Dropbox: We Access Your Private Documents, But It’s For Your Own Good

Dropbox says its systems are accessing docs in order to provide previews

Cloud storage provider Dropbox has explained why its systems open user documents, following concern from a security researcher.

Posting on the Western North Carolina InfoSec Community site, a user calling himself (or herself) Vintsurf said Dropbox files were being accessed soon after they were uploaded.

Dropbox privacy problem?

The researcher used a tool called HoneyDocs, which initiates an embedded GET request when a document is opened. When they uploaded files to their Dropbox private folders, a “buzz” came back.

When they deleted the files from Dropbox and uploaded them again, no “buzzes” came back. It appeared an Amazon EC2 instance in Seattle was accessing the files. Only .doc files were affected.

Vintsurf was even more confused when, having uploaded more HoneyDocs files to their Dropbox folder from a different computer and ISP, different Amazon EC2 instance IPs were used to access the files.

“I’m curious if this is still an automated process or one that involves human interaction,” the researcher said.

“All in all, I made three attempts to upload embedded documents and all appeared to be opened from different Amazon instances. This could have something to do with how Dropbox’s storage architecture is configured while using Amazon S3 buckets.

“Regardless, the .doc files seemed to have been opened for some reason. I’d like to know why.”

But Dropbox said it was only doing this to ensure previews of documents worked.

“Dropbox allows people to open and preview files from their browser. This blog post relates to backend processes that automatically create these document previews, making it easier for people to view docs within their Dropbox,” a company spokesperson said, in an emailed statement.

Similar cases of apparent privacy infringements have emerged in recent months. Microsoft received some criticism for scanning Skype instant messages, even though it was doing so to identify spam or malicious URLs.

Whilst the intentions of the companies appear to be good, many want better transparency from companies on how their systems might access users’ content.
