• Is DropBox ok to use?

    Because I have a background of being involved in discussions around data protection I sometimes get a prod about online storage and web 2.0 tools. Over the last 6 months I have had quite a few over online storage options, but I have never really stuck down on (electronic) paper what my concerns are and why I have them. There are a few concerns I have, some centre around ownership of files and data, some around data protection and some around management of the tools.

    Online storage often comes under attack over IPR of images, concerns about control, heated rants about how company x is making use of *our* files / photos to generate revenue on a free service, etc … and we only have ourselves to blame for not reading the T&Cs fully, for not keeping abreast of changes to the T&Cs (though some companies make life extremely difficult to find the changes or contribute to those changes) and for not accepting that if we take part in a free service then there are likely to be limitations and issues. We take on that risk ourselves and we need to accept some responsibility for that. Whether we are talking about LinkedIn using profile photos of members in their marketing by default, changes to FaceBook privacy options, changes in security / ownership when companies merge products… there have been so many times when the masses rise up indignantly to protest and then rush around making changes and, in the worse cases, swap services … and yes, I have been there, expressing my frustration too.

    This is increasingly important if we are asking children to make use of these tools as we are being trusted in our judgement and selection of these tools … after all not all children, across the broad age range we have using these tools, are emotionally, intellectually or perhaps even legally in a position to make some of these choices on their own … but that is a discussion for another time probably.

    But discussions today centred around online storage, and in particular the growing use of DropBox to remove the need for USB memory devices. For those who have not come across DropBox.com, it is a an online storage system which will synchronise selected folders from one or multiple devices to an online repository. Folders or sub-folders can be shared for automated synching with other users, making it a fantastic tool for collaborative sharing of files and materials. There are a number of other tools like this ranging from Microsoft’s SkyDrive, shared document libraries in Sharepoint, Moxy, Box.net, ADrive and many more. DropBox and SkyDrive are both free so that is why you will see them in heavy use … especially in education. Free comes with limits though and sometimes that can be the amount of space, sometimes the SLA doesn’t really exist and sometimes there is a lack of control over certain aspects of functionality or how it changes.

    When it comes to DropBox though, my main concern is that users are significantly at risk of breaching the Data Protection Act and they don’t even know it. This is especially important right now as it is being recommended to NQTs who might not know any better … let’s face it, there is not that much about Copyright law, Data Protection and IPR within teacher training and, from what I have seen and been told, there is a presumption that this is covered within schools by school policies … and we all know how wonderful many schools are for having decent Data Protection policies and explaining them to *all* staff.

    I know that my blog is read by a wide range of people so I just need to go back a little to cover an aspect or two of the Data Protection Act. The DPA has 8 principles, which are pretty self explanatory and the 2 most important principles to look at for this conversation are 7 & 8.

    If we start with DPA Principle 8 first … this about where data can be stored, moved through, processed, accessed, etc. And this is the first place we fall down with DrpoBox. There is an ongoing query that has never been fully answered about whether DropBox.com is compliant with this.

    Originally Posted by :
    Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
    Now, what this means is that if you use your online storage and sharing to move about or access anything that can be deemed ‘personal data’ (which for teachers can range from pictures of children, their personal details, information about their progress, medical information and so on) then you have to do it within the European Economic Area or other countries where we have set agreements. With the US this is called the U.S. – EU Safe Harbor and there is a list of companies who have been certified with this and across what aspects. It is important to remember that being certified is only part of this … the specifics of what has been agreed is equally as important and that will differ from company to company. I have previously commented about iCloud and Apple before to reflect this.

    When you look at the list you will spot that DropBox.com is not there. When you dig through the T&Cs for DropBox you will find that they use Amazon for their storage facilities … which is good … Amazon *are* on the Safe Harbor list so that seems to tick the boxes … apart from they don’t say that they will only ever use Amazon and they don’t say how they use them, and what agreements they have in place. Ah … so we are back to square one then.

    I have asked the question twice now of DropBox.com and not even had tickets opened. There is a discussion at the moment about this on the forums and still no definitive answer.

    To deal with this I know some users of DropBox will make use of other security solutions to bolster how they deal with DropBox. This involves using an encryption tool to create a secure folder / file which is then synchronised via the only service. A common tool for this is TrueCrypt and that works fine at a technical level … meeting the criteria of DPA Principle 7, where you are taking suitable technical measures to ensure the security of data … but the principles are not pic and mix … you have to meet them all. Right now I use an encrypted folder on Dropbox for my non-sensitive files (so only I and others I trust can access them) and do not use it at all for sensitive items.

    For sharing pictures for stimulus with others (teachers / children), for sharing videos, etc, especially cross-platform and when using apps on mobile devices, then I can see that it will be fine for use in UK schools … but for staff to share in general … no … not yet.

    SkyDrive does meet the criteria as the data centre used is in Ireland, but I know that there are some who have issues about a tie in or lock in with Microsoft and what happens to Live@Edu and Office365. It is still worth thinking carefully about what you are sharing with others and how.

    .
    Comments 94 Comments
    1. GrumbleDook's Avatar
      GrumbleDook -
      @localzuk
      I know the risk is likely to be low, but it has to at least be registered as a risk ... something that I can see falling through the gaps in a number of institutes.

      Also, having spoken with the ICO Helpline and getting advice from the Policy Unit (nothing definitive) it is likely that a company would not release under The Patriot Act, but under Section 35 of the DPA (as part of legal proceedings) ... the same clause that can be invoked when UK authorities required data held overseas.

      I am still investigating as having spoken to 2 companies who deal with similar services but for other sections of the public sector, they have said that DPA is only one aspect of protecting data. I might see if I can prod @Drummer_Boy for a chat about it.
    1. localzuk's Avatar
      localzuk -
      Quote Originally Posted by GrumbleDook View Post
      @localzuk
      I know the risk is likely to be low, but it has to at least be registered as a risk ... something that I can see falling through the gaps in a number of institutes.

      Also, having spoken with the ICO Helpline and getting advice from the Policy Unit (nothing definitive) it is likely that a company would not release under The Patriot Act, but under Section 35 of the DPA (as part of legal proceedings) ... the same clause that can be invoked when UK authorities required data held overseas.

      I am still investigating as having spoken to 2 companies who deal with similar services but for other sections of the public sector, they have said that DPA is only one aspect of protecting data. I might see if I can prod @Drummer_Boy for a chat about it.
      Indeed. There are many other possible issues with external hosting that aren't specific to foreign data centres as well too - such as collateral damage from law enforcement raids. I know of at least 2 raids on data centres which had hundreds of servers confiscated as part of investigations by the FBI and police in 2 different countries - one of which is in the EU.

      Sure, they were targeting a specific user of those servers, but the knock on effect was hundreds of businesses were effected. In the USA, a raid caused multiple businesses to go out of business.

      Hence my trepidation at cloud services for file storage. Its also why I use a sync service for my work email, and will be getting everyone else to implement it at some point to ensure data continuity.

      Risk management, as you say, isn't about ignoring unlikely issues, its about adding them to your risk assessment and planning accordingly - even if the plan is 'do nothing, as the cost of alternative provision is unaffordable'.
    1. smithson83's Avatar
      smithson83 -
      I've seen this argument thrown back and forth with regards to DropBox, this is a simple answer. SugarSync IMO is just as good, and DOES comply with the Safeharbour Frameworkhttps://www.sugarsync.com/privacy.htmlIt allows you so specify which folders to sync (not just the one "DropBox" folder) and also allows you to sync specific with specific multiple computers. I think you may also get more storage as standard.
    1. localzuk's Avatar
      localzuk -
      Quote Originally Posted by smithson83 View Post
      I've seen this argument thrown back and forth with regards to DropBox, this is a simple answer. SugarSync IMO is just as good, and DOES comply with the Safeharbour Frameworkhttps://www.sugarsync.com/privacy.htmlIt allows you so specify which folders to sync (not just the one "DropBox" folder) and also allows you to sync specific with specific multiple computers. I think you may also get more storage as standard.
      Kinda expensive... $299 a year for 3 users.
    1. zag's Avatar
      zag -
      I really dont care for these privacy issues. You could debate them until the sky falls in and be no closer to getting a definitive answer.

      What I do care about is the technology Now is there any way to map skydrive/dropbox to a drive letter? Or maybe have a shortcut in their current my documents automatically? We already have skydrive icon on student desktops but it tends to take ages to log in and upload something.

      Would be awesome to allow students to keep their work on their skydrive accounts, since they all have live@edu already.
    1. Butters's Avatar
      Butters -
      Really great timing with this as we are re-doing our Web Sense policies and have internal flack from IT tutors regarding Dropbox and the like. Think we will need to dig deeper into the SafeHarbour stuff and see where we really stand.
    1. smithson83's Avatar
      smithson83 -
      Quote Originally Posted by zag View Post
      I really dont care for these privacy issues. You could debate them until the sky falls in and be no closer to getting a definitive answer.
      If you work in education then you should care, or you will when you get sued up the yazoo for breaching the DPA where kids are involved
    1. CyberNerd's Avatar
      CyberNerd -
      Quote Originally Posted by zag View Post
      Now is there any way to map skydrive/dropbox to a drive letter? Or maybe have a shortcut in their current my documents automatically? We already have skydrive icon on student desktops but it tends to take ages to log in and upload something.
      Gladinet maps
      ""Mezeo Amazon S3 FTP WebDav AT&T Synaptic Storage Internap XIPCloud Storage Google Docs Google Storage EMC Atmos Online Box.net KT ucloud storage Open Stack Nirvanix Peer1 CloudOne Rackspace CloudFiles Windows Azure Windows Live SkyDrive CIFS/SMB Caringo CAStor"""
      to Drive letters

      GLADINET - Cloud Storage Access Platform & Solutions
    1. mavhc's Avatar
      mavhc -
      Quote Originally Posted by smithson83 View Post
      If you work in education then you should care, or you will when you get sued up the yazoo for breaching the DPA where kids are involved
      Has that ever happened?
    1. GrumbleDook's Avatar
      GrumbleDook -
      Quote Originally Posted by mavhc View Post
      Has that ever happened?
      There are a growing number of examples of schools being tackled for breaches of the DPA. At the moment this has resulted in them signing Undertakings so no fines (consider it a suspended fine ... not quite right but it should give an idea about what would happen next if anything goes wrong) but we don't know yet if this will have any impact on the next time OFSTED come to visit either ... and, unfortunately, that is likely to have more of an impact than the threat of a fine with some senior leaders.
    1. simpsonj's Avatar
      simpsonj -
      Anyone point me towards an idiots guide to DPA for overworked School technicians?
    1. SimpleSi's Avatar
      SimpleSi -
      Just to address the balance occasionaly, can I emphasise Tony's comment about risk.

      Si
    1. localzuk's Avatar
      localzuk -
      Quote Originally Posted by mavhc View Post
      Has that ever happened?
      Also, kind of an irrelevant point - it doesn't matter if it has or hasn't happened. A geneticist has never created a hybrid human/lizard but the law is there to stop them before they do it. Whether or not a school has been prosecuted or sued for breaking a law is against the point.

      Not to mention, as a school it is kind of the institution's job to teach moral strength. Breaking random laws because they aren't always efficiently enforced kind of teaches the wrong thing to our kids 'its ok to break the law if you can get away with it'. Not a lesson I'm a big fan of.
    1. zag's Avatar
      zag -
      Quote Originally Posted by mavhc View Post
      Has that ever happened?
      Nope!

      Even the most serious breaches ended up with just a little paperwork.

      Pointless discussion in my opinion.
    1. GrumbleDook's Avatar
      GrumbleDook -
      Quote Originally Posted by zag View Post
      Nope!

      Even the most serious breaches ended up with just a little paperwork.

      Pointless discussion in my opinion.
      A little paperwork?
      Taking Action - Undertakings, Enforcement and Monetary Penalties - ICO
      How about you consider an undertaking as the equivalent of a caution?

      But I have sent a formal request to OFSTED to get their take on whether it would have any impact on an inspection as well. I do know, from talking with a few companies, that they would hesitate to deal with schools who have signed an undertaking in case there is another issue and it drags them down too.
    1. CyberNerd's Avatar
      CyberNerd -
      I don't think many/any ofsted inspectors have much of a clue about IT infrastructure, policies, procedures and how it impacts T+L at least thats why we as network managers never seem to meet Ofsted. Ofsted are teachers after all, and if SLT don't understand DPA you wouldn't expect Ofsted to.
    1. localzuk's Avatar
      localzuk -
      Quote Originally Posted by CyberNerd View Post
      I don't think many/any ofsted inspectors have much of a clue about IT infrastructure, policies, procedures and how it impacts T+L at least thats why we as network managers never seem to meet Ofsted. Ofsted are teachers after all, and if SLT don't understand DPA you wouldn't expect Ofsted to.
      It isn't just a DPA issue, its also a Child Protection issue, and that is something that as far as I'm aware, all Ofsted inspectors are supposed to look out for.
    1. CyberNerd's Avatar
      CyberNerd -
      Quote Originally Posted by localzuk View Post
      It isn't just a DPA issue, its also a Child Protection issue, and that is something that as far as I'm aware, all Ofsted inspectors are supposed to look out for.
      bet they don't though. We've consistently received 'outstanding' management, without a clear DPA policy in sight.
    1. zag's Avatar
      zag -
      Yeh same, we got outstanding last year and Ofsted didn't even talk to me.

      Its a non issue in my book.

      Both dropbox and Skydrive are perfectly safe to use in schools as far as I'm concerned.
    1. CyberNerd's Avatar
      CyberNerd -
      It really is something that Ofsted should do though; In the past we got a lot of information from Becta. We still get information, and the occasional audit from the LA. I bet new academies and Free schools don't get any of this at all. Ofsted should up their game.