• Is DropBox ok to use?

    Because I have a background of being involved in discussions around data protection I sometimes get a prod about online storage and web 2.0 tools. Over the last 6 months I have had quite a few about online storage options, but I have never really set down on (electronic) paper what my concerns are and why I have them. There are a few concerns I have: some centre around ownership of files and data, some around data protection and some around management of the tools.

    Online storage often comes under attack over IPR of images, concerns about control, heated rants about how company x is making use of *our* files / photos to generate revenue on a free service, etc … and we only have ourselves to blame for not reading the T&Cs fully, for not keeping abreast of changes to the T&Cs (though some companies make life extremely difficult to find the changes or contribute to those changes) and for not accepting that if we take part in a free service then there are likely to be limitations and issues. We take on that risk ourselves and we need to accept some responsibility for that. Whether we are talking about LinkedIn using profile photos of members in their marketing by default, changes to Facebook privacy options, changes in security / ownership when companies merge products … there have been so many times when the masses rise up indignantly to protest and then rush around making changes and, in the worst cases, swap services … and yes, I have been there, expressing my frustration too.

    This is increasingly important if we are asking children to make use of these tools as we are being trusted in our judgement and selection of these tools … after all not all children, across the broad age range we have using these tools, are emotionally, intellectually or perhaps even legally in a position to make some of these choices on their own … but that is a discussion for another time probably.

    But discussions today centred around online storage, and in particular the growing use of DropBox to remove the need for USB memory devices. For those who have not come across DropBox.com, it is an online storage system which will synchronise selected folders from one or multiple devices to an online repository. Folders or sub-folders can be shared for automated syncing with other users, making it a fantastic tool for collaborative sharing of files and materials. There are a number of other tools like this, ranging from Microsoft’s SkyDrive, shared document libraries in SharePoint, Moxy, Box.net, ADrive and many more. DropBox and SkyDrive are both free, so that is why you will see them in heavy use … especially in education. Free comes with limits though: sometimes that is the amount of space, sometimes the SLA doesn’t really exist and sometimes there is a lack of control over certain aspects of functionality or how it changes.

    When it comes to DropBox though, my main concern is that users are significantly at risk of breaching the Data Protection Act and they don’t even know it. This is especially important right now as it is being recommended to NQTs who might not know any better … let’s face it, there is not that much about Copyright law, Data Protection and IPR within teacher training and, from what I have seen and been told, there is a presumption that this is covered within schools by school policies … and we all know how wonderful many schools are for having decent Data Protection policies and explaining them to *all* staff.

    I know that my blog is read by a wide range of people so I just need to go back a little to cover an aspect or two of the Data Protection Act. The DPA has 8 principles, which are pretty self-explanatory, and the 2 most important principles to look at for this conversation are 7 & 8.

    If we start with DPA Principle 8 first … this is about where data can be stored, moved through, processed, accessed, etc. And this is the first place we fall down with DropBox. There is an ongoing query that has never been fully answered about whether DropBox.com is compliant with this.

    Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
    Now, what this means is that if you use your online storage and sharing to move about or access anything that can be deemed ‘personal data’ (which for teachers can range from pictures of children, their personal details, information about their progress, medical information and so on) then you have to do it within the European Economic Area or other countries where we have set agreements. With the US this is called the U.S. – EU Safe Harbor and there is a list of companies who have been certified with this and across what aspects. It is important to remember that being certified is only part of this … the specifics of what has been agreed are equally important and that will differ from company to company. I have previously commented about iCloud and Apple to reflect this.

    When you look at the list you will spot that DropBox.com is not there. When you dig through the T&Cs for DropBox you will find that they use Amazon for their storage facilities … which is good … Amazon *are* on the Safe Harbor list so that seems to tick the boxes … apart from they don’t say that they will only ever use Amazon and they don’t say how they use them, and what agreements they have in place. Ah … so we are back to square one then.

    I have asked the question twice now of DropBox.com and not even had tickets opened. There is a discussion at the moment about this on the forums and still no definitive answer.

    To deal with this I know some users of DropBox will make use of other security solutions to bolster how they deal with DropBox. This involves using an encryption tool to create a secure folder / file which is then synchronised via the online service. A common tool for this is TrueCrypt and that works fine at a technical level … meeting the criteria of DPA Principle 7, where you are taking suitable technical measures to ensure the security of data … but the principles are not pick and mix … you have to meet them all. Right now I use an encrypted folder on Dropbox for my non-sensitive files (so only I and others I trust can access them) and do not use it at all for sensitive items.

    For sharing pictures for stimulus with others (teachers / children), for sharing videos, etc, especially cross-platform and when using apps on mobile devices, then I can see that it will be fine for use in UK schools … but for staff to share in general … no … not yet.

    SkyDrive does meet the criteria as the data centre used is in Ireland, but I know that there are some who have issues about a tie in or lock in with Microsoft and what happens to Live@Edu and Office365. It is still worth thinking carefully about what you are sharing with others and how.

    94 Comments
      GrumbleDook -
      Quote Originally Posted by zag
      Yeh same, we got outstanding last year and Ofsted didn't even talk to me.

      It's a non-issue in my book.

      Both dropbox and Skydrive are perfectly safe to use in schools as far as I'm concerned.
      You think running a system where you know it is quite easy for staff to breach DPA is perfectly safe (i.e. dropbox) and you think it is a non-issue? In which case why don't you just stick up your home address, bank details, any interesting medical facts about yourself if you care so little for the DPA? Or is it that you just don't care because you don't think anything bad will happen to you personally if the people you work with get collared for it?

      Do you not care about safeguarding?
      Do you not care about protecting children?
      Do you not care about protecting your colleagues?

      If not ... then fine, we can happily ignore your contribution to the discussion.

      If trolling ... then Meh! Considering the amount of hard work some people are doing to try and get this sorted in schools it is poor taste.
      zag -
      What I don't understand is why Dropbox or Skydrive are any less safe than our VLE, My document shares, USB sticks, hard disks in a server room etc.

      I have all kinds of confidential stuff on my personal drop box. But it's protected with a username and password just like our other IT systems.

      Just to explain where I'm coming from, we use Skydrive every day in a large secondary school. In the future I hope to move all our storage into the cloud just like I have our email systems, which has already been a great success.
      SYNACK -
      Quote Originally Posted by zag
      What I don't understand is why Dropbox or Skydrive are any less safe than our VLE, My document shares, USB sticks, hard disks in a server room etc.
      You have the admin password or at least know the people who do; with the cloud services you don't have that luxury, so unless you are encrypting all of your stuff again before uploading it you have less knowledge about the conditions of its storage.

      Personally it's up to you what you want to do with your own data, but when that data is the school's it is up to the school to take that into consideration.

      You also have local speed access to it on a locally hosted VLE when at school, with a cloud service you are limited to internet speed all the time.
      localzuk -
      Quote Originally Posted by zag
      What I don't understand is why Dropbox or Skydrive are any less safe than our VLE, My document shares, USB sticks, hard disks in a server room etc.

      I have all kinds of confidential stuff on my personal drop box. But it's protected with a username and password just like our other IT systems.

      Just to explain where I'm coming from, we use Skydrive every day in a large secondary school. In the future I hope to move all our storage into the cloud just like I have our email systems, which has already been a great success.
      It comes down to this - UK and EU laws are directly controlled by our own government and representatives. Countries outside the EU are not. They can do whatever they want with their own laws, and therefore do whatever they want with your data.

      If you don't have the protections of the EU data protection laws when you host your data in the USA, what is to stop them from exploiting a weak state's data protection law there and selling your data? Or making it public? You'd have no recourse in the UK/EU, and you'd have no recourse in the USA as they would be abiding by the state law...

      We are legally required to ensure the integrity and security of our data, it isn't that difficult. Skydrive is covered by SafeHarbour as Microsoft are a certified provider. Not only that, but the data is stored on servers within the EU. So whichever way they handle it, it is covered by the law.

      Dropbox isn't.
      zag -
      That's actually the first good explanation I've seen about this.

      I still think the likelihood of dropbox selling my users' data is remote though. Especially as it's stored most probably in the USA, who you would imagine have similar laws and moral values.
      localzuk -
      Quote Originally Posted by zag
      That's actually the first good explanation I've seen about this.

      I still think the likelihood of dropbox selling my users' data is remote though. Especially as it's stored most probably in the USA, who you would imagine have similar laws and moral values.
      It isn't just about selling etc... though. It's also about protections from, say, hackers etc... The company say they're using encryption but they could simply be lying. If someone managed to circumvent their security and get in and steal your data, in the UK they would be subject to various DPA related crimes. In the USA? Likely not...
      GrumbleDook -
      Quote Originally Posted by zag
      What I don't understand is why Dropbox or Skydrive are any less safe than our VLE, My document shares, USB sticks, hard disks in a server room etc.

      I have all kinds of confidential stuff on my personal drop box. But it's protected with a username and password just like our other IT systems.

      Just to explain where I'm coming from, we use Skydrive every day in a large secondary school. In the future I hope to move all our storage into the cloud just like I have our email systems, which has already been a great success.
      This could almost be a separate article all on its own.

      A quick summary then ... and this is almost a stand-alone post so trying not to refer back to lots of previous posts.

      1) There is a law in the UK (and equivalent laws within the EU which are compatible with it) called the Data Protection Act. This is a very clear law as to what people can and can't do with data and information belonging to others, and how you let others know you are going to use / handle their data, supported by 8 clear principles.

      What this means : The 8 principles are pretty simple to follow and the key areas of concern with cloud based systems is where the data is stored, how it gets there and how access to it is controlled. This is not about risk management where you can be willing to accept the risk, as the law says you *must* comply with all aspects of it.

      2) When you provide access to, manage or create a tool which may hold such data you have to apply all aspects of the law. This includes remote access to MIS, WebDAV based storage, cloud-based file sync solutions, IdPs, etc. If you have a contract with a system provider (e.g. VLE provider) they have a responsibility to also be within the law, but you ... as the purchaser of the system ... are also responsible for ensuring they are doing so.

      What this means : If you provide a VLE then you are solely responsible for making sure you follow the law. If you buy a product in then you have to be happy that you know the vendor will also follow the law. If there is a breach then you are both at fault. If you don't know what they are doing and it is pointed out that there is the possibility of a problem (even if there hasn't been yet) then you are also at fault. An example would be that CEOP have had to sign an undertaking because their online forms did not transit over https ... they should have checked the creators of the tools did the job properly. You cannot pass the buck by claiming you didn't know any better.

      3) Some systems are aimed at particular groups of people and will have contracts / T&Cs to reflect this. Although the T&Cs will have to operate within the laws of the land, you may be asking them to do more than can be expected to fit in with laws you also have to adhere to.

      What this means : If you sign up for Dropbox it is expected that you know what you are doing, that you know that if you are using it for 'business' use that you are happy it fits within the laws you have to follow and that they are not held responsible for when things go wrong (and so begins a long discussion about whether companies can get away with this!) ... because you should have known better. It also expects that you are signing up for it as an individual and that you are not using it to provide a heap of other stuff to others ... If you want that then you go into a different contract and that is why they have Teams. In short ... as tempting as it is just to click 'I Accept' you really do need to read the T&Cs.

      I know there are some generalisations in the above points but it should give enough of a background.

      Discussion about whether the law is appropriate, will be enforced to the full extent, whether the guidance available (including previous stuff from Becta) covers everything it should do ... these are almost moot points. The law says "do X ... don't do Y!"
      zag -
      OK, all makes sense

      Simple question then.....

      Assuming a Cloud Service doesn't lose/sell/hack our data: Do I have to worry about anything?
      localzuk -
      Quote Originally Posted by zag
      OK, all makes sense

      Simple question then.....

      Assuming a Cloud Service doesn't lose/sell/hack our data: Do I have to worry about anything?
      Scatter gun police raids on data centers taking all the servers and with it your data?
      SimpleSi -
      Quote Originally Posted by zag
      Assuming a Cloud Service doesn't lose/sell/hack our data: Do I have to worry about anything?
      Well - they are not going to sell it and I'd be amazed if the year 7 cat scores ended up in the Guardian

      Si
      CyberNerd -
      Quote Originally Posted by GrumbleDook
      1) There is a law in the UK (and equivalent laws within the EU which are compatible with it) called the Data Protection Act. This is a very clear law as to what people can and can't do with data and information belonging to others, and how you let others know you are going to use / handle their data, supported by 8 clear principles.

      What this means : The 8 principles are pretty simple to follow and the key areas of concern with cloud based systems is where the data is stored, how it gets there and how access to it is controlled. This is not about risk management where you can be willing to accept the risk, as the law says you *must* comply with all aspects of it.
      This seems contrary to the ICO link you posted earlier in the thread, which actually says that you can store data in 'non-approved' countries by doing a risk assessment, i.e. it is about risk management. Clearly it is easier to 'prove' to a court that you are satisfied if X were Safe Harbour, but the DPA doesn't prohibit use of non-EU non-Safe Harbour sites. It does seem to be directed more towards the country they are stored in, rather than the company, though.

      Obviously you couldn't assess that dropbox's servers have an adequate level of protection if you don't know what country they are stored in.

      the ICO page says this:

      How do I assess adequacy?

      You will need to be satisfied that in the particular circumstances there is an adequate level of protection. For UK personal data the Act sets out the factors you should take into account to make this decision. These relate to:

      the nature of the personal data being transferred;
      how the data will be used and for how long; and
      the laws and practices of the country you are transferring it to.
      This means doing a risk assessment. You must decide whether there is enough protection for individuals, in all the circumstances of the transfer. This is known as an assessment of adequacy. To assess adequacy you should look at:

      the extent to which the country has adopted data protection standards in its law;
      whether there is a way to make sure the standards are achieved in practice; and
      whether there is an effective procedure for individuals to enforce their rights or get compensation if things go wrong.
      GrumbleDook -
      I had hoped that not referring back to previous posts would have worked ... I didn't quite put enough information in it. I should have repeated that this is in reference to Dropbox and Safe Harbor.

      The countries which have been assessed and show an adequate level of protection are covered within the same page. The US is not in the list but:
      Although the United States of America (US) is not included in the European Commission list, the Commission considers that personal data sent to the US under the “Safe Harbor” scheme is adequately protected. When a US company signs up to the Safe Harbor arrangement, they agree to:

      follow seven principles of information handling; and
      be held responsible for keeping to those principles by the Federal Trade Commission or other oversight schemes.

      Certain types of companies cannot sign up to Safe Harbor. View a list of the companies signed up to the Safe Harbor arrangement on the US Department of Commerce website.
      The example you have given (assessment of adequacy) is an assessment of whether they comply with the law. This differs from a Risk Assessment, where there is a risk that they might not comply with the law yet you are happy to accept this. Apologies if I didn't explain that bit fully. In the US a company is deemed adequate if they have signed up and been certified under Safe Harbor (remembering to check what they have agreed to within that agreement ... as they may not be covered for everything you want); although it is a voluntary scheme and some sections are restricted from being part of this (and covered under other acts and regulations to do with finance and telecommunications), a company who has not signed up to it (never mind the woolliness of the T&Cs) gives no guarantee of adequacy.

      Paraphrasing from a conversation with a DP expert who worked on the Becta advice ...
      If you go down the route of trusting to a contract which has the terms to dictate adequacy then you take the responsibility on yourself as you can only deal with them for breach of contract and not breach of law. At that point the school itself cannot guarantee the law is being complied with. The school has a responsibility to ensure all who process the data comply with the law ... (I forget the exact section of the act but part of principles 7 & 8) and if this cannot be guaranteed then the school is in breach. The example given to me (and pretty relevant) is if you have an insecure online form you don't have to lose data to be in breach ... the fact that it is possible means you have not done your job right. This is pretty relevant right now since this is what CEOP got collared for recently and had to sign an undertaking.

      I have probably mangled the explanation a bit now ... (might have to clean it up tomorrow when awake) but I'm just trying to point out the difference between accepting risk and assessing adequacy. Drawing the line of how you then firm up that is looking like a grey area, but all the advice I have had so far (Becta, ICO, Cabinet Office) has been that for US they have to have signed Safe Harbor for the relevant data uses you want. Since Dropbox can't even guarantee using US data centres, have a history of security problems, then I don't think it would be beyond the realms of acceptance to say it is doubtful whether we could say they are taking the right measures to allow users / schools to regard them as adequate. Especially since they will not respond to questions on their forums about it and have yet to respond to 5 requests that I am aware of asking them this question (3 from me and 2 from teachers looking at the same issue). We can only work with hard facts at this point ...

      Sleep calls ... out tomorrow so I'll look at any response tomorrow night.
      CyberNerd -
      That does make sense to me, although it does seem like a minefield, even without taking into account what actually constitutes private data!
      I've already given SLT advice against using dropbox, although we use a google apps domain. I believe that I've made the correct decisions so far with regards to google and dropbox. And MS's track record for complying with the law (assessment of adequacy) kind of put them out of the frame anyway, regardless of where their data sits.
      znova -
      Just to add my twopenneth - did a fair amount of research on DPA & US Safe Harbor, and I have a BIG issue with Safe Harbor - unlike the DPA, it is NOT legally enforceable. So if anyone wanted to be picky, your data stored in a data centre in the US is pretty vulnerable. Grumbledook is correct in saying that you do not need to store data in the EU PROVIDED you can ensure it will receive the same level of protection. But if Safe Harbor isn't legally enforceable and the trigger-happy US government can raid data centres at any time, the US for me isn't really an option. The other point which came up during discussions on this issue in my uni course: what happens to the data which crosses country boundaries? That data will have to be encrypted to the level of the lowest common denominator between the countries it crosses during the transfer. If I remember correctly, one of our lecturers (from the States) was travelling to the States with an encrypted memory stick but the encryption was higher than the US government permits and he could have been tried under some obscure weapons law (can't remember which one though). To be honest, it is a maze. I was thinking about all the cloud-centred software schools use (mymaths springs to mind) and we really don't have a clue where these companies really store the data...
      SimpleSi -
      Quote Originally Posted by znova
      I was thinking about all the cloud-centred software schools use (mymaths springs to mind) and we really don't have a clue where these companies really store the data...
      so let's stop bothering worrying about it then
      Si
      PiqueABoo -
      Re. "trumping" I posted an angle on that last Dec. Re: SkyDrive I thought MS explicitly said data stored there could end up anywhere in the world (unlike Live@edu which is, and Office365 sharepoint which is supposed to be, EU)? Have they changed that?
      SlimBUK -
      I use sugarsync, but not for any sensitive information. (sorry if it's already been mentioned, I've not read the whole thread)
      zag -
      Well I'm going to continue to use dropbox as my main storage area.

      Will take my chances I think! It's just too convenient.
      localzuk -
      Quote Originally Posted by zag
      Well I'm going to continue to use dropbox as my main storage area.

      Will take my chances I think! It's just too convenient.
      I'll continue storing all my money in a big box outside my door. It's just too convenient...
      SimpleSi -
      Quote Originally Posted by localzuk
      I'll continue storing all my money in a big box outside my door.
      ..and the url for that is?
      Si