"The researchers noted that they and Dropbox employees could view no personally identifiable information." Of course not. Honi soit qui mal y pense. May I recommend to use Swisscom's "myCloud", a Dropbox clone set up by the national carrier? No API available, uploaded / synchronized data not encrypted... "Data is not encrypted on storage (at rest). All data is subject to Swiss data protection." (Not a joke.) https://preview.tinyurl.com/y89uou86 "myCloud" is closely related to the PHR "evita.ch" provided - again - by Swisscom. Currently, a document, prepared by the Federal Administration ("Eidg. Dept. des Innern"), spanning 1,519 pages, lists pending security issues pertaining to Swisscom's cloud systems. https://preview.tinyurl.com/ycjdso2h Obviously, those two articles about Dropbox make unsettling reading. Then again: With cloud services, be they encrypted (Dropbox) or not encrypted (Swisscom "myCloud"), there always is a considerable risk, especially of course regarding the unencrypted ones... In terms of functionality and convenience, Dropbox is the standard. I use a third party software to upload and download my files. Prior to uploading files to Dropbox, I encrypt them on my computer. Note: I write: "Uploading" and NOT "synchronizing". That gives me peace of mind and I strongly believe that is how cloud storage services should be handled. Your post is a good wake-up call, I might add.
To me, "folder structure" implies folder names. Although of course, names could have been replaced with random strings. I'm not sure what "shared folder access" might mean. If usernames were in fact anonymized, this might mean that user "m1S1c2_P4UBc" shared folder "BUtajAiVasu0" with users "i38S3Qk3jyH6" and "t8owSIqHIYMo". So that wouldn't be such a big deal. Unless, of course, folder names weren't actually anonymized. You can imagine, right? This does imply that usernames weren't actually anonymized Maybe "rendering any identifying user information unreadable" didn't work as planned?
