Explanation: Policy on Dropbox and University Information
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Explanation: Guidelines on Dropbox and University Information
Explanation: Policy on Dropbox and University Information
1 Dropbox
Dropbox1 is a free (for basic service) and easy to use service for synchronising a
Dropbox folder between one or more computers and cloud (internet) storage. A
Dropbox folder can also be accessed via a web browser or by using certain
applications on mobile devices such as the iPad. Access to subfolders may be
shared between users. There are many potential uses in the University, including, for
example, collaborative document sharing, distribution of meeting papers, and
allowing staff to move seamlessly between (say) a home computer and an office
computer.
Dropbox copies files to and from Amazon storage facilities in the United States.2 This
gives rise to concerns about security, privacy, and copyright. It is important that use
of Dropbox in the course of University work complies with the University IT Security
Policy,3 University Privacy Policy4 and related legislation, and with the Copyright Act
1968 (Cth).
Upon review of the Dropbox service, its Terms and Conditions and its assurances
about security, ITS is of the view that subject to due care being taken, there is no
reason not to use Dropbox in the course of University work. Careful use complies
with the security and privacy policies, poses no more copyright risk than use of email,
and has near-zero cost or lock-in. Section 1.7 of the guidelines on Dropbox and
University Information5 provides guidelines for careful use.
It must also be said that careless use of Dropbox poses significant risk to security
(particularly confidentiality) of information and therefore poses risk of privacy
infringement too. Taking Dropbox's website statements about security at face value,
Dropbox security can be very good, but it is limited by
• the security of users' email accounts;
• the strength of Dropbox passwords chosen by users; and
• user behaviour.
2 The Dropbox service
A basic Dropbox account with 2GB storage is free of charge. A person can use any
valid email address as their Dropbox user identifier; authentication relies on a user-
set password.
The files in a Dropbox folder can be used on any of the synchronised computers and
they can be accessed via any modern web browser. Changes made on any one
computer which is synchronised to a Dropbox account are automatically propagated
to the online storage and then to any other computers which are synchronised to the
same account.
The online files can also be accessed from mobile devices like the iPhone and iPad,
and there is a facility for sharing subfolders within the main Dropbox folder. This
makes Dropbox a most attractive platform for collaboration and sharing amongst
colleagues. One use scenario is provision of meeting papers by a committee
secretary to committee members, in PDF form for use before and during the meeting
on committee members' iPads. Computers and mobile devices have to be online for
updates but devices need not be online to use downloaded material.
V2 15 April 2011 1Explanation: Guidelines on Dropbox and University Information
3 Dropbox software
Dropbox client software is available as a free download for Windows, Linux and Mac
OS X. Seamless cross-platform operation is an attractive feature. There are also free
Dropbox client applications for iPhone, iPad and Android devices. Dropbox files are
not automatically synced to mobile devices - DropBox provides synchronisation
amongst computers and the cloud, and user-initiated file access from mobile devices.
For other web-enabled mobile devices (e.g. Blackberry), there is a mobile-friendly
interface at .
4 Related software
Although people may find the free Dropbox iPhone and iPad application sufficient,
there are other iOS applications which can be used to access Dropbox. These are
not free of cost, but people may choose to use them because they use them anyway
for access to other material, or because of their superior capabilities - for example,
the capability to open encrypted PDF files, and the capability to transfer files between
the mobile device and a personal computer via USB cable.
Two such iPad applications are GoodReader ($5.99) and Air Sharing HD ($12.99). In
both cases, there are iPhone versions too.
5 Dropbox sharing
Dropbox can be useful without sharing. For a person working alone, it provides
backup and facilitates working across more than one computer or other device.
Folder sharing6 opens further possibilities, and is key to scenarios involving
collaboration, committee support and executive support. It requires that each person
have a Dropbox account (free of charge). The key features of the sharing model are
described by Dropbox in How do I share folders with other people at
and more generally in Sharing Questions at
. The key points:
• The owner of a folder can invite others to share (join) the folder. One cannot
join a folder without an invitation.
• Those who join the folder can do nearly anything that the owner can do.
Anyone who joins a folder can add, delete or change files within that folder, can
invite others to share (join) the folder, can see who else has joined the folder,
and can see the event log for the folder. This is a sharing environment for
people amongst whom trust is high.
• Only the owner of a shared folder can unshare it or remove other people from
the sharing.
• Invitations are sent by email and contain a unique URL which allows anyone to
join the folder, using any Dropbox user identifier for which they know the
password. Invitations can be used only once.
6 Explanation of guidelines
6.1 Guideline 1
Dropbox should not be used with confidential or sensitive information unless
there is no alternative method, of comparable immediate availability and ease
of use and with better security, to achieve the required functionality.
ITS believes that Dropbox, used with care, is secure. But it is no more secure than
the least-well secured email account involved:
V2 15 April 2011 2Explanation: Guidelines on Dropbox and University Information
• A sharing invitation (a URL in an email), if intercepted, can be accepted by the
interceptor.
* The 'I've forgotten my password' process sends an email to the address which
is the Dropbox user ID; if intercepted, the URL in this email can be used by
anyone to reset the password.
For this reason, Dropbox should not be used with confidential or sensitive information
unless it is the best available option.
6.2 Guideline 2
Any Dropbox file sharing is limited to small groups of highly trusted colleagues,
using shared folders not public folders.
Under Dropbox's terms and conditions,7 if you place a file in a public folder, you grant
the public a non-exclusive, non-commercial, worldwide, royalty-free, sublicensable,
perpetual and irrevocable right and license to use and exploit the file. For this reason,
guideline 2 allows use of shared folders but not public folders.
Dropbox's model for sharing (other than public sharing) requires that all of the people
sharing a folder have Dropbox accounts. Dropbox takes care of authentication; users
(and particularly folder owners) take care of authorisation.8 This provides great
flexibility for small-group collaboration within and beyond the University but it does
not scale well and there is no option to automate authorisation. Dropbox is not an
'enterprise service'. The contractual relationship is direct between the user and
Dropbox, and only the user can manage the account and the associated sharing
arrangements. For these reasons, guideline 2 limits Dropbox file sharing to small
groups.
For reasons noted in section 6.1 above, Dropbox can be no more secure than the
least-well secured email account involved. For this reason, guideline 2 limits sharing
to highly trusted colleagues.
6.3 Guideline 3
If it is feasible to do so, any confidential or sensitive information stored on
Dropbox should be in encrypted form (for example, documents as encrypted
PDFs). In this regard, the iOS application 'Goodreader' is suggested as an
alternative to the Dropbox iOS application.
University IT Security Policy requires, at para 8.4:
If sensitive or confidential information must be communicated online, the
information and credentials used must be encrypted by a sufficiently strong
encryption method.
Guideline 3 is intended to comply with that provision. If, in a particular case, there is
no feasible encryption method of sufficient strength (considering the degree of
confidentiality or sensitivity involved), then Dropbox should not be used.
6.4 Guideline 4
Files should be left online for no longer than is necessary.
Why leave a file in the cloud once the need to do so no longer exists? Whatever the
risks involved in putting a file in Dropbox for (say) two weeks, there is greater risk if
files are left in Dropbox indefinitely.
V2 15 April 2011 3Explanation: Guidelines on Dropbox and University Information
6.5 Guideline 5
Owners of shared folders should frequently review Dropbox events and shared
folder membership, and promptly update shared folder membership to reflect
changes in colleagues' roles.
University IT Security Policy requires, at para 9.1:
When employees cease employment or change positions within the University,
systems should effect any necessary changes to roles and access privileges in
the appropriate system and according to established business processes.
Dropbox is not an 'enterprise' service; administration of access to shared folders is
not automated or in any way linked to University HR and student systems. Access
administration is the responsibility of the folder owner, and guideline 5 gives effect to
the intent of the IT Security Policy, para 9.1.
6.6 Guideline 6
Participants should not put anything on Dropbox that they would not be
comfortable sending as an email attachment.
As noted in section 6.1, Dropbox is no more secure than the least-well secured email
account involved. And, clearly, if a file is shared in Dropbox then those who are party
to the sharing are able to make and communicate further copies, as is the case with
email attachments. If it would not be OK to email it, it is not OK to Dropbox it.
6.7 Guideline 7
Dropbox is not to be used as the sole storage for any University Record, or as
a recordkeeping system.
The University as an entity has statutory record-keeping obligations which are not
met by storage of records using personal facilities like thumbdrives or Dropbox.
Dropbox does not provide sufficient management of context and records structure to
support keeping reliable records. Particularly, if the owner of a Dropbox account
leaves the University, the University would not have access to material stored in that
account. For this reason, Dropbox should never be used to store a sole copy of a
University Record.
6.8 Guideline 8
All University users of Dropbox should exercise self-discipline to ensure that
passwords are reasonably strong and are changed at reasonable intervals.
University IT Security Policy requires, at para 12.2:
Passwords should be "good passwords": easy to remember but difficult to
guess or crack. They should be at least eight characters long; they should
contain letters and digits, and they should not be dictionary words.
Passwords should be changed from time to time, and immediately if the user
has any reason to suspect that the secrecy of a password has been
compromised.
ITS testing indicates that Dropbox does not have any rules about password strength,
expiry or re-use. The onus is on the user to exercise self-discipline.
6.9 Guideline 9
As with any use of personal computers, those who use and manage the
computers should be vigilant against security threats including phishing,
viruses, trojan horses and key-logging.
V2 15 April 2011 4Explanation: Guidelines on Dropbox and University Information
A lack of such vigilance may well lead to other people gaining access to a person's
Dropbox login credentials, with obvious consequences for the integrity, confidentiality
and availability of any files in the person's Dropbox or in any Dropbox shared folder
to which the person has access.
6.10 Guideline 10
Dropbox should not be used on mobile devices connected via unencrypted wifi
networks
Recent reports9 10 suggest that
• Dropbox client software stores, in-clear, a 'host_id' string which, if captured by
an intruder, may allow the intruder access to the related dropbox account.
• In communication between dropbox clients running on mobile devices (not
desktop/laptop computers), the host_id, and file names, are transmitted in the
clear (file contents are encrypted).
ITS testing with a Macintosh and an iPad has confirmed in-clear storage of the
host_id string on Macintosh, fully encrypted transmission between Macintosh and
dropbox, in-clear transmission of host_id and file names between iPad and dropbox,
and encrypted transmission of file content between iPad and dropbox.
Vigilance against spyware, trojans, phishing and the like, and care about the physical
security of personal computers and mobile devices, substantially mitigates the risk.
Nevertheless, ITS testing found that when a mobile device is used with Dropbox on
an unencrypted wifi network, it is possible for a third party to intercept the host_id,
and file names. This risk does not arise on encrypted wifi networks or 3G
connections, and nor does it arise when using a personal computer.
7 Other considerations
In deciding whether or not to use Dropbox, three issues to consider as well as the
guidelines: copyright compliance, cost, and lock-in.
7.1 Copyright compliance
Unless fair dealing or another copyright exception applies, it would be an
infringement of copyright to place any copyright material in Dropbox (whether shared
or not) without explicit pr implicit permission from the copyright owner(s).
Infringement can have serious consequences for the University as well as the
individual.
In the case of material in which the University owns the copyright, use of Dropbox
with University-owned copyright material by staff and students to the extent
necessary in the course of University duties and studies would not be an
infringement.
In the case of material in which the copyright is owned by a student or a member of
staff, it is no copyright infringement for the copyright owner to place the material in
Dropbox. Unless a copyright exception applies, nobody else should do so without the
owner's permission.
Similarly, material in which the copyright is owned by external parties should not be
stored or shared on Dropbox without the owner's permission, unless a copyright
exception applies.
V2 15 April 2011 5Explanation: Guidelines on Dropbox and University Information 7.2 Cost A basic Dropbox account is free of charge and provides 2GB storage quota. Your own files, as well as those in shared folders that you are a member of, count towards that quota. The 2GB quota will meet most of the needs likely to arise in synching and sharing documents (Microsoft Office and related PDFs). It would likely prove limiting for those who want to sync or share large numbers of 'heavy' files - high-quality images or videos, for example. Premium accounts are available at US$99 per year (50GB quota) and US$199 per year (100GB quota). Every Dropbox operation involves internet traffic. The cost depends on the kind of internet connection used by participants and on the volume of data. Heavy use will involve noticeable cost. Internet traffic cost should be considered in deciding whether to use Dropbox in a particular case, but is not necessarily a reason not to use Dropbox. 7.3 Lock-in In the simplest use scenarios (a single user using Dropbox to share files between several devices under that user's control (e.g. a work desktop, a home laptop, an iPad and an iPhone), there is little lock-in. If you close your Dropbox account, the synced files remain present in the Dropbox folders on your computers, and you can move on to adopt another synching solution if required. If folder sharing is used, there is a sunk cost in that all of the people participating in the sharing will have had to set up Dropbox accounts and install Dropbox and perhaps related software on their computers and other devices. Also, appropriate sharing invitations will have been issued and accepted. The sunk cost represents a barrier to exit, in that adoption of an alternative solution will require that that work be repeated. For small groups, this would not be a significant lock-in. 1 Dropbox, Online backup, file sync and sharing made easy, Dropbox, USA 2010, viewed 17 November 2010, . 2 Dropbox, Where are my files stored?, Dropbox, USA, 2010, viewed 30 July 2010, . 3 University of Melbourne, IT Security Policy, University of Melbourne, 2010, viewed 29 July 2010, . 4 University of Melbourne, Privacy Policy, University of Melbourne, 2010, viewed 29 July 2010, . 5 University of Melbourne, Dropbox and University Information, University of Melbourne, 2010, viewed 14 April 2011, . 6 Dropbox offers two kinds of sharing. Public sharing is ignored in this discussion, but is clearly inappropriate for any non-public material. Folder sharing is a way of sharing a folder with specific people only. 7 Dropbox. Dropbox Terms of Service, Dropbox, USA, 2010, viewed 17 November 2010, . 8 Dropbox, Sharing Questions, Dropbox, USA, 2010, viewed 5 August 2010, V2 15 April 2011 6
Explanation: Guidelines on Dropbox and University Information 9 See Derek Newton 2011, Dropbox authentication: insecure by design, Derek Newton, viewed 14 April 2011, . 10 See Christian Pohle 2010, Security Test of DropBox Clients, Pohle & Schultes IT Consulting AG, Dorfen, viewed 14 April 2011, . V2 15 April 2011 7
You can also read
