Dropbox is that massively successful tech startup that mostly stays out of the limelight, under the radar, and toils away out of sight – much like the core service that it provides: file hosting and syncing. Dropbox nowadays works across every imaginable platform and has hundreds of millions of users around the world.
In other words, Dropbox works tucked away in the background, doing its thing. Unless a technical problem makes your desktop or phone OS seize up, why would you even have to think or care about Dropbox’s existence in your digital life once you install it and grant it all its “due app rights”?
But make no mistake. Dropbox is a veritable tech giant in the making, both in terms of its market share and dominance, and in terms of the power that its position and the nature of its service afford it over both its userbase and its competition. And if Dropbox wants to, or has to, it could undermine its users’ privacy with little consideration, and with little recourse offered to them, as it turns out.
Like any startup growing exponentially into the big leagues, Dropbox has felt the existential threat and the need to diversify its original portfolio ASAP: enter Dropbox Paper. Introduced in 2017, it was designed as a competitor to the likes of Google Docs and Evernote – in other words, an app that allows users to create documents and collaboratively edit them – while storing, sharing, and syncing the content of those documents on Dropbox.
Pretty great, many thought at the time – so easy, and so convenient. But those digging just a little deeper under the appealingly clean interface are coming up with some serious issues – not just with the way the service is structured, but also with the attitude Dropbox is taking toward any issues raised over its treatment of the privacy of its users.
Netherlands-based security engineer Koen Rouwhorst is now informing his own followers, and Dropbox’s, on Twitter that if they share a Dropbox Paper document publicly, “any viewer can see the full name and email address of any Dropbox user who ever opened that document, which seems problematic.”
If you share a Dropbox Paper document publicly, any viewer can see the full name and email address of _any_ Dropbox user who ever opened that document, which seems problematic. pic.twitter.com/HkxbE5cJ9r
— Koen Rouwhorst (@koenrh) September 24, 2019
He adds: “This ‘feature’ is just waiting to be abused. It is trivial to crawl for public Dropbox Paper document URLs, and harvest personal details of tens (or hundreds?) of thousands Dropbox users who have opened those documents.”
Why is this even bad? Because it looks to be an egregious violation of user privacy, and because, as comments to the tweet suggested, it aids every spammer, doxxer and/or spy out there on the internet looking to exploit, for their own malicious use, something that Dropbox sees as a legitimate “feature” but that the rest of the world may see as a vulnerability.
Something you should be aware of as a Dropbox user, because Dropbox considers this to be a feature, not a privacy bug. Also, there is no way to hide your personal details.
— Koen Rouwhorst (@koenrh) September 24, 2019
Rouwhorst goes on to explain exactly why this is bad. Not only has Dropbox decided to treat this as “a feature, rather than a bug” – in other words, the company has decided to use that perennial go-to, passive-aggressive reaction to any criticism of any code – but Dropbox has also doubled down on its position, and has done so in plain sight, by responding to Rouwhorst’s concerns on Twitter.
…user not on their team that their information will be visible in a screen that pops up before the Paper doc loads. Displaying this information is needed to enable collaboration and security features for our users. Users and admins can control who can view a Paper doc..[2/3]
— Dropbox Support (@DropboxSupport) September 25, 2019
Another thing you should be aware of as a Dropbox Paper user is that, as per the service’s response to Rouwhorst’s tweets, it’s not just the owner of a document who has access to names and emails: anyone viewing the document can see them.
Dropbox, of course, is no stranger to some serious accusations, or at the very least suspicions, as to how the company conducts its data- and privacy-sensitive global business.
When whistleblower Edward Snowden’s revelations about the scope and range of internet surveillance carried out by the US and other affiliated agencies came to light in 2013, there were suggestions that the NSA considered including Dropbox in its PRISM program.
But no more than that. However, a year later, Snowden was quoted by TechCrunch as advising that anybody listening and valuing their privacy and personal integrity on the internet should, at least from his experience, stay away from the likes of Google, Facebook and Dropbox.