Reference

Glossary

The recurring technical, security, and legal terms behind Dropbox's issues — explained in plain language so any reader can follow the archive.

Security & encryption

Zero-knowledge encryption: An architecture where only the user holds the keys to decrypt their data, so the provider literally cannot read the files even if compelled or breached. Dropbox's core sync is NOT zero-knowledge — Dropbox holds server-side keys — which is the root of most of the trust criticisms in this archive.
Server-side encryption: Files are encrypted at rest on the provider's servers, but the provider holds the keys. It protects against someone stealing the raw disks, but not against the provider itself accessing files, handing them to law enforcement, or an attacker who reaches the provider's systems. This is Dropbox's model for core sync.
End-to-end encryption (E2EE): Data is encrypted on the sender's device and only decrypted on the recipient's, with no readable copy in between. Dropbox added E2EE for some Teams/Business folders in 2024–2025 but it is not the default for ordinary accounts.
Mark of the Web (MOTW): A Windows tag attached to files that came from the internet; it triggers SmartScreen warnings and Office Protected View. A 'MOTW bypass' (e.g. CVE-2024-5924 in the Dropbox client) strips that tag, making a downloaded, untrusted file look local and safe.
Command-and-control (C2): The channel malware uses to receive instructions and exfiltrate stolen data. Because Dropbox traffic is trusted and rarely blocked, threat groups have abused the Dropbox API as a C2 channel — abuse of the platform rather than a breach of it.
Credential stuffing: Attackers replay username/password pairs leaked from other breaches against a service, exploiting password reuse. Several Dropbox account-compromise waves were credential stuffing rather than a fresh breach of Dropbox itself.
Data breach vs. data disclosure: A breach is unauthorized access by an attacker; a disclosure is the provider lawfully handing data to a government under legal process. Both put user data outside the user's control — which is why this archive tracks each separately.
OAuth token: A credential that lets a third-party app access your Dropbox without your password. Over-broad token scopes and token theft (as in the 2024 Dropbox Sign breach) are recurring risks.
SOC 2 / ISO 27001: Third-party security-compliance certifications Dropbox holds. They attest to having controls and processes; they are not a guarantee against breaches, and Dropbox has had significant incidents while certified.

Privacy & surveillance

Hash matching / PhotoDNA: Comparing a file's cryptographic fingerprint against a database of known files (e.g. PhotoDNA for CSAM, or copyright hashes for DMCA). It lets Dropbox detect specific known files without a human reading them — but it only works because Dropbox can compute hashes of your files server-side.
Deduplication: Storing one copy of an identical file shared by many users to save space. A side effect is that the provider can tell whether a given file already exists in its system, which has privacy implications.
CLOUD Act: A 2018 US law that lets US authorities compel US-based providers to produce data they control, even when stored abroad. It is central to why files held by a US company like Dropbox are reachable by US legal process regardless of where servers sit.
PRISM: An NSA surveillance program disclosed by Edward Snowden in 2013. Leaked slides listed Dropbox as a company that was 'coming soon' to the program, fueling long-running questions about government access.
Transparency report: A provider's periodic public tally of government data demands and how often it complied. Dropbox has published one since 2012; its own numbers show a steady, multi-year rise in law-enforcement requests.
Subprocessor: A third-party company a provider shares your data with to deliver its service (e.g. cloud hosting, analytics, or AI partners like OpenAI). Expanding subprocessor lists is why privacy-policy changes draw scrutiny.

Legal & consumer

Class action: A lawsuit brought by named plaintiffs on behalf of a larger group of similarly-affected people. Data-breach class actions (e.g. Guiffre v. Dropbox over the 2024 Sign breach) must clear standing and class-certification hurdles before any trial or settlement.
Inter partes review (IPR) / PTAB: A US Patent Trial and Appeal Board (PTAB) proceeding that lets a defendant challenge a patent's validity outside court. Dropbox has used IPRs heavily to defend patent suits (e.g. against Motion Offense).
Automatic Renewal Law (ARL): State laws (notably California's ARL and New York's GBL §527-a, both strengthened in 2025) requiring clear consent, advance renewal reminders, and easy online cancellation for auto-renewing subscriptions — the legal backdrop to scrutiny of Dropbox's renewal and refund practices.
Dark pattern: A user-interface design that nudges people into choices against their interest — e.g. defaulting auto-renew on, burying cancellation, or making a refund hard to obtain. A recurring theme in Dropbox billing complaints.
GDPR / right to erasure: The EU's General Data Protection Regulation, which grants rights including data access, portability, and erasure ('right to be forgotten'), and gives EU/UK users statutory refund and cancellation protections that US users often lack.

Product & sync

Selective Sync / Smart Sync: Features that keep some folders only in the cloud (not on the local disk) to save space. Bugs in these features have caused documented data-loss incidents, including permanently deleted files.
Conflicted copy: When Dropbox can't reconcile two versions of a file edited at once, it makes a duplicate named 'conflicted copy' instead of merging — a long-standing source of confusion and accidental data loss.