Another Problem for Dropbox
Posted by Jeff Papows on Thu, Jun 23, 2011 @ 03:10 PM

News broke this week that on Sunday, Dropbox, the web-based file hosting service used by 25 million people, experienced a major security issue. Unlike the multitude of recent headlines surrounding web security (Sony’s PlayStation Network problems, for example), the issue faced by Dropbox wasn’t due to a hack. Instead, a software error that was allowed into production during a code update let Dropbox users access any account using any sign-in password. This lasted for four hours.
Dropbox is saying that only a small number of users were accessing the service during this period. There’s no way to verify this, of course, but it’s not the most important issue in play.
Dropbox is perhaps the most well known of the consumer-grade cloud storage providers and, because of this event, user perceptions of the security and overall value of cloud services may change in what many are calling “the year of the cloud.”
Though users could encrypt files uploaded to Dropbox or any other cloud storage provider, is that at all realistic to expect when a consumer-focused service’s biggest advantage is convenience? Does the average Dropbox user know how to encrypt data? Have they even heard of such a thing?
I have to think not. For users of a mainstream service like this, there is an implicit expectation that their data is secure. But is it?
We don’t know what type of data is most frequently stored within Dropbox accounts, nor do we know how sensitive it may be – but Dropbox does. In an effort to find greater storage efficiency, Dropbox analyzes files before they are uploaded, and avoids saving identical files from multiple users. If another user has already uploaded the same file, your duplicate file will not be saved separately. This has copyright and law enforcement implications.
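The deduplication described above means the provider keeps an index tying each distinct file to every account that holds it. The following is an added example, not Dropbox's code: SHA-256 content hashing, the `Provider` class, the per-user keys and the sample users are all assumptions made for illustration. It compares that index with one built from per-user keyed tags.

```python
import hashlib
import hmac
from collections import defaultdict


def global_tag(data, _key=None):
    """Cross-user dedup: the tag depends on file content only."""
    return hashlib.sha256(data).hexdigest()


def keyed_tag(data, key):
    """Contrast: the tag also depends on a secret only the user holds."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class Provider:
    """Constructed model of a server-side dedup index (tags and sizes only)."""

    def __init__(self):
        self.sizes = {}                   # tag -> size of the single stored copy
        self.holders = defaultdict(set)   # tag -> accounts referencing that copy

    def upload(self, user, tag, size):
        is_new = tag not in self.sizes
        if is_new:                        # duplicates are not saved separately
            self.sizes[tag] = size
        self.holders[tag].add(user)
        return is_new

    def bytes_stored(self):
        return sum(self.sizes.values())

    def accounts_holding(self, data):
        """The provider is handed a file and asked who has it; it has no user keys."""
        return sorted(self.holders.get(global_tag(data), ()))


def simulate(tag_fn):
    # Constructed sample data: two users hold the same file, a third holds another.
    keys = {"alice": b"k-alice", "bob": b"k-bob", "carol": b"k-carol"}
    shared, private = b"same shared document" * 100, b"carol private notes" * 100
    provider = Provider()
    for user, data in [("alice", shared), ("bob", shared), ("carol", private)]:
        provider.upload(user, tag_fn(data, keys[user]), len(data))
    return provider.bytes_stored(), provider.accounts_holding(shared)
```

`simulate(global_tag)` stores the shared file once and can name both accounts that hold it; `simulate(keyed_tag)` stores it twice and can name none, which is the storage cost of not letting the provider match content across users.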
Additionally, information contained within this FTC complaint shows that Dropbox files are available in an unencrypted state to employees or anyone else who may request access (like the government). It is clear that Dropbox has placed a greater value on performance and storage efficiency than on security. This is also true for mobile devices, where their Android app was shown to be leaking metadata.
The details of the complaint and of the Dropbox architecture are probably too arcane to hold the interest of most, so perhaps this will be nothing more than a valuable teaching moment. But in a time when security attacks are at an all-time high, can a provider of a paradigm-shifting service survive such self-inflicted wounds?