Dropbox on Thursday defended its privacy policies after a recent update to its terms had some questioning just how secure their data was on the service.
The update clarified the circumstances under which Dropbox would hand over user data to law enforcement officials. The company said its old terms of service were "too broad, and gave Dropbox rights that we didn't even want."
The updated terms specify that Dropbox will turn over data: to comply with the law; protect someone's safety; prevent fraud or abuse on Dropbox; or protect Dropbox's property rights. If Dropbox agrees to hand over data, the company will decrypt it before doing so. If you have encrypted it before storing it on Dropbox, though, it will remain encrypted.
As Dropbox points out, this is nothing particularly shocking. Tech companies like Google, Twitter, and Apple are routinely asked by law enforcement to hand over user data. In April 2010, Google added a tool that details the number of government requests it receives to remove or otherwise filter content. Last month, a court ordered Twitter to hand over data related to the WikiLeaks case.
Dropbox said it receives about one government request per month for its 25 million users. It also stressed that it doesn't just hand over information when asked.
"Our legal team vets all of these requests before we take any action. The small number of requests we have received have all been targeted to specific individuals under criminal investigation," Dropbox said in a blog post. "If we were to receive a government request that was too broad or didn't comply with the law, we would stand up for our users and fight for their privacy rights."
In most cases, meanwhile, Dropbox will notify the user in question about the data request.
Dropbox also clarified employees access to user data. A previous Help Center article said that employees don't have access to user data, leading some to believe that Dropbox had no access to user data whatsoever. Dropbox said it will be updating that section to clarify that employees are banned from accessing user data, though Dropbox has "a small number of employees who must be able to access user data when legally required to do so."
As for encryption, files that are stored on Dropbox servers are encrypted using the AES-256 industry standard. But Dropbox has the ability to decrypt data because "many of the most popular Dropbox features — like accessing your files from the website, creating file previews, and sharing files with other people — would either not be possible or would be much more cumbersome without this capability."
Dropbox users can encrypt their data before adding it to the service, but they "will unfortunately lose access to some functionality."
The company also promised to encrypt metadata on its mobile app, and explore ways to provide greater protection for Dropbox accounts that are stored on compromised systems.
"We understand that many of you have been confused by this situation — and some folks even felt like we misled them, or were careless about their privacy," the company concluded. "We apologize for this confusion. All of us here at Dropbox care deeply about the security and privacy of your data, and the last thing we want to do is let you down."