UPDATE: Dropbox answered; they deny it and think it’s my error. See below.
Even if there were rumors that Dropbox could access files, I somehow felt safe having everything in there that I consider private documents. This changed this weekend.
A friend messaged me, telling me that I might have mistakenly moved a certain private document into a shared folder. Shocked (I thought no one ever saw this document), I looked at the shared folder, but the document couldn’t be found, neither in the iOS app, nor on the Mac. I asked my friend to send me screenshots, and he had the file there, and could also tell me the contents. (I don’t blame him, I’d have looked at it too.)
Here are the screenshots. His is the Android screenshot with the critical file circled (“Eurowerte.doc”, which is in another folder called “Tim” in my Dropbox that I never ever shared):
I added two screenshots, one from my web login, and one from my finder. My web login (not showing Eurowerte.doc):
… and my Finder window, also not showing the file:
This means I couldn’t delete that file, and I have no idea at all which of my other files appear in other people’s Dropboxes. I share a lot of folders via Dropbox, partly at work, partly privately, but I’m 100% certain that I never shared that particular file. I have never experienced something like this before. But it clearly shows two things:
- Dropbox does ~~in no way~~ encrypt ~~anything~~ everything serverside, but they decrypt it for anyone else using their service, effectively making the encryption only protect the physical hard drives, in case they get stolen or accessed by non-Dropbox software. In any case, it’s no encryption that can only be decrypted by “your” Dropbox user, and also there’s no kind of sandbox in place, so in case of a bug those files can be accessed by other users.
- There are bugs that can let any of your files show up somewhere else. Still.
Technically, I guess this was a rare case of hash collision. Nevertheless, I have to move critical stuff from Dropbox, sadly. I wanted to trust you, but you’ve let me down.
UPDATE: I’ve contacted Dropbox about this, let’s see if they answer.
UPDATE 2: They answered this:
This appears to be false? No, it is proven to be true. Whether it’s a case of hash collision was just an educated guess; of course it can be any other kind of bug. I also checked my links, but I have never shared or linked to that file. Also, I don’t hate Dropbox; in fact, I like the service a lot. But if there’s a bug that came into my line of sight more or less accidentally and usually wouldn’t have been found, I expect Dropbox to find and fix it.