60 comments

[ 2.9 ms ] story [ 36.3 ms ] thread
This isn't surprising. Most service providers (including Facebook and Google) actively scan for known PhotoDNA hashes of CP provided by NCMEC and other groups, and will report if they detect and then verify any of them. I recall someone getting charged after using Gmail in a similar way. This isn't a legal mandate, they do this voluntarily.

This isn't "Dropbox employees digging through everybody's files hunting for CP". It's all automated, likely triggered by uploads of certain types of files (images/videos). They almost certainly have a human verify the validity before reporting (which is probably a 100% manual process). They're required by law to report it once they have reasonable suspicion.

An interesting abuse edge case here I've pondered for a while: someone hacks into your account and intentionally posts bad stuff to get you in trouble. It could be pretty difficult to prove that someone did this if the company's logs were inadequate. A similar flavor of this: someone sent Brian Krebs heroin in the mail, and then "tipped off" the police. Fortunately, it didn't work https://krebsonsecurity.com/2015/10/hacker-who-sent-me-heroi...

> This isn't "Dropbox employees digging through everybody's files hunting for CP". It's all automated.

If a script can access users' data what's the difference?

Permissions?
How would Dropbox function if their scripts couldn't access user data?
For the storage functionality, they could encrypt/decrypt on the frontend, and store encrypted data only.
Someone else has pointed out that Dropbox has never promised end-to-end encryption of data, partly because it would be difficult to provide various user-friendly features. Also because it would be difficult on their end to apply the efficiency measures they have for doing diffs and file history.
Can't do de-duplication if you're encrypting. No way Dropbox's storage back-end remains viable without de-dupe.
Is that true though? I use Tarsnap and as I understand it, it does de-duplication server-side AND client-side encryption.

That said, the point probably still stands that encryption is probably not feasibly with Dropbox feature set (or while maintaining a certain performance).

Tarsnap deduplicates your data with respect to your data. It can't compare your data with everybody else's data, because your data is encrypted with keys which only you hold.

Dropbox deduplicates everybody's data, so that they'll be able to take advantage when you and someone else both store the same file. (Of course, this trivially means they can recognize when someone stores a file which the FBI has previously provided to them.)

Ah, of course! Thanks for clearing that up (I was hoping you would chime in).

Oh, and thanks for a product that does what I need it to do. I'd maybe have liked a bit more documentation (for example, how to speed up retrieving a backup), but other than that I'm very happy with it!

Attic/borg can do most (all?) of what Dropbox does without access to user data.
Barring client side encryption, Dropbox's servers are going to have your data.
serious question: who is tasked with collecting and classifying these awful photos?
My Uncle had to do something similar for the NZ police. He had young children at the time, it was a distressing job for him.

I don't envy anyone that has to deal with child abuse at any level but I guess someone has to do it.

The kind of scary thing is that if someone else hacked into your account and posted bad stuff, even if you are later able to prove it wasn't you (alibi/IP address/etc), it may already be too late. Personal relationships will have severed. You will have lost your job. People may never look at you the same way.

Passwords are everywhere, and most people don't use MFA. If dozens of celebrities had their iCloud accounts hacked, there's no doubt that thousands of normal people could have their dropbox accounts hacked - for the purpose of adding nefarious files, not downloading sensitive ones.

I'm pretty sure if you asked a bunch of their customers (certainly corporate) they would find this very surprising.

I mean, I just went to their "about us" page and here is what it says:

We create products that are easy to use and are built on trust. When people put their files in Dropbox, they can trust they’re secure and their data is their own. Our users’ privacy has always been our first priority, and it always will be.

Wholesale scanning of user data with heuristics and automatic police reports out of no legal necessity whatsoever certainly doesn't spell "privacy always our first priority" to me.

(comment deleted)
I find it surprising that Dropbox has access to its users files. I thought cloud storage companies kept everything encrypted, or at least access.

My company uses Dropbox extensively for storing documents with sensitive information.

It's probably a safe assumption that if you can view files online, they are able to access any of the files.

Although there is a database of hashes and whatnot for child porn that service providers can access, so they don't necessarily need unencrypted access to the files, since they can hash locally and send that to their servers.

That's the value proposition of something like Siacoin or Filecoin.

If Dropbox did that, you wouldn't be able to reset your password (since they do not store your password, just a salted hash, I hope).

Dropbox does plenty of interesting things with its users' files to optimize storage. I know they dedupe files, probably using a file hash. Perhaps they optimize even further.

> If Dropbox did that, you wouldn't be able to reset your password

Right, or course. I'm thick today.

Dropbox holds all the encryption keys. They do not use end to end encryption.
Nope. Dropbox has never claimed they don't have access to your files, and you should generally assume that cloud providers are always looking through your data unless they explicitly claim otherwise (and maybe even if they do).

Dropbox has been in the news for scanning user files for years (eg, [1][2][3]). Note that the third link dates back to 2011; not a new issue.

If you do want to keep your data secure from the cloud provider, encrypt it yourself, or use a service that encrypts it before uploading using a key you provide (and with a client you trust not to be compromised). Spideroak makes a big play for this market[4], but I can't vouch for them.

[1]: http://www.pcworld.com/article/2048680/dropbox-takes-a-peek-...

[2]: https://www.extremetech.com/computing/179495-how-dropbox-kno...

[3]: https://readwrite.com/2011/04/20/how-to-keep-dropbox-employe...

[4]: https://spideroak.com/no-knowledge/

Will features like content search work on the website if contents are encrypted?
It could create a catalog like Spotlight does before encrypting
Dropbox is actually pretty invasive. They save space and bandwidth by recognizing media files that other people have stored and just copying internally instead of uploading from your computer.
Any source on that?
No, this is from memory, I could be wrong.

Specifically I recall a story that pirates were using their api to just upload the hash and basically use it as a file transfer service. They had to start requesting random chunks of files to make sure you actually had the file you were trying to sync.

Edit - I found a link: http://www.wired.co.uk/article/dropbox-dmca-position

I remember a story where someone uploaded a large file known to be popular (a new torrented movie if I recall correctly) that would have a reasonably chance of already being in someone elses dropbox.

The file uploaded in an instant, lending a lot of credibility to the theory that the software hashes a file and looks for the same hash in a central database, and if there's a match doesn't bother to upload the file but simply adds a pointer to it.

It's basic dedup tech

Not really surprising

The standard problem is "define encryption".

I have no knowledge of Dropbox' internals, but I've been involved with several cloud backups solutions that "fully encrypt your data". Only to have a hard time convincing people that "Full Disk Encryption on a server" will do little to prevent an employee of that company accessing data.

Yikes. Ok, let's abstract the topic to debate it.

Dropbox scans user accounts. It alerts the police that objectionable material appears on an account.

The police attempt to associate the account with a person. Social media profiles and IP adresses turn up a name and general geographic location.

Police find a person's name associated with said profiles, email, and IP.

They show up at his address, and ask him, hey, are these accounts yours?

"Maybe, why?"

The police then execute a warrant, confiscate his phone.

The phone contains an app, which is logged into an account with objectionable material on it.

You are now charged with possession of child porn.

Child porn is a terrible and heinous crime. Put that aside for a moment.

What happens if someone illegally accessed your account and placed those images there?

That objection applies to almost any possible evidence gathering technique. Framing someone has always been a possibility. It's the subject of many stories, and more than a few real life cases. But we don't know or (IMO) have reason to believe it's become more common in the digital age. You need motive and ability to do it still, and those often don't come together.
The duty of law is to prove guilt "beyond a reasonable doubt".

Is it unreasonable for my account to have been hacked and used to hold illegal material?

There are accounts of mine that I don't even remember existing.

Multiple use multiple devices of mine from time to time.

Should my dad be hauled to prison when I use his computer, and I catch a virus that stores child porn in his dropbox account from 5 years ago?

> Is it unreasonable for my account to have been hacked and used to hold illegal material?

I wouldn't necessarily say unreasonable. Incredibly unlikely, though.

How unlikely is that, though?

The question is whether there could be reasonable doubt that, given there is CP on an account, it was put there by the account owner.

What we don't know is what proportion of Dropbox accounts that contain CP had that CP planted by a hacker. If a significant enough proportion of CP on Dropbox was not put there by the account owner, it's reasonable to at least consider the possibility.

It doesn't have to be an attempt to frame the account owner: somebody who wants to exchange CP with other people might well use a hacked Dropbox account to do that, in an attempt to cloak their identities.

Getting charged with a crime is definitely not nothing, and the age of automation brings with it new kinds of problems (or at least, ones of different scale). But as the prior comment points out, the possibility of getting framed applies to virtually every other kind of evidentiary process. Such as eye-witness testimony, which is why (ideally), you aren't convicted based on that evidence alone.

If it's the case that someone illegally accessed your account and stored child porn on it, there would presumably be evidence to show that illegal access, such as IP addresses that you don't use that were used to upload that porn.

I do mostly agree with you. What if someone roots my machine and uploads from my house?

What if it was (somehow) accidentally uploaded byy little brother who torrents?

Technical evidence, is difficult to associate with meatspace users.

I'm not trying to give criminals potential defenses---

I am trying to prevent people from going to jail for malleable evidence.

If Dropbox logs the IP address used when the files were uploaded, and the ISP can verify that the IP was assigned to the user's home when the files were uploaded, I'd think that gives more weight.

There's still the possibility that some malware on the user's laptop uploaded the files and then deleted itself, but if that were a reasonable excuse, you could use that to get out of basically any computer-related crime.

I think some grandmas were invaded by a SWAT team because someone used their wifi to seed copyrighted material.
And a grandma in texas has been served thousands of warrants due to her address being closest to the geographical center of the US in Kansas, where IPs default to on a map.
What has changed in the last few decades is the possibility of framing someone with little personal risk to the framer.
>What happens if someone illegally accessed your account and placed those images there?

Depends who planted them...

How will they know? It could be a virus, or someone desiring to frame me, or someone who did it inadvertantly.
> What happens if someone illegally accessed your account and placed those images there?

You'll go to jail, and have to figure out how to post a $100,000 bail right then or stay there for quite some time, sometimes indefinitely (see current Riker's Island cases in NYC), you'll have to figure out how to find a good lawyer who maintains a reputation AND won't take the state's charge and media smearing at face value, and also pay their retainer.

Your lawyer will have hoped you actually didn't say "Maybe, why?"

Why do you ask, were you expecting some enlightening thought exercise on changing the process? This happens everyday in this country.

I'm afraid I am right there on the same page as you. I have a hunch many readers are consciously, or unconsciously, ignorant to the problems you described above.

I suspect that you should feel some of these things should change.

Perhaps a lower bail? Perhaps house arrest instead of jail? Perhaps a less costly legal process that vehemently screens for reasons to not go to trial in non-violent crimes? (child porn possession is debatably non-violent).

How do we increase the possibility of bringing about these changes?

> Perhaps a less costly legal process that vehemently screens for reasons to not go to trial in non-violent crimes?

If you can't do any of the things I mentioned above, you will take the plea deal and there will be no trial, you will go to prison for at least several years, possibly decades, but either way you'll be a felon and unemployable for the rest of your life, also a sex offender for the rest of your life, and not for one of those debatable reasons either. But thanks for keeping the process quick, that was very considerate.

But change? Good question. Something broad that isn't about the topic and laws at hand, perhaps leaning on another country's system while being sensitive of our punishment culture. Yeah, I've got nothing, rehab perhaps? I do have to commend you for trying here, and I do hope less people are ignorant to the user experience problems in our justice system.

No let's not put that aside for a moment. That isn't a reason for not doing this. Obviously no evidence would not be taken alone and it would not come from your ip address if it does then you have some explaining to do - and quite rightly so. Where rights are concerned there is a hierarchy.
I assume that Dropbox knows where and how you access their service... TFA said there was a single IP. If there were multiple then there would be reason to doubt that you were in the sole possession of those files.
Too bad an IP address isn't really proof of anything. Do you mind if I use your phone for 5 minutes? How about if I don't ask nicely? How good at jiu jitsu are you?

I'm guessing 90% of the time a dirtbag just confesses, but the potential for abuse and negligence here is nearly unlimited.

We keep commercially sensitive documents on Dropbox yet have to keep nearly all of those documents encrypted locally. If someone broke into our network they'd have a very hard time opening any of them, yet it seems Dropbox could just jump in and read them. Not sure how Dropbox got approved as secure?
You are fooling yourself securing your own network, while open a huge back door to Dropbox. Dropbox is not secure by design. They choose not to do end-to-end encryption, so that they can actively read your files.
There have been cases where someone getting busted at airport because one of his wechat groups have images of potentially underage girls someone else posted from a country where that is legal.
God that is torturous to think about.

Once again proves that "don't go to the US" is a viable legal strategy.

Most companies that host content have a "report" function. You might have once reported a post on facebook, a file link on dropbox, or an image on imgur (to take a few examples) for being bad in some way.

If the reason for your report is that the content involves child abuse, then the company is generally accountable for checking it out. This means different things depending on the type of content, the country, and lots of other moving parts, but it is the "safety of the children" argument at work. In practice, often an American content host will let NCMEC know, since they compile and forward on reports to law enforcement. Sometimes content will simply be removed. Again, it depends on the details.

This is indeed one of those cases where your privacy, and the rights you have over your property, are impinged upon as a regular person. The courts where I live (Australia) take this quite seriously and are aware that a balance must be struck. I get nervous and uncomfortable when the "think of the children" argument is misused during discussions involving encryption, intellectual property violations, and general freedoms - but I'm aware that on some occasions it is important.

A lot of work goes into identifying and where possible rescuing the children involved in this stuff, and preventing more. That is always the focus, in my experience.

A final note - the child protection industry is keen to remove the word pornography from the lexicon, and to refer to this type of material as "child abuse" or "child exploitation" material. I think it would be good to reflect that in the headline, because while most everyone knows what child porn means, calling it such mentally associates it with the pornography aspect (the end user) rather than the victim (the child).