Cloud file storage and syncing service Dropbox is arguably one of the hottest startups in Silicon Valley. It recently hit two big milestones, 25m users and 200m files saved each day, and appears to have a very bright future.

But it also has a bit of explaining to do following a change to its Terms of Service.

The change: a clause indicating that Dropbox will "[cooperate] with United States law enforcement when it receives valid legal process, which may require Dropbox to provide the contents of your private Dropbox".

As part of this, the company "will remove Dropbox’s encryption from the files before providing them to law enforcement." Standard legal terms, typical for such a service, right?

Yes, but there's just one problem: Dropbox isn't supposed to be able to do this. As noted by software developer Miguel de Icaza, who started the GNOME project, Dropbox has previously created the impression that it can't access user files even if it wants to.

In addition to promoting the fact that "All files stored on Dropbox are encrypted", it tells prospective users that "Dropbox employees are unable to view user files." This is reiterated over and over again: "Dropbox employees aren't able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc., not the file contents)".

To lay users in particular, the message seems clear: "your files are safe with us, and even we can't access them".

Obviously, this issue is somewhat academic, as most users aren't going to find themselves the subject of a legal process. But it does call into question how Dropbox promotes itself. At a minimum, it seems fair to say that it is being misleading in how it presents its security features.

That's a bad strategy for a company with a lot of potential. Already, Dropbox's Terms of Service change is only serving to highlight serious questions about the company's entire security architecture, and it provides an opening for companies that are more transparent about theirs. Will this put a dent in its growth? Probably not, at least in the immediate term.

But as we've seen, where there's a vulnerability, there's a way, and if and when a Dropbox security issue emerges in the real world, Dropbox may learn the hard way that users are a lot less forgiving when they feel like they've been misled.

Published 21 April, 2011 by Patricio Robles

Patricio Robles is a tech reporter at Econsultancy.

Comments (5)


Peter Austin, MarketingXD

Dropbox seem to be changing this wording every day. The current version seems to have got even looser. It's at:

"Compliance with Laws and Law Enforcement Requests; Protection of Dropbox's Rights. We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) to protect Dropbox’s property rights. If we provide your Dropbox files to a law enforcement agency as set forth above, we will remove Dropbox’s encryption from the files before providing them to law enforcement. However, Dropbox will not be able to decrypt any files that you encrypted prior to storing them on Dropbox."

So Dropbox will provide files to "parties outside Dropbox" if "we have a good faith belief that disclosure is reasonably necessary to comply with a ... regulation".

This means they would not only give your information to the police, but also to e.g. tax authorities such as the IRS or Inland Revenue. And I wonder what would happen if the RIAA came knocking?

about 7 years ago



Data protection is a very important entity of any business dealing.

It is therefore important that Cloud file storage and syncing service Dropbox ensures people using the service are protected and of course in compliance with the law.

Compliance with the Law cannot be overlooked as this is vital and good for the security of the general public.

about 7 years ago


Lewis LaLanne aka Nerd #2

The internet is still in the Wild Wild West era.

Being that's the case, I don't trust any kind of storage online, especially when it comes to a government who uses force to get what they want.

Prison/freezing of assets/and god knows what else they threaten... or let them see what I have in my folders in the interest of national security... not a tough decision when I put myself in the shoes of 99.9% of the corporate boards running these companies.

Unless I know there's a Larry Flynt behind a company, I don't pay any mind to any promises of keeping my data secure from the government.

about 7 years ago


Teran Vista

Misleading your customers does nothing except spoil your image. It takes too much time to develop goodwill, but you lose it all in just one second. Always be supportive to your customers and help them as much as you can. Assure them that you are here for their help, not just to earn money.

about 7 years ago


Jesse Barnes

Yikes~! That's unfortunate. For them, I mean. People don't react to this type of thing well at all. At least not on the internet where you've got mob mentality AND anonymity.

about 7 years ago
