Sophos Cloud Optix
On Sunday evening, a Dropbox user by the name of Darrell Whitelaw was startled upon receiving an error message when he tried to share a link to a Dropbox file via IM with a friend.
The message, posted over an icon of an empty file folder:
Certain files in this folder can't be shared due to a takedown request in accordance with the DMCA.
It was a takedown message triggered because the content of the folder was in violation of the Digital Millennium Copyright Act (DMCA).
Whitehall’s surprised tweet:
wow. @dropbox DMCA takedown in personal folders . . . this is new to me. pic.twitter.com/fSKxJUrFus
— darrell whitelaw (@darrellwhitelaw) March 30, 2014
It was new to plenty of others, as well.
In fact, his tweet set off a mini-panic at the idea of Dropbox’s peeking into supposedly personal folders.
One such response:
@rossipedia @darrellwhitelaw @dropbox Curious part: how do they “find” these private files? Is dropbox snooping on customer content?
— Bart Silverstrim (@Bsilverstrim77) March 30, 2014
Whitelaw had, in fact, been sharing a copyrighted video, he admitted, but he was still surprised to find that Dropbox was keeping its eye on a chunk of the internet that he considered, more or less, his own real estate:
@nery78 @Dropbox right? i treat it like my hard drive, this shows it’s not private, nor mine, even though i pay for it.
— darrell whitelaw (@darrellwhitelaw) March 30, 2014
Whitelaw went on to tell Ars Technica that technically, the IM to his friend was a public link that could have been shared with anyone.
This DMCA violation didn’t affect content in Whitehall’s folder – it just kept him from sharing that content, as Dropbox Support helpfully pointed out:
@darrellwhitelaw Hey Darrel – content removed under DMCA only affects share-links. DM us if you’re seeing something different so we can help
— Dropbox Support (@dropbox_support) March 30, 2014
In other words, it’s only when we try to share copyrighted material that DMCA comes into play – not when it’s just sitting in our Dropbox folders.
It comes into play rapidly because, in fact, it is completely automatic.
Multiple tech journals tried to calm flustered people by pointing out that none of this is new nor is it sinister.
Dropbox prevents you from sharing a file when a hash of that file matches a hash on its blacklist.
Hashing is a way of creating a unique, fixed length, signature for a file that is very difficult to reverse engineer. If two hashes that were created in the same way match you can be all but certain they’re hashes of the same file, but you can’t find out anything about the file from the hash (this property of hashes is also why they play such an important role in secure password storage).
Using hashes allows Dropbox to be certain that they are blocking a file on their blacklist without anyone involved knowing, or being able to find out, what that file is.
This was Dropbox’s official comment on the Whitehall tweet:
There have been some questions around how we handle copyright notices. We sometimes receive DMCA notices to remove links on copyright grounds. When we receive these, we process them according to the law and disable the identified link. We have an automated system that then prevents other users from sharing the identical material using another Dropbox link. This is done by comparing file hashes. We don’t look at the files in your private folders and are committed to keeping your stuff safe.
All of which raises some interesting questions.
On the one hand Dropbox are doing nothing more than YouTube or Google do when they are asked to stop public access to content because of a DMCA violation, and they’re doing it in a limited way, at arm’s length, whilst wearing a blindfold.
On the other hand, no matter how arm’s-length the system is, Dropbox can and do scan your stuff, at least when you make it public, and they will act as ‘cop’ to enforce the claims of ostensible copyright holders.
Technically there’s no difference between making a video public on YouTube or making a video public on Dropbox so there’s no reason why we should treat DMCA notices on the two systems any differently.
However, judging by the immediate reaction to this situation, there does appear to be a difference in the way that we think about them; as Darrell Whitelaw said of Dropbox in one of his tweets “I treat it like my hard drive”.
We are used to our hard drives being things that are entirely within our control.
Of course, the minute we share something from Dropbox it is less a hard drive and more a website. But we’ve had 30 years to get used to the idea of hard drives and for most of that time they’ve been ours and haven’t been able to morph into public websites.
This furore shows that we have some adjustments to make before we understand what it means to have, to own or to control something in The Cloud.
Increasingly that means allowing our stuff to be subjected to some degree of automated processing.
On this I can give you no more sound advice than that of former Naked Security writer Graham Cluley: for a better understanding of how you should approach security in The Cloud simply replace all instances of the words in The Cloud with the words on somebody else’s computer.
The only way to completely keep other people out of your business when it’s on-the-wire or in The Cloud on somebody else’s computer is to encrypt your files before they leave your system, using keys that you control.
so … is this dude’s name Whitehall or Whitelaw?
They don’t actually ‘scan’ your files. They just create a hash of it which they check against a list of prohibited hashes. They can access your files yes, but only if law enforcement requires them to! They have a lot of security in place to stop employees snooping around your personal stuff. It is your choice to use dropbox, don’t like the terms and conditions don’t use it!
thanks for the info Max it is good to know
If they can access your files for law enforcement then their employees can access your files… where’s all of that security to stop them? Once again all the security in the world boils down to the Honor System of the admins.
As Dropbox has shown, anything you put in the cloud is no longer your property, it is the property of the cloud company. If they do not want you to share a file to family members or friends, even though you paid for that file (video, audio, etc), then you do not have a choice but to follow their rules.
Personally I think if I buy a movie (for example) then I should be able to share that movie with friends and family. Maybe not sharing with an unlimited amount of people but at least 10 or so. After all, how many times have you borrowed a movie that was good but not good enough to buy?
I call that scanning. The difference that hashes make are that they simply change the question from “what files have you got?” or “what kind of files have you got?” to “have you got this file?”. It’s more limited – a shallower scan if you like – because you have to know what you’re scanning for, but it is a scan.
I use Amazon Cloud and I just recently started using Dropbox. I was hesitant at first, but the convenience is a nice perk. However, I always assume that anything I put on the cloud or dropbox can and will be seen by anyone, including a foreign national. I most certainly take care not to upload anything I can’t afford to lose, and I don’t upload anything I consider personal. No personal writings, no work-related items, and most certainly no export controlled information. Like they always say, if you post it, assume someone’s going to see it, steal it, share it, or use it.
Can’t help but agree with your conclusions yet it begs the question what benefit does Dropbox provide if you exclude personal and work items?
I agree with him. I rarely use the cloud, and when I do, it is only to share large files with people I am working with on the same project. I see no safe use for the cloud otherwise.
This sums it up nicely:
“for a better understanding of how you should approach security in The Cloud simply replace all instances of the words in The Cloud with the words on somebody else’s computer.”
I won’t keep my data on somebody else’s computer.
You offer an excellent analogy. You may want to take it a bit farther. The other person in this situation is a paranoid, schizophrenic, right wing religious fanatic convinced you are a social deviant that must be saved or incarcerated. You may also want to toss in overtones of a jealous spouse.
Stereotype much?
Hmmm personally I would not store any files of any description on any cloud based storage. not a good idea if you want to keep it private….NSA GCHQ you can both go to hell….
It’s “automatic for the people”
You know, email providers like AOL (I know, AOL), have been scanning attachments for years. I was an advisor on a criminal case (2005) where AOL discovered child exploitation files being shared via email, the discovery was made by the attachment hash matching that of a known CP image – the hashes are provided by the The National Center for Missing and Exploited Children based on other court findings and know cases. So to think of Dropbox as your own personal hard drive is foolish. Worst yet is Mr. Whitelaw was open about his intentions to violate copyright via dropbox.
Anyone that thinks they can share copyrighted files through Dropbox or any other free or “paid for” cloud is a fool.
Perhaps your only file stored on Dropbox should be a TrueCrypt drive image.
In our family we do not use any ‘cloud’ type services as they are viewed as being totally unsafe. As someone here said, would you put the contents of your computer onto someone else’s?
But there appears to be an insidious side to Dropbox – it suddenly appeared on one of our PCs without either of us asking for it to be installed. We are a family of two retired adults whose children live in their own homes, one 25 miles away and the other 3000 miles away in the US. So how did Dropbox get installed? We can only surmise that it was carried in by some wanted software install but without any notification nor request nor permission, just slipped in on the quiet. It has since been deleted as we neither want it, trust it nor use it. But how sneaky was it to be installed without permission.
Moral, always look very carefully at ALL installer messages and do not accept any foistware you do not want – but even that does not prevent every determined installer you don’t want.
No accounting for how daft some people are in thinking ‘everybody’ wants whatever they are hyping.
I had that happen when I installed an update to my antivirus software. I’ve noticed a trend to install extra stuff when you install an update to a number of things. They give you no choice as to whether you want it or not, and then you have to go to the bother of uninstalling it after the fact. 🙁
Try another anti-virus?
I thought this way too. Until our home was burglarized. My computers, my backup server and my external backup to the server were all stolen.
Ten years of digitized files all gone one day while I was at work.
In short: NO PLACE is absolutely safe. I just hope that Leo Notenboom’s theory of “I’m just not that interesting” works for me.
Shame on me for not encrypting my data. Yet.
Our back-up system is well hidden within the structure of our brick-built house! Could they find it? I suspect not easily as we had a friend who works for a government security agency to advise and then attempt to find what we had done – he didn’t find it after 5 hours!
So even if they stole our computers and visible means of making backups, they would still not have the whole story as we make automated backups daily and then remove any sensitive stuff ourselves. (We don’t even trust a script to do that in case it can be hacked.) Plus you can’t connect to our network and just ‘see’ it as it’s only visible at certain times of the day and at certain network locations that are not displayed normally plus they have a triple lock (not just 2FA) known only to my partner and me.
Certainly beats any ‘cloud’ service.
If we encrypt our files in Dropbox using Truecrypt or encfs, can Dropbox still find it out by comparing the hash?
No
I’m a complete dummy about encryption. Can someone please tell me how I can encrypt individual files and then upload said files, in encrypted form, to someone else’s computer?
The simplest solution is to use archiving software that supports encryption (i.e.: 7-Zip Free and Open-Source).
Hi, Lisa. Thanks for another informative piece. Headsup: You must have been thinking about UK government things when you were writing. Whitelaw has morphed into Whitehall in a couple of places. 😉 Best regards.
If it is a straigt hashing of the file, changing of the metadata, like the exif data on an image (things like f-stop, camera type etc) or the tags of an mp3-file would be enough to change the hash to something different.
Other file-types can have areas of unused data, which can be mangled, random data can be added at the end, or even a few bytes in the middle can be changed with little or no visible or audible changes detectable.
Perhaps even just zipping it together with a random file is enough to beat the scanner,
My view: if you have private – even copyrighted data e.g. movies you bought – data on whatever cloud service you use and share a link to that, that’s like sharing a link to your private network e.g. via VPN or like a remote desktop conection for someone else.
And now: who will prohibit you let someone else watch a video on your private computer, no matter if he sits on you sofa or lives in an antarctic science lab at that time?