The recent outrage over Dropbox’s change in their terms and conditions appears to stem from a general perception by Dropbox users that the service will never reveal their personal information to anyone (Dropbox employees, law enforcement officials, and other Dropbox users). I find the general reaction by users and the broader security community rather amusing. It should come as no surprise to anyone that information which is stored on your behalf by a service provider can be turned over to law enforcement officials with proper warrants. In any case, the lesson that all Dropbox users (and really anyone who uses cloud-based storage services) should take to heart is that if you really want to store your data securely in the cloud, you have to be responsible for your own data security.
I’ve been a Dropbox user for about 2 years now and regularly store sensitive personal information in my Dropbox folder. However, I don’t just trust that Dropbox is going to implement data security best practices to protect my data. Rather, I encrypt my sensitive files before storing them in my Dropbox folder. Solutions I’ve used are TrueCrypt to create small data partitions that I can mount on my devices and 7-Zip with its built-in AES encryption function. With these solutions, I alone am responsible for controlling when my encryption keys are disclosed. Even if Dropbox is required to share my files with law enforcement or if there is a major data breach in their service, my files are still safe because I control my private data encryption keys.
While it is perfectly reasonable to trust service providers with your information, it is not reasonable to always assume that you will have full control of your information. Users need to take responsibility for their own data protection.