
Before the Federal Trade Commission
Washington, DC 20580

In the Matter of Dropbox, Inc.

May 11, 2011

REQUEST FOR INVESTIGATION AND COMPLAINT FOR INJUNCTIVE RELIEF

SUMMARY

1. Dropbox has prominently advertised the security of its “cloud” backup, sync and file sharing service, which is now used by more than 25 million consumers, many of whom “rely on Dropbox to take care of their most important information.”1

2. Dropbox does not employ industry best practices regarding the use of encryption technology. Specifically, Dropbox’s employees have the ability to access its customers’ unencrypted files.

3. Dropbox has and continues to make deceptive statements to consumers regarding the extent to which it protects and encrypts their data.

4. Dropbox’s customers face an increased risk of data breach and identity theft because their data is not encrypted according to industry best practices.

5. If Dropbox disclosed the full details regarding its data security practices, some of its customers might switch to competing cloud based services that do deploy industry best practices regarding encryption, protect their own data with 3rd party encryption tools, or decide against cloud based backups completely.

6. Dropbox’s misrepresentations are a Deceptive Trade Practice, subject to review by the Federal Trade Commission (the “Commission”) under section 5 of The Federal Trade Commission Act.

1 Drew Houston and Arash Ferdowsi, Privacy, Security & Your Dropbox, The Dropbox Blog, April 21, 2011, available at http://blog.dropbox.com/?p=735

PARTIES

7. Christopher Soghoian is a Washington, D.C. based Graduate Fellow at the Center for Applied Cybersecurity Research at Indiana University, and a Ph.D. Candidate in the School of Informatics and Computing at Indiana University. His research is focused at the intersection of security, privacy, law and policy. This complaint is submitted in his personal capacity.

8. Dropbox, Inc. ("Dropbox") was founded in 2007 and is based in San Francisco, California. Dropbox’s headquarters are located at 760 Market Street #1150, San Francisco, CA 94102. At all times material to this complaint, Dropbox’s course of business, including the acts and practices alleged herein, has been and is in or affecting commerce, as "commerce" is defined in Section 4 of the Federal Trade Commission Act, 15 U.S.C. § 45.

STATEMENT OF FACTS

9. Dropbox is a file backup, synchronization and sharing service enabling users to store their photos, documents and other files “in the cloud.”

10. Dropbox’s software automatically backs up files from user-specified directories onto the company’s servers. These files and folders can be synchronized between multiple computers and shared with other users.

11. As of April 2011, Dropbox is reported to have 25 million users and 200 million files are “saved” using the service each day.2

12. Dropbox provides 2GB of storage space to its customers for free. Consumers can purchase additional storage space, by signing up for one of two “Pro” service plans, offering 50GB for $9.99/month or $99.00/year, and 100GB for $19.99/month or $199.00/year.3

DROPBOX PROMINENTLY ADVERTISES THE SECURITY AND SAFETY OF ITS SERVICE

13. On the “install” page on the Dropbox website, visitors are told that “Your files are always safe.”4

2 Michael Arrington, Dropbox Hits 25 Millions Users, 200 Million Files Per Day, TechCrunch, April 17, 2011, available at http://techcrunch.com/2011/04/17/dropbox-hits-25-millions-users-200-million-files-per-day/.
3 https://www.dropbox.com/plans
4 https://www.dropbox.com/install

Figure 1: The "Install" page on Dropbox's website.

14. On the “product features” page on the Dropbox site, visitors are told that their files are safe, and that the company uses encryption to protect the files stored on Dropbox’s servers.5

Figure 2: The "Product Features" page on Dropbox's website.

15. Until April 13, 2011, the “How Secure is Dropbox” page in the “Help Center” section of Dropbox’s website included the following specific claims regarding the security of users’ data:6

“All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password.”

5 https://www.dropbox.com/features
6 This page has been changed at least twice since April 12, 2011. The latest version can be accessed at https://www.dropbox.com/help/27.

“Nobody can see your private files in Dropbox unless you deliberately invite them or put them in your Public folder.”

“Dropbox employees aren’t able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc, not the file contents).”

“Your files are actually safer while stored in your Dropbox than on your computer in some cases. We use the same secure methods as banks and the military to send and store your data.”

Figure 3: The “How Secure is Dropbox” page in the “Help Center” section of Dropbox’s website prior to April 13, 2011.

DROPBOX’S SERVICE DOES NOT PROVIDE STRONG SECURITY

16. The Advanced Encryption Standard (AES) was announced by National Institute of Standards and Technology (NIST) after a 5-year standardization process in which fifteen competing designs were presented and evaluated.7

17. The AES standard is comprised of three different encryption ciphers (AES-128, AES-192, AES-256), with key sizes of 128, 192 and 256 bits, respectively.

18. AES is the first publicly accessible and open cipher approved by the National Security Agency (NSA) for top secret information (when the 192 or 256 bit key lengths are used).8

19. Dropbox uses AES-256, the highest strength of the AES ciphers to encrypt user data on its servers.9 With regard to its choice of encryption algorithm for stored user data, Dropbox follows industry best practices and does indeed “use the same secure methods as banks and the military.”10

20. The choice of encryption algorithms is an important component in the security of a system. However, equally important is the storage and management of the keys used to encrypt data.

21. The keys used to encrypt users’ data are known to some Dropbox employees and stored on the company’s servers.11

22. Dropbox’s use and storage of encryption keys does not follow best practices for the “cloud” backup industry.12 Several competing services, such as SpiderOak13 and Wuala,14 encrypt users’ data, by default, with a key only known to each user. These competing companies do not have the ability to access their customers’ unencrypted data.

7 See generally: http://en.wikipedia.org/wiki/Advanced_Encryption_Standard_process
8 Lynn Hathaway, "National Policy on the Use of the Advanced Encryption Standard (AES) to Protect National Security Systems and National Security Information", June 2003, available at http://csrc.nist.gov/groups/ST/toolkit/documents/aes/CNSS15FS.pdf
9 “How Secure is Dropbox” available at https://www.dropbox.com/help/27
10 Id.
11 Post by “N.N”, Dropbox employee, in Dropbox support forum, http://forums.dropbox.com/topic.php?id=3908#post-27169 (“Currently there is only one key, that the DB team has. Not the most ideal situation, granted, but there has been discussion about enabling private keys for people. (Note that this will break the "quick upload" feature for files not already in your account.)”)
12 The Open Web Application Security Project (OWASP), Guide to Cryptography, available at https://www.owasp.org/index.php/Guide_to_Cryptography (“The strength of a cryptographic system is measured in key length. Using a large key length and then storing the unprotected keys on the same server eliminates most of the protection benefit gained.”)

23. Responding to a query from a customer on the official support forum regarding the encryption keys and security of Dropbox’s architecture, Arash Ferdowsi, the company’s CTO revealed that:

“The only 100% safe option with any online storage solution is (as you said) to encrypt on your own. [M]any dropbox users use truecrypt with no problems :-).”15

24. Although Mr Ferdowsi has acknowledged in the support forum that his company’s service is not “100% safe,”16 the company prominently advertises to consumers that “[y]our files are always safe” when stored with the service.17

25. On April 1, 2011, Marcia Hofmann of the Electronic Frontier Foundation contacted Dropbox on my behalf.18 Among the suggestions we made to the company were the following:

a. Update the statements made on its website to disclose details regarding the company’s use of encryption, and the fact that it has the ability to access users’ data.

b. Notify its customers by email to let them know that the service is not in fact encrypting their data with a key only known to the user.

c. Switch to a model of encrypting user data with a key only known to the user.

13 Nuts and Bolts, Spideroak, available at https://spideroak.com/engineering_matters.
14 Security and Privacy, FAQ, Wuala, available at http://www.wuala.com/en/support/faq/c/20; Security, Wuala, available at http://www.wuala.com/en/learn/technology.
15 Arash F., Post to Support forum thread “Files: Encrypted or not?”, http://forums.dropbox.com/topic.php?id=17666#post-109672
16 Id.
17 Dropbox install page, https://www.dropbox.com/install.
18 Email from Marcia Hofmann to Arash Ferdowsi, April 1, 2011.

26. On April 12th, 2011, I published a post to my blog highlighting privacy problems associated with Dropbox’s service.19 Soon after, prominent bloggers and members of the technology press wrote about the topic.20

DISCLOSURES BY DROPBOX SINCE APRIL 13th, 2011 ARE INSUFFICIENT

27. In response to Marcia Hofmann’s email, my blog post, and the subsequent press attention, Dropbox modified several statements made on their website.

28. On or around April 14th, 2011, one of the statements on the “How Secure is Dropbox” page in the “Help Center” section of Dropbox’s website was changed from “All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password” to “All files stored on Dropbox servers are encrypted (AES-256).”

29. On April 23, 2011, the “How Secure is Dropbox” page was again modified.

a. The following statement was removed entirely: “Online access to your files requires your username and password.”

b. The statement “Nobody can see your private files in Dropbox unless you deliberately invite them or put them in your Public folder” was modified to be “Other Dropbox users can't see your private files in Dropbox unless you deliberately invite them or put them in your Public folder.”

c. The statement “Dropbox employees aren’t able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc, not the file contents)” was modified to read “Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations).”

d. A new statement was also added to the page:

“Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.”

19 Christopher Soghoian, How Dropbox sacrifices user privacy for cost savings, Slight Paranoia, April 12, 2011, available at http://paranoia.dubfire.net/2011/04/how-dropbox-sacrifices-user-privacy-for.html
20 Cory Doctorow, Dropbox's new security policy implies that they lied about privacy from the start – UPDATED, Boing Boing, April 21, 2011, available at http://boingboing.net/2011/04/21/dropboxs-new-securit.html; Miguel de Icaza, Dropbox Lack of Security, Personal Blog, April 19, 2011, available at http://tirania.org/blog/archive/2011/Apr-19.html; Klint Finley, How to Keep Dropbox Employees' Hands Off Your Data, ReadWriteCloud, April 20, 2011, available at http://www.readwriteweb.com/cloud/2011/04/how-to-keep-dropbox-employees.php; Erik Sherman, “At Dropbox, Even We Can’t See Your Dat– Er, Nevermind” [Update], BNET, available at http://www.bnet.com/blog/technology-business/-8220at-dropbox-even-we-can-8217t-see-your-dat-8211-er-nevermind-8221-update/10077.

30. Although the company has added some clarifying disclosures to its website, the firm continues to make unqualified claims regarding the safety and security of its service on the “Features” and “Install” pages on its site, both of which are linked to from the homepage, and far more likely to be viewed by the average user than the website’s “Help Center”.

31. Dropbox has not contacted its 25 million existing customers to let them know about the changes to its privacy policy, or the fact that the company does in fact have access to their unencrypted data.

DROPBOX HAS MISLED ITS CUSTOMERS REGARDING THE EXTENT TO WHICH THEIR DATA IS PROTECTED

32. On April 21, 2011, Dropbox’s CTO and CEO published a post to the company’s official blog regarding the extent to which the company has access to user data.21

33. Comments left at the bottom of that blog post and in the company’s support forum make it clear that some of Dropbox’s customers (including “Pro” users who have paid for the service) were upset, and felt that the company had lied to them.22

34. On April 19th, 2011, Jon Callas, the co-founder and former CTO of Pretty Good Privacy (PGP) posted the following message to his public Twitter account:23

21 Drew Houston and Arash Ferdowsi, Privacy, Security & Your Dropbox, The Dropbox Blog, April 21, 2011, available at http://blog.dropbox.com/?p=735
22 Comment by Brent C., available at http://forums.dropbox.com/topic.php?id=36814#post-312492; Comment by Joshua P., available at http://forums.dropbox.com/topic.php?id=36835&replies=33#post-312775; Comment by Xyzzy, available at http://blog.dropbox.com/?p=735#comment-189261869; Comment by Justin Cardinal, available at http://blog.dropbox.com/?p=735#comment-190051017
23 https://twitter.com/#!/joncallas/status/60401887140261888

35. If a prominent cryptographer and security expert was misled by Dropbox’s statements regarding its use of encryption, it seems entirely unreasonable to expect that the average non-technical user would have been able to read between the lines and determine that the company was not in fact using encryption with a key only known to the user.

36. Several members of the technology press were also misled by Dropbox’s claims.

a. Richard Gaywood at The Unofficial Apple Weblog writes that:

“AES-256 is a very secure encryption scheme which basically makes it impossible to hack into the encrypted files without the decryption key. Dropbox's FAQ copy makes it sound like its employees don't have access to this key -- as though it's generated from your Dropbox password, perhaps. That's certainly what I took away from the Dropbox FAQ.”24

b. Robert Vamosi at PC World wrote that:

“Storing data via the cloud solves problems, enabling you to access your files from a remote location. But it also creates frightening scenarios of other, unauthorized people accessing your personal data. One way to mitigate that risk is to choose cloud services that include data encryption. For example, the Dropbox remote-file-storage site employs a full-encryption Secure Sockets Layer (SSL) protocol when you upload a file, and uses strong AES 256 encryption for the data you store within the cloud.”25

24 Richard Gaywood, Dropbox under fire for security concerns (updated), The Unofficial Apple Weblog, April 19, 2011, available at http://www.tuaw.com/2011/04/19/dropbox-under-fire-for-security-concerns/

DROPBOX’S USE OF A COMMON ENCRYPTION KEY KNOWN TO THE COMPANY UNNECESSARILY EXPOSES ITS CUSTOMERS TO RISK

37. In their April 21, 2001 blog post, Dropbox’s CEO and CTO have acknowledged that some of their employees have the ability to access users’ unencrypted data:

“Like most major online services, we have a small number of employees who must be able to access user data when legally required to do so. But that’s the exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances.”26

38. “Insider” attacks are a major source of privacy violations and data breaches. Employees at Google,27 Facebook,28 the State Department,29 and Kaiser Permanente30 have all reportedly accessed the private files of customers.

39. Although Dropbox’s policies prohibit its employees from accessing users’ unencrypted data except when legally compelled to do so,31 similar policies likely existed at Google, Facebook and Kaiser Permanente.

40. In addition to the threat of rogue employees, Dropbox has exposed its users to unnecessary risk of data theft by hackers who, if they break into the company’s servers, may be able to steal users’ data and the keys necessary for decryption.

25 Robert Vamosi, Protect Your Online Privacy (Without Reading All the Fine Print), PC World, March 30, 2011, available at http://www.pcworld.com/businesscenter/article/221104/protect_your_online_privacy_without_reading_all_the_fine_print.html
26 Drew Houston and Arash Ferdowsi, Privacy, Security & Your Dropbox, The Dropbox Blog, April 21, 2011, available at http://blog.dropbox.com/?p=735
27 Adrian Chen, GCreep: Google Engineer Stalked Teens, Spied on Chats (Updated), Gawker, September 14, 2010, available at http://gawker.com/#!5637234
28 Ryan Tate, Why You Shouldn’t Trust Facebook with Your Data: An Employee’s Revelations, Gawker, January 11, 2010, available at http://gawker.com/#!5445592/why-you-shouldnt-trust-facebook-with-your-data-an-employees-revelations
29 Passport files of candidates breached, Associated Press, March 21, 2008, available at http://www.msnbc.msn.com/id/23736254/
30 Kaiser Permanente Bellflower Medical Center, Associated Press, March 31, 2009, available at http://www.foxnews.com/story/0,2933,511721,00.html
31 Drew Houston and Arash Ferdowsi, Privacy, Security & Your Dropbox, The Dropbox Blog, April 21, 2011, available at http://blog.dropbox.com/?p=735

41. Recent high profile data breaches experienced by RSA,32 Comodo,33 and Lastpass34 demonstrate that hackers are increasingly sophisticated, and are now seeking out high-value infrastructure targets that can deliver more than just a few million credit card numbers.

42. If Dropbox encrypted its users’ data with a key only known to each user, it would not be possible for rogue employees to snoop on users’ data, or for hackers who had broken into the company’s servers to get access to users’ unencrypted data.
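
The difference between the two key-custody models in paragraphs 21 and 42, and its link to the cross-user deduplication the complaint raises, shown as an added example (it is not part of the complaint and is not Dropbox's or any competitor's code). It assumes hypothetical names (`ProviderKeyStore`, `client_key`, `compare`), constructed sample data, and an HMAC-SHA256 keystream standing in for AES-256 so that it runs with the Python standard library alone.

```python
import hashlib
import hmac
import os

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key, plaintext):
    """Encrypt-then-MAC; the HMAC-SHA256 keystream is a stand-in for AES-256."""
    nonce = os.urandom(16)
    body = nonce + _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    return body + hmac.new(_subkey(key, b"mac"), body, hashlib.sha256).digest()

def unseal(key, blob):
    body, tag = blob[:-32], blob[-32:]
    good = hmac.new(_subkey(key, b"mac"), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None  # wrong key or altered blob
    return _xor_stream(_subkey(key, b"enc"), body[:16], body[16:])

class ProviderKeyStore:
    """Model A (paragraph 21): one key, stored on the provider's servers."""
    def __init__(self):
        self.service_key = os.urandom(32)  # sits next to the data it protects
        self.blobs = {}                    # content hash -> ciphertext
        self.index = {}                    # (user, filename) -> content hash

    def upload(self, user, name, data):
        digest = hashlib.sha256(data).hexdigest()
        if digest not in self.blobs:       # identical files are stored once
            self.blobs[digest] = seal(self.service_key, data)
        self.index[(user, name)] = digest

    def read_from_server_state(self, user, name):
        # No user secret is needed: an insider or intruder holds every input.
        return unseal(self.service_key, self.blobs[self.index[(user, name)]])

def client_key(password, salt):
    """Model B (paragraph 42): derived on the user's machine, never uploaded."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, 32)

def client_encrypt(password, data):
    salt = os.urandom(16)
    return salt, seal(client_key(password, salt), data)

def compare(data=b"constructed sample file contents"):
    provider, user_keyed = ProviderKeyStore(), {}
    for user, password in (("alice", "alice-passphrase"), ("bob", "bob-passphrase")):
        provider.upload(user, "taxes.pdf", data)
        user_keyed[user] = client_encrypt(password, data)  # all the server receives
    salt, blob = user_keyed["alice"]
    leaked = provider.read_from_server_state("alice", "taxes.pdf")
    return {
        "provider_blobs_stored": len(provider.blobs),
        "server_state_reveals_file": leaked == data,
        "user_keyed_blobs_distinct": blob != user_keyed["bob"][1],
        "wrong_password_result": unseal(client_key("bob-passphrase", salt), blob),
        "owner_can_decrypt": unseal(client_key("alice-passphrase", salt), blob) == data,
    }

if __name__ == "__main__":
    print(compare())
```

Under the provider-held key the two identical uploads collapse to one stored blob and the server state alone yields the plaintext; under user-derived keys the blobs differ, so they cannot be deduplicated, and the stored data opens only with the owner's passphrase.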

DROPBOX’S MISLEADING STATEMENTS ABOUT ENCRYPTION GIVE IT AN UNFAIR ADVANTAGE OVER COMPETING CLOUD BACKUP SERVICES THAT DO PROTECT THEIR CUSTOMER’S DATA

43. Several of Dropbox’s competitors do in fact encrypt user data with a key only known to that user. These firms pay higher bandwidth and storage costs than Dropbox, as they do not deduplicate data across user accounts.35

44. Dropbox and its competitors all mention their use of “encryption” when marketing the security of their products. Especially prior to April 2011, the average, non-technical consumer would have no way of knowing that Dropbox’s use of AES-256 encryption is significantly inferior to that of its competitors.

32 John Markoff, SecurID Company Suffers a Breach of Data Security, The New York Times, March 17, 2011, available at https://www.nytimes.com/2011/03/18/technology/18secure.html
33 Riva Richmond, An Attack Sheds Light on Internet Security Holes, The New York Times, April 6, 2011, available at https://www.nytimes.com/2011/04/07/technology/07hack.html
34 Amy Gahran, Password-storing service may have been hacked, CNN, May 5, 2011, available at http://www.cnn.com/2011/TECH/web/05/05/last.pass.gahran/
35 Danny Harnik, Benny Pinkas and Alexandra Shulman-Peleg, Side Channels in Cloud Services, the Case of Deduplication in Cloud Storage, IEEE Security and Privacy Magazine, special issue of Cloud Security, Vol. 8, No. 2, pp. 40-47, 2010. (“By storing and transmitting only a single copy of duplicate data, deduplication saves both disk space and network bandwidth. For vendors [like Dropbox], it offers secondary cost savings in power and cooling achieved by reducing the number of disk spindles.”); See also, Alan Fairless, Why SpiderOak doesn't de-duplicate data across users (and why it should worry you if we did), Spideroak Blog, August 27, 2010, available at https://spideroak.com/blog/20100827150530-why-spideroak-doesnt-de-duplicate-data-across-users-and-why-it-should-worry-you-if-we-did

45. These other firms are unfairly placed at a competitive disadvantage. Dropbox uses the same terminology to market the security of its products, but has lower operating costs, due to its inferior security.

46. If the Commission wishes for companies to embrace Privacy by Design,36 it must guarantee that those firms that pay a cost for doing so are able to effectively compete in the market.

THIS IS NOT AN ISOLATED ISSUE: DROPBOX HAS ALSO DECEIVED ITS USERS REGARDING THE SECURITY OF ITS MOBILE CLIENT

47. Until mid-March, 2011, the “How Secure is Dropbox” page in the “Help Center” section of Dropbox’s website page included the following statement:

"All transmission of file data and metadata occurs over an encrypted channel (SSL)."

48. Contrary to these unqualified claims, the company is in fact not using SSL encryption to transmit all file data and metadata. On March 10, 2011, technologist Mike Cardwell revealed that Dropbox’s Android mobile client is not using SSL to transmit file metadata to Dropbox’s servers.37

49. When Mr. Cardwell contacted Dropbox’s support team to ask about the validity of the claim on the company’s website, he was told that:

“The information in the help center is in relation to the Dropbox desktop and website and doesn't apply to the mobile interface. I'm sorry that this isn't more clearly defined. I will discuss this further with our mobile team to see if we can offer the option of total transmission encryption on the phone and update this document to reflect the current status of metadata transmission.”

36 See generally, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Consumers, Preliminary FTC Staff Report, December 2, 2010, available at http://www.ftc.gov/os/2010/12/101201privacyreport.pdf
37 Mike Cardwell, Dropbox Mobile: Less Secure Than Dropbox Desktop, Post to Grepular Blog, March 10, 2011, available at https://grepular.com/Dropbox_Mobile_Less_Secure_Than_Dropbox_Desktop

50. The April 2011 blog post by Dropbox’s CEO and CTO also acknowledged that the company had opted to trade security for performance on the mobile client:

“We made this decision to provide better performance (in our testing, enabling SSL for all metadata transfers made the app several times slower). We’ve listened to these concerns, and are working on a faster way to transmit metadata over SSL on the mobile apps.”

DROPBOX’S STATEMENTS ABOUT ENCRYPTION ARE A DECEPTIVE BUSINESS PRACTICE

51. According to the FTC Policy Statement on Deception,38 there are three elements to any deception case.

a. There must be a representation, omission or practice that is likely to mislead the consumer.

b. The practice must be deceptive from the perspective of the average consumer.

c. The representation, omission, or practice must be a "material" one, and thus whether the act or practice is likely to affect the consumer's conduct or decision with regard to a product or service.

52. As documented earlier in this complaint, the “How Secure is Dropbox” page in the “Help Center” section on Dropbox’s website included several misleading statements until the page was modified in April, 2011. These included:

a. “All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password.”

b. “Nobody can see your private files in Dropbox unless you deliberately invite them or put them in your Public folder.”

c. “Dropbox employees aren’t able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc, not the file contents).”

d. “Your files are actually safer while stored in your Dropbox than on your computer in some cases.”

38 FTC Policy Statement on Deception, October 14, 1983, available at http://www.ftc.gov/bcp/policystmt/ad-decept.htm

53. The company continues to mislead consumers on the “Install” and “Features” pages on its website. By telling consumers that their data is “always safe,” and that the data is encrypted with AES-256 without informing them that the company has access to the key used to decrypt it, the company is omitting a material fact regarding the degree of security and privacy delivered by the service.

54. Had Dropbox not made these deceptive statements, its customers might have opted to protect their data by using a competing cloud based backup service that encrypts their data with a key only known to them, by using 3rd party encryption tools, or opting to not store their sensitive data in the cloud at all.

REQUEST FOR RELIEF

I request that the Commission investigate Dropbox and enjoin its deceptive business practices. Specifically, I request that the Commission:

a. Compel Dropbox to clarify existing statements on the “Install” and “Features” sections of its website to note that the company does in fact have access to users’ unencrypted data and that a data breach of the company’s servers could lead to the theft of users’ unencrypted data.

b. Compel Dropbox to contact its 25 million existing customers by email to notify them that it has access to their unencrypted data and to suggest specific steps they can take to secure it (such as by using 3rd party encryption software).

c. Compel Dropbox to offer refunds to anyone that has purchased its “Pro” service that felt misled by the company’s statements regarding security.

d. Prohibit Dropbox from making deceptive statements in the future regarding the privacy and security of its services.

I reserve the right to supplement this petition as other information relevant to this proceeding becomes available.

Respectfully submitted,
/s/
Christopher Soghoian

