A great example of how easy it is to do shallow reporting: Business Insider’s Steve Kovach dismisses as “nothing groundbreaking” the news that Dropbox, the big online storage company (which I use for some file backups), has admitted it will decrypt your files and hand them over to government agencies that demand to see them. Don’t worry about it, says Kovach: you only need to be concerned if you’re doing something wrong.
This is incorrect, on several levels. The latest terms of service flatly contradict Dropbox’s assurance elsewhere on the site that “Dropbox employees aren’t able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc., not the file contents).” So some people inside the company (must be employees, right?) can access user files after all.
And if someone inside the company can do that, the files are exposed to anyone who holds, steals or abuses that access, not only to the government requests the terms mention. As Miguel de Icaza points out on his blog:
This announcement means that Dropbox never had any mechanism to prevent employees from accessing your files, and it means that Dropbox never had the crypto smarts to ensure the privacy of your files and never had the smarts to only decrypt the files for you. It turns out, they keep their keys on their servers, and anyone with clearance at Dropbox or anyone that manages to hack into their servers would be able to get access to your files.
If companies with a very strict set of security policies and procedures like Google have had problems with employees that abused their privileges, one has to wonder what can happen at a startup like Dropbox where the security perimeter and the policies are likely going to be orders of magnitude laxer.
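What “only decrypt the files for you” would look like in practice, as an added example that is not code from Dropbox, from de Icaza’s post, or from this page: the client derives a key from a passphrase the provider never receives, encrypts each file before it lands in the synced folder, and checks the result on the way back down. It uses only the Go standard library (so PBKDF2 is written out rather than imported); the blob layout, the 100,000-round iteration count, the function names and the sample passphrase and document are this example’s own assumptions.

```go
// Added example: encrypt a file on the client before it enters a synced folder.
// The provider stores only salt || nonce || AES-256-GCM output and never sees
// the passphrase or the key. Layout and constants are this example's choices.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const (
	saltLen   = 16     // per-file KDF salt
	nonceLen  = 12     // standard AES-GCM nonce size
	keyLen    = 32     // AES-256
	tagLen    = 16     // GCM authentication tag
	kdfRounds = 100000 // PBKDF2 iterations (illustrative value)
)

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA-256 as the PRF.
func pbkdf2SHA256(passphrase, salt []byte, rounds, dkLen int) []byte {
	prf := hmac.New(sha256.New, passphrase)
	var out []byte
	for block := 1; len(out) < dkLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < rounds; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// newAEAD derives the file key from the passphrase and salt, on the client only.
func newAEAD(passphrase, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256(passphrase, salt, kdfRounds, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal builds the blob that goes into the synced folder. The file name is bound
// as associated data, so a blob cannot be served back under another name.
func Seal(passphrase []byte, name string, plaintext []byte) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	aead, err := newAEAD(passphrase, hdr[:saltLen])
	if err != nil {
		return nil, err
	}
	blob := append(make([]byte, 0, len(hdr)+len(plaintext)+tagLen), hdr...)
	return aead.Seal(blob, hdr[saltLen:], plaintext, []byte(name)), nil
}

// Open decrypts a downloaded blob. A wrong passphrase, a changed name or a
// single flipped byte fails the GCM tag check and returns an error.
func Open(passphrase []byte, name string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+tagLen {
		return nil, fmt.Errorf("blob too short (%d bytes) to be a sealed file", len(blob))
	}
	aead, err := newAEAD(passphrase, blob[:saltLen])
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:], []byte(name))
}

// ProviderSeesPlaintext is the provider's-eye check: is the content in the clear?
func ProviderSeesPlaintext(stored, plaintext []byte) bool {
	return bytes.Contains(stored, plaintext)
}

func main() {
	pass := []byte("correct horse battery staple") // constructed sample passphrase
	plain := []byte("constructed sample: Q3 numbers, not for release")
	blob, err := Seal(pass, "q3.txt", plain)
	if err != nil {
		panic(err)
	}
	got, err := Open(pass, "q3.txt", blob)
	fmt.Printf("provider can read it: %v; owner recovers %q (err=%v)\n",
		ProviderSeesPlaintext(blob, plain), got, err)
}
```

The contrast with the model de Icaza describes is in the ProviderSeesPlaintext check and the Open calls that fail: when the key exists only on the client, an employee, an intruder on the servers and a government demand served on the provider all obtain the same thing, a blob with no recoverable content, and a blob handed back under the wrong name or altered in transit is rejected rather than silently accepted. What this does not hide is metadata (file names, sizes, timing), and the passphrase becomes the one thing you cannot afford to lose.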
If you use Dropbox and care about the confidentiality of what you put there, this matters: the only files Dropbox cannot decrypt are the ones you encrypted yourself, with a key it never holds, before they went into the synced folder. And if you’re a journalist covering the company, maybe you should look further than the surface.