It's always hard to be absolutely certain about what goes on at a company, but I'm pretty confident about Dropbox not participating in PRISM (defined as a government system that automatically collects considerable data from within a company's private systems).
I haven't been at Dropbox for a year now, but for most of the time I was there I was one of only two SREs that ran the production infrastructure. I knew every piece of server hardware in every datacenter, and what services ran on them. It was my job to qualify and deploy hardware, do the systems level automation, and run the user facing frontends. There is literally no way that something like PRISM could be put in place without my knowledge except by what would amount to sabotage.
Keep in mind that while Dropbox is large for a startup, it only recently surpassed 1,000 employees (150 when I joined). The vast majority of those people are in customer service, and the number of people with access to production is likely still well under 100. For the first five years of the company's life there was one datacenter manager and network engineer (the same person), one SRE up until I was hired, and so on. In operations, we did more with less.
However, this shouldn't make you feel like your data in Dropbox is guaranteed to be safe from prying government eyes. Dropbox can and does comply with government requests -- every company operating in the US does so, or they would not be operating anymore.
I agree with your distaste towards Condoleezza Rice joining the board. It doesn't look good, but I also doubt that she has any day-to-day authority or responsibilities whatsoever.
I'm still not confident. Don't actually answer these questions (NDA and all), but how much traffic do you guys get? Could you possibly inspect it all? Have you inspected the hardware itself? Can you trust the switching equipment? It's reasonable to think that collection happens at the pipes between data centers (like some of the Google collections - which didn't involve any of the hardware present although that collection program wasn't a cooperative one).
Some of the lengths they go for these programs are really impressive. It was revealed that AT&T had secret rooms built that blend into the building infrastructure but MITM every packet that gets sent through (what looks like) normal infrastructure lines.
At some point it feels like you're being asked to prove a negative. That's the thing about discussing secret operations. And it is why the documents are so important.
I wonder now that the Snowden leaks are getting dated about a year old (and it being a few since you've left Dropbox) how much has changed.
Finally, the other companies on Snowden's list are certifiably on the list of already onboarded products, so it's hard to trust them.
> I also doubt that she has any day-to-day authority or responsibilities whatsoever
For example she assigned a new CFO for Dropbox. I doubt she has day-to-day authority (she's a busy woman), but being on the board and selecting upper management is a lot of power.
You're right, there's no way to be completely certain. It's like the adage: "Two can keep a secret, if one of them is dead." When someone else has access to your data, there always exists the possibility that it can be used in some way you don't like.
What I wanted to convey is that user data was not used (at that time) in an untoward fashion by Dropbox. Everyone that I worked with took privacy and security very seriously, and we knew that user trust is tough to earn and easy to lose. Handing data to the government automatically, without a warrant or confirmation of authority, would not have been something that anyone was interested in doing. But the government does have ways of making you do things that you don't want to do (see: Yahoo).
The biggest problem that I have with all of the Snowden revelation stuff is this: people seem quick to blame the companies who are complicit rather than the government who is the root of the problem. The government's efforts against security and privacy are the biggest threat the technology industry has ever faced, and if left unaddressed I believe it will inevitably lead to the US losing its leadership position.
One last point, regarding Dropbox's CFO. Sujay had been at Dropbox for over three years (since 2010) and was involved in the CFO search for a long time. That they picked him for the role says a few things, but I don't see it as Condoleezza stacking the deck.
Not too sure about the quote based on its other implications - and I don't think it's exactly the appropriate analogy here...
As an aside the NSA keeps secrets between tens of thousands of employees (although I hear it's Orwellian and depressing to work there). You can keep secrets between small and even large groups of people. You just have to have the right processes and leverages.
'Punishing' companies that collaborate with the government has a few parallel goals:
1.) Wanting to use something that has not yet been purposefully subverted.
2.) Give the companies a real argument for resisting programs.
3.) Speak out against the practices (since it isn't on a ballot anywhere).
Yes, ultimately it isn't the companies' faults (however the complicit few with blinders on for profit motive should be shunned for not putting up a fight).