A closer look at how Dropbox sniffs out pirated files

A closer look at how Dropbox sniffs out pirated files

Over the weekend, it emerged that Dropbox has the ability to stop you from publicly or privately sharing copyrighted content – in other words, Dropbox has a system in place that prevents piracy.

At first, this sounds rather sensible – otherwise Dropbox just becomes the next RapidShare or Mega – but when you think about it some more, your assent slowly turns to outrage as you realise that Dropbox must be scanning all of your files, and working with copyright holders, to put a stop to your dirty pirating ways. Plus, if Dropbox can stop you from sharing copyrighted content, what’s to stop the company from selling out and telling the feds?

Before we get into that, though, let me quickly run through how Dropbox prevents you from sharing copyrighted stuff.


As you may know, in computer science terms, a hash is a long string of letters and digits that results from running something (usually a file) through a cryptographic hash function. Basically, this function takes the contents of a file, applies some crazy maths to it, and then a long hash string comes out of it (something like 31d55cf1d40f3cc7e82356b764669b84).

If the hash function is perfect (if it doesn’t have any collisions), every file that goes through it will generate a unique hash. The hash is like a fingerprint for that file. Two identical files, however, would have the same hash. (You can probably see where this is going…).

When you upload a file to Dropbox, before it’s encrypted, it is fed through a hash function, and the hash is put to one side (the above diagram shows a cryptographic hash function – notice how a single different input letter results in a completely different hash). Dropbox might use the hash for other purposes, but in this case we’ll just talk about its use in piracy prevention.

Then, when Dropbox receives a DMCA request from a copyright holder – say, Disney or Universal Music – Dropbox adds the hash of that copyrighted file to a list. Any time you try to share a file on Dropbox, its hash is checked against the list of known-to-be-copyrighted hashes – and if there’s a match, Dropbox blocks you like so:

This is one of the most graceful methods of preventing piracy that I’ve ever seen – but it’s still not without its risks and limitations.

“We don’t look at the files in your private folders”

Dropbox stresses that this entire process is automated, and that it never actually looks at your files – it just automatically generates hashes for your files, which are automatically matched against a list of copyrighted hashes. Furthermore, Dropbox says your files are only checked against that list when you try to share a file – if you just upload a bunch of movies and albums to your Dropbox for your own personal consumption, they won’t get blocked.

What does it really mean to look at your private files and folders, though? Does it mean that Dropbox looks at the file names and hashes, but not the contents? What about if 100 users all have a file with the same hash (an uploaded song) – does Dropbox do the sensible thing and only store one of those files on its servers, or does it store 100 separate versions, wasting storage space? Does Dropbox draw the line at copyrighted hashes, or does it also maintain a list of child pornography hashes, or hashes for known resources on how to make a bomb?

What if the US government asked Dropbox for a list of every user with a certain file? Dropbox would fight it, I’m sure, but as we know, when it comes to the US government and its intelligence agencies, what actually constitutes “overreach” is very nebulous indeed. It’s also worth pointing out that while Dropbox does encrypt your data, it remains the sole custodian of your encryption key and retains the right to decrypt your data if required.

In short, there’s nothing stopping Dropbox from outing you as a scumbag copyright infringer – except, of course, the fact that it would very quickly lose the confidence of its users, which would then probably torpedo its entire business model.

How to use Dropbox without being spied on

There are two easy options if you want to use Dropbox without having your files blocked: Encrypt your files before uploading them (with a tool like Boxcryptor) – or more simply, just zip them up (7-Zip is all you need, baby). There’s a possibility that Dropbox looks inside zip files – but in that case, just put a password on the archive.

Ultimately, the most important takeaway from all this is that using a centralised, US-based service like Dropbox for sharing copyrighted files is stupid. If anything, you should remember that Dropbox is probably one of the more reputable cloud storage/file hosting services – other sites might look at your files, or more readily sell you out to the feds.

If you really want to share some files privately, you are far better off using something like BitTorrent Sync, or some other service that avoids centralised servers owned by a US company.

Image Credit: Darrell Whitelaw

Leave a comment on this article