Dropbox's Latest Fiasco: Resurrecting Files Deleted YEARS Ago

by Paul Arnote (parnote)

That some users might contend that Dropbox has become a beleaguered service could have a ring of truth to it, depending on your point of view. It would be an understatement to say that the service has had its fair share of trouble and controversy.

Founded in 2007 by Drew Houston, a MIT student who kept forgetting his USB thumb drive, Dropbox made its official launch in 2008 after obtaining "seed funding" to help it get going, via Y Combinator. Today, Dropbox touts having more than 400 million registered users. (Disclosure: yes, I am one of those users).

If you're one of those two dozen users on the planet who aren't familiar with Dropbox, it's a cloud based file sharing service. When you install it, it creates a Dropbox folder on your computer, and anything placed in that folder (or one of its subfolders) is automatically synced between all of your shared devices that are also running Dropbox, via the Dropbox server. Users of Dropbox Basic (that would be me) are given 2GiB of space to use, free of charge. Dropbox Pro users can access up to 1TB of space, for a fee.

Troubled History

In May 2010, Chinese Dropbox users were unable to access the service after the Chinese government placed Dropbox behind the Great Firewall. While no fault of Dropbox, it does stand as a testament to the early popularity of the service. But then, the Chinese government is also notorious for making all such popular services inaccessible by placing them behind the Great Firewall. Dropbox was subsequently (and briefly) unblocked from behind the Chinese Great Firewall in February 2014, only to be sequestered again in June 2014.

An early criticism from an independent security researcher was that Dropbox stored the answers to user authentication questions in a plain text format. That issue was resolved with the release of version 1.2.48 (Dropbox is currently at version 18.4.32). A software engineer with Dropbox also came out and stated that Dropbox's Terms of Service agreement and their Privacy Policy contradicted each other, and that Dropbox's famous claim that Dropbox employees are unable to access user files was a lie.

In May 2011, a complaint was filed with the U.S. FTC (Federal Trade Commission) that Dropbox misled users about the privacy and security of their files.

In June 2011, TechCrunch reported that all Dropbox accounts could be accessed without a password for a four hour period.

In July 2011, an article in Neowin and The Digital Reader asserted that the simplified Terms of Service agreement allowed Dropbox to legally sell all of your files.

In July 2012, a Dropbox employee's account was hacked, which resulted in a number of Dropbox users being spammed. Another group of Dropbox users were spammed in March 2013, from July 2012 breech.

On June 6, 2013, The Guardian and The Washington Post publicized confidential documents suggesting Dropbox was being considered for inclusion in the National Security Agency's classified PRISM program of Internet surveillance.

In January 2014, Dropbox experienced an outage as a result of some issue that arose during routine maintenance of the Dropbox site.

In a July 2014 interview, former NSA contractor Edward Snowden called Dropbox "hostile to privacy" because its encryption model enables the company to surrender user data to government agencies, and recommended using the competing service SpiderOak instead. According to a September 2014 Wall Street Journal article, Dropbox had been considering switching to a model similar to SpiderOak's, where users have control over their encryption keys. However, this has not been implemented.

In August 2016, it was revealed that hashed passwords for 68,000,000 accounts, stolen in 2012, were published.

The latest round

Dropbox's published policy is that all deleted files will be purged from the system 30 days after the user deletes them from their account. This allows users a 30 day "grace period" where files can be recovered, should a user change their mind about the file's deletion. A bug in Dropbox's software prevented some files from being purged.

The affected files that were thought to have been deleted were accidentally restored while Dropbox was addressing and attempting to fix the bug. A spokesman for Dropbox emphasized that it was Dropbox's mistake, and that no third party was involved. The blame was placed on "inconsistent metadata," which caused the deleted files in question to not actually be deleted.

The lesson in all of this

The lesson remains the same as it has all along, for all cloud storage services: don't upload sensitive data that you cannot afford to fall into the hands of others. When you store your "goods" in someone else's "house," you're subject to their rules. Expect your "goods" to be inspected. If you cannot dare afford just anyone "inspecting" your "goods," you probably shouldn't be storing those "goods" in someone else's "house" in the first place.

With that in mind, make your own frequent backups of sensitive data. Storage media does fail from time to time, so you will want to protect against that. For REALLY sensitive data, consider storing copies off site, away from the location where they will be typically used and accessed. A safe deposit box at a bank comes immediately to mind, but there are other choices, too.

Will I continue to use Dropbox? Yes, without any hesitation. But then, I'm careful to NOT store sensitive, private, personal data on the Dropbox servers. Each user will have to decide for themselves whether Dropbox merits their trust, as well as exactly what to store there. Undoubtedly, the decision will be a personal one, and each decision will be different for each user.