Jul 21 2014
I know security is coming to the public awareness when I start getting contacted by relatives and friends about the security of products beyond anti-virus. I think it’s doubly telling when the questions are not about how to secure their home systems but about the security of a product for their business. Which is exactly what happened this week; I was contacted by a family member who wanted to know if it was safe to use Dropbox for business. Is it safe, is it secure and will my business files be okay if I use Dropbox to share them between team members?
Let’s be honest that the biggest variable in the ‘is it secure?’ equation is what are you sharing using this type of service. I’d argue that anything that has the capability of substantially impacting your business on a financial or reputational basis shouldn’t be shared using any third-party service provider (aka The Cloud). If it’s something that’s valuable enough to your business that you’d be panicking if you left it on a USB memory stick in your local coffee shop, you shouldn’t be sharing it via a cloud provider in the first place. In many cases the security concerns of leaving your data with a service provider are similar to the dropped USB stick, since many of these providers have experienced security breaches at one point or another.
What raised this concern to a level where the general public? It turns out it was a story in the Guardian about an interview with Edward Snowden where he suggests that Dropbox is insecure and that users should switch to Spideroak instead. Why? The basic reason is that Spideroak is a ‘zero-knowledge’ product, where as Dropbox maintains the keys to all the files that users place on it’s systems and could use those keys in order to decrypt any files. This fundamental difference means that Dropbox could be compelled by law to provide access to an end user’s file, while Spideroak couldn’t because they don’t have that capability. From Snowden’s perspective, this difference is the single most important feature difference between the two platforms, and who can blame him for suggesting users move.
Snowden has several excellent points in his interview, at least from the viewpoint of a security and privacy expert, but there’s one I don’t think quite holds up. He states that Condoleezza Rice has been appointed to the board of directors for Dropbox and that she’s a huge enemy of privacy. This argument seems to be more emotional than factual to me, since I don’t have much historical evidence on which to base Rice’s opinions on privacy. It feels a little odd for me to be arguing that a Bush era official might not be an enemy of privacy, but I’d rather give her the benefit of the doubt than cast aspersions on Dropbox for using her experience and connections. Besides, I’m not sure how much influence a single member of the board of directors actually has on the direction of the product and the efficacy of its privacy controls.
On the technical front, I believe Snowden is right to be concerned. We know as a fact that Dropbox has access to the keys to decrypt user’s files; they use the keys as part of a process that helps reduce the number of identical files stored on their system, a process called deduplication. The fact that Dropbox has access to these keys means a few things; they also have access to decrypt the data if they’re served with a lawful order, a Dropbox employee could possibly access the key to get to the data and Dropbox could potentially be feeding into PRISM or one of the many other governmental programs that wants to suck up everyone’s data. It also means that Dropbox could make a mistake to accidentally expose the data to the outside world, which has happened before. Of course, vulnerabilities and misconfigurations that results in a lapse of security is a risk that you face when using any cloud service and is not unique to Dropbox.
I’ve never seen how Dropbox handles and secures the keys that are used to encrypt data and they haven’t done a lot to publicize their processes. It could be that there are considerable safeguards in place to protect the keys from internal employees and federal agencies. I simply don’t know. But they do have the keys. Spideroak doesn’t, so they don’t have access to the data end users are storing on their systems, it’s that simple. The keys which unlock the data are stored with the user, not the company, so neither employees nor governmental organizations can access the data through Spideroak. Which is Snowden’s whole point, that we should be exploring service providers who couldn’t share our data if they wanted. From an end-user perspective, a zero-knowledge is vastly preferable, at least if privacy is one of your primary concerns.
But is privacy a primary concern for a business? I’d say no, at least in 90% of the businesses I’ve dealt with. It’s an afterthought in some cases and in many cases it’s not even thought of until there’s been a breach of that privacy. What’s important to most businesses is functionality and just getting their job done. If that’s the case, it’s likely that Dropbox is good enough for them. Most businesses have bigger concerns when dealing with the government than whether their files can be read or not: taxes, regulations, taxes, oversight, taxes, audits, taxes… the list goes on. They’re probably going to be more concerned with the question of if a hacker or rival business can get to their data than if the government can. To which the answer is probably not.
I personally use Dropbox all the time. But I’m using it to sync pictures between my phone and my computer, to share podcast files with co-conspirators (also known as ‘co-hosts’) and to make it so I have access to non-sensitive documents where ever I am. If it’s sensitive, I don’t place it in Dropbox, it’s that simple. Businesses need to be making the same risk evaluation about what they put in Dropbox or any other cloud provider: if having the file exposed would have a significant impact to your business, it probably doesn’t belong in the cloud encrypted with someone else’s keys.
If it absolutely, positively has to be shared with someone elsewhere, there’s always the option of encrypting the file yourself before putting it on Dropbox. While the tools still need to be made simpler and easier, it is possible to use tools like TrueCrypt (or it’s successor) to encrypt sensitive files separate from Dropbox’s encryption. Would you still be as worried about a lost USB key if the data on it had been encrypted?