Posts Tagged ‘FTC’

Security researcher Christopher Soghoian has filed a complaint with the Federal Trade Commission alleging that online file storage service provider Dropbox has been making false claims to customers about the company’s protocols for securely storing data.

The complaint centers on statements by Dropbox that lead customers to believe data submitted to the service is always stored in encrypted form and can be read in unencrypted form only by the client.

Soghoian has shown that Dropbox, not the customer, holds the encryption keys for stored files, so the data is available to the company in unencrypted form and can be examined by Dropbox employees or handed over in response to government requests and court orders, including searches in copyright infringement cases.

Soghoian wants the company to revise its advertising and website statements further so that they accurately reflect the security and encryption practices Dropbox actually uses.

According to the complaint filed by Soghoian with the FTC:

1. Dropbox has prominently advertised the security of its “cloud” backup, sync and file sharing service, which is now used by more than 25 million consumers, many of whom “rely on Dropbox to take care of their most important information.”

2. Dropbox does not employ industry best practices regarding the use of encryption technology. Specifically, Dropbox’s employees have the ability to access its customers’ unencrypted files.

3. Dropbox has and continues to make deceptive statements to consumers regarding the extent to which it protects and encrypts their data.

4. Dropbox’s customers face an increased risk of data breach and identity theft because their data is not encrypted according to industry best practices.

5. If Dropbox disclosed the full details regarding its data security practices, some of its customers might switch to competing cloud based services that do deploy industry best practices regarding encryption, protect their own data with 3rd party encryption tools, or decide against cloud based backups completely.

6. Dropbox’s misrepresentations are a Deceptive Trade Practice, subject to review by the Federal Trade Commission (the “Commission”) under section 5 of The Federal Trade Commission Act.

Dropbox officials have dismissed Soghoian’s accusations and maintain that no misrepresentations have been made to customers.

“We believe this complaint is without merit, and raises old issues that were addressed in our blog post on April 21, 2011. Millions of people depend on our service every day and we work hard to keep their data safe, secure, and private,” said company spokeswoman Julie Supan to Wired.com.

Nonetheless, the company has made several changes to the wording it uses on its website to describe its security practices, and Supan says that some of Soghoian’s accusations take company statements out of context.

“In our help article we stated ‘Dropbox employees aren’t able to access user files.’ That means that we prevent such access via access controls on our backend as well as strict policy prohibitions. That statement didn’t say anything about who holds encryption keys or what mechanisms prevent access to the data. We updated our help article and security overview to be explicit about this. Also, to clarify we’ve never stated we don’t have access to encryption keys. We’ve made quite a few posts in our public forums over the years about this very fact and we are quite open with our community…” Supan stated.

Soghoian maintains that the language Dropbox uses still misrepresents the actual level of security the company employs, and that the statements confuse not only consumers but security experts as well, citing a tweet by encryption expert Jon Callas:

“I deleted my Dropbox account. It turns out that they lied and don’t actually encrypt your files and will hand them over to anyone who asks.”
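The distinction the dispute above turns on is between a provider that encrypts stored files under a key it holds (so that only its own access controls and policy, as Supan describes, limit who can read them) and a client that encrypts before upload under a key the provider never sees. The following Go program is an added example and is not code from the original post, from Soghoian's complaint or from Dropbox; the provider, the sample file contents and the key handling are constructed for illustration and make no claim about how Dropbox's backend actually works.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample file contents; not real user data.
var sampleFile = []byte("2010-tax-return.pdf: SSN 000-00-0000 (constructed sample)")

// newKey returns a fresh random 256-bit AES key.
func newKey() []byte {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		panic(err)
	}
	return k
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM; the output is nonce || ciphertext || tag.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; it fails on a wrong key or a modified ciphertext.
func unseal(key, sealed []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

func matches(got []byte, err error) bool { return err == nil && bytes.Equal(got, sampleFile) }

// Run stores sampleFile with a hypothetical provider under the chosen model
// and reports whether an insider holding the provider's key, and the file's
// owner, can each read it back. Illustrative only; not Dropbox's code or design.
func Run(clientEncrypts bool) (insiderReads, ownerReads bool, err error) {
	serverKey := newKey() // the provider's at-rest key
	ownerKey := serverKey // provider model: the client sends plaintext, the service encrypts and decrypts
	if clientEncrypts {
		ownerKey = newKey() // client model: the key is generated on the client and never uploaded
	}
	blob, err := seal(ownerKey, sampleFile) // what the provider actually stores
	if err != nil {
		return false, false, err
	}
	// An insider (an employee, or the provider answering a legal demand) has the
	// stored blob and serverKey; in the provider model only policy and access
	// controls stand between that insider and the plaintext.
	insiderReads = matches(unseal(serverKey, blob))
	ownerReads = matches(unseal(ownerKey, blob))
	return insiderReads, ownerReads, nil
}

func main() {
	for _, clientEncrypts := range []bool{false, true} {
		insider, owner, err := Run(clientEncrypts)
		fmt.Printf("client-side encryption=%v insider reads=%v owner reads=%v err=%v\n",
			clientEncrypts, insider, owner, err)
	}
}
```

Run(false) reports that both the owner and an insider holding the server key recover the plaintext; Run(true) reports that only the owner does, because the insider's AES-GCM decryption fails authentication. "Encrypted at rest" says nothing about who can decrypt unless it also says who holds the key, which is the point Soghoian's complaint presses.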

Two companies that maintain large amounts of sensitive information about the employees of their business customers, including Social Security numbers, have agreed to settle US Federal Trade Commission charges that they failed to employ reasonable and appropriate security measures to protect the data, in violation of federal law. Among other things, the settlement orders require the companies to implement comprehensive information security programs and to obtain independent audits of the programs every other year.

The settlements with Ceridian Corporation and Lookout Services are part of the FTC’s ongoing efforts to ensure that companies secure the sensitive consumer information they maintain. In complaints filed against the companies, the FTC charged that both Ceridian and Lookout claimed they would take reasonable measures to secure the consumer data they maintained, including Social Security numbers, but failed to do so. These flaws were exposed when security breaches at both companies put the personal information of thousands of consumers at risk. The FTC challenged the companies’ security practices as unfair and deceptive.

According to the FTC’s complaint against Ceridian, a provider to businesses of payroll and other human resource services, the company claimed, among other things, that it maintained “Worry-free Safety and Reliability . . . Our comprehensive security program is designed in accordance with ISO 27000 series standards, industry best practices and federal, state and local regulatory requirements.” However, the complaint alleges that Ceridian’s security was inadequate. Among other things, the company did not adequately protect its network from reasonably foreseeable attacks and stored personal information in clear, readable text indefinitely on its network without a business need. These security lapses enabled an intruder to breach one of Ceridian’s web-based payroll processing applications in December 2009, and compromise the personal information – including Social Security numbers and direct deposit information – of approximately 28,000 employees of Ceridian’s small business customers.

The other company, Lookout Services, Inc., markets a product that allows employers to comply with federal immigration laws. It stores information such as names, addresses, dates of birth and Social Security numbers. According to the FTC’s complaint against Lookout, despite the company’s claims that its system kept data reasonably secure from unauthorized access, it did not in fact provide adequate security. For example, unauthorized access to sensitive employee information allegedly could be gained without the need to enter a username or password, simply by typing a relatively simple URL into a web browser. In addition, the complaint charged that Lookout failed to require strong user passwords, failed to require periodic changes of such passwords, and failed to provide adequate employee training. As a result of these and other failures, an employee of one of Lookout’s customers was able to access sensitive information maintained in the company’s database, including the Social Security numbers of about 37,000 consumers.
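The defect alleged against Lookout, a record reachable by URL with no username or password, is a missing authentication and authorization check in front of a data lookup. The following Go program is an added example, not code from the FTC complaint and not Lookout's actual application: a minimal vulnerable handler beside a hardened one, driven through net/http/httptest so it runs offline. The URL layout, record IDs, employers, session tokens and personal data are all constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample records; the employers, names, IDs and SSNs are made up.
type record struct {
	employer, name, ssn string
}

var records = map[string]record{
	"1001": {"acme", "A. Example", "000-00-0001"},
	"1002": {"globex", "B. Example", "000-00-0002"},
}

// Hypothetical session store: bearer token -> employer the session belongs to.
var sessions = map[string]string{"tok-acme": "acme"}

func recordID(r *http.Request) string { return strings.TrimPrefix(r.URL.Path, "/records/") }

// vulnerableHandler answers any request that names a record: no username,
// no password, no check of who is asking. Knowing or guessing the URL is enough.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	rec, ok := records[recordID(r)]
	if !ok {
		http.NotFound(w, r)
		return
	}
	fmt.Fprintf(w, "%s %s", rec.name, rec.ssn)
}

// hardenedHandler authenticates the caller first, then authorizes the specific
// record against the caller's employer before returning anything.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	token := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	employer, ok := sessions[token]
	if !ok {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	rec, ok := records[recordID(r)]
	if !ok || rec.employer != employer {
		// One response for "no such record" and "not your record", so a caller
		// cannot enumerate valid IDs by telling the two cases apart.
		http.NotFound(w, r)
		return
	}
	fmt.Fprintf(w, "%s %s", rec.name, rec.ssn)
}

// fetch issues GET path to h with an optional bearer token and returns the
// status code and the trimmed response body.
func fetch(h http.HandlerFunc, path, token string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rr := httptest.NewRecorder()
	h(rr, req)
	return rr.Code, strings.TrimSpace(rr.Body.String())
}

func main() {
	for _, c := range []struct {
		name, path, token string
		h                 http.HandlerFunc
	}{
		{"vulnerable, no credentials", "/records/1001", "", vulnerableHandler},
		{"hardened, no credentials", "/records/1001", "", hardenedHandler},
		{"hardened, own employer's record", "/records/1001", "tok-acme", hardenedHandler},
		{"hardened, another employer's record", "/records/1002", "tok-acme", hardenedHandler},
	} {
		code, body := fetch(c.h, c.path, c.token)
		fmt.Printf("%-36s -> %d %q\n", c.name, code, body)
	}
}
```

The vulnerable handler returns a record to anyone who types its URL; the hardened one returns 401 without a session, 404 for a record belonging to a different employer, and the data only when both checks pass. One caveat on the complaint's other points: its expectation of periodic password changes reflects 2011-era practice, and current guidance (NIST SP 800-63B) advises against forced rotation absent evidence of compromise; the missing access check is the serious defect either way.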

The settlement orders bar misrepresentations, including misleading claims about the privacy, confidentiality, or integrity of any personal information collected from or about consumers. They require the companies to implement a comprehensive information security program and to obtain independent, third party security audits every other year for 20 years.