topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Wednesday December 11, 2024, 5:30 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Dropbox and privacy (or lack of)  (Read 15406 times)

dr_andus

  • Supporting Member
  • Joined in 2012
  • **
  • Posts: 851
    • View Profile
    • Dr Andus's toolbox
    • Donate to Member
Dropbox and privacy (or lack of)
« on: February 26, 2014, 11:46 AM »
This caught my eye...

Dropbox erects sueball shield with new T&C and privacy legalese • The Register

There are a couple of interesting-looking additions to the policy. Here's one:

    “If you are not a Dropbox for Business user but interact with a Dropbox for Business user (by, for example, joining a shared folder or accessing stuff shared by that user), members of that organization may be able to view the name, email address and IP address that were associated with your account at the time of that interaction.”

That may give you pause before you download something from a Dropbox for Business account.

How would this actually work? I presume that one would need to have the Dropbox app running on the PC or be logged on in a browser for Dropbox to see who exactly had downloaded the given file (?)

Also, is there a way to identify that you're downloading from a Dropbox for Business user, in order to avoid such an interaction? This sounds all too murky to me, and disconcerting...



tomos

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 11,964
    • View Profile
    • Donate to Member
Re: Dropbox and privacy (or lack of)
« Reply #1 on: February 26, 2014, 01:16 PM »
I wonder does all that stick - I mean does it really work if they just say you agree to not do a/b/c? A lot of it seems unreasonable, but I guess the real point is whether it's legal.

I almost posted about the email from dropbox the other day:


email from dropbox about changes to TOS:
We want to let you know about some upcoming updates to our Terms of Service and Privacy Policy. These updates will go into effect on March 24, 2014.

You can find more details on our blog, but here’s a quick overview:

    We’re adding an arbitration section to our updated Terms of Service. Arbitration is a quick and efficient way to resolve disputes, and it provides an alternative to things like state or federal courts where the process could take months or even years. If you don’t want to agree to arbitration, you can easily opt out via an online form, within 30-days of these Terms becoming effective. This form, and other details, are available on our blog.
    We’ve added a section to our Privacy Policy that discusses our recently launched Government Data Request Principles. We’ve also made clarifications to better explain how our services will use your information. For example, we explain that when you give us access to your contacts, we’ll store them so that you – and only you – can do things like share your stuff easily, no matter what device you’re using.
    We’ve also updated our Terms of Service and Privacy Policy to better explain and reflect our growing list of features for Dropbox for Business customers.

While we’ve simplified much of the language, our commitment to keeping your stuff safe and secure hasn’t changed. We don’t sell your personal information to third parties. We don’t serve ads based on the stuff you store in our services. As always, your stuff is yours.

If you have any questions about these updates, you can read more on our blog or email us at [email protected].


TOS: https://www.dropbox.com/terms2014
Blog: https://blog.dropbox...ur-terms-of-service/
Tom

Vurbal

  • Supporting Member
  • Joined in 2012
  • **
  • Posts: 653
  • Mostly harmless
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Dropbox and privacy (or lack of)
« Reply #2 on: February 26, 2014, 01:42 PM »
This caught my eye...

Dropbox erects sueball shield with new T&C and privacy legalese • The Register

There are a couple of interesting-looking additions to the policy. Here's one:

    “If you are not a Dropbox for Business user but interact with a Dropbox for Business user (by, for example, joining a shared folder or accessing stuff shared by that user), members of that organization may be able to view the name, email address and IP address that were associated with your account at the time of that interaction.”

That may give you pause before you download something from a Dropbox for Business account.

How would this actually work? I presume that one would need to have the Dropbox app running on the PC or be logged on in a browser for Dropbox to see who exactly had downloaded the given file (?)

According to their website there's a web-based admin interface. I suspect there's also some way to download some kind of activity log using desktop software or a mobile app.

Dropbox_Admin_Console.png
I learned to say the pledge of allegiance
Before they beat me bloody down at the station
They haven't got a word out of me since
I got a billion years probation
- The MC5

Follow the path of the unsafe, independent thinker. Expose your ideas to the danger of controversy. Speak your mind and fear less the label of ''crackpot'' than the stigma of conformity.
- Thomas J. Watson, Sr

It's not rocket surgery.
- Me


I recommend reading through my Bio before responding to any of my posts. It could save both of us a lot of time and frustration.

dr_andus

  • Supporting Member
  • Joined in 2012
  • **
  • Posts: 851
    • View Profile
    • Dr Andus's toolbox
    • Donate to Member
Re: Dropbox and privacy (or lack of)
« Reply #3 on: February 26, 2014, 03:14 PM »
How would this actually work? I presume that one would need to have the Dropbox app running on the PC or be logged on in a browser for Dropbox to see who exactly had downloaded the given file (?)

According to their website there's a web-based admin interface. I suspect there's also some way to download some kind of activity log using desktop software or a mobile app.
 (see attachment in previous post)

Thanks. But actually I was thinking about it from the non-business users' perspective who do not want to have their personal data collected by Dropbox for Business users. E.g. does one need to log out from all Dropbox accounts and exit Dropbox apps before clicking on an innocent-looking URL of a file that might be coming from a Dropbox for Business account (to avoid being "data collected")?

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,190
    • View Profile
    • Donate to Member
Re: Dropbox and privacy (or lack of)
« Reply #4 on: February 26, 2014, 03:18 PM »
I think that if you want no information to be passed, you'd have to do more than that.  But it could possibly work for identifying information.  It might not even work for that, depending on how they correlate.  When you use the dropbox for PC app (or are logged in for pretty much anything) the IP is there and can be recorded.  If they correlate that to your account, then they have the information, even though you might be currently logged out.  Some sort of anonymizing connection would be your defense.

dr_andus

  • Supporting Member
  • Joined in 2012
  • **
  • Posts: 851
    • View Profile
    • Dr Andus's toolbox
    • Donate to Member
Re: Dropbox and privacy (or lack of)
« Reply #5 on: February 26, 2014, 05:29 PM »
Yes, that's what I was concerned about. I really liked Dropbox so far, so it's such a pity that they are turning it into some sort of spyware now.

I guess one could argue that they need to monetise the "free" Dropbox users, but it doesn't sound like becoming a paid Dropbox user would provide one with any more privacy.


wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,190
    • View Profile
    • Donate to Member
Re: Dropbox and privacy (or lack of)
« Reply #6 on: February 26, 2014, 06:49 PM »
I wouldn't go as far as to call it 'spyware'- they're using the business intelligence of what you voluntarily give them with your account, with what you involuntarily give any site.  I just hate conflating the term 'spyware' with other practices.

dr_andus

  • Supporting Member
  • Joined in 2012
  • **
  • Posts: 851
    • View Profile
    • Dr Andus's toolbox
    • Donate to Member
Re: Dropbox and privacy (or lack of)
« Reply #7 on: February 27, 2014, 03:39 AM »
I wouldn't go as far as to call it 'spyware'- they're using the business intelligence of what you voluntarily give them with your account, with what you involuntarily give any site.  I just hate conflating the term 'spyware' with other practices.

OK, I take your point. I should have used inverted commas to emphasise that I was using the term metaphorically, not literally.

But... in the email they say to you "We don’t sell your personal information to third parties," which sounds reassuring. You will have to bother to click on the Privacy Policy link to find out that they may share your " name, email address and IP address" with Dropbox for Business users. Now, how is a "Dropbox for Business user" not a third party? It may not be to them, but they would be to me, as a bog-standard Basic (non-paying) or Pro (paying customer)?

So is it no longer spying if they tell you in convoluted ways that they are spying on you and selling that on to "second parties"? Or are they just enabling these "second parties" to spy on you?

I suspect that the vast majority of the Basic and Pro account users will never learn that this is happening unless they find it out from the media (like I did). Thanks, El Reg!

xtabber

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 618
    • View Profile
    • Donate to Member
Re: Dropbox and privacy (or lack of)
« Reply #8 on: March 01, 2014, 08:39 AM »
I think you are mis-interpreting this.

If something is uploaded to any Dropbox account and made available to others for download, it is perfectly reasonable for the poster to be able to know who has downloaded the file. 

I don't see anything nefarious about that or any kind of invasion of privacy.

Innuendo

  • Charter Member
  • Joined in 2005
  • ***
  • default avatar
  • Posts: 2,266
    • View Profile
    • Donate to Member
Re: Dropbox and privacy (or lack of)
« Reply #9 on: March 01, 2014, 05:36 PM »
I think you are mis-interpreting this.

If something is uploaded to any Dropbox account and made available to others for download, it is perfectly reasonable for the poster to be able to know who has downloaded the file. 

I agree with this interpretation. This pertains to Dropbox for Business accounts. The way I see it Dropbox is making available a way for business owners to see what kind of file transfers their employees are engaging in and with whom.

This is perfectly reasonable. If I was shelling out the money so my employees could use Dropbox, I'd want to know how my employees were using company resources.

dr_andus

  • Supporting Member
  • Joined in 2012
  • **
  • Posts: 851
    • View Profile
    • Dr Andus's toolbox
    • Donate to Member
Re: Dropbox and privacy (or lack of)
« Reply #10 on: March 01, 2014, 06:15 PM »
If something is uploaded to any Dropbox account and made available to others for download, it is perfectly reasonable for the poster to be able to know who has downloaded the file.

My problem is this: will any Basic or Pro Dropbox user (i.e. not a Dropbox for Business customer) know that every time they download a file that originates from a Dropbox for Business account, their name and email address may be made available to that account?

E.g. what does "accessing stuff shared by that user" mean? It doesn't sound legally or technically precise. So, let's say that you're browsing the internet while being logged in as a Basic Dropbox user. You end up on a website (unrelated to Dropbox) where you can download a PDF file. You download it without realising that it was hosted on a Dropbox for Business service, and your name and email address will be made available to the owner of that Dropbox for Business account without you knowing. How is that reasonable?

I have a Wordpress blog and I do not get told the name and email address of everyone who has visited my blog or downloaded stuff from it. The same goes for files available in general for download on the internet. You don't expect that the sites where you download them from get your full name and email address. Quite possibly people would change their internet usage drastically if they knew beforehand that they would be personally identified every time they download something.

dr_andus

  • Supporting Member
  • Joined in 2012
  • **
  • Posts: 851
    • View Profile
    • Dr Andus's toolbox
    • Donate to Member
Re: Dropbox and privacy (or lack of)
« Reply #11 on: March 01, 2014, 06:19 PM »
I agree with this interpretation. This pertains to Dropbox for Business accounts. The way I see it Dropbox is making available a way for business owners to see what kind of file transfers their employees are engaging in and with whom.

Not so. The privacy policy clearly says “If you are not a Dropbox for Business user but interact with a Dropbox for Business user..." So this is not about employees. It's about Basic and Pro account users who have no relationship with that particular business, they just happened to download a file from that account, perhaps even without realising it was a file on a Dropbox account. E.g. some people host image files on Dropbox. You visit their webpage and automatically download the image. According to this the owner of that website may receive your full name and your email address. Is that reasonable?

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,885
    • View Profile
    • Donate to Member
Re: Dropbox and privacy (or lack of)
« Reply #12 on: March 01, 2014, 11:17 PM »
So, a 1 pixel transparent gif file embedded on a web page, served from a Dropbox for Business account would be a great way to gather a big list of names & email addresses of your website's visitors. And since you are paying for this wonderful service provided by Dropbox, it's essentially the same as them selling you that information about your site's visitors. That's a mighty powerful web bug service they are selling there. More powerful than serving that 1 pixel gif from your own server, which would not collect names and email addresses.

dr_andus

  • Supporting Member
  • Joined in 2012
  • **
  • Posts: 851
    • View Profile
    • Dr Andus's toolbox
    • Donate to Member
Re: Dropbox and privacy (or lack of)
« Reply #13 on: March 02, 2014, 07:18 AM »
So, a 1 pixel transparent gif file embedded on a web page, served from a Dropbox for Business account would be a great way to gather a big list of names & email addresses of your website's visitors.

Yes, this was exactly my concern. Moreover, this would be segmented data of potentially higher-value visitors because we can presume that Dropbox Basic and Pro users are more sophisticated than your average internet user. E.g. they are more likely to be syncing data across various platforms and own and use smartphones and tablets.

If this is really how this is going to work, then this raises again the question whether this is approaching a spyware situation. They are definitely not going out of their way to alert Basic and Pro users about this significant change. They don't mention this either in the email users receive, or on the blog post they link to. You will have to read the Privacy Policy yourself to find this out, which only a tiny fraction of users are likely to do, especially as there is nothing in the email suggesting that there is a drastic change. I find this a very underhanded way of selling out the Basic and Pro user base to the Dropbox for Business user base.

There is an analogy here with LinkedIn, whereby you can opt in to the feature which allows you to see who has visited your profile. However, there is a very clear warning step where you need to agree to participate, and it's reciprocal, i.e. others will also see when you have viewed their profile. Moreover, this feature is available to both free and paying users. What Dropbox is doing is very hush-hush. It looks to me like they don't want Basic and Pro users to find out that their identity is being sold to Dropbox for Business users.

Innuendo

  • Charter Member
  • Joined in 2005
  • ***
  • default avatar
  • Posts: 2,266
    • View Profile
    • Donate to Member
Re: Dropbox and privacy (or lack of)
« Reply #14 on: March 02, 2014, 12:51 PM »
So this is not about employees. It's about Basic and Pro account users who have no relationship with that particular business, they just happened to download a file from that account, perhaps even without realising it was a file on a Dropbox account.

If I am a business owner & people who have no relationship with my business are downloading files from my repository, I want to know who downloaded and what was downloaded. Besides, if you have no relationship with my business then what are you doing downloading my files?

People downloading files and not even knowing what the source is of those files is the problem. What's going on here is just an audit trail for business activity.

dr_andus

  • Supporting Member
  • Joined in 2012
  • **
  • Posts: 851
    • View Profile
    • Dr Andus's toolbox
    • Donate to Member
Re: Dropbox and privacy (or lack of)
« Reply #15 on: March 02, 2014, 02:01 PM »
Besides, if you have no relationship with my business then what are you doing downloading my files?

I may be downloading your files because I am a potential customer, I am visiting your website, considering your business, and I may download some product spec PDF document that you have made public and which is hosted on the Dropbox for Business account. That is the scenario we are talking about.

Just because I have visited your website and downloaded your file, it doesn't mean that I want Dropbox to give you my name and email address without me even realising it. It's another thing if you tell me that you only let me download the file if I give you my details. Then at least I have the choice and can decide not to proceed.

And as app103 had described above, I may not even be knowingly downloading a file. It might be that I just happen to stumble upon your website and download an image file hosted on your Dropbox account, thus being tricked into sharing my name and email address with you.

Are you really happy to make your name and email address available to any website you visit or for every file you download from the internet?

tomos

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 11,964
    • View Profile
    • Donate to Member
Re: Dropbox and privacy (or lack of)
« Reply #16 on: March 02, 2014, 02:38 PM »
... so the only solution I can see here is to *not* have a dropbox account,
or,
become a business user -
an easy choice there when 'asked' under those conditions :-/
Tom

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,885
    • View Profile
    • Donate to Member
Re: Dropbox and privacy (or lack of)
« Reply #17 on: March 02, 2014, 06:44 PM »
Besides, if you have no relationship with my business then what are you doing downloading my files?

And as app103 had described above, I may not even be knowingly downloading a file. It might be that I just happen to stumble upon your website and download an image file hosted on your Dropbox account, thus being tricked into sharing my name and email address with you.

If I were a Dropbox for Business user (which I am not), merely visiting this page would be enough to give me your name and email address. (That animated gif is served from my Dropbox account.)

Innuendo

  • Charter Member
  • Joined in 2005
  • ***
  • default avatar
  • Posts: 2,266
    • View Profile
    • Donate to Member
Re: Dropbox and privacy (or lack of)
« Reply #18 on: March 02, 2014, 07:56 PM »
If I were a Dropbox for Business user (which I am not), merely visiting this page would be enough to give me your name and email address. (That animated gif is served from my Dropbox account.)

And since I am not a Dropbox user at all, how are they going to obtain my email address and name to give to you? I guess I would have to be a Dropbox user and logged on to the Dropbox service at the time I visited your web page.

If one were to have the Dropbox service running on their PC and logged on 24/7 this might be a real concern, but I guess if enough people complain Dropbox will either change or people will go to other services. Dropbox has never been the most competitively priced or most privacy-minded service anyway.
« Last Edit: March 02, 2014, 08:31 PM by Innuendo »

rgdot

  • Supporting Member
  • Joined in 2009
  • **
  • Posts: 2,193
    • View Profile
    • Donate to Member
Re: Dropbox and privacy (or lack of)
« Reply #19 on: October 13, 2014, 11:07 PM »
Hundreds of Dropbox Passwords Leaked, Change Yours Now
A few hundred Dropbox usernames and passwords have leaked on Reddit, likely from a third-party app and possibly as part of a much larger breach. Time to change your passwords.

The leak, which contains hundreds of accounts with email addresses starting with the letter "b", come from an anonymous user taking Bitcoin donations for the full leak, which they claim consists of millions of accounts, according to The Next Web. We're not sure how old these credentials are or which third party app they came from, but no matter what, it's time to do the same old song and dance we're pretty used to by now

http://lifehacker.co...yours-now-1645982533

tomos

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 11,964
    • View Profile
    • Donate to Member
Re: Dropbox and privacy (or lack of)
« Reply #20 on: October 14, 2014, 05:11 AM »
^ thanks for the tip :up:
Tom

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,190
    • View Profile
    • Donate to Member
Re: Dropbox and privacy (or lack of)
« Reply #21 on: October 14, 2014, 10:45 AM »
Dropbox also has two-factor authentication- which you should turn on, no matter what.

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 9,776
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Dropbox and privacy (or lack of)
« Reply #22 on: October 14, 2014, 12:37 PM »
Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.

Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services. For an added layer of security, we always recommend enabling 2 step verification on your account.


Update: 10/14/2014 12:30am PT

A subsequent list of usernames and passwords has been posted online. We’ve checked and these are not associated with Dropbox accounts.