Dropbox lied to users about data protection, filed a complaint with the FTC
A complaint was filed against Dropbox (PDF) with the Federal Trade Commission demanding a trial deceiving 25 million users of this hosting. Since the start of its operations, Dropbox has stated that their employees are not able to access the encrypted files of users. In the informational section it was written that "all files are encrypted with AES-256 and cannot be decrypted without your password ."
Recently it turned out that it is not. It turned out that Dropbox employees can decrypt files if they deem it necessary . On April 13, 2011, the second part of the sentence (in italics) was removed from the information section.
In addition, other wordings of the reference section were changed:
The old wording: “Dropbox employees do not have access to user files, and in case of problems, they can see only metadata (file names, file size, etc., but not content)” / and when it comes to file metadata (file sizes, file sizes, etc.).
')
The new wording: “Dropbox employees are forbidden to view the content of files that users store in their folders, they are only allowed to view metadata, such as file names and paths”. are only permitted to view file metadata (eg, file names and locations).
Also added a text with an explanation: they say, as in most online services, access to user data has a "small number of employees" Dropbox and they do so in the rare cases described in the privacy policy.
According to the author of the complaint at FTC Christopher Soghoian (Christopher Soghoian), the company Dropbox has dishonestly gained an advantage over competitors who actually provide reliable cryptographic protection of files.
Dropbox’s official response to the application is that the claims put forward are “out of date”, and the situation was explained in the Dropbox official blog on April 21 . Dropbox's position boils down to the fact that they never claimed that they did not store cryptographic keys, that is, they allegedly did not deceive anyone.
As you know, the algorithm of Dropbox operation is based on comparing the hashes of each uploaded file with those already stored on the hosting. That is, the contents of the file are still analyzed, even if this file is stored on the server in an encrypted form. Using a modification of the program that exploits the functions of the Dropbox private protocol, you can easily make sure that someone out of 25 million users of Dropbox has a specific file in the box or not.
Although there is a scheme, how to find duplicates without decrypting a file on the server , but Dropbox, to all appearances, does not work so elegantly. Such a conclusion can be made based on the fact that they keep the keys.
At the same time, Dropbox competitors, SpiderOak and Wuala online hosts even theoretically do not have access to user files, because they do not store keys. Thus, they cannot identify duplicates and are forced to spend more resources on storing user files, paying the full price for the safety of users (apparently, they also did not think of the aforementioned scheme or saw flaws in it).
According to Sogoyan, Dropbox still misleads users with its statements about the protection of user information, because the reference section says that Dropbox “uses the same security methods as banks and military”, “Dropbox files can be in more security than on your home computer. " It requires FTC to make Dropbox clearly explain on its website data protection conditions, send an email to each Dropbox user with a clear explanation that the company has the ability to view the contents of its files, pay reimbursement to users of paid accounts and prohibit the use of fraudulent statements in the future.
Recently it turned out that it is not. It turned out that Dropbox employees can decrypt files if they deem it necessary . On April 13, 2011, the second part of the sentence (in italics) was removed from the information section.
In addition, other wordings of the reference section were changed:
The old wording: “Dropbox employees do not have access to user files, and in case of problems, they can see only metadata (file names, file size, etc., but not content)” / and when it comes to file metadata (file sizes, file sizes, etc.).
')
The new wording: “Dropbox employees are forbidden to view the content of files that users store in their folders, they are only allowed to view metadata, such as file names and paths”. are only permitted to view file metadata (eg, file names and locations).
Also added a text with an explanation: they say, as in most online services, access to user data has a "small number of employees" Dropbox and they do so in the rare cases described in the privacy policy.
According to the author of the complaint at FTC Christopher Soghoian (Christopher Soghoian), the company Dropbox has dishonestly gained an advantage over competitors who actually provide reliable cryptographic protection of files.
Dropbox’s official response to the application is that the claims put forward are “out of date”, and the situation was explained in the Dropbox official blog on April 21 . Dropbox's position boils down to the fact that they never claimed that they did not store cryptographic keys, that is, they allegedly did not deceive anyone.
As you know, the algorithm of Dropbox operation is based on comparing the hashes of each uploaded file with those already stored on the hosting. That is, the contents of the file are still analyzed, even if this file is stored on the server in an encrypted form. Using a modification of the program that exploits the functions of the Dropbox private protocol, you can easily make sure that someone out of 25 million users of Dropbox has a specific file in the box or not.
Although there is a scheme, how to find duplicates without decrypting a file on the server , but Dropbox, to all appearances, does not work so elegantly. Such a conclusion can be made based on the fact that they keep the keys.
At the same time, Dropbox competitors, SpiderOak and Wuala online hosts even theoretically do not have access to user files, because they do not store keys. Thus, they cannot identify duplicates and are forced to spend more resources on storing user files, paying the full price for the safety of users (apparently, they also did not think of the aforementioned scheme or saw flaws in it).
According to Sogoyan, Dropbox still misleads users with its statements about the protection of user information, because the reference section says that Dropbox “uses the same security methods as banks and military”, “Dropbox files can be in more security than on your home computer. " It requires FTC to make Dropbox clearly explain on its website data protection conditions, send an email to each Dropbox user with a clear explanation that the company has the ability to view the contents of its files, pay reimbursement to users of paid accounts and prohibit the use of fraudulent statements in the future.
Source: https://habr.com/ru/post/119348/
All Articles