Dropbox Paper leaks the email address of anyone who’s ever viewed a document

Dropbox says it's a feature, not a bug.

Tired of censorship and surveillance?

Defend free speech and individual liberty online. Push back against Big Tech and media gatekeepers. Subscribe to Reclaim The Net.

Dropbox is that massively successful tech startup that mostly stays out of the limelight, under the radar, and toils away out of sight – much like the core service that it provides: file hosting and syncing. Dropbox nowadays works across every imaginable platform and has hundreds of millions of users around the world.

In other words, Dropbox is working tucked away in the background, it’s doing its thing – and unless there’s a technical problem resulting in your desktop/phone OS seizing up – why would you even have to think or care about Dropbox’s existence in your digital life – once, that is, you install it, and grant it all its “due app rights”?

But make no mistake. Dropbox is a veritable tech giant in the making, both in terms of its market share and dominance, and the power that its position and the nature of the service affords it – over both the userbase and over its competition. And if Dropbox wants to, or has to – it could undermine its users’ privacy with little consideration, and little recourse offered to them – as it turns out.

“Dropbox Paper”

Like any startup growing exponentially into the big leagues, Dropbox has felt the existential threat and the need to diversify its original portfolio ASAP: enter Dropbox Paper. Introduced in 2017, it was designed as a competitor to the likes of Google Docs and Evernote – in other words, an app that allows users to create documents and collaboratively edit them – while storing, sharing, and syncing the content of those documents on Dropbox.

Pretty great, many thought at the time – so easy, and so convenient. But those digging just a little deeper under the appealingly clean interface are coming up with some serious issues – not just with the way the service is structured, but also with the attitude Dropbox is taking toward any issues raised over its treatment of the privacy of its users.

Netherlands-based security engineer Koen Rouwhorst is now informing his own and Dropbox’s followers on Twitter that if they share a Dropbox Paper document publicly, “any viewer can see the full name and email address of any Dropbox user who ever opened that document, which seems problematic.”

He adds: “This ‘feature’ is just waiting to be abused. It is trivial to crawl for public Dropbox Paper document URLs, and harvest personal details of tens (or hundreds?) of thousands Dropbox users who have opened those documents.”

Why is this even bad? Because it looks to be an egregious violation of user privacy, and, as comments on the tweet suggested, it aids every spammer, doxxer and/or spy on the internet looking to turn something that Dropbox sees as a legitimate “feature”, but that the rest of the world may see as a vulnerability, to their own malicious use.

Rouwhorst goes on to explain exactly why this is bad. Not only has Dropbox decided to treat this as “a feature, rather than a bug” – in other words, the company has decided to use that perennial go-to, passive-aggressive reaction to any criticism of any code – but Dropbox has also doubled down, and did so in plain sight, by responding to Rouwhorst’s concerns on Twitter.

Another thing you should be aware of as a Dropbox Paper user is that, as per the service’s response to Rouwhorst’s tweets, it’s not just the owner of a document who has access to names and emails: anyone viewing the document does too.

Dropbox history

Dropbox, of course, is no stranger to some serious accusations, or at the very least, suspicions as to how the company conducts its data- and privacy-sensitive global business.

When whistleblower Edward Snowden’s revelations about the scope and range of internet surveillance carried out by the US and other affiliated agencies came to light in 2013, there were suggestions that the NSA considered including Dropbox in its PRISM program.

But no more than that. However, a year later, Snowden was quoted by TechCrunch as advising anybody listening who values their privacy and personal integrity on the internet to stay away, at least from his experience, from the likes of Google, Facebook and Dropbox.
