Data Vulnerabilities for Apple and Dropbox

As those who read me will know, I’m a big fan of Apple products, the proud user of an iPhone. And I think Dropbox is a cloud with silver on the outside and on the lining. In the last couple of days I’ve learned about vulnerabilities for each that make me realize again how exposed my data are and make me more determined to learn about — and use — encryption.

About a month ago I wrote about a German politician who was alarmed at the detailed nature and the duration of the data kept by his service provider (Mobile Phone Companies and Data About Our Lives). Now I have to bring it closer to home, at least for some of us. If you have an iPhone (or an iPad with a cellular plan), that device retains detailed information about your location at each of the times you use your phone. When you sync that device on an Apple machine, as you would to transfer music files or other data between the smart device and the desktop or laptop, the program performs a backup of the data currently on your iPhone or iPad, including your location data. All of your retained backups provide a shockingly clear picture of where you’ve been and when. Apple Inc. has access to the data.

iPhoneTracker is a free application you run on the Apple computer that you sync with your iPhone; it charts your locations on a map and provides a timeline slider as well. The image below illustrates what you’ll see:

The iPhoneTracker site explains how you can eliminate old files and how you can encrypt your backups (which will at least prevent local intrusions); and it points out that there’s nothing you can do to protect the data on your iPhone or iPad from being sent to Apple.

(I do not know whether RIM or Google collects location data from devices running their OSs.)

With Dropbox the vulnerability is different. They have clear company rules about keeping their noses out of the data you store in their cloud; and they encrypt your data so that it’s fairly safe from hackers and accidental releases. In this case it’s the US government that is a source of concern. As you would expect from a law-abiding corporation, Dropbox has made it explicit in its Security Overview that it will release your data to authorities “when it receives valid legal process,” and it will remove its encryption from the data before handing it over. This has caused something of a stir on the internet, even though US laws gave them no real choice.

Lawyers in Canada are using Dropbox. Indeed, it is becoming a basic tool for those who have virtual offices, those who want to cross the border with clean laptops and yet access their data from their destination, and those who simply like the convenience of a reliable cloud. Fortunately for them, it is possible to add client-side encryption to the mix, such that the data are protected against easy access, even by foreign authorities. Dropbox offers the suggestion itself in the same Security Overview:

Specifying Your Own Private Key Using TrueCrypt

Dropbox does not discriminate between the types of files stored in your Dropbox nor the applications used to open those files. This means you can use your own software encryption methods, such as third-party encryption software, to keep your files secure on your terms.

There are many sites that will help you configure an encryption system that’s compatible with Dropbox (this is one example).

I’m not Chicken Little here: the sky isn’t falling, and even if it is, it isn’t really news. But I am concerned that I, and some of you, be reminded from time to time of the exposed nature of digital data and of the fairly simple means available to reduce that exposure. For me, this feels a bit like the struggle it used to be to get people to back up their data: we knew our hard drives would fail and yet we avoided the relatively trivial work of backing them up — until, of course, the thinkable happened. Data breach is the new thinkable.

[hat tip re Apple: @mgeist]


1. A secure alternative to trying to configure a joint Dropbox/TrueCrypt solution is to use SpiderOak:

It is a Dropbox competitor that uses client-side encryption (and the company states that it is never sent your private encryption keys). Like Dropbox, they have a free 2GB account. SpiderOak isn’t quite as ultra-simple to set up as Dropbox, but it isn’t arduous either (and is simpler than running Dropbox/TrueCrypt)…

    They are a US company but under this security approach the only data they should have to turn over to authorities would be encrypted data.