However, Ferdowsi acknowledged that the claim could be misinterpreted, especially in the context of Dropbox's statement that it encrypts all files. As a result, Ferdowsi said the company would change the text to read "Dropbox employees are prohibited from accessing user files."
As of Thursday, the features page has been updated to remove the statement about employees not being able to access files, but the updated version of the text has yet to appear. The help center document remains unchanged for the moment, though Dropbox's blog post says that it will be updated with more details as well.
Keys to the kingdom
Still, the fact that Dropbox can access files to provide to law enforcement means that the keys to those encrypted files are held not by the user, but by Dropbox itself. Ferdowsi confirmed that in a statement to Macworld:
The keys are known to Dropbox alone--Dropbox servers must be able to decrypt files in order to allow users to view their own files on our website. As with almost every other online service, there are a limited number of employees who must be able to access user data when legally required to do so, and to help troubleshoot users' accounts with their consent.
Since you don't possess the decryption keys, the security of your files depends on just how much you trust Dropbox; it's a bit like your landlord having a key to your apartment. Dropbox claims, though, that it's only received about one government request per month over the last year--that's 12 requests for more than 25 million users--and that its legal team vets all requests before taking any action.
So, is there reason for concern? It depends on your level of comfort. As always, convenience and security exist in a balance--the more you get of one, the less you get of the other. Certainly, nothing has materially changed between yesterday and today: It's just as hard (or easy) to access Dropbox files now as it was then.
Overall, though, the concerns are less about the security of Dropbox than they are about the misleading claims--intentional or not--that the company made, versus the reality of the situation. In the case of a service on which many users store personal and private information, that lack of transparency may not exactly be reassuring.
Those who do store sensitive information on their Dropbox--and would rather that only they be able to access it--should consider encrypting the files before putting them into Dropbox (for example, by using Mac OS X's Disk Utility feature to create an encrypted disk image). That has its own drawbacks, though, since you lose access to features like Dropbox's versioning control and can't then view those files via the service's mobile applications.