I wouldn't trust Dropbox with my bank details and such (because there are lots of people looking for that kind of information), but is it safe to keep things which might be valuable to a small number of people? E.g. commercially sensitive information, draft scientific papers, answer sheets for university assessments I tutor etc.

Is there anything relevant in the fine print about privacy or ownership of stored information which I may have missed?

As long as I have a reasonably strong password is it likely someone who knows my e-mail address would be able to hack it?


Dropbox's Terms of Service state that they do not claim ownership rights, and they seem to have good security. In order to reset your password, Dropbox sends you an email message with a reset code. Someone would need access to either your email account, your password or a computer that you had set up Dropbox on to access your files.

If you want more security, you can use TrueCrypt to encrypt files before uploading them. As long as you don't put files in your public folder, you should be safe anyway.

P.S. I recommend checking with your company's lawyers before uploading secret information anywhere, just in case.

  • +1 for TrueCrypt. While Dropbox seems to have security done well, if your data is sensitive you shouldn't be uploading it anywhere unencrypted.
  • I use Dropbox with a 500 MB TrueCrypt container. It's great: if I put something in there, only the changes are synced (after unmounting!). That is not difficult, but also not trivial. Sometimes I get a conflict file, when a whole second container is downloaded. After mounting both and syncing them, I delete one of them. Therefore, for a more-than-newbie user, a perfect tool.
  • I disagree that Dropbox has good security - that would require keeping the encryption keys on the client or, at the very least, encrypting them with your password. Of course, this would prevent features like accessing your files if you forget your password, but it still means that their security is at most "decent". I would definitely use some encryption scheme (I use encfs because it encrypts each file separately, which is less secure but more convenient, in my opinion) if I were to put commercially sensitive info there. Commented May 30, 2011 at 14:41
  • @André If you need that kind of security, try link or link. These services keep your encryption keys client-side, although SpiderOak will allow you web access if you give it the password (they promise to only keep it in server memory for the duration of the session).
It all depends upon what level of "secure" you are comfortable with. Here's a few points to consider:

  • All (or a portion of) the files in Dropbox are also stored locally. You can choose to sync portions of your dropbox on other machines but one of your machines somewhere has the full state. This means that if your machine is ever lost, you're toast, because that information is not encrypted or secure.
  • Dropbox is only as secure as humanly-possible, and maybe not even that much. (As an example: Dropbox employees can see your content and will turn it over to the government if asked. They used to say they couldn't do this, but they later changed their statement.)
  • TrueCrypt is great to use in conjunction with Dropbox. Note, however, that Dropbox won't be able to do single-file updates when any file in your TrueCrypt volume changes -- the whole volume will have to be pushed up again.
  • Ultimately it all depends on your comfort level and how much you trust both the networks you live on and the service and its employees.

As in the other answer, check with your company's lawyers first. Even if it were 100% secure, they may not like having secrets being stored in another place that they have to worry about.

You can use BoxCryptor to automatically encrypt all files which are uploaded to Dropbox.

I recommend KeePass (Classic Edition) for storing things like passwords or credit card info. It is lightweight and supported on almost any platform (via Contributed/Unofficial KeePass Ports and Builds). Encryption is Rijndael (AES).

I should note that, with regard to draft scientific papers, most research institutions (universities/colleges included) have very strict data storage policies, and storing your papers off-site is likely to be a violation of that policy. Before doing anything like that, please check with a senior administrator or someone who knows what that policy states, because you can potentially have your funding pulled if you make that type of error.


Dropbox doesn't have good security from either the confidentiality or availability aspects, so if your data is sensitive or must be available at all times you need to do something about it yourself.

For confidentiality, encrypt it: TrueCrypt plays well with Dropbox.

For availability, look at multiple alternatives.


Whatever you put on Dropbox, assume that it will be exposed to the public someday. Because that is what actually happened for 4 hours yesterday. Apply your own choice of encryption before storing anything on Dropbox.

You may want to give this InformationWeek article a read. It reports that there have been accusations of—potential—security and privacy issues with Dropbox due to their de-duplication procedures. Dropbox counters that their employees have limited, if any, access to users' files, though a few "need to", and that they have sorted out some issues, but not about their ability to track and trace which users uploaded what, and their reporting policies to the authorities. The co-founder of PGP, the popular encryption protocol, has deleted his Dropbox account and accuses them of not actually encrypting the files (although he is probably talking about how Dropbox uses a global key instead of separate keys for each user—which of course would be much more secure).

Not surprisingly, it all comes down to the actual files you want to store and how important they are to you. In the end, you have to make a personal judgement call based on the information at hand.

As long as I have a reasonably strong password is it likely someone who knows my e-mail address would be able to hack it?

It looks like your password is completely irrelevant: Dropbox has, in the past (such a widely publicized incident happened on 2011-06-19, official Dropbox response here), accepted any password as valid, for an extended period of time - that is, anyone could have logged in as you, only knowing your username.

This, in addition to the recent change in security policy (which says, essentially, "we can access your files now, despite our previous statements to the contrary"), means one thing:

NO, it's not any safer than having those files publicly accessible: I can't find any kind of guarantee that a similarly massive problem won't happen again tomorrow, and the architecture of the system doesn't seem to protect your files by itself (and relying on external protection, such as if(password_ok = 1) gets you, uh, free access for anyone).

In other words: there apparently isn't any useful encryption in place (despite previous claims), therefore you should treat the files as if they were out in the open. So, if you plan to store anything sensitive there, don't store it unencrypted: use some external system of encryption (e.g. a TrueCrypt container file - even Dropbox's wiki suggests using that [sic!]), and sync the container - it's encrypted on your side, and thus unreadable without your container password (which Dropbox doesn't have); or use a different cloud sync provider which provides actual client-side encryption.



Dropbox are obliged to turn over your data to the U.S. government should they decide to invoke the Patriot Act on you for whatever reason. There is also the 1986 Stored Communications Act where Fourth Amendment Rights to privacy do not apply and they can subpoena your data for some possibly reasonable reason.

Even if you encrypt your data and put it up on Dropbox, chances are that those friendly folks in the dark-government will be able to read your data if they really want to. Regardless of the latest and greatest encryption scheme, in real life the same factors that opened up the Enigma codes of WW2 come into play - your scientific paper/business proposal/pictures will start with the same bytes as last time you uploaded them, maybe not 'Heil Hitler!' but nonetheless enough duplicate content for the pro code-crackers to get to your private key.

From the U.S. side of the pond concerns about the Patriot Act may seem laughable. However, in the UK, it is quite reasonable and considered best practice to not store personal information on U.S. servers even if this information is completely harmless, e.g. a customer database. Time and time again the U.S. spying agencies have proven themselves to be untrustworthy, so why trust your data with companies accessible by them? Sometimes it is the principle that matters, not your data. It disappoints me that this has not been mentioned in the answers provided in this thread (to date).

