By many measures, the Dropbox file-sharing service is one of the Internet success stories: it has gone from 5 million to 25 million users in the past year, and its users save 300 million files each day and 1 million files every five minutes, for a total of more than 100 billion files. However, all this is occurring against what one might call a "cloud" of controversy.
The Good News
Speaking at this week's Startup Lessons Learned conference in San Francisco, Dropbox CEO and co-founder Drew Houston relayed a long list of numbers, such as the 300 million files per day and so on. The company has also grown from 20 to almost 60 employees, with most of the new hires being engineers.
The Bad News
However, the company is also under some criticism — including a lawsuit filed with the Federal Trade Commission — due to its original claim that files sent to Dropbox were encrypted and couldn't be read. But last month, Steve Kovach at Business Insider broke the news that Dropbox had changed its terms of service to say that if the government asks, it would have to decrypt users' files and turn them over.
This caused something of an uproar in the Dropbox community. Some people said that of course the company would have to comply with legal requirements like that, and that the only people who needed to worry about it were bad guys. Others felt betrayed by the revelation that Dropbox employees could read their files after all and simply weren't supposed to.
As it turns out, the change in terms of service was precipitated by Christopher Soghoian (yes, the same guy who blew the Facebook-Google story out of the water) realizing that the company's ability to detect duplicate files meant that it retained encryption keys for the files, which opened up a security hole.
Moreover, it's obvious via a sniffer whether a file already exists on the Dropbox service, because, if so, only a small pointer file is sent up rather than the entire file. This helps the company save storage space and time. But what it also means is that people ranging from law enforcement to copyright holders can get de facto proof that a certain file exists on Dropbox simply by trying to upload it — and if only a pointer file goes up, they know that the content of interest is already there, even if they don't know who did it. And because Dropbox will cooperate with investigations, finding out who did it is just a simple matter of a warrant.
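The link between duplicate detection and key custody described above can be shown with a toy model. This is an added example, not Dropbox's code: `DedupStore`, `toy_encrypt` and `second_upload_bytes` are hypothetical names, the document is constructed sample data, and the cipher is a stand-in for illustration only.

```python
import hashlib
import os

# Constructed sample input: the same document held by two different users.
DOC = b"constructed sample document contents " * 40

class DedupStore:
    """Toy server that deduplicates on the SHA-256 of the bytes it is offered."""
    def __init__(self):
        self.blobs = {}

    def upload(self, blob):
        """Store blob and return how many bytes had to cross the wire."""
        digest = hashlib.sha256(blob).digest()
        if digest in self.blobs:
            return len(digest)            # already stored: only the pointer goes up
        self.blobs[digest] = blob
        return len(digest) + len(blob)    # new content: pointer plus full body

def toy_encrypt(key, plaintext):
    """Stand-in for per-user client-side encryption (NOT a real cipher)."""
    nonce = os.urandom(16)
    stream = hashlib.shake_256(key + nonce).digest(len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, stream))

def second_upload_bytes(client_side_keys):
    """Alice uploads DOC, then Bob does; return the size of Bob's upload."""
    store = DedupStore()
    alice_key, bob_key = os.urandom(32), os.urandom(32)
    if client_side_keys:
        # Each user encrypts under a key the server never sees, so the two
        # ciphertexts differ and the server cannot tell they are the same file.
        store.upload(toy_encrypt(alice_key, DOC))
        return store.upload(toy_encrypt(bob_key, DOC))
    # The server sees content it can compare across users, so the second
    # upload collapses to a pointer, which is visible to anyone watching size.
    store.upload(DOC)
    return store.upload(DOC)

if __name__ == "__main__":
    print("server-comparable content:", second_upload_bytes(False), "bytes")
    print("per-user client-side keys:", second_upload_bytes(True), "bytes")
```

The design trade-off is visible in the two numbers: the storage saving and the existence signal come from the same property, and both disappear once only the user holds the key.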
Soghoian isn't asking much in his FTC complaint: Dropbox needs to tell people it can decrypt files, email all its users rather than just changing its terms of service, give their money back to anybody who wants it, and not do it any more. Dropbox's blog post is likely an attempt to address at least part of this.
It will be interesting to see what Dropbox figures are like next year.