Morton Police
By Jeff John Roberts
December 1, 2015

In October, a 19-year-old man armed with knives entered an Illinois public library filled with children, avowing he would “kill some people.” A brave veteran foiled the assailant, Dustin Brown, whose actions followed his recent arrest over possession of child pornography.

That arrest may never have occurred but for Dropbox, the popular cloud storage service where many people store photos, files, and videos. As Ars Technica explains, it may have been Dropbox who tipped off Illinois law enforcement about Brown’s online activities, which allegedly included the possession and distribution of sexual videos of pre-teen girls.

The case is obviously a victory for law enforcement and for public safety, as Brown appears to be a sick and dangerous individual. But it also raises hard questions about just how Dropbox and other cloud storage services treat the private data stored by their customers.

As Ars notes, the data customers send and store through Dropbox data is encrypted, meaning no one can decipher what’s stored there. No one, that is, except the company itself: “this only makes content sent to Dropbox secure from outsiders—not from Dropbox itself. The company possesses the crypto keys.”

The upshot, Ars suggests, is that Dropbox may be using PhotoDNA, an image processing tool developed by Microsoft (or another tool like it), in order to detect child pornography stored on its service. Other news reports likewise point to Dropbox tipping off federal or state authorities; the tips can give police an IP address, which can in turn yield a physical location where the illegal activity originated.

It is also possible Dropbox, in these cases, may be responding to a federal reporting law that obliges internet services to report discoveries of child pornography to the National Center for Missing and Exploited Children. The company, however, declined to provide official details of its policies beyond a stock statement it has issued in the past:

Child exploitation is a horrific crime. Whenever law enforcement agencies, child safety organizations or private individuals alert us of suspected child exploitation imagery, we act quickly to report it to the National Center for Missing & Exploited Children (NCMEC). NCMEC reviews and refers our reports to the appropriate authorities. We’re deeply supportive of their important work in the fight against the exploitation of children.

Dropbox is hardly the only cloud service to work with police in this way. In 2014, Google tipped off Texas police about a Denny’s cook and registered sex offender who was distributing child porn images via his Gmail account. At the time, a Google (GOOG) spokesperson observed, “Sadly, all internet companies have to deal with child sexual abuse.”

Indeed, as child pornography has become easier to distribute via the internet, few would fault Dropbox or Google or any other cloud storage service for trying to stop it. The hard part, however, is how far these efforts should go.

If it is appropriate for Dropbox and Google to scan consumer files for child pornography, should they do the same for illegal weapons? Narcotics? ISIS propaganda? And so on. Many people might be okay if the cloud companies strictly scour for underage porn, but would object if the range of targets becomes open-ended.

One option might be for cloud storage companies to offer Apple-style encryption. This involves a system, now used on every iPhone, in which Apple (AAPL) has made it nearly impossible for anyone other the iPhone’s owner (including Apple) to see what is on the owner’s account.

A further option could involve Dropbox and others explicitly informing customers that the company might search their data. Indeed, Google and others already scan email keywords for advertising purposes (and tell consumers they do so), so it would make sense to do so in other contexts. There is also an issue of transparency: the “Law & Order” section of Dropbox’s privacy policy contains a clause allowing the company to share data to comply with the law but does not provide further details.

This story was updated to include Dropbox’s comment, and to refer to a national reporting law for child pornography and to a section of Dropbox’s privacy policy.

For more on tensions over encryption, see this Fortune video about AT&T and the NSA:

Sign up for Data Sheet, Fortune’s daily newsletter about the business of technology.

SPONSORED FINANCIAL CONTENT

You May Like

EDIT POST