Dropbox airs some dirty laundry with their latest TOS update.
Dropbox continues to be a poster child for its Y Combinator parents, but today they may rethink using that poster. Dropbox updated its TOS today to take into account a recent government mandate: if subpoenaed by the government, Dropbox will turn over all your files, unencrypted.
Blogger Miguel de Icaza describes the issue with this in his recent blog post. Dropbox is not supposed to have access to your files, nor should anyone else. Per the Dropbox website:
• All transmission of file data occurs over an encrypted channel (SSL).
• All files stored on Dropbox servers are encrypted (AES-256).
• Dropbox employees aren’t able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc., not the file contents).
Clearly someone at Dropbox has the access needed to comply with the new regulation, and I’m honestly unsurprised. For years people have been able to log into their personal Dropbox portal and download files synced to Dropbox, unencrypted, without any special add-ons or clients. That means the web server is able to decrypt the files before sending them, which in turn means some automated process has access to the files if need be.
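The reasoning above, as an added example that is not from the original post or from Dropbox: a sketch contrasting a store that holds the encryption key itself with one that only receives client-encrypted bytes. The class and function names are hypothetical, the sample file is constructed, and the cipher is a stdlib stand-in (an HMAC-SHA256 keystream), not AES-256.

```python
import hashlib, hmac, secrets

SAMPLE_DOC = b"constructed sample: contents of a private file"

def keystream_xor(key, nonce, data):
    """Stand-in stream cipher (HMAC-SHA256 in counter mode), NOT AES-256 and
    unauthenticated; it only keeps this illustration stdlib-only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

class ProviderKeyStore:
    """Hypothetical service that encrypts at rest with a key it holds itself."""
    def __init__(self):
        self._key = secrets.token_bytes(32)   # lives on the provider's side
        self._blobs = {}
    def upload(self, name, plaintext):
        nonce = secrets.token_bytes(16)
        self._blobs[name] = (nonce, keystream_xor(self._key, nonce, plaintext))
    def web_download(self, name):
        # The web portal decrypts before sending, so no client-side key is needed.
        nonce, ct = self._blobs[name]
        return keystream_xor(self._key, nonce, ct)
    def provider_export(self, name):
        # Any internal process can take the same path without the user.
        return self.web_download(name)

class ClientKeyStore:
    """Hypothetical service that only ever receives already-encrypted bytes."""
    def __init__(self):
        self._blobs = {}
    def upload(self, name, blob):
        self._blobs[name] = blob
    def provider_export(self, name):
        return self._blobs[name]              # ciphertext is all it has

def client_encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)
    return nonce + keystream_xor(key, nonce, plaintext)

def client_decrypt(key, blob):
    return keystream_xor(key, blob[:16], blob[16:])

def demo():
    a, b, user_key = ProviderKeyStore(), ClientKeyStore(), secrets.token_bytes(32)
    a.upload("doc", SAMPLE_DOC)
    b.upload("doc", client_encrypt(user_key, SAMPLE_DOC))
    return a.provider_export("doc"), b.provider_export("doc"), client_decrypt(user_key, b.provider_export("doc"))
```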
We’re hoping Dropbox clears this up quickly, but in the meantime, I’d recommend checking out SugarSync. Dropbox still wins in security as it encrypts files before transmission, but overall SugarSync is cheaper, has more features, and is just as fast.