Dropbox joins the call for NSA transparency

Posted by on Oct 1, 2013

Dropbox and the NSA

Image from www.pcworld.com/

Cloud storage services are used by many of us to store and share our files or photos. While using this extremely convenient and easy to use file-sharing service, there are valid questions, such as “what if the service providers can access our data?” or “what if somebody hacks into their servers?” Recently, the online cloud storage service Dropbox was in the news for being a target of the NSA’s requests to reveal user’s data stored in their servers. Dropbox has joined hands with other tech companies like Google, Yahoo, Microsoft and Facebook in their quest for permission to publish a transparent report of number of data requests made by US government under national security laws. In a brief filed with foreign intelligence surveillance (FISA) last week, Dropbox seeks permission to report the exact number of data requests it has received, and the number of users affected by the requests. It supports the motions filed with FISA by other tech giants like Google, Microsoft, and Yahoo. According to these companies, their inability to make public the number of data requests they have received is harming their reputation. As per the brief, Dropbox has been denied permission by the government to publish the precise number of national-security requests it receives. The only way it can publish the number of such requests is if it combines NSA requests with regular-law enforcement requests, and then rounds the total figure to the nearest thousand. Since Dropbox received fewer than 100 regular law enforcement requests last year, reporting in the government’s format will decrease the reporting resolution. Let us now take a look at the online transparency report that Dropbox has released. It states that the company has received 87 requests for user information in the U.S. in 2012, and those were specific to 164 user accounts. Out of this it responded to 82% of the requests. As per the report, there were less than 20 non-US requests for user data in the same time frame, specific to 20 unique user accounts. The company has not responded to any of the non-US requests, as it currently requires data requests to go through the U.S judicial system.

Dropbox transparency records

Image from https://www.dropbox.com/transparency

Dropbox has also included the court brief in the transparency report page. The brief uses very strong words and even accuses the government of violating the First Amendment. “There is no statute, nor any other law, supporting the government’s demands,” Dropbox said. “To the contrary, the proposed gag order violates the First Amendment, as it interferes with both the public’s right to obtain truthful information about a matter of substantial public debate and service providers’ rights to publish such information.”  And these are the reasons why the company has agreed to the motions of other service providers and asks the court to “publish accurate information about the number of national-security requests received within a reporting period, along with the number of accounts affected by those requests”. How secure is Dropbox? Now the obvious question that will arise in your mind is how secure is your data in Dropbox, especially in the light of PRISM revelations. There is no doubt that Dropbox is a robust and convenient service that allows you to backup and access your data anytime and from anywhere. But you have the right to know how Dropbox stores and secures your data, irrespective of what the NSA wants. In the last few years Dropbox is under the scrutiny of security researchers as the privacy of user data is under question. There are certain security risks in this widely used cloud storage system:

  • The privacy policy of Dropbox states that  “ it automatically [records] information from your Device, its software, and your activity using the Services. This may include the Device’s Internet Protocol (IP) address, browser type, the Web page visited before you came to our website, information you search for on our website, locale preferences, identification numbers associated with your Devices, your mobile carrier, date and time stamps associated with transactions, system configuration information, metadata concerning your Files, and other interactions with the Service.” What that means is, be ready to share some of your data and browsing habits while using Dropbox.
  • The data stored is Dropbox is encrypted and no body can read your encrypted data. However having the data encrypted is of no value if the keys are with Dropbox. Anybody who has access to the keys can compromise your data.

Spideroak Vs Dropbox

Spideroak v Dropbox

Image from http://i1099.photobucket.com

Despite several similarities there are significant differences between SpiderOak and Dropbox.

  • SpiderOak encrypts the files in your computer before uploading them to the server. As a result you and only you have access to your unencrypted data. Even SpiderOak cannot read your data because the keys used for encryption only belongs to you. It is impossible for someone to gain control of your data by hacking into SpiderOak. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected.
  • SpiderOak allows you to forego the instant backup and instead backs up your files during the night where it does not have to borrow extra processing power from other applications.
  • You can select any folder to be backed up by SpiderOak in contrast to using only one folder called “ My Dropbox”.
  • In addtion to the cloud storage feature, the desktop version of Spideroak allows you to sync between hard drives and flash drives.

Why choose Spideroak over Dropbox? Users sometimes find that selecting a truly protected third party cloud service can be a challenge as most “secure” services on the market have glaring security gaps that leave their sensitive data wide open to third party attacks, leaks, and hacking. One rapidly expanding cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs. SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. Interested in SpiderOak Products? SpiderOak carved its niche as the top choice for those most concerned with privacy.The engineering goal was simple – devise a plan where users’ files, filenames, file types, folders, and/or any other personal information are never exposed to anyone for any reason (even under government subpoena). This describes SpiderOak’s ‘zero-knowledge’ privacy environment. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Hive keeps all your files in sync across your computer and mobile devices. Here the end-user has the ownership of data and is the only one with the keys to unlock and look at plaintext data. You can signup for this product now. SpiderOak Blue works seamlessly in your enterprise environment. To resolve authentication it deploys a virtual appliance that resides behind your firewall and integrates with Active Directory / LDAP for single sign-on. SpiderOak Blue is compatible in Mac, Windows, Linux, iOS and Android platforms. SpiderOak Blue is now available through a limited release. We have been working with several large enterprises through the beta period and will continue towards general release. If you’re curious about the product, please send an email to blueinfo@spideroak.com and we will get back to you soon.  

4 Responses to “Dropbox joins the call for NSA transparency”

  1. r2d2 says:

    what about files downloaded from the spideroak website and spideroak shares?
    how these files become unencrypted when downloaded?

    thanks a lot.

  2. Pacif13r says:

    ^^^^ What he said ^^^^

    I’d also add how does the key get to the authorized device when I add the new device?

    If you store the key and just not the password to use the private key… then the entire strength of the system lies in the strength (or not ) of the customers password? And is also the password used to log into your website and could therefore be readily harvested from your website login page if you were forced to do so by US gov secret police? Or sniffed out if SSL is indeed compromised by same?

    I like your service and I’m a customer but it’s important the limitations of what you provide are clearly understood by all your customers including me, not just the plus points.

    • Kalyani M. says:

      Thanks for the comments.SpiderOak generates a key created from your password by the key derivation/strengthening algorithm PBKDF2 – This key is then used to encrypt/decrypt a series of strong encryption keys that are used to encrypt/decrypt your data. So, it is true that the strength of your password does impact the strength of the encryption system. If your password is easy to guess then the security of the system is compromised. As a user you should always select a strong, hard to crack password. See the blog posting on 10/4/13 for more tips on password security.Any system no matter how strong can be broken via weak passwords.
      The files that you download from SpiderOak website can be unencrypted using your password. When accessing your data via the SpiderOak website or a mobile device, you must enter your password which will then exist in the SpiderOak server memory for the duration of your browsing session. For this amount of time your password is stored in encrypted memory and never written to any disk. The moment your browsing session ends your password is destroyed and no further trace is left.

  3. jaja says:

    Dropbox didn’t allow me to put encrypted stuff in my folder and threatened to suspend my account. Surprise!

Leave a Reply