The online data hosting service Dropbox was forced to modify certain texts extolling the security of its service after a complaint was filed in the USA by the FTC (Federal Trade Commission). The problem concerns the encryption of data hosted "in the cloud" and the possibilities of access to user files by employees.
Commercial puns
Last month Dropbox changed some mentions on its site which claimed that the hosted files were subject to AES 256 encryption and inaccessible without a password. Today only the mention of encryption is kept because the files are indeed accessible even without the password that only the user knows.
The files are actually encrypted on the company's servers but the key to decrypt the files is in their possession and is not linked to the password chosen by the user. This greatly limits the interest of encryption and represents a big difference for the user who thought he was the only one to be able to view the data deposited.
The other modified mention concerned precisely this access by a third party. So far the company explained that employees were not able to access the contents of the files deposited but only to some metadata such as the title and the weight of the file. They are now replaced by statements explaining that employees are not authorized to access the files.
There too the difference is significant, the employees are indeed required not to access the files but more than a technical constraint it is an obligation imposed by the employer. This does not protect users from a technical failure or a malicious act.
Unfair competition
However, the seriousness of these statements must be put into perspective. The complaint primarily concerns unfair competition with the few services that actually encrypt online data based on a unique password or key held solely by the user.
While it's worrying that Dropbox has misled its users about data security, the actual way it works is the default for most online services. In the cloud, data is not encrypted in order to make it completely unreadable but only as a protective measure in the event of hacking of the servers or during transfer.
Encryption, encryption: the big blur
For users, encryption or encryption is often synonymous with confidentiality, but the distinction between the different types of encryption blurs understanding. If the encryption when sending information, as for a payment by credit card, secures the transit of data, it does not guarantee their security once hosted online.
Similarly, encryption on an online service is only a guarantee against data theft by a third party, as was the case with the hacking of the PSN and SOE Sony networks. This does not guarantee that a malicious person from the service or that a clumsiness can endanger your data.
The only valid encryption is that which is based on a unique key (password or sequence of characters) held by the user and him alone. This technique also has some disadvantages such as the impossibility of recovering data in the event of loss of the key, or of sharing files online without also sharing this famous key.
Data confidentiality and encryption therefore do not necessarily go hand in hand and security is only guaranteed under certain conditions. A point on which it will be necessary to be vigilant at the time of cloud computing type online services and computers no longer providing storage such as the new Chromebooks.
Practical: Iphone/ipad: securing your data with encryption