Dropbox Privacy Concerns


I finally uninstalled Dropbox. Here’s why you should do it, too.

I’ve always been a heavy Dropbox user. Thanks to the Dropbox Campus Cup and several other promotions, I’ve always had enough storage space without ever paying a single dollar. When I was looking for a new cloud storage service to do my online backups, I even subscribed to Dropbox Pro and happily paid a monthly fee for 1 TB worth of storage space.1

But in 2014, when Dropbox appointed Condoleezza Rice to its board, I began worrying about Dropbox’s hostility to privacy. Condoleezza was National Security Advisor and then Secretary of State under President George W. Bush. She was one of the main drivers of the Iraq War and lied about Iraq’s non-existent weapons of mass destruction. With this person on their board of directors, they want me to trust them that they keep their word? Their word that “the security of your data is our highest priority”? Come on, seriously?

Apart from this, I do believe them that they’ve “implemented multiple levels of security”, I really do. I do believe them that they’re backing up my files to save me from data loss. I do believe them that they’re encrypting my data using 256-bit Advanced Encryption Standard (AES) to protect me from outside hackers. But it’s not security I’m concerned about, it’s privacy! I don’t worry about data loss or Chinese or Russian hackers. I worry about Dropbox itself spying on me and collaborating with the NSA. All of that is useless if they hold the key to decrypt my data, i.e. if they can access my data whenever they’re legally required to.

Additionally, the famous whistleblower Edward Snowden warned against using Dropbox. But he also warned against Google. Would that make me ditch every single Google service I use? Probably not. I’m way too accustomed to Google Search, Gmail, Google Maps, even Google Chrome. It’s scary how dependent we are on Google. But all these worries and warnings still weren’t enough to make me quit using Dropbox. I mostly store freely available documents in Dropbox, e.g. homework assignments and lecture notes for my university courses. They can read those if they want to… it’s not like they weren’t on the internet for everyone to see anyway. The rest of my stored data is online backups of my computer’s hard drive. They get locally encrypted by the fantastic Arq before they’re uploaded to Dropbox’s servers, so that’s not an issue either.

But there was reason to believe that Dropbox was getting interested in what its users stored outside of their Dropbox folder. Every time you start an I/O operation with high disk activity, say unzipping a big zip file such as the latest Xcode beta, the Dropbox client would hog the CPU. But why? The file is outside of the Dropbox folder; that shouldn’t concern the Dropbox client at all!? The way Dropbox works is that it computes the hash of a file to determine whether it has changed and needs to be re-uploaded or not. And calculating hashes takes CPU power. That’s all well and good, but why does it compute the hashes of files outside the Dropbox folder then? Dropbox’s explanation: “there’s a lot of complexity under the hood!”. There surely is a lot of complexity when you’re monitoring the entire filesystem activity, thus basically spying on your users.

But how is it possible that they’re able to do that? Isn’t it the operating system’s job to prevent apps from doing shady things like that without your consent? Yes, it is! With Mac OS X 10.2 Apple introduced the Accessibility architecture. Through this architecture you can allow trusted third-party applications to access and control your Mac. Put simply: applications may ask for root permission and you may grant it by entering your password. If you do so, these apps can from then on read all your emails, see your calendar entries, open websites, click buttons, log your keyboard input, activate your webcam or microphone, eject DVDs from your disc drive. They can do literally anything they want! Perfect conditions to spy on you. You really have to trust an app to let it control your system. That’s the reason why your approval (in the form of a password) is required to obtain root permission. But why did Apple introduce something like that if it can be used to invade your privacy in such a way? Well, Accessibility was originally meant for developers to create applications for people with disabilities. Imagine voice control software for blind users. Blind users cannot use a mouse pointer to click on a button themselves. This new architecture allowed applications to control other applications via System Events (a faceless background application that enables GUI Scripting through AppleScript), more specifically through its Processes suite. Such powerful applications understandably needed permission first before they could control your Mac. But when you’re dependent on such applications, what other choice do you have?

Anyway, more and more apps discovered hacky ways to use these features for purposes other than intended. They only needed to convince the user to give them root permission. They do not even have to convince the user, they just have to ask. Many people will provide their passwords generously, as videos like this or, if you understand German, this even funnier video prove. Dropbox, for example, used to control the Finder to display its synchronization status icons, Bartender organized the menu bar this way, Default Folder X rendered its enhanced Save dialog, and many, many other applications do this. In any case—whether you denied or granted an application root access—each application which has once asked for root permission will be listed at System Preferences > Security & Privacy > Accessibility from then on.

[Screenshot: System Preferences > Security & Privacy > Accessibility]

Notice the checkbox next to each application. This checkbox needs to be checked for an individual app before it is actually able to control your system. If you granted an application root permission by entering your password, its checkbox will get activated automatically. In case you didn’t provide your password, the unauthorized application will be listed but its checkbox remains unchecked, thus the application attempting to use Accessibility will not be able to control your system. The status of the checkbox is the only difference between an application with root permission and one without root permission.2

Dropbox is listed in this preference pane. Even its checkbox is activated. But Dropbox has never ever asked me for a password. And even if it had, I certainly wouldn’t have given them root permission to my system. How the hell did they get there? They hacked their way into the system to achieve root permission. Dropbox uses a SQL attack on the TCC database to circumvent Apple’s authorization policy. You can read more on that here. But even if you remove Dropbox’s entry from the Accessibility tab, Dropbox will always put itself back there as long as you have the DropboxHelperTools installed. This alone makes me never ever trust Dropbox again. So go ahead and delete the DropboxHelperTools right now.

The worst part is: not only does Dropbox use this hack, anybody can. This is a huge security hole in macOS and it has existed for years. With macOS Sierra, Apple finally fixed this hack by putting the TCC database TCC.db under System Integrity Protection. For whatever reason, El Capitan didn’t receive this important security update. Unfortunately, macOS Sierra is so bug-ridden I really don’t want to upgrade yet. This security update however makes me consider it.
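If you want to check your own machine rather than take the preference pane’s word for it, the following Python script (an added example, not code from the original post or from Dropbox) reads the Accessibility rows straight out of the TCC database and flags grants that look like they were not created by the system’s own prompt. The `access` table is modelled with only the columns the audit needs (an assumption about the pre-Mojave schema, not the full one), the “no code-signing requirement, never prompted” heuristic is mine, and the sample rows are constructed; the real system database lives at the path in `SYSTEM_TCC_DB` and needs root to read on El Capitan, and on Sierra and later it sits under SIP.

```python
"""Audit a macOS TCC database for Accessibility grants (defender-side check)."""
import os
import sqlite3
import tempfile

ACCESSIBILITY = "kTCCServiceAccessibility"
# Real location of the system-wide database (reading it requires root).
SYSTEM_TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"

# Minimal reconstruction of the pre-Mojave `access` table; only the columns
# this audit needs are modelled (assumption, not Apple's full schema).
SCHEMA = """CREATE TABLE access (
    service TEXT NOT NULL, client TEXT NOT NULL, client_type INTEGER NOT NULL,
    allowed INTEGER NOT NULL, prompt_count INTEGER NOT NULL, csreq BLOB)"""


def audit_accessibility(db_path):
    """Return one dict per client listed under the Accessibility service."""
    conn = sqlite3.connect(db_path)
    try:
        rows = conn.execute(
            "SELECT client, allowed, prompt_count, csreq FROM access "
            "WHERE service = ? ORDER BY rowid", (ACCESSIBILITY,)).fetchall()
    finally:
        conn.close()
    findings = []
    for client, allowed, prompts, csreq in rows:
        granted = bool(allowed)
        # Heuristic: when macOS grants access through its own dialog it records
        # the code-signing requirement and bumps prompt_count. An allowed row
        # with neither is a hint that something else wrote it into the table.
        suspicious = granted and (csreq is None or prompts == 0)
        findings.append({"client": client, "allowed": granted,
                         "suspicious": suspicious})
    return findings


def build_sample_db(path):
    """Create a TCC.db lookalike filled with constructed rows (not real data)."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?, ?)", [
        (ACCESSIBILITY, "com.example.screenreader", 0, 1, 1, b"\xfa\xde\x0c\x00"),
        (ACCESSIBILITY, "com.example.synchelper", 0, 1, 0, None),  # never prompted
        (ACCESSIBILITY, "com.example.denied", 0, 0, 1, b"\xfa\xde\x0c\x00"),
        ("kTCCServiceAddressBook", "com.example.mail", 0, 1, 1, None),  # ignored
    ])
    conn.commit()
    conn.close()


def demo():
    """Build the constructed database in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "TCC.db")
        build_sample_db(path)
        return audit_accessibility(path)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

To audit a real El Capitan machine, call `audit_accessibility(SYSTEM_TCC_DB)` as root instead of `demo()`.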

Furthermore, the DropboxHelperTools are responsible for many other hacks of your operating system. This is also nothing new. Here’s a blog post from 2011. In their newest beta update, the Dropbox developers even implemented a new way to hack your operating system instead of finally cutting out this bullshit. They certainly never run out of ideas. Just delete the DropboxHelperTools already or—even better—uninstall Dropbox entirely.

Now consider:

  • they’re monitoring your entire filesystem, not just your Dropbox folder
  • they have someone like Condoleezza Rice on their board
  • they don’t have the slightest respect for your privacy

It’s not a conspiracy theory anymore. People thought the same about the NSA until we eventually learned from Edward Snowden that it’s actually the truth. And since communication between Dropbox’s client and servers is encrypted, nobody except for Dropbox even knows what information about you they’re transferring to their servers.

I’m aware that nobody wants to give up the comfort of file synchronization. But I’d rather go with an open-source alternative than with Dropbox. If you know how to host it on your own server, I would suggest Seafile, which is a German company and therefore not required by the Patriot Act to comply with NSA, FBI or CIA data requests.3 If you don’t know how to do that and happen to have a Synology NAS, you can also use the brilliant Cloud Station Suite from Synology. And if you just want Dropbox’s simplicity back and don’t want to deal with self-hosted cloud storage at all, then just switch to Google Drive and encrypt your sensitive data before you store it in the cloud. Google Drive at least neither abuses root permission nor operates outside of its designated folder.

I hope you found this article insightful and are as upset as I was. If this article made you finally delete Dropbox from your system, please let me know down below in the comment section. Cheers!

  1. Dropbox simply was the cheapest option at that time—plus, I was already familiar with it and I liked the additional features a Pro subscription would give me such as link expiration.

  2. This checkbox is an additional security feature that was introduced with Mac OS X 10.9 (aka Mavericks). Quote: “Applications must now be individually authorized to use Accessibility using the Security & Privacy preference pane in System Preferences. If an unauthorized application attempts to use Accessibility, it will fail.” (Source)

  3. By the way, the Patriot Act was signed into law in 2001, when Condoleezza Rice was President Bush’s National Security Advisor.