After one too many data breaches, just how safe is Dropbox?
Does one of the world's largest cloud storage solutions really deliver when it comes to security and privacy?
Dropbox was released in 2008 and quickly became a popular cloud storage name, with 700 million registered users in 2021. If you’re a Dropbox user, you’re most likely aware of the big tech file hosting service’s data breaches and scandals over the years. While Dropbox is a popular big tech provider, today there are many alternative storage providers that are similar, if not better and safer than Dropbox. If you’re wondering if Dropbox is 100% safe and private, you’ve come to the right place. As privacy experts we take a look at Dropbox’s privacy and safety features to help you decide if it can still be trusted.
We’ve said it before, and we’ll say it again - popular doesn’t mean better, and unfortunately popular just about never means private. Especially when it comes to your private information and personal data. For many years Dropbox has been one of the leading cloud storage providers, and after all its ups and downs it might be news to you that Dropbox in fact still does not use end-to-end encryption and it sadly does not protect your privacy.
In short, this means the US-based company has access and can view your files whenever they please. So while Dropbox might invest strongly into protecting your data from external attacks, it doesn’t mean it’s safe from inside snooping. Keep reading as we go more into detail about it’s security and privacy features.
Table of contents:
When looking for a suitable cloud storage provider, like email – one shoe doesn’t fit all. There are many factors you should consider when choosing the perfect cloud provider, the most important in my opinion is security and privacy.
When speaking about data security, I am talking about how well your data is protected. If the provider doesn’t protect your personal data from external and internal exploits, just how secure is it? Data security is put in use when your files are transported from your personal device to the cloud, and when they’re stored on a cloud server. Privacy, just as important as security, refers to who has access to your private information and if there’s access, how your provider uses your personal data.
The benchmark or gold standard we could say for cloud storage is one that has zero-knowledge encryption, also referred to as private end-to-end encryption. With end-to-end encryption, only the user has access to their account and their private information. Unfortunately Dropbox doesn’t support any kind of end-to-end encryption. With proper encryption you’re guaranteed that you, and only you, have access to your account – thus both the privacy and security boxes are checked.
A look at Dropbox’s security
In terms of security, Dropbox adheres to very good protocols while your files are in transit from your device to their servers, as well as when your files are stored on their servers. As mentioned on their website, when your files are in transit, Dropbox uses Secure Sockets Layer (SSL)/Transport Layer Security (TLS) encryption - a standard encryption protocol used by most online services these days. TLS/SSL protects your data as it transits between device and server – without such encryption your data would be vulnerable to external attacks and available to everyone to read just as if you were sending a postcard.
If you use Dropbox, your files are encrypted while in transit, decrypted on arrival, and encrypted once again, but this time with 256-bit Advanced Encryption Standard (AES). When your data is stored at rest on the Dropbox servers it’s protected by AES-256 bit encryption which is also used by militaries and governments globally. The problem with Dropbox’s encryption implementation is that it has access to the private key that is securing your data. Thus, the US-based company has full access to all your data as it can easily decrypt it.
Dropbox uses SSL/TLS encryption while your files are in transit and AES-256 bit encryption while your files at at rest in their server. Image source: Dropbox
While Dropbox does use standard encryption protocols, it doesn’t offer end-to-end encryption which means your files and private information is accessible without you even knowing. They have access to the encryption key, so in theory your private files and information is a free for all at Dropbox. As mentioned, Dropbox is secure on a broader level but we can’t give it a thumbs up for being private or for offering end-to-end encryption. With many Big Tech companies like Gmail or Outlook, we see over and over again that, yes, they are secure but regarding privacy? Hell no! – user privacy doesn’t support their ad based business models.
And yes, of course Dropbox has an in detail privacy policy which clearly details what data they use and how – but why should they have access to all this data in the first place? Do we need to trust them or are there more secure options?
Additional security features
Dropbox does support two-factor authentication, which adds a layer of protection to your login. Like with many online accounts these days, you can add this extra protection by using a security key or a code during login in addition to your login credentials. 2FA is recommended to keep your accounts safe from external attacks, especially if your credentials are leaked - which happened during Dropbox’s 2021 breach where 78 million passwords were compromised.
But is it actually secure?
When I started working at Tuta I’ve quickly learned that true security and privacy can only be achieved when no one but the user or intended recipient can access the information - by using strict, end-to-end encryption protocols like in Tuta Mail. With end-to-end encryption the file is automatically encrypted before transmitting to the server. When the files are resting on the server, they are inaccessible and protected, so no one, except the user with the encryption key can access them.
If you are looking to encrypt files on Dropbox, it becomes a bit more technical and tricky. You will need to use a third-party encryption tool for this. Image source: Dropbox
While Dropbox doesn’t offer any form of end-to-end encryption as a default, users have the option to use third-party encryption tools like Veracrypt, this allows you to upload encrypted files to Dropbox. It’s evident that there’s a way to work around getting end-to-end encryption but this is something that should be the default from the moment of sign up, and not an inconvenience at the cost of your right to privacy.
To address this issue, Dropbox recently acquired Boxcryptor – and end-to-end encryption tool that would let you encrypt your Dropbox files before uploading them to the cloud. However, it is not yet clear if and how Dropbox is going to add this functionality natively into its application. If you want to learn more on how to encrypt your Dropbox files with Boxcryptor, you need to contact Dropbox via their website.
Dropbox privacy concerns
Cloud storage should be a place to privately store your important files and documents. For many, the cloud is the perfect way to back up important information like tax documents, pictures, and financial documents that you don’t want to loose when your clunky hard drive breaks. For companies that have tons of records, the cloud is the perfect place to store this confidential information – but for companies it should only be an option if the records remain confidential and private. Unfortunately, in the case of Dropbox the information that’s stored isn’t private, and without privacy we can’t say user files and data remain confidential. This raises major concern.
What does Dropbox do with user data?
In their privacy policy, Dropbox makes it quite clear that they process your personal data, collect and track your usage, your device and IP address, and share your personal information with “trusted” third parties like Amazon, Google, OpenAI as well as other Dropbox owned companies. In addition to collecting a lot of information about you, they can also share this with law enforcement and other third parties, and you as a user have literally no control over these data sharing practices.
Dropbox Jurisdiction
Another factor to consider is Dropbox’s jurisdiction. Its headquarter is based in the US and the majority of its servers reside there, too. Dropbox does have additional servers in the UK, in the EU, in Japan and Australia. Unfortunately, users don’t get a choice of where they’d like their data to get stored. In terms of having data stored in the US, this is a big no no for us as we all know the non-existing privacy protection laws in the US which make authorities’ access to the data all to easy.
At the end of the day, it comes down to one lesson: Unless you use third-party tools to end-to-end encrypt your data on, your data is not private. Additionally it’s evident that the US-based company gathers massive amounts of user information and data also to share it with their trusted partners like Google – whose business model is based on posting targeted advertisements. What’s more is the Dropbox code isn’t open source and doesn’t adhere to top privacy and security standards – there’s no end-to-end encryption by default. So no, Dropbox isn’t the most secure option out there.
Luckily, it’s 2024 and you have many more privacy focused cloud providers compared to a couple of years ago. If your wanting to ditch Dropbox, we’d recommend these end-to-end encrypted cloud providers to ensure your private matters remain private.
Our List of Dropbox Alternatives:
- Tresorit: A Swiss encrypted cloud storage provider which was recently acquired by the Swiss Post and operates under Swiss privacy laws. Although operating as an independent company this may raise concerns as the Swiss Post is controlled by the Swiss government.
- Internxt: An EU based ethical cloud storage alternative to Big Tech platforms like Google Drive.
- Mega: Mega is the rebranded successor of Megaupload the controversial project led by Kim DotCom.
- NextCloud: Open source collaboration and cloud storage has never been easier!
Should these not meet your needs or you wish to continue using DropBox it is important that you take the time to encrypt any files locally before they are uploaded to the cloud. This work-around will keep your information safe and accessible.
Whichever option you choose your data needs to remain secure now and in the future. That’s why we are working towards the release of our own post-quantum encrypted cloud storage platform Tuta Drive. With Tuta Drive you will be able to keep your data safe from “Harvest now, decrypt later” tactics used by government surveillance programs. We believe that privacy should extend beyond communication and that your private documents deserve the same protections.
Let’s keep making the internet better together!