Like most internet services, Dropbox was created because its founder — Drew Houston — couldn’t find a solution to a problem which satisfied his needs.
In Houston’s case, while he was a student at MIT, he found he consistently forgot the USB key containing his files, and the file-sharing services which were available in 2007 simply didn’t meet his needs, with problems like latency, buggy software and inability to handle big files among his major gripes.
And so Houston created Dropbox, a simple service which allows users to store files online while also syncing their files to folders on their PCs, laptops and smartphones. Users can share files with others and the whole service was free — at least for those without the need to store a huge amount of data.
Unsurprisingly it was a huge success, and almost a decade after it first launched Dropbox now has over half a billion users globally with 1.2 billion files uploaded to the service every single day by individuals as well as enterprise customers.
Some of the numbers associated with Dropbox are staggering, giving an idea of the amount of data the company stores — and is responsible for keeping safe: 35 billion Microsoft Office files are stored on Dropbox; it supports 20 different languages; and 4,000 file edits are made on Dropbox every single second.
With such a huge trove of data, security and privacy are obviously very important for the company and its users.
To help us understand how secure Dropbox’s service is, let’s first look at how the service operates.
How Dropbox Works
Dropbox’s promise to let you access your files wherever you are, and on whatever device you are using, is a hugely compelling selling point and it is all made possible thanks to the power of cloud computing.
Accessing Dropbox is done in a couple of ways. The first is through the Dropbox website, which allows you to view, upload and download files as well as share them with your family, friends and co-workers. Dropbox also has software which you can install on pretty much all desktop, tablet and smartphone operating systems. This allows you to easily add or remove files from your Dropbox account. When you place a new file in the Dropbox folder, it is uploaded to the central server and then synced with all the computers, tablets and smartphones that you have Dropbox installed on.
Even if your smartphone and PC are in the same room, any change made to your Dropbox folder is first sent to the server before all your other devices are updated.
How Does It Do Security?
This is what Dropbox says about security:
“At Dropbox, the security of your data is our highest priority. We have a dedicated security team using the best tools and engineering practices available to build and maintain Dropbox, and you can rest assured that we’ve implemented multiple levels of security to protect and back up your files.”
Sounds great, but what does it mean in reality?
Well, any time you have to send any of your information over the internet and put it on a remote server, you are automatically increasing your security risk.
To offset this, Dropbox encrypts all data in transit using Secure Sockets Layer (SSL)/Transport Layer Security (TLS) between Dropbox apps and its servers. This is designed to create a secure tunnel protected by 128-bit or higher Advanced Encryption Standard (AES) encryption.
The Dropbox software you install on your PC or smartphone creates a secure connection with the Dropbox servers, and because the data is encrypted there is no way for anyone who intercepts that information to read it while in transit.
When it reaches Dropbox’s servers, your data is encrypted with 256-bit AES, which is an industry recognised standard and which is almost impossible to crack without the encryption key.
The information is then synced with all your other devices, with the data again being sent over an encrypted channel. Once on your other devices the data is decrypted and stored on your PC or smartphone.
This all sounds pretty secure — and it is, to a point — but there are still some major concerns about Dropbox’s security.
Dropbox Security Issues
Despite all the talk of 256-bit AES encryption and claims that “the security of your data is our highest priority”, the fact remains that Dropbox has the ability to decrypt all your files and can view them whenever it wants — particularly if any law enforcement agency comes calling.
This leads to a number of security concerns for users. For example, if a Dropbox employee went rogue and decided to unlock all your secret files, they could — though it should be pointed out that only a very limited number of employees have access to the encryption keys needed to do this.
The fact that Dropbox stores all the encryption keys for its users means that hackers could potentially breach its systems and steal these very valuable pieces of information, though because Dropbox likely stores them in a very secure location, the likelihood of this happening is again small.
The real concern is that Dropbox can — if it wants to — disclose your information to a third party. The company has already stated that should a law enforcement agency come calling with a subpoena, it will willingly decrypt your data and hand it over.
This has led to some high-profile criticism of Dropbox. Former NSA contractor turned whistleblower Edward Snowden has not been shy about his disdain for Dropbox, calling it “hostile to privacy” and urging users to “get rid of it.”
“We’re talking about encryption,” Snowden said during a remote interview for the New Yorker Festival in 2014. “We’re talking about dropping programs that are hostile to privacy. For example, Dropbox? Get rid of Dropbox, it doesn’t support encryption, it doesn’t protect your private files.”
Houston responded by saying that Dropbox could offer better encryption but it is “a trade-off between usability/convenience and security. We offer people choice.”
Houston said that if Dropbox implemented “zero knowledge encryption” then services like search, access to third-party apps, seamless access to data from mobile devices and other features would be impeded.
- Data Retention – Users should be aware that when they are signing up, information like usernames, emails, addresses, phone numbers, credit card information and social network details are retained and stored by the company. This is common practice among almost all online businesses but users should still be aware of it.
- Deleting Your Account Doesn’t Necessarily Delete Your Data – While you can delete your account, Dropbox reserves the right to retain your data in order “to comply with our legal obligations, resolve disputes or enforce our agreements,” according to the company’s vague explanation. There may be several reasons for needing to retain your information, including if your data is tied up in legal obligations or disputes, but Dropbox’s policy wording leaves it open to interpretation — which is never a good thing when your data is involved.
- Sharing Personal Information – Dropbox makes it clear that it will never sell your personal information, but it has no problem sharing it with others. If you sign into your Dropbox account through a third-party app — say Facebook — then Dropbox will share your personal information with Facebook. Dropbox also shares your information with Amazon because it uses Amazon’s S3 service for storage and is required to hand over your details. It will also share your information if it thinks there is a danger to the company or its users, though it doesn’t define what these situations might be — but they are likely to be fraud or property theft. Finally, Dropbox will also hand over your personal information if it is sold or acquired by another company.
- Dropbox Knows Where You Are – It would be very easy for Dropbox to find out where its users are, simply by using GPS information from the devices the information is being sent from — but the company says it doesn’t do this as this would suggest it was monitoring users’ locations. What the company does do however is use data embedded in the files users are uploading (EXIF data in photos and videos) as well as using your IP address to get a rough estimate of where in the world you are located.
On the whole, while Dropbox does claim to make security and privacy a priority, it is clear that if you or your business want to use Dropbox to hide sensitive and valuable data, there are risks involved.
Luckily there are some steps you can take to make your content more secure.
1. Enable Two-Step Verification
A hugely powerful tool to prevent unauthorised access to your accounts, two-step verification (or two-factor authentication as it is also known) is available on most popular online services today, including the likes of Gmail and Facebook.
The feature allows you to request a code be sent to your smartphone every time someone tries to access your account from a new device.
To turn on the feature in Dropbox, click on the drop down menu in the top right-hand corner of your account’s home page and hit Settings.
This will open a new window and here you can hit the Security tab. You will see the status of two-step verification on your account and if it is disabled, then hit the “click to enable” link to set it up.
You will be asked to re-enter your account password during the set up process, and then you will be asked if you want your codes sent to your phone as a text message or to an app such as Google Authenticator.
You will then be asked to put in your phone number, and a code will be sent to make sure the system is working. Dropbox then asks for a backup number in case you lose your own phone. Finally Dropbox presents you with a list of 10 backup codes which you are meant to print out or write down and keep in a safe place.
Now you can click on the Enable Two-Step Verification button to finish the process.
If you have been using Dropbox for a long time and in that time you have changed PCs and smartphones several times, then you probably have a long list of linked devices — and it’s very easy to see them, when you last used them and to delist them.
In the same Security tab where you enabled two-step verification above, scroll down to see the Devices list. Here you will see the names of the devices you connected your Dropbox account to, where you used them and when you last accessed Dropbox on each device.
At the far right of the list you will see an ‘x’ which allows you to delink the device and make sure that if that device is used by anyone else they won’t automatically be able to access your account.
3. Check Web Sessions
If you are worried that your Dropbox account may have been compromised, then it is relatively easy to check.
On the same Security page, just above the list of linked devices, users can view their current web sessions, which show which browsers are currently logged into your Dropbox account. This list can put your mind at ease that no one else is logging into your account and can quickly show you where all the sessions are happening.
4. Manage Your Linked Apps
As mentioned above, when you sign into Dropbox through a third party app, the company shares your personal information with that app. Over time you may forget which apps you have given permission to access your Dropbox account and may have stopped using those apps altogether.
Towards the bottom of Dropbox’s security settings page you can view all the apps you have given permission to over the years and just as with de-listing trusted devices, you can easily revoke permission for any given app.
5. Set Up Email Notifications
If two-step verification is not enough of a safety net for you, then Dropbox does offer you the option of getting emails sent to your account whenever something changes, including logins from new devices or browsers, whenever new apps are given access or when a significant number of files are deleted.
Email notifications can be managed from the Profile panels of the Settings menu.
6. Use A VPN
While Dropbox may not be able to track your location precisely, it can still get a general sense of what part of the world you are in and, depending on how your IP address is assigned, could be able to pinpoint your location pretty accurately.
There is however an easy way around this. A virtual private network or VPN is a network of connected computers which creates an encrypted tunnel that re-routes your browsing to a server on the VPN network rather than a public server. This means Dropbox (or anyone else for that matter) won’t be able to see your real IP address. Check out our roundup of some of the best VPNs.
7. Use Your Own Encryption
One way to circumvent Dropbox’s ability to snoop on your data is to get there before them and encrypt all your own information before it is uploaded to Dropbox, meaning the company won’t have the encryption keys needed to unlock your files.
Boxcryptor is a free service which integrates with Dropbox and works on all major desktop and mobile platforms to allow you to encrypt data before it leaves your computer. The only problem is that because Boxcryptor has a “zero knowledge” approach to encryption, if you forget your password, then the company won’t be able to retrieve your data.
Here is a list of other free services that can be used for cloud encryption.
8. Use A Strong Password Or Password Manager
This is a piece of advice which is applicable to pretty much every single online service – use a strong password. This means using a combination of upper and lower case letters, numbers and symbols while avoiding reusing the same combination of characters from other services. Dropbox suggests using “non-standard uPPercasing, creative spelllling, personal slang, and non-obvious numbers and symbols (using $ for s or 0 for o is too obvious!).”
However, trying to remember a lengthy and unique password is a challenge, particularly if you have a different one for every service. This is where password managers come in. They will remember all your passwords for you and you will have to just remember a single password in order to access all your accounts.
Here is a comparison of some of the best password managers available at the moment, and an FAQ about using them.
If all these options are still not enough to convince you that Dropbox is secure, then there are alternatives available.
The one service Snowden has promoted in the past is called SpiderOak which basically promises all the same features as Dropbox but with the added benefit of not having the ability to see what files are stored on its servers — claiming as they do a “zero knowledge cloud solution.”
Another option is Sync.com, a Canadian based service which calls itself “the most private, most secure cloud storage service on the planet!”
On top of a zero knowledge approach, passwords are never transmitted to Sync and the company does not store passwords or password hashes during account creation, or when you log in.
E-Box is a UK-based cloud storage company and unlike Dropbox — which hosts everything on US-based servers — it has servers located in the UK which may be a significant benefit for UK or European companies. E-Box is entirely web-based meaning any device with an internet connection and a web browser can access it.
Image credit: “Mysterious box” by Blondinrikard Fröberg licensed under CC BY 2.0