Most terms of service (TOS) changes go unnoticed, but when Dropbox changed its TOS to say it'd provide files to the government people took notice. According to Dropbox's CTO, this is nothing new. But it does raise questions about Dropbox's security and privacy.
By email, Arash Ferdowsi says that the TOS update "was merely a clarification for our users, not a policy update" and says "we will fight vigorously for user privacy."
What prompted the update? Ferdowsi says that with its rapid growth, Dropbox has "gotten an increasing number of questions from users about how we do this [comply with law enforcement officials]." Thus the update was just Dropbox's way of explaining how it would do this.
The how is the big problem, though. As Miguel de Icaza points out on his blog, Dropbox has always claimed its employees are unable to access files. According to Dropbox's Web site, "Dropbox employees aren't able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc., not the file contents)." The site also goes on to say that Dropbox uses "the best tools and engineering practices available to build our software, and we have smart people making sure that Dropbox remains secure." (Emphasis mine.)
However, the disclosure that Dropbox will provide files to U.S. law enforcement if required indicates that Dropbox employees can actually access files. Ferdowsi confirms this, saying "Every Dropbox employee understands that the most important value of the company is maintaining users' trust. Employees are prohibited by company policy from accessing users' files and there are technical access controls to prohibit unauthorized access by employees. As with almost every other online company, there are a limited number of employees who may access user data when legally required to do so, and to help troubleshoot users' accounts with their consent."
There's a huge difference between employees being unable to access files, and "technical access controls" and policies against doing so. This is not to say that I have any reason to believe that Dropbox employees ever do peek in on files — but if they did, it wouldn't be the first time that a company's employees violated policies and "technical access controls" either.
How often does Dropbox access files legitimately? At the request of law enforcement, Ferdowsi says it's very rare. "Dropbox has over 25 million users and has received an average of only one law enforcement request for data per month over the last year. Each of those requests was targeted to specific individuals who were the subjects of criminal investigations. When requests come in, they are vetted by our legal team to ensure compliance with relevant laws."
Truth in advertising, alternatives, and reality
At least one writer, that I won't dignify with a link, threw out the mind-bogglingly stupid idea that this only matters "if you're doing something wrong." Users have the right to know whether a service is absolutely private, or merely likely to be private.
The odds are, Dropbox's employees are not combing through your files. It's extremely unlikely that your data will be subject to a search by law enforcement — but that doesn't mean that it can't happen, which is what is strongly suggested by Dropbox's current language. The company needs to be more explicit, beyond the TOS update, in how files can be decrypted, by who and when.
If you're a Dropbox customer and find the change unacceptable, Ferdowsi did say that the company would provide refunds — though "we're not expecting users to cancel over a clarification in our TOS. We've always complied with federal law and that has always been articulated in our TOS."
Ferdowsi also says that the company has always complied with court orders, and that "Google, Amazon, and all other companies that store user data are not above the law... and as such have similar statements in their terms."
All true — but what Ferdowsi isn't addressing is that these services are not constructed in such a way as to be totally secure. Dropbox could set its service up in such a way that it would be unable to comply with requests to decrypt files for law enforcement, like SpiderOak. SpiderOak claims a "zero-knowledge" privacy approach, which means that the service can't decrypt files and provide them if asked. Of course, this also means that if you forget your passphrase, you're hosed — because they can't tell you that either.
If you're looking for complete, total privacy — you need to take encryption into your own hands. For many users, Dropbox's security is "good enough." But if you're particularly paranoid, privacy conscious, or actually are doing something wrong — Dropbox may not be for you.