Dropbox – a complete breakdown in trust (and what you can do about it)

A while ago I wrote about data security on my academic site. I believe data security to be of huge significance in academia and beyond: protecting significant quantities of sensitive data about ourselves and others is – or should be – an important part of what we all do now.

Collaborative tools like Dropbox can be very helpful in our work with others. Dropbox appears to offer reasonably secure ways of sharing specific folders or files with different people, and provided good passwords are used, most people will assume their data is pretty secure, somewhere “up there in the cloud” (actually, very much down on earth, on Dropbox’s computers…). Of course, if you use any kind of online service these days you may expect there to be data leaks. Dropbox, for example, “lost” 68 million user details in 2012, and recently asked users to change passwords as a result. So if you changed your password, all should be well and you can carry on using Dropbox, yes…?

No. Looking into it in more detail, I see that not only does Dropbox not encrypt data with keys that you create before sending your files to their computers (I gather this is why Edward Snowden advised against using Dropbox), if you have their desktop version installed on your Apple Mac, you are opening your computer to all kinds of vulnerabilities. This is because Dropbox installs itself as a permanent rootkit in your computer without telling you it is doing so. I was alerted to this a couple of days ago by a couple of tweets (1, 2) and then began to see a lot more (maybe Dropbox do this on Windows and other systems too but nobody’s found out about it yet, who knows?)

Perhaps unsurprisingly, any number of searches on the Dropbox help pages failed to give more information on all this.

Perhaps unsurprisingly, any number of searches on the Dropbox help pages failed to give more information on all this.

Even if you trust Dropbox not to take control of your computer (and I don’t see why you should, given they tricked you into giving them that possibility!), anyone who discovers or creates a vulnerability in Dropbox’s software now appears to have an open door to your computer – and if Dropbox can lose 68 million user details, why would you assume they’re particularly good at security? Anything and everything you do on your computer could be at risk. For details on this problem, I recommend the following two postings (and many of the comments are worth reading too):

  1. 28. July 2016: revealing Dropbox’s dirty little security hack
  2. 29. August 2016: discovering how Dropbox hacks your mac

Even if talk of hashtags and algorithms sends you to sleep, the key thing to note is Dropbox’s “explanation” for their actions; it is also highlighted on the second of these two links. Dropbox claim they:

need to request all the permissions we need or even may need in the future.

The problem is, they never ask their users if they could have permission to control all these permissions now and in perpetuity. Instead, Dropbox appear to have tricked users by using inappropriate dialogue boxes to gain this access, making it look as if users were giving their permission for something else.

In my book, this is an unforgivable breach of trust. I find myself asking why I should trust Dropbox with anything, if they deceive me into giving them control over my system?

What to do?

I’d suggest uninstalling Dropbox as soon as possible, and if you must still use it (for sharing with colleagues, for example), then just do so via the web interface. It is very simple to remove it from your Mac:

  1. move any files you want to take off Dropbox to somewhere on your computer
  2. follow the instructions on the Dropbox website to uninstall their desktop interface
  3. if your level of trust in Dropbox is the same as mine after reading all this, you might also want to remove permission for links to your Dropbox data, and then also delete the Dropbox apps on your tablet/mobile.

Then you might want to start looking for secure alternatives to Dropbox