Dropbox TOS Controversy Highlights Cloud Security Questions
Way back in December 2010, TalkinCloud sister site MSPmentor asked an important question in the wake of the Wikileaks scandal: What should cloud service providers do when the government comes knocking for customer data? Slowly, but surely, the cloud marketplace is reaching an answer. In the case of popular consumer cloud storage solution Dropbox, a recent controversy over new terms of service reveals that its willingness to work with authorities may highlight some flaws in the company’s overall security scheme.
This is where the story splits into two perspectives: Upset bloggers such as Boing Boing’s Cory Doctorow believe Dropbox always claimed that it never stored encryption keys. That’s important to this discussion because: 1) it means Dropbox couldn’t give police similar access to customer data if it wanted to, and 2) it means it’s difficult for Dropbox to restore data to customers who manage to lose their keys. So when the company issues new Terms of Service claiming it’s ready to hand over access to the Feds, questions are naturally raised.
Doctorow received an e-mail from Arash Ferdowsi, CTO of Dropbox, who clarified that the company has never made bones about the fact that technical staff keep a copy of encryption keys. It’s just controlled by what he describes as a tightly regulated mechanism on the back end to prevent abuse. Dropbox, he said, will be enhancing its help pages to make sure that concept is clear. And to Doctorow’s credit, he updated his original post with Ferdowsi’s comments.
So in light of the Dropbox security concerns, here are the key questions I think cloud service providers should ask themselves after all this: How transparent is enough when it comes to your security procedures? And for customers without explicit compliance needs, is security a good enough trade-off for convenience and ease of use?