before the federal trade commission washington, dc 20580 ... · spideroak13 and wuala,14 encrypt...
TRANSCRIPT
1
BeforetheFederalTradeCommissionWashington,DC20580
IntheMatterof ) )Dropbox,Inc. )
May11,2011
REQUESTFORINVESTIGATIONANDCOMPLAINTFORINJUNCTIVERELIEF
SUMMARY
1. Dropboxhasprominentlyadvertisedthesecurityofits“cloud”backup,syncandfilesharingservice,whichisnowusedbymorethan25millionconsumers,manyofwhom“relyonDropboxtotakecareoftheirmostimportantinformation.”1
2. Dropboxdoesnotemployindustrybestpracticesregardingtheuseofencryptiontechnology.Specifically,Dropbox’semployeeshavetheabilitytoaccessitscustomers’unencryptedfiles.
3. Dropboxhasandcontinuestomakedeceptivestatementstoconsumersregardingtheextenttowhichitprotectsandencryptstheirdata.
4. Dropbox’scustomersfaceanincreasedriskofdatabreachandidentitytheft
becausetheirdataisnotencryptedaccordingtoindustrybestpractices.
5. IfDropboxdisclosedthefulldetailsregardingitsdatasecuritypractices,someofitscustomersmightswitchtocompetingcloudbasedservicesthatdodeployindustrybestpracticesregardingencryption,protecttheirowndatawith3rdpartyencryptiontools,ordecideagainstcloudbasedbackupscompletely.
6. Dropbox’smisrepresentationsareaDeceptiveTradePractice,subjecttoreviewbytheFederalTradeCommission(the“Commission”)undersection5ofTheFederalTradeCommissionAct.
1DrewHoustonandArashFerdowsi,Privacy,Security&YourDropbox,TheDropboxBlog,April21,2011,availableathttp://blog.dropbox.com/?p=735
2
PARTIES
7. ChristopherSoghoianisaWashington,D.C.basedGraduateFellowattheCenterforAppliedCybersecurityResearchatIndianaUniversity,andaPh.D.CandidateintheSchoolofInformaticsandComputingatIndianaUniversity.Hisresearchisfocusedattheintersectionofsecurity,privacy,lawandpolicy.Thiscomplaintissubmittedinhispersonalcapacity.
8. Dropbox,Inc.("Dropbox")wasfoundedin2007andisbasedinSanFrancisco,California.Dropbox’sheadquartersarelocatedat760MarketStreet#1150,SanFrancisco,CA94102.Atalltimesmaterialtothiscomplaint,Dropbox’scourseofbusiness,includingtheactsandpracticesallegedherein,hasbeenandisinoraffectingcommerce,as"commerce"isdefinedinSection4oftheFederalTradeCommissionAct,15U.S.C.§45.
STATEMENTOFFACTS
9. Dropboxisafilebackup,synchronizationandsharingserviceenablinguserstostoretheirphotos,documentsandotherfiles“inthecloud.”
10. Dropbox’ssoftwareautomaticallybacksupfilesfromuser‐specifieddirectoriesontothecompany’sservers.Thesefilesandfolderscanbesynchronizedbetweenmultiplecomputersandsharedwithotherusers.
11. AsofApril2011,Dropboxisreportedtohave25millionusersand200
millionfilesare“saved”usingtheserviceeachday.2
12. Dropboxprovides2GBofstoragespacetoitscustomersforfree.Consumerscanpurchaseadditionalstoragespace,bysigningupforoneoftwo“Pro”serviceplans,offering50GBfor$9.99/monthor$99.00/year,and100GBfor$19.99/monthor$199.00/year.3
DROPBOXPROMINENTLYADVERTISESTHESECURITYANDSAFETYOFITSSERVICE
13. Onthe“install”pageontheDropboxwebsite,visitorsaretoldthat“Yourfiles
arealwayssafe.”42MichaelArrington,DropboxHits25MillionsUsers,200MillionFilesPerDay,TechCrunch,April17,2011,availableathttp://techcrunch.com/2011/04/17/dropbox‐hits‐25‐millions‐users‐200‐million‐files‐per‐day/.3https://www.dropbox.com/plans4https://www.dropbox.com/install
1
1
5http6Thicanb
4. Onthe“ptheirfilesstoredon
5. UntilAprsectionothesecur
“Ain
ps://www.dspagehasbbeaccessed
Figure
productfeatsaresafe,annDropbox’s
Figure2:Th
ril13,2011fDropbox’srityofusers
Allfilesstoreaccessiblew
dropbox.combeenchangeathttps://w
e1:The"Instal
tures”pagendthatthesservers.5
he"ProductFe
,the“HowSswebsiteins’data:6
edonDropbwithoutyou
m/featuresedatleasttwwww.dropb
3
ll"pageonDro
ontheDropcompanyus
atures"pageo
SecureisDrcludedthef
boxserversuraccountp
wicesinceAbox.com/he
opbox'swebsit
pboxsite,visesencrypt
onDropbox'sw
ropbox”pagfollowingsp
sareencryppassword.”
April12,20elp/27.
te.
isitorsarettiontoprote
website.
geinthe“Hpecificclaim
pted(AES‐25
011.Thelate
oldthatectthefiles
elpCenter”msregardin
56)andare
estversion
g
e
Figu
“Nin“Dtr(fi“Yyoba
re3:The“How
Nobodycanvitethemo
Dropboxemoubleshootiilenames,fil
Yourfilesarourcomputeanksandthe
wSecureisDro
seeyourprrputthem
mployeesareinganaccoulesizes,etc,
eactuallysaerinsomecemilitaryto
opbox”pageinAp
4
rivatefilesininyourPub
en’tabletoaunttheyon,notthefile
aferwhilescases.Weusosendands
nthe“HelpCenpril13,2011.
nDropboxublicfolder.”
accessuserlyhaveacceecontents).”
storedinyosethesamestoreyourd
nter”sectiono
unlessyoud
files,andwesstofilem”
urDropboxesecuremedata.”
fDropbox’swe
deliberately
whenmetadata
xthanonthodsas
ebsitepriorto
y
o
5
DROPBOX’SSERVICEDOESNOTPROVIDESTRONGSECURITY
16. TheAdvancedEncryptionStandard(AES)wasannouncedbyNationalInstituteofStandardsandTechnology(NIST)aftera5‐yearstandardizationprocessinwhichfifteencompetingdesignswerepresentedandevaluated.7
17. TheAESstandardiscomprisedofthreedifferentencryptionciphers(AES‐128,AES‐192,AES‐256),withkeysizesof128,192and256bits,respectively.
18. AESisthefirstpubliclyaccessibleandopencipherapprovedbytheNationalSecurityAgency(NSA)fortopsecretinformation(whenthe192or256bitkeylengthsareused).8
19. DropboxusesAES‐256,thehigheststrengthoftheAEScipherstoencryptuserdataonitsservers.9Withregardtoitschoiceofencryptionalgorithmforstoreduserdata,Dropboxfollowsindustrybestpracticesanddoesindeed“usethesamesecuremethodsasbanksandthemilitary.”10
20. Thechoiceofencryptionalgorithmsisanimportantcomponentinthesecurityofasystem.However,equallyimportantisthestorageandmanagementofthekeysusedtoencryptdata.
21. Thekeysusedtoencryptusers’dataareknowntosomeDropboxemployeesandstoredonthecompany’sservers.11
22. Dropbox’suseandstorageofencryptionkeysdoesnotfollowbestpracticesforthe“cloud”backupindustry.12Severalcompetingservices,suchas
7Seegenerally:http://en.wikipedia.org/wiki/Advanced_Encryption_Standard_process8LynnHathaway,"NationalPolicyontheUseoftheAdvancedEncryptionStandard(AES)toProtectNationalSecuritySystemsandNationalSecurityInformation",June2003,availableathttp://csrc.nist.gov/groups/ST/toolkit/documents/aes/CNSS15FS.pdf9“HowSecureisDropbox”availableathttps://www.dropbox.com/help/2710Id.11Postby“N.N”,Dropboxemployee,inDropboxsupportforum,http://forums.dropbox.com/topic.php?id=3908#post‐27169(“Currentlythereisonlyonekey,thattheDBteamhas.Notthemostidealsituation,granted,buttherehasbeendiscussionaboutenablingprivatekeysforpeople.(Notethatthiswillbreakthe"quickupload"featureforfilesnotalreadyinyouraccount.)”12TheOpenWebApplicationSecurityProject(OWASP),GuidetoCryptography,availableathttps://www.owasp.org/index.php/Guide_to_Cryptography(“Thestrengthofacryptographicsystemismeasuredinkeylength.Usingalargekey
6
SpiderOak13andWuala,14encryptusers’data,bydefault,withakeyonlyknowntoeachuser.Thesecompetingcompaniesdonothavetheabilitytoaccesstheircustomers’unencrypteddata.
23. RespondingtoaqueryfromacustomerontheofficialsupportforumregardingtheencryptionkeysandsecurityofDropbox’sarchitecture,ArashFerdowsi,thecompany’sCTOrevealedthat:
“Theonly100%safeoptionwithanyonlinestoragesolutionis(asyousaid)toencryptonyourown.[M]anydropboxusersusetruecryptwithnoproblems:‐).”15
24. AlthoughMrFerdowsihasacknowledgedinthesupportforumthathiscompany’sserviceisnot“100%safe,”16thecompanyprominentlyadvertisestoconsumersthat“[y]ourfilesarealwayssafe”whenstoredwiththeservice.17
25. OnApril1,2011,MarciaHofmannoftheElectronicFrontierFoundationcontactedDropboxonmybehalf.18Amongthesuggestionswemadetothecompanywerethefollowing:
a. Updatethestatementsmadeonitswebsitetodisclosedetailsregardingthecompany’suseofencryption,andthefactthatithastheabilitytoaccessusers’data.
b. Notifyitscustomersbyemailtoletthemknowthattheserviceisnotinfactencryptingtheirdatawithakeyonlyknowntotheuser.
c. Switchtoamodelofencryptinguserdatawithakeyonlyknownto
theuser.
lengthandthenstoringtheunprotectedkeysonthesameservereliminatesmostoftheprotectionbenefitgained.”)13NutsandBolts,Spideroak,availableathttps://spideroak.com/engineering_matters.14SecurityandPrivacy,FAQ,Wuala,availableat.http://www.wuala.com/en/support/faq/c/20;Security,Wuala,availableathttp://www.wuala.com/en/learn/technology.15ArashF.,PosttoSupportforumthread“Files:Encryptedornot?”,http://forums.dropbox.com/topic.php?id=17666#post‐10967216Id.17Dropboxinstallpage,https://www.dropbox.com/install.18EmailfromMarciaHofmanntoArashFerdowsi,April1,2011.
7
26. OnApril12th,2011,IpublishedaposttomybloghighlightingprivacyproblemsassociatedwithDropbox’sservice.19Soonafter,prominentbloggersandmembersofthetechnologypresswroteaboutthetopic.20
DISCLOSURESBYDROPBOXSINCEAPRIL13th,2011AREINSUFFICIENT
27. InresponsetoMarciaHofmann’semail,myblogpost,andthesubsequentpressattention,Dropboxmodifiedseveralstatementsmadeontheirwebsite.
28. OnoraroundApril14th,2011,oneofthestatementsonthe“HowSecureis
Dropbox”pageinthe“HelpCenter”sectionofDropbox’swebsitewaschangedfrom“AllfilesstoredonDropboxserversareencrypted(AES‐256)andareinaccessiblewithoutyouraccountpassword”to“AllfilesstoredonDropboxserversareencrypted(AES‐256).”
29. OnApril23,2011,the“HowSecureisDropbox”pagewasagainmodified.
a. Thefollowingstatementwasremovedentirely:“Onlineaccesstoyourfilesrequiresyourusernameandpassword.”
b. Thestatement“NobodycanseeyourprivatefilesinDropboxunlessyoudeliberatelyinvitethemorputtheminyourPublicfolder”wasmodifiedtobe“OtherDropboxuserscan'tseeyourprivatefilesinDropboxunlessyoudeliberatelyinvitethemorputtheminyourPublicfolder.”
c. Thestatement“Dropboxemployeesaren’tabletoaccessuserfiles,
andwhentroubleshootinganaccounttheyonlyhaveaccesstofile19ChristopherSoghoian,HowDropboxsacrificesuserprivacyforcostsavings,SlightParanoia,April12,2011,availableathttp://paranoia.dubfire.net/2011/04/how‐dropbox‐sacrifices‐user‐privacy‐for.html20CoryDoctorow,Dropbox'snewsecuritypolicyimpliesthattheyliedaboutprivacyfromthestart–UPDATED,BoingBoing,April21,2011,availableathttp://boingboing.net/2011/04/21/dropboxs‐new‐securit.html;MigueldeIcaza,DropboxLackofSecurity,PersonalBlog,April19,2011,availableathttp://tirania.org/blog/archive/2011/Apr‐19.html;KlintFinley,HowtoKeepDropboxEmployees'HandsOffYourData,ReadWriteCloud,April20,2011,availableathttp://www.readwriteweb.com/cloud/2011/04/how‐to‐keep‐dropbox‐employees.php;ErikSherman,“AtDropbox,EvenWeCan’tSeeYourDat–Er,Nevermind”[Update],BNET,availableathttp://www.bnet.com/blog/technology‐business/‐8220at‐dropbox‐even‐we‐can‐8217t‐see‐your‐dat‐8211‐er‐nevermind‐8221‐update/10077.
8
metadata(filenames,filesizes,etc,notthefilecontents)”wasmodifiedtoread“DropboxemployeesareprohibitedfromviewingthecontentoffilesyoustoreinyourDropboxaccount,andareonlypermittedtoviewfilemetadata(e.g.,filenamesandlocations).”
d. Anewstatementwasalsoaddedtothepage:
“Likemostonlineservices,wehaveasmallnumberofemployeeswhomustbeabletoaccessuserdataforthereasonsstatedinourprivacypolicy(e.g.,whenlegallyrequiredtodoso).Butthat’stherareexception,nottherule.Wehavestrictpolicyandtechnicalaccesscontrolsthatprohibitemployeeaccessexceptintheserarecircumstances.Inaddition,weemployanumberofphysicalandelectronicsecuritymeasurestoprotectuserinformationfromunauthorizedaccess.”
30. Althoughthecompanyhasaddedsomeclarifyingdisclosurestoitswebsite,
thefirmcontinuestomakeunqualifiedclaimsregardingthesafetyandsecurityofitsserviceonthe“Features”and“Install”pagesonitssite,bothofwhicharelinkedtofromthehomepage,andfarmorelikelytobeviewedbytheaverageuserthanthewebsite’s“HelpCenter”.
31. Dropboxhasnotcontactedits25millionexistingcustomerstoletthemknowaboutthechangestoitsprivacypolicy,orthefactthatthecompanydoesinfacthaveaccesstotheirunencrypteddata.
DROPBOXHASMISLEADITSCUSTOMERSREGARDINGTHEEXTENTTOWHICH
THEIRDATAISPROTECTED
32. OnApril21,2011,Dropbox’sCTOandCEOpublishedaposttocompany’s
officialblogregardingtheextenttowhichthecompanyhasaccesstouserdata.21
33. Commentsleftatthebottomofthatblogpostandinthecompany’ssupport
forummakeitclearthatsomeofDropbox’scustomers(including“Pro”userswhohavepaidfortheservice)wereupset,andfeltthatthecompanyhadliedtothem.22
21DrewHoustonandArashFerdowsi,Privacy,Security&YourDropbox,TheDropboxBlog,April21,2011,availableathttp://blog.dropbox.com/?p=73522CommentbyBrentC.,availableathttp://forums.dropbox.com/topic.php?id=36814#post‐312492;CommentbyJoshuaP.,availableat
3
http:Comm1892http:23htt
4. OnAprilPrivacy(
//forums.dmentbyXyz261869;Com//blog.drop
tps://twitte
19th,2011,PGP)posted
dropbox.comzzy,availabmmentbyJupbox.com/?
er.com/#!/j
JonCallas,tdthefollow
m/topic.phpleathttp://ustinCardin?p=735#com
oncallas/sta
9
theco‐foundwingmessag
p?id=36835&/blog.dropbnal,availablmment‐1900
atus/60401
derandformgetohispub
&replies=33box.com/?pleat051017
188714026
merCTOofblicTwitter
3#post‐312=735#comm
1888
PrettyGoodraccount:23
2775;ment‐
d
3
3
24RicUnofhttp:
5. Ifapromstatemenexpectthbetweenencryptio
6. Severalmclaims.
a. Ri
b. Ro
chardGaywfficialApple//www.tua
minentcryptntsregardinhattheaverathelinesanonwithake
membersof
ichardGayw“AES‐256makesitidecryptioemployeefromyourtookaway
obertVamo
“StorinaccessfrighteyourpcloudForexfull‐en
wood,DropbWeblog,Apaw.com/201
tographeranngitsuseofagenon‐tecnddetermineyonlyknow
thetechnol
woodatThe
isaverysempossibletnkey.Dropesdon'thavrDropboxpyfromtheD
siatPCWo
ngdataviatsyourfilesfeningscenapersonaldatservicestha
xample,thencryptionSe
boxunderfirpril19,20111/04/19/d
10
ndsecurityencryption,chnicalusernethatthecwntotheus
logypressw
eUnofficialA
ecureencryptohackintopbox'sFAQceaccesstotpassword,pDropboxFA
rldwroteth
thecloudsofromaremoariosofotheta.Onewayatincluded
DropboxreecureSocke
reforsecur1,availabledropbox‐un
expertwas,isseemsenwouldhavecompanywaser.
werealsom
AppleWebl
ptionschemotheencrypcopymakesthiskey‐‐aerhaps.Tha
AQ.”24
hat:
olvesprobleotelocationer,unauthorytomitigatedataencrypt
emote‐file‐stetsLayer(SS
rityconcernat
nder‐fire‐for
smisledbyDntirelyunreebeenableasnotinfac
misleadbyD
logwritesth
mewhichbaptedfileswisitsoundlikasthoughit'at'scertainl
ems,enablinn.Butitalsorizedpeopleethatriskistion.
toragesiteeSL)protoco
ns(updated)
r‐security‐c
Dropbox’seasonabletotoreadctusing
ropbox’s
hat:
asicallythoutthekeits'sgeneratedywhatI
ngyoutocreateseaccessingstochoose
employsaolwhenyou
),The
oncerns/
o
d
11
uploadafile,andusesstrongAES256encryptionforthedatayoustorewithinthecloud.”25
DROPBOX’SUSEOFACOMONENCRYPTIONKEYKNOWNTOTHECOMPANY
UNNECESSARILYEXPOSESITSCUSTOMERSTORISK
37. IntheirApril21,2001blogpost,Dropbox’sCEOandCTOhaveacknowledgedthatsomeoftheiremployeeshavetheabilitytoaccessusers’unencrypteddata:
“Likemostmajoronlineservices,wehaveasmallnumberofemployeeswhomustbeabletoaccessuserdatawhenlegallyrequiredtodoso.Butthat’stheexception,nottherule.Wehavestrictpolicyandtechnicalaccesscontrolsthatprohibitemployeeaccessexceptintheserarecircumstances.”26
38. “Insider”attacksareamajorsourceofprivacyviolationsanddatabreaches.EmployeesatGoogle,27Facebook,28theStateDepartment,29andKaiserPermanente30haveallreportedlyaccessedtheprivatefilesofcustomers.
39. AlthoughDropbox’spoliciesprohibititsemployeesfromaccessingusers’unencrypteddataexceptwhenlegallycompelledtodoso,31similarpolicieslikelyexistedatGoogle,FacebookandKaiserPermanente.
40. Inadditiontothethreatofrogueemployees,Dropboxhasexposeditsusers
tounnecessaryriskofdatatheftbyhackerswho,iftheybreakintothe25RobertVamosi,ProtectYourOnlinePrivacy(WithoutReadingAlltheFinePrint),PCWorld,March30,2011,availableathttp://www.pcworld.com/businesscenter/article/221104/protect_your_online_privacy_without_reading_all_the_fine_print.html26DrewHoustonandArashFerdowsi,Privacy,Security&YourDropbox,TheDropboxBlog,April21,2011,availableathttp://blog.dropbox.com/?p=73527AdrianChen,GCreep:GoogleEngineerStalkedTeens,SpiedonChats(Updated),Gawker,September14,2010,availableathttp://gawker.com/#!563723428RyanTate,WhyYouShouldn’tTrustFacebookwithYourData:AnEmployee’sRevelations,Gawker,January11,2010,availableathttp://gawker.com/#!5445592/why‐you‐shouldnt‐trust‐facebook‐with‐your‐data‐an‐employees‐revelations29Passportfilesofcandidatesbreached,AssociatedPress,March21,2008,availableathttp://www.msnbc.msn.com/id/23736254/30KaiserPermanenteBellflowerMedicalCenter,AssociatedPress,March31,2009,availableathttp://www.foxnews.com/story/0,2933,511721,00.html31DrewHoustonandArashFerdowsi,Privacy,Security&YourDropbox,TheDropboxBlog,April21,2011,availableathttp://blog.dropbox.com/?p=735
12
company’sservers,maybeabletostealusers’dataandthekeysnecessaryfordecryption.
41. RecenthighprofiledatabreachesexperiencedbyRSA,32Comodo,33and
Lastpass34demonstratethathackersareincreasinglysophisticated,andarenowseekingouthigh‐valueinfrastructuretargetsthatcandelivermorethanjustafewmillioncreditcardnumbers.
42. IfDropboxencrypteditsusers’datawithakeyonlyknowntoeachuser,itwouldnotbepossibleforrogueemployeestosnooponusers’data,orforhackerswhohadbrokenintothecompany’sserverstogetaccesstouser’unencrypteddata.
DROPBOX’SMISLEADINGSTATEMENTSABOUTENCRYPTIONGIVEITANUNFAIRADVANTAGEOVERCOMPETINGCLOUDBACKUPSERVICESTHATDO
PROTECTTHEIRCUSTOMER’SDATA
43. SeveralofDropbox’scompetitorsdoinfactencryptuserdatawithakeyonlyknowntothatuser.ThesefirmspayhigherbandwidthandstoragecoststhanDropbox,astheydonotdeduplicatedataacrossuseraccounts.35
44. Dropboxanditscompetitorsallmentiontheiruseof“encryption”whenmarketingthesecurityoftheirproducts.EspeciallypriortoApril2011,theaverage,non‐technicalconsumerwouldhavenowayofknowingthat
32JohnMarkoff,SecurIDCompanySuffersaBreachofDataSecurity,TheNewYorkTimes,March17,2011,availableathttps://www.nytimes.com/2011/03/18/technology/18secure.html33RivaRichmond,AnAttackShedsLightonInternetSecurityHoles,TheNewYorkTimes,April6,2011,availableathttps://www.nytimes.com/2011/04/07/technology/07hack.html34AmyGahran,Password‐storingservicemayhavebeenhacked,CNN,May5,2011,availableathttp://www.cnn.com/2011/TECH/web/05/05/last.pass.gahran/35DannyHarnik,BennyPinkasandAlexandraShulman‐PelegSideChannelsinCloudServices,theCaseofDeduplicationinCloudStorageIEEESecurityandPrivacyMagazine,specialissueofCloudSecurity,Vol.8,No.2,pp.40‐47,2010.(“Bystoringandtransmittingonlyasinglecopyofduplicatedata,deduplicationsavesbothdiskspaceandnetworkbandwidth.Forvendors[likeDropbox],itofferssecondarycostsavingsinpowerandcoolingachievedbyreducingthenumberofdiskspindles.”);Seealso,AlanFairless,WhySpiderOakdoesn'tde‐duplicatedataacrossusers(andwhyitshouldworryyouifwedid),SpideroakBlog,August27,2010,availableathttps://spideroak.com/blog/20100827150530‐why‐spideroak‐doesnt‐de‐duplicate‐data‐across‐users‐and‐why‐it‐should‐worry‐you‐if‐we‐did
13
Dropbox’suseofAES‐256encryptionissignificantlyinferiortothatofitscompetitors.
45. Theseotherfirmsareunfairlyplacedatacompetitivedisadvantage.Dropbox
usesthesameterminologytomarketthesecurityofitsproducts,buthasloweroperatingcosts,duetoitsinferiorsecurity.
46. IftheCommissionwishesforcompaniestoembracePrivacybyDesign,36it
mustguaranteethatthosefirmsthatpayacostfordoingsoareabletoeffectivelycompeteinthemarket.THISISNOTANISOLATEDISSUE:DROPBOXHASALSODECEIVEDITS
USERSREGARDINGTHESECURITYOFITSMOBILECLIENT
47. Untilmid‐March,2011,the“HowSecureisDropbox”pageinthe“HelpCenter”sectionofDropbox’swebsitepageincludedthefollowingstatement:
"Alltransmissionoffiledataandmetadataoccursoveranencryptedchannel(SSL)."
48. Contrarytotheseunqualifiedclaims,thecompanyisinfactnotusingSSLencryptiontotransmitallfiledataandmetadata.OnMarch10,2011,technologistMikeCardwellrevealedthatDropbox’sAndroidmobileclientisnotusingSSLtotransmitfilemetadatatoDropbox’sservers.37
49. WhenMr.CardwellcontactedDropbox’ssupportteamtoaskaboutthevalidityoftheclaimonthecompany’swebsite,hewastoldthat:
“TheinformationinthehelpcenterisinrelationtotheDropboxdesktopandwebsiteanddoesn'tapplytothemobileinterface.I'msorrythatthisisn'tmoreclearlydefined.Iwilldiscussthisfurtherwithourmobileteamtoseeifwecanoffertheoptionoftotaltransmissionencryptiononthephoneandupdatethisdocumenttoreflectthecurrentstatusofmetadatatransmission.”
36Seegenerally,ProtectingConsumerPrivacyinanEraofRapidChange:AProposedFrameworkforBusinessesandConsumers,PreliminaryFTCStaffReport,December2,2010,availableathttp://www.ftc.gov/os/2010/12/101201privacyreport.pdf37MikeCardwell,DropboxMobile:LessSecureThanDropboxDesktop,PosttoGrepularBlog,March10,2011,availableathttps://grepular.com/Dropbox_Mobile_Less_Secure_Than_Dropbox_Desktop
14
50. TheApril2011blogpostbyDropbox’sCEOandCTOalsoacknowledgedthatthecompanyhadoptedtotradesecurityforperformanceonthemobileclient:
“Wemadethisdecisiontoprovidebetterperformance(inourtesting,enablingSSLforallmetadatatransfersmadetheappseveraltimesslower).We’velistenedtotheseconcerns,andareworkingonafasterwaytotransmitmetadataoverSSLonthemobileapps.”
DROPBOX’SSTATEMENTSABOUTENCRYPTIONAREADECEPTIVEBUSINESSPRACTICE
51. AccordingtotheFTCPolicyStatementonDeception,38therearethreeelementstoanydeceptioncase.
a. Theremustbearepresentation,omissionorpracticethatislikelytomisleadtheconsumer.
b. Thepracticemustbedeceptivefromtheperspectiveoftheaverageconsumer.
c. Therepresentation,omission,orpracticemustbea"material"one,
andthuswhethertheactorpracticeislikelytoaffecttheconsumer'sconductordecisionwithregardtoaproductorservice.
52. Asdocumentedearlierinthiscomplaint,the“HowSecureisDropbox”pageinthe“HelpCenter”sectiononDropbox’swebsiteincludedseveralmisleadingstatementsuntilthepagewasmodifiedinApril,2011.Theseincluded:
a. “AllfilesstoredonDropboxserversareencrypted(AES‐256)andareinaccessiblewithoutyouraccountpassword.”
b. “NobodycanseeyourprivatefilesinDropboxunlessyoudeliberatelyinvitethemorputtheminyourPublicfolder.”
c. “Dropboxemployeesaren’tabletoaccessuserfiles,andwhen
troubleshootinganaccounttheyonlyhaveaccesstofilemetadata(filenames,filesizes,etc,notthefilecontents).”
38FTCPolicyStatementonDeception,October14,1983,availableathttp://www.ftc.gov/bcp/policystmt/ad‐decept.htm
15
d. “YourfilesareactuallysaferwhilestoredinyourDropboxthanonyourcomputerinsomecases.”
53. Thecompanycontinuestomisleadconsumersonthe“Install”and“Features”pagesonitswebsite.Bytellingconsumersthattheirdatais“alwayssafe,”andthatthedataisencryptedwithAES‐256withoutinformingthemthatthecompanyhasaccesstothekeyusedtodecryptit,thecompanyisomittingamaterialfactregardingthedegreeofsecurityandprivacydeliveredbytheservice.
54. HadDropboxnotmadethesedeceptivestatements,itscustomersmighthaveoptedtoprotecttheirdatabyusingacompetingcloudbasedbackupservicethatencryptstheirdatawithakeyonlyknowntothem,byusing3rdpartyencryptiontools,oroptingtonotstoretheirsensitivedatainthecloudatall.
REQUESTFORRELIEFIrequestthattheCommissioninvestigateDropboxandenjoinitsdeceptivebusinesspractices.Specifically,IrequestthattheCommission:
a. CompelDropboxtoclarifyexistingstatementsonthe“Install”and
“Features”sectionsofitswebsitetonotethatthecompanydoesinfacthaveaccesstousers’unencrypteddataandthatadatabreachofthecompany’sserverscouldleadtothetheftofusers’unencrypteddata.
b. CompelDropboxtocontactits25millionexistingcustomersbyemailtonotifythemthatithasaccesstotheirunencrypteddataandtosuggestspecificstepstheycantaketosecureit(suchasbyusing3rdpartyencryptionsoftware).
c. CompelDropboxtoofferrefundstoanyonethathaspurchasedits
“Pro”servicethatfeltmisleadbythecompany’sstatementsregardingsecurity.
d. ProhibitDropboxfrommakingdeceptivestatementsinthefuture
regardingtheprivacyandsecurityofitsservices.
16
Ireservetherighttosupplementthispetitionasotherinformationrelevanttothisproceedingbecomesavailable.
Respectfullysubmitted, /s/
ChristopherSoghoian