Dropbox – Federal Trade Commission (FTC) Request for Investigation and Complaint for Injunctive Relief

May 11, 2011

The Facts:

A written complaint was made on May 11, 2011 to the FTC regarding Dropbox, by Christopher Soghoian, a Washington, D.C. based Graduate Fellow at the Center for Applied Cybersecurity Research at Indiana University, and a Ph.D. Candidate in the School of Informatics and Computing at Indiana University.

Summary of the FTC Complaint:

1. Dropbox has prominently advertised the security of its “cloud” backup, sync and file sharing service, which is now used by more than 25 million consumers, many of whom “rely on Dropbox to take care of their most important information.”

2. Dropbox does not employ industry best practices regarding the use of encryption technology. Specifically, Dropbox’s employees have the ability to access its customers’ unencrypted files.

3. Dropbox has and continues to make deceptive statements to consumers regarding the extent to which it protects and encrypts their data.

4. Dropbox’s customers face an increased risk of data breach and identity theft because their data is not encrypted according to industry best practices.

5. If Dropbox disclosed the full details regarding its data security practices, some of its customers might switch to competing cloud based services that do deploy industry best practices regarding encryption, protect their own data with 3rd party encryption tools, or decide against cloud based backups completely.

6. Dropbox’s misrepresentations are a Deceptive Trade Practice, subject to review by the Federal Trade Commission (the “Commission”) under section 5 of The Federal Trade Commission Act.

In-depth:

There have been numerous articles this week related to this FTC complaint, and Dropbox has responded on their corporate blog with a large number of comments.
The articles and comments reduce to the following major points:

· Belief by some users and security professionals that Dropbox was lying about access to user files and then tried to cover up their lies - not good PR
· Counter-accusation by other users that anyone believing data stored in the cloud is secure is naive
· Recommendation that anyone who cares about security should be using encryption
· Recommendation that those concerned about security shouldn't give responsibility for their data to someone else or put sensitive data in the cloud
· Realization that security often comes at the expense of ease of use - i.e. handling of private keys

In addition, the following less than desirable features of Dropbox have surfaced in the discussion of the FTC complaint:

1) Dropbox employs de-duplication for its file syncing to reduce the amount of storage required. If a file already exists on Dropbox, due to a previous upload by any user, then the file is not uploaded again. The de-duplicating of data by Dropbox is akin to sharing files across customers. This also means that, by inspecting the bandwidth consumed while a file is uploaded, it is possible to deduce whether that file is already on the system. Accellion does not de-duplicate data.

2) The second concern is the use by Dropbox of the same key for encrypting all files on the system. They do mention that they will in future allow users to use their own private keys to upload data, but that means that sharing data with others or even viewing it over the web will not be possible.

Accellion Position on Security Concerns related to FTC Complaint on Dropbox

Accellion’s position on the security concerns raised in relation to Dropbox is as follows:

· There is a difference between consumer and enterprise-grade solutions in terms of the features they provide for protecting enterprise data. Dropbox is consumer-grade, Accellion is enterprise-grade.
· At Accellion we take data security seriously and we provide our customers with a wide choice of enterprise features to choose from to balance information security needs with ease of use.
· Customers can choose to completely manage their Accellion deployment, with no visibility to Accellion of the system or any files, via our virtual private cloud or physical or FIPS deployment options.
· Alternatively, customers can choose the Accellion public hosted cloud service, in which case they choose to authorize Accellion to perform management functions and provide the necessary access or permissions - we leave it to the customer to choose.
· In addition, customers can choose what privileges to provide to their users in terms of security, i.e. encryption or no encryption of files.

Access to customer files:

· On virtual, physical, FIPS and Amazon Cloud appliances managed by the customer, the administrator can shut off all access by Accellion to the system, meaning Accellion has no access to customer files.
· For the Accellion hosted service, the customer authorizes Accellion as an administrator of the system. Administrator privileges include access to the appliance, user accounts and files, except those that are encrypted – these files can only be decrypted if the original link in the e-mail is clicked. A very limited number of Accellion employees are authorized with administrative privileges to customer deployments for initial setup, ongoing management and support.

Encryption Support:

· Accellion provides AES 128-bit encryption of files. Accellion file encryption can be switched on or off by either the administrator or an expert user of the Accellion system. The decryption key is not stored on the Accellion Appliance - a file can only be decrypted if the original link in the e-mail is clicked.
· Accellion disk encryption - works for all files and ensures any data on discarded/offline disks is encrypted.
· Accellion file encryption is available for secure file transfers.
· Accellion does not offer file encryption for files stored in secure workspaces because of the added complexity of managing and distributing public/private keys that significantly impacts ease of use. In order to use encrypted files in the workspace the user would need to upload a public encryption key to the server and distribute a private key to all others who need to access the file. When the file is uploaded the server encrypts it immediately with the public key. Any user wishing to download the file has to download the file and decrypt it offline using the private key.

Call to Action:

· Review the information provided here so that you can respond to any questions from current or prospective customers on the security concerns raised in the FTC complaint of Dropbox.
· If a current or prospective customer is considering or currently using Dropbox you should let them know about the FTC request for Investigation and Complaint for Injunctive Relief – also point out how Accellion addresses the security concerns raised and how this illustrates the difference between a consumer and enterprise-grade solution.
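
The de-duplication concern in item 1) above, modelled as an added example (not code from Dropbox, Accellion or the original page): a toy in-memory sync server compared under three policies, showing when one user's upload cost reveals another user's file and what the alternatives cost in storage. `SyncStore`, the `per_user` policy and the sample document are constructed assumptions; `global` follows the page's description of cross-user de-duplication and `none` its statement that Accellion does not de-duplicate.

```python
import hashlib

class SyncStore:
    """Toy sync server (constructed model, not any vendor's implementation)."""

    def __init__(self, policy):
        if policy not in ("global", "per_user", "none"):
            raise ValueError(policy)
        self.policy = policy
        self.blobs = {}  # index key -> stored file bytes

    def upload(self, user, data):
        """Store data for user; return how many file bytes the client sent."""
        digest = hashlib.sha256(data).hexdigest()
        if self.policy == "global":
            key = digest                  # one index shared by all accounts
        elif self.policy == "per_user":
            key = (user, digest)          # index scoped to the uploader
        else:
            key = (user, digest, len(self.blobs))  # never matches: no dedup
        if key in self.blobs:
            return 0                      # server has it, body is skipped
        self.blobs[key] = data
        return len(data)

    def stored_bytes(self):
        return sum(len(b) for b in self.blobs.values())


def existence_leaks(policy, document):
    """True if bob's upload cost depends on whether alice stored the file."""
    with_alice = SyncStore(policy)
    with_alice.upload("alice", document)
    without_alice = SyncStore(policy)
    return (with_alice.upload("bob", document)
            != without_alice.upload("bob", document))


SAMPLE = b"constructed sample document " * 100  # 2800 bytes, made up

def summary():
    """Per policy: (does existence leak?, bytes stored for two users)."""
    result = {}
    for policy in ("global", "per_user", "none"):
        store = SyncStore(policy)
        store.upload("alice", SAMPLE)
        store.upload("bob", SAMPLE)
        result[policy] = (existence_leaks(policy, SAMPLE), store.stored_bytes())
    return result

if __name__ == "__main__":
    for policy, (leaks, size) in summary().items():
        print(f"{policy:9} leaks_existence={leaks} stored_bytes={size}")
```

Only the `global` policy makes the upload cost depend on other accounts; the other two store the file once per user, which is the storage price of closing that channel.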