Dropbox Revises Terms of Service After Security Debacle

Not too long ago we covered Dropbox's security lapse, during which time users' data was available to anyone for about four hours. Now, in an effort to mend broken digital relationships, Dropbox has revised its terms of service, privacy policies and security overview to be more transparent and remove near-incoherent "legalese." Here's what you should know ...

Dave Courbanou

July 5, 2011

3 Min Read
Channel Futures logo in a gray background | Channel Futures

Not too long ago we covered Dropbox’s security lapse, during which time users’ data was available to anyone for about four hours. Now, in an effort to mend broken digital relationships, Dropbox has revised its terms of service, privacy policies and security overview to be more transparent and remove near-incoherent “legalese.” Here’s what you should know …

On July 1, 2011, the official Dropbox blog noted the company e-mailed every user about its service changes, including the aforementioned legalese reduction, but there’s more. Dropbox also made it more transparent in how it handles encryption: yes, the company handles users’ encryption keys, but that doesn’t mean users can’t add their own encryption. Dropbox has now spelled out exactly how it handles the encryption keys and how users can enhance the security of their data by using their own encryption on top of it.

Dropbox now also discloses what happens to users’ data after they delete a file or their account entirely. “[W]e try to delete your data quickly,” according to the blog, but there are “rare” exceptions where it can’t, and the company has detailed every last one of those in the updated privacy policy.

The descriptions of how Dropbox uses users’ location data and how and where Dropbox logs users’ access is more detailed, and Dropbox also has clarified its de-duplication practices, which long have been the topic of discussion because of both their efficiency and the controversial way the technology works. For example, if a user uploads a file such as “PopularMovie.avi” and another Dropbox account already has a file with the same name, that file will instantly become available to the user without any real need to upload the file, since Dropbox has pulled it from another account already. So where’s the controversy? A proof of concept hack on Dropbox’s de-dupe technology dubbed Dropship proved that a user could conceivably “spoof” a file to Dropbox, forcing Dropbox to download the real file, all without  having the real file in the first place. Dropbox has since patched this hole, though the basic de-dupe method is still carried out now with more encryption methods in place. Thus, Dropbox has updated its privacy policy details to clarify its de-dupe practices.

Lastly, Dropbox updated its mobile apps to ensure encryption of data over the air, and has now made it clear when mobile media cannot be encrypted.

What can the channel take from Dropbox’s moves? Both cloud providers, customers and resellers alike may want to brush up on their terms of service contracts when deploying and/or buying a cloud backup solution. Cloud service users should be smart on how their data is used and how a service provider handles the data once the relationship is terminated. While a cynic could say that Dropbox is sprucing up its ToS to mitigate legal action from the last mixup, others may see this move as Dropbox pioneering more transparency for a controversial and hot-button topic that is privacy in the cloud.

Either way, take Dropbox’s rise and fall (or stumble) as a cautionary tale for the future of cloud data solutions.

Sign up for The VAR Guy’s Weekly Newsletter, Webcasts and Resource Center. Follow The VAR Guy via RSS, Facebook and Twitter. Follow experts at VARtweet. Read The VAR Guy’s editorial disclosures here.

Read more about:

AgentsMSPsVARs/SIs
Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like