ProtonBlog(new window)
Is Dropbox secure?

Is Dropbox secure?

Share this page

Dropbox is one of the biggest names in cloud storage(new window), which is why you might be surprised to learn it doesn’t use the most secure encryption algorithms and doesn’t protect your privacy.

While Dropbox is secure from outside attack, it has suffered data breaches in the past. It also does not use end-to-end encryption, and the company can access your files at any time. In this article, we’ll explain what this means and how you protect your files in the cloud for free without giving up your privacy.

Is Dropbox encrypted?
How secure is Dropbox really?
What to use instead of Dropbox

Is Dropbox encrypted?

At first glance, Dropbox offers solid security, both in transit to and from your device as well as at rest on its servers. In-transit security is handled by TLS(new window), a standard but powerful encryption protocol used by pretty much all online services. For example, we also use it to encrypt your internet connection while you read this article.

Once the files arrive on Dropbox’s servers, they’re decrypted on receipt and then encrypted again, this time using AES-256. This is a secure encryption algorithm used by governments, militaries, and corporations around the world. We at Proton use it in all our services ourselves.

This method, where files are encrypted in transit, then decrypted before being encrypted again at rest, is used by many cloud storage services to protect against cybercriminals. The problem is that Dropbox overlooks a key threat to your security and privacy: itself.

How secure is Dropbox really?

When you talk about security, usually you mean threats from outside. When you rent a storage unit, you put a lock on it to make sure nobody enters it and steals your possessions. You’re not worried about your old furniture running away on its own. 

However, when you’re talking about data, you do need to worry a little about what is done with your information by the people you’re storing it with. It doesn’t matter how well the service protects you from outside attack, it’s not really secure if the company’s employees can access your files. 

In the case of the storage unit, you can use your own locks so only you have the keys. With digital storage, you can use something called end-to-end encryption(new window) (also called client-side encryption), a security method in which files are encrypted automatically on your device before being uploaded to the server. Your storage provider does not have a key to your data, and the files are inaccessible to the people operating the service.

Dropbox does not offer end-to-end encryption in any way. As the company makes clear on its website(new window), if you want to use end-to-end encryption, you’ll need to use a third-party encryption tool and upload the encrypted files to Dropbox. This is inconvenient and renders many critical functions, like file syncing, impossible.

Dropbox doesn't use private keys

Dropbox certainly has internal safeguards to prevent its employees from accessing user data, but this requires a lot of trust on the part of consumers. Even if Dropbox successfully avoids insider threats, there’s also the possibility of human error. One of the biggest breaches in cloud storage history was the 2012 Dropbox hack(new window) where an employee kept reusing his password, got hacked, and left 68 million users’ passwords compromised.

You’d think an employee of a tech company would know never to reuse passwords, but it goes to show that human error can play an important part even in high-tech scenarios.

Dropbox privacy issues

Apart from security risks, the lack of client-side encryption means Dropbox is not private. As Dropbox explains in its privacy policy(new window), it shares your files, account information, contacts, and other personal data with other companies, such as Google, Amazon, and OpenAI. Even if you don’t mind Dropbox having your data, you might not want Dropbox to spread them around the internet.

On top of that, Dropbox is an American company that must comply with government requests for data. Because Dropbox can access your files, the company can also share those files with the authorities(new window)

What to use instead of Dropbox

Dropbox may have been the first cloud storage service, but the way it handles customer data is outdated: There’s no need to forego client-side encryption. 

At Proton, we use end-to-end encryption for all our services, including on our 1 GB free plan. You can upload, sync, share, and even preview your files, secure in the knowledge that they can’t be read by anybody but you and whomever you choose to share them with — which is why we also call it zero-access encryption.

Our code is open source and audited by independent security experts. This gives our community confidence that our encryption works the way we claim, and there’s no need to take our word for it.

On top of that, we don’t share your data with anybody. Our business model is based on subscriptions for more storage and extra features, not on advertising. Even if we wanted to share your data, we couldn’t because we don’t have access to it. Our end-to-end encryption even applies to important metadata.

Unlike Dropbox, we’re based in Switzerland, where your data is protected by some of the world’s strongest privacy laws. We would only turn over the little data we do have if ordered to by a Swiss court.

The reason we do all this is because we believe that offering a good, easy-to-use storage service isn’t enough — we also need to be part of creating a better and more private internet. This has been our mission ever since we launched, thanks to community support(new window), back in 2014, and it continues to be today. If that sounds like something you’d like to be a part of, join us and create a free Proton Drive account today.

Keep your files private, share them securely
Get Proton Drive free

Share this page

Fergus O'Sullivan(new window)

Fergus has been a writer, journalist, and privacy advocate for close to a decade. In that time he has run investigations of the privacy industry, written on policy, and reviewed more programs and apps than you can shake a stick at. Before starting work at Proton, he worked for publications such as How-to Geek and Cloudwards, as well as helping host events at conferences like RightsCon.

Related articles

Your passwords are some of your most sensitive personal information. They’re the keys that allow you to access your online accounts, be it your cloud storage, email inbox, or banking accounts. Proton Pass helps millions of people safeguard their pass
In recent months, we’ve brought a lot of big additions to the Proton ecosystem, such as Proton VPN for Business, Proton Sentinel, Password Sharing in Proton Pass, and Proton Drive photo backups in beta. By comparison, we haven’t said a lot about Prot
Most email addresses use the default domain provided by their email service. For Proton Mail accounts, it’s proton.me. For Gmail, it’s gmail.com. These are usually free and work just fine for most people. But there are situations where it makes sens
Proton Drive MacOS launch
Cloud storage is a critical piece of our mission to build an internet that protects your privacy and secures your data. It’s where you keep your most sensitive files, from personal photos to identity documents. Unfortunately, the leading cloud storag
How to password protect a folder
Putting a password on your folders is a great way to protect sensitive files while they’re on your system. It’s pretty easy to do regardless of your operating system, and this article will take you through each step. Note though, that password prote
What is encryption?
Encryption is a way to hide information so private data is kept that way. Without encryption, anybody could access your communications. In this article, we go over how it works and some of the different types of encryption there are. The short expla