Recent revelations about how Dropbox handles its customers' data have prompted a cybersecurity researcher to file a complaint about the company with the Federal Trade Commission.

Christopher Soghoian, a cybersecurity fellow at Indiana University, wants the FTC to investigate Dropbox and force the company to notify its customers that data stored on the service is not as protected as Dropbox might suggest.

Last month, in response to questions surrounding an updated privacy policy, Dropbox said that its employees are banned from accessing user data, but that a "small number" of workers have access for legal purposes. The company also said that even though files stored on the Dropbox servers are encrypted using the AES-256 standard, Dropbox can decrypt certain data because encryption at all times would make certain features too cumbersome. Users have the option to encrypt their files before placing them on Dropbox, however, making them inaccessible to Dropbox.

That admission, however, surprised some users. In his complaint, Soghoian points to security expert Jon Callas, who tweeted on April 19 that he was deleting his Dropbox account because "they lied and don't actually encrypt your files."

"If a prominent cryptographer and security expert was misled by Dropbox's statements regarding its use of encryption, it seems entirely unreasonable to expect that the average non-technical user would have been able to read between the lines and determine that the company was not in fact using encryption with a key only known to the user," Soghoian wrote.

Soghoian accused Dropbox of misleading its customers and unnecessarily exposing them to risk. "If Dropbox encrypted its users' data with a key only known to each user, it would not be possible for rogue employees to snoop on users' data, or for hackers who had broken into the company's servers to get access to users' unencrypted data," according to the complaint.
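The distinction the complaint draws is between encryption at rest with a key the provider holds and encryption performed on the client with a key only the user knows. The following Go program is an added illustration, not Dropbox's code and not anything from the complaint: it encrypts a constructed sample file with AES-256-GCM under both models and shows that whoever holds only the stored object (a rogue employee or an intruder on the servers, in the complaint's terms) can read it in the first model but not the second. The passphrase, salt and file contents are constructed, and the single-hash key derivation is a simplification noted in the code.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// StoredObject is all the storage provider ever holds for a client-encrypted
// file: a nonce and AES-256-GCM ciphertext. No key travels with it.
type StoredObject struct {
	Nonce      []byte
	Ciphertext []byte
}

// DeriveUserKey turns a passphrase the user never shares into a 256-bit key.
// Illustration only (assumption): a real client would use a slow KDF such as
// scrypt or Argon2 rather than a single SHA-256 pass.
func DeriveUserKey(passphrase string, salt []byte) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(passphrase))
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile runs on the client before upload, so the provider only ever
// receives ciphertext. A fresh random nonce is drawn for every file.
func EncryptFile(key, plaintext []byte) (StoredObject, error) {
	aead, err := newGCM(key)
	if err != nil {
		return StoredObject{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredObject{}, err
	}
	return StoredObject{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, nil)}, nil
}

// DecryptFile succeeds only with the key used for encryption; GCM's
// authentication tag makes any other key fail instead of yielding garbage.
func DecryptFile(key []byte, obj StoredObject) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, obj.Nonce, obj.Ciphertext, nil)
}

// ProviderCanRead models what someone with access to the servers can do: they
// have the stored object plus whatever key the provider itself holds (nil when
// the only key lives on the user's machine).
func ProviderCanRead(obj StoredObject, providerHeldKey []byte) bool {
	if providerHeldKey == nil {
		return false
	}
	_, err := DecryptFile(providerHeldKey, obj)
	return err == nil
}

func main() {
	file := []byte("constructed sample: contents of tax-return-2010.pdf")

	// Model 1: server-side encryption, the provider holds the key.
	providerKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, providerKey); err != nil {
		panic(err)
	}
	obj1, _ := EncryptFile(providerKey, file)
	fmt.Println("provider-held key, provider can read:", ProviderCanRead(obj1, providerKey))

	// Model 2: client-side encryption with a key derived from the user's passphrase.
	userKey := DeriveUserKey("correct horse battery staple", []byte("constructed-salt"))
	obj2, _ := EncryptFile(userKey, file)
	fmt.Println("user-held key, provider can read:", ProviderCanRead(obj2, nil))
	pt, err := DecryptFile(userKey, obj2)
	fmt.Println("user can read:", err == nil && bytes.Equal(pt, file))
}
```

The point of the second model is that the AES-256 label on the stored bytes is the same in both cases; what changes the risk from a rogue employee or a server compromise is where the key lives, which is exactly what the complaint says the marketing language did not make clear.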

Dropbox is also giving itself an unfair competitive advantage, Soghoian continued. Other services that do provide encryption are more expensive than Dropbox, but the average person might select Dropbox because it promises encryption for a cheaper price.

"Dropbox uses the same terminology to market the security of its products, but has lower operating costs, due to its inferior security," the complaint said.

Soghoian has asked the FTC to open an investigation and force Dropbox to stop telling customers that it encrypts its data, as well as inform all 25 million Dropbox customers about its practices. Soghoian also requested a refund for "Pro" customers who might feel misled.

In a Monday update to its April 21 blog post, Dropbox said "we openly discuss how Dropbox security works. Part of our challenge is that we have to communicate with people both familiar and unfamiliar with the intricacies of encryption and online security."

When it said that files are encrypted, "We were explaining that there are multiple safeguards on your data: that the files are stored encrypted and in addition, protected by your access credentials," Dropbox said. "However, a security professional could incorrectly infer that the encryption key comes from the user's password, so we've separated the two points for clarity."

In saying that employees cannot access user files, Dropbox meant "we prevent such access via access controls on our backend as well as strict policy prohibitions," it said.

"We understand that many of you have been confused by this situation and some folks even felt like we misled them, or were careless about their privacy," Dropbox concluded. "We apologize for this confusion. All of us here at Dropbox care deeply about the security and privacy of your data, and the last thing we want to do is let you down."