14 Feb 11 Dropbox

In the past months, I have been in touch with Microsoft Office Groove several times. This is a productivity software for global workgroup file sharing. While it serves its purpose very well, it has got one major drawback: the software needs to run in Windows which makes it impossible for me to use in daily work (a second disadvantage is that the files are in a virtual file system and even locally not accessible without the Groove software). When thinking about an alternative, I crossed Dropbox, a file sharing service which seems quite similar at first glance. In brief, it works as follows:

• You register at dropbox.com to get an account. This is free (of charge) for the first 2 Gigabytes. If you want more, you need to pay a monthly fee.
• You install the (closed source) software on your PC(s). It is available for several OSes. Upon installation, one folder in your file system is defined as the Dropbox folder. That’s it.
• You copy files to this folder. They are transparently uploaded to the Dropbox storage. As soon as another connected PC goes online, the files are automatically synced there (the mobile variants only sync on demand).
• Optionally, you invite other Dropbox users to selected subfolders. Files can thus be shared cross-account.

I do not want to list all the features and functions here but leave looking up Dropboxʼ website as an exercise to the reader.
All the synced files stay in your local file system (and those of all connected PCs). This means that you can access the files offline and even if the Dropbox daemon is not running. Furthermore, synchronization does not depend on the availability of another PC of your collection. As the files are stored “in the cloud”, file transfers are not peer to peer. While this can be an advantage, it leads to security issues:

• Your files are held in a third-party storage (Dropbox uses Amazonʼs cloud service). While Dropbox claim that your files are stored AES-encrypted so they have no access to them, it is a matter of trust whether you believe this. Also the question is whether the files are already encrypted locally, on your PC or the encryption takes place after the (SSL encrypted) transfer to the cloud server. I think that the latter is the case because sharing folders with other users would be difficult otherwise and there is no reference to a local AES key either. Therefore, I consider that a security gap which the user should bridge by locally encrypting the files before copying them to the Dropbox folder.
• The security mechanism is simply username and password. No two-factor authentication available.