BLOG HOME | SEPTEMBER 17, 2020
Should You Use Dropbox's Vault?
Dropbox is cool. We use it all the time. For millions, it’s a convenient place to store files and share them with others. It’s long been the name for file storage and sharing.
Recently, Dropbox rolled out a new feature called ‘Vault’. Here is what they say about it on their web site:
“Dropbox Vault is a feature that lets you create a location in Dropbox with an additional layer of security for your most sensitive files and share it with trusted contacts. This location, or “vault”, in your Dropbox account is guarded by a numeric password, or “PIN”, and can't be opened or accessed by third party apps.” (Source)
Vault is touted as a place you can store your “most sensitive files”. Sounds great, right? However, the security of a PIN code doesn’t fix the most glaring problem behind Dropbox and some of its competitors. Dropbox holds the encryption key to your files. You don’t. Think of it like owning a house, yet some big company has the keys to it, you don’t. That company tells you that you can put your stuff in the house, but at any time they can rummage through it and take a look at what’s inside. Who would want that? No one right? Well, that is exactly what millions of people do with their files when they use Dropbox and similar cloud storage providers.
As we said, we use Dropbox for our business. Dropbox just works, and it works well. It is very convenient to be able to share a folder with a client to allow them access to artwork, files, logos, and whatever else we’ve designed. We also love the ability to allow clients to upload files to us. It’s much easier than email attachments. But, we would never upload sensitive files to Dropbox. Why? Because Dropbox has the keys to those files!
We believe the problem with Dropbox’s new Vault feature is it can easily cause a false sense of security. The way the service is marketed makes it sound like you’re safe to put sensitive files in Vault and no one can see them. People will take that to mean they can upload tax returns, medical records, passwords, and all other files that contain personal information. In fact, on the FAQs page on Dropbox’s site they write that you can safely and securely upload, “Any files that include personal or sensitive information—like your Social Security number, driver’s license number, passport number, date of birth, or home address—can be added to Vault for extra security.” (Source)
We’ve dug through the documentation for Vault on Dropbox’s website and cannot find any information that would even hint at Vault using zero-knowledge encryption. (Zero-knowledge means that Dropbox wouldn’t have the keys to your files, you would.)
Until Dropbox takes the much-needed step to providing zero-knowledge encryption, you’ll need to consider if placing sensitive files on their service is wise. It's unlikely that Dropbox is just rummaging through people's files just to be nosey. That would be a public relations nightmare for them. However, all it would take is a rogue bad employee at Dropbox or a massive security breach for your personal and private information to be exposed if someone gets those keys Dropbox holds.
We want to stress that we’re not tin-foil hat wearing anti-technology types. We’re geeks. We use Dropbox. We love the service. We use it regularly for storing and sharing files, especially for our clients. However, we choose not to use Dropbox to store any sensitive or private information until they adopt encryption standards that truly protect the privacy and security of the customer at a level where even Dropbox couldn't decrypt the file.
We’d love to see Dropbox roll out an upgraded version of Vault that encrypts the files client-side using the PIN as the master password. Our understanding is that their new password service offers that level of encryption, so why not implement that on the vault service? If they did that, we might be more inclined to trust them with more than just our design files. Until then, we believe storing anything that contains personal or sensitive information on any cloud provider that is not zero-knowledge is playing with fire. Just like our homes, we feel much safer when the keys are in our hands, not a stranger's.
So what are the alternatives? There are a few good options. You can always keep using Dropbox for your everyday files. It’s a great service. But, for those sensitive files that have your personal info (tax returns, social security numbers, passwords, etc.) you are much better off storing them on a service that utilizes zero-knowledge encryption or using a third-party app that locally encrypts your files before uploading them to Dropbox. A popular zero-knowledge cloud storage provider is SpiderOak. SpiderOak has been around a long time and has a lasting reputation for data privacy. Another service that is similar to Dropbox is called Sync. Sync claims to offer zero-knowledge encryption with data plans comparable to Dropbox.
Ready for some retro tech? There is nothing wrong with good-old local backups. You can purchase several external drives for the price of only one year of cloud hosting and backup/store all your sensitive files using backup software or just manually copying them to the drive. Store your drive in a safe location and you're all set! This way, your files never leave your possession. As a bonus, restoration from local drives is also considerably faster than the cloud.
You have a plethora of options when it comes to cloud and local storage. You just need to decide what is best for you and what level of trust to extend to third party storage providers.
So Dropbox, if you’re listening, we’d love for you to implement zero-knowledge encryption for your new Vault service. That would be super-duper cool. Fingers crossed!
The information provided here is for informational purposes only and is provided as-is. The content here carries no guarantee or promise to the validity or content or any performance claims. Links to third parties and references to third parties do not indicate endorsement or agreement to those parties by 18 Street Design, its owners or affiliates.