Q: Is File Sync (Dropbox, et al.) Safe?
This is a world you’ll never understand. And you always fear what you don’t understand. — Carmine Falcone, in Batman Begins
A: Yes, essentially. And fine under the ethics rules. Most of what you may have heard to the contrary comes from people who don’t understand the cloud — so they fear it.
What is file sync?
File sync is awesome, that’s what it is. The basic idea is as the name suggests: software that syncs up your files across your devices (in other words, you can have the same files on all your computers, tablets, phones, etc.). With most services, you can also access your files using a browser. It sounds simple, but the ability to have all your files, all the time, no matter where you are, is amazing. It gives you ultimate flexibility when it comes to how, when, and where you work.
When I talk about file sync, I default to talking about Dropbox. That’s because it was one of the first file sync services, and it continues to do it better than anyone else. If you are using file sync (or thinking about it), you are probably using Dropbox.
Is file sync safe?
I think Eric Cooperstein covered this rather well:
Dropbox is more secure than anything most lawyers have used to secure their files from the Battle of Hastings until about 5 or 10 years ago. Only the rare lawyer doing unusually sensitive work, such as cutting-edge IP and M & A of publicly traded companies, such that the lawyer is likely to be a target for motivated hackers, needs to worry about a higher level of security. 11 jurisdictions that have issued opinions on cloud security have said that the standard for protecting confidential information is reasonableness. Dropbox is just fine for most solo and small firm lawyers’ client files.
He’s right. Whatever security issues Dropbox may have (and I will get to those in a moment), it is almost certainly more secure than whatever you could accomplish on your own. Here is how Dropbox — and most file-sync services, for that matter — work.
First, you install a small Dropbox utility on your computer, which creates a Dropbox folder on your computer. Anything you put in that folder (or, in the case of other sync utilities, in a folder you tie to the sync utility) gets synced. The utility keeps track of changes to your files and takes care of uploading and downloading changes.
Your data is uploaded over an encrypted connection. The data itself is not encrypted, but the “pipe” is secure. This is similar to how your bank transmits your financial information when you view your accounts or make transactions online. Once the data gets to Dropbox’s servers, it is encrypted and stored. That means Dropbox technically has the key to your data. Ordinarily, it only uses that key when you ask it to, such as when you upload or download data using your utility, or when you log into the website to view your files in a browser. Of course, Dropbox will also decrypt your files pursuant to a subpoena or court order.
For some people, the fact that Dropbox keeps the encryption key is unacceptable. It does not bother me, because I figure I would have to give up my data if it were subpoenaed or if a court ordered me to, too. I also want the extra features, like the ability to access my files from a browser, and the ability to let third-party software store data in my Dropbox account. (Lots of mobile apps give you the option to do this — and it makes mobile apps far more useful. John Gruber even believes Apple should buy Dropbox, because iOS is nowhere near as good without it.)
But if that is a dealbreaker, you can get more security and still sync your files.
If you fear a subpoena of your data more than I obviously do, check out Mark Bennett’s post at Defending People.
Do you need more security?
If you just can’t stomach the idea of trusting Dropbox with your data, but you still want to be able to sync your data, there are alternatives. You could use SpiderOak or Wuala. Neither gives you anything like the full range of features you get from Dropbox, but they do encrypt your files before uploading them, which means only you can decrypt them.
Before you decide to go with SpiderOak or Wuala “just to be safe,” consider a few things. First, Dropbox is huge, and it has been tested. I am fairly sure Dropbox is a huge target for malicious hackers, but it has so far had only minor problems. I am satisfied with its performance under fire, which is why I still trust Dropbox with my files.
Second, no matter which service you choose, anyone with your username and password will be able to access your files. When it comes to people who do not know your username and password, SpiderOak and Wuala are theoretically safer only from those who might be able to intercept your data in transit. This is because they essentially double-encrypt your data in transit, while Dropbox only encrypts the pipe through which your data is transmitted, not the data itself. Since Dropbox stores your data encrypted, your data is just as secure sitting on Dropbox’s servers as on SpiderOak’s or Wuala’s.
Finally, if SpiderOak and Wuala are handed a subpoena or a court order for your data, they can only hand over the encrypted files, which will not be particularly useful to anyone. If you are the sort of person who would fight such a subpoena, this would give you the option to do so. I am not sure how hard Dropbox would fight (if at all) before handing over your data, or if they give you notice in time to fight it yourself.
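The difference described above, between a provider that holds the key and one that only ever receives files already encrypted on your device, can be shown in a few lines. This is an added illustration, not code from Dropbox, SpiderOak or Wuala; the class names, the sample memo and salt, and the HMAC-based cipher (a standard-library stand-in for a real cipher such as AES-GCM) are all constructed for the example.

```python
import hashlib, hmac, os

# Constructed sample data; the cipher below is a stdlib-only stand-in for AES-GCM.
MEMO = b"Privileged: draft settlement memo (constructed sample)"
SALT = b"constructed-salt"

def _sub(key, label):                  # separate subkeys for encryption and MAC
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, nonce, n):            # HMAC-SHA256 in counter mode
    return b"".join(hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, plaintext):              # encrypt, then authenticate nonce + ciphertext
    nonce = os.urandom(16)
    pad = _stream(_sub(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, pad))
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrong key or modified data")
    pad = _stream(_sub(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, pad))

def key_from_password(password, salt): # derived on the user's device only
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class ProviderKeyService:
    """Provider encrypts at rest with a key it holds (the Dropbox model in the text)."""
    def __init__(self):
        self._key, self.stored = os.urandom(32), {}
    def upload(self, name, plaintext):         # provider sees plaintext on arrival
        self.stored[name] = seal(self._key, plaintext)
    def respond_to_court_order(self, name):    # provider can decrypt
        return unseal(self._key, self.stored[name])

class ClientKeyService:
    """Provider stores whatever it is sent and has no key (SpiderOak/Wuala model)."""
    def __init__(self):
        self.stored = {}
    def upload(self, name, sealed_blob):       # already encrypted on the device
        self.stored[name] = sealed_blob
    def respond_to_court_order(self, name):    # can only hand over ciphertext
        return self.stored[name]
```

In both models the stored bytes are ciphertext; what differs is who can turn them back into the memo, and in the second model that is anyone who has the password and no one else.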
Oh, and one last thing. Consider how many people have a “key” to your data now. If you do not encrypt your hard drive, that includes anyone who could walk off with your laptop. At a minimum, it includes everyone with access to your computer. It also includes everyone with a physical key to your office.
In short, before you worry too much about which file sync service to use, make sure you have taken care of the security in your home and office.