Dropbox Privacy Concerns

I finally uninstalled Dropbox. Here’s why you should do it, too.

I’ve always been a heavy Dropbox user. Thanks to the Dropbox Campus Cup and several other promotions, I’ve always had enough storage space without ever paying a single dollar. As my needs increased I even subscribed to Dropbox Pro and happily paid a monthly fee for 1 TB worth of storage space. I suddenly needed that much storage space because I had to find an alternative to Backblaze for my online backups after I learned that their encryption was effectively useless.[1] I settled with Dropbox in combination with the fantastic Arq. Arq creates a backup of your hard drive, encrypts it locally and then uploads it to your own cloud account.[2] Dropbox simply was the cheapest option at that time—plus, I was already familiar with it and I liked the additional features a Pro subscription would give me, e.g. link expiration.

But when Dropbox appointed Condoleezza Rice to its board in April 2014, I began worrying about Dropbox’s hostility to privacy. She was National Security Advisor and then Secretary of State under President George W. Bush. She was one of the main drivers of the Iraq War and lied about Iraq’s non-existent weapons of mass destruction. And with this person on their board of directors they want me to trust them that they keep their word? The assurance that “the security of your data is our highest priority”? Come on, seriously?

Besides, I do believe them that they’ve “implemented multiple levels of security”. I do believe them that they’re backing up my files to save me from data loss. I really do believe them that they’re encrypting my data using 256-bit Advanced Encryption Standard (AES) to protect me from hackers. But that’s useless if they have the private key to decrypt my data; when they are able to access my data when they’re legally required to. It’s not security I’m concerned about, it’s privacy! I don’t worry about data loss, or Chinese or Russian hackers. I worry about Dropbox itself spying on me and collaborating with the NSA.

Additionally, the famous whistleblower Edward Snowden warned against using Dropbox. But he also warned against Google. Would that make me ditch every single Google service I used? Probably not. I’m way too accustomed to Google Search, Gmail, Google Maps, even Google Chrome. It’s scary how dependent we are on Google.[3] But all these worries and warnings still weren’t enough to make me quit using Dropbox. I mostly store freely available documents in Dropbox, e.g. homework assignments and lecture notes for my university courses. They can read those if they want to… The rest of my stored data is online backups of my laptop’s hard drive. They get encrypted by Arq anyway before they’re uploaded to Dropbox’s servers, so that’s not an issue either.

But there was reason to believe Dropbox was getting interested in what its users stored outside of their Dropbox folder. Every time you start an I/O operation with high disk activity—like unzipping a big zip file—the Dropbox client would hog the CPU. But why? The file is outside of the Dropbox folder, it shouldn’t concern the Dropbox client!? The way Dropbox works is that it computes the hash of a file to determine whether it has changed and needs to be re-uploaded or not. And calculating hashes takes CPU power. Dropbox’s explanation: “there’s a lot of complexity under the hood!”. There surely is a lot of complexity, when you’re monitoring the entire filesystem activity, thus basically spying on your users.

But how is it possible that they’re able to do that? Isn’t it the Operating System’s job to prevent apps from doing shady things like that without your consent? Yes, it is! In Mac OS X 10.2 Apple introduced the Accessibility architecture through which you can allow trusted third-party applications to access and control your Mac. Simply said: applications may ask for root permission and you may grant them permission by entering your password. If you do so, these apps can from then on read all your emails, see your calendar entries, click buttons, open websites, activate your FaceTime camera or microphone, eject DVDs from your disc drive. They can do literally anything they want! Perfect conditions to spy on you. You’ve really got to trust an app to let it control your system.[4] That’s the reason why your approval (in the form of a password) is required to obtain root permission.

In any case—whether you denied or granted them access—each application which has once asked for root permission will be listed at System Preferences > Security & Privacy > Accessibility. Additionally, there’s a checkbox next to each application which has to be checked individually in order for the app to actually be able to control your system. In case you didn’t provide your password, the checkbox remains unchecked and the unauthorized application attempting to use Accessibility will fail.[5] If you granted root permission by entering your password, the checkbox will get activated automatically. The status of its checkbox is the only difference between an application with root permission and one without root permission.

Dropbox is listed in this preference pane. Even its checkbox is activated. But Dropbox has never asked for a password. And I certainly never gave them root permission to my system nor did I accept any dialog. How the hell did they get there? They hacked their way into the system to achieve root permission. Dropbox uses a SQL attack on the TCC database to circumvent Apple’s authorization policy. You can read more on that here. But even if you remove Dropbox’s entry from the Accessibility tab, Dropbox will always put itself back there as long as you have the DropboxHelperTools installed. So go ahead and delete them. This alone makes me never ever trust Dropbox again.

The worst part is: not only Dropbox can (and does) use this hack but anybody. This is a huge security hole in macOS and it’s existed for years. With macOS Sierra, Apple finally fixed this hack by putting the TCC database TCC.db under System Integrity Protection. For whatever reason El Capitan didn’t receive this important security update. Unfortunately, macOS Sierra is so bug-ridden I really don’t want to upgrade yet. This security update however makes me consider it.
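As an added example (not part of the original post, and not Dropbox’s or Apple’s code), here is a read-only audit of the Accessibility entries in a TCC database: it lists clients whose checkbox is ticked but that you never approved, and flags clients you removed that are enabled again. The `access` table layout and its grant columns are assumptions about the TCC.db schema, and the `com.example.*` rows are constructed sample data.

```python
import sqlite3

# TCC service name behind the Accessibility list in Security & Privacy.
ACCESSIBILITY = "kTCCServiceAccessibility"

# Constructed sample rows: (service, client bundle id, granted flag).
SAMPLE_ROWS = [
    (ACCESSIBILITY, "com.example.screenreader", 1),
    (ACCESSIBILITY, "com.example.syncclient", 1),
    (ACCESSIBILITY, "com.example.declined", 0),
    ("kTCCServiceAddressBook", "com.example.mail", 1),
]

def build_sample_db(rows):
    """In-memory stand-in for TCC.db; the schema here is an assumption."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE access (service TEXT, client TEXT, "
               "client_type INTEGER, allowed INTEGER)")
    db.executemany("INSERT INTO access VALUES (?, ?, 0, ?)", rows)
    return db

def enabled_clients(db, service=ACCESSIBILITY):
    """Return the clients whose checkbox is ticked for `service`."""
    cols = {row[1] for row in db.execute("PRAGMA table_info(access)")}
    # Assumed layouts: older releases store allowed = 1,
    # newer releases store auth_value = 2 for a granted entry.
    col, granted = ("allowed", 1) if "allowed" in cols else ("auth_value", 2)
    query = f"SELECT client FROM access WHERE service = ? AND {col} = ?"
    return {client for (client,) in db.execute(query, (service, granted))}

def unapproved(db, approved):
    """Enabled Accessibility clients that are not on your own approved list."""
    return sorted(enabled_clients(db) - set(approved))

def regranted(removed, db):
    """Clients you removed earlier that are enabled again in this snapshot."""
    return sorted(set(removed) & enabled_clients(db))

if __name__ == "__main__":
    db = build_sample_db(SAMPLE_ROWS)
    print("unapproved:", unapproved(db, ["com.example.screenreader"]))
    print("re-granted:", regranted(["com.example.syncclient"], db))
```

To audit a real machine, pass `enabled_clients` a connection opened on a read-only copy of TCC.db instead of the sample database.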

Furthermore, the DropboxHelperTools are responsible for many other hacks of your Operating System. This is also nothing new. Here’s a blog post from 2011! In their newest beta update the Dropbox developers have even implemented a new way to hack your Operating System instead of finally stopping this bullshit. They certainly never run out of ideas. Just delete the DropboxHelperTools already (or even better, uninstall Dropbox completely).

Now consider:

  • they’re monitoring your entire filesystem, not just your Dropbox folder
  • they have someone like Condoleezza Rice on their board
  • they don’t have the slightest respect for your privacy

It’s not a conspiracy theory anymore. People thought the same about the NSA until we eventually learned from Edward Snowden that it’s actually the truth. And since communication between Dropbox’s client and servers is encrypted, nobody except for Dropbox even knows what information about you they’re transferring to their servers.

I’m aware that nobody wants to give up the comfort of file synchronization. But I’d rather go with an open-source alternative than with Dropbox. If you know how to host it on your own server, I would suggest Seafile which is a German company and therefore not required by the Patriot Act to comply with NSA, FBI or CIA data requests.[6] If you don’t know how to do that and happen to have a Synology NAS, you can also use the brilliant Cloud Station Suite from Synology. And if you just want Dropbox’s simplicity back and don’t want to deal with self-hosted cloud storage at all, then just switch to Google Drive and encrypt your sensitive data before you store it in the cloud. Google Drive at least neither abuses root permission nor does it operate outside of its designated folder.

If you’re interested in how I use online (and offline) backups, there’s a dedicated blog post about my backup strategy which goes into much greater detail than this one. This post right here is only meant to name alternatives in order to facilitate moving away from Dropbox.

I hope you found this article helpful. If you have any remaining questions, just hit me up on Twitter or leave a comment below.

  1. They store your private key on their servers. Your password is used to encrypt and decrypt your private key on their servers. Your data is decrypted on their servers before it is sent to you over an SSL connection. Read more

  2. This means your data is encrypted before it enters the cloud. So unless the NSA has secretly built a quantum computer, they will have a tough time of it with decrypting your data. 

  3. They’re just the best, when it comes to services. 

  4. Accessibility was meant for developers to create applications for people with disabilities. Via System Events (an agent for some AppleScript features), specifically its Processes suite, applications could control other applications via GUI Scripting (i.e. click buttons and menu items). Imagine a voice control software for blind users. These applications understandably needed permission to control the Mac. When you’re dependent on such applications, you have no other choice but to trust them. However, more and more apps discovered hacky ways to exploit loopholes or to use features other than as intended, if only they had root permission. This way Dropbox used to control the Finder to display its synchronization status icons, Default Folder X could render its Save dialog, Bartender organized the Mac menu bar, and many more.

  5. This is a feature for additional security, introduced in Mac OS X 10.9 (aka Mavericks). Quote: “Applications must now be individually authorized to use Accessibility using the Security & Privacy preference pane in System Preferences. If an unauthorized application attempts to use Accessibility, it will fail.” (Source)

  6. Note: The Patriot Act was signed into law in 2001, when Condoleezza Rice was President Bush’s National Security Advisor.