If you have been a reader of this blog for any length of time, you’d know that I am a huge proponent of Dropbox.
However, Dropbox recently came under a lot of fire when they changed their terms of service to indicate that they have access to all the data stored by their users.
As with any cloud computing service, the convenience of accessing our data from anywhere comes at a price. The problem is that the average user doesn’t understand what that means. I just came across an excellent article by G.F. in The Economist that offers a perfect analogy for this situation.
CONSIDER the purchase of a home in two adjacent gated communities. Both have houses with truly impregnable locks. In one community, whenever you need to enter your house, you visit the management office and show your driving licence. A guard walks you to your home, and lets you in using the master key that opens every door lock in the community. You can stay inside indefinitely. If an employee misuses the key to wander into homes or, heaven forfend, a thief gets his hands on it, all bets are off—the households’ sanctity has been compromised.
In another community, the management requires that you privately choose your own lock and corresponding key, which you hang on to and use to enter your abode at will. But if you lose the key, or any copies you have made, you can never re-enter. It will remain a sealed edifice until the universe’s heat death. Which would you choose? The latter offers extreme privacy but with an unthinkable penalty for carelessness. The former is convenient, but there is the risk of the key falling into the wrong hands.
Dropbox security falls into the former category. And that’s the reason for all the recent privacy concerns around using the service.
Dropbox possesses the encryption key to every user’s cloud locker, as in the first sort of gated community. This is necessary, in its view, to provide simple web-based access to files and give multiple users shared access to the same directories. The company revised its website to reflect reality, and apologised, but it faces a complaint filed with the Federal Trade Commission (FTC) by researcher Chris Soghoian over this (and certain technical matters).
Dropbox oversimplified a few points related to security, favouring a brief explanation that was not entirely accurate. The most egregious of these statements claimed employees had no access to user data, only metadata. Its detractors say plainly that it lied, although this is hard to prove. Ever since the company was set up in 2007 Dropbox founders and employees told anyone who asked that it could, in fact, decrypt anything it liked.
I started out storing only non-confidential stuff in my Dropbox folders when the service was in beta. But the convenience of having my docs available wherever I needed them has enticed me into storing even some of my personal documents in Dropbox. This happened gradually over the years as I started to embrace the cloud culture of doing things online.
I am looking hard into Dropbox alternatives with ‘zero knowledge’ security to store my confidential stuff in the cloud. SpiderOak seems like a great alternative that falls into the second category in the analogy.
With SpiderOak, I get to choose my encryption key and only I can access the encrypted data I store on their servers. I will do a more detailed review on it as soon as I get a chance to try it.
While I will continue to use Dropbox for all my non-essential, not so confidential data for easy access in the cloud and across all my devices, I am going to complement it with a service like SpiderOak for my confidential stuff.
If you want to stick with Dropbox, consider using an encryption solution like TrueCrypt to secure your Dropbox data.
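The advice above (encrypt before the file reaches the synced folder, with a key only you hold) as an added example that is not part of the original post. It uses the OpenSSL command line as a stand-in for a tool like TrueCrypt; the function names, file names and sample contents are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSL 1.1.1+ (-pbkdf2).
# Function names, file names and sample contents are constructed.

# seal PASSFILE PLAIN OUT: encrypt locally, before the file enters the synced folder.
# The key is derived from the passphrase with PBKDF2 and a random salt; reading
# the passphrase from a file keeps it out of the process list.
seal() {
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -pass "file:$1" -in "$2" -out "$3"
}

# unseal PASSFILE IN OUT: decrypt a sealed file.
unseal() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass "file:$1" -in "$2" -out "$3" 2>/dev/null
}

# recovers PASSFILE SEALED ORIGINAL: true only if PASSFILE yields ORIGINAL again.
recovers() {
    _tmp=$(mktemp) || return 2
    if unseal "$1" "$2" "$_tmp" && cmp -s "$_tmp" "$3"; then _rc=0; else _rc=1; fi
    rm -f "$_tmp"
    return "$_rc"
}

# visible_to_provider STORED TEXT: true if TEXT can be read in the stored file.
visible_to_provider() {
    grep -q -F -e "$2" "$1"
}

# Note: openssl enc provides confidentiality only. It does not authenticate the
# ciphertext, so modification of the stored file is not reliably detected.

demo() {
    d=$(mktemp -d) || return 2
    printf 'constructed-passphrase-1\n' > "$d/pass"
    printf 'constructed-passphrase-2\n' > "$d/wrong"
    printf 'Passport no. X0000000 (constructed sample)\n' > "$d/doc.txt"
    seal "$d/pass" "$d/doc.txt" "$d/doc.txt.enc" || return 2
    visible_to_provider "$d/doc.txt.enc" 'X0000000' && echo "provider can read it" \
        || echo "provider sees only ciphertext"
    recovers "$d/pass" "$d/doc.txt.enc" "$d/doc.txt" && echo "right passphrase: recovered"
    recovers "$d/wrong" "$d/doc.txt.enc" "$d/doc.txt" || echo "lost passphrase: unrecoverable"
    rm -rf "$d"
}
demo
```

Only the `.enc` file belongs in the Dropbox folder; the passphrase file and the plaintext stay on the local machine.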
I highly encourage you to read this article in The Economist, which I have to credit for making me think hard about how I use the cloud.