What’s in your Dropbox?
Many in the NC State campus community are now using Dropbox, a cloud-based storage service that allows users to share files (photos, docs, videos, etc.) across multiple platforms, including computers, smartphones and the Dropbox website. While there are some privacy and security concerns regarding the Dropbox product, it is both useful and widely used. Recommendations for using this service or similar cloud data storage in NC State’s campus environment include the following:
- Store only appropriate documents and data in Dropbox. Dropbox may be a convenient place to store and share personal files that have no privacy concerns and files that contain only publicly available data, and nothing else.
- Do not use Dropbox to store documents or files containing high-risk and sensitive university/institutional information. This includes any data subject to university privacy regulations; protected by state and federal laws (such as FERPA, HIPAA, State Identity Theft Act, or Research and Export Regulations); under contractual provisions (such as PCI DSS, social security number, patented proposals, etc.); or whose release could cause financial or reputational harm to the university.
- Any private or sensitive personal data (such as your tax return, driver’s license number, etc.) should never be stored in your Dropbox public folder, which may be viewed via the Internet by anyone. Note: If you publish a Web link to your Dropbox public folder information, then it is likely that anyone can find and access your data using a search engine (e.g., Google, Yahoo, Bing).
- Dropbox globally encrypts your data both at rest on its servers and in transmission. Any folder you share with specific people or devices is decrypted by Dropbox to allow access to the files you have shared. Dropbox, however, uses a single security key to encrypt all of its customers’ data. Therefore, your shared files on Dropbox or your shared devices may need additional protection from hackers or others seeking to obtain information without your awareness. If you want further protection for your files, you can use tools like TrueCrypt to encrypt the entire Dropbox folder or WinZip v15 to encrypt individual files and subfolders on Dropbox.
- Safeguard access to your Dropbox control files – particularly your Dropbox configuration database file (named …/Dropbox/config.db), which contains your Dropbox login credentials. Do not allow others to copy this file. Anyone with this information on their computer can impersonate you and access any data you send via Dropbox. You will not be able to change or remove their access to your information by using your computer!
- Download Dropbox “apps” only from reputable software publishers to safeguard access to your information. Independent Dropbox app developers can, via their apps, access any data available to Dropbox on your device and send it anywhere for any purpose via your Internet connection.
- The terms of service for Dropbox are between you, the account owner, and Dropbox. The terms and conditions in the “click-through” Dropbox personal license have not been approved by NC State University Office of General Counsel for official university use.
If you need assistance in evaluating Dropbox or other cloud-based services, particularly for institutional data storage and sharing, please contact the OIT Security and Compliance unit at firstname.lastname@example.org.
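
The following self-audit is an added example, not code from NC State or Dropbox. It checks two of the recommendations above: that no file in a Dropbox folder contains Social Security number-like strings, and that the configuration database is not accessible to other accounts on the same computer. The function names, the SSN pattern, the reliance on POSIX permission bits, and the sample folder it builds are all assumptions made for illustration.

```python
import os
import re
import stat
import tempfile

# Assumption: SSN-like strings look like 123-45-6789; real DLP rules are broader.
SSN_RE = re.compile(rb"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")

def find_ssn_like(root):
    """Return sorted relative paths of files under root containing SSN-like strings."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1_000_000)  # spot check: first 1 MB of each file
            except OSError:
                continue  # unreadable file: skip it rather than abort the audit
            if SSN_RE.search(data):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def exposed_to_others(path):
    """True if group or other users hold any permission on path (POSIX mode bits)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))

def build_sample(root):
    """Constructed sample tree: one clean file, one with a made-up SSN-like value."""
    os.makedirs(os.path.join(root, "Public"))
    with open(os.path.join(root, "Public", "flyer.txt"), "w") as fh:
        fh.write("Open house on Friday, call 919-555-0100\n")
    with open(os.path.join(root, "Public", "roster.csv"), "w") as fh:
        fh.write("name,id\nExample Student,123-45-6789\n")
    cfg = os.path.join(root, "config.db")
    with open(cfg, "wb") as fh:
        fh.write(b"constructed placeholder, not a real Dropbox database")
    os.chmod(cfg, 0o644)  # deliberately loose so the check has something to flag
    return cfg

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        cfg = build_sample(root)
        print("SSN-like content:", find_ssn_like(root))
        print("config.db exposed:", exposed_to_others(cfg))
        os.chmod(cfg, 0o600)  # owner read/write only
        print("after chmod 600:", exposed_to_others(cfg))
```

To audit a real folder, call `find_ssn_like` on your Dropbox directory and `exposed_to_others` on the configuration database path; the permission check is not meaningful on Windows, where access is controlled by ACLs instead.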