Does anyone use Dropbox?

Difference is: ...

What Wuala don't have and cannot create are the keys to decrypt the files.  All they can pass on is the a/c name, IP address, contact email address etc.   

Very, very different to passing on the actual files.

What HAS Mr Forbes against Wuala?

daveforbes wrote:

wuala have your encrypted files

they have the encryption keys for decrypting those files stored all together in one file encrypted using your password.

all this they could hand over under the terms of the agreement.

What they don't have is your password, which is probably less than a dozen characters long.

Also - take a look at http://www.bbc.co.uk/news/uk-england-11479831

Where exactly does wuala store your data ? In data centres in EEA but also redundant copies in the "wuala cloud" which is basically the computers of wuala customers. Could some of your data could be on a PC in Yemen and vice versa ? Hmmmm.

Yes Wuala have ONLY the encrypted files, which are useless without the key (generated by one's password).  To quote from them directly: - 

http://www.wuala.com/en/support/faq/c/20

Every file you store in Wuala gets encrypted before it leaves your computer. This includes file metadata (e.g. name, description, tags). Every file is encrypted with a different key and the list of these keys is encrypted with your password and stored on our server. The password itself never leaves your computer so that not even we can access your data.

Wuala encrypts and decrypts all files locally. Your password never leaves your computer, hence, we do not know your password. This protects your privacy, but also means that apart from sending you password hint (specified when creating your account or check your account settings) we cannot help you recovering it. For a more indepth discussion see: http://wualablog.blogspot.com/2011/04/wualas-encryption-for-dummies.html from which the following extract is taken: -  . . . This helps to guard a little against brute-force attacks because if it takes 10ms to calculate the key from a password, an attacker can try at most 100 passwords per second. Still, if you want an attack to take millions of years, you should choose a password with ten characters, better more. In fact my own password is more than double the length suggested by Mr Forbes AND the whole Wuala installation runs from an encrypted drive. (again a seriously long password). The link to the BBC news item is both disingenuous and slightly offensive ... the party 'jailed for 16 weeks for refusing to disclose his password' was suspected of having child [***] on his computer.  Is Mr Forbes suggesting that a child [***] enquiry is relevant to this discussion and, if so, in what way?  Yes, we all know that it is an offence not to disclose passwords under RIPA in the UK which is why I don't bring any data into the UK (or USA come to that).  Even so, I would  not disclose my passwords to any government agency anywhere - and take my chances.  The danger to my clients is fishing expeditions rather than direct "assaults" upon their data, and government agency, anywhere, is going fishing in my data if I can help it. With regard to redundant data ... it is just that, pieces of encrypted files in the same way that Skype (and DB) drop bits of data all over the place.  The point is though, it is encrypted and therefore useless without both the key & password.  

Dropbox/Wuala and Security Requirements

0103953 wrote:

If I dealt with a high-profile politician / personality / businessman, billionaire, senior military figure, someone of major interest to the British or US Government etc. then I probably wouldn't use Dropbox for that data.  But for the type of clients I have, the standard Dropbox encryption and security procedures appear sufficient for me.

Yes, I suppose that is probably part of my reason for staying with Dropbox too. Having said that, if 50% of my clients moved to Wuala, I would probably follow them.

Dropbox: what would you litigate for?

JC wrote:

If I were a client and found out that my accountant was prepared to use Dropbox on my information whilst at the same time using more secure means for '.. high-profile politician / personality / businessman, billionaire, senior military figure, someone of major interest to the British or US Government etc ..' I don't think that I would be impressed - definately litigation on the cards with this one

What would you litigate for JC? I don't think you could sue unless you suffered some loss, and if you had suffered a loss then the aditional security used for other clients would be irrelevant; all that would matter would be if Dropbox had sufficient security.

How Dropbox sacrifices user privacy for cost savings

daveforbes wrote:

The ICO have certainly been thinking about "cloud" and the data protection act and specifically refer to dropbox in

http://www.ico.gov.uk/conference2012/~/media/documents/dpo_conference_2012/afternoon_workshop_a.ashx

... but appears not to give any answers.

Storing encrypted fragments of personal data outside the EEA and not in a "safe harbour"  - does that break the DPA ? Technically yess. How small a fragment and how encrypted ? It is a bit of a nonsense. Here for example is an encrpyted fragment of my credit card number .... 7 

@ hansa - the example was actually from a link wuala's website. I think RIPA would still apply if it were encrypted data in a say a tax evasion case.  You say "it is just that, pieces of encrypted files in the same way that Skype (and DB) drop bits of data all over the place", I agree skype uses peer to peer storage (and processing power) but as far as I am aware there is no peer to peer storage in dropbox it is all within Amazon AWS data centres.

Data Redundancy - I'm not at all sure Wuala does any more - you may be thinking of their launch scheme (ended Oct 2011) where uses could gain 'space' by allowing encrypted information to be saved.  In any event, I am pretty sure the DP rules refer to 'personal' data which by it's very definition must be identifiable.

RIPA - yes, of course it applies to all electronic data but I've yet to hear of any professional person being prosecuted (let alone convicted) for refusing to hand over a password. I also have a feeling that RIPA applies to the computer itself, not remote services (but I've no desire to test that!).  We are however digressing as it is the security (or otherwise) of Dropbox vs. the others which is the question. The link following might be of interest: -

http://paranoia.dubfire.net/2011/04/how-dropbox-sacrifices-user-privacy-for.html

In summary: 

Dropbox can allow its staff to access your data, it allows data de-duplication, it can reset passwords thus it is NOT safe for confidential files

Wuala cannot NOT give staff access to your data as it is encrypted.  It does not allow data de-duplication, it cannot reset passwords therefore it IS safe for confidential files.

secure area on own website :-)

coolmanwithbeard wrote:

. . . For others I have a secure area on my own website - I can provide clients with a log in to their own private directory and they can upload stuff for me.. . 

This is the best solution of all for limited amounts of data.  I've been planning to implement a "secure area" on my various sites for some time but not really sure where to start (and worse still, neither is my site designer!) ... Any tips or pointers would be most welcome :-) 

For the rest, it all boils down to how confidential the data is ... In my field, the answer is "very" in almost all cases.  I even delete emails from my phone daily!