[colechristensen]

And completely unreasonable not to suspect that the NSA can freely acquire those keys.

[JoshTriplett]

Only if they already have illicit access to the systems in question. In which case, considering Dropbox doesn't actually encrypt data at rest, it'd be much easier to get the data at the endpoints than in transit.

[skuhn]

Data is indeed encrypted on the storage systems (but not on client machines, if that's what you meant).

[JoshTriplett]

If it were only the end-user client systems, that'd be less of a concern, but the servers that run web frontends and similar also have full access.

[lwf]

https://www.dropbox.com/en/help/27

[JoshTriplett]

Not even remotely comforting. Talks all about how employees "are prohibited" from accessing your data, but that's unrelated to whether they're capable of doing so.

I much prefer the privacy policies of more secure services, which tend to say things like "we do not have the ability to access your data under any circumstances".

[colechristensen]

My point is that there are a few assumptions you should make

* A significant number of encryption technologies are broken or achievably breakable by the NSA

* The NSA has already or could easily acquire encryption keys from any large tech company with a court order in one of the secret courts

* The NSA has vast means for illicit access into systems and networks