Tuesday, June 7, 2011

Dropbox Drops the Ball on Data Security

Dropbox, a provider of cloud-based data storage services, is in hot
water over a complaint filed with the Federal Trade Commission alleging
that it lied to and intentionally deceived customers into believing that
their data is more private and secure than it really is. Whether Dropbox
was deliberately misleading or simply failed to communicate policy
changes clearly, the complaint illustrates the concerns that surround
online data security.

At issue are Dropbox's terms of service. The company previously stated
in those terms that "all files stored on Dropbox servers are encrypted
(AES-256) and are inaccessible without your account password." Since
then Dropbox has repeatedly modified the terms, backpedaling on exactly
how secure customer data is, and has sometimes put its foot in its
proverbial mouth.

Dropbox has been at least confusing, if not misleading, about just how
secure data really is.

After a few amendments, the terms now read, in effect, that Dropbox can
decrypt and view stored data, that it may do so to share information
with law enforcement when compelled, and that employees are prohibited
from abusing that access to view customer data.

According to encryption vendor Vormetric, the root of the Dropbox
scenario is that the keys used to encrypt and decrypt files are held by
Dropbox, not stored on each user's machine. Encryption at rest with
provider-held keys protects against someone who walks off with the
disks, not against the provider itself: anyone who can reach both the
stored ciphertext and the key, including a rogue employee, can read
customer files, and the only thing stopping them is policy. A file is
"inaccessible without your account password" only when the key is
derived from, or protected by, something the user alone holds.
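The key-custody point is easy to see in code. The Go program below is an added example, not Dropbox's, Vormetric's or the post author's code. Using AES-256-GCM from Go's standard library, it models both arrangements: a provider that encrypts uploads "at rest" under a service-wide key it holds (the arrangement described above), and a client that encrypts under a key that never leaves the user's machine and uploads only ciphertext. The Provider type, the file names and the sample document are constructed for illustration; the random user key stands in for a key that a real client would derive from the user's password.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// mustRandom returns n bytes from the OS CSPRNG; a failing CSPRNG is fatal.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcmFor wraps a key in AES-GCM; a 32-byte key selects AES-256.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext||tag: all the provider sees in the client-side model.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; GCM authentication turns a wrong key or missing blob into an error.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short (%d bytes)", len(sealed))
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Provider models the service (constructed): one service-wide key, as the post describes, plus uploads.
type Provider struct {
	key   []byte
	store map[string][]byte
}

// UploadPlaintext is the server-side model: the file arrives in the clear and is
// encrypted "at rest" under the provider's own key.
func (p *Provider) UploadPlaintext(name string, plaintext []byte) (err error) {
	p.store[name], err = seal(p.key, plaintext)
	return err
}

// InsiderRead models a rogue employee with access to the blobs and the provider's key.
func (p *Provider) InsiderRead(name string) ([]byte, error) {
	return open(p.key, p.store[name])
}

// Result records who could recover the document in each model.
type Result struct{ InsiderReadsServerSide, InsiderReadsClientSide, OwnerReadsClientSide bool }

// RunDemo stores one constructed document both ways and reports who can read it.
func RunDemo() (Result, error) {
	var r Result
	doc := []byte("Q3 forecast: constructed sample text, not a real document")
	p := &Provider{key: mustRandom(32), store: map[string][]byte{}}

	// Server-side: the provider holds the only key, so the insider reads the file.
	if err := p.UploadPlaintext("forecast.txt", doc); err != nil {
		return r, err
	}
	got, err := p.InsiderRead("forecast.txt")
	r.InsiderReadsServerSide = err == nil && string(got) == string(doc)

	// Client-side: the key is generated and kept on the user's machine; only
	// ciphertext is uploaded, so the provider's key is useless against it.
	userKey := mustRandom(32)
	sealed, err := seal(userKey, doc)
	if err != nil {
		return r, err
	}
	p.store["forecast-e2e.txt"] = sealed
	_, err = p.InsiderRead("forecast-e2e.txt") // wrong key: GCM tag check fails
	r.InsiderReadsClientSide = err == nil
	back, err := open(userKey, p.store["forecast-e2e.txt"]) // owner downloads, decrypts locally
	r.OwnerReadsClientSide = err == nil && string(back) == string(doc)
	return r, nil
}

func main() { fmt.Println(RunDemo()) }
```

Run it with go run: the insider recovers the server-side file, fails on the client-side file, and the owner still recovers its own. The trade-off a practitioner should keep in mind is that once the key is derived from something only the user holds, the provider can no longer recover the data for a user who forgets the password, nor de-duplicate identical files across accounts.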

Aaron Levie, co-founder and CEO of Dropbox rival Box.net, is a class
act. Rather than take advantage of the situation to kick Dropbox while
it's down, Levie gives his cloud competitor the benefit of the doubt.
"I think Dropbox has its users' best interests at heart, but probably
went a bit too far in the messaging. I believe they will rectify
this."

Levie did, however, stress the importance of data security as well.
"Broadly speaking though, security must be of critical importance to
any cloud service, and businesses should be absolutely certain they
can trust their provider--things like SAS 70 Type II certification,
encryption in transit and at rest, and extensive security controls for
users and IT should all be top of mind for enterprises looking to
leverage the cloud."

Dropbox is a popular online data storage service with over 25 million
users. I tend to side with Levie and assume that Dropbox doesn't have
any insidious or malicious ulterior motives. It seems that Dropbox has
perhaps been too fickle in trying to adapt its service and features to
improve performance and address concerns, but I doubt Dropbox meant any
harm.

That said, employees don't always follow policies, and the fact that
customers might believe their data is impenetrable while Dropbox
employees can in fact view it at will is more than a minor problem.

1 comment:

  1. File sharing products like Dropbox, OneDrive and Google Drive are made for consumers, not for business. When you start using them for your company you will discover that you miss some features. Therefore my company uses top virtual data room providers.
