For the past few weeks, tech media has been buzzing with discussions about Dropbox security (see previous CloudAve coverage). Dropbox has grown from modest beginnings to 25 million users. Recently, security engineer Derek Newton exposed a serious security issue: Dropbox stores the machine hash in unencrypted form on any machine where Dropbox is installed. Dropbox’s response was that once a machine is hacked or compromised, all the security bets are off. In a way, it is like saying that if your server firewall or OS is compromised, all security is off, so why should we spend our resources trying to develop applications with any security? It was definitely an irresponsible response but, now, it does appear that they are taking users’ concerns into account and trying to make it more secure.
This was immediately followed by news that Dropbox was not clear in its TOS about how it deals with the US Govt.’s requests for user data. They reacted to this with a change in their TOS, making it clear that they will hand over user data to the US Govt. if there is a valid request from them. There is also another round of discussions on how Dropbox earlier asserted that their employees have no access to user data and has now changed the TOS to claim that they have strict policies about employees handling user data, essentially confirming that their employees always had access to user data if needed. This is creating a lot of backlash inside the tech community, and Dropbox has come out with a blog post trying to explain their position on these issues and do some damage control.
I am pretty disappointed with the way Dropbox is handling this issue, in general. Even though they may have messed up by not being forthright in their TOS, I won’t fault them for handing over the data to the government. They are a business and they are bound by US laws. I am not even going to blame the US govt. here. Depending on which side of politics you are on, you may or may not agree with it. But it is immaterial. The US govt., at least for this discussion, is within its rights to demand access. However, this highlights a bigger problem confronting the cloud and something which I have discussed in the past.
This fiasco once again brings into focus the assertions made by some pundits about having a handful of players in the infrastructure space, due to low margins in the market and their ability to achieve scale. Well, most of us also love the idea of imagining one centralized location up in the sky from where we tap compute resources much like how we tap electricity and other utilities (Thank You, Nick Carr). The Dropbox fiasco clearly highlights the danger with such a consolidation. If the consolidation is to occur, the infrastructure is going to be controlled by companies based in the US (at least, that is the conventional wisdom) and they have to comply with requests from the US govt. to access user data. This is quite unacceptable to many outside the US. We are already seeing resistance from the Canadian government and the EU. This is only going to increase with increased cloud adoption.
The solution? Federated clouds. Period. I have been talking about federated clouds for a long time here and this Dropbox fiasco is yet another example of why we need federated clouds. Nah, federated clouds don’t solve the problem of governments poking their nose into users’ data but it will be the government in the users’ country and they will, hopefully, have the necessary judicial remedies to handle it. At least, with federated clouds, they can avoid facing a situation where the cloud providers’ govt. is sniffing around their data. Some might argue that encryption can protect the users’ data from the governments. Well, as a user, I don’t want a foreign government sniffing around even my encrypted data. I don’t want to deal with governments outside the jurisdiction where I have access to legal remedies.
I am thoroughly convinced that federated clouds are the way to go. We, as a society, are diverse and our needs are diverse. We have a diverse set of governments and we should only be dealing with the governments representing our land. The Dropbox fiasco is a perfect example of what can happen to your data
- in a foreign territory
- with providers outside your country
It is time for users, especially the ones outside the US, to think seriously about such issues. I am glad this fiasco has once again put focus on what can happen to foreign data on US soil. Well, in fact, the US has a decent bill of rights and legal remedies. Imagine the data going into countries where there are no rights for their own citizens. Imagine what can happen to your data there.
This is one of the reasons why I am strongly advocating the idea of federated clouds where users get to choose where their data resides. Even within the federated marketplace, there should be complete transparency. Users should not hand over their data to providers who offer no visibility on their business or their infrastructure. These are some of the important issues one should consider while planning their strategy for a cloudy world. I would love to hear your concerns regarding data privacy and what you are doing to mitigate the risks coming from sources such as foreign governments.
Note: Safe Harbor provisions might help a bit but they have limited use right now. Plus, I am not advocating that we should not do business across the border. I am only arguing about having choice.