Dropbox, privacy and business: what the new T&Cs reveal
Dropbox also made a point of addressing government requests for data in its Government Data Request Principles, which guide its responses to these requests:
- Be transparent
- Fight blanket requests
- Protect all users
- Provide trusted services
Trust has been essential since Snowden changed our understanding of how governments monitor us, and Dropbox’s updates are clearly designed to alleviate our concerns about storing data with Dropbox. That said, the new terms and conditions don’t change the fact that Dropbox may decrypt your data if required to do so. Its Security Overview includes this reminder in the context of legal compliance and law enforcement:
Of course, you could address this by adding your own encryption locally, which would, in turn, affect the service’s usability. It is a trade-off you may be comfortable with, though.
Dropbox for Business
Email address. If you sign up for a Dropbox account with an email address provisioned by your employer, your employer may be able to block your use of Dropbox until you transition to a Dropbox for Business account or you associate your Dropbox account with a personal email address.
Using Dropbox for Business. If you join a Dropbox for Business account, you must use it in compliance with your employer’s terms and policies. Please note that Dropbox for Business accounts are subject to your employer’s control. Your administrators may be able to access, disclose, restrict, or remove information in or from your Dropbox for Business account. They may also be able to restrict or terminate your access to a Dropbox for Business account. If you convert an existing Dropbox account into a Dropbox for Business account, your administrators may prevent you from later disassociating your account from the Dropbox for Business account.
This section is new to the Terms of Service. What may concern users who use their work email addresses as their Dropbox usernames is that their access to their Dropbox accounts can be limited if their employers start using Dropbox for Business and provision work email addresses as usernames for the business service. In particular, you may find your account blocked until you transition it to a Dropbox for Business account or associate it with a personal email address.
Many people use business email addresses for personal email and as their usernames for their social services. This is a really bad idea, largely because you don’t have much control over those accounts and, because they are business email accounts, your employer can usually access your emails. If your employer has access to your emails and your email account is the primary email address associated with your Facebook, Twitter or other profiles, your employer potentially has access to those profiles too. Because your employer would have direct control over your Dropbox account, it won’t even need to decrypt your data if a government were seeking access to it.
Dropbox’s reminder about the consequences of associating a personal Dropbox account with a business email address highlights another reason you should associate your personal accounts and communications with personal email addresses you have meaningful control over and access to. Of course, if you are using Mailbox to manage your email, your email may be stored on Dropbox too, and this only expands your potential exposure to scrutiny.
On the whole, Dropbox is a pretty secure service. It uses pretty strong encryption and other security measures, but these can be circumvented by law enforcement bodies and, if you happen to use a business email address as your Dropbox username, possibly even your employer. Perhaps the big lesson to take from the Dropbox terms and conditions is not whether you should trust Dropbox but whether you are taking enough care to protect your data.