The crux of the matter is that Dropbox previously claimed to encrypt all user files and that no employees would have access to these files. As of April 13th, Dropbox privacy policies have been changed and it’s clear that Dropbox employees do have access to user files. However, Dropbox have not contacted its customers to advise of this change in user data privacy, prompting the accusations that Dropbox has been misleading their customers.
Before April 13th, the website clearly stated that: “Dropbox employees aren’t able to access user files, and when troubleshooting an account, they only have access to file metadata (filenames, file sizes, etc. not the file contents).”
After April 13th, the claim changed to: “Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations).”
Dropbox’s response was as follows: “That statement didn’t say anything about who holds encryption keys or what mechanisms prevent access to the data. We updated our help article and security overview to be explicit about this. Also, to clarify we’ve never stated we don’t have access to encryption keys. We’ve made quite a few posts in our public forums over the years about this very fact and we are quite open with our community.”
Other privacy claims also changed on April 13th, such as a previous claim that “All files stored on Dropbox servers are encrypted (AES256) and are inaccessible without your account password” now simply reads “All files stored on Dropbox servers are encrypted”.
The complaint revolves around the fact that these security claims were confusing and misleading to users.