Over the past couple of years Dropbox, the online file storage and sharing company, has been growing in popularity. We have seen this service being used by many of our customers for simple access to files wherever a user has an internet connection, to share files too large to email, or simply for file backups. Recently there have been a number of security and legal issues surrounding the Dropbox service and we felt our customers needed to be fully informed.
The main issue being raised with using this service in the UK is that it is illegal for European companies to use Dropbox to store any personal information. Due to data protection laws, any US company storing personal data for EU companies must comply with the Safe Harbor framework. This framework essentially proves that US companies comply with the stricter EU data protection laws. Although this information is not readily available on Dropbox’s website, we have contacted them directly and they have confirmed they are not Safe Harbor certified.
Dropbox’s security has been questioned for some time now. A particular issue is that Dropbox does not encrypt your files on their system; it only encrypts the files as you transfer them to and from their servers. If their system were to be hacked in a similar way to the recent PlayStation Network attack, all files and personal data would be openly available to the hackers. In fact, only two weeks ago a programming error on their web site allowed anyone to log in with any password. All that was needed was the correct email address to gain access to any files stored in or shared with that account. This security hole was left open for some time before the issue was resolved.
Finally, Dropbox have recently updated their terms and conditions. They come into effect on the 15th July 2011 and must be agreed to if continued access to their service is required. One of the changes that has been made effectively means that any data that is uploaded to their servers is owned by Dropbox and they can pretty much use it however they see fit. The following is an excerpt from their T&Cs:
“We sometimes need your permission to do what you ask us to do with your stuff (for example, hosting, making public, or sharing your files). By submitting your stuff to the Services, you grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent we think it necessary for the Service. You must ensure you have the rights you need to grant us that permission.”
Although it is unlikely Dropbox would actually act in such a manner, you may find yourself in a situation where you do not have the legal protection or rights that you expect over your own data or imagery.
This email is not trying to scare you or suggest you completely stop using the service. However, due to the severe nature of these issues we would recommend further discussions between the management of your organisation and your user base on how you utilise Dropbox going forward.
As always, we are here to help. If you require any more information from us, please contact us using the usual contact details.