When you absolutely, positively have to keep people from being able to look at your data, what do you do? Last week a number of people were surprised to find out that the popular cloud storage site Dropbox, which had advertised itself as encrypting its data so thoroughly that even its employees couldn’t look at it, actually could decrypt data after all — if required to do so by U.S. law enforcement.
“As set forth in our privacy policy, and in compliance with United States law, Dropbox cooperates with United States law enforcement when it receives valid legal process, which may require Dropbox to provide the contents of your private Dropbox,” the company said in a rewrite of its terms of service. “In these cases, Dropbox will remove Dropbox’s encryption from the files before providing them to law enforcement.”
Dropbox made a point of telling Steve Kovach at Business Insider, who broke the story, that this was a rephrasing of its terms of service, not a change in policy. “The TOS update was merely a clarification for users, not a policy update,” the company said.
Dropbox also pointed out that it wasn’t alone in this. “It is also worth noting that all companies that store user data (Google, Amazon, etc.) are not above the law and must comply with court orders and have similar statements in their respective terms of service.”
A number of articles about the incident concurred with this, including Business Insider’s. “This is nothing groundbreaking, but Dropbox has updated its security Terms of Service to say that if the government asks, they will have to decrypt user’s files and turn them over. That’s standard practice for any online storage service from Gmail to Amazon”.
But Business Insider went on to say, “and shouldn’t affect the average user unless they’re doing something wrong.”
That’s where it gets sticky.
Several other articles on the subject made similar comments. “In the meantime, don’t go doing anything that’ll get you in so much trouble that the G-Men need to decrypt your email or cloud storage,” said David Gerwitz of ZDNet, whose article headline, “If you have something to hide from the government, don’t use Dropbox” also implied that only those who had something to hide should be concerned. “Ok, so no worries–so long as you’re not doing anything wrong, you should be fine,” agreed Sarah Jacobsson Purewal of PC World. Comments in the PC World story went so far as to say that the only people who would be concerned about this would be pedophiles.
Really?
Recall that in 2005, the New York Times revealed that the National Security Agency was monitoring telephone calls, without warrants, of domestic callers. A few months later, USA Today revealed that this was going on with the cooperation of a number of telephone companies, including AT&T, Verizon, and Bell South.
“[T]o say that only the “guilty” have any reason to care about privacy shows a dangerous lack of awareness of how easy it is to violate some law or regulation and thereby become “guilty” yourself,” says William Morriss, a Senior Associate patent attorney of Frost Brown Todd, writing in the Ephemeral Law blog. “Even worse, when the government goes about collecting enormous amounts of data without having to justify itself and without any oversight, there will inevitably be false positives which have the potential to literally ruin someone’s life.”
The one solution Dropbox has to offer is that users can encrypt their own files before upload them to a data storage service like Dropbox — so that if the data storage service decrypts stored files, they continue to be encrypted, which only the user can decrypt. “Dropbox does not discriminate between the types of files stored in your Dropbox nor the applications used to open those files. This means you can use your own software encryption methods, such as third-party encryption software, to keep your files secure on your terms,” the company’s Terms of Service said.
However, it doesn’t say exactly how one goes about finding or using third-party encryption software. Moreover, there are those who fear that any encryption software — unless it’s open source, where people can examine it — could have a “back door” that would allow government agencies to decrypt it without user assistance. Attempts have been made, and continue to be made, to require such a back door. Some people, consequently, are sticking with “better safe than sorry” and using only open source encryption software. Unfortunately, this goes beyond the area of “easy to use” for the average — law-abiding — user.