I’ve written before about Dropbox and their supposed scandal regarding the perfectly obvious fact that they could, in fact, read users’ files stored on the site. Despite the lamentations of the aggrieved and even the filing of a complaint with the FTC, I continue to think that those complaining are just being silly or clueless.
Now, sadly, there is a real problem at Dropbox. Earlier this week, Dropbox pushed an update that inadvertently allowed access to any Dropbox account for which the user’s email address was known. This was discovered very rapidly and was fixed within four hours. Nonetheless, the Dropbox logs showed that there was account activity on a small number of the accounts. Yesterday, Dropbox announced that although less than 100 accounts were affected, someone had logged into some accounts and were able to view file and folder names but that no files or account settings were modified and the files did not appear to have been downloaded or viewed.
Obviously Dropbox has egg on their face and, unlike the previous brouhaha, this was a serious failure on their part. There are a couple of obvious lessons that we can take away from this. First, it really is unacceptable for Dropbox to have pushed an insufficiently tested patch to the operational system. To their credit, Dropbox admits this and is not making any excuses.
The second take away is, to my mind, more important. Things like this happen even to the most careful people and users should be asking themselves, “What would it mean to me if it did.” In this case, users should have asked themselves, “What confidential data would I lose if the account were compromised? How devastating would the loss be?” If you’re using Dropbox to sync your college term papers between a laptop and a desktop, then you might be annoyed but you wouldn’t really care. If you’re syncing confidential company plans or sales figures between a laptop and desktop then you might care a lot. Perhaps your company stands to lose substantial amounts of money. Perhaps you’ll get fired.
The point is, each user should make a rudimentary calculation about what a compromise would mean to them and if the answer is other than “Meh” they had better take steps to protect themselves. No one—no one—should feel sorry for the user who whines that he thought Dropbox (or whoever) was going to protect them. If it’s important and you’re going to store it in the cloud, you had better encrypt it yourself.
Fortunately, in the case of Dropbox this is particularly easy to do so there’s no excuse for anyone to have suffered any real harm. But, of course, many people have not protected themselves and they will be mad at Dropbox. Many of them will likely sue; they had better hope that I’m not on the jury.
Update: That didn’t take long.