Dropbox may be reading your stored documents. This revelation arrives by way of WNC InfoSec, who claim that several ".doc" files had been opened on the Dropbox end in a recent test using HoneyDocs. Dropbox reportedly states that this is normal behavior for the storage company.
HoneyDocs is a web app for generating documents that can show where and when a document was opened. This is made possible by a unique, embedded GET request that is initiated when the related document is opened. Thus the author can see not only where and when the document was opened, but also the client used to read it.
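The collecting side of such a beacon can be illustrated with an added example (not code from HoneyDocs or WNC InfoSec): it matches beacon requests in a web server access log against the tokens issued per document and reports when, from where and with which client each file was opened. The `/beacon/<token>.png` path, the tokens, the user-agent string and the log lines are assumptions constructed for the example.

```python
import re
from datetime import datetime, timezone

# Constructed registry: token embedded in each tracked file -> document label.
# Tokens and the /beacon/<token>.png URL scheme are hypothetical.
TOKENS = {
    "7f3a9c": "passwords.doc (uploaded via Windows client)",
    "b21e04": "passwords.doc (uploaded via web interface)",
}

# Constructed access-log lines (combined log format). IPs come from the
# RFC 5737 documentation ranges; the user-agent value is made up.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Sep/2013:14:10:02 +0000] "GET /beacon/7f3a9c.png HTTP/1.1" 200 43 "-" "LibreOffice 3.5"
198.51.100.7 - - [12/Sep/2013:14:11:30 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.44 - - [12/Sep/2013:15:02:17 +0000] "GET /beacon/ffffff.png HTTP/1.1" 404 0 "-" "curl/7.30"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /beacon/(?P<token>[0-9a-f]+)\.png[^"]*" \d{3} \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

def find_opens(log_text, tokens):
    """Return one record per beacon request that carries an issued token."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["token"] not in tokens:
            continue  # unrelated request, or a token that was never issued
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits.append({
            "document": tokens[m["token"]],
            "opened_at": when.astimezone(timezone.utc).isoformat(),
            "source_ip": m["ip"],
            "client": m["ua"],
        })
    return hits

def unopened(log_text, tokens):
    """Documents whose beacon never fired in this log."""
    seen = {h["document"] for h in find_opens(log_text, tokens)}
    return sorted(d for d in tokens.values() if d not in seen)

if __name__ == "__main__":
    for hit in find_opens(SAMPLE_LOG, TOKENS):
        print(hit)
    print("never opened:", unopened(SAMPLE_LOG, TOKENS))
```

A beacon hit only shows that something fetched the embedded URL; a document opened with remote content blocked or without network access produces no record.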
In the experiment, the site created a "passwords" document generated by HoneyDocs, and uploaded it using the Windows-based client and the web-based interface into a Dropbox Personal Account with non-shared Private Folders. Ten minutes later, one of these documents was read by an IP address of an Amazon EC2 instance in Seattle. WNC InfoSec deleted all files and re-uploaded them, but this second batch remained unread.
Next, the site created new files and uploaded them to the same Dropbox folder but with a different computer and ISP. Every single HoneyDocs document uploaded was accessed from different IP addresses in Amazon EC2 instances. They were even accessed with LibreOffice, the free open-source personal productivity suite for Windows, Mac and Linux.
Note that Dropbox relies on Amazon's Simple Storage Service (S3) in multiple data centers located across the United States to store user files. Amazon EC2, aka Elastic Compute Cloud, is a separate web service that provides resizable compute capacity in the cloud. This service allows clients to boot, run and terminate virtual machines/servers (instances) running their software when needed, allowing customers to add and subtract servers to meet consumer demand.
Amazon customers can pay by the hour, as at times these servers are only needed for a brief period. Customers can even control where these virtual servers are geographically located to reduce latency. Where the stored docs are actually located in Amazon's cloud is unknown, but the HoneyDocs files specifically pointed to these virtual servers handling WNC InfoSec's files at the time.
"All in all, I made three attempts to upload embedded documents and all appeared to be opened from different Amazon instances," the site states. "This could have something to do with how Dropbox’s storage architecture is configured while utilizing Amazon S3 buckets. Regardless, the .doc files seemed to have been opened for some reason. I’d like to know why."
The document reading is supposedly part of Dropbox's automatic backend processing. The service allows users to see previews of certain files, but these previews must be built first, meaning Dropbox needs to open these files regardless of the privacy setting on the folder. However, that doesn't really explain why LibreOffice was used unless it's built into the actual Dropbox platform. This suite may be what allows users to open stored Word, PowerPoint, PDF and text files within the browser.
Dropbox uses modern encryption methods to both transfer and store your data, the company states.
This statement bugs me because if they operate by exceptions instead of rules then they can do anything they want. I think it is the rule and they should clearly state that the rule is to only access data under subpoena and metadata at the customer's support request... or when feeding the NSA.