Using Dropbox and other cloud storage services

What is cloud storage?

Cloud storage is effectively disk space made available by third parties over the internet. They provide large amounts of space for low cost, and often provide a basic service for free.

What cloud storage services can I use?

We are going to focus here on Dropbox, which is one of the 20 most-used applications on LSE’s network, and therefore by far our most popular cloud storage service.

There are many other providers, all with different end user licence agreements, service standards and security levels, some of which are very risky for LSE use – by asserting intellectual property rights over any data put in them, for instance – and some of which are more benign.

If you want to use another provider, please talk to us. We’ll check that the Terms and Conditions don’t break such critical issues as control over our intellectual copyright.

What LSE data can I put into Dropbox?

We would recommend that Dropbox is fine to use where the leaking, accidental exposure or deletion of the data wouldn’t cause any reputational or financial damage to the School.

Research using anonymised, previously published data, would be one example of data that can be put in Dropbox.

If you’re in doubt about whether or not your data is suitable, please contact the Records and Information Manager| or the Information Security Manager.|

You can find LSE’s data classification scheme, which will help you make such decisions, here| [PDF].

What LSE data shouldn’t I put into Dropbox?

We would advise against putting anything into Dropbox that would contain very sensitive information, such as School financial data or datasets that contained the name, address, ethnicity and passport numbers of individuals. This includes information the School classifies as ‘Secret’.

Data classed as ‘Secret’ or ‘Confidential’ should be carefully assessed by the owner for the risk of reputational and financial damage if it leaked before putting it in Dropbox.

If you’re working with research data, there may be rules from your project funder about data handling. These will take precedence over any other consideration.

What are the risks to my LSE data?

Some of the risks you have to consider when putting your data into any cloud storage are:

  1. The data will most likely sit outside the European Economic Area, so will not be covered by EU data protection laws, and if it resides in the US will become subject to the US law and may be accessed or removed without your knowledge or consent.
  2. You put data into it at your own risk, with no safeguards about the continuing existence of the data and no guarantee that the access rights you set will be maintained.
  3. The data may be altered or corrupted without your knowledge, and you won’t have any way of getting uncorrupted copies back
  4. There is no guarantee of data availability (i.e. if the files are accidentally deleted there’s no backup. There is also no guarantee of the service continuing to exist)
  5. There is no guarantee of data confidentiality. The data may be held in the manner you expect, but may not.
  6. Dropbox has suffered a recent major security breach that resulted in end users being spammed in 2012:
  7. Most cloud storage providers give no way of auditing who has accessed or downloaded your data
  8. Dropbox administrators can access ANY content on the dropbox site, and if their access is compromised, it means all Dropbox data is automatically at risk of compromise

What are the Terms and Conditions I’m signing up to?

They key clauses in the Dropbox terms and conditions (|) to take note of are reproduced below.

  • We may stop, suspend, or modify the Services at any time without prior notice to you. We may also remove any content from our Services at our discretion
  • You give us the permissions we need to do those things solely to provide the Services. This permission also extends to trusted third parties we work with to provide the Services, for example Amazon, which provides our storage space (again, only to provide the Services).
  • We are not responsible for the accuracy, completeness, appropriateness, or legality of files, user posts, or any other information you may be able to access using the Services.
  • You are responsible for any activity using your account, whether or not you authorized that activity.
  • You acknowledge that if you wish to protect your transmission of data or files to Dropbox, it is your responsibility to use a secure encrypted connection to communicate with the Services.    
  • We reserve the right to delete or disable content alleged to be infringing and to terminate repeat infringers.
  • The Services may contain links to third-party websites or resources. Dropbox does not endorse and is not responsible or liable for their availability, accuracy, the related content, products, or services.