Dropbox is a favorite among Lawyerist writers and commentators. Although there has been a recent uproar over the security of cloud storage, there has not been much discussion of Dropbox.

Dropbox recently came under fire for a security issue with its mobile app, and it is worth taking a closer look at.

The problem: unencrypted metadata

When you use the Dropbox mobile app on your smartphone, it transmits your metadata in the clear. Translation: when you look at a file in your Dropbox mobile app, the name of the file is visible and can be read by anyone who happens to intercept the transmission. The content of the file, however, is not visible.

Allegedly, in addition to the name, a snooper could also find out the modification time, the size, and whether the item is a directory or a file.

The risk seems remote, but it is very real

First of all, this risk requires someone to be snooping around and capturing data from your smartphone. Second, it requires that you are using your Dropbox app and accessing a file whose name reveals something. The likelihood of both of those happening is low. That said, it is still a possibility, and potentially damaging.

Take the scenario to the next step. You are sitting outside court, reviewing your client’s affidavit on your Dropbox mobile app. Opposing counsel already has that document (in all likelihood). A data snooper would only see something like “March 5 Client Aff.”

The way this becomes an issue is if somehow your file name reveals something you do not want to disclose or something you have to hold in confidence. For example, you interviewed a witness and named your file “Notes from pcall with NAME.” Or if you represent a company that is in talks to buy another company, and named the file “Purchase agreement for COMPANY X.”

How to eliminate the risk

The easiest solution is to not use the Dropbox mobile app: delete it from your smartphone. The risk is minimal, since there are easier ways to steal data, but it is still a risk. You can also be more careful about what you name your files. Or, purposefully avoid opening any file whose name reveals information when you are on the move.
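Because only the file name travels in the clear, the practical control is to know which names would give something away before they sync. The script below is an added example, not code from the Lawyerist post or from Dropbox: it walks a list of metadata records shaped after the four fields the post describes (name, modified time, size, is-directory) and flags any file whose name alone matches a firm-supplied list of confidential terms or a generic "revealing" pattern such as "notes from ... with" or "purchase agreement for". The record layout, the pattern list and the sample file names are assumptions constructed for the example.

```python
"""Audit file names for content that a cleartext metadata leak would expose.

Added example (not from the post or from Dropbox). Assumes a metadata record
with the four fields the post lists, and a caller-supplied list of
confidential terms (client names, counterparties, matter names).
"""
import re
from dataclasses import dataclass


@dataclass
class FileMeta:
    # Hypothetical record shaped after the fields the post says are exposed.
    path: str       # full path; only the final component is checked
    modified: str   # modification time (ISO 8601 text, constructed)
    size: int       # size in bytes
    is_dir: bool    # directory or file


# Generic patterns that tend to name a person, a counterparty or a deal.
# These are illustrative starting points; a firm would tune them.
GENERIC_PATTERNS = [
    re.compile(r"\b(notes? from|call with|pcall with|interview with)\b", re.I),
    re.compile(r"\b(purchase|merger|acquisition|settlement) (agreement|offer)\b.*\b(for|with)\b", re.I),
]


def revealing_names(records, confidential_terms):
    """Return (path, reason) for each record whose bare file name matches a
    confidential term or a generic revealing pattern.

    Only the name is inspected, because that is the part the post says is
    sent unencrypted; the content of the file never enters this check.
    """
    term_patterns = [(t, re.compile(re.escape(t), re.I)) for t in confidential_terms]
    hits = []
    for rec in records:
        name = rec.path.rsplit("/", 1)[-1]
        for term, rx in term_patterns:
            if rx.search(name):
                hits.append((rec.path, f"contains confidential term '{term}'"))
                break
        else:
            # No explicit term matched; fall back to the generic patterns.
            for rx in GENERIC_PATTERNS:
                if rx.search(name):
                    hits.append((rec.path, f"matches pattern /{rx.pattern}/"))
                    break
    return hits


# Constructed sample records mirroring the post's own examples.
SAMPLE_RECORDS = [
    FileMeta("/Clients/March 5 Client Aff.pdf", "2011-04-20T09:00:00Z", 12000, False),
    FileMeta("/Clients/Notes from pcall with Jane Doe.docx", "2011-04-21T14:30:00Z", 4000, False),
    FileMeta("/Deals/Purchase agreement for Acme Corp.docx", "2011-04-22T11:15:00Z", 90000, False),
    FileMeta("/Deals", "2011-04-22T11:15:00Z", 0, True),
]

# Constructed confidential-term list (a witness and a counterparty).
SAMPLE_TERMS = ["Acme Corp", "Jane Doe"]


def audit_sample(confidential_terms=SAMPLE_TERMS):
    """Run the audit over the constructed sample and return the flagged paths."""
    return revealing_names(SAMPLE_RECORDS, confidential_terms)


if __name__ == "__main__":
    for path, reason in audit_sample():
        print(f"{path}: {reason}")
```

The generic patterns catch the two cases the post gives as examples even with an empty term list, and the explicit term list takes precedence so a report says which client or counterparty a name exposes. Running this against a local Dropbox folder before files are opened on a phone is a cheap way to apply the "be careful what you name your files" advice systematically rather than from memory.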

Dropbox has said they are reevaluating how metadata is transferred, so the issue may get a fix in the near future.

(photo: http://www.flickr.com/photos/mdare55/5117139039)


  1. Laura Thatcher says:

    It’s good to be aware of the potential risk of using Dropbox in my mobile app. The ability to use Dropbox to access my files on my phone or iPad is the primary reason I use it. I think the best solution is simply to be careful how I name my files.

  2. Julie K. says:

    Most firms have long-held naming conventions, so I doubt it is realistic to change the names of a client file with all its contents when you go to trial. Especially in a paperless office. I guess you could use LogMeIn or VPN to access files if the names are too revealing. How easy is it really for opposing counsel to see the metadata? What level of technical capabilities and software would they need? Most don’t bring a paralegal or associate to trial, so how likely are they to have an IT person or the technical expertise? For that matter, many don’t even bring a laptop.

    • If someone is snooping your data, they are likely violating a number of laws. That said, it is still a risk, but it requires three steps. One, you have to access the actual file on your mobile Dropbox App. Two, someone has to be snooping. Three, it’s only an issue at that point if your file name reveals something.

  3. Julie K. says:

    I just read the article and it warns against it over public WiFi in particular. I think many of us know it is not a best practice for any attorney to use public WiFi and one should use their own. We tether with WPA2 encryption to iPhones. Would this alleviate the risk?
