Dropbox

    Dropbox has been getting a lot of flak recently for misleading users about how their files are protected. Their attempt to address these issues on their blog is ridiculous: their marketing department spun nuance into very serious security claims, and that leaves a permanent stain on their brand, one of being untrustworthy and incompetent. They tried to walk a line of ambiguity and it has come back to ruin what was once a shining example of a consumer brand done right.

    Here's a link that highlights that incompetence, and here's an excerpt from a recent post on the Dropbox blog illustrating how full of shit they are:

    For example, one help article formerly stated that “files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password.” We were explaining that there are multiple safeguards on your data: that the files are stored encrypted and in addition, protected by your access credentials. However, a security professional could incorrectly infer that the encryption key comes from the user’s password, so we’ve separated the two points for clarity.

    Another statement read “Dropbox employees aren’t able to access user files.” That means that we prevent such access via access controls on our backend as well as strict policy prohibitions. That statement didn’t say anything about who holds encryption keys or what mechanisms prevent access to the data. We updated our help article and security overview to be explicit about this.

    In summary, anything you put in Dropbox should be considered as exposed as what you post on Facebook or Twitter. Your data in Dropbox is "encrypted", but the keys that decrypt all of it are stored and accessible in Dropbox's own infrastructure, not with you. That makes the encryption meaningless against the threats that matter: it stops someone who walks off with a raw disk from reading your files, but it does nothing against Dropbox itself, against a legal request served on Dropbox (which they have acknowledged they will comply with by decrypting and handing over files), or against any attacker who gains access to the Dropbox servers or codebase and can therefore reach both the key and the data. The only version of "Dropbox employees can't read your files" that means anything is one where the key is derived from something you hold and never send them, which is exactly what their original wording implied and what they have now admitted is not the case. If you need that property, encrypt files yourself before they land in the Dropbox folder, with a key Dropbox never sees.

    Category: Security, Tools