
Monday, May 16, 2011

DropBox Not As Secure As Thought?


By: Kareem Ali

The Federal Trade Commission is after DropBox for apparently lying to its customers about how safe, secure and encrypted their data is on the service.

The problem seems to stem from DropBox not being entirely forthcoming in its terms of service. DropBox has changed its terms of service since its release. That is not usually a big deal, except that in this case they’ve made some pretty serious changes pertaining to security that could affect the way people use the service, or whether they use it at all.

Originally DropBox claimed that its service would store your data in an encrypted fashion and that the keys to that encryption were only accessible to those who had your login information. This presumably meant that a user had the keys to their drop box on their machine, safely behind all their own security and away from prying eyes.

The changes DropBox made now state that they (DropBox) can access and view your encrypted data, and that they’re willing to give it to law enforcement (no word on if they charge or are giving it away for free like MySpace used to) if asked. Not only that, but DropBox employees also hold the keys to your encryption and have access to all your data as well. DropBox did say, however, that employees are prohibited from viewing your data, so I guess that’s something.

This could be a mistake on DropBox’s part. Cloud storage is pretty new and kind of a touchy security thing. The biggest mistake they seem to have made here is allowing themselves access to the encryption keys at all. The keys should be stored on users’ machines and only pass through DropBox’s servers, never be stored there. If an employee were to go ‘bad’ and steal or delete a bunch of user data, that could cost the company millions in downtime. Not to mention that if their servers were hacked, the attacker could get not only users’ login information, but also the encryption keys to all their files.

There are better solutions to security when it comes to cloud storage. I’m not an expert by any means in this field, so I can’t say what those are exactly, but I’m sure most DropBox users are hoping that this was just an oversight on the company’s part and that they’ll implement a better, more secure system soon.

All this will be settled in court soon. If the FTC gets its way, DropBox’s TOS will have to reflect the truth and let all its users know exactly who can see their data.


Source: Wired
