Zhang wrote a note and put up flyers about the theft, which was picked up by ABC News and which a friend of his posted to his Facebook page, and which was then posted to Reddit and many other websites beyond that. He offered $1000 to the thieves for the data, telling them exactly where on the disk they could find it, giving them the password, and telling them they could keep the computer already; he just wanted to graduate.

Now, in honor of the “Everything Wrong With … in X Minutes” CinemaSins YouTube movie spoofs (and they’re hysterical), here’s everything wrong with this story.

1. “Zhang’s laptop had been in an unlocked room in Wright-Rieman, which houses laboratories.” People can walk into Rutgers University lab rooms and walk out with laptops? Doesn’t campus security worry about thieves stealing other equipment, student records, dangerous chemicals, and so on?
2. “Rutgers is an open campus,” said [Rutgers Police Lt. Paul ] Fischer. “It’s not like a small liberal arts college where it’s gated in. So, even if the buildings are secured, people can piggyback in.” This is the reaction of the security guy, whose job it supposedly is to keep the campus secure? Oh well, people can walk in and take things?
3. Campus security doesn’t have security cameras, even in laboratories where people are working with chemicals and on laptops?
4. Does Rutgers really want their security guy on national television telling everyone how easy it is to steal things from the campus?
5. Just how many things get stolen from Rutgers, anyway?
6. If it’s so easy to steal things from Rutgers, wouldn’t it be a good idea for the campus police to tell this to the students, before students lose five years of research?
7. “Fischer said that he wouldn’t suggest offering monetary rewards in the future” because it can invite fraud. Okay. What should the student have done differently (other than your barn-door suggestion that he hang on to his laptop next time)? Can’t he get the student to withdraw the reward if it’s such a bad idea?
8. Is the Rutgers security guy working with this student to ensure he doesn’t agree to meet someone, get bopped on the head, and also be out $1000? Or to otherwise protect him from fraud?
9. Does the Rutgers security guy think that having the theft nationally publicized on ABC News is a smart move? And on Facebook? And on Reddit?
10. Shouldn’t the Rutgers security guy suggest to Facebook that maybe it would be a good idea to redact the student’s personal information from the posting, which has more than 33,000 shares?
11. Is the Rutgers security guy maybe checking Craigslist? And eBay?
12. Doesn’t the chemistry department have a server to which students can save their data? Hell, I went to Boise State and we had that.
13. If it’s this easy to steal things from campus, and there’s no provision for students to back up their data on campus, and nobody warns students their work is that vulnerable, and the student may have to start his research over, doesn’t he have the basis of a nice lawsuit?
14. Just what sort of chemical research is this student doing, anyway? Do we need to worry about a new kind of poison gas or IED springing up in New Jersey?
15. How competitive is the chemistry research program at Rutgers? Is it possible the thief is someone in his department who’s fighting with him for grants or something?
16. What are the chances that the student isn’t actually ready for his thesis defense and this is his way of procrastinating until the laptop is “found”?
17. This student’s been going to Rutgers for five years and he didn’t know the buildings are insecure?
18. “…from where his computer was taken sometime between 10 a.m. and 5:15 p.m.” This student leaves his laptop unattended in an unlocked room from 10 am to 5:15 pm and is surprised that it’s gone? Are we sure that Lost & Found didn’t pick it up?
19. We’ve got a student smart enough to be getting a PhD in chemistry but not smart enough to keep from leaving his laptop in an unlocked room?
20. Or to copy his data to a DVD?
21. To a thumb drive?
22. To a cloud storage service?
23. To an external hard disk?
24. To email it to himself?
25. To do a backup? “’A lot of people are asking me why I didn’t back up my data,” Jim told the Daily Dot. ”I think the reason is that I am pretty busy recently and this kind of thing never happened to me before.’”
26. “The posters contained very specific instructions and details regarding his dilemma, including his laptop’s password.” Well, that certainly makes it easier for the thieves to use the laptop.
27. Where is the student getting the $1000, anyway? And how did he come up with that figure?
28. The posts also included his phone number. If the thieves even wanted to call, would they be able to make it through the blizzard of harassing phone calls he must be getting by now?
29. He has also suffered several scamming attempts. “’There are a few people sending me messages saying they have my laptop and asking for money, but when I asked for proof, they cannot give anything to me,’ he said.” You think?
30. Really, should this student even be allowed to be messing with chemicals in the first place?
31. Does the student think that the thief is stupid enough to show up to a meeting to exchange the data and money?
32. Or to pick it up at a mailbox?
33. How exactly does the student think this is going to work? The thief will send him the data and trust him to send the money? He’ll send the money and trust the thief to send him the data? The thief will hand him the data and hang around while he checks it?
34. Even if he gets the data back, how is he going to know that the thief didn’t change some of the data just to mess with him?
35. How many backup companies are offering to pay all the student’s expenses in return for his doing an ad for them?

“Dropbox will be acquired by a major enterprise infrastructure player,” the company wrote. “In another sign that “consumerization” doesn’t mean mimicking consumer technologies in the enterprise but actually acquiring and/or integrating with widely adopted consumer offerings in the enterprise, IDC predicts that Dropbox will be acquired by a major enterprise infrastructure player in 2013. This will certainly be an expensive acquisition, but it will be one that brings an enormous number of consumers (many of whom are also employees), and a growing number of ecosystem partners, along with Dropbox’s technology.”

“Expensive” is putting it mildly; a $250 Series B funding round last fall gave the company a $4 billion valuation, which is expected to be even higher now (though GigaOm still thinks the market is small). Only a major enterprise infrastructure player would be able to afford it.

Part of what makes this prediction interesting is that a Dropbox IPO has been rumored — and highly anticipated — since last year. Dropbox founder and CEO Drew Houston had reportedly received a nine-figure acquisition offer from Apple early on, Forbes reported last year, but  turned it down because he wanted to run a big company — though he sounded at the end of the article as though he might be reconsidering that.

As he walked out of [Facebook founder Mark] Zuckerberg’s relatively modest Palo Alto colonial, clearly enroute to becoming the big company CEO he had told Steve Jobs he would be, Houston noticed the security guard parked outside, presumably all day, every day and pondered the corollaries of the path: “I’m not sure I want to live that life, you know?”

The downside with getting a big funding round is that eventually investors want to see some return on their investment — and typically that means either an IPO or an acquisition. Employees also typically want their big buyout, though Dropbox employee stock has reportedly been available on the secondary market.

The advantage of an acquisition by a major vendor is that it could give Dropbox the credibility and structure it would need to fit into the enterprise. It’s not that people aren’t using Dropbox. Quite the contrary — a recent survey by storage vendor Nasuni found that 20% of corporate users were using Dropbox.

This is despite the security and governance holes inherent with using a system such as Dropbox, the security holes in Dropbox in particular, and rules that corporations have attempted to put into place to keep people from using it. (Nasuni found that 49% of the people whose companies had rules against it were using it anyway.) As long as people have multiple devices — and they show no signs of stopping — and need access to their files, as well as the ability to send large files to other people, there’s going to be a need for the functionality, and all the rules in the world aren’t going to stop it, especially when, as Nasuni’s survey indicated, some of the worst offenders are executives.

“The most blatant offenders are near the top of the corporate heap — VPs and directors are most likely to use Dropbox despite the documented risks and despite corporate edicts,” writes GigaOm’s Barb Darrow. “C-level and other execs are the people who brought their personal iPads and iPhones into the office in the first place and demanded they be supported.”

So being purchased by a major player offers the opportunity to rein in some of these users, while still giving them the functionality they need. The company itself has also indicated that it plans to address the issue to make the product safer for corporate users — which would also make it more attractive to an acquirer.

The other likely aspect is that, as we’ve seen with e-discovery and other emerging markets, when the first big vendor goes, many of the smaller vendors quickly follow like dominoes. A Dropbox acquisition would likely presage a whole round of other ones; Wikipedia lists 17 “notable competitors,” including Box.Net and YouSendIt, and there are others. Acquisitions would also help simplify the complicated market.

Although major players such as Apple, Google, and Microsoft already offer their own cloud storage solutions, the vendors might want to acquire other ones for their technology, their people, or simply to get them off the market, while other vendors (dare I suggest HP, which doesn’t have a great track record on acquisitions these days?) would do so simply to get a toe in the market.

Either way, it seems likely that something will happen to this market next year.

At present, the function works only with Google Docs — that is to say, document files using Google Drive — but is expected to be available for spreadsheets and presentations at some point in the future, Google said in its instructions. It is also only available for the Chrome browser, and Google didn’t say whether it expected to make the feature available to other browsers.

Pundits are claiming this functionality will negatively affect other consumer cloud storage systems, such as Dropbox. “Google Kneecapped Dropbox,” proclaimed Business Insider.

The one other point that’s worth noting is that changes made to the online file while the user is offline take precedence over whatever changes the offline user makes.

“If an online collaborator deletes the text you edit while offline, their changes will override yours. If a collaborator deletes the document you’re editing offline, your changes will be lost when you come back online because the document will no longer exist. Try to use offline editing for documents that you own and that won’t be deleted without your knowledge.”

Well, yeah, but that sort of defeats the purpose of using Google Drive for collaboration in the first place, doesn’t it?

Another point — only enable Google Drive on your own computers.

“Enabling offline access on public or shared computers can put your data at risk, since others may be able to view your synced Google documents and spreadsheets.”

Which also sort of seems to defeat the purpose — wouldn’t a great use case for this feature be “I’m traveling without my computer or it broke, and so I’m using somebody else’s”? Might be nice to have a “Mr. Phelps” feature that automatically deleted itself after syncing a file, or on command.

Needless to say, features that require the Internet won’t be available online — sharing, publishing, reporting a problem, etc. Surprisingly, however, so is inserting an image or a picture.

Google made the announcement at its sold-out I/O conference in San Francisco.

So here we are today, and we have a batch of cloud storage and cloud synchronization services — Box, Dropbox, Drive, SkyDrive, and so on, not to mention my venerable Qwest Digital Vault, which magically changed its name to the CenturyLink Digital Vault when CenturyLink bought Qwest.

I have quite an assortment of space kicking around — 25 GB with Google Drive, 2 GB with Dropbox, 5 GB with Box, and I think 7 GB with SkyDrive; I already missed out on a 25-GB offer there, and if there’s an easy way to find out what my capacity is there, I’m not finding it. (I can consider myself lucky I don’t have iCloud. I don’t think.)

My Digital Vault is a whole other kettle of fish. I thought I had 25 GB there — but when I try to log in, it doesn’t recognize my password. Then again, unless my mother has come back from the dead and changed her maiden name, it doesn’t recognize that, either, so perhaps I’m actually using the wrong ID — but the site doesn’t offer me a way to be reminded what that is, and so far I’ve gone through two separate kinds of chat sessions and neither of them can tell me, either. In any event, its website says it only offers 2 GB free, so that’s probably what I have.

(Plus I have BackBlaze for my actual backups, but I’m not counting that.)

That all totals up to 41 GB, which sounds pretty impressive.

The problem is, it’s not really enough to do anything with. It’d be great to store all my pictures in the cloud, so I could always retrieve them and have plenty of copies to keep them safe, but the picture folder on my NAS (aka “The Big Brick,” 2 terabytes) is 57 GB all by itself. Yes, some of those are duplicates — remember the part about copies to keep them safe? — and some of those are videos, now that I have a camera that can take both still photos and videos.  Plus every few months or so I collect all my pictures from all the various sources and save those to the big brick, so they’re all together.

Yes, I should delete all the picture copies sometime — but I’m petrified about making a mistake, and who’s got time?

But for the sake of argument, let’s pretend that I’ve found something I can store in the cloud, something that fits. So then I have to try to keep track of which of my fistful of services I’ve stored it in. I also have to keep track of how to get into each one — something I’ve already demonstrated I have trouble with.

I can sign up for Spanning Stats for Google Drive, but that’s yet another site I have to remember to go check. Plus it turns out that it’s actually a sales tool to encourage you to sign up for its Google Drive backup service. Great. Google doesn’t back up its own cloud service?

That brings up my next level of fear — how do I make sure that what I put into the cloud is still there the next time I look for it? I certainly wouldn’t put my *only* copy of my pictures up there — what if there was a problem? What if the service went out of business? If I have to keep copies and worry about backups and synchronization with the cloud, too, then what’s the point?

(I’m not even worrying yet about the different levels of privacy that the different products offer — and I probably should.)

Spanning Stats also helps me only for Google Drive — I would need an application for Box, Dropbox, SkyDrive, and so on. So that’d be at least five applications and websites (each with their own user ID and password) that I’d have to remember.

What I really want is one thing that would check all my cloud storage systems and tell me what’s in each of them. And maybe while it’s at it, it could also keep track of all the various special offers I get for more free cloud storage space — and when they’re going to expire, and how to move the files around so I don’t get charged for anything.  Because you know that’s coming, if it’s not already here. We’ve seen it with the credit cards.

Speaking of which, maybe someone could write an app like that for credit card offers, too.

The initiative has more than 50 members, including Amazon, AT&T, Facebook, Google, Microsoft, Twitter, and Yahoo!, which were called out in April as being major computer vendors that should support the proposal. Steps included in the proposal include telling users about data demands, being transparent about government requests, fighting for user privacy in the courts, and fighting for user privacy in Congress. Companies received from one to four stars (including partial stars) depending on how well they are implementing each of these policies.

Dropbox was a particularly interesting addition, because the company has been criticized about its policies regarding protecting user data in its cloud storage service.

Other vendors pf the 13 that the EFF called out in April that have not yet responded include Comcast, Myspace, Skype (since purchased by Microsoft, which is a member), and Verizon.

Organizations such as the American Civil Liberties Union and the Center for Democracy & Technology are also members.

The complaint was filed on May 11 by Christopher Soghoian, who was a busy boy this month; as you may recall, he also hit the front pages by breaking the story on May 3 of an unknown perpetrator, which turned out to be Facebook, attempting to smear Google with privacy accusations.

It turns out that the whole reason Dropbox changed its privacy policy and brought up the issue of law enforcement in the first place was due to Soghoian, who did some research on encryption, deduplication, and how Dropbox saves storage space. As it happens, it checks to see whether it already has the file being uploaded, and, if so, puts in just a pointer to it in the new user’s space. Very efficient.

The problem is, that’s something someone else can see, too. They can upload a file, and, if much less data transmits than the file size, they know it’s a file Dropbox already has. This is where law enforcement comes in. Writes Soghoian:

What this means, is that from the comfort of their desks, law enforcement agencies or copyright trolls can upload contraband files to Dropbox, watch the amount of bandwidth consumed, and then obtain a court order if the amount of data transferred is smaller than the size of the file.

Last year, the New York Attorney General announced that Facebook, MySpace and IsoHunt had agreed to start comparing every image uploaded by a user to an AG supplied database of more than 8000 hashes of child pornography. It is easy to imagine a similar database of hashes for pirated movies and songs, ebooks stripped of DRM, or leaked US government diplomatic cables.

Do you see how this is even worse than simply Dropbox having to cough up a specific user’s data upon request from law enforcement? Law enforcement can now say, we *know* you have this data online, *you* tell *us* who has it.

And think of how this would play with the new PROTECT-IP bill that’s being proposed, which would let a third party shut down a site for having a copy of its intellectual property: Viacom, say, uploads a copy of a movie it suspects is available on Dropbox, finds it’s already there, demands to know who it owns it, and then shuts down that company’s site — potentially all without ever getting a warrant, because if Dropbox won’t tell, Viacom can shut *it* down for having a copy of the file. And if Dropbox gets shut down, what happens to all its other, innocent users’ files?

Moreover, Soghoian writes in his complaint, users now run the risk of having either rogue employees or hackers breaking into the Dropbox system to steal files and the stored keys that enable the company to decrypt and deduplicate files.

Recent high profile data breaches experienced by RSA, 32 Comodo, and Lastpass demonstrate that hackers are increasingly sophisticated, and are now seeking out high‐value infrastructure targets that can deliver more than just a few million credit card numbers.

(Oddly, Soghoian doesn’t list Epsilon as one of his examples, the electronic mail service bureau that was broken into in March in a data breach, the costs of which could eventually reach $3 to $4 billion.)

Soghoian’s not asking for much in return: Just that Dropbox tell people they can decrypt files, by emailing all its users rather than just changing its terms of service, make Dropbox give their money back to anybody who wants it, and never, ever to do it again.

While Dropbox has responded to the basic facts of the complaint in its blog, it hasn’t addressed the security hole associated with law enforcement or other data owner being able to tell what’s already on the service by sending another copy of it up.

Between this and Facebook/Google, one wonders what Soghoian’s going to do for an encore.

“As set forth in our privacy policy, and in compliance with United States law, Dropbox cooperates with United States law enforcement when it receives valid legal process, which may require Dropbox to provide the contents of your private Dropbox,” the company said in a rewrite of its terms of service. “In these cases, Dropbox will remove Dropbox’s encryption from the files before providing them to law enforcement.”

Dropbox made a point of telling Steve Kovach at Business Insider, who broke the story, that this was a rephrasing of its terms of service, not a change in policy. “The TOS update was merely a clarification for users, not a policy update,” the company said.

Dropbox also pointed out that it wasn’t alone in this. “It is also worth noting that all companies that store user data (Google, Amazon, etc.) are not above the law and must comply with court orders and have similar statements in their respective terms of service.”

A number of articles about the incident concurred with this, including Business Insider’s. “This is nothing groundbreaking, but Dropbox has updated its security Terms of Service to say that if the government asks, they will have to decrypt user’s files and turn them over. That’s standard practice for any online storage service from Gmail to Amazon”.

But Business Insider went on to say, “and shouldn’t affect the average user unless they’re doing something wrong.”

That’s where it gets sticky.

Several other articles on the subject made similar comments. “In the meantime, don’t go doing anything that’ll get you in so much trouble that the G-Men need to decrypt your email or cloud storage,” said David Gerwitz of ZDNet, whose article headline, “If you have something to hide from the government, don’t use Dropbox” also implied that only those who had something to hide should be concerned. “Ok, so no worries–so long as you’re not doing anything wrong, you should be fine,” agreed Sarah Jacobsson Purewal of PC World. Comments in the PC World story went so far as to say that the only people who would be concerned about this would be pedophiles.

Really?

Recall that in 2005, the New York Times revealed that the National Security Agency was monitoring telephone calls, without warrants, of domestic callers. A few months later, USA Today revealed that this was going on with the cooperation of a number of telephone companies, including AT&T, Verizon, and Bell South.

“[T]o say that only the “guilty” have any reason to care about privacy shows a dangerous lack of awareness of how easy it is to violate some law or regulation and thereby become “guilty” yourself,” says William Morriss, a Senior Associate patent attorney of Frost Brown Todd, writing in the Ephemeral Law blog. “Even worse, when the government goes about collecting enormous amounts of data without having to justify itself and without any oversight, there will inevitably be false positives which have the potential to literally ruin someone’s life.”

The one solution Dropbox has to offer is that users can encrypt their own files before upload them to a data storage service like Dropbox — so that if the data storage service decrypts stored files, they continue to be encrypted, which only the user can decrypt. “Dropbox does not discriminate between the types of files stored in your Dropbox nor the applications used to open those files. This means you can use your own software encryption methods, such as third-party encryption software, to keep your files secure on your terms,” the company’s Terms of Service said.

However, it doesn’t say exactly how one goes about finding or using third-party encryption software. Moreover, there are those who fear that any encryption software — unless it’s open source, where people can examine it — could have a “back door” that would allow government agencies to decrypt it without user assistance. Attempts have been made, and continue to be made, to require such a back door. Some people, consequently, are sticking with “better safe than sorry” and using only open source encryption software. Unfortunately, this goes beyond the area of “easy to use” for the average — law-abiding — user.