A PhD student has filed a complaint with US regulators accusing Dropbox of offering an insecure service.
Christopher Soghoian first highlighted issues with Dropbox's security in April, but decided to follow that up by filing a complaint with the US Federal Trade Commission.
The complaint accuses the cloud storage firm of "deceptive trade practices" for not coming clean about how its security works.
Soghoian claims that although Dropbox files are encrypted, employees have access to the keys and can access users' data - despite the site previously claiming otherwise.
"If Dropbox disclosed the full details regarding its data security practices, some of its customers might switch to competing cloud-based services that do deploy industry best practices regarding encryption, protect their own data with third-party encryption tools, or decide against cloud-based backups completely," the filing said.
The document notes that rival cloud storage firms do offer full encryption, and have to charge more because they can#t deduplicate files.
For example, if a Dropbox user uploads a file that another user also has, Dropbox can identify the copy and retain only one version.
However, by claiming to offer a similar service as such rivals and charging less, Dropbox is being unfair to the competition, the filing said.
The filing also alleges Dropbox lied about the use of SSL for its mobile app, with the storage firm admitting it traded off security for performance for transferring metadata sent via mobile connections.
Soghoian is asking the FTC to force Dropbox to come clean about how its security works on its website, advise its 25 million users that it has access to their unencrypted data, and to offer refunds to any users that paid for Pro accounts.
"We believe this complaint is without merit," said company spokeswoman Julie Supan, noting Dropbox had addressed the issues in a blog post in April. "Millions of people depend on our service every day and we work hard to keep their data safe, secure, and private.”
Soghoian is studying for his degree at Indiana University, but has previously worked for the FTC. He is also one of a few privacy specialists who spoke out after being approached by Facebook as part of a negative PR campaign against Google.