Well, the other Dropbox shoe has, uh, dropped. In response to last month’s revelation that the Dropbox file sharing service can’t actually promise to keep your files secure, but can look at them and will turn them in to law enforcement if requested, a researcher has filed a complaint with the Federal Trade Commission claiming deceptive practices.
The complaint was filed on May 11 by Christopher Soghoian, who was a busy boy this month; as you may recall, he also hit the front pages by breaking the story on May 3 of an unknown perpetrator, which turned out to be Facebook, attempting to smear Google with privacy accusations.
It turns out that the whole reason Dropbox changed its privacy policy and brought up the issue of law enforcement in the first place was due to Soghoian, who did some research on encryption, deduplication, and how Dropbox saves storage space. As it happens, it checks to see whether it already has the file being uploaded, and, if so, puts in just a pointer to it in the new user’s space. Very efficient.
The problem is, that’s something someone else can see, too. They can upload a file, and, if much less data transmits than the file size, they know it’s a file Dropbox already has. This is where law enforcement comes in. Writes Soghoian:
What this means, is that from the comfort of their desks, law enforcement agencies or copyright trolls can upload contraband files to Dropbox, watch the amount of bandwidth consumed, and then obtain a court order if the amount of data transferred is smaller than the size of the file.
Last year, the New York Attorney General announced that Facebook, MySpace and IsoHunt had agreed to start comparing every image uploaded by a user to an AG supplied database of more than 8000 hashes of child pornography. It is easy to imagine a similar database of hashes for pirated movies and songs, ebooks stripped of DRM, or leaked US government diplomatic cables.
Do you see how this is even worse than simply Dropbox having to cough up a specific user’s data upon request from law enforcement? Law enforcement can now say, we *know* you have this data online, *you* tell *us* who has it.
And think of how this would play with the new PROTECT-IP bill that’s being proposed, which would let a third party shut down a site for having a copy of its intellectual property: Viacom, say, uploads a copy of a movie it suspects is available on Dropbox, finds it’s already there, demands to know who it owns it, and then shuts down that company’s site — potentially all without ever getting a warrant, because if Dropbox won’t tell, Viacom can shut *it* down for having a copy of the file. And if Dropbox gets shut down, what happens to all its other, innocent users’ files?
Moreover, Soghoian writes in his complaint, users now run the risk of having either rogue employees or hackers breaking into the Dropbox system to steal files and the stored keys that enable the company to decrypt and deduplicate files.
Recent high profile data breaches experienced by RSA, 32 Comodo, and Lastpass demonstrate that hackers are increasingly sophisticated, and are now seeking out high‐value infrastructure targets that can deliver more than just a few million credit card numbers.
(Oddly, Soghoian doesn’t list Epsilon as one of his examples, the electronic mail service bureau that was broken into in March in a data breach, the costs of which could eventually reach $3 to $4 billion.)
Soghoian’s not asking for much in return: Just that Dropbox tell people they can decrypt files, by emailing all its users rather than just changing its terms of service, make Dropbox give their money back to anybody who wants it, and never, ever to do it again.
While Dropbox has responded to the basic facts of the complaint in its blog, it hasn’t addressed the security hole associated with law enforcement or other data owner being able to tell what’s already on the service by sending another copy of it up.
Between this and Facebook/Google, one wonders what Soghoian’s going to do for an encore.