Today marks the anniversary of the Snowden revelations — the day all of us learned just how far governments were willing to take their online surveillance. At Dropbox, we find these practices unacceptable because your privacy and security come first.
We’ve been fighting for your rights all along, advocating for government surveillance reform and pushing for more transparency around government requests for your information. We’ve also recently published a set of transparency principles that guide how we stand up for your rights when faced with these requests.
Technical security measures also play a huge role in protecting your online privacy. That’s why we’re participating in Reset the Net, a day of action to highlight security best practices. Today, we want to share a technical perspective on how we safeguard your stuff.
When you store information on Dropbox, we defend it with multiple layers of security:
First, all files sent to and retrieved from Dropbox are encrypted while traveling between you and our servers. Encryption keeps people from snooping on your stuff, regardless of which device you use to access it or whether you’re on public WiFi.
Second, beyond encrypting the connection, our desktop and mobile apps also do certificate pinning. Certificate pinning is an extra check, on top of normal certificate validation, that the service you’re connecting to is really who it says it is and not an impostor: the app only trusts the specific certificates or keys it expects to see from Dropbox. This guards against man-in-the-middle attacks that ordinary certificate checks would accept, such as a certificate fraudulently issued by a compromised or coerced certificate authority.
Third, we store your files securely by encrypting them at rest on our servers. We also fragment files into chunks as an extra precaution.
Fourth, every single file you store with us is also encrypted while moving between our data centers, so that no one can read it while it travels over our infrastructure.
And finally, we use perfect forward secrecy: a fresh session key is negotiated for every connection and discarded afterward. Among other things, this means an attacker who records your traffic today cannot decrypt it later, even if a long-term key is compromised at some point in the future.
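The second and last points above, certificate pinning layered on top of ordinary certificate validation and a forward-secret key exchange, shown in working code. This is an added example written for this page, not Dropbox’s client code; it uses Go’s standard library, pins the SHA-256 of the server key’s SubjectPublicKeyInfo (the pin format HPKP used), and stands in constructed self-signed certificates for a hypothetical host `dropbox.example` in place of real CA-issued ones. The function names are this example’s own, and TLS 1.3 is assumed as the transport because every TLS 1.3 key exchange is ephemeral.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiPin hashes the certificate's SubjectPublicKeyInfo rather than the whole
// certificate, so the pin survives a renewal that keeps the same key.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// pinVerifier returns a tls.Config.VerifyPeerCertificate callback. crypto/tls calls it
// only after ordinary chain validation succeeded; some cert in a verified chain must match.
func pinVerifier(pins ...string) func([][]byte, [][]*x509.Certificate) error {
	allowed := make(map[string]bool, len(pins))
	for _, p := range pins {
		allowed[p] = true
	}
	return func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
		for _, chain := range verifiedChains { // no chains (e.g. InsecureSkipVerify) fails closed
			for _, cert := range chain {
				if allowed[spkiPin(cert)] {
					return nil
				}
			}
		}
		return errors.New("tls: chain is valid but no certificate matches a pinned public key")
	}
}

// pinnedClientConfig is the config a client passes to tls.Dial. TLS 1.3 is required
// because every TLS 1.3 key exchange is ephemeral, which is what gives forward secrecy.
func pinnedClientConfig(roots *x509.CertPool, serverName string, pins ...string) *tls.Config {
	return &tls.Config{
		MinVersion:            tls.VersionTLS13,
		RootCAs:               roots,
		ServerName:            serverName,
		VerifyPeerCertificate: pinVerifier(pins...),
	}
}

// selfSignedCert builds a throw-away certificate for name. It is constructed test
// data standing in for a CA-issued certificate; the caller trusts it as a root.
func selfSignedCert(name string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return leaf
}

// checkServer does offline what crypto/tls does with cfg during a handshake: chain
// validation against cfg.RootCAs and cfg.ServerName, then the pin callback.
func checkServer(leaf *x509.Certificate, roots *x509.CertPool, name string, pins ...string) error {
	cfg := pinnedClientConfig(roots, name, pins...)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: cfg.ServerName})
	if err != nil {
		return err // untrusted issuer, wrong name or expiry: rejected before pinning
	}
	return cfg.VerifyPeerCertificate(nil, chains)
}

func main() {
	const host = "dropbox.example" // hypothetical name, not a real endpoint
	genuine, impostor := selfSignedCert(host), selfSignedCert(host)
	// Trust both: the impostor models a mis-issued certificate that passes ordinary validation.
	roots := x509.NewCertPool()
	roots.AddCert(genuine)
	roots.AddCert(impostor)
	pin := spkiPin(genuine)
	fmt.Println("genuine :", checkServer(genuine, roots, host, pin))  // <nil>
	fmt.Println("impostor:", checkServer(impostor, roots, host, pin)) // pin mismatch
}
```

Two details matter in practice. The pin check runs only after normal chain validation has passed, so an untrusted, expired or misnamed certificate is rejected before pinning is consulted, and an empty set of verified chains (for example with `InsecureSkipVerify` set) fails closed rather than open. And because a pin that no current certificate matches locks clients out until they update, real deployments pin a backup key alongside the live one; `pinVerifier` accepts any number of pins for that reason.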
On top of all this, we’re always improving our security to be more effective against evolving threats from potential attackers. For example, we patched our services within hours of finding out about Heartbleed. We also test our apps regularly and work with experts outside Dropbox to identify and fix potential vulnerabilities.
We’re also committed to helping you do your part. Our password strength detector helps make sure yours is up to snuff, and we support two-step verification — an extra code sent to your mobile device — so we can be sure it’s really you signing in to your account. If you’re ever worried your account may have been accessed without your knowledge, visit your security tab to see the last few places Dropbox was accessed from. From there you can disconnect any devices, web sessions, or apps linked to your account. Taking these steps, and others here, will help keep your stuff safe.
The privacy and security of your information has always been, and always will be, our top priority. Today’s an important anniversary, and an important reminder that we’ve always got your back.