The “Cloud” and “Privacy”

This is a reminder.

Unrealistic expectations: I think that is probably the best way to describe the general internet community’s take on Dropbox and the privacy/security woes the company has been facing. I know this to be the case because the fastest way to be the #1 story on the web right now would be to post about how your entire life was ruined by any security lapse or overreaching policy that Dropbox has.

“Man has entire life savings wiped out from security lapse at Dropbox.”

“Woman faces lawsuit after incriminating data turned over by Dropbox.”

Normally it would be fair to say any and all of the following about me:

  1. Picky
  2. Paranoid
  3. Pessimistic

However, in the case of Dropbox I am not paranoid, nor am I pessimistic about their future. I think the biggest problem that Dropbox faces is user education.

Companies really need to start hitting users over the head with the following information:

  • Bad things happen to good people and good companies. Once the data is out of your control, it is indeed out of your control — be vigilant about what data you let out of your control.
  • In the U.S. the government can and will seize your data through the use of the legal system. U.S. companies must comply with this, but you only need be concerned if you are doing something shady. 1

Smart Usage

I took a look through everything that I keep in Dropbox yesterday and I determined that, of all the files I keep there, the most sensitive ones are financial files for iBank. These files don’t contain bank account numbers (they could, but I choose not to) so essentially you would just get to see how much money I make and how much more money I spend if you hacked into my Dropbox account.

That is, yesterday you could potentially have seen that data.

In about 5 minutes I created a few encrypted DMGs with the password saved on my Mac. That adds one extra step (opening the DMG) when I do weekly accounting, yet that one tiny step secured everything “sensitive”.

Sure, I don’t want everything in my Dropbox folder to be public, but if it was to get exposed it certainly wouldn’t amount to anything more than a really bad day.

With any “cloud” service you run the risk of your data being seen by someone other than you — it doesn’t matter which company is providing the service — this can and will happen.

If you accept this inherent risk, and you use the services accordingly, there is nothing to fear. So stop freaking out about Dropbox and its security — either accept the risks or don’t use the service.

Pondering a Way for a Better Security System by a Guy Who Knows Nothing About Security or Programming

Take Dropbox and how it currently works, and say you ditch the website version. Once you ditch the website, Dropbox itself (as an entity) has no need to know which files are yours and where those files are; only your computers need to know that information.

It would be like a giant pool of those gross plastic balls that kids “swim” around in, only each ball is owned by a different person. Each person has marked the balls that they own in a unique way, but only the person that marked the ball knows that the mark is theirs. Thus an individual can find the balls that they own, but no one else would know that those balls belong to them and since all balls look the same, well you get the point.

Of course the whole thing is kept in a locked cage to keep out puzzle solvers.

This is security by obfuscation. If you couple this type of routine with what Dropbox is doing, then you have a system that becomes exponentially more useless to would-be attackers. That is, you could see my financial “data” above (again without the account numbers) but you wouldn’t have much of a way to attach that data to me.

This also makes government seizure a significantly more difficult process — if Dropbox literally doesn’t know where my data is, or what it is, then how could they possibly hand it over?
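
The ball-pit idea above, as an added example (not code from Dropbox or from the original post): each computer marks its files with an HMAC of the file path under a secret only it holds, so the server sees a pool of unlabeled blobs. The names `BallPit`, `Client` and `mark` are hypothetical, and the blobs are assumed to be encrypted before upload.

```python
import hashlib
import hmac
import secrets


class BallPit:
    """Hypothetical server: a flat pool of opaque blobs, no accounts or file names."""
    def __init__(self):
        self._pool = {}

    def put(self, tag: str, blob: bytes) -> None:
        self._pool[tag] = blob

    def get(self, tag: str):
        return self._pool.get(tag)

    def tags(self):
        return set(self._pool)


class Client:
    """Hypothetical client: the marking secret never leaves the user's computers."""
    def __init__(self, pit: BallPit):
        self._secret = secrets.token_bytes(32)
        self._pit = pit

    def mark(self, path: str) -> str:
        # The "mark" on a ball: HMAC-SHA256 of the path under the client's secret.
        return hmac.new(self._secret, path.encode("utf-8"), hashlib.sha256).hexdigest()

    def upload(self, path: str, encrypted_blob: bytes) -> None:
        # Assumption: content is already encrypted (for example an encrypted DMG).
        self._pit.put(self.mark(path), encrypted_blob)

    def download(self, path: str):
        return self._pit.get(self.mark(path))


def demo():
    pit = BallPit()
    alice, bob = Client(pit), Client(pit)
    # Constructed sample data standing in for encrypted disk images.
    alice.upload("finance/2011.dmg", b"<ciphertext A>")
    bob.upload("finance/2011.dmg", b"<ciphertext B>")
    return pit, alice, bob


if __name__ == "__main__":
    print(sorted(demo()[0].tags()))  # two unrelated-looking 64-character marks
```

The marks hide ownership in what is stored; they do not hide who connected to upload a blob, so source IP and timing could still tie balls to a person.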

No system is going to be perfect, so remember that when iCloud launches.

  1. Because of that ‘innocent until proven guilty’ thing we got going on I am going with shady instead of illegal.
Originally posted for members on: July 6, 2011