The 2011 FTC complaint: a researcher accuses Dropbox of misleading users about encryption
May 2011
Security researcher Christopher Soghoian filed a complaint with the U.S. Federal Trade Commission alleging that Dropbox made deceptive claims about its encryption, because Dropbox employees could in fact access users' files.
What happened
On 11 May 2011, security researcher Christopher Soghoian — a former technologist in the FTC's own Division of Privacy and Identity Protection — submitted a complaint to the Federal Trade Commission asking it to investigate Dropbox. The complaint alleged that Dropbox had engaged in deceptive trade practices by telling users their files were encrypted and inaccessible to Dropbox employees, when in reality Dropbox held the encryption keys and its staff could access unencrypted user data.
The complaint pointed to Dropbox marketing language stating that files were inaccessible without the user's password and that employees were not able to view stored files. Shortly before the complaint, Dropbox had quietly revised its security and terms-of-service language to clarify that it could decrypt files when legally compelled — a change critics said amounted to an admission that the earlier representations were misleading. The complaint asked the FTC to compel Dropbox to correct its statements and to compensate affected users.
The FTC complaint was a request for the agency to act rather than a court case, and there is no public record that the FTC brought a formal enforcement action against Dropbox over these claims. The episode nonetheless became a foundational moment in the long-running scrutiny of Dropbox's security representations.
Impact
The complaint reframed a technical critique as a potential consumer-protection violation and put Dropbox's marketing language under regulatory and public scrutiny. It foreshadowed the authentication bug of June 2011, weeks later, which appeared to validate the core concern that Dropbox could access user files and that it represented a single point of failure. The matter durably shaped the narrative that Dropbox's server-side encryption model was a trust liability, and it fueled demand for 'zero-knowledge' alternatives.