It looks like Wuala has made most of their paid features free in response to this latest Dropbox fuckup. I had switched to Spideroak because they offer all of their features for free accounts, but wasn’t thrilled that access with the web interface or mobile clients doesn’t support client-side encryption. Now that Wuala has made most (all?) of their paid features free, I’m going to give them another shot because even their mobile clients do client-side encryption.

I basically use Dropbox for remote access to certain images and documents, like my resume. Nothing really sensitive is on there, so is there any reason I should switch to someone else? I’m thinking not…

tiohn, aside from the differences for mobile use, what do you make of Spideroak vs. Wuala?

At first glance I’m tending towards Spideroak, but that’s based pretty much on the presentation of their website (e.g. their engineering section), but that’s a pretty weak hunch to go on…

Dropbox has updated its Terms of Service and Privacy Policy:

We want to let you know about some upcoming updates to our Terms of Service and Privacy Policy. These updates will go into effect on March 24, 2014.

You can find more details on our blog, but here’s a quick overview:

We’re adding an arbitration section to our updated Terms of Service. Arbitration is a quick and efficient way to resolve disputes, and it provides an alternative to things like state or federal courts where the process could take months or even years. If you don’t want to agree to arbitration, you can easily opt out via an online form, within 30 days of these Terms becoming effective. This form, and other details, are available on our blog.

We’ve added a section to our Privacy Policy that discusses our recently launched Government Data Request Principles. We’ve also made clarifications to better explain how our services will use your information. For example, we explain that when you give us access to your contacts, we’ll store them so that you – and only you – can do things like share your stuff easily, no matter what device you’re using.

We’ve also updated our Terms of Service and Privacy Policy to better explain and reflect our growing list of features for Dropbox for Business customers.

While we’ve simplified much of the language, our commitment to keeping your stuff safe and secure hasn’t changed. We don’t sell your personal information to third parties. We don’t serve ads based on the stuff you store in our services. As always, your stuff is yours.

If you have any questions about these updates, you can read more on our blog or email us at tos-questions@dropbox.com.

Thanks for using Dropbox!

- The Dropbox Team

Dropbox’s Government Data Requests Principles:

We understand that when you entrust us with your digital life, you expect us to keep your stuff safe. Like most online services, we sometimes receive requests from governments seeking information about our users. These principles describe how we deal with the requests we receive and how we’ll work to try to change the laws to make them more protective of your privacy.

Be transparent: Online services should be allowed to report the exact number of government data requests received, the number of accounts affected by those requests, and the laws used to justify the requests. We’ll continue to advocate for the right to provide this important information.

Our Transparency Report discloses the number of law enforcement requests we receive and the number of accounts affected. Currently, our report doesn’t include specific details about the number of national security requests we receive from the US government, if any. We’ve urged the courts and the government to allow services like Dropbox to disclose the precise number of national security requests they receive and the number of accounts affected. We’ll continue this fight. In the meantime, we’re providing as much information about national security requests received and accounts affected as allowed.

Fight blanket requests: Government data requests should be limited to specific people and investigations. We’ll resist requests directed to large groups of people or that seek information unrelated to a specific investigation.

The US government has been seeking phone records from telecommunications companies related to large groups of users without suspicion that those users have been involved in illegal activity. We don’t think this is legal and will resist requests that seek information related to large groups of users or that don’t relate to specific investigations.

Protect all users: Laws authorizing governments to request user data from online services shouldn’t treat people differently based on their citizenship or where they live. We’ll work hard to reform these laws.

Certain laws give people different protections based on where they live or their citizenship. These laws don’t reflect the global nature of online services. We’re committed to extending fundamental privacy protections to all users: government data requests shouldn’t be in bulk, they should relate to specific individuals and investigations, and a neutral third party should evaluate and sign off on requests for content before they issue.

Provide trusted services: Governments should never install backdoors into online services or compromise infrastructure to obtain user data. We’ll continue to work to protect our systems and to change laws to make it clear that this type of activity is illegal.

There have been reports that governments have been tapping into data center traffic of other services. We don’t believe this is right. Governments should instead request user data by contacting online services directly and presenting legal process. This allows services to scrutinize the data requests and resist where appropriate.

While it’s cute that they say that they’ll “try” and “strive,” until a company’s got the balls (and willingness to get black-bagged into Gitmo 2: Electric Nippleshockaloo) and just tells us exactly what’s happening while simultaneously disclosing exactly what’s being done to them by the big bad US gov’t, I can’t really say I care. They’re all still giving in and giving up all our essential privacy out of fear.

Thanks, DB. I’m glad that at least you feel bad when you send Obamer my nudes.

Also arbitration clauses. Right. So pleased they’re basically banned for B2C trade here.

Sensitive stuff is encrypted in a Truecrypt container in Dropbox. Everything else is plaintext. I don’t see the harm; on the contrary, Dropbox has revolutionised my electronic life. Can’t live without it.

Watch out with that; TrueCrypt is not multi-user aware. If you have the container open on two separate computers, you can corrupt it.

Out of interest - is there a good multi-user aware alternative? (that works in Windows ^^)

I actually spent a fair amount of time researching this a while back, as you can probably tell.

Sure, Microsoft’s EFS is multi-user aware. Of course you need to trust MS to use it, which… I can’t type without cracking a smirk. I do use BitLocker on flash and USB hard drives, because it is transparent to use and completely protects against “some jackass ripped off my flash drive”. It certainly would not protect against a nation state targeting me. But realistically, nothing will. I focus on protecting against criminals rather than going all crazy paranoid and worrying about the NSA.

There are various tools that claim to secure Dropbox like BoxCryptor, but I have not evaluated them.

The only cloud storage service that I’m aware of that offers client-side encryption (without the use of a third-party service like BoxCryptor) is SpiderOak. They’re the only ones that even really pretend to truly care about security.

I personally use Dropbox and Google Drive for various purposes and don’t worry about it all that much. I don’t store sensitive data in these services. I do store private data, but nothing that could be exploited to steal from me, etc.

If I needed to store private data in the cloud, I would either use SpiderOak or a TrueCrypt container in Dropbox/GDrive that is default mounted read-only to avoid corruption issues. If I need to write to it, I would just open it read-write, do my business, then close and re-open read-only. That would work fine.

I’m the only one who uses it, and I make monthly backups of my entire Dropbox folder. No prob, bob.

If you only have one computer, that’s fine.

Yea, and I’m always willing to be lazy on those grounds :P

Shame there isn’t really any good solution, though. (Although most of what I store in the cloud is educational material I and other lecturers have written… sure, it’s copyright, but not sensitive)

Spideroak is pretty good. But if you don’t store sensitive material, the question is whether you really feel the need to secure it.

The number of computers I use (three) is irrelevant. The number of users who are using a TrueCrypt container at the same time (one) is the relevant factor. See what I mean?

Yep, that’s fine. Most people keep their dropboxen open everywhere, so that is an unusual usage model.