Dropbox was the first mainstream cloud storage provider, and still the biggest player on the market, with 700 million users(new window) in 2022. We took a dive into Dropbox’s privacy policy to see how well the company protects the personal data of those millions of people.
Turns out, there are some serious issues. Not only does Dropbox collect a lot of information about you, it can also share it with whomever it wants, including commercial partners and law enforcement. Being a Dropbox customer means giving the company a large measure of control over your data.
This article breaks down the Dropbox privacy policy and explains how our private Dropbox alternative, Proton Drive, differs in fundamental ways.
Taking a look at Dropbox privacy
Dropbox’s privacy policy(new window) is effectively split into two sections: the first part describing the data the service collects and a subsequent section listing all the entities Dropbox might share your data with. To its credit, Dropbox lays out all these terms clearly in a way anyone can understand. There’s also an FAQ(new window) page that goes into a bit more depth on certain topics.
What data Dropbox collects
The first thing you notice in the privacy policy is how much information Dropbox collects. Besides your email address — a core part of your online identity — Dropbox also collects your name, phone number, physical address, and your payment information.
Dropbox also collects and stores data associated with the files you upload, referred to as “Your Stuff.” This includes the size of the file, when and from where it was uploaded, with whom it was shared — Dropbox also collects data about your contact list — and any activity in the files.
In fact, file activity gets its own subsection in the privacy policy, and it’s clear why. Dropbox seems to keep a record of practically anything you could do with a file. Creating, editing, sharing, etc. — it all gets logged somewhere for Dropbox’s use.
Finally, Dropbox also gathers a lot of information about the devices you use to access the service, as well as your IP address(new window), a unique identifier that can help determine your physical location. While this can have a legitimate purpose, like troubleshooting, it seems odd that Dropbox preemptively collects this.
There’s more, but these seem to be the main data points that Dropbox seems to gather on its customers. What does the company do with this treasure trove, though?
What does Dropbox do with all that data?
Dropbox states it does not sell your data to advertisers or third parties.
However, that doesn’t mean that it doesn’t share it.
What’s most surprising is the number and kinds of third parties on the receiving end of your data. They include companies with extremely poor track records when it comes to privacy, including Google, Amazon, and OpenAI.
Some of these make sense in the context that Dropbox provides, like support portal ZenDesk, or payment provider Stripe, or even Amazon Web Services, which likely hosts Dropbox’s servers. However, there are also some that should make anybody think twice, like Google, a company that sells data as a business model.
Other less well-known companies include Kissmetrics, which analyzes data for advertisers, and OpenAI, the company that developed ChatGPT, known for cutting corners when it comes to users’ privacy.
That’s not all of it, either. As a business headquartered in the United States, Dropbox has to comply with US search warrants and other orders, which may be secretive(new window) and are often easy to get(new window). This means your data could be seized on even flimsy pretexts. As a result, Dropbox gets a lot of requests from law enforcement(new window).
However, it gets worse: Dropbox also makes explicit that it’s more than happy to share data with the authorities on its own judgment. Where all cloud services are forced to cooperate with law enforcement when a warrant is served, Dropbox makes it very clear that it will volunteer information. No wonder Edward Snowden called it a “wannabe PRISM partner(new window).”
What it means for consumers
Dropbox doesn’t advertise as a privacy service, but even with that in mind it’s shocking how much data it collects and with whom it shares it. It pretty much knows everything it’s possible for them to know about you, and is more than happy to share it with marketers — its own, as well as third parties.
Worse yet, it also makes clear it will share data with police in the “public interest,” a term so vague it can be used to justify any kind of situation. All we know for sure is that privacy isn’t a matter of public interest according to Dropbox.
What makes it worse is that to harvest all this data it has made its users less secure. To see what users are doing on your platform, you must be able to decrypt their files. In other words, Dropbox does not use end-to-end encryption, the most secure form of data protection. This weak focus on security has led to a long string of Dropbox security incidents.
Even if you’re fine with Dropbox knowing about your private data (and why would you be?), the fact that this practice also makes it unsafe should give you pause.
A private Dropbox alternative
We developed Proton Drive to give our community a secure cloud storage service that takes your privacy seriously. Unlike with Dropbox, your privacy isn’t something we can take away on a whim — it’s included by default.
For example, we don’t collect much data about our customers. We have your email, your payment information if you upgrade your plan, and that’s about it. (You can see how we minimize data collection in our privacy policy.) We just have no interest in having that data because our business model is based on offering private and secure services to our customers. We’re funded entirely by our community and thus don’t need to sell data to advertisers.
We’re also less exposed to law enforcement orders since we’re based in Switzerland and thus are subject to Swiss privacy laws, some of the strictest in the world.
Even if we wanted to access your data or share it, we can’t. Proton uses end-to-end encryption on all our apps. This means your files are encrypted on your device before they’re uploaded to our servers. This protects your privacy, but also makes it so there’s not much for hackers to steal in case of a breach.
All this is part of our mission to create a better internet. If that, as well as a more secure, private cloud storage alternative, sounds like something you’d want to be part of, create a free Proton Drive account and join us.