Marco Arment on Dropbox: Don’t use it for anything valuable

If you haven’t heard of Marco Arment–creator of Instapaper, co-founder of Tumblr, and Internet-famous software developer–go follow him on Twitter…now.

Not only is Marco an amazingly successful entrepreneur, but his blog and weekly podcast (Build and Analyze) are consistently packed with unique and thoughtful insights on technology and, on occasion, coffee.

On episode 85 of Build and Analyze, Marco responds to a listener question about the (in)security of Dropbox. In a nutshell, the listener asked whether Marco felt comfortable storing his data in Dropbox given that they hold the encryption keys.

Marco’s response echoes my personal feelings about Dropbox and other public cloud services – treat Dropbox as though it’s nearly public. Marco’s rule of thumb is that he doesn’t put anything in Dropbox that could potentially be harmful or embarrassing if it were leaked.

Arment says:

“Anything that is really sensitive or extremely valuable or needs to be kept very secret, I wouldn’t store on anybody else’s servers. That, to me, seems ridiculous unless I held the encryption keys like with the online backup service that I use.”

Marco makes some salient points worth repeating here for users who may not be fully aware of how services like Dropbox typically work and the ramifications of storing your data off-premise.

In case you didn’t realize, Dropbox holds the keys to encrypt and decrypt your data on their servers.

This means that a Dropbox employee could theoretically view (or steal) your data. Why do they hold the keys? Dropbox isn’t just online backup, it’s a collaboration tool. In order to offer public file sharing features, they have to be able to decrypt data that is stored on their servers.

They also need to be able to decrypt data for legal reasons – for example, if they get a DMCA takedown notice or a subpoena from the US government requesting certain files, servers, or even racks of servers [1]. And because Dropbox hosts data for 25,000,000+ users, some of whom are undoubtedly doing very bad things, the likelihood of being served with a subpoena is far greater for them than for an individual person or organization.

For similar reasons, public cloud services are more likely to be hit by hackers because they are high-value targets and, by definition, accessible over the Internet. Also worth noting – you don’t get to decide who Dropbox hires and which employees have access to encryption keys.

Marco and co-host Dan Benjamin briefly discussed Dropbox’s most recent (at the time) security snafu, which allowed anyone to log in to any account without a password. Coincidentally, a little more than a week after the show aired, Dropbox is involved in another security investigation.

Marco concludes by saying that there are ways to use public cloud services responsibly, but you can’t use them for everything.

I’m with Marco on this.  Any time I store something in the cloud–be it Dropbox or Twitter or Facebook–I ask myself, “How would I feel if this data were on the front page of the New York Times tomorrow?”

Listen to episode 85 of Build and Analyze to hear Marco talk about this topic in detail (it starts around 57:36). He also has a really interesting viewpoint on how leaked source code usually has no meaningful consequences.

[1] Marco experienced this first-hand with Instapaper when his hosting provider DigitalOne was raided by the FBI and one of his servers was confiscated:


  • Jason Marshall

    I have the same concerns with the instances I run personally on Amazon’s EC2. I have my code that isn’t quite ready to share with the world, as well as a project that was never set for public release. Should I consider this instance a “public server” in the same sense?

  • William

    There is a service that encrypts and does not necessarily keep your keys. Take a look at They allow you to publicly share files, in which case the client application sends them the decryption key for that file alone. Otherwise, your keys are safe, specifically to not have to (fully) comply with DMCA notices.

  • Jeff Siver

    I store my tax returns in my Dropbox account to back them up. To minimize the security issues, I put my tax files in a virtual encrypted disk (managed with TrueCrypt). That way, even if somebody gets access to my Dropbox account, they can’t see my tax returns.

  • Levi

    So what online backup service does Marco use?

  • Wandspiegel

    I just throw sensitive stuff inside a TrueCrypt volume. Dropbox works pretty well for that, as long as you don’t leave the volume open on one PC and then log into it from the next. Even then you just have a second copy you have to reconcile with the first.

  • Rob Sobers

    @Levi – I believe Marco uses Backblaze, but don’t quote me. He’s mentioned it on the podcast before.

  • Travis Reddell

    I follow Marco’s advice, to a certain extent. I feel comfortable keeping data in Dropbox that is slightly more sensitive, but I encrypt it myself before putting it in my Dropbox folder.

    Unfortunately, an encrypted file is still in danger of brute force attacks if it is leaked, so beware.

  • Rob Sobers

    People who use TrueCrypt are smart — that’s a terrific idea. Unfortunately, most of the people that use Dropbox don’t understand the need for extra encryption on sensitive stuff. They assume Dropbox is safe for everything.

    For most people, it’s best just to consider the stuff in Dropbox and other cloud storage platforms essentially public.

  • Rob Sobers

    Another solution is to use a file sync service that stores the data on your own servers. This is a great option for businesses specifically since they a) already have the infrastructure and b) most of their files are meant to be private.

    Varonis launched one called DatAnywhere –