Is it safe to carry on using Dropbox (post Prism)? Yes and No: Part III
As the dust from Edward Snowden’s Prism revelations begins to settle, it’s time to think again about whether it is safe to use Dropbox. In Part I (June 2011) we said:
You don’t need to stop using Dropbox, or any of its competitors, or Google Docs – just never, ever put anything confidential or legally dubious anywhere in the cloud. Just don’t.
Is it safe to carry on using Dropbox? Yes and No
In Part II (August 2012) we said:
Dropbox is registered in the US, and is subject to the PATRIOT Act – the US authorities are able to demand details of you and your account simply because they want them. So Dropbox is just not safe for confidential or incriminating content (and nor, note, is any other US-based cloud company).
Is it safe to carry on using Dropbox? Yes and No: Part II
What we’ve now learnt from Snowden is that not only can the US authorities (in the form of the NSA and the FBI) demand details of you and your account, they do as a matter of course have access to your actual files. We also know that if you encrypt those files, it will be taken as a red flag and they will pay particular attention to the files, and by implication to you as well.
So if we ask the basic question once again — but expand it from Dropbox to ‘any US cloud-based service’ — we actually come to a similar conclusion but with more riders.
The first part of the question is, is it safe? Absolutely, categorically and emphatically, No. It is not safe to use any US cloud service.
Ladar Levison ran a ‘secure’ email service, Lavabit. Last week he suddenly shut it down after ten years. If you read his statement, you see a man of principle:
I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit.
(For the Americans, and especially in this instance, ‘the American people’ is a metaphor for ‘everyone in the world’ — it’s just that it has never legally been a crime for the NSA to spy on non-Americans.) It is clear that he is now subject to a court order from the secretive US FISA court — the one that the NSA and FBI use to justify their surveillance practices — complete with a gag order: that is, you must hand over your customers’ data but you may not tell anyone about it. However, it is Levison’s last comment that is specifically relevant here:
I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.
Kim Dotcom ran the Megaupload website, long since seized — quite possibly illegally — by the US authorities. While fighting extradition from New Zealand to the US he has set up a new and far more secure service, simply called Mega. He has first-hand experience of the reach and practices of the US authorities. His take is this:
Remember, move your Internet business to small nations that are free of conflict and therefore don’t have a massive spy agenda. Look for countries that have robust privacy and human rights laws. Stay out of the US. Don’t even host a single server there.
It looks as if he is preparing to move Mega to Iceland. New Zealand is, after all, one of the Five Eyes global surveillance countries with very close ties to the other four: the US, the UK, Canada and Australia.
But what of the other part of our question: can we carry on using Dropbox (and other US cloud services)? Clearly, we shouldn’t; but can we? As with everything else, it’s a risk-based decision: we have to weigh the risks against the advantages.
Snowden has shown us that the risks are far greater than we thought. The danger, however, is that we will conclude, ‘I’m not doing anything wrong so why should I worry: for me there is no risk.’ Think again. Adam Curtis has shown that the intelligence authorities see a plot behind every shadow: MI5 founded on a lie, maintained on a lie, and still lying today – allegedly. There is no reason to suspect that the NSA and FBI are any different; because if they don’t find the plots they will lose their budget and shrink.
Just because you do no wrong does not mean that they will see no wrong.
So the answer to our question today has to be, technically and possibly, perhaps yes; but realistically, no, no, no. Do not use Dropbox. Do not use Drive. Do not use any US cloud service. And if you are already doing so, get ready to move as early as possible to a non-US service. Don’t trust Europe — it is too closely allied to the US. As Dotcom suggests, Iceland currently looks attractive (at least until it joins the EU and gets caught up in EU subterfuges and becomes just another US and US-business puppet). As things currently stand, quite frankly the only secure solution is: do not use the cloud.
See also: Is it safe to carry on using Dropbox (client vulnerability)? Yes and No: Part IV, which discusses the latest ‘vulnerability’ in the Dropbox client (31/08/2013)