How Safe Is DropBox?
DropBox is a cloud storage service which replicates files on your computer to the DropBox datacentre and thence to your other computers and devices. DropBox provides a small amount of space for free, and larger amounts for a fee. DropBox is an excellent service for backups and replicating files across multiple devices. However, like all “cloud” services, there is a tradeoff between the security of your data and the utility provided.
- All your data remains on your computer — the data stored in the cloud is a copy. So an outage in the DropBox service means your files are still located on your computer. (Unless you specifically configure it otherwise.)
- Data transmission between your devices and the DropBox datacentre is encrypted with SSL (as used with, say, internet banking), so it is safe to use even across potentially unsafe or untrusted networks such as public wifi.
- Files “at rest” in the DropBox data centre are encrypted. (Also see Cons.)
- DropBox has strong policies disallowing access to files by their employees. (See also Cons.)
- Files deleted from the DropBox-side (ie. via a fault in DropBox or malicious activity or via synchronization from deletions on another device) are stored in a hidden folder on your computer and purged later. So erroneous deletions are not lost immediately. (See also Cons.)
- Files deleted from the client-side remain hidden in your DropBox account before being purged. (See also Cons.)
- Two-factor authentication can be enabled on the account.
- Devices connected to the account can be disconnected via the DropBox website (eg. for lost or stolen devices). (See also Cons.)
- Files deleted from the account are not purged immediately. To remove a file completely requires manual intervention via the DropBox website.
- Files shared with others are not removed from their systems immediately when removed from your source folder. Neither are they securely expunged. Thus you must trust people you share with, and for additional security of files you must trust that they wipe their hard disks prior to disposal.
- A device that is disconnected from the DropBox account will retain any files already synced to that device.
- Data in the DropBox data centre, while encrypted at rest and in transit, may be decrypted by DropBox administrators.
- The DropBox data centres are located within the United States. Some argue the US is an unsafe domicile for cloud data due to some Government agencies' ability to request data or metadata from such providers.
- Use a strong password, and don't use that password for any other service. Since the password is effectively cached on devices connected to DropBox, the password can be very long and complex because it does not need to be entered very often.
- If you are confident you can keep the emergency codes safe, enable two-factor authentication so every login requires a second code. (If you lose your password and the emergency code, you will be locked out of your account. Without two-factor authentication, you can gain access to your account with a password reset sent to your email address.)
- Use a strong login password or PIN on any devices linked to the DropBox account.
- The DropBox smartphone/tablet apps allow the use of a PIN to open the app itself.
See the following for a description of DropBox's security.