Should you run away from Dropbox?

For a long time, I’ve recommended Dropbox to colleagues, friends, and family.  However, recent revelations and events made me look for a more secure and less risky solution.

First we learn that any employee at Dropbox has access to our data. According to the Dropbox site,

Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations). Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.

The problem I had with this was the lack of communication to customers that this was the case.  Many of us understood that NOBODY could access our data.  Well, no problem.  I simply used TrueCrypt to encrypt sensitive data.  This was inconvenient and caused some performance issues.

As regular listener of Security Now, I decided to try the highly recommended Carbonite.  Not only does it back up all my data, but all my Office files and PDFs are available via my iPad and iPhone.  In addition, nobody can access my files but me…  Finally, the cost is pretty low: $59 per year for unlimited storage.

After testing Carbonite, I wasn’t yet ready to drop Dropbox.  However, today I read that they left all files available to the public for four hours yesterday.  (sigh).  I guess it was too much to expect a great cloud file respository to actually be secure, too.

It’s All about TRUST…

Consumers and the press like to bash vendors and online social networks for lacking perfect privacy, but there is no such thing.  Rather, this is the victim’s argument for getting pwned…

Whenever we perform an action, or fail to act, there are consequences.  A popular zen teaching uses an analogy of picking up a stick; if you pick up a stick holding one end, the other comes with it.  The same is true of sharing personal information online.  There is always the chance  your information will fall into the wrong hands.  Whether or not you share your information should be a matter of trust, of your assessment of risk.

Trust varies between online services.  For example, the steps my bank takes to protect my information are regulated and pretty strong–not perfect, but strong enough for me to take the risk of using its online services.  On the other hand, I would never post anything I don’t want the world to know about on Facebook.

Social networks are not heavily regulated… yet.  And we don’t want them to be.  I don’t want the government sticking its finger into everything I do online.  So, I need to take some responsibility for my actions and not complain to my congressman or senator when my pictures of my last frat party compromise my integrity and that of several others.  Knowing Facebook is a social network, designed for SHARING, why would I assume the risk of putting sensitive content there?  Why would I place my trust in any social networking service?

The same is true of doing business online.  There are differences in how “due diligence” is defined between online business services.  It is our responsibility to ask the right questions before using any service.  If we don’t, we are just as responsible as the service provider when data is stolen… or worse.  Further, regular audits or other assessments are necessary to ensure initial trust does not drift in the wrong direction.

Before sharing your business or personal information with anyone, ask yourself how much you trust the other guy.  If the answer is, “not as far as I can throw him,” then go somewhere else.