• Is DropBox ok to use?

    Because I have a background of being involved in discussions around data protection I sometimes get a prod about online storage and web 2.0 tools. Over the last 6 months I have had quite a few about online storage options, but I have never really put down on (electronic) paper what my concerns are and why I have them. I have a few concerns: some centre around ownership of files and data, some around data protection and some around management of the tools.

    Online storage often comes under attack over IPR of images, concerns about control, heated rants about how company x is making use of *our* files / photos to generate revenue on a free service, etc … and we only have ourselves to blame for not reading the T&Cs fully, for not keeping abreast of changes to the T&Cs (though some companies make it extremely difficult to find the changes or contribute to those changes) and for not accepting that if we take part in a free service then there are likely to be limitations and issues. We take on that risk ourselves and we need to accept some responsibility for that. Whether we are talking about LinkedIn using profile photos of members in their marketing by default, changes to Facebook privacy options, changes in security / ownership when companies merge products … there have been so many times when the masses rise up indignantly to protest and then rush around making changes and, in the worst cases, swap services … and yes, I have been there, expressing my frustration too.

    This is increasingly important if we are asking children to make use of these tools as we are being trusted in our judgement and selection of these tools … after all not all children, across the broad age range we have using these tools, are emotionally, intellectually or perhaps even legally in a position to make some of these choices on their own … but that is a discussion for another time probably.

    But discussions today centred around online storage, and in particular the growing use of DropBox to remove the need for USB memory devices. For those who have not come across DropBox.com, it is an online storage system which will synchronise selected folders from one or multiple devices to an online repository. Folders or sub-folders can be shared for automated synching with other users, making it a fantastic tool for collaborative sharing of files and materials. There are a number of other tools like this ranging from Microsoft’s SkyDrive, shared document libraries in SharePoint, Moxy, Box.net, ADrive and many more. DropBox and SkyDrive are both free so that is why you will see them in heavy use … especially in education. Free comes with limits though: sometimes that is the amount of space, sometimes the SLA doesn’t really exist and sometimes there is a lack of control over certain aspects of functionality or how it changes.

    When it comes to DropBox though, my main concern is that users are significantly at risk of breaching the Data Protection Act and they don’t even know it. This is especially important right now as it is being recommended to NQTs who might not know any better … let’s face it, there is not that much about Copyright law, Data Protection and IPR within teacher training and, from what I have seen and been told, there is a presumption that this is covered within schools by school policies … and we all know how wonderful many schools are for having decent Data Protection policies and explaining them to *all* staff.

    I know that my blog is read by a wide range of people so I just need to go back a little to cover an aspect or two of the Data Protection Act. The DPA has 8 principles, which are pretty self explanatory and the 2 most important principles to look at for this conversation are 7 & 8.

    If we start with DPA Principle 8 first … this is about where data can be stored, moved through, processed, accessed, etc. And this is the first place we fall down with DropBox. There is an ongoing query that has never been fully answered about whether DropBox.com is compliant with this.

    "Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data."

    Now, what this means is that if you use your online storage and sharing to move about or access anything that can be deemed ‘personal data’ (which for teachers can range from pictures of children, their personal details, information about their progress, medical information and so on) then you have to do it within the European Economic Area or other countries where we have set agreements. With the US this is called the U.S. – EU Safe Harbor and there is a list of companies who have been certified with this and across what aspects. It is important to remember that being certified is only part of this … the specifics of what has been agreed are equally important and will differ from company to company. I have previously commented about iCloud and Apple to reflect this.

    When you look at the list you will spot that DropBox.com is not there. When you dig through the T&Cs for DropBox you will find that they use Amazon for their storage facilities … which is good … Amazon *are* on the Safe Harbor list so that seems to tick the boxes … apart from they don’t say that they will only ever use Amazon and they don’t say how they use them, and what agreements they have in place. Ah … so we are back to square one then.

    I have asked the question twice now of DropBox.com and not even had tickets opened. There is a discussion at the moment about this on the forums and still no definitive answer.

    To deal with this I know some users of DropBox will make use of other security solutions to bolster how they deal with DropBox. This involves using an encryption tool to create a secure folder / file which is then synchronised via the online service. A common tool for this is TrueCrypt and that works fine at a technical level … meeting the criteria of DPA Principle 7, where you are taking suitable technical measures to ensure the security of data … but the principles are not pick and mix … you have to meet them all. Right now I use an encrypted folder on Dropbox for my non-sensitive files (so only I and others I trust can access them) and do not use it at all for sensitive items.
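
    One way to check that only encrypted material ends up in a synchronised folder, as an added example that is not from the original post: the script below walks a folder and flags any file that starts with a well-known unencrypted file signature or whose byte entropy is too low to be ciphertext. The folder path, the 7.5 bits-per-byte threshold and the signature list are assumptions chosen for illustration.

```python
import math
import os
import sys
from collections import Counter

# Signatures of common unencrypted formats. Entropy alone would miss these,
# because compressed files (images, Office documents) look random too.
KNOWN_PLAINTEXT_MAGIC = {
    b"%PDF": "PDF document",
    b"PK\x03\x04": "ZIP / Office document",
    b"\xff\xd8\xff": "JPEG image",
    b"\x89PNG": "PNG image",
    b"\xd0\xcf\x11\xe0": "legacy Office document",
}
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off, ciphertext sits close to 8.0
SAMPLE_BYTES = 65536     # only the first 64 KiB of each file is examined


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def classify(sample: bytes) -> str:
    """Return 'ok' if the sample looks like ciphertext, else the reason it does not."""
    for magic, label in KNOWN_PLAINTEXT_MAGIC.items():
        if sample.startswith(magic):
            return f"recognisable {label}"
    entropy = shannon_entropy(sample)
    if entropy < ENTROPY_THRESHOLD:
        return f"low entropy ({entropy:.2f} bits/byte)"
    return "ok"


def audit_sync_folder(root: str) -> dict:
    """Map relative path -> reason, for every file under root that is not 'ok'."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as handle:
                verdict = classify(handle.read(SAMPLE_BYTES))
            if verdict != "ok":
                findings[os.path.relpath(path, root)] = verdict
    return findings


if __name__ == "__main__":
    # Folder to audit is taken from the command line (hypothetical path).
    folder = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, reason in sorted(audit_sync_folder(folder).items()):
        print(f"{rel}: {reason}")
```

    Ciphertext files under about 1 KB can fall below the threshold and be flagged, and a compressed format missing from the signature list can pass, so the output is a list of files to review rather than proof either way.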

    For sharing pictures for stimulus with others (teachers / children), for sharing videos, etc, especially cross-platform and when using apps on mobile devices, then I can see that it will be fine for use in UK schools … but for staff to share in general … no … not yet.

    SkyDrive does meet the criteria as the data centre used is in Ireland, but I know that there are some who have issues about a tie in or lock in with Microsoft and what happens to Live@Edu and Office365. It is still worth thinking carefully about what you are sharing with others and how.

    94 Comments
      Geoff -
      On a personal note (I know this isn't scalable at an organisational level) I use TrueCrypt and encrypt my data before it hits Dropbox. It's an extra step, but I know my data is safe and secure that way.
      GrumbleDook -
      Yep, a good model and DropBox has a good entry on their wiki for it, for those who may not have thought about this. TipsAndTricks/Truecrypt - Dropbox Wiki
      CHR1S -
      I have asked my LEA several times now, each time no answer other than "Be a little careful with Dropbox "!

      Okay, I'm being very lax with my quoting, but what alternatives to dropbox are there that give the same freedom and functionality?
      Arthur -
      Quote Originally Posted by CHR1S View Post
      what alternatives to Dropbox are there that give the same freedom and functionality?
      AeroFS. Once it's out of beta, I'm ditching Dropbox for good!

      @GrumbleDook. You may find this useful (slide 16 onwards)...
      http://fak3r.com/geek/defcon-19-taki...nd-going-home/
      CHR1S -
      Quote Originally Posted by Arthur View Post
      AeroFS. Once it's out of beta, I'm ditching Dropbox for good!
      Because AeroFS is completely distributed, even if we experience downtime, you won't!
      So if none of your "friends" computers are on where does it sync to?

      Are all your "friends" signed up with safe harbour?

      Not sure I like it for a school
      GrumbleDook -
      If you are looking at free (or at least no cost in licence or contract) then at the moment the only thing I can point to that I have not come across any show stopping concerns is SkyDrive. There are UK based firms with UK based data centres which can do commercial offerings (and so fit in with DPA, etc) but I don't have a list of those ... and with my day-job hat on ... I can't recommend any of them anyway.

      Some VLE / Learning Platform providers will provide storage, but I am not aware of any who will do anything that does automated synchronising, other than Sharepoint-based options with synching document libraries ... again, YMMV on how good the performance is on these.

      I know of some schools who have been using RSYNC or other synching solutions, but I am not aware of anyone getting these running over the tinterweb in a happy manner ... but I am prepared to be pleasantly surprised (if anyone from Open Source Schools is about they may have examples).

      LAs are often a tad reluctant to give categoric information, especially if you don't buy advice from their legal service / information management / etc ... and the cost of some teams within an LA getting a definitive answer from legal folk is outside of available budgets (if they still have a budget ... which I don't!).
      MK-2 -
      I'll be perfectly honest, I misread the title and wondered why you were asking "Is Dos_Box ok to use?"
      GrumbleDook -
      Quote Originally Posted by Arthur View Post
      AeroFS. Once it's out of beta, I'm ditching Dropbox for good!

      @GrumbleDook. You may find this useful (slide 16 onwards)...
      fak3r » DEFCON 19: Taking your ball and going home
      I had tried to steer clear of some of these points and purely take items based on DPA as why it is an issue. I like the look of LipSync and can see how it could be good in a school (synching back to school servers) and hope to see what it develops into.
      SimpleSi -
      to paraphrase...
      DP - It's a sad, sad situation. And it's getting more and more absurd

      and

      for evil to triumph, all it needs is for good men to stand idle (a bit OTT I realise [like the article] - but I couldn't come up with a good alternative!)

      Let's worry about important things!

      Si
      Arthur -
      Quote Originally Posted by CHR1S View Post
      So if none of your "friends" computers are on where does it sync to?
      Nowhere, if you have the cloud backup feature turned off.

      Quote Originally Posted by CHR1S View Post
      Are all your "friends" signed up with safe harbour?
      The main advantage to AeroFS is that you can sync files between two or more computers without your data being stored (temporarily or permanently) in a random data centre somewhere in the world. It works exactly like Dropbox except you have far more control over where your files are located.

      The files are transferred directly between computers via an encrypted connection without passing through a middleman. Your friends could simply be "me, myself and I" (there's nothing stopping you from setting up multiple accounts).
      box_l -
      I don't believe that even SkyDrive meets the criteria, I understand that the US "Patriot Act" trumps all others if the company or subsidiaries are US owned.
      This means that any Microsoft owned service can be accessed at any time if the US so desires.

      I know that they need a good reason to look, but -Nothing- will stop them if they want to see your data.
      Search "patriot act data protection uk"
      Just one of many links: Data Protection and the Patriot Act

      I am not concerned for my own rather boring collection of scripts and so on that I store in DropBox, SkyDrive or where-ever, but students, (or even staff), personally identifiable information should NEVER be stored outside the school without being heavily encrypted. Even things like Sims Learning Gateway, E-portal accessible from the CMIS VLE offering worry me.

      BoX
      GrumbleDook -
      I have asked for clarification re Patriot Act but from what I had previously been told during DPA discussions the reference to accessing data from EU customers is when it is already outside of the EEA, i.e. if the data centres used are in the US. With DropBox we don't know what they are using or where. They say Amazon ... but nothing guaranteed. At least with SkyDrive we know it is within the EEA (Ireland and fail over to the Netherlands IIRC)

      If the Data Centres are in EEA and are run within the EEA then any seizure of data is a factual breach of DPA. A company cannot transfer the data from within the EEA to outside of the EEA without your consent, even if the Patriot Act is used. To do so would mean that an individual is being forced by the US authority to breach the laws of another country, ... and if you consider the number of companies who operate on Govt contracts who have US sections (or are US based) then there could be a royal bun fight should it be tried.

      But, as I have said, I have asked for clarification on that.
      dhicks -
      Quote Originally Posted by GrumbleDook View Post
      I know of some schools who have been using RSYNC or other synching solutions
      Why does a school need to use any kind of syncing solution in the first place? Surely users either want direct access to their file area or, ideally (especially for staff handling pupil data and so on), a remote access solution that lets them edit their files using the school's system. That could be something a bit cludgy like letting them access an RDP desktop, or do it properly and make your system web-based. The fewer files containing pupil data you have wandering around outside the school the better.
      Geoff -
      Also you might want to look at AeroFS which has end to end encryption and is (optionally) serverless.
      Ric_ -
      @dhicks I am with you on this one. I really don't like the thought of all this data flowing backwards and forwards. Do you ever really know who is accessing it and where it is ending up?

      For access to data, I'd much rather use something like XenApp that can prevent data being saved and printed over the remote connection. You will never get around the fact that people can steal anything that you need your eyes to read but it does limit opportunities. Plus all your data stays on your systems.

      Of course, this does then open up the question of cloud-based backup but I imagine 'free' solutions are too limited for this anyway.
      GrumbleDook -
      Quote Originally Posted by dhicks View Post
      Why does a school need to use any kind of syncing solution in the first place? Surely users either want direct access to their file area or, ideally (especially for staff handling pupil data and so on), a remote access solution that lets them edit their files using the school's system. That could be something a bit cludgy like letting them access an RDP desktop, or do it properly and make your system web-based. The fewer files containing pupil data you have wandering around outside the school the better.
      There is a presumption that people will never work offline, will never work on multiple devices and that people are happy to spend time uploading files in that response ... or am I wrong? Most people like the use of the file sync / file storage tools because it automates a lot of work for them. Being able to share a folder (and contents) with specific people has its benefits, and being able to automatically distribute changes is something that has a fair bit of precedent. Yes, there are concerns about *what* people put in the folders as well, but that is a user-education piece of work and exists anyway, without having to consider the security implications of any particular tool / technology. I also think you mentioned an important word in your response ... cludgy. Are we still in the age where we think people will accept cludgy or reduced functionality? Every time we make it difficult and overly complex for a user to do something we put back the cause of IT as a ubiquitous tool that simply works. It is one thing to do it for a specific security reason, but when there could be solutions out there to do what is needed that *aren't* a bit Heath-Robinson then it sometimes comes down to the simple matter of time / cost / training ... except that it is never that simple when you introduce those three.

      File sync tools and online file storage are being pushed as an alternative to all those USB memory devices being moved around (usually unencrypted devices too) ... if you make it awkward then people will just go back to using (and losing) them instead.
      localzuk -
      Regarding Patriot Act vs EU Data Protection - look at it from the point of view of a US company. On one hand they have the UK/EU saying 'you've agreed to follow EU data protection rules' and on the other you have the US government saying 'hand over the data else your CEO and board of directors will end up in Guantanamo Bay'. I know the example is ridiculous but it highlights my point here - for a US company, the Patriot Act will always trump third party country rules. I have reservations about these services, but have just adopted an already in place Google Apps installation at my new school. When I get a moment, I will highlight my concerns. However, as an institution it is also a risk management exercise. What is the likelihood that the data held on the US servers will ever be requested under the Patriot Act? I'd estimate 'so low, you're more likely to get hit by lightning 1000 times in a row'...
      localzuk -
      Also, take a look at this vote https://www.dropbox.com/votebox/4986...ur-for-dropbox and see if it will help.
      vikpaw -
      Yeah? They said the Banks were 'Too big to fail' but the 0.5% Gross Interest rate on my account says otherwise. I don't like those stats!