"I really hope no one is storing their financial records and health information on Dropbox..."
In 2015, the only sensible approach to security is to consider every machine you touch to be compromised, all the time. And yet I still store financial information on Dropbox - pay slips, bank records, mortgage documents, wills. Why would I care? I don't put download links to them on every email I send out of course, but if they would 'leak', it wouldn't make a material difference to my life. While the ease with which I can access and keep track of them does.
Same with medical information - what do I care that anyone knows how strong my prescription glasses are? Or if I'd got some serious disease tomorrow, what sort of treatment I get? I'd have to disclose if I wanted to get life insurance anyway.
I no longer see a rational reason for trying for absolute secrecy on things like this. The cat's out of the bag.
You're not the only one who thinks that way, but I actually have a hard time justifying that level of concern to myself. I mean, how much added risk is there for the average user in storing her financial records and health information on Dropbox vs. anything else she might store in the cloud?
As far as worst case scenarios go, the financial system does a decent job of making you whole in the event of fraud, and doctors don't rely (solely) upon the stuff in your Dropbox account to make important medical decisions.
That's not to say there's no danger. There's obviously no shortage of Bad Things that could be done with your financial and medical information, but for most people, it's not much worse than the Bad Things that could be done with the photos they share on Facebook, the e-mails they archive in Gmail, or the phone numbers and addresses scattered across countless unsecured databases around the web. In fact, I'd argue that most Dropbox users would be more concerned about Dropbox leaking their private photos and letters than credit card statements and medical bills.
>True, but I don't think that's a concern for most people.
But that is the kind of thinking that lead to the whole issue with Dropbox in the first place. Its deceptively "secure" to any user who can't analyze the implementation implications themselves.
If you're a 'normal person', you shouldn't be making decisions about the security of my health-care or financial data; If you're in the position to make that decision, you should have been aware that dropbox was not a "safe" third party;
On the part of the _users_ of dropbox, I have empathy; In part of those running their medical/finance business on assumptions of dropboxes security, I have nothing but emnity.
Yes, I have to add to this sentiment. In my mind, I imagine Dropbox to be just as secure and private as my own hard drive. It's a bit of a fiction, I know, but until now nothing caused me to really question it. I use it for important files -- the sensitive ones that I really don't want to lose.
Maybe it's all perception, but this makes my private files feel dangerously close to the wide open web.
Dropbox, don't make me feel dumb for using your service for stuff that matters. If your service is meant for funny cat pictures and not my tax returns, please tell me now.
> but I just can't let anyone access my personal photos, my school work, my statements, etc.
They shouldn't be on Dropbox in the first place. What you put on Dropbox is essentially public - be it for their admins or for law enforcement agencies who don't need a warrant to access your dropbox.
Since day one I've stored an arsenal of Truecrypt archives in my Dropbox folder for anything that I really don't want anyone else to find out about. (Not that there is much of that.) Most of the rest of what I store there is ebooks, university lecture notes, my portfolio, and other stuff that I wouldn't worry about if Dropbox really dropped the ball. Seems reasonable to me to be a little more in charge of your own security instead of handing off responsibility to people you don't even know. Still, I agree that we should be holding Dropbox (and similar services) to a high standard, and they have indeed stumbled on this issue.
I continue to use Dropbox, but treat it like a semi public storage. I do not particularly fear that someone will go around looking at my files, but if they do, they won't find anything very valuable anyways.
I agree completely, although I do take comfort in someone claiming they cannot access my data. I wouldn't store any confidential data there in any event, but at least if they are trying to design it so that even they cannot access that data, it seems there is a slightly lower chance of it being leaked to the internet.
Dropbox already had one case where you could log in without a password. That could never happen if they actually needed the password to decrypt the data.
How many of those users care or need to know what encryption is? The argument appears to be that users treat Dropbox like a private store when it isn't, and somehow that's Dropbox' fault.
And anyone who stored that sort of data in dropbox more or less had it coming. HIPAA & finance laws are very clear about the security they require -- dropbox has always been hand-wavey in their explanation of their security.
These are good points. However, as a user of Dropbox I just don't care if they encrypt my data or not. If I back up anything sensitive, I encrypt it myself. For stuff that's not that private (e.g. pictures that I've shared) I assume that anyone at Dropbox could look at them.
You seem to be living in some imaginary world in which Dropbox is able to sell to enterprise companies of all sizes and yet privacy is not even a consideration. A little weird how most companies are extremely hesitant due to concerns about compliance, regulatory and privacy issues and yet unbeknownst to them (but known to you apparently), privacy isn't even a consideration at DB! You might have legitimate complaints about the level of security DB offers, but to claim privacy isn't even a consideration is just stretching it to absurdity because DB would have ZERO chance or selling to a large portion of its highest paying customers if privacy and security weren't considerations at all.
My email contains far more sensitive information than Dropbox holds. I still let Google see my unencrypted emails without bitching.
I can't comprehend why people who are less than 1% of dropbox users think the service should change to be something it isn't for a feature they don't get or demand elsewhere.
>I hope it's obvious to most people that Dropbox wouldn't be able to do stuff like reset your password if they didn't have access to the contents of your files at some level
Those are pretty damn high hopes even for the average user from the generation that grew up with computers.
I'm surprised there are not more people on HN who don't use Dropbox due to NSA/privacy concerns. Do you really want to worry about all your files, which are probably your most valuable ones, being out in the open to any Dropbox, NSA, or other law enforcement employee? Do you really trust Dropbox to not have a repeat of accidentally allowing your files to be publicly viewable by anyone? When there are encrypted alternatives that are as easy to use, there is seemingly no point of using Dropbox.
In 2015, the only sensible approach to security is to consider every machine you touch to be compromised, all the time. And yet I still store financial information on Dropbox - pay slips, bank records, mortgage documents, wills. Why would I care? I don't put download links to them on every email I send out of course, but if they would 'leak', it wouldn't make a material difference to my life. While the ease with which I can access and keep track of them does.
Same with medical information - what do I care that anyone knows how strong my prescription glasses are? Or if I'd got some serious disease tomorrow, what sort of treatment I get? I'd have to disclose if I wanted to get life insurance anyway.
I no longer see a rational reason for trying for absolute secrecy on things like this. The cat's out of the bag.
reply