Boxcryptor divests strategic assets to Dropbox: the implications for customers

In recent weeks, the American company Dropbox and the German company Boxcryptor reached an agreement for Dropbox’s acquisition of technologies from the latter. Boxcryptor expressly mentions the purchase of intellectual property, including ‘key technological assets.’

The dynamics of the Boxcryptor acquisition

The acquisition of Boxcryptor was announced back in November by the Californian company, which had emphasised that the agreement focused on acquiring certain key assets in order to strengthen Dropbox’s security:

‘Today, we’re excited to share that we’ve signed an agreement to acquire several key assets from Boxcryptor, a provider of end-to-end “zero-knowledge” encryption for cloud storage services. The combination of Boxcryptor’s leading encryption capabilities and Dropbox’s easy-to-use product, with our already robust security features, will help us better meet our customers’ evolving needs.’

So it does not seem to be an outright corporate takeover. But there will be repercussions for its customers, as the company tried to clarify. Before briefly presenting them, it therefore seems appropriate to profile the two players.

Dropbox – file hosting services

Dropbox is a file hosting service operated by San Francisco-based Dropbox, which offers cloud storage, automatic file synchronisation, personal cloud and client software. Dropbox uses a freemium business model, where a free account is offered with a base capacity of 2 GB, extendable in various ways up to 18 total GB. Paid rate plans allow to increase space up to 1 TB and earn additional space by inviting new people to use the service. These can also be used via web, uploading and viewing files via browser or via local driver that automatically synchronises a local folder of the file system with the shared one, notifying the user of its activities. Dropbox is based on the Secure Sockets Layer (SSL) cryptographic protocol: the files stored and accessible via password are encrypted using AES with a 256-bit key. The program to use the service can be downloaded free of charge and is available for Windows, macOS, Linux, iOS, BlackBerry OS, Android, Windows RT and Windows Phone. In summary, Dropbox allows complete synchronisation, offering a centralised location for securely storing documents, managing access to data and collaborating on projects. Dropbox itself states that around 600,000 companies alone (i.e., without considering personal users, who number several million) use this service.

Boxcryptor – encryption for cloud services

Founded in 2011, Boxcryptor is a German company that currently boasts compatibility with various cloud services, including OneDrive, SharePoint, Google Drive and of course Dropbox. One of the advantages offered by Boxcryptor is end-to-end encryption, meaning the ability to encrypt files directly on the device, with the data therefore being encrypted and protected before it is moved to the cloud storage/server of the user’s choice. Boxcryptor makes it possible to protect NAS, file servers and even local data; in other words, the German company’s services guarantee the confidentiality of information, while the cloud provides availability and a backup option. Boxcryptor allows companies to define customised policies, manage users and protect accounts with two-factor authentication. In other words, the company stood out for its security features that can be exploited with Dropbox and other cloud services to encrypt files, add security, and offer advanced and secure collaboration capabilities with teams. Its data centres are located in Germany.

Dropbox’s acquisition of Boxcryptor: changes for Boxcryptor customers

Let’s take a look at some possible effects of Dropbox’s acquisition of Boxcryptor, with particular reference to the German company’s customers. There is no doubt that the combination of the two companies’ technologies could be a trump card for Dropbox, offering very high security standards to both individual users and companies.

But what should Boxcryptor users know? The company has made it clear that it will continue to support its users and customers according to the terms of their contracts. This means that Boxcryptor will be available to all existing users on all platforms and with all previously supported cloud providers. It will provide critical security updates, if necessary. However, it is no longer possible to create new accounts or purchase new licences. In addition, all free licences were cancelled within 31 January 2023.

Existing customers

Customers with a one of its paid subscriptions – Boxcryptor Personal, Business, Company and Enterprise – will also receive, if they have not already, an e-mail with a termination notice at the end of the respective contract period, indicating the last day of use. Boxcryptor Company and Enterprise customers whose licence expired before 28 February 2023 automatically received a termination notice with a free extension until that date. This was to ensure enough time for migration. The licence can be cancelled directly via the webapp. At the end of the cancellation period, the corresponding accounts will be blocked and the connected devices will be disconnected.

The suggestion for users is to decrypt their data as soon as possible and export their access keys by the end of the deletion period.

Those who are currently using Boxcryptor for Teams with a Company or Enterprise licence can continue to do so with their existing licence, as the functionality of the software will not change. Boxcryptor customers can also continue to use the software on another device. The German company also communicated that the customer can continue to use the service with the usual high level of security until the end of the contractual period.

Privacy concerns for European customers: which rules apply?

There is instead an important aspect that Dropbox has not yet addressed. As is well known, there is a conflict in data protection between the GDPR in force in Europe and the US CLOUD ACT, which creates grey areas on the protection of the data of European individuals and companies managed by US service providers that have to comply with the latter. Are there differences in rules that should be clarified by Dropbox following its acquisition of Boxcryptor, unless the sale of technological assets and not of the entire company was intentional in order to circumvent them?

Boolebox CEO Marco Iannucci commented, “For our part, we feel we can confirm that our only priority is, and will always remain, the security of the data that our customers decide to protect with our solutions, wherever they are.’

For any Boxcryptor users who decide to migrate, we recommend that they always make security a priority when choosing an alternative solution to Boxcryptor.