I think your article glosses over the fact that we have privacy concerns beyond training on my data.
I'm a working professional and I have clients that are governed by confidentiality agreements and regulations regarding where information goes, and I would just prefer using a service where my data rests on a server instead of having more and more points for a data breach to be introduced.
I don't really understand why my data isn't fully encrypted at all times and only I can view it in the first place, but the idea that they are actively sending it across the internet to be ingested by other companies and processed without my consent or interest is so terrible.
I often use AI features when I opt into them, but having a company just sending my personal files all over the internet without my consent is insanity.
Honestly, OneDrive has a migration tool and I got a trial for Dropbox Business and moved all my files automatically last night. It's just the last straw in their company constantly doing things I don't ask them to do like introducing crap and popups into my desktop interface and never offering the feature I constantly ask for... end to end encryption.
If you want a couple click migration from Dropbox Business to an Office 365 OneDrive account, it's right here: https://learn.microsoft.com/en-us/sharepointmigration/mm-dro...
Is OneDrive end-to-end encrypted? I think Microsoft will introduce a similar feature soon, if they haven’t already.
Nope, but it just makes sense as a quick and easy stopgap measure until I find time to figure out who to use, because it's easily compatible with my Mac and PC, I already pay for a subscription so it saves money, it can run without putting all the files on every machine that I own, they aren't sending my info everywhere.
If anyone has suggestions on a reliable end-to-end encrypted solution with a lightweight cross platform sync software that doesn't force you to download all the files to your device (my Mac's HD is too small) and is generally fully featured. That won't take very much time to migrate with a trustworthy migration vendor. I'm willing to pay a premium price for it and I'm all ears.
There are several: iCloud, ProtonDrive, Sync.com, etc.
iCloud isn't cross platform enough. ProtonDrive is going to pull down every file to every device and act in a dumb way. Sync might be a good choice actually. I have to investigate them further.
iCloud with Advanced Data Protection turned on is the only one I know of. And it’s obviously Mac only.
They’ve already announced “M365 Copilot”, which is in the same ballpark as the Dropbox features (ask questions about your documents, etc.), and of course uses OpenAI like Dropbox does. So the only real difference here would be trust.
I would imagine it doesn’t use OpenAI’s servers, but their hosted versions of OpenAI’s technology though right? Like whatever they’re currently selling to enterprise customers via Azure?
I don’t really know the structure there. Does OpenAI actually have servers? Or do they use Azure servers?
iCloud Files is the only major cloud file syncing service that is e2e encrypted afaik. Was my reason to migrate over from OneDrive (especially since I was already using Apple devices and paying for iCloud for photos anyway).
Thanks! I would use iCloud, but I have a few Windows devices I need for work unfortunately. It doesn't let me use the advanced security and maintain a Windows device. Ironically, like many of these services I already have an Apple One subscription and am paying for it anyways.
Can you trust anyone who claims that things are end-to-end encrypted? Microsoft could take the point of view that you are one "end" and DropBox is the other "end". If they encrypt the data in transit and decrypt it on their end, it's still technically "end-to-end encrypted".
They could also just lie. Having a company claim end-to-end encryption still means that I have to trust that the company isn't being sleazy.
The only encryption you can really have some measure of trust in is the encryption you apply yourself.
Dropbox issued this statement literally yesterday:
Good luck thinking a cloud provider has YOUR best interest at heart. This is Hacker News, I feel like trust should be earned, never implied. That word, "temporarily", is doing a lot of heavy lifting in a digital world where things can be duplicated for free.
Seems like an S3 bucket would have been a better alternative. We have no idea what OpenAI does with Dropbox customer data outside of storing it for 30 days. They're doing something, basically all Dropbox customer files will get propagated to OpenAI by default and that should be scary, not feel good.
What makes you think this is about "basically all Dropbox customer files"?
If it’s turned on by default and one of its capabilities is to use AI to search your files, then why wouldn’t we assume it applies to basically all files? How could it not?
So that depends entirely on how they implemented the feature. There are a few ways this could be working:
- They gave their chat interface the ability to run regular full-text searches against Dropbox - when you ask a question that can be answered by file content, it searches for relevant files and then copies just a few paragraphs of text into the prompt to the AI.
- They might be doing this using embeddings-based semantic search. This would require them to create an embeddings vector index of all of your content and then run vector searches against that.
- If they're doing embeddings search, they might have calculated their own embeddings on their own servers... or they might have sent all of your content to OpenAI's embeddings API to calculate those vectors.
Without further transparency we can't tell which of these they've done.
My strong hunch is that they're using the first option, for cost reasons. Running embeddings is an expensive operation, but storing embeddings is even more expensive - to get fast results from an embeddings vectors store you need dedicated RAM. Running that at Dropbox scale would be, I think, prohibitively expensive if you could get not-quite-as-good results from a traditional search index, which they have already built.
If they ARE sending every file through OpenAI's embedding endpoint that's a really big deal. It would be good if they would clarify!
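To make the difference between those designs concrete, here is an added example (not part of the original thread, and not Dropbox's or OpenAI's code) that measures how much of a small constructed account would leave the storage provider under the first option versus the third. The file contents, function names and the term-overlap ranking are all assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample account: file name -> text, paragraphs separated by blank lines.
FILES = {
    "contract.txt": "Client Acme agrees to a retainer of 5000 per month.\n\n"
                    "Termination requires 30 days written notice.",
    "notes.txt": "Lunch with Bob on Friday.\n\nRemember to renew the domain.",
    "tax.txt": "Estimated tax payment is due in April.\n\n"
               "Keep receipts for the home office deduction.",
}
STOPWORDS = {"a", "for", "in", "is", "of", "on", "the", "to", "what", "when"}

def tokens(text):
    """Lowercased word tokens with common stopwords removed."""
    return [t for t in re.findall(r"[a-z0-9]+", text.lower()) if t not in STOPWORDS]

def paragraphs(files):
    """Yield (file name, paragraph) pairs for every paragraph in the account."""
    for name, text in files.items():
        for para in text.split("\n\n"):
            yield name, para.strip()

def search_then_prompt(files, question, k=2):
    """Option 1: search locally, send only the top-k matching paragraphs."""
    q = Counter(tokens(question))
    scored = []
    for name, para in paragraphs(files):
        overlap = sum(min(q[t], c) for t, c in Counter(tokens(para)).items())
        if overlap:
            scored.append((overlap, name, para))
    scored.sort(key=lambda s: (-s[0], s[1]))
    return [(name, para) for _, name, para in scored[:k]]

def embed_remotely(files):
    """Option 3: every paragraph goes to the external embeddings API at index time."""
    return list(paragraphs(files))

def exposure(sent):
    """Summarize what left the storage provider: which files, how many characters."""
    return {"files": sorted({n for n, _ in sent}), "chars": sum(len(p) for _, p in sent)}

if __name__ == "__main__":
    print(exposure(search_then_prompt(FILES, "When is the tax payment due?")))
    print(exposure(embed_remotely(FILES)))
```

The second option (embeddings computed on the provider's own servers) sends nothing at index time, so its query-time exposure matches the first option: only the retrieved paragraphs reach the external model.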
Turning on AI by default seems to indicate they're sending your data somewhere automatically before seeking approval or opt-in. I could be very wrong, but the wording alone would at the very least make me cautious.
Also, temporarily doesn't necessarily mean a time period less than one hundred years.
It's such an obvious obfuscation of what everyone can assume is a permanent ownership of user data. As well as the assumption that its use will be limited. There are no supports for user data retention in the ToS. Unless a whistleblower reveals specific uses of the data and users litigate the issue, they do what they want with zero opposition.
I moved to Mega recently, who now have a very tidy full E2EE cloud storage dropbox equivalent: https://mega.io/storage.
No affiliation, but it does exactly what you're asking for, and I've been very happy with it.
I'm a little bit scared of using Mega, because it's linked to Kim Dotcom, a wanted fugitive, and Megaupload used to be known for hosting tons of pirated files.
I know they have a cheap solution, but it's not exactly something that checks my box for stability and high character for hosting my very important files.
I thought that too, but according to Wikipedia Kim Dotcom "severed all ties with the service in 2015".
https://en.wikipedia.org/wiki/Kim_Dotcom
Didn't he also claim that the new Mega was Chinese malware?
It may be, but the dude isn't exactly known for credibility or integrity.
So what you're saying is this service is probably slightly more trustworthy than the typical VC funded Silicon Valley company?
Neat, can you share a link to "Privacy and Data Policy" they mention?
The better solution is to use a separate encryption overlay like Cryptomator over whatever cloud storage you use. If you have confidentiality agreements with clients, you shouldn’t be using Dropbox without E2EE anyway, nor OneDrive.
Is it going to work on my iPad or iPhone? How long is it going to take? I tried to research that once, but it looked like Dropbox bought whatever service worked well and no longer seemed like a good solution. I would prefer the service to just work out of the box.
Yes, it works on iOS [0]. Personally I’m still using the standalone mode of Boxcryptor (the iOS app is still receiving updates), which unfortunately was bought up by Dropbox, and in the past there were opinions that it worked better than Cryptomator, but many people seem to be happy with Cryptomator now, so I’d give it a shot.
[0] https://apps.apple.com/us/app/cryptomator-2/id1560822163
I found solutions like Boxcryptor cumbersome to use. Unless you stored the data redundantly locally, you had to download big encrypted files in order to access a small file.
Also searching files was impossible unless you downloaded everything, decrypted it, and searched locally.
I quickly realized it was adding huge delays in my day-to-day work and a lot of stress during time-sensitive tasks.
Have these e2ee overlays improved in usability since then?
Obviously you can’t search contents in encrypted state, and with E2EE this means that server-side search is not possible.
I rarely use indexed file contents search (filename search is usually enough and that works well, and tools like grep work transparently), however the Boxcryptor drive can be added to the Windows Search Index (or whatever search software you use), and I assume it’s similar on Mac. You don’t have to decrypt manually. Indexing causes more system load due to the necessary decryption, of course.
On desktop systems I always store all relevant data locally, exactly for the redundancy. I’m not sure what you mean by “big encrypted files”, because each original file is encrypted individually and thus has basically the same size as the original.
Do you want your cloud storage to "just work everywhere" or do you want to have full control of your data? Basically you get to choose one of the two options.
Cryptomator on top of any of the cloud storage providers is a great setup for home / personal use. I have been doing this for the past 3 years with minimal issues. Google Drive + Cryptomator on Windows + Cryptomator on iOS, working pretty seamlessly.
What you're describing is a deeper problem not only with "AI" but with the entire cloud-centric side of the tech world. Homomorphic encryption might save the day for delocalised computing but we're some years away from that being a reality. Meanwhile de-clouding, "repatriation" to on-prem and hybrid private cloud cooperatives within a trusted group are how we get there. Another good reason is simply to stem the enormous wealth transfer to big-data from individuals and smaller companies.
I'm glad to see that fantasies about omniscient AI taking over the world are giving way to a better grasp of the more mundane realities; AI just accelerating the already obscene power imbalances present in our world. Keep your private stuff private.
I really do genuinely think that at the core the problem is that it's very hard to address your real computer from the Internet. There are programs that effortlessly can make a directory on your PC into the quite secure "cloud". Windows lets you share a password-protected directory right out of the box!
It is that easy to buy a few TB disk and just run a program, if not for the:
1. Routers that don't allow easy port forwarding (or even ban certain ports)
2. Dynamic IPs
3. People selling domains pushing their own VPS services.
4. The amount of steps you have to take to allow
A lot of small organizations I know didn't need system administrators to configure and run programs like this. A lot of them are beginner friendly! They needed them to configure the network.
Same applies for self-hosting sites. If there was a program that just hosted on your PC address any html-page you put into it, a lot of people would self-host something. But you can't unless you can wrangle your router and figure out how to buy static IP – two tasks that are way harder than basic html.
The stack for easy and secure self-hosting is here, but the network changed too much. Hopefully, IPv6 will help to solve this problem.
Tailscale is a huge step forward here: it makes creating a secure IPv6+Wireguard network for accessing your home devices from anywhere genuinely easy.
Yeah, the problem is that I just need something quick and easy. I'm not an idealist. I just need something simple that checks most of the boxes and works easily across my blended eco-system of devices.
It's why I use Dropbox to begin with.
I get you, but when you say "sending my personal files all over the internet without my consent is insanity", that sounds like pretty strong affect. Maybe it's time you re-evaluated your choice for expediency and ease in tension with something sane you believe in.
In today's world just championing sanity is already an "ideology" :)
I agree with most of your points, but why not encrypt sensitive information yourself before it gets uploaded/shared on your Dropbox account?
Sure, it's not end to end encryption but it prevents the company from using the encrypted data as a training corpus. Are shared folders and files created by co-workers and family not tech savvy enough to know about encryption?
I agree this is a good practice, but if you have to do this to defend yourself against the rogue actions of a service you’re paying for, you’re probably better off not using the service.
Different services have different and unclear expectations. For example, you'd imagine that a big online storage service would have some access controls in place to limit what uploaded data random employees in operations and engineering can see, but in at least one case you'd be totally wrong. This strikes me as a perfectly reasonable expectation - the data isn't just sitting there exposed to arbitrary employees and that only trusted employees have that kind of access, and not broadly.
I don't think this is rogue actions, I think it falls into the category of perfectly reasonable expectations that are not actually met by a wide variety of cloud services.
Nit, but what you’re describing is e2ee (except for the metadata). If you encrypt your files before uploading and decrypt it only locally then only the logical sender and recipient have access. That it goes through Dropbox is not important (and also the beauty of e2ee).
This is a bit unusual, otherwise it’s typically people (and shady service providers) who say that something is e2ee when it isn’t.
Because Dropbox acquired Boxcryptor -- one of the tools that easily let people encrypt files before upload -- to be replaced with "plans for end-to-end encryption"
https://techcrunch.com/2022/11/29/dropbox-acquires-boxcrypto...
I've worked for multiple Department of Defense contractors where they have their entire code base, to the tune of a few dozen terabytes - including highly sensitive ML training data - in their Dropbox accounts. I bet they are in full panic.
I wouldn't have much faith in OneDrive either. Just use Cryptomator for everything.
I very much agree with you, however, do you really think that Microsoft, of all companies, isn't using your data for training LLMs, with all the data leakage risks? What makes you think that your data is safer on OneDrive?
Bing Chat (based on ChatGPT), Copilot, etc. As a GitHub user, I never got a checkbox to opt-out of GitHub Copilot's training on my code. At least Dropbox provides a checkbox.