Snowden: Dropbox is ‘Hostile To Privacy’

Edward Snowden claims that Dropbox is “hostile to privacy”. Speaking to The Guardian from Moscow, where he is residing in exile, the NSA whistleblower said that the cloud storage firm was a privacy disaster in the making.



He added that Dropbox’s appointment of Condoleezza Rice, former US Secretary of State, raised even more privacy concerns about Dropbox, going as far as to label Rice “probably the most anti-privacy official you can imagine”.

Rice was appointed to the company’s board earlier in the year, which caused many privacy advocates to voice their concerns. During her tenure in the Bush administration, she was the cornerstone of the domestic ‘STELLARWIND’ surveillance program, Snowden revealed.

Stellar Wind was introduced by the NSA in 2001, after the September 11 attacks. It saw mass collection of metadata, and emails too, from US citizens. The program was closed in 2011.

Rice’s record of backing warrantless collection of communications will have implications for Dropbox, since such companies weren’t in the picture a decade ago but are now.

Data mining from their servers – intentionally or otherwise – could be the next privacy frontier. Snowden, who took asylum in Russia after leaking NSA data last year, also termed Dropbox a “wannabe PRISM partner”.

After the appointment of Rice, Dropbox also had to face grassroots campaigns demanding that people boycott Dropbox via the ‘Drop Dropbox’ slogan. Privacy advocates advise businesses and users to switch to cloud service providers that have no way of accessing user data.

Snowden claimed:

“By depriving themselves of the ability to read the information, of the ability to sort of analyse and manipulate the information without the customers’ consent or authorisation, that’s the only way they can prove to the customers that they can be trusted with their information.”

He also described a solution to the cloud problem:

“I think what cloud companies need to pursue in order to be truly successful is what’s called a ‘zero knowledge’ system, which means the service providers host and process content on behalf of customers, but they don’t actually know what it is.”



He said that companies like SpiderOak are better because they offer ‘zero knowledge’: a term used to label services having zero access to the user data (documents, videos, images etc.) they store on their servers.

“SpiderOak has structured their system in such a way you can store all of your information on them with the same sort of features that Dropbox does, but they literally have no access to the content.”

“So while they can be compelled to turn it over, the law enforcement agencies still have to go to a judge and get a warrant to actually get your encryption key from you.”

Though this does not prevent the government from demanding access to user data, SpiderOak can’t hand over any decrypted or meaningful content.

The decryption key is available only to subscribing users, so the government will have to submit data access requests to the individuals the data belongs to instead. The key is a long, unique numeric code that no one other than the user, not even the service provider itself, can access unless a search warrant is issued by the government.

This means zero knowledge companies like SpiderOak are not open to the same data-mining perils as other cloud storage service providers. Snowden says this could help put an end to the ongoing warrantless surveillance of millions using the Internet. SpiderOak has around a million users, but after Snowden’s statement, it saw huge spikes in its traffic, and signup rates about five to six times higher.

In another interview with The Guardian, Chief Executive and Founder of SpiderOak Ethan Oberman said that due to the newfound awareness of security and privacy, the company has experienced “sustained and continued growth”. “Privacy is a right, not a privilege,” he added.

According to the official website, SpiderOak is an online tool for sharing, accessing, backing up, syncing and storing data, and it offers users zero-knowledge privacy. It says “the server never knows the plaintext contents of the data it is storing.”

“Therefore, the data is never at risk of being compromised or abused by either internal threats or external hackers.”

A service similar to Mega by Kim Dotcom, SpiderOak takes pride in encrypting files before they are stored on its systems, preventing the company from seeing the content.

Dropbox, however, says it would play its part to protect user information and resist any PRISM-like programs:

“Safeguarding our users’ information is a top priority at Dropbox. We were not involved in PRISM, and would resist any program of its kind. We’ve made a commitment in our privacy policy to resist broad government requests, and are fighting to change laws so that fundamental privacy protections are in place for users around the world. To keep our users informed, we also disclose government requests in our Transparency Report.”