
Dropbox Is Peeking At Your Files, But Don't Panic

Source: PC Advisor

Don't mind Dropbox reading your test files. It's all normal procedure.

Dropbox may be reading your stored documents. This revelation arrives by way of WNC InfoSec, which claims that several ".doc" files were opened on the Dropbox end in a recent test using HoneyDocs. Dropbox reportedly states that this is normal behavior for the storage company.

HoneyDocs is a web app for generating documents that can show where and when a document was opened. This is made possible by a unique, embedded GET request that is fired when the related document is opened. Thus the author can see not only where and when the document was opened, but also which client was used to read it.
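The reporting side of that beacon mechanism, as an added illustration that is not HoneyDocs' own code: a small parser that reads constructed web-server access log lines from a hypothetical beacon host, picks out hits on per-document beacon URLs, and summarizes for each document when it was first opened, from which IPs, and with which client. The URL path, tokens, IPs and user-agent strings are all constructed sample values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: combined-format access log lines from a hypothetical
# beacon server. Each tracked document embeds a unique token in its beacon
# URL, so a GET on that URL means the document was opened somewhere.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Sep/2013:09:11:42 +0000] "GET /b/a1b2c3.gif HTTP/1.1" 200 43 "-" "LibreOffice/4.0"
198.51.100.9 - - [16/Sep/2013:09:30:05 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.8 - - [16/Sep/2013:09:31:10 +0000] "GET /b/d4e5f6.gif HTTP/1.1" 200 43 "-" "Microsoft Office Word 2010"
203.0.113.7 - - [16/Sep/2013:09:45:00 +0000] "GET /b/a1b2c3.gif HTTP/1.1" 200 43 "-" "LibreOffice/4.0"
"""

# Constructed mapping from beacon token to the document it was embedded in.
TOKENS = {"a1b2c3": "passwords.doc (private folder)",
          "d4e5f6": "passwords2.doc (private folder)"}

# Matches only requests for the beacon path; everything else is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET /b/(?P<token>[0-9a-f]+)\.gif[^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse_beacon_hits(log_text, tokens):
    """Return (document, ip, datetime, user_agent) for every beacon hit whose
    token is known; non-beacon lines and unknown tokens are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("token") not in tokens:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hits.append((tokens[m.group("token")], m.group("ip"), ts, m.group("ua")))
    return hits

def summarize_opens(hits):
    """Group hits per document: earliest open, distinct source IPs, distinct clients."""
    summary = defaultdict(lambda: {"first_open": None, "ips": set(), "clients": set()})
    for doc, ip, ts, ua in hits:
        entry = summary[doc]
        if entry["first_open"] is None or ts < entry["first_open"]:
            entry["first_open"] = ts
        entry["ips"].add(ip)
        entry["clients"].add(ua)
    return dict(summary)

if __name__ == "__main__":
    for doc, info in summarize_opens(parse_beacon_hits(SAMPLE_LOG, TOKENS)).items():
        print(f"{doc}: first opened {info['first_open'].isoformat()} "
              f"from {sorted(info['ips'])} using {sorted(info['clients'])}")
```

Correlating the source IPs against a cloud provider's published address ranges is what lets an analyst say, as WNC InfoSec did, that the opener was an EC2 instance rather than the document's owner.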


In the experiment, the site created a "passwords" document generated by HoneyDocs and uploaded it, using both the Windows-based client and the web-based interface, into a Dropbox Personal Account with non-shared Private Folders. Ten minutes later, one of these documents was read from the IP address of an Amazon EC2 instance in Seattle. WNC InfoSec deleted all the files and re-uploaded them, but this second batch remained unread.

Next, the site created new files and uploaded them to the same Dropbox folder but with a different computer and ISP. Every single HoneyDocs document uploaded was accessed from different IP addresses in Amazon EC2 instances. They were even accessed with LibreOffice, the free open-source personal productivity suite for Windows, Mac and Linux.

Note that Dropbox relies on Amazon's Simple Storage Service (S3), in multiple data centers located across the United States, to store user files. Amazon EC2 (Elastic Compute Cloud), by contrast, is a web service that provides resizable compute capacity in the cloud. It allows customers to boot, run and terminate virtual machines (instances) running their software on demand, adding and removing servers to meet consumer demand.

Amazon customers can pay by the hour, as at times these servers are only needed for a brief period. Customers can even control where these virtual servers are geographically located to reduce latency. Where the stored docs actually reside in Amazon's cloud is unknown, but the HoneyDocs beacons pointed specifically to the virtual servers that were handling WNC InfoSec's files at the time.

"All in all, I made three attempts to upload embedded documents and all appeared to be opened from different Amazon instances," the site states. "This could have something to do with how Dropbox’s storage architecture is configured while utilizing Amazon S3 buckets. Regardless, the .doc files seemed to have been opened for some reason. I’d like to know why."

The document reading is supposedly part of Dropbox's automatic backend processing. The service lets users see previews of certain files, but those previews must be built first, meaning Dropbox needs to open the files regardless of the privacy setting on the folder. However, that doesn't really explain why LibreOffice was used, unless it is built into the Dropbox platform itself. This suite may be what allows users to open stored Word, PowerPoint, PDF and text files within the browser.

"Dropbox employees are prohibited from viewing the content of files you store in your account," the company states on its website. "Employees may access file metadata (e.g., file names and locations) when they have a legitimate reason, like providing technical support. Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that's the rare exception, not the rule."

Dropbox uses modern encryption methods to both transfer and store your data, the company states.

    ethanolson , September 16, 2013 9:21 AM
    "That's the rare exception, not the rule."

    This statement bugs me because if they operate by exceptions instead of rules then they can do anything they want. I think it is the rule and they should clearly state that the rule is to only access data under subpoena and metadata at the customer's support request... or when feeding the NSA.
    warezme , September 16, 2013 11:28 AM
    That's why anything with cloud to me means stay away. I don't FB, tweet, online game, or dropbox or anything of the sort. Most of that stuff is part of a corporate attempt to lure people into a pay always service/subscription to get your money or an easy way for agencies to spy on you and sell your info.
    nerdsmith , September 23, 2013 11:37 AM
    Sounds like they're using the same tricky language the NSA does.