Is Dropbox safe for client project work?

March 15, 2021 • Peter Sanchez • Business Consulting

Dropbox is an awesome tool to sync files between devices and people you share files and folders with. We use Dropbox every day, but we try to keep it limited to personal use or one-to-one shares internally. However, we don't believe that Dropbox is a good solution for file sharing related to client work, and especially not for sharing directly with clients.

This article is not designed to trash Dropbox, but it will walk through some edge cases that explain why we think it is the wrong choice for client work.

Sync far and wide #

The main benefit of Dropbox is that it can sync a folder and all its contents to everyone who has been given access. In common business account cases, this means everyone within the company. Of course, it can be more fine-grained as well.

Say your company has a Dropbox business account, and each client project has its own folder. In this folder, you place all project specific files organized in sub-folders. Now you share the main project folder with project managers, developers, designers, and business analysts. PMs put their schedules and budgets in this folder, designers put their Photoshop designs there, developers put their spec documentation, etc.

This is great, and it is the entire purpose of tools like Dropbox. However, there are downsides. Let's consider this:

  • Do project managers need access to Photoshop PSD (design) files, or would they be fine with seeing an image of the design?
  • A front end developer may have use for Photoshop PSD files, but would a back end developer?
  • Why would a business analyst need access to an internal infrastructure design document describing wire protocols that are totally invisible to the end user?
  • Why would company management have a need for most of these documents?

There are countless examples. The point is that everyone with access will sync all files, whether they have use for them or not.

Now, of course, each person can customize their personal Dropbox sync settings to mark which subfolders to sync and which not to. This is a tedious task and needs to be done every time a new folder is added. This adjustment also needs to be done by every team member with sync access. There is no global setting within Dropbox that says: PMs sync these folders, devs sync those other ones, etc.

While these items are small individually, when you look at them together, in total, and compounded by every single team member, it can start to add up.

  • Bandwidth lost downloading new files added to a sync'd folder. Remember, it auto syncs without asking for permission, so the files are downloaded automatically. Files can be huge in size (for example, PSD files are routinely several hundred megabytes and larger.)
  • Employee time spent dealing with customizing project folders each time new items get added that a specific employee does not need.
  • Even just annoying notifications (enabled by default) when a new file is added to a sync'd folder can interrupt someone in a deep state of work.

Since everyone with sync access can also add files to the sync'd folders, you end up with a time suck carousel that routinely pulls entire teams, or companies, into the fray.

There is rarely a need for every team member to have access to every project file. Usually, it is just a very small subset of the overall files that are needed. This is counter to the Dropbox design by default.

Loose permissions #

Following up from the point above, there is also the issue of permissions within a project folder. You can share your Dropbox folder, or sub-folders, with team members or outside users, which allows them to then sync that folder into their own Dropbox account. So it is common to share a project folder with all team members involved.

But what do you do when you don't want to share some information with everyone? Say, for instance, budget data or contractor hourly rates, etc. In these cases, you need to create different folders, each with its own access permissions. This means you will end up with either multiple folders to sync for some team members or duplicate files that need to be managed across multiple folders.

Either way is inconvenient for all involved.

File deletion by all #

When a user is given access to a sync'd folder, they are allowed to do more than just view/sync said folder. They are also able to add files to it or delete files from it. A lot of people don't realize this, but when you delete a file from a sync'd folder, that file is then deleted for everyone else who is syncing it.

This is a common issue, and some people have resorted to special workflows just to address it. Now, it's important to note that Dropbox does keep revision history for files so a deleted file can be restored. However, depending on your Dropbox account settings, it will more than likely require the account owner (senior management?) to get involved to restore it.

As I'm sure you can imagine, that isn't a fun request to make.

Hogging resources #

Dropbox is an application that runs in the background on your computer. It talks to the Dropbox servers and sends files back and forth, etc. In theory, this should be a fairly lightweight program, and initially, it was. However, there is a trend in computing (not limited to Dropbox) that since resources have become cheaper, there's no reason to limit the resources our software is using.

It seems Dropbox is not immune to this. As Ben Sandofsky pointed out over a year ago:

But it's not just Ben who has noticed the performance slowdown and resource hogging of the Dropbox software. John Gruber of Daring Fireball held nothing back when he wrote about the Dropbox software of late:

Now it’s a monstrosity that embeds its own incredibly resource-heavy web browser engine. In a sense, Steve Jobs was right — the old Dropbox was a feature, not a product. But it was a feature well-worth paying for, and which made millions of people very happy.

And he continued...

There’s simply no clarity to this new Dropbox. I don’t even understand much of what Dropbox is saying it can do. I think they’re trying to be Slack or something? I already have Slack. All I want is a folder that syncs with sharing.

Spreading malware #

The main way personal computers are hacked into or infected with malware is by opening attachments from people you trust. This is usually via email. A trusted contact's computer is compromised with malware that then automatically sends an email to all their contacts with the malware attached. The contacts, who trust the sender, open the attachment, infecting themselves and then spreading it to all their contacts. On and on it goes.

Naturally, people will inherently trust the files that are within their Dropbox folders. When they see the notification of a new file added (again, enabled by default) they will naturally be curious and investigate by trying to open the file, unwittingly infecting themselves with malware.

This scenario has been asked about by concerned users previously. Even Dropbox themselves confirm this possibility in their help section with a document titled How Dropbox handles viruses and malicious software.

Dropbox syncs any files added to it. If someone adds files with a virus or malicious software, that file syncs to any computers linked to the account. If the virus or malicious software is in a shared folder, shared folder members and computers may also be affected.

They also point out to use caution when opening files and suggest running anti-virus software. This advice is commonly given but, as evidenced by the constant flood of malware, is not usually adhered to.

Note: There is a note at the top of the Dropbox article stating that the document is out of date, with a link to another article for reference. I find this "out of date" warning to be dishonest for a couple of reasons:

  1. The details in the document are not out of date and still, as of this writing, completely accurate.
  2. The linked document is mostly referring to email or website phishing and trying to deflect away from the actual syncing of malware within Dropbox folders themselves.
  3. Even the new article has a section titled "Devices" that references the same points but buries them beneath browser settings and operating system updates (both are important).

It seems to me like Dropbox is trying to hide the fact that it can be used to facilitate the mass spreading of malware at an extremely fast rate.
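Since a shared folder delivers whatever a compromised member's machine drops into it, the practical defence is to treat new arrivals as untrusted until checked. The following is an added example written for this article (not Dropbox's or AnyHow's code) that triages a newly synced file from its name and first few bytes, flagging executable types, macro-enabled documents, double extensions and content that does not match the claimed type. The file names, byte strings and the small signature table are constructed for the illustration; the heuristics complement anti-virus scanning rather than replace it.

```python
"""Triage newly synced files before anyone opens them.

Example code for this article, not Dropbox or AnyHow code. It reads only
a file's name and leading bytes; it never opens or executes the file.
"""
from dataclasses import dataclass, field

# Extensions that execute code when double-clicked on a typical desktop.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "jse",
                   "vbs", "ps1", "msi", "hta", "lnk"}
# Office formats that may carry macros.
MACRO_EXTS = {"docm", "xlsm", "pptm"}
# Leading bytes for a few document types expected in a project folder
# (constructed, minimal table for the example).
MAGIC = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "psd": b"8BPS",
    "zip": b"PK\x03\x04",
    "docx": b"PK\x03\x04",  # OOXML documents are zip containers
}
PE_MAGIC = b"MZ"  # Windows executable header


@dataclass
class Finding:
    name: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def triage(name: str, header: bytes) -> Finding:
    """Return the reasons a new file deserves quarantine instead of a click."""
    finding = Finding(name)
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""

    if ext in EXECUTABLE_EXTS:
        finding.reasons.append(f"executable type .{ext}")
    if ext in MACRO_EXTS:
        finding.reasons.append(f"macro-enabled document .{ext}")
    # 'invoice.pdf.exe' style: a document extension placed before the real one.
    if len(parts) > 2 and parts[-2] in MAGIC:
        finding.reasons.append(f"double extension .{parts[-2]}.{ext}")
    # A PE header behind a harmless-looking extension.
    if header.startswith(PE_MAGIC) and ext not in EXECUTABLE_EXTS:
        finding.reasons.append("Windows executable header but non-executable extension")
    # Claimed document type whose content does not start as that type should.
    expected = MAGIC.get(ext)
    if expected and not header.startswith(expected):
        finding.reasons.append(f"content does not match .{ext} signature")
    return finding


def triage_batch(files):
    """Names of files in (name, header_bytes) pairs that should be quarantined."""
    return [name for name, header in files if triage(name, header).suspicious]


if __name__ == "__main__":
    # Constructed sample arrivals in a shared project folder.
    arrivals = [
        ("homepage-v3.psd", b"8BPS\x00\x01"),
        ("spec.docx", b"PK\x03\x04"),
        ("invoice.pdf.exe", b"MZ\x90\x00"),
        ("quote.pdf", b"MZ\x90\x00"),
        ("update.scr", b"MZ\x90\x00"),
    ]
    for name, header in arrivals:
        result = triage(name, header)
        print(name, "QUARANTINE" if result.suspicious else "ok", result.reasons)
```

A sync client hook or a scheduled job over the shared folder can call `triage_batch` on whatever arrived since the last run and move flagged files aside, so the "new file" notification leads to a review rather than an open.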

Spreading malware to clients #

It's one thing to spread malware to your team, but there can be other consequences that may not have been considered.

  • Spreading to clients. Many companies share project specific files and folders with their clients. You run the risk of spreading malware to your client and their computers/team.

This could be a potential violation of contracts and even be grounds for legal recourse (lawsuits anyone?). While most businesses will have liability insurance for these cases, who wants the headache?

Internal costs #

Assuming malware is spread to just a percentage of your team via Dropbox, there are additional costs that can be attributed to this.

  • IT costs of repairing infected computers.
  • Lost productivity.
  • Loss of value/trust in the eyes of your client(s).

Sharing outside of Dropbox #

In Dropbox, you can share files within your Dropbox folder with users outside of the Dropbox service via a share link. This allows someone to simply download the file(s) via their web browser, without linking the files to the external user's Dropbox folder for sync.

This is very convenient from a high level but comes with a drawback, and it's fairly serious.

There is no way to manage your share links. If you give someone a link to download a file, that link will work "forever." You have to move or delete the file for the link to no longer work.

Imagine sharing a set of files that contain sensitive details about a client project with an outside contractor. A year later, that contractor's email gets hacked, and the link is exposed to an outside party. Now that party can download the sensitive files, and you will never know that they have.

Of course, that's an extreme example but not an uncommon one. Every day it seems there are new leaks and email hacks being reported. Still, there are plenty of common cases where a share link can be given to an unauthorized person.

This very well could lead to a breach of contract or liability situation for your business. As you can see, guarding this private data is very important for all parties involved.

Alternatives #

Every business has its own unique requirements. You should consider the best way to securely share files within your team. However, we can share how we manage files within our team and with our clients.

Not surprisingly at all, we've used the AnyHow Files feature since mid 2019 when we first started rolling the feature out to production. So while we may be biased, it's important to point out why we added the feature to begin with.

We've been bitten by some of the Dropbox issues described above. See, we built AnyHow specifically to manage our consultancy, Netlandish. We knew first hand the pain points discussed, so we set out to build a solution that works for us. We also knew that we're not the only agency experiencing these issues.

So what are some advantages of using AnyHow Files over Dropbox and similar applications? You can read more about the benefits of the Files feature on its feature page, but here I'll give you a brief listing.

Unlimited storage #

There is no limit to how much you can store in AnyHow. You will never run into an issue where you can't add a new file because you've reached a quota. In fact, we won't even notice your usage until it's approaching the 500GB mark.

Permissions #

Each file, individually or as part of a group, can have unique permissions and access levels. Like all permissions in AnyHow, this can be set to organization wide, specific team members, specific teams (in total), team members belonging to specific projects, and even team members belonging to all projects of specific clients (i.e., blanket client assignment).

This means that one file can be shared correctly with all necessary team members without oversharing other data. Each team member gets exactly what they need and nothing more, without extra work to make it happen, just as it should be.

Ownership #

Though the permissions system is very robust, it still leaves files with their correct ownership, meaning only the owners of the files or organization managers can delete files in the system. No more accidental deletions by third parties.

Clients #

In AnyHow you can give your clients access to your organization so they can participate in discussions, view project data in real time, and of course, participate in file sharing.

There is a special flag in a file's properties that you can set to allow the client (a.k.a. guest) account access. This lets your clients participate in the project process. For instance, they can directly upload files into AnyHow for your team. No more need for them to send the files to a project manager first, who then uploads them.

Sharing outside of AnyHow #

Like Dropbox and similar services, AnyHow lets you share your organization's files with users outside of AnyHow as well. With a few clicks, you can share a single file or multiple files with a simple share link.

You can also easily manage your share links from a special view we provide, where all links are listed. So if you want to remove access to these files, you can quickly do so. It's also useful for pruning or maintaining shared files, since, after a certain period, the sharing is usually no longer required.
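The difference between a link that "works forever" (the Dropbox behaviour described under "Sharing outside of Dropbox" above) and one that can be listed and removed (the AnyHow behaviour just described) comes down to what the service records about each link. The following is an added example written for this article, not AnyHow's implementation: a small registry that issues unguessable tokens, stores only a hash of each token, binds every link to its creator and an expiry, and resolves a link only while it is neither expired nor revoked. The class and method names, the in-memory store and the sample values are assumptions made for the illustration.

```python
"""Share links that can be listed, expired and revoked.

Example code for this article, not AnyHow's code. Times are unix seconds
passed in explicitly so the logic is easy to test.
"""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class ShareLink:
    token_hash: str      # sha256 of the token; the token itself is never stored
    file_id: str
    created_by: str
    expires_at: int      # unix seconds
    revoked: bool = False


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class ShareLinkRegistry:
    """In-memory registry; a real service would back this with a database."""

    def __init__(self):
        self._links = {}  # token_hash -> ShareLink

    def create(self, file_id: str, created_by: str, now: int, ttl_seconds: int) -> str:
        """Issue a link token; it is shown once and placed in the share URL."""
        token = secrets.token_urlsafe(32)  # 256 bits, not guessable or enumerable
        self._links[_hash(token)] = ShareLink(_hash(token), file_id, created_by,
                                              now + ttl_seconds)
        return token

    def resolve(self, token: str, now: int):
        """Map a presented token to a file id, or (None, reason) if it is not live."""
        link = self._links.get(_hash(token))
        if link is None:
            return None, "unknown"
        if link.revoked:
            return None, "revoked"
        if now >= link.expires_at:
            return None, "expired"
        return link.file_id, "ok"

    def revoke(self, token_hash: str, actor: str, is_manager: bool = False) -> bool:
        """Only the link's creator or an organization manager may revoke it."""
        link = self._links.get(token_hash)
        if link is None or (link.created_by != actor and not is_manager):
            return False
        link.revoked = True
        return True

    def active_links(self, now: int):
        """What the management view lists: live links, identified by hash only."""
        return [link for link in self._links.values()
                if not link.revoked and now < link.expires_at]


if __name__ == "__main__":
    registry = ShareLinkRegistry()
    token = registry.create("file-42", "alice", now=1_000, ttl_seconds=30 * 86_400)
    print(registry.resolve(token, now=2_000))          # ('file-42', 'ok')
    for link in registry.active_links(now=2_000):      # the "manage links" view
        registry.revoke(link.token_hash, actor="alice")
    print(registry.resolve(token, now=2_000))          # (None, 'revoked')
```

Storing only the hash means a leaked copy of the registry does not hand out working links, while the management view still has a stable identifier per link to revoke. The expiry gives the "contractor's mailbox compromised a year later" case a natural end without anyone remembering to act.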

Downside of AnyHow Files #

While we think the trade-offs are worth it, we definitely acknowledge that there are some disadvantages to not using Dropbox.

  • Lack of system sync. The main advantage of sync is that you can organize your files in your folders offline, and they will automatically sync up when your computer is online.
  • To follow the previous point, the entire process of uploading files to AnyHow is currently more manual. While you can do multiple at a time, you still have to select files for upload. This can be tedious.
  • You will need to provide some process updates to your team members, contractors, and clients who are already used to sharing files with your organization. Generally, a simple write up is enough, but as we all know, change can be hard.

There is no perfect solution, and we've done our best to make AnyHow Files useful and secure for freelancers, agencies, and consultancies to share files within their organization, with clients, or with outside parties.

That said, we still have more work to do...

Roadmap #

These are some of the items on the roadmap for Files. We don't have a set schedule for when they'll be completed, but we usually get these things out pretty fast.

  • Ability to discuss files directly on file view
  • Ability to upload versions of files
  • Ability to mark the new version as "accepted" to become the default file

Is there anything you'd like to suggest for files? How about feedback for this write up? Please just let us know via our support form or send us an email at [][].

