by Swapnil Bhartiya

Why I won’t use Dropbox’s Project Infinite if it’s not open source

News Analysis
May 27, 2016
Cloud StorageOpen SourceSecurity

If Dropbox wants to get into the kernel, they should open source their client side software so the community can audit their codern

Dropbox recently unveiled Project Infinite that will go beyond the user-space level and go as deep as the kernel level to give users access to their content — even on devices with small hard disks.

What Dropbox is planning to do is work as a file system so everything that’s stored on your Dropbox will be accessible on your device without taking up any space. So even if you have only 50GB of storage on your PC and you have purchased over 4TB of Dropbox storage you don’t need a 4TB hard drive to keep your Dropbox data synced.

It has drawn mixed response. In fact, a lot of users are freaking out over the security implications.

I am no security expert, but I think that Project Infinite is a great idea for those devices that don’t have that much storage capacity.

Frank Karlitschek, founder of the ownCloud open source project agrees. “Project Infinite looks like an interesting idea to give users a unified view on their files even if they don’t fit on the local hard-disk,” Karlitschek told me. “This is an interesting approach that we experimented with at the ownCloud project. It is of course crucial to implement this in a secure way.”

Exactly. It has to be done in a secure way and that’s where people panic because, as Karlitschek puts it, “This approach requires to run a kernel module or at least software very low in the stack depending on the operating system. Such a library, driver or filesystem has way more privileges than a normal user application which could run in a sandbox.”

It’s true that by going that deep in the operating system Dropbox gets more more privileges, and that’s where serious issues arise. It’s not about a kernel module; it’s more about how it’s implemented. How much do you trust Dropbox?

That’s where open source comes in. “I think it would be a very important move for Dropbox to open source their clients if they want users to trust them,” Karlitschek said.

How much do I trust Dropbox already?

I am not averse to Dropbox. In fact, I am a paid Dropbox user. I travel a lot for work and I conduct a lot of video and audio interviews when I cover technology events. I upload those files to Dropbox because I don’t want to risk losing that important data if something should happen to my laptop or hard drive during travel.

I also save all of my stories on Dropbox. None of this is sensitive or critical data. As I am working on this story in a text editor and hitting the save button, Dropbox syncs the file with the server immediately.

But that’s all that I use Dropbox for.

There are many more files that I never…never…never put on the public cloud. If I want portability, I encrypt the data and carry it on a portable hard drive or flash drive. If I do want to put such data on the cloud, I use open source cloud technologies like Seafile or ownCloud that I can install on my own server to have complete control from client to server.

Why not Dropbox? Because the open source community can’t see the Dropbox source code, there is no way to know what Dropbox does to my stuff. Experts should be able to audit Dropbox source code to ensure there are no security vulnerabilities, that there are no back doors.

Beyond that, I am not comfortable with making any company a co-owner of my files. I don’t want to be at the mercy of a company that can revoke access to my data for whatever reason. I am not comfortable with the idea that my data could be subject to scanning and privacy-invading laws that otherwise don’t apply to my local data.

At the same time, the economics are working against Dropbox. Storage is now dirt cheap. I can get a 4TB hard drive for the price of a 1TB annual Dropbox subscription. And this will be my data, under my control.

As far as I am concerned, I won’t be giving Dropbox complete access to my filesystem if I can’t trust their source code. Neither should you.