On the face of it, the security of DropBox encryption seems comparable to that of a padlocked room - where the key to the padlock is kept hidden in a safe place.
Except the key is actually kept under the doormat, because people keep going in and out and keeping it elsewhere is just too inconvenient.
If you told someone a room like that had military grade security, you would be called a liar. No matter how fancy the padlock. Without knowing the details of DropBox's setup I'm going to refrain from calling them liars, but this all seems pretty fishy to me.
The analogy you mention is not very good because the hole discovered in their security model is related to duplicate content identified via the same hash value. If you have unique content that's different than anything else, even by 1 bit, then you're secure until someone uploads exactly the same content (this is due to the way in which hash functions work); meanwhile, a key under the doormat would imply a totally different security threat model.
The downvotes I'm getting seem to indicate others agree I'm off the mark here. Perhaps I was too inflammatory, perhaps people just don't understand my analogy. Let me try again without the hyperbole. :-)
My point is, DropBox advertise proudly on their website that they use military grade encryption to protect their users' data. However, it has now been independently shown that the keys to this data are in DropBox's direct possession and are in routine, daily use, decrypting one person's data so another can access it (this is what happens when deduping allows you to download something you never actually uploaded yourself).
To me, this implies that their claims of "military grade security" may be unjustified and just yet another example of security theater in the cloud.
Without knowing the exact architecture of their system it's hard to say for sure, of course. But think about what the encryption they claim to use is probably supposed to accomplish. Then think about whether it actually does that if a large proportion of DropBox's servers and employees have access to the decryption keys.
[edit: Amazon store data on S3, so it is in fact important that they encrypt it (even with relatively relaxed key management) as they have no direct control over the infrastructure. I still don't think this meets the bar of "military grade security", but I guess that's marketing for you.]
Modern deduplication breaks files into pieces, and a list of hashes is computed for each piece. So a single bit change wouldn't necessarily throw it off completely.
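An added example, not part of the original thread and not DropBox's code, showing the piece-wise hashing the comment above describes: a one-bit change defeats a whole-file hash match but leaves every other piece matching. The 4096-byte fixed-size pieces, SHA-256, and all function names are assumptions made for illustration.

```python
import hashlib

CHUNK_SIZE = 4096  # assumed chunk size; the thread does not state a real one


def chunk_hashes(data: bytes, size: int = CHUNK_SIZE) -> list[str]:
    """SHA-256 digest of each fixed-size piece of the file."""
    return [hashlib.sha256(data[i:i + size]).hexdigest()
            for i in range(0, len(data), size)]


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with exactly one bit inverted."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def dedup_report(stored_file: bytes, upload: bytes) -> dict:
    """Compare an upload against one already-stored file, both ways."""
    stored_chunks = set(chunk_hashes(stored_file))
    upload_chunks = chunk_hashes(upload)
    changed = [i for i, h in enumerate(upload_chunks) if h not in stored_chunks]
    return {
        "whole_file_match": hashlib.sha256(stored_file).digest()
                            == hashlib.sha256(upload).digest(),
        "chunks": len(upload_chunks),
        "already_stored": len(upload_chunks) - len(changed),
        "changed_chunks": changed,
    }


def sample_file(n_chunks: int = 8) -> bytes:
    """Constructed sample: n_chunks distinct 4096-byte pieces of hash output."""
    blocks = n_chunks * CHUNK_SIZE // 32
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                    for i in range(blocks))


if __name__ == "__main__":
    original = sample_file()
    modified = flip_bit(original, 3 * CHUNK_SIZE * 8 + 5)  # one bit, inside piece 3
    print(dedup_report(original, modified))
```

With fixed-size pieces this holds for in-place changes only; inserting or deleting a byte shifts every later boundary, so all following pieces hash differently.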