounts are not sharing anything officially.

To do that, and to distribute that data from a single point means that someone other than you has a key to read those data. You will have to protect your data by encryption yourself before uploading.

Perhaps you should evaluate Tarsnap from http://www.tarsnap.com/ which is in public beta as of this writing. It provides a neat backup service and has a publicly readable/accessible description of what measures are taken to protect your data from adversaries. I have not tried it myself, but I happen to know that Colin Percival knows what he is doing.
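The deduplication concern in the comment above, as an added example (not part of the thread and not Dropbox's code): a constructed provider model that keys blobs by SHA-256 across accounts, run once with plaintext uploads and once with client-side encryption under per-user keys. `DedupStore`, the account names and the standard-library stand-in cipher are assumptions made for illustration.

```python
import hashlib
import hmac
import os

class DedupStore:
    """Constructed model: provider keys every blob by SHA-256, across all accounts."""
    def __init__(self):
        self.blobs = {}   # digest -> bytes, stored once for everyone
        self.owners = {}  # digest -> accounts that uploaded those exact bytes

    def upload(self, account, data):
        digest = hashlib.sha256(data).hexdigest()
        seen_before = digest in self.blobs
        self.blobs.setdefault(digest, data)
        self.owners.setdefault(digest, set()).add(account)
        return digest, seen_before

def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Stand-in cipher (HMAC-SHA256 in counter mode) so this runs on the standard
    # library alone; a real client would use a vetted AEAD such as AES-GCM.
    blocks = (len(data) + 31) // 32
    stream = b"".join(_prf(key, nonce + i.to_bytes(8, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt(key, plaintext):
    nonce = os.urandom(16)  # fresh per upload, so equal files never produce equal blobs
    body = _xor_stream(_prf(key, b"enc"), nonce, plaintext)
    return nonce + body + _prf(_prf(key, b"mac"), nonce + body)

def decrypt(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + body)):
        raise ValueError("blob was modified or the key is wrong")
    return _xor_stream(_prf(key, b"enc"), nonce, body)

def demo():
    doc = b"constructed sample: payroll export\n" * 4
    store = DedupStore()
    store.upload("alice", doc)
    digest, plain_hit = store.upload("bob", doc)  # provider can link both accounts
    linked = sorted(store.owners[digest])
    alice_key, bob_key = os.urandom(32), os.urandom(32)  # never leave the clients
    blob = encrypt(alice_key, doc)
    store.upload("alice", blob)
    _, enc_hit = store.upload("bob", encrypt(bob_key, doc))
    return plain_hit, linked, enc_hit, decrypt(alice_key, blob) == doc
```

With plaintext uploads the second account's upload is a deduplication hit and the provider holds readable bytes; with per-user keys the blobs differ, so the provider can neither link the accounts by content nor read the file.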


> I happen to know that Colin Percival knows what he is doing.

Thanks for the vote of confidence. :-)


Upvote because I want to see this discussion. Honestly, it seems to be a simple "If we get acquired we don't need to ask you for permission", but it does lean a little harsh.

I think though that if you're going to be storing say, customer CC info, you don't want to be using a service like dropbox regardless of their policies. I don't think they are the right choice - you should be handling the security of this information yourself, or use clauses like dropbox's yourself to remove liability.

As a business, this would be the more worrying clause though:

We may employ third party companies and individuals to facilitate our service, to provide the service on our behalf, to perform Site-related services (including but not limited to data storage, maintenance services, database management, web analytics, payment processing, and improvement of the Site’s features) or to assist us in analyzing how our Site and service are used. These third parties have access to your Personal Information only for purposes of performing these tasks on our behalf.

Why? Because lord knows where the heck your information is, and if some admin from a company three steps removed gets his laptop stolen, it could come back to haunt you.


In practical terms, I think that bit could be shortened to "Your stuff is on S3."


Yeah, but that's an issue in and of itself, from a business POV.


"... Upvote because I want to see this discussion. Honestly, it seems to be a simple "If we get acquired we don't need to ask you for permission", but it does lean a little harsh. ..."

Good point considering ValuesOfN (Stikkit & I want Sandy) and Pownce are shutting down leaving the users to gather up their data and find somewhere else to play. Contingency of service is something I'd be thinking about.


hi all, arash (from dropbox) here. as mentioned elsewhere in the discussion, the terms are referring to contact information, not data.


From a purely legal standpoint, "some or all of its assets, including your Personal Information," could be argued to include the user's data under "assets."

That's not to say Dropbox would do that. But it probably would be nice to explicitly say somewhere that you won't sell or give away the physical bits that are uploaded to the service.


not exactly ;-)

pasted from terms:

Dropbox does not claim any ownership rights in Your Files. You acknowledge that Dropbox does not have any obligation to monitor the Files or User Posts that are uploaded, posted, submitted, linked to or otherwise transmitted using the Site or Services, for any purpose and, as a result, is not responsible for the accuracy, completeness, appropriateness, legality or applicability of the Files or anything said, depicted or written by users in their User Posts, including without limitation, any information obtained by using the Site or Services. Dropbox does not endorse anything contained in the Files or User Posts or any opinion, recommendation or advice expressed therein and you agree to waive, and hereby do waive, any legal or equitable rights or remedies you have or may have against Dropbox with respect thereto.


> Dropbox does not claim any ownership rights in Your Files

Do you need to claim ownership of something in order to "share" it with a third party? (strictly legally speaking, of course)

The rest of the paragraph is just covering of your back. This is fine, of course, just not relevant to the point.


You might want to rewrite the terms to clarify that. I don't personally see a problem with them, but a few days ago I suggested that someone use dropbox in order to send me some files (the freebsd.org mailserver was returning a "550 5.7.1 Microsoft Executable detected" error), but he replied that he was "scared of the dropbox EULA" and that it "seemed too broad".


You are overreating.

The second paragraph defines Personal Information to be information that personally identifies you, like your name and contact info.


> You are overreating.

That explains his weight gain. But what about this privacy issue?


I wrote up a little blog entry about DropBox's place in the enterprise here:

http://blog.infowranglers.com/blog/_archives/2008/9/16/38803...

I'm NOT a security or legal expert, but my concerns would be more about the security of sensitive data, rather than concerns over the possible sale of personal information (it's been a while, but I don't remember Dropbox asking anything too intrusive.)

You cannot specify your own AES key, which might be a worry to some people. The DropBox team suggest sharing encrypted disk images if this is an issue.


Any sensitive data you should be encrypting anyway. I use TrueCrypt volumes mounted inside Dropbox.

You never know when that nosy Arash might decide to load up your Quicken file :)


What the hell do the paranoids expect? 'In the case of a merger, acquisition, etc, we will delete everything and start over, or ask personally to each of our customers' ?

And as noted, Personal Information is the stuff you give them at registration.

Furthermore, please don't put extremely sensitive data somewhere on the cloud with little to no protection. Common sense.


In short, yes. A little less extreme though would be to guarantee privacy and security to all stored files, and should any changes occur to the current policy, users should be notified and given the option to completely wipe all of their data or continue using the service. That to me is common sense. Under no circumstances should an acquisition impact the user's privacy and security.

As for encrypting data before it's uploaded. Sure, I mean if you believe their target demographic is tech-savvy enough. Which probably means a small fraction of their current users.

I think security in the cloud has to be a shared responsibility between users and providers, for all cloud apps. Telling your users that it's their sole responsibility is ridiculous and not very competitive... unless you're releasing an open source offering to sysadmins. Technology has gotten so confusing for the typical end user that of course they're not going to invest the time to understand what cloud security even is, whether or not you believe they should.


Personally, I use JungleDisk (which was recently acquired by Rackspace) to encrypt all my data and back it up to Amazon (on my own S3 account, not JungleDisk's). Sure, it costs more than Dropbox or Carbonite or other services but it seems incredibly safer and more controllable to me.

On the other hand, I use Dropbox to synchronize non-sensitive files between my machines. I never put anything on there that I'd be worried about being published unprotected to the world.


Back up the data in an encrypted form?


But that would largely eliminate most of DropBox's usefulness. A large part of what makes DropBox attractive is its integration with the operating system.


It is possible to integrate encryption seamlessly with Linux using dm-crypt and OSX is basically BSD (darwin) below the UI so there should be something there as well. As for Windows, I heard (somewhere, and with no substantiation) that MS was working on a full disk encryption system. Then again, if you have enough technical resources to set up a crypfs system on a linux box, it should be trivial to set up a fileserver on Amazon S3 or some other system so that's not really a good solution.

I think that this highlights a general problem with web-based services. How do you trust them to safeguard your data? It's hard enough when the software is local on your own computer and you have contact with some immediate physical retailer but with the web, who knows?

Oh well... It's the old security vs. convenience problem again.


encfs + Dropbox works quite well. I have my dropbox set to sync ~/.dropbox and I mount an encfs on top of it as ~/Dropbox.

Since encfs is transparent and stores its results as plain old files, Dropbox only has to sync individual updates.


very good solution, thanks! anyone know of something similar for Windows?


It looks to me like "Personal Information" refers to just that, your personal information (name, address, phone number, etc.), not the files you store in your Dropbox. (IANAL)


I have found when users bring up this sort of thing it is because someone the user wants to share with would prefer to use email and other forms of communication other than your product and are grasping at straws to get the person who is excited about it, not to use it. You can change the terms but it will not do any good, they will look harder for another reason not to use it.


I'm not sure if they do, but it would be cool if dropbox offered an encrypted version of their service for people who are worried.


If dropbox were to offer encryption, it would not make things more secure since I'd have to hand them unencrypted bits.

If I were to store bits that need encryption on a service like this I would encrypt them before I hand them off.


Well they have a desktop client. They could easily encrypt it there.

The web client is a bit more of a problem, they would just have to promise to encrypt it right away.


I would not trust any such service, frankly. I'm sure the people there are very nice, but it only takes one bad employee. On the other hand, any secure backup solution is going to involve encryption, even if you're putting DVDs in a safe deposit box.


I think it's safe to say not to put anything on DropBox that you wouldn't lug around on a flash drive. You probably shouldn't be transporting sensitive information on your flash drive OR DropBox, and if you DO, you better be damn sure it's encrypted.


damn.. it sure as hell sounds like it.. IP doesn't really apply to the data you're hosting on their hardware does it now?


No. Yes. Yes.

Next question!



