• Is DropBox ok to use?

    Because I have a background of being involved in discussions around data protection I sometimes get a prod about online storage and web 2.0 tools. Over the last 6 months I have had quite a few over online storage options, but I have never really stuck down on (electronic) paper what my concerns are and why I have them. There are a few concerns I have, some centre around ownership of files and data, some around data protection and some around management of the tools.

    Online storage often comes under attack over IPR of images, concerns about control, heated rants about how company x is making use of *our* files / photos to generate revenue on a free service, etc … and we only have ourselves to blame for not reading the T&Cs fully, for not keeping abreast of changes to the T&Cs (though some companies make life extremely difficult to find the changes or contribute to those changes) and for not accepting that if we take part in a free service then there are likely to be limitations and issues. We take on that risk ourselves and we need to accept some responsibility for that. Whether we are talking about LinkedIn using profile photos of members in their marketing by default, changes to Facebook privacy options, changes in security / ownership when companies merge products … there have been so many times when the masses rise up indignantly to protest and then rush around making changes and, in the worst cases, swap services … and yes, I have been there, expressing my frustration too.

    This is increasingly important if we are asking children to make use of these tools as we are being trusted in our judgement and selection of these tools … after all not all children, across the broad age range we have using these tools, are emotionally, intellectually or perhaps even legally in a position to make some of these choices on their own … but that is a discussion for another time probably.

    But discussions today centred around online storage, and in particular the growing use of DropBox to remove the need for USB memory devices. For those who have not come across DropBox.com, it is an online storage system which will synchronise selected folders from one or multiple devices to an online repository. Folders or sub-folders can be shared for automated synching with other users, making it a fantastic tool for collaborative sharing of files and materials. There are a number of other tools like this ranging from Microsoft’s SkyDrive, shared document libraries in SharePoint, Moxy, Box.net, ADrive and many more. DropBox and SkyDrive are both free so that is why you will see them in heavy use … especially in education. Free comes with limits though and sometimes that can be the amount of space, sometimes the SLA doesn’t really exist and sometimes there is a lack of control over certain aspects of functionality or how it changes.

    When it comes to DropBox though, my main concern is that users are significantly at risk of breaching the Data Protection Act and they don’t even know it. This is especially important right now as it is being recommended to NQTs who might not know any better … let’s face it, there is not that much about Copyright law, Data Protection and IPR within teacher training and, from what I have seen and been told, there is a presumption that this is covered within schools by school policies … and we all know how wonderful many schools are for having decent Data Protection policies and explaining them to *all* staff.

    I know that my blog is read by a wide range of people so I just need to go back a little to cover an aspect or two of the Data Protection Act. The DPA has 8 principles, which are pretty self-explanatory, and the 2 most important principles to look at for this conversation are 7 & 8.

    If we start with DPA Principle 8 first … this is about where data can be stored, moved through, processed, accessed, etc. And this is the first place we fall down with DropBox. There is an ongoing query that has never been fully answered about whether DropBox.com is compliant with this.

        Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

    Now, what this means is that if you use your online storage and sharing to move about or access anything that can be deemed ‘personal data’ (which for teachers can range from pictures of children, their personal details, information about their progress, medical information and so on) then you have to do it within the European Economic Area or other countries where we have set agreements. With the US this is called the U.S. – EU Safe Harbor and there is a list of companies who have been certified with this and across what aspects. It is important to remember that being certified is only part of this … the specifics of what has been agreed are equally important and will differ from company to company. I have previously commented about iCloud and Apple to reflect this.

    When you look at the list you will spot that DropBox.com is not there. When you dig through the T&Cs for DropBox you will find that they use Amazon for their storage facilities … which is good … Amazon *are* on the Safe Harbor list so that seems to tick the boxes … apart from they don’t say that they will only ever use Amazon and they don’t say how they use them, and what agreements they have in place. Ah … so we are back to square one then.

    I have asked the question twice now of DropBox.com and not even had tickets opened. There is a discussion at the moment about this on the forums and still no definitive answer.

    To deal with this I know some users of DropBox will make use of other security solutions to bolster how they deal with DropBox. This involves using an encryption tool to create a secure folder / file which is then synchronised via the online service. A common tool for this is TrueCrypt and that works fine at a technical level … meeting the criteria of DPA Principle 7, where you are taking suitable technical measures to ensure the security of data … but the principles are not pick and mix … you have to meet them all. Right now I use an encrypted folder on Dropbox for my non-sensitive files (so only I and others I trust can access them) and do not use it at all for sensitive items.

    For sharing pictures for stimulus with others (teachers / children), for sharing videos, etc, especially cross-platform and when using apps on mobile devices, then I can see that it will be fine for use in UK schools … but for staff to share in general … no … not yet.

    SkyDrive does meet the criteria as the data centre used is in Ireland, but I know that there are some who have issues about a tie in or lock in with Microsoft and what happens to Live@Edu and Office365. It is still worth thinking carefully about what you are sharing with others and how.

    94 Comments
      Earthling -
      I've just installed Skydrive app on my laptop to see what it's all about.

      I'm still not really sure about it, or any 'cloud' based storage, that will potentially have student confidential data saved to it. It's a MS app after all, and it's Windows Live based, which to my mind, makes it a target for hacking, password-publishing and all the rest of it. One of the reasons I gave for retaining our Exchange server and not migrating to Live@Edu.

      I'm firmly of the opinion that, if we used Live@Edu or Skydrive or Dropbox here, someone, somewhere here would store something confidential, their account would get hacked amongst thousands of others and it would all end in tears........and I'm too short-time for that.
      zag -
      Quote, originally posted by Earthling:
          One of the reasons I gave for retaining our Exchange server and not migrating to Live@Edu.
      We've been on Live@edu for a while now for email and had all those conversations before moving. Now we are on it, I really do wonder what the fuss was all about.

      Touch wood, we have not had a single incidence of hacking or any kind of data loss since we started using it.

      Storing files in the cloud is just another step along that path I think. But I do have the same reservations as everyone else about the security. So far though I have not seen any evidence of this happening on live@edu.
      Earthling -
      Quote, originally posted by zag:
          We've been on Live@edu for a while now for email and had all those conversations before moving. Now we are on it, I really do wonder what the fuss was all about.

          Touch wood, we have not had a single incidence of hacking or any kind of data loss since we started using it.

          Storing files in the cloud is just another step along that path I think. But I do have the same reservations as everyone else about the security. So far though I have not seen any evidence of this happening on live@edu.
      Touch wood..........

      I think I'm being realistic when I think that it WILL happen sooner or later. Hotmail was always being hacked every couple of years and I'm sure Windows Live will be just as much a target, if (maybe) a bit harder to crack. But hey, if it works for you, good luck. I have other reasons for not wanting to go Live@Edu, too. That's just one of them.
      zag -
      Thanks, as you can probably tell I'm trying to convince myself here as well
      Alis_Klar -
      If it is now just an issue of password security how is a pupil giving out their password for Dropbox or Live@EDU any worse than giving out their password for the school domain (if you have some form of remote access to your internal servers set up)? In fact in this scenario if users are compromised on your network then the possibilities for some Heath Robinson remote access solution being hacked are worse as your INTERNAL network and servers could be compromised.

      My point is surely from an IT security point of view having less "vectors" into your internal network is preferable. Cloud storage is one way of allowing sharing between home and school without opening up your network.

      Google and Microsoft should be tailoring their products to allow lock downs on sharing files with users outside your organisation and the online editing/viewing features should be used to facilitate the disabling of download permissions entirely (of course copy and paste and screenshot is a loophole) so files could not be downloaded from a secure folder and then distributed.

      Another idea is that the web application detects when you are sending e-mail to an external domain and pops up a reminder of your responsibilities under the DPA and gives you an "are you sure" message.

      Just basic e-mail has allowed the worst kind of DPA infringements in history but we don't all block hotmail and gmail in schools.
      Alis_Klar -
      What I'm basically saying is PLEASE CAN WE HAVE GROUP POLICY (like functionality) FOR LIVE@EDU/GOOGLE APPS!!!!
      SYNACK -
      Quote, originally posted by Alis_Klar:
          If it is now just an issue of password security how is a pupil giving out their password for Dropbox or Live@EDU any worse than giving out their password for the school domain (if you have some form of remote access to your internal servers set up)? In fact in this scenario if users are compromised on your network then the possibilities for some Heath Robinson remote access solution being hacked are worse as your INTERNAL network and servers could be compromised.

          My point is surely from an IT security point of view having less "vectors" into your internal network is preferable. Cloud storage is one way of allowing sharing between home and school without opening up your network.
      The main reason you don't want people getting into your servers is so they can't get a hold of all the sweet gooey data inside them - sure them being trashed is annoying but the data is key - if all that data is now external you still have the issues but little control of the system. In short, you're protecting your internal network by removing many/all targets of value from it, moving the problem, not solving it.
      CyberNerd -
      Quote, originally posted by SYNACK:
          In short, you're protecting your internal network by removing many/all targets of value from it, moving the problem, not solving it.
      The key from a managerial point of view, is that you move it to being someone else's problem.
      Provided you jump through the correct hoops, you get the bonus of deniability to boot.
      If MS servers get cracked and data leaked, we've done all we need to from ICO point of view - we checked their safeharbour status and it is reasonable to assume that they have more technical security knowledge to secure their servers than I do. If my servers get cracked and data leaked, I'm in a whole heap load more trouble and could be criminally liable.
      GrumbleDook -
      Quote, originally posted by CyberNerd:
          The key from a managerial point of view, is that you move it to being someone else's problem.
          Provided you jump through the correct hoops, you get the bonus of deniability to boot.
          If MS servers get cracked and data leaked, we've done all we need to from ICO point of view - we checked their safeharbour status and it is reasonable to assume that they have more technical security knowledge to secure their servers than I do. If my servers get cracked and data leaked, I'm in a whole heap load more trouble and could be criminally liable.
      Sorry, but that is wrong. What you are doing is sharing the responsibility and giving yourself the option of taking someone else to court *after* you have been hung, drawn and quartered first (though the knives will probably be well and truly blunt before they get to a school after having gone through the hosting provider but the risk is still there). You cannot completely devolve legal responsibilities on data protection and safeguarding, and it is the school's legal responsibility to appropriately choose the right partners to work with. This is one of several reasons why the large scale frameworks sorted out by LAs, RBCs and central Govt go through so many legal hoops ... to save schools having to do the same amount of investigation because it has already been done and deemed as appropriate as possible.
      CyberNerd -
      Quote, originally posted by GrumbleDook:
          Sorry, but that is wrong. What you are doing is sharing the responsibility and giving yourself the option of taking someone else to court *after* you have been hung, drawn and quartered first (though the knives will probably be well and truly blunt before they get to a school after having gone through the hosting provider but the risk is still there). You cannot completely devolve legal responsibilities on data protection and safeguarding, and it is the school's legal responsibility to appropriately choose the right partners to work with. This is one of several reasons why the large scale frameworks sorted out by LAs, RBCs and central Govt go through so many legal hoops ... to save schools having to do the same amount of investigation because it has already been done and deemed as appropriate as possible.

      That is correct from a certain point of view. Moving data to Google wasn't my decision, but we went through the correct processes and senior staff/governors accepted the risk. Parents are informed via ICO. I have day-to-day responsibility for server and infrastructure maintenance - I am NOT in charge of data protection. It might be a problem for the school if someone hacked their data, but if they even attempted to pin it on me they'd be in court for an unfair dismissal with victimisation charge quicker than I could say live@edu. If I opened our firewalls for everyone I'd be the one in deep trouble.
      GrumbleDook -
      Quote, originally posted by CyberNerd:
          That is correct from a certain point of view. Moving data to Google wasn't my decision, but we went through the correct processes and senior staff/governors accepted the risk. Parents are informed via ICO. I have day-to-day responsibility for server and infrastructure maintenance - I am NOT in charge of data protection. It might be a problem for the school if someone hacked their data, but if they even attempted to pin it on me they'd be in court for an unfair dismissal with victimisation charge quicker than I could say live@edu. If I opened our firewalls for everyone I'd be the one in deep trouble.
      Very true ... and I tend to say 'you' and 'yourself' as meaning the school, your employer and the people you are trying to do a good job for ... my apologies that I didn't make that part clear.

      So ... the school still has legal responsibilities and will delegate actions to individuals, which should be part of established processes which are agreed by the SIRO / DPO and are part of job descriptions which, should you opt to follow these processes mean that you are complicit in them unless you can show you made serious attempts to refuse to do certain actions (ad nauseam to the point of dismissal / constructive dismissal, etc).

      There are some members who have been in this position already and have had to leave jobs because they were being left in it by those further up who believed that you cannot completely delegate responsibility and take shortcuts. That is the main point I was trying to make.
      CyberNerd -
      Quote, originally posted by GrumbleDook:
          So ... the school still has legal responsibilities and will delegate actions to individuals, which should be part of established processes which are agreed by the SIRO / DPO and are part of job descriptions which, should you opt to follow these processes mean that you are complicit in them unless you can show you made serious attempts to refuse to do certain actions (ad nauseam to the point of dismissal / constructive dismissal, etc).
      Trust me. I have ample evidence of supplying information to those delegated with responsibility for data protection. I also have a complete lack of evidence of me getting any relevant training in securing on-site systems, despite requests. Sure I am complicit in introducing cloud systems to our school, if I wasn't I wouldn't have a job. I am after all a minor part-time cog in the machine that is our school, if the teachers and senior team see a really good way to save money with marked improvements to pedagogy then I'm rather obliged to follow their lead.
      GrumbleDook -
      Quote, originally posted by CyberNerd:
          Trust me. I have ample evidence of supplying information to those delegated with responsibility for data protection. I also have a complete lack of evidence of me getting any relevant training in securing on-site systems, despite requests. Sure I am complicit in introducing cloud systems to our school, if I wasn't I wouldn't have a job. I am after all a minor part-time cog in the machine that is our school, if the teachers and senior team see a really good way to save money with marked improvements to pedagogy then I'm rather obliged to follow their lead.
      Yep ... and if any members have it suggested to them that they become SIRO then unless you have to (because you are at a very senior level / sit on SLT / etc) then politely show the person the door ... and to think I even volunteered! I was mad, I tell you ... mad!!!
      alexyarm -
      Quote, originally posted by Geoff:
          On a personal note (I know this isn't scalable at an organisational level) I use truecrypt and encrypt my data before it hits dropbox. It's an extra step, but I know my data is safe and secure that way.
      Nice idea, we're sharing folders with Linux, Windows and Mac users... encryption is a pain in the nuts