Privacy & Encryption Concerns

Users discovered a 'third-party AI' setting that was switched on by default for most of the world, fueling fears that Dropbox was quietly feeding personal files to OpenAI. Dropbox said no data was passively sent and that files were not used to train models.

When the EU's top court struck down the EU–US Privacy Shield in 2020, Dropbox — which had self-certified under the framework — was among the US cloud services left exposed to European data-protection regulators questioning whether personal data could lawfully be transferred to the United States.

Dropbox gave Northwestern University researchers project-folder metadata covering some 16,000 scientists to study collaboration patterns. Users were never told their activity would be used for research, and academics warned the 'anonymized' data could re-identify individuals.

In January 2017 files and folders that users had deleted — in some cases as far back as 2009 — suddenly reappeared in their accounts, revealing that 'deleted' data had been retained on Dropbox's servers far longer than its own policy promised.

Researchers revealed that Dropbox's Mac client used a user's admin password to directly edit macOS's protected TCC.db permissions database, inserting itself into the Accessibility list — a privacy/trust list that grants near-total control over the machine — without a clear, informed prompt.

Dropbox's April 2014 appointment of former Secretary of State Condoleezza Rice — a defender of warrantless wiretapping — to its board triggered the grassroots 'Drop Dropbox' campaign, and months later Edward Snowden publicly branded the service 'hostile to privacy.'

A viral 2014 incident revealed that Dropbox compares the cryptographic hashes of files users try to share against a blacklist of DMCA-flagged content and blocks matches — surprising users who assumed their files were entirely private.

Researchers found that Dropbox's shared links to supposedly private documents could leak to third parties — exposed through browser referer headers and, in some cases, surfacing in Google search results — revealing tax returns, bank records, and business plans.

At Black Hat Europe 2013, a researcher demonstrated 'DropSmack,' a technique that abused Dropbox sync to slip malware past corporate firewalls and quietly exfiltrate company files.

Among the classified NSA PRISM documents leaked by Edward Snowden, Dropbox appeared as a provider the surveillance program planned to add, listed as 'coming soon' — placing the company squarely inside the post-Snowden surveillance debate.

An attacker used a Dropbox employee's reused password to steal a file containing roughly 68 million users' email addresses and hashed passwords — a theft whose full scale only became public in 2016.

Dropbox encrypts files at rest, but the encryption keys belong to Dropbox, not the user. This server-side model — chosen to enable deduplication, previews, and search — means the company can read user files, the root cause critics return to again and again.

Security researcher Christopher Soghoian filed a complaint with the U.S. Federal Trade Commission alleging that Dropbox made deceptive claims about its encryption, because Dropbox employees could in fact access users' files.

Security researcher Christopher Soghoian filed an FTC complaint alleging Dropbox had told users their files were inaccessible even to Dropbox employees, while its actual architecture — and a quietly revised Terms of Service — made clear the company could decrypt and hand over files.

For nearly four hours on 19 June 2011, a code update left Dropbox accounts accessible with any password at all — anyone could sign in to any account by typing anything.