Dropbox is one of the world's most popular cloud storage providers. If you want to store your files with a company that’s been well tested, they are the obvious choice.

If you care about data privacy, however, choosing the right provider becomes a little more complicated. Dropbox scores highly in this regard, but they are far from being the best.

In this article, we will discuss how Dropbox keeps your files safe, and a few areas in which they could definitely do a better job.

Dropbox Security Features


Dropbox takes a very serious approach to data security. They wouldn’t have grown so popular if they didn’t.

Strong Encryption

Dropbox uses 128-bit AES encryption for files in transit and 256-bit AES encryption for files at rest. Both of these are pretty much impossible to crack without access to the encryption key.

2FA

Two-factor authentication has been an optional feature of Dropbox since 2016. Once set up, an account becomes impossible to access without a second form of authentication.

For example, if you wanted to log in to your account, instead of just being asked for your password, you might also be asked to provide proof that you are in possession of a particular device such as your phone.

TLS

The company also uses TLS (Transport Layer Security), which protects your data in transit from man-in-the-middle attacks. If you accessed your files over public Wi-Fi, for example, the connection itself would still be protected.


Regular Testing

Given the size of the company, it should come as no surprise that their entire system is tested for vulnerabilities on a regular basis.

Dropbox Security Problems


Dropbox have a reputation for being reliable. If you give them your files, you can be certain that you’re going to get those files back.

But they also have a reputation for not being as secure as they could be.

Dropbox Has a History of Security Breaches

In 2011, an update error allowed any Dropbox account to be accessed with just the associated email address, i.e. no password was required. The problem was resolved within four hours.

In 2012, there was a data breach. This resulted in the email address and password of 68 million users being leaked.

To make matters worse, the extent of the problem wasn’t known until 2016. Up until then, Dropbox believed that only the email addresses had been affected.

In 2017, multiple users reported that previously deleted files had begun reappearing in their accounts.

Apparently, a bug had prevented these files from being deleted in the first place, and when Dropbox fixed that bug, the files reappeared.

This is particularly problematic because many of the files that reappeared were a number of years old.

Dropbox Is a Target for Cybercrime

Dropbox has over 15 million paying users. This number is great for PR, not to mention profitability. But it also makes Dropbox a target.

Much like malware developers are more likely to target Windows than iOS, Dropbox is the cloud storage provider of choice for those trying to steal confidential files.

If somebody wants to launch a phishing website to steal personal, financial, or business data, it just makes sense that they would aim that website at Dropbox users.

It's Not Zero Knowledge

When you upload files to Dropbox, they keep a copy of your encryption key.

This makes the service significantly faster. It also means that if you ever have a problem with your account, they can help you to get your files back. From a security standpoint, however, this is problematic.

It not only gives Dropbox access to your files; it also gives access to anyone who manages to breach their security. This is a common problem with cloud storage. Box.com, for example, takes a similar approach.

Other cloud storage providers, however, use what is known as zero knowledge encryption.

Here, the encryption key is known to you, and you alone. The encryption is done on your computer, so even the employees of the provider have no way of accessing the key.

As a result, if such a service is breached, the attacker obtains only ciphertext that cannot be decrypted without your key, and your files remain secure.

Dropbox Is Based in the US

Dropbox is headquartered in the United States and is therefore subject to a number of laws which are questionable from a privacy standpoint.

These laws include the Patriot Act which has made it possible for the US government to spy on US citizens without establishing probable cause.

This is considerably more problematic when you remember that Dropbox is not zero knowledge.

Contrast this with other providers that are not only based outside of the US, but don’t even have the ability to provide access to your files if they wanted to.

Alternatives to Dropbox

If you’re concerned about Dropbox security and privacy, the good news is that there’s no shortage of alternatives.

Tresorit

Tresorit is based in Switzerland which is home to some of the strongest privacy laws in the world. It uses 256-bit encryption even during transit. And it is zero knowledge. The only real downside to Tresorit is that it’s not open source.

SpiderOak

SpiderOak was established in 2007 but first gained wider attention when it was recommended by Edward Snowden. It offers similar features to Tresorit but has the added benefit of being both open source and equipped with a warrant canary.

NextCloud

NextCloud takes a slightly different approach in that it doesn’t actually store your files. Instead, it offers to encrypt your files before you upload them to the cloud.

This means that it can be used with other cloud storage providers, including Dropbox, to add zero knowledge functionality.

If you’d like to read more about these companies, you can read our list of the most secure cloud storage providers.

So, Is Dropbox Secure?

In terms of security, Dropbox gets a lot of things right.

The primary problem with the service is that it’s not zero knowledge. And this is something that the company does deliberately as part of a trade-off between privacy and user experience.

For many people, Dropbox is secure enough. But if you care about privacy, or you are uploading sensitive files, there’s no denying that there are better alternatives.