Trusting the cloud storage – (Drop)Box breaking the confidentiality

A few weeks ago I wrote about OneDrive (for business) breaking the integrity of documents (although only metadata not visible to users). Integrity is one of the three qualities that a cloud service has to provide to be trusted by users. The other two are confidentiality and availability.

It has been known for a few days now (as of May 6th 2014) that several links to shared documents on the Dropbox and Box cloud storage services have been listed among the results of a search engine. This time confidentiality has been compromised. For Dropbox, there are two ways this could have happened:

  • users unknowingly copy the link to a shared document into a search engine, which can then crawl and index it (making its content available to everyone), and
  • when a shared document contains links to external pages and a user clicks one while viewing the document, the document's share link becomes available to the linked page as the referring page (the referrer).

Fortunately, Dropbox reacted quickly: they disabled old shares, while new shares are not vulnerable to the second issue listed above. This will cause some annoyance to users, but it is better to be annoyed than to have your personal information shared publicly (remember that we are talking about a free service!).

Unfortunately, the problem of shared links being copied to Google will not (and cannot) be fixed by Dropbox. Some people make links to Dropbox files available to the public, and Dropbox has no way of knowing which users posted links accidentally and which did not. So it’s up to users to take care of it.

This is not the first time Dropbox has been compromised. In 2011, just as it came out of beta, a vulnerability in its authentication was uncovered (although the attack needed access to the user’s computer).

It is clear that such services are vulnerable, and it is wise to understand what we are doing, privacy-wise, with our information in the cloud. PIM activities also include distributing information and managing privacy, so we should be aware of both when dealing with our information. We have to know who we are sharing with and what. Two decades ago, when our information was stored only on our desktop computers, privacy was not much of a concern. Nowadays, when we store information in the cloud, privacy should be high on the list of PIM activities!