

Update: This story was updated at 3:25 PDT to include comment from Dropbox, which did not respond by initial publication time.

The complaint alleges that at least two of Dropbox's competitors, SpiderOak and Wuala, make security promises similar to those of Dropbox, but actually can't get at the data because they don't hold the encryption keys. That means those services have to spend more on storage, because they can't detect duplicate files stored by different users. That, according to the complaint, lets Dropbox promise total security without paying the costs, while putting its competitors at a disadvantage. (SpiderOak does do de-duping within each user's account to save users' space, the company says.)

Dropbox's security statements were confusing to users - including to computer security experts, the complaint alleges. Soghoian cites as evidence comments on Dropbox's own blog and a tweet from Jon Callas, who spent years as chief technology officer of PGP Corporation, one of the most respected providers of encryption products. Callas now works for Apple, focusing on security.

Callas tweeted on April 19: "I deleted my Dropbox account. It turns out that they lied and don't actually encrypt your files and will hand them over to anyone who asks." (Technically, Callas is incorrect because the files are encrypted, just not encrypted on the users' devices.)

The complaint additionally alleges that Dropbox misleads users of its mobile app by claiming that its product uses an encrypted HTTPS connection to communicate between a user's device and Dropbox's servers. In fact, the mobile app does not encrypt all the traffic.

Soghoian is asking the FTC to force Dropbox to clarify its website further, to contact all its users to tell them Dropbox can see their data in the clear, offer refunds to "Pro" users and prohibit the company from making deceptive claims in the future.
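The storage trade-off the complaint describes (cross-user de-duplication is only possible when the provider can see plaintext, while a provider whose users hold their own keys must store every user's copy) is easy to show in code. The following Python sketch is an added example, not code from the article or from Dropbox, SpiderOak or Wuala; the class names, the toy HMAC-SHA256 stream cipher standing in for a real AEAD, and the sample file are all constructed for illustration.

```python
"""Toy model of the de-duplication trade-off between provider-held and
user-held encryption keys.  Constructed example; the cipher below is a
stand-in so the script runs offline with the standard library only."""
import hashlib
import hmac
import os


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Keyed stream cipher built from HMAC-SHA256 in counter mode (toy, not
    for production).  A fresh random nonce means the same file produces a
    different ciphertext on every upload, even under the same key."""
    nonce = os.urandom(16)
    stream = b""
    counter = 0
    while len(stream) < len(plaintext):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    return nonce + body


class ProviderHeldKeyStore:
    """Provider-side encryption: the service holds the key, so it can hash
    the plaintext, recognise duplicates across all users and keep one copy."""

    def __init__(self) -> None:
        self.master_key = os.urandom(32)
        self.blobs: dict[str, bytes] = {}   # plaintext hash -> ciphertext

    def upload(self, plaintext: bytes) -> str:
        digest = hashlib.sha256(plaintext).hexdigest()
        if digest not in self.blobs:        # cross-user de-duplication
            self.blobs[digest] = toy_encrypt(self.master_key, plaintext)
        return digest


class UserHeldKeyStore:
    """Client-side encryption: the server only ever receives ciphertext and
    has no way to tell that two blobs hold the same file."""

    def __init__(self) -> None:
        self.blobs: dict[str, bytes] = {}   # ciphertext hash -> ciphertext

    def upload(self, ciphertext: bytes) -> str:
        blob_id = hashlib.sha256(ciphertext).hexdigest()
        self.blobs[blob_id] = ciphertext
        return blob_id


class Client:
    """A user of UserHeldKeyStore.  The plaintext-hash index lives on the
    client, so de-duplication still works inside one account (the per-user
    case the article attributes to SpiderOak) without the server learning
    anything about file contents."""

    def __init__(self, server: UserHeldKeyStore) -> None:
        self.key = os.urandom(32)             # never leaves the client
        self.server = server
        self.local_index: dict[str, str] = {}  # plaintext hash -> blob id

    def upload(self, plaintext: bytes) -> str:
        digest = hashlib.sha256(plaintext).hexdigest()
        if digest in self.local_index:        # within-account de-duplication
            return self.local_index[digest]
        blob_id = self.server.upload(toy_encrypt(self.key, plaintext))
        self.local_index[digest] = blob_id
        return blob_id


def storage_comparison(n_users: int, file_size: int = 4096) -> tuple[int, int]:
    """Return (bytes stored by the provider-held-key service, bytes stored by
    the user-held-key service) when n_users each upload the same file once."""
    shared_file = b"constructed sample file " * (file_size // 24)  # 4080 bytes
    provider = ProviderHeldKeyStore()
    per_user = UserHeldKeyStore()
    for _ in range(n_users):
        provider.upload(shared_file)
        Client(per_user).upload(shared_file)
    return (sum(map(len, provider.blobs.values())),
            sum(map(len, per_user.blobs.values())))


if __name__ == "__main__":
    held, unheld = storage_comparison(n_users=100)
    print(f"provider holds key: {held} bytes; users hold keys: {unheld} bytes")
```

Running it with 100 users shows the provider-held-key store keeping a single 4096-byte blob while the user-held-key store grows linearly with the user count. The same structure explains why a provider that cannot read files also cannot hand them over in the clear: the property that blocks de-duplication is the same one that blocks disclosure.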

Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that's the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.
