• Is DropBox ok to use?

    Because I have a background of being involved in discussions around data protection I sometimes get a prod about online storage and web 2.0 tools. Over the last 6 months I have had quite a few over online storage options, but I have never really stuck down on (electronic) paper what my concerns are and why I have them. There are a few concerns I have, some centre around ownership of files and data, some around data protection and some around management of the tools.

    Online storage often comes under attack over IPR of images, concerns about control, heated rants about how company x is making use of *our* files / photos to generate revenue on a free service, etc … and we only have ourselves to blame for not reading the T&Cs fully, for not keeping abreast of changes to the T&Cs (though some companies make life extremely difficult to find the changes or contribute to those changes) and for not accepting that if we take part in a free service then there are likely to be limitations and issues. We take on that risk ourselves and we need to accept some responsibility for that. Whether we are talking about LinkedIn using profile photos of members in their marketing by default, changes to Facebook privacy options, changes in security / ownership when companies merge products… there have been so many times when the masses rise up indignantly to protest and then rush around making changes and, in the worst cases, swap services … and yes, I have been there, expressing my frustration too.

    This is increasingly important if we are asking children to make use of these tools as we are being trusted in our judgement and selection of these tools … after all not all children, across the broad age range we have using these tools, are emotionally, intellectually or perhaps even legally in a position to make some of these choices on their own … but that is a discussion for another time probably.

    But discussions today centred around online storage, and in particular the growing use of DropBox to remove the need for USB memory devices. For those who have not come across DropBox.com, it is an online storage system which will synchronise selected folders from one or multiple devices to an online repository. Folders or sub-folders can be shared for automated synching with other users, making it a fantastic tool for collaborative sharing of files and materials. There are a number of other tools like this ranging from Microsoft’s SkyDrive, shared document libraries in Sharepoint, Moxy, Box.net, ADrive and many more. DropBox and SkyDrive are both free so that is why you will see them in heavy use … especially in education. Free comes with limits though and sometimes that can be the amount of space, sometimes the SLA doesn’t really exist and sometimes there is a lack of control over certain aspects of functionality or how it changes.

    When it comes to DropBox though, my main concern is that users are significantly at risk of breaching the Data Protection Act and they don’t even know it. This is especially important right now as it is being recommended to NQTs who might not know any better … let’s face it, there is not that much about Copyright law, Data Protection and IPR within teacher training and, from what I have seen and been told, there is a presumption that this is covered within schools by school policies … and we all know how wonderful many schools are for having decent Data Protection policies and explaining them to *all* staff.

    I know that my blog is read by a wide range of people so I just need to go back a little to cover an aspect or two of the Data Protection Act. The DPA has 8 principles, which are pretty self-explanatory, and the 2 most important principles to look at for this conversation are 7 & 8.

    If we start with DPA Principle 8 first … this is about where data can be stored, moved through, processed, accessed, etc. And this is the first place we fall down with DropBox. There is an ongoing query that has never been fully answered about whether DropBox.com is compliant with this.

    "Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data."

    Now, what this means is that if you use your online storage and sharing to move about or access anything that can be deemed ‘personal data’ (which for teachers can range from pictures of children, their personal details, information about their progress, medical information and so on) then you have to do it within the European Economic Area or other countries where we have set agreements. With the US this is called the U.S. – EU Safe Harbor and there is a list of companies who have been certified with this and across what aspects. It is important to remember that being certified is only part of this … the specifics of what has been agreed are equally as important and that will differ from company to company. I have previously commented about iCloud and Apple to reflect this.

    When you look at the list you will spot that DropBox.com is not there. When you dig through the T&Cs for DropBox you will find that they use Amazon for their storage facilities … which is good … Amazon *are* on the Safe Harbor list so that seems to tick the boxes … apart from they don’t say that they will only ever use Amazon and they don’t say how they use them, and what agreements they have in place. Ah … so we are back to square one then.

    I have asked the question twice now of DropBox.com and not even had tickets opened. There is a discussion at the moment about this on the forums and still no definitive answer.

    To deal with this I know some users of DropBox will make use of other security solutions to bolster how they deal with DropBox. This involves using an encryption tool to create a secure folder / file which is then synchronised via the online service. A common tool for this is TrueCrypt and that works fine at a technical level … meeting the criteria of DPA Principle 7, where you are taking suitable technical measures to ensure the security of data … but the principles are not pick and mix … you have to meet them all. Right now I use an encrypted folder on Dropbox for my non-sensitive files (so only I and others I trust can access them) and do not use it at all for sensitive items.

    For sharing pictures for stimulus with others (teachers / children), for sharing videos, etc, especially cross-platform and when using apps on mobile devices, then I can see that it will be fine for use in UK schools … but for staff to share in general … no … not yet.

    SkyDrive does meet the criteria as the data centre used is in Ireland, but I know that there are some who have issues about a tie in or lock in with Microsoft and what happens to Live@Edu and Office365. It is still worth thinking carefully about what you are sharing with others and how.

    94 Comments
    1. GrumbleDook -
      After speaking with ICO, OFSTED and legal advice I have the following ... again paraphrased until I have agreement on text to stick up.

      As far as the ICO is concerned there is a risk about Safe Harbour and the Patriot Act, but to some extent this is negated because data can be seized / released anyway under section 35 of the DPA. The key thing is that you need to tie in any contract arranged within the EU with companies that might be affected by The Patriot Act with breach of contract should any data be released. It can then become a civil matter, but backed up by DPA should it not fall within section 35 exemptions. As far as OFSTED are concerned they do not deal directly with looking at DPA policies / procedures within Section 5 or Section 8 inspections, and it does not look as if this would change even should an Undertaking be signed between the school and the ICO. They would, however, be looking at other safeguarding aspects so should it be linked in with that (including loss of data about children in care) or should a concern be raised by the Local Safeguarding Children's Board then it would be looked at.

      I have asked OFSTED to confirm that they would not change any approach to inspection should an Undertaking have been signed, and in a manner I can share with schools.

      So ... it looks as if I will have to change some of my stance on this as it seems as if no matter what some bodies say in meetings or seminars, they are not willing to back it up with real authority. Oh well ... I am sure that this would go down well with the Daily Fail!
    1. CyberNerd -
      It seems that if any company that stores your private data goes bankrupt - they can just sell off your private data. Not specifically a cloud issue, just thinking about some of those flakey cashless catering systems....

      Perhaps to no one's surprise, Borders bookstore collected a ton of consumer information - such as personal data including records of particular book and video sales - during its normal course of business. Such personal information Borders promised never to share without consumer consent. But now that the company is being sold off as part of its bankruptcy filing, all privacy promises are off.

      Reuters wrote this week that Barnes & Noble, which paid almost $14 million for Borders intellectual assets including customer information at auction last week, said it should not have to comply with certain customer privacy standards recommended by a third-party ombudsman. In court papers, Barnes & Noble said that its own privacy standards are sufficient to protect the privacy of customers whose information it won during the auction.
      Layer 8: Privacy stink erupts over Borders bankruptcy deal
    1. GrumbleDook -
      Well, I have a few more answers now and it covers a range of areas.

      1 - After some discussions with a Duty Inspector at OFSTED I had a partial response to the theoretical question about what effect having to sign an Undertaking with the ICO would have on an inspection. Unfortunately I am only allowed to paraphrase the response as no individual answer can be published at the risk of it seeming to be policy advice, which can only be gained from the relevant DfE page on Safeguarding Children and Safer Recruitment (which is a reference to the 2006 paper on this subject https://www.education.gov.uk/publica...FES-04217-2006 ). OFSTED do not, for Section 5 or Section 8 inspections, check compliance with the DPA as this is the job of the ICO. However, they will look at how well the governing body and the school leadership fulfils its responsibilities in relation to statutory requirements and/or statutory codes of practice or guidance, including the relevant Health & Safety legislation. They will also evaluate any non-compliance with relevant legislation, including DPA, on pupils' safety, care and well-being. Putting it bluntly, if this leads to Safeguarding to be found to be inadequate, then the 'overall effectiveness' judgment for the school is also likely to be judged inadequate. So ... an Undertaking is not just a slap on the wrist but can risk OFSTED judging your school inadequate. I will be watching those schools who have recently had to sign Undertakings to see what happens at their next inspections.


      2 - The Patriot Act has been a bit of a concern for a few of us ... after all, there is nothing wrong with a bit of paranoia ... it is what we get paid for ... and just because you aren't paranoid it doesn't mean the world *isn't* out to get you! After a bit more delving with the ICO (again ... that paraphrasing thing) I got the following. The Patriot Act and The DPA do match quite well. We have our own equivalent section, section 35, and co-operation between Law Enforcement Agencies and Governments around the world will mean information is disclosed as required. In fact there was a darned good article which @rayfleming refers to in his blog How safe is my cloud data? And what which links to another good article from Jeff Bullwinkel. Whilst it is related to Australia it does also cover a number of similar concerns from the UK too.


      So ... to summarise. Breaches of DPA are bad, Undertakings are not just a slap on the wrist as they put you at risk of issues during OFSTED inspections, and The Patriot Act is a bit of a Red Herring that should not overshadow the other concerns around Data Protection. Official strategy and guidance is limited, open to interpretation (think 'rope to hang yourself' stuff) and no matter what anyone says you will find people taking on a lot of risk.


      The key messages ... If you want to take a risk then be aware of the possible implications, there is still a matter of the law, but make sure people are as informed as possible because ignorance is no excuse in the eyes of the Law.


      Thanks to everyone who has taken part in this discussion...
    1. smithson83 -
      Originally posted by localzuk:
      "Kinda expensive... $299 a year for 3 users."

      There is a free option, you just have to look for it, click sign up, go down to the bottom. You get 5GB of storage. It has to be registered to an individual's email account, but as far as I'm aware there's nothing stopping each teacher setting up a Free account for themselves.

      https://www.sugarsync.com/signup?startsub=5
    1. itevo -
      I use it, no issues... works with proxy too!
    1. gshaw -
      Only seen a few pages of this but what data are people looking to store on Dropbox? I'd never put anything with student names, reports, grades etc up there, too risky but resources and learning materials would be OK... although that relies on users understanding the restrictions which I guess could be as dangerous as allowing anything up there?
    1. zag -
      Yeh I can understand not using dropbox for Student details but I use it for everything else.

      I was hoping to do the same for students one day.
    1. gshaw -
      Originally posted by zag:
      "Yeh I can understand not using dropbox for Student details but I use it for everything else.

      "I was hoping to do the same for students one day."

      BYOD will make this interesting... if a student brings their own laptop \ tablet and wants to use a personal Dropbox account then at that point the agreement isn't related to the school... only one step removed from the organisation provisioning the accounts but yet in theory completely different application of DPA (or maybe it's not, hence raising the point)
    1. GrumbleDook -
      The original article was sparked off by a number of folks on twitter and at meetings I had been to talking about how DropBox could replace the USB Memory Stick as a way of storing and transferring files around *including* stuff that would have SIROs fuming!

      Sharing of files as stimulus for curriculum activities is one of several good examples of using dropbox, but staff using it for mark sheets, contact databases, etc ... *shudder*

      On the note of BYOD/BYOT/BYOC (I wish someone would make a definitive choice about which it is) this is linked to a series of conversations about eSafety law in Education that some folk may have seen or been part of. The idea that if you instruct a child to use a tool or resource, even if it isn't the school's, can mean the school takes on the responsibility for what happens with it. This part of the discussion is around eSafety but I suppose it can readily be pointed to similar issues with data protection.
    1. SYNACK -
      Originally posted by GrumbleDook:
      "The idea that if you instruct a child to use a tool or resource, even if it isn't the school's, can mean the school takes on the responsibility for what happens with it."

      Off topic but this whole idea (above) is based on the same flawed premise that demands internet filters be 100% and that everything be fixable with technology. A view usually held and promoted by those least qualified to understand the technology and most averse to people taking responsibility for themselves.
    1. GrumbleDook -
      Originally posted by SYNACK:
      "Off topic but this whole idea (above) is based on the same flawed premise that demands internet filters be 100% and that everything be fixable with technology. A view usually held and promoted by those least qualified to understand the technology and most averse to people taking responsibility for themselves."

      The discussion being held is purely based on the Law involved, and it is quite extensive. It has been an eye-opener for me and whilst I still view some of the position unrealistic the points of law still have to be looked at and followed.
    1. SYNACK -
      Originally posted by GrumbleDook:
      "The discussion being held is purely based on the Law involved, and it is quite extensive. It has been an eye-opener for me and whilst I still view some of the position unrealistic the points of law still have to be looked at and followed."

      Ah, yes, some laws do tend to have that issue, my above point stands just pointed at the lawmakers which seems to be where the blame lies.
    1. GrumbleDook -
      Originally posted by SYNACK:
      "Ah, yes, some laws do tend to have that issue, my above point stands just pointed at the lawmakers which seems to be where the blame lies."

      The focus on the discussions tends to be around identifying what the Law is, how it is checked for ALARP, where the responsibility lies and what the impact is of breaking the Law or following the Law.

      Dr Bandey is looking to do some stuff at BETT around it (supported by our friends at SmoothWall) so that will be interesting for folk to follow.
    1. danielstucke -
      So I guess this helps matters along a lot with Dropbox? The Dropbox Blog » Blog Archive » US-EU Safe Harbor Certification now safe harbor compliant.
    1. steele_uk -
      Does the new Dropbox safe harbour certification now make Dropbox something we can now recommend to staff, or is there still an issue with data leaving the EU?
    1. SimpleSi -
      "or is there still an issue with data leaving the EU"

      I'm sure GD will find one

      [Comment of whole thread]
      (It's non-issues like this that make me despair of modern society!)

      Do a risk assessment - count the possible data breaches - count the possible damage - do the maths
      Simon
      [/]
    1. GrumbleDook -
      Apologies for not putting an update on for this after Daniel's post ... I have been trying to follow it up to try and cover the other queries about The Patriot Act too. I'll stick up a longer article shortly but the summary is as follows.

      Dropbox have now agreed and certified to the US-EU Safe Harbor Agreement, and have put in their entry what they comprehensively cover, process, store, etc ... and this does indeed meet the requirements under the DPA for transfer of data outside of the European Economic Area. The issue that surrounds them being a US company and under The Patriot Act has to be a judgement by the school (as they would for any other service such as Google, Microsoft, Apple, Box, etc) as to whether they believe this is a risk (that a law enforcement agency may seize the data), but understand that we have a similar section in our DPA to cover our companies operating overseas. I have requested an update from the ICO as to whether this needs to be considered a risk and so far, again there is no quotable response, but the points raised previously stand.

      If the issue was the lack of Safe Harbor Agreement then that has now been met, if the issue is with it being outside of the EU then we know that DropBox use Amazon servers in San Francisco and if the issue is one of The Patriot Act then it is a judgement call as to whether you believe that it is or isn't correct that a law enforcement agency from another country can seize data, in the same manner we have equivalent laws to seize data in the UK and this already applies to many services already used within schools (and there has been no issue so far or significant legal challenge).

      For me ... it is no longer a risk assessment about whether they are a risk as to whether there could be a problem (i.e. break the law but no harm, no foul) but now simply a case of they *can* follow the law ... but, as with all such firms, you are making an assessment about whether they will and there is nothing to indicate that they won't.
    1. CyberNerd -
      Originally posted by GrumbleDook:
      "If the issue was the lack of Safe Harbor Agreement then that has now been met, if the issue is with it being outside of the EU then we know that DropBox use Amazon servers in San Francisco and if the issue is one of The Patriot Act then it is a judgement call as to whether you believe that it is or isn't correct that a law enforcement agency from another country can seize data, in the same manner we have equivalent laws to seize data in the UK and this already applies to many services already used within schools (and there has been no issue so far or significant legal challenge)."

      TBH the patriot act is the last of our worries; the US government can already close you down and have you extradited to the states without presenting any evidence to a British court. The fact they might be able to seize my data sort of pales into insignificance given that I could face an indeterminate sentence in a US prison if one of my users so much as looked at some copyrighted material.
    1. GrumbleDook -
      Originally posted by CyberNerd:
      "TBH the patriot act is the last of our worries; the US government can already close you down and have you extradited to the states without presenting any evidence to a British court. The fact they might be able to seize my data sort of pales into insignificance given that I could face an indeterminate sentence in a US prison if one of my users so much as looked at some copyrighted material."

      For some organisations it is an issue and the proposed changes to the EU data laws which are likely to deal with these concerns might make some consider it as an issue too, until it is resolved.

      Whilst some may make light of it, the law is there for a reason.
    1. zag -
      So what are people's thoughts on this now?

      We are just rolling out skydrive desktop app to all staff. I need to be able to give them some guidelines on its usage.

      I've heard all the arguments and to be honest I am pretty happy with them saving files to their skydrive accounts. They have already been using live@edu email in the same way for a year now with no problems so far.