Cloud file storage and syncing service Dropbox is arguably one of the hottest startups in Silicon Valley. It recently hit two big milestones: 25m users, and 200m files saved each day, and appears to have a very bright future.

But it also has a bit of explaining to do following a change to its Terms of Service.

The change: a clause indicating that Dropbox will “[cooperate] with United States law enforcement when it receives valid legal process, which may require Dropbox to provide the contents of your private Dropbox”.

As part of this, the company “will remove Dropbox’s encryption from the files before providing them to law enforcement.” Standard fare legal terms typical for such a service, right?

Yes, but there’s just one problem: Dropbox isn’t supposed to be able to do this. As noted by software developer Miguel de Icaza, who started the GNOME project, Dropbox has previously created the impression that it can’t access user files even if it wants to.

In addition to promoting the fact that “All files stored on Dropbox are encrypted”, it tells prospective users that “Dropbox employees are unable to view user files.” This is reiterated over and over again: “Dropbox employees aren’t able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc., not the file contents)”.

To lay users in particular, the message seems clear: “your files are safe with us, and even we can’t access them”.

Obviously, this issue is somewhat academic, as most users aren’t going to find themselves the subject of a legal process. But it does call into question how Dropbox promotes itself. At a minimum, it seems fair to say that it is being misleading in how it presents its security features.

That’s a bad strategy for a company with a lot of potential. Already, Dropbox’s Terms of Service change is only serving to highlight serious questions about the company’s entire security architecture, and it provides an opening for companies that are more transparent about theirs. Will this put a dent in its growth? Probably not, at least in the immediate term.

But as we’ve seen, where there’s a vulnerability, there’s a way, and if and when a Dropbox security issue emerges in the real world, Dropbox may learn the hard way that users are a lot less forgiving when they feel like they’ve been misled.