On SoloSez recently, someone asked whether Dropbox is secure or not, to which someone responded “Treat it as insecure, because the consumer version is insecure.” I thought my response might be worth posting here, as well:

Dropbox is most certainly not insecure.

In fact, secure/insecure is not a binary thing. There is a security spectrum, and Dropbox is somewhere in the pretty-secure-but-not-as-secure-as-it-could-be-if-it-made-a-few-more-tradeoffs range on that spectrum. It is secure enough for some (including some lawyers) and not secure enough for others. Or, if you like, Dropbox is secure enough for some uses, but not secure enough for others. Plus, there are ways to make Dropbox more secure, so that it can make everybody happy.

Asking whether Dropbox is secure or not is asking the wrong question. What you need to figure out is (1) what security measures Dropbox takes, and (2) whether you and your clients are comfortable with those security measures. Most lawyers aren’t sufficiently technologically competent to accurately answer the first question, much less decide the second — and that is a problem. But maybe I can help a bit with that.

What measures does Dropbox take? Here are the ones I think are relevant:

  • Dropbox does not encrypt your files before they leave your computer.
  • Dropbox does transmit your files from your computer to its servers using SSL encryption.
  • Dropbox encrypts your files for storing on its servers.
  • Dropbox has the ability to decrypt your files.
  • Dropbox has strong internal protections against the wrong person decrypting your files, or any person decrypting your files for an unauthorized reason.
  • Dropbox will obey legal process, even if it means providing your data to another party without notifying you first.
  • Dropbox does not claim to own your data, although people routinely raise the alarm that it does.

If that sounds like Greek to you (assuming you do not speak Greek, in which case pretend I wrote “If that sounds like Chinese to you …”), then maybe the following comparisons will help.

Note that I wrote objectively, but we could probably have a lively argument about each of those statements that would involve a lot of words that sound like Greek/Chinese to most people. As in all things tech that relate to clients, I think you have a duty to become competent enough to judge for yourself. The ability to have those arguments is important. But hopefully this will help you make a decision in the meantime.

(As for me, I use Dropbox, but I also use Viivo for additional security for client files, among other things. This involves tradeoffs that make Dropbox less useful, but I’m willing to live with them.)


What I didn’t add — but probably should have — is that Dropbox is probably more secure than your own file and Exchange server unless you have an expert IT security professional keeping a close eye on it.