A blog post on WNC InfoSec yesterday queried whether online storage service Dropbox was opening documents shortly after they were uploaded to its service.

And the answer is yes.

Sort of.

With all the media attention on the topic of surveillance these days, reading such a posting could make Dropbox users feel very nervous indeed – I know I certainly wouldn’t want anyone unauthorised to read any of my documents, irrespective of their contents.

But the behaviour noted here is not as sinister as some casual consumers of news may have thought…

The article on WNC InfoSec explains how, as part of an experiment, a web app known as HoneyDocs – which can be used to log when and where a document was opened – sent a ‘buzz’ ten minutes after a new doc was uploaded to Dropbox.

HoneyDocs generates this callback via a unique embedded GET request that is sent as and when the associated document is opened. The user will receive an email or SMS notification at the time of opening and will also receive a map that details the location of the device that was used.

The first buzz received by WNC InfoSec came from an IP address which appeared to belong to an Amazon EC2 instance in Seattle. (Dropbox, incidentally, uses Amazon Web Services.) HoneyDocs also identified the User Agent as LibreOffice, which many of you may know is an open source competitor of MS Office.

“It appears that only .doc files are being opened…,” wrote vintsurf who wondered, “are the files being accessed for de-duplication purposes or possibly malware scanning?  If so, then why are the other file types not being opened?”

Further testing saw more files uploaded from different ISPs and computers, yet the result was the same – all of the .doc embedded HoneyDocs appeared to have been accessed by differing Amazon EC2 instance IPs.

Now this does, on the face of it, sound like suspicious behaviour but the answer is actually quite simple – Dropbox needs to open documents in order to generate ‘previews’ of the same; and that really is all there is to this.
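For anyone running their own honeydocs, the three signals reported above (a cloud-hosted source IP, a LibreOffice User Agent, and a callback minutes after upload) can be used to separate preview-renderer hits from ones that deserve a closer look. The sketch below is an added example, not code from the original post or from HoneyDocs; the log format, token names, IP ranges and 30-minute window are all constructed assumptions.

```python
import ipaddress
import re
from datetime import datetime

# Constructed placeholder range (RFC 5737 documentation space) standing in for
# a cloud provider's published address list; load the real list in practice.
CLOUD_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
# User-Agent substrings of headless document renderers; LibreOffice is the one
# the post reports, extend the tuple for your own environment.
RENDERER_AGENTS = ("libreoffice",)

# Constructed sample data: upload time per token, and the callback hits received.
UPLOADS = {"tok-a1": "2013-09-12T10:00:00", "tok-b2": "2013-09-12T10:05:00"}
HITS = """\
2013-09-12T10:10:02 tok-a1 203.0.113.45 "LibreOffice"
2013-09-12T10:15:40 tok-b2 203.0.113.77 "LibreOffice"
2013-09-14T22:31:09 tok-a1 198.51.100.23 "Mozilla/4.0 (compatible; ms-office)"
2013-09-14T22:40:00 tok-zz 198.51.100.23 "curl/7.30"
"""
LINE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')

def triage(hits=HITS, uploads=UPLOADS, window_minutes=30):
    """Label each callback hit: likely renderer, needs review, or unknown token."""
    results = []
    for raw in hits.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip malformed lines rather than guess at their meaning
        ts, token, ip, agent = m.groups()
        if token not in uploads:
            results.append((token, ip, "unknown-token"))
            continue
        delay = (datetime.fromisoformat(ts)
                 - datetime.fromisoformat(uploads[token])).total_seconds() / 60
        in_cloud = any(ipaddress.ip_address(ip) in net for net in CLOUD_RANGES)
        is_renderer = any(a in agent.lower() for a in RENDERER_AGENTS)
        soon = 0 <= delay <= window_minutes
        # All three signals must agree before a hit is written off as a preview job.
        label = "likely-preview-renderer" if (in_cloud and is_renderer and soon) else "review"
        results.append((token, ip, label))
    return results

if __name__ == "__main__":
    for row in triage():
        print(*row, sep="\t")
```

A User Agent and a source range are both easy to imitate, so the "likely-preview-renderer" label is a triage hint for reducing noise rather than proof of who opened the file.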

There is no suggestion that docs are being opened and read in any way by humans. Indeed the company say themselves that,

“Dropbox employees are prohibited from viewing the content of files you store in your account. Employees may access file metadata (e.g., file names and locations) when they have a legitimate reason, like providing technical support. Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances.”

So it seems there is no cause to be concerned in terms of privacy. That said, especially considering recent news stories about the NSA and others, I would still have reservations about placing sensitive documents on Dropbox or any other similar service. At the very least I would recommend <tongue in cheek> encrypting </remove tongue from previous location> any such files before uploading them.

About the Author: admin
