The 2011 FTC complaint: marketing said staff couldn't read your files; the fine print said otherwise
April–May 2011
Security researcher Christopher Soghoian filed an FTC complaint alleging Dropbox had told users their files were inaccessible even to Dropbox employees, while its actual architecture — and a quietly revised Terms of Service — made clear the company could decrypt and hand over files.
What happened
For years Dropbox's marketing reassured users that their data was safe from prying eyes. Its help pages had stated that Dropbox employees were not able to access user files, and that all files were encrypted and inaccessible without the user's password. In April 2011 Dropbox quietly revised its Terms of Service and security language to clarify that it could, and would, remove its encryption from files to comply with law enforcement requests — language that flatly contradicted the earlier 'employees can't see your files' framing.
On 11 May 2011, Christopher Soghoian — a privacy researcher and former FTC technologist — filed a complaint with the Federal Trade Commission. He argued that Dropbox had engaged in deceptive trade practices by misrepresenting how its encryption worked. The technical heart of the complaint was deduplication: Dropbox compares uploaded files against everything already on its servers and stores just one copy of identical files, which is only possible if Dropbox holds the keys and can read file contents. Because Dropbox — not the user — controlled the encryption keys, the company could access plaintext, meaning the earlier privacy assurances were, at best, misleading.
Soghoian laid out the argument publicly in a post titled 'How Dropbox sacrifices user privacy for cost savings.' The complaint also alleged that Dropbox had overstated the encryption of its mobile apps. The episode reframed Dropbox not as a vault the company couldn't open, but as a service whose convenience depended on the company being able to.
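The deduplication argument above, as an added example that is not from the original article or from Dropbox's code: the `Provider` class, user names and `keystream_encrypt` stand-in cipher are all hypothetical. It shows cross-user deduplication succeeding when the provider can compare file contents, and failing when each user encrypts under a key only they hold.

```python
import hashlib
import hmac
import secrets

class Provider:
    """Hypothetical storage service that deduplicates on the bytes it receives."""
    def __init__(self):
        self.blobs = {}   # sha256 of received bytes -> the single stored copy
        self.index = {}   # (user, filename) -> sha256 pointer into blobs

    def upload(self, user, name, data):
        digest = hashlib.sha256(data).hexdigest()
        deduplicated = digest in self.blobs      # True: identical bytes already stored
        self.blobs.setdefault(digest, data)
        self.index[(user, name)] = digest
        return deduplicated

def keystream_encrypt(key, plaintext):
    """Demo-only stand-in cipher: HMAC-SHA256 keystream with a random nonce."""
    nonce = secrets.token_bytes(16)
    stream, counter = b"", 0
    while len(stream) < len(plaintext):
        block = nonce + counter.to_bytes(8, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))

def provider_readable_model(document):
    """Provider receives content it can read, so identical files collapse to one copy."""
    provider = Provider()
    provider.upload("alice", "report.pdf", document)
    hit = provider.upload("bob", "copy.pdf", document)
    return hit, len(provider.blobs)

def user_held_keys_model(document):
    """Each user encrypts locally with a key the provider never sees."""
    provider = Provider()
    alice_key, bob_key = secrets.token_bytes(32), secrets.token_bytes(32)
    provider.upload("alice", "report.pdf", keystream_encrypt(alice_key, document))
    hit = provider.upload("bob", "copy.pdf", keystream_encrypt(bob_key, document))
    return hit, len(provider.blobs)

SAMPLE = b"constructed sample file contents " * 64  # constructed input

if __name__ == "__main__":
    print("provider can read contents:", provider_readable_model(SAMPLE))
    print("keys held only by users:   ", user_held_keys_model(SAMPLE))
```

The first model stores one blob for both users; the second stores two, because the provider sees unrelated ciphertexts and has nothing to match on.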
Impact
The complaint permanently changed how Dropbox could describe its own security and seeded years of skepticism among privacy-conscious users. It established the central, recurring critique of the company — that Dropbox holds the keys — and helped create the market for 'zero-knowledge' rivals such as SpiderOak. Coming just weeks before the June 2011 authentication bug that left accounts open to any password, it made Dropbox a standing example in academic and journalistic discussions of cloud-storage privacy.