Dropbox is one of the biggest names in cloud storage, which is why you might be surprised to learn it doesn’t use the most secure encryption algorithms and doesn’t protect your privacy.
While Dropbox is secure from outside attack, it has suffered data breaches in the past. It also does not use end-to-end encryption, and the company can access your files at any time. In this article, we’ll explain what this means and how you protect your files in the cloud for free without giving up your privacy.
Is Dropbox encrypted?
At first glance, Dropbox offers solid security, both in transit to and from your device as well as at rest on its servers. In-transit security is handled by TLS, a standard but powerful encryption protocol used by pretty much all online services. For example, we also use it to encrypt your internet connection while you read this article.
Once the files arrive on Dropbox’s servers, they’re decrypted on receipt and then encrypted again, this time using AES-256. This is a secure encryption algorithm used by governments, militaries, and corporations around the world. We at Proton use it in all our services ourselves.
This method, where files are encrypted in transit, then decrypted before being encrypted again at rest, is used by many cloud storage services to protect against cybercriminals. The problem is that Dropbox overlooks a key threat to your security and privacy: itself.
How secure is Dropbox really?
When you talk about security, usually you mean threats from outside. When you rent a storage unit, you put a lock on it to make sure nobody enters it and steals your possessions. You’re not worried about your old furniture running away on its own.
However, when you’re talking about data, you do need to worry a little about what is done with your information by the people you’re storing it with. It doesn’t matter how well the service protects you from outside attack, it’s not really secure if the company’s employees can access your files.
In the case of the storage unit, you can use your own locks so only you have the keys. With digital storage, you can use something called end-to-end encryption (also called client-side encryption), a security method in which files are encrypted automatically on your device before being uploaded to the server. Your storage provider does not have a key to your data, and the files are inaccessible to the people operating the service.
Dropbox does not offer end-to-end encryption in any way. As the company makes clear on its website(nieuw venster), if you want to use end-to-end encryption, you’ll need to use a third-party encryption tool and upload the encrypted files to Dropbox. This is inconvenient and renders many critical functions, like file syncing, impossible.
Dropbox certainly has internal safeguards to prevent its employees from accessing user data, but this requires a lot of trust on the part of consumers. Even if Dropbox successfully avoids insider threats, there’s also the possibility of human error. One of the biggest breaches in cloud storage history was the 2012 Dropbox hack(nieuw venster) where an employee kept reusing his password, got hacked, and left 68 million users’ passwords compromised.
You’d think an employee of a tech company would know never to reuse passwords, but it goes to show that human error can play an important part even in high-tech scenarios.
Dropbox privacy issues
Apart from security risks, the lack of client-side encryption means Dropbox is not private. As Dropbox explains in its privacy policy(nieuw venster), it shares your files, account information, contacts, and other personal data with other companies, such as Google, Amazon, and OpenAI. Even if you don’t mind Dropbox having your data, you might not want Dropbox to spread them around the internet.
On top of that, Dropbox is an American company that must comply with government requests for data. Because Dropbox can access your files, the company can also share those files with the authorities(nieuw venster).
What to use instead of Dropbox
Dropbox may have been the first cloud storage service, but the way it handles customer data is outdated: There’s no need to forego client-side encryption.
At Proton, we use end-to-end encryption for all our services, including our cloud storage service Proton Drive. With Drive, you can upload, sync, share, and even preview your files, secure in the knowledge that they can’t be read by anybody but you and whomever you choose to share them with — which is why we also call it zero-access encryption.
With Docs in Proton Drive, you can also enjoy the freedom to create and edit documents with others, knowing your content is protected by end-to-end encryption by default.
Our code is open source and audited by independent security experts. This gives our community confidence that our encryption works the way we claim, and there’s no need to take our word for it.
On top of that, we don’t share your data with anybody. Our business model is based on subscriptions for more storage and extra features, not on advertising. Even if we wanted to share your data, we couldn’t because we don’t have access to it. Our end-to-end encryption even applies to important metadata.
Unlike Dropbox, we’re based in Switzerland, where your data is protected by some of the world’s strongest privacy laws. We would only turn over the little data we do have if ordered to by a Swiss court.
The reason we do all this is because we believe that offering a good, easy-to-use storage service isn’t enough — we also need to be part of creating a better and more private internet. This has been our mission ever since we launched, thanks to community support, back in 2014, and it continues to be today. If that sounds like something you’d like to be a part of, join us and create a free Proton Drive account today.
