Defend free speech and individual liberty online. 

Push back against big tech and media gatekeepers.

Dropbox Paper leaks the email address of anyone who’s ever viewed a document

Dropbox says it's a feature, not a bug.


If you're tired of censorship, cancel culture, and the erosion of privacy and civil liberties subscribe to Reclaim The Net.

Dropbox is that massively successful tech startup that mostly stays out of the limelight, under the radar, and toils away out of sight – much like the core service that it provides: file hosting and syncing. Dropbox nowadays works across every imaginable platform and has hundreds of millions of users around the world.

In other words, Dropbox is working tucked away in the background, it's doing its thing – and unless there's a technical problem resulting in your desktop/phone OS seizing up – why would you even have to think or care about Dropbox's existence in your digital life – once, that is, you install it, and grant it all its “due app rights”?

But make no mistake. Dropbox is a veritable tech giant in the making, both in terms of its market share and dominance, and the power that its position and the nature of the service affords it – over both the userbase and over its competition. And if Dropbox wants to, or has to – it could undermine its users' privacy with little consideration, and little recourse offered to them – as it turns out.

“Dropbox Paper”

Like any startup growing exponentially into the big leagues, Dropbox has felt the existential threat and the need to diversify its original portfolio ASAP: enter Dropbox Paper. Introduced in 2017, it was designed as a competitor to the likes of Docs and Evernote – in other words, an app that allows users to create documents and collaboratively edit them – while storing, sharing, and syncing the content of those documents on Dropbox.

Pretty great, many thought at the time – so easy, and so convenient. But those digging just a little deeper under the appealingly clean interface are coming up with some serious issues – not just with the way the service is structured, but also with the attitude Dropbox is taking toward any issues raised over its treatment of the privacy of its users.

Netherlands-based security engineer Koen Rouwhorst is now informing his own, and Dropbox followers on that if they share a Dropbox Paper document publicly – “any viewer can see the full name and email address of any Dropbox user who ever opened that document, which seems problematic.”

He adds: “This ‘feature' is just waiting to be abused. It is trivial to crawl for public Dropbox Paper document URLs, and harvest personal details of tens (or hundreds?) of thousands Dropbox users who have opened those documents.”

Why is this even bad? Because it looks to be an egregious violation of user privacy, while aiding, as comments to the tweet suggested, every spammer, doxxer and/or spy out there on the internet – looking to exploit something that Dropbox sees as a legitimate “feature” but that the rest of the world may see as a vulnerability, squarely to their own malicious use.

Rouwhorst goes on to explain exactly why this is bad. Not only has Dropbox decided to treat this as “a feature, rather than a bug” – in other word, the company has decided to use that perennial go-to, passive-aggressive reaction to any criticism of any code – but Dropbox has also doubled down on its effort, and did it in plain sight, by responding to Rouwhorst's concerns on Twitter.

Another thing you should be aware of as a Dropbox Paper user is that, as per the service's response to Rouwhorst's tweets – it's not just the owner of a document that has access names and emails – but that anyone viewing the document can do that.

Dropbox history

Dropbox, of course, is no stranger to some serious accusations, or at the very least, suspicions as to how the company conducts its data – and privacy-sensitive global business.

When whistleblower Edward Snowden revelations into the scope and range of internet surveillance carried out by the US and other affiliated agencies came to light in his 2013 revelations – there were suggestions that the NSA considered including Dropbox into its PRISM program.

But no more than that. However – a year later, Snowden was quoted by TechCrunch as advising anybody listening and valuing their privacy and personal integrity on the internet, should – at least from his experience – stay away from the likes of Google, – and – Dropbox.

If you're tired of censorship, cancel culture, and the erosion of civil liberties subscribe to Reclaim The Net.

Defend free speech and individual liberty online. 

Push back against big tech and media gatekeepers.

Big Tech alternatives:

Push back against online censorship, 

cancel culture, and privacy invasion. 

Informed by principles on digital rights.