Iris Classon - In Love with Code

‘Stupid’ Question 22: Is it OK to use dropbox to store and share confidential client documents? Is this safe/good practice?

[To celebrate my first year of programming I will ask a ‘stupid’ question daily on my blog for a year, to make sure I learn at least 365 new things during my second year as a developer]

Is it OK to use dropbox to store and share confidential client documents? Is this safe/good practice?

I want to start off by saying that I don’t do this, but I can share the story behind the question.

On our first school project (we were building a mini-CRM in Windows Forms) we had to find a way to share code. The school wasn’t able to set up the TFS server in time for the project, and we wouldn’t be able to use it on our private computers either. A few set up their own (and it ended up in disaster, as we basically didn’t know how to use TFS) and a few used SVN (the group that did had previous experience with servers and SVN).

And what did the rest of the class do? Half of us used Dropbox, and the other half passed a USB around. My group used USB, and we had problems with corrupted data, but otherwise we managed great, as we had one dedicated dev on our team who took the responsibility of patching the updates together (thank you Semyon!!!).

I hadn’t thought about that much until I started working and realized that many companies do use Dropbox to share source code and confidential documents. But nobody talks about it. Or questions it. Even with the security breaches Dropbox has/had. And therefore I want to ask you this: Is it OK to use Dropbox to store and share confidential client documents? Is this safe/good practice?

A popular question!

I posted this question on LinkedIn, Facebook and Twitter and was bombarded with replies. About 95% answered that no, it is not OK. Here are the comments I got:

Here is a summary of the replies that I got in a 2-hour span on Twitter; I’ll have to make a separate post about the Facebook discussion (longer answers):

NO:

  • Hard call. I personally wouldn’t do it. It’s not a practice that I would suggest.

  • I’d say never, too many security breaches. http://Box.net might be a better option at the moment.

  • Short answer no - as the person you shared to can again share to anyone. Sharepoint has better security features.

  • no IMHO. Save the transfer problem you cannot guarantee what DropBox will do with the info as well

  • Heard many times about security issues for dropbox. Doesn’t sound to me as a good idea…

  • cloud security will be a hot topic over the next few years. I store general stuff, not anything that would risk ip or security

  • I would say no. Mainly because dropbox is not secure, see http://twit.tv/show/security-now/349 … for more details.

  • Not recommended and after ur candid acceptance please don’t ;-)

  • No, it’s not OK. Read the Dropbox TOS - it’s icky.

  • Depends how paranoid your client is…dropbox staff can access your files…probably won’t…but can. I’d check with the client

  • Storing them unencrypted is like painting a target on your back. I’m looking in to https://www.boxcryptor.com/ to mitigate this risk

  • I think it’s not a good practice to put sensitive data in ddl

  • Based on the recent security breaches, I wouldn’t chance it.

  • NO! I wouldn’t recommend any free services. Why don’t you just keep them your company email…

  • I wouldn’t recommend it unless you store them in an encrypted zip or something, you don’t want confidential stuff leaking

  • no not at all!

  • No :)

  • Usually, but the answer is no if you need to conform to certain rules including but not limited to HIPAA or ISO 9001.

  • I’d say not right now. http://www.engadget.com/2012/08/01/dropbox-confirms-security-breach-new-measures/ …

  • with all the security problems etc I would say no, not yet anyway

  • please…no!

  • in addition, the encryption can be “public”. never trust too much in public services.

  • I try to avoid Dropbox for that, but it is not bad. I use skydrive more often because it has better security

  • I hear most folks who want secure storage online citing SpiderOak as the better solution.

  • I think dropbox can access files if they need to. Also consider the patriot act - are you ok with US gov having your data?

  • If security is a concern, consider SpiderOak instead. And SpiderOak Blue for business. Safer. Let them know I sent you :)

ONLY IF…

  • only encrypted

  • I would say it’s okay if you encrypt them yourself.

  • No, unless the file is well encrypted using public/private keys (like PGP) and the keys are not stored in Dropbox also.

  • You should first determine if anything stored in those documents would damage the client, or your relationship with them.

  • it’s all encrypted in transmission. If you want extra security use TrueCrypt to encrypt before syncing

  • If the docs are confidential I do not think this would be good practice..but it ultimately depends on what your client thinks.

  • it depends on how confidential your client thinks their data is … I’d use secure ftp if confidentiality is paramount

  • Depends your relationship with client… It works well, but, doesn’t seem very professional. I only use as last resort!

  • I think it’s ok, but U could encrypt your files with a tool (i.e.: BoxCryptor) for better security

DON’T KNOW

  • I looked at this too. Based on their website they’re pretty hot on security but it’s always a risk.

  • I think it can be secure but is also a very big target. I imagine a lot of hackers would like to get access to Dropbox data

YES:

  • I don’t see why not. Anything can be snooped or sniffed that travels the internet. I think mainly make sure u use a really STRONG password and never transmit it in the clear and u should be safe

  • If there is no other option the client may think DB is fine…otherwise they can setup a more secure solution for you to use.

Comments

Mike
8/14/2012 5:23:16 PM
I graduated early this year and got my first glimpse into the industry. Luckily I came into a group that consider themselves continuous-learners. They have taught me a lot so far, but one of the most important things they have taught me is the importance of Git and how to leverage it. I agree that the learning curve is a little steep, but it seems as though it is soooo worth it in the long run. 
noraguta
8/14/2012 8:31:10 AM
"You should first determine if anything stored in those documents would damage the client, or your relationship with them." and others on that topic - you should not do that, it is not up to you.
Your client will reveal his public data, but never, really never, you. What you get from them is confidential, if not stated otherwise.
Martin Vilcans
8/14/2012 8:41:16 AM
I don't know the answer to the Dropbox question, but nobody uses Dropbox for code. Or nobody should, at least. Dropbox is nice for sharing documents, but for source code there are better solutions. I don't know about TFS, but SVN is okay, and if you want to be in the in-crowd you really should learn Git. Unfortunately its learning curve is a bit steep, but it's worth it. In any case, version control is an industry practice that's unfortunately usually not part of programming education. I can't believe how we managed before it.

(It is possible to use Dropbox to host a Git repository though, which I'd recommend if you need to keep code private and don't want to set up your own server or use a hosted Git solution like GitHub.) 
Daniel Widegren
8/15/2012 2:50:02 AM
The Dropbox TOS have changed many times over; at times there have been parts which say that they have the right to share the files you store with third parties. That part has been added and removed multiple times, but given that it's been there once, Dropbox should NOT be used, because they can't guarantee you that they won't give files or other information that you store there to third parties. That is just to top the security problems.

I personally closed my dropbox account after the first TOS change for this, not looking back.

Plus, if you have private documents that are at risk, never put them up on the internet if possible, especially not on public / cloud servers that you don't have full control over. And if you must share them, share them encrypted. But all in all it depends on how important the files are.
Daniel Widegren
8/15/2012 2:55:24 AM
Oh, and I should add: once you put a file on the internet it's "public domain". Sure, not legally, but that's how the files are handled from there on.


Last modified on 2012-08-13
