Criticism of Dropbox

Criticism of Dropbox, an American company specializing in cloud storage and file synchronization and their flagship service of the same name, centers around various forms of security and privacy controversies. Issues include a June 2011 authentication problem that let accounts be accessed for several hours without passwords; a July 2011 privacy policy update with language suggesting Dropbox had ownership of users' data; concerns about Dropbox employee access to users' information; July 2012 email spam with reoccurrence in February 2013; leaked government documents in June 2013 with information that Dropbox was being considered for inclusion in the National Security Agency's PRISM surveillance program; a July 2014 comment from NSA whistleblower Edward Snowden criticizing Dropbox's encryption; the leak of 68 million account passwords on the Internet in August 2016; and a January 2017 accidental data restoration incident where years-old supposedly deleted files reappeared in users' accounts.

April 2011 user authentication file information
Dropbox has been criticized by the independent security researcher Derek Newton, who wrote in April 2011 that Dropbox stored user authentication information in a file on the computer that was "completely portable and is not tied to the system in any way". In explaining the issue, Newton wrote: "This means that if you gain access to a person's config.db file (or just the host_id), you gain complete access to the person's Dropbox until such time that the person removes the host from the list of linked devices via the Dropbox web interface." He updated his post in October 2011 to write that "Dropbox has release version 1.2.48 that utilizes an encrypted local database and reportedly puts in place security enhancements to prevent theft of the machine credentials." A report from The Next Web featured a comment from Dropbox, in which they disagreed with Newton that the topic was a security flaw, explaining that "The researcher is claiming that an attacker would be able to gain access to a user's Dropbox account if they are able to get physical access to the user's computer. In reality, at the point an attacker has physical access to a computer, the security battle is already lost. [...] this 'flaw' exists with any service that uses cookies for authentication (practically every web service)."

May 2011 data deduplication and employee access
In May 2011, a complaint was filed with the U.S. Federal Trade Commission alleging Dropbox misled users about the privacy and security of their files. At the heart of the complaint was the policy of data deduplication, where the system checks if a file has been uploaded before by any other user, and links to the existing copy if so; and the policy of using a single AES-256 key for every file on the system so Dropbox can (and does, for deduplication) look at encrypted files stored on the system, with the consequence that any intruder who gets the key (as well as potential Dropbox employees) could decrypt any file if they had access to Dropbox's backend storage infrastructure. In a response on its blog, Dropbox wrote that "Like most major online services, we have a small number of employees who must be able to access user data when legally required to do so. But that's the exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access." In response to the FTC complaint, Dropbox spokeswoman Julie Supan told InformationWeek that "We believe this complaint is without merit, and raises issues that were addressed in our blog post on April 21."

June 2011 account access without password
On June 20, 2011, TechCrunch reported that all Dropbox accounts could be accessed without password for four hours. In a blog post, co-founder Arash Ferdowsi wrote that "Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions." He wrote that a "thorough investigation" was being conducted, and that "This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again." Julianne Pepitone, writing for CNNMoney, wrote that "It's the security nightmare scenario: A website stuffed with sensitive documents leaves all of its customer data unprotected and exposed", and featured a comment from Dave Aitel, president and CEO of security firm Immunity Inc., saying "Any trust in the cloud is too much trust in the cloud -- it's as simple as that. [...] It's pretty much the standard among security professionals that you should put on the cloud only what you would be willing to give away."

July 2011 Privacy Policy update
In July 2011, Dropbox updated its Terms of Service, Privacy Policy, and Security Overview agreements. The new Privacy Policy sparked criticism, as noted by Christopher White in a Neowin post, in which he wrote that "They attempted to reduce some of the tedious legalese in order to make it easier for normal people to understand. It appears that they have succeeded in that mission and in the process have taken ownership of every file that uses their service". Citing a paragraph in the updated Privacy Policy that Dropbox needed user permission to "use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display" user's data, White wrote that "This broad terminology is frightening for end users because it clearly lets Dropbox take a person’s work, whether it is photographs, works of fiction, or scientific research, and gives the company the right to do whatever they want with no recourse from the original owner". After users expressed concerns about the change, Dropbox once again updated its policy, adding "This license is solely to enable us to technically administer, display, and operate the Services." White concluded by writing that "While this is a step in the right direction, it still makes no sense as to why a product that is used to move files from one computer to another needs the ability to "prepare derivative works of" anyone's files."

July 2012 email spam and February 2013 reoccurrence
In July 2012, Dropbox hired "outside experts" to figure out why some users were receiving e-mail spam from Dropbox. In a post on its blog, Dropbox employee Aditya Agarwal wrote that "usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We've contacted these users and have helped them protect their accounts." However, Agarwal also noted that "A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We're sorry about this, and have put additional controls in place to help make sure it doesn't happen again." One of the additional controls implemented was the introduction of two-factor authentication. In February 2013, users reported additional spam, with the company stating that "At this time, we have not seen anything to suggest this is a new issue", and blamed the earlier e-mail spam issue from the past July.

June 2013 PRISM program
In June 2013, The Guardian and The Washington Post publicized confidential documents suggesting Dropbox was being considered for inclusion in the National Security Agency's classified PRISM program of Internet surveillance.

January 2014 outage
On January 11, 2014, Dropbox experienced an outage. A hacker group called The 1775 Sec posted on Twitter that it had compromised Dropbox's site "in honor of Internet activist and computer programmer Aaron Swartz, who committed suicide a year ago". However, Dropbox itself posted on Twitter that "Dropbox site is back up! Claims of leaked user info are a hoax. The outage was caused during internal maintenance. Thanks for your patience!" In a blog post detailing the issue, Dropbox's Akhil Gupta wrote that "On Friday at 5:30 PM PT, we had a planned maintenance scheduled to upgrade the OS on some of our machines. During this process, the upgrade script checks to make sure there is no active data on the machine before installing the new OS. A subtle bug in the script caused the command to reinstall a small number of active machines. Unfortunately, some master-replica pairs were impacted which resulted in the site going down." Gupta also noted that "Your files were never at risk during the outage".

April 2014 Condoleezza Rice appointment to board of directors
In April 2014, Dropbox announced that Condoleezza Rice would be joining their board of directors, prompting criticism from some users who were concerned about her appointment due to her history as United States Secretary of State and revelations of "widespread wiretapping on US citizens during her time in office". RiceHadleyGates, a consultancy firm consisting of Rice, former US national security adviser Stephen Hadley, and former US Secretary of Defense Robert Gates, had previously advised Dropbox.

May 2014 disabled shared links
In May 2014, Dropbox temporarily disabled shared links. In a blog post, the company detailed a web vulnerability scenario where sharing documents containing hyperlinks would cause the original shared Dropbox link to become accessible to the website owner if a user clicked on the hyperlink found in the document. Some types of shared links remained disabled over the next few weeks until Dropbox eventually made changes to the functionality.

July 2014 Snowden comment
In a July 2014 interview, former NSA contractor Edward Snowden called Dropbox "hostile to privacy" because its encryption model enables the company to surrender user data to government agencies, and recommended using the competing service SpiderOak instead. In response, a Dropbox spokeswoman stated that "Safeguarding our users' information is a top priority at Dropbox. We've made a commitment in our privacy policy to resist broad government requests, and are fighting to change laws so that fundamental privacy protections are in place for users around the world".

October 2014 account compromise hoax
In October 2014, an anonymous user on Pastebin claimed to have compromised "almost seven million" Dropbox usernames and passwords, gradually posting the info. However, in a blog post, Dropbox stated "Recent news articles claiming that Dropbox was hacked aren't true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. [...] A subsequent list of usernames and passwords has been posted online. We've checked and these are not associated with Dropbox accounts."

December 2014 and on, Dropbox share links force upgrade to paid data plan
A long discussion on Dropbox's support forum, entitled "Can we have plans that are smaller than 1 TB?" began in December 2014, when Dropbox introduced one terabyte paid storage plans. Dropbox users voice concern that they are not able to grow their plan from the two gigabyte free plan by smaller increments than one terabyte. By 2020 the minimum paid data storage plan increased to two terabytes, making the incremental increase from the free account to the minimum paid plan out of reach for many users.

August 2016 password leak
In August 2016, email addresses and passwords for 68 million Dropbox accounts were published online, with the information originating from the 2012 email spam issue. Independent security researcher Troy Hunt checked the database against his data leak website, and verified the data by discovering that both the accounts belonging to him and his wife had been disclosed. Hunt commented that "There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords, you simply can't fabricate this sort of thing". In a blog post, Dropbox stated: "The list of email addresses with hashed and salted passwords is real, however we have no indication that Dropbox user accounts have been improperly accessed. We're very sorry this happened and would like to clear up what's going on." The company outlined details that the information was "likely obtained in 2012", with the company first hearing about the list two weeks earlier, at which time they immediately started an investigation. "We then emailed all users we believed were affected and completed a password reset for anyone who hadn't updated their password since mid-2012. This reset ensures that even if these passwords are cracked, they can't be used to access Dropbox accounts."

January 2017 accidental data restoration
In January 2017, Dropbox restored years-old supposedly deleted files and folders in user accounts. In one example, a user reported that folders from 2011 and 2012 returned. In explaining the issue, a Dropbox employee wrote on its forum that "A bug was preventing some files and folders from being fully deleted off our servers, even after users had deleted them from their Dropbox accounts. While fixing the bug, we inadvertently restored the impacted files and folders to those users' accounts. This was our mistake; it wasn't due to a third party and you weren't hacked. Typically, we permanently remove files and folders from our servers within 60 days of a user deleting them. However, the deleted files and folders impacted by this bug had metadata inconsistencies. So we quarantined and excluded them from the permanent deletion process until the metadata could be fixed".

July 2018 anonymized data analysis
In July 2018, researchers at Northwestern University published an article in Harvard Business Review on the analysis of the habits of tens of thousands of scientists using anonymized data provided by Dropbox. The data used was over the period from May 2015 to May 2017 from all scientists using the platform across 1000 universities. Personal names attached to the data was removed by Dropbox, but according to Casey Fiesler, researcher at Colorado University, the folder titles and file structures that were provided could be used to identify individuals. Dropbox, later in a blog post, said that the reverse identification of the data was impossible. The data was provided without the express consent of the 16 thousand people whose information was accessed.

February 2021 allegations by former employees of gender discrimination
In February 2020, a document containing interviews with 16 current and former Dropbox employees claimed to be victims of gender discrimination was obtained by VentureBeat. The subjects of the report alleged discrimination point to examples such as "changing standards for promotions, unequal compensation, being set back in their careers after maternity leave, and experiencing retribution when they take their cases to HR". The report also detailed instances of alleged harassment and demotion after employees filed a complaint with Dropbox HR or returned to work following maternity leave.