I finally uninstalled Dropbox. Here’s why you should do it, too.

I’ve always been a heavy Dropbox user. Thanks to the Dropbox Campus Cup and several other promotions, I’ve always had enough storage space without ever paying a single dollar. As my needs increased I even subscribed to Dropbox Pro and happily paid a monthly fee for 1 TB worth of storage space. I suddenly needed that much storage space because I had to find an alternative to Backblaze for my online backups after I learned that their encryption was effectively useless.1 I settled with Dropbox in combination with the fantastic Arq. Arq creates a backup of your hard drive, encrypts it locally and then uploads it to your own cloud account.2 Dropbox simply was the cheapest option at that time—plus, I was already familiar with it and I liked the additional features a Pro subscription would give me, e.g. link expiration.

But when Dropbox appointed Condoleezza Rice to its board in April 2014, I began worrying about Dropbox’s hostility to privacy. She was National Security Advisor and then Secretary of State under President George W. Bush. She was one of the main drivers of the Iraq War and lied about Iraq’s non-existent weapons of mass destruction. And with this person on their board of directors they want me to trust them that they keep their word? The assurance that “the security of your data is our highest priority”? Come on, seriously?

Besides, I do believe them that they’ve “implemented multiple levels of security”. I do believe them that they’re backing up my files to save me from data loss. I really do believe them that they’re encrypting my data using 256-bit Advanced Encryption Standard (AES) to protect me from hackers. But that’s useless if they have the private key to decrypt my data; when they are able to access my data when they’re legally required to. It’s not security I’m concerned about, it’s privacy! I don’t worry about data loss, or Chinese or Russian hackers. I worry about Dropbox itself spying on me and collaborating with the NSA.

Additionally, the famous whistleblower Edward Snowden warned against using Dropbox. But he also warned against Google. Would that make me ditch every single Google service I used? Probably not. I’m way too accustomed to Google Search, Gmail, Google Maps, even Google Chrome. It’s scary how dependent we are on Google.3 But all these worries and warnings still weren’t enough to make me quit using Dropbox. I mostly store freely available documents in Dropbox, e.g. homework assignments and lecture notes for my university courses. They can read those if they want to… The rest of my stored data is online backups of my laptop’s hard drive. They get encrypted by Arq anyway before they’re uploaded to Dropbox’s servers, so that’s not an issue too.

But there was reason to believe Dropbox was getting interested in what its users stored outside of their Dropbox folder. Everytime you start an I/O operation with high disk activity—like unzipping a big zip-file—the Dropbox client would hog the CPU. But why? The file is outside of the Dropbox folder, it shouldn’t concern the Dropbox client!? The way Dropbox works is that it computes the hash of a file to determine whether it has changed and needs to be re-uploaded or not. And calculating hashes takes CPU power. Dropbox’s explanation: “there’s a lot of complexity under the hood!”. There surely is a lot of complexity, when you’re monitoring the entire filesystem activity, thus basically spying on your users.

In any case—whether you denied or granted them access—each application which has once asked for root permission will be listed at System Preferences > Security & Privacy > Accessibility. Additionally, there’s a checkbox next to each application which has to be checked individually in order for the app to actually be able to control your system. In case you didn’t provide your password, the checkbox remains unchecked and the unauthorized application attempting to use Accessibility will fail.5 If you granted root permission by entering your password, the checkbox will get activated automatically. The status of its checkbox is the only difference between an application with root permission and one without root permission.

Dropbox is listed in this preference pane. Even its checkbox is activated. But Dropbox has never asked for a password. And I certainly never gave them root permission to my system nor did I accept any dialog. How the hell did they get there? They hacked their way into the system to achieve root permission. Dropbox uses a SQL attack on the TCC database to circumvent Apple’s authorization policy. You can read more on that here. But even if you remove Dropbox’s entry from the Accessibility tab, Dropbox will always put itself back there as long as you have the DropboxHelperTools installed. So go ahead and delete them. This alone makes me never ever trust Dropbox again.

The worst part is: not only Dropbox can (and does) use this hack but anybody. This is a huge security hole in macOS and it’s existed for years. With macOS Sierra, Apple finally fixed this hack by putting the TCC database TCC.db under System Integrity Protection. For whatever reason El Capitan didn’t receive this important security update. Unfortunately, macOS Sierra is so bug-ridden I really don’t want to upgrade yet. This security update however makes me consider it.

Furthermore, the DropboxHelperTools are responsible for many other hacks of your Operating System. This is also nothing new. Here’s a blog post from 2011! In their newest beta update the Dropbox developers have even implemented a new way to hack your Operating System instead of finally stopping this bullshit. They certainly never run out of ideas. Just delete the DropboxHelperTools already (or even better, uninstall Dropbox completely).

Now consider:

• they have someone like Condoleezza Rice in their board
• they don’t have the slightest respect for your privacy

It’s not a conspiracy theory anymore. People thought the same about the NSA until we eventually learned from Edward Snowden that it’s actually the truth. And since communication between Dropbox’s client and servers is encrypted, nobody except for Dropbox even knows what information about you they’re transferring to their servers.

I’m aware that nobody wants to give up the comfort of file synchronization. But I’d rather go with an open-source alternative than with Dropbox. If you know how to host it on your own server, I would suggest Seafile which is a German company and therefore not required by the Patriot Act to comply with NSA, FBI or CIA data requests.6 If you don’t know how to do that and happen to have a Synology NAS, you can also use the brilliant Cloud Station Suite from Synology. And if you just want Dropbox’s simplicity back and don’t want to deal with self-hosted cloud storage at all, then just switch to Google Drive and encrypt your sensitive data before you store it in the cloud. Google Drive at least neither abuses root permission nor does it operate outside of its designated folder.

If you’re interested in how I use online (and offline) backups, there’s a dedicated blog post about my backup strategy which goes into much greater detail than this one. This post right here is only meant to name alternatives in order to facilitate moving away from Dropbox.