Dropbox says it is committed to security and privacy, despite admitting that its services were vulnerable to the Heartbleed internet encryption flaw.
But while the company has assured users that a password change will protect their data, Dropbox vice president Ross Piper was today unable to give assurances that security had not been breached in the past.
Piper confirmed that the company was using the version of OpenSSL encryption affected by Heartbleed, but that all of its servers had been patched to address the problem.
"We notified all of our users that this had occurred and updated that we had patched our services through our blog, and have suggested that users change their passwords," he said. "We also have Perfect Forward technology – so any of the vulnerabilities that were open don't go into past access. Any past access that a key might have had, it doesn't allow it to be re-used...and that's been one of the technologies that has protected a lot of users.
"But we did patch all of our services, we rotated all of our keys, all of our encryptions, every user-facing aspect of the service."
Dropbox users are advised to change their passwords, though the company has not issued an email notification to its customers. Instead, Piper said Dropbox has "chosen to communicate through the [Dropbox] blog".
Although Dropbox patched its servers to address the problem when it was discovered last week, it has emerged that the Heartbleed flaw has been leaving OpenSSL-encrypted websites vulnerable for two years, raising questions about potential data breaches that may have gone unnoticed in the past.
When asked whether users could be sure their data was not breached in the past, Piper said, "We can only look forward and keep trying to protect them as best we can".
"With security and privacy there is no finish line, and you can only keep striving to become better and better," he said. "The moment we delved into this, we operated to close the vulnerability as fast as possible."
It's not just Heartbleed that has some Dropbox users concerned about privacy – the company announced last week that it would be appointing former US Secretary of State Condoleezza Rice to its board, spurring protest in some corners of the internet and calls for users to "Drop Dropbox".
A website dedicated to the Drop Dropbox movement criticises the decision, saying "Rice not only spoke in favor of the Bush administration's warrantless wiretap program and expansive domestic surveillance program, she authorized the warrantless wiretap of UN Security Council members.
"Given everything we now know about the US's warrantless surveillance program, and Rice's role in it, why on earth would we want someone like her involved with Dropbox, an organization we are trusting with our most important business and personal data?
"When a company quite literally has access to all of your data, ethics become more than a fun thought experiment."
Speaking today, Dropbox's vice president said the company stood by its decision and believed Dr Rice was a good fit for the company's board.
"It doesn't change our privacy principles in any way," said Piper. "Our reasons for bringing Dr Rice on the board really centre around her incredible experience managing very large scale organisations...as well as dealing with very highly-talented individuals, which suits our engineering culture very well.
"We think we've built a pretty good and trusting relationship with our users, and we want to maintain that through everything. We've made the decision about Dr Rice based on the reasons that I've described, and we think it's still our responsibility to earn that trust every day and we will continue to do everything to create clearer transparency and conform to the privacy requirements of our users."