Dropbox's Terms of Service

sojourner
Community Member
edited July 2011 in Lounge
They blatantly claim full rights to everything in the "My Dropbox" folder. Moreover, it is sublicenseable, so they can sell it to anyone.

I just cleared out my Dropbox. Does 1Password support Wuala? Or any other alternatives?




Dropbox forum:
http://forums.dropbo...ic.php?id=40765

Comments

  • greptrick
    Community Member
    I think they currently only support Dropbox, but there is a thread requesting SpiderOak support. It seems to have a good number of followers. I agree; I am moving everything off Dropbox due to their new TOS.
  • jwarthman
    Community Member
    According to various comments posted in the thread referenced above, this is NOT new to the Dropbox TOS.

    In any case, Dropbox responded to the comments they received in the past day, and just clarified their TOS in The Dropbox Blog:

    [Update - 7/2] – We asked for your feedback and we’ve been listening. As a result, we’ve clarified our language on licensing:

    By submitting your stuff to the Services, you grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent reasonably necessary for the Service. This license is solely to enable us to technically administer, display, and operate the Services. You must ensure you have the rights you need to grant us that permission.


    Some will find this acceptable, others will choose to leave Dropbox. Personally, I'm going to stay, as I find the service to be amazingly useful and robust.
  • thightower
    Community Member
    edited July 2011
    Dropbox has issued an update to this:

    http://blog.dropbox.com/?p=846

    THEY ARE LISTENING; please use the feedback email to let them know your concerns:

    tos-feedback@dropbox.com

  • tb2thee
    Community Member
    Hi -- I like Dropbox and I'm sure they're very nice people, but its latest TOS change (of too many) shows that its management is floundering around rather than adopting a principled, bright-line approach to their users' privacy concerns. Specifically, their TOS now states:

    We sometimes need your permission to do what you ask us to do with your stuff (for example, hosting, making public, or sharing your files). By submitting your stuff to the Services, you grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent we think it necessary for the Service. You must ensure you have the rights you need to grant us that permission.


    Now, while I think it's awfully unlikely that DB would ever publish a derivative work based on my 1P keychain, the policy says what it says very clearly -- and it isn't at all compatible with how or why I use 1P. I'm not alone in this. I appreciate the fact that Agile puts a lot of energy into making 1P incredibly easy to use, and DB meshes very well with that. But isn't it time you built in either (a) a more generic 'power-usery' interface that actively supports other services such as SpiderOak, or (b) specific interfaces to make using those other services as easy to use as DB -- or as close as you can get? By building in explicit support for DB, Agile is in effect endorsing them as a company -- and their TOS with it.

    Is Agile seriously going to endorse DB's right to do any or all of these things to Agile's users' keychains? I'm sure the answer is no; if so, then as this saga drags on -- and based on DB's continued poor judgment -- Agile's own position will become more problematic.
  • thightower
    Community Member
    edited July 2011
    Topic moved to the Lounge, as it is more appropriate for this matter.
  • khad
    1Password Alumni
    edited July 2011
    The wording was definitely poor. As jwarthman said, they clarified in an update today. I'll include an additional paragraph of the quote as well:

    You retain ownership to your stuff. You are also solely responsible for your conduct, the content of your files and folders, and your communications with others while using the Services.

    We sometimes need your permission to do what you ask us to do with your stuff (for example, hosting, making public, or sharing your files). By submitting your stuff to the Services, you grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent reasonably necessary for the Service. This license is solely to enable us to technically administer, display, and operate the Services. You must ensure you have the rights you need to grant us that permission.

    It is much better now but still a bit ambiguous. We'll continue to evaluate other cloud sync solutions, but please be aware that 1Password for Mac has long supported Wi-Fi sync as well if you are not interested in using Dropbox but would like a sync alternative right now.

    Not that it makes it any better or worse, but, as jwarthman also points out, that particular section of Dropbox's Terms of Service had already been there for a long time for what that's worth.
  • defilmj
    Community Member
    edited July 2011
    It is rather sad that Dropbox has messed this up so badly. They are integrated into so many Mac apps. But even home users are security conscious today, and that is a good thing. I believe they have underestimated the emphasis users put on data security. It is a great leap to put your data in a public cloud. It can be a nightmare when there are issues like this.

    The policy was made worse by the recent security blunder, which just simply cannot happen. It is actually giving public cloud services a bad rap. Of course my professional corporate view is that Dropbox is not a corporate cloud service. If their intention was to capture the business market, I think their foobars have put an end to that. Perhaps some small mom-and-pops, but it is very difficult to win back eroded confidence when issues are real security issues, and perceived intentionally avoided detail with respect to the issue of a single key for all safe deposit boxes. With security there are often no second chances, and the consequences can be high for both.

    As a Wall Street technologist for 25 years and a managing director of Information Systems, I was aware that many of our employees were using Dropbox. My infosec team manager brought the issues with Dropbox to my attention. I had no choice but to ban Dropbox for any official corporate use, data, or client data. I took a lot of heat from our developers, who apparently would benefit when they developed from home. However, with the most recent issue the fuss has nearly completely died down.

    I do hope that they resolve their issues. It does appear that they should consider some serious security leadership. The current policies are not going to serve them well and will continue to erode the paying customer base, and whatever confidence, if any, remains.
  • khad
    1Password Alumni
    edited July 2011
    Dropbox can be used for more than just syncing your own private data. It can be used to share information with selected others or with the world. When you put something in your Public folder on Dropbox to share, you are asking Dropbox to re-publish that data. Dropbox actually needs your permission to do so, and this paragraph is the bit of their Terms of Service which allows them to share the material you ask them to share.

    The bottom line is that there is nothing in these Dropbox Terms of Service that gives them the right to do anything with your data that you don’t ask them to do. (The one exception is in the paragraph of the Dropbox privacy policy which addresses compliance with law enforcement requests.)

    We will have a blog post soon which goes into much greater detail, but it is important to look at the facts behind the headlines and the tweets before jumping to conclusions.
  • thightower
    Community Member
    edited July 2011
    Dropbox has once again updated the TOS:


    http://blog.dropbox.com/

    https://www.dropbox.com/terms
  • khad
    1Password Alumni
    Jeff has just written a great blog post about this issue. I have reproduced it here:



    Dropbox Terms

    When in the course of network events rumors start flying about Dropbox a decent respect for the concerns of 1Password users compels me to blog about it.

    1Password users certainly enjoy the convenience of syncing their data across Mac, Windows, iPhone, iPad, iPod Touch, Android and Windows 7 Phone. This is managed using Dropbox, and so it is fit and proper for 1Password users to be attuned to news regarding Dropbox security and privacy.

    Yesterday (July 1) Dropbox provided an update of their terms of service. Since then the net has been a-twitter with very frightening accusations about what Dropbox may do with your data. Those accusations are incorrect, and the Dropbox terms of service do not give them any rights to your data that you wouldn’t expect. And as always the main thing to keep in mind is that your 1Password data are well encrypted before ever being sent to Dropbox (or even written to your own disk).

    Read the policy, not the tweets

    It appears some misleading (at best) and downright incorrect claims about the Dropbox Terms of Service are spreading via Twitter and blogs. So don’t trust what the bloggers say (I guess that includes me) and go read the Dropbox Terms for yourself.

    Permission to share what you ask them to share

    The portion that seems to be behind the panic is in this paragraph:


    We sometimes need your permission to do what you ask us to do with your stuff (for example, hosting, making public, or sharing your files). By submitting your stuff to the Services, you grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent reasonably necessary for the Service. This license is solely to enable us to technically administer, display, and operate the Services. You must ensure you have the rights you need to grant us that permission. [Emphasis added]


    Dropbox can be used for more than just syncing your own private data. It can be used to share information with selected others or with the world. When you put something in your Public folder on Dropbox to share, you are asking Dropbox to re-publish that data. Dropbox actually needs your permission to do so, and this paragraph is the bit of their Terms of Service which allows them to share the material you ask them to share.

    The bottom line is that there is nothing in these Dropbox Terms of Service that gives them the right to do anything with your data that you don’t ask them to do. (The one exception is in the paragraph of the Dropbox privacy policy which states that they will comply with law enforcement requests for data stored on Dropbox.)

    New Security Document

    I have complained in the past that Dropbox had been unclear about their security policy with respect to everyone’s data. I am very pleased that they have produced a new security document now and that they took the time to do it right. It contains no surprises. Also with this announcement, they have updated their applications and APIs for mobile devices to address an earlier concern about encrypted filenames and such.

    Why Dropbox and where are the alternatives?

    Dropbox seems to have shifted from an Internet darling to a bogeyman in less than six months. The silly accusations regarding re-publishing permissions in their newly stated Terms of Service illustrate that any allegation about them will gain traction even when completely unfounded. But even though this current hysteria can be dismissed, it doesn't mean that we can brush off all concerns about Dropbox or any cloud syncing solution.

    I will try to briefly address some of the questions that come up in any discussion of Dropbox and 1Password. These are “Why Dropbox?” and “Have you considered X as an alternative sync solution?”

    Dropbox does two things that no other system (yet) does. It provides the necessary programming tools (APIs) for all of the platforms that we support: OS X, Windows, iOS, Android, and Windows 7 Phone; and it provides syncing to truly native filesystems on the Mac and PC.

    The short answer to “Have you considered X as an alternative sync solution” is “Yes” for every value of X that people have asked about. We have considered them, and have had to reject them for various technical reasons.

    Getting more technical

    Each item in your 1Password data is stored in its own separate file. This is great for syncing in that it means that only the changes need to sync, and this can be done by file and folder syncing. This not only makes syncing faster and cheaper, it also makes it much more reliable and robust against potential data corruption. But this also means that 1Password needs to read lots of different files quickly as it runs. Dropbox does fast syncing while storing the local files on the native local file systems, allowing it to function properly.

    As an illustration, an alternative such as WebDAV (which we worked on extensively but had to abandon before we moved to Dropbox) provides a file system abstraction layer that is just too slow for 1Password. It can hang when we try to access some file that it hasn't cached properly. Also, WebDAV isn't designed for updating many files in quick succession. It's not that WebDAV is bad, but it isn't suitable for how we would use it.

    Everything else we’ve looked at (and we have looked at many things) suffers not only from the same problems we saw with WebDAV, but they also lack usable APIs for all the platforms we need to support. It may be possible, for example, to sync data to an Android or iOS device using SugarSync or Wuala, but it isn’t possible to sync that data in a way that would make it available to 1Password on those devices.

    What’s gone before

    I’ve written about a number of things related to the security of your 1Password data in the cloud and on Dropbox in particular. Instead of repeating those, I will list some of those here.


    In Conclusion

    Thinking about security (and privacy) is hard. It is important to look at the facts behind the headlines and the tweets before jumping to conclusions.
  • jwarthman
    Community Member
    This was an excellent, excellent summary by Jeff.

    Thanks, Khad, for posting this.

    It's unfortunate that popular opinion is so swayed by people who don't have correct or complete information. I'm sorry to see Dropbox taking so much unwarranted flak.

    No, Dropbox isn't perfect. But they are the best option for the sort of cloud-based file sharing that Dropbox requires, and I plan to stay with them.
  • tb2thee
    Community Member
    khad wrote:

    Jeff has just written a great blog post about this issue. I have reproduced it here:


    [...] The bottom line is that there is nothing in these Dropbox Terms of Service that gives them the right to do anything with your data that you don’t ask them to do. (The one exception is in the paragraph of the Dropbox privacy policy which states that they will comply with law enforcement requests for data stored on Dropbox.) [...]



    A lot of what he wrote makes sense, but this statement is false or at best misleading. DB's TOS have been drafted in a maximalist way that grants them every right in every case; there's no mention of fine-grained distinctions wherein by applying specific function X to a particular file (e.g., sharing it) you invoke clause Y (e.g., granting rights to derivative works). Granted, that kind of legal approach gets very complicated very fast, and I certainly understand why they'd want to avoid it. They pride themselves on an elegant interface and experience -- with good reason -- and implementing a fine-grained legal-technical approach would very quickly lead to a Facebook-like maze of obscure preferences. They're between a rock and a hard place, and I sympathize with them; but to say that "nothing in [their TOS] gives them the right to do anything with your data that you don't ask them to do" is, like I said, at least misleading.
  • SJMvideo
    Community Member
    edited July 2011
    Whoa! You either don't read or you really are paranoid. What part of the bold below don't you understand? It's all included in the blog post you link to. They are covering their asses. If you didn't agree to give them the rights to copy and move your stuff around, they couldn't make the transfers from one computer to another for you without some gold-digging jerk coming back and suing them for making copies and keeping backups of their files. All Dropbox has done is to write it in as plain English as possible so you can actually understand that's what they are doing and what you are giving permission to them for. They even say right off the bat that essentially nothing has changed except the wording, to make it clearer.


    [Update - 7/2] – We asked for your feedback and we’ve been listening. As a result, we’ve clarified our language on licensing:

    You retain ownership to your stuff.
    You are also solely responsible for your conduct, the content of your files and folders, and your communications with others while using the Services.
    ...


    [Update 2 - 7/2] – ...

    Some of you have written us with very understandable concerns about the legal-sounding parts. In particular, our new TOS talks about the licenses we need to run Dropbox. We want to be 100% clear that you own what you put in your Dropbox. We don’t own your stuff. And the license you give us is really limited. It only allows us to provide the service to you. Nothing else.


    We think it’s really important that you understand the license. It’s about the permissions you give us to run the service, things like creating public links when you ask us to, allowing you to collaborate with colleagues in shared folders, generating web previews or thumbnails of your files, encrypting files, creating backups… the basic things that make Dropbox safe and easy to use. Services like Google Docs and others do the same thing when they get these permissions (see, for example, section 11.1 of Google’s TOS).

    We wish we didn’t have to use legal terms at all, but copyright law is complicated and if we don’t get these permissions in writing, we might be putting ourselves in a tough spot down the road. Not to bore you with the details, but please take a look at the license term in the TOS. We think it’s fair and strikes the right balance: “This license is solely to enable us to technically administer, display, and operate the Services.”
  • thightower
    Community Member
    edited July 2011
    Thank you SJMvideo, for helping clarify this.


    Personally, I hope many more people will actually take the time to read the TOS rather than going on gut reaction to what they read online, etc.

    As I indicated in another thread, they are listening to us; please use the feedback email to voice your concerns. They have already made one set of changes after our feedback:


    tos-feedback@dropbox.com

    Also Parnoid,

    I have merged your topic with this one; please also see the above posts.
  • Catcher
    Community Member
  • jpgoldberg
    1Password Alumni
    edited July 2011
    Hi tb2thee.

    tb2thee wrote:

    To say that "nothing in [their TOS] gives them the right to do anything with your data that you don’t ask them to do" is, like I said, at least misleading.


    I hope that you meant "mistaken" instead of "misleading". I may be wrong (though I think not), but I certainly don't wish to mislead anyone. My take on their ToS is clearly different than yours, but what I've been encouraging people to do is to read it for themselves.

    I've looked at the ToSs of other services that engage in sharing and find them worded almost identically, so I take the language in the Dropbox ToS to be for the same purposes. The difficulty is that Dropbox is in the business of keeping some information for "your eyes only" while other information is meant to be shared. This makes writing a ToS to enable the latter difficult.

    If you have a web hosting service, you will see the identical issue. Some information (such as .htaccess files) is not to be shared, while other stuff you upload to your web host is to be shared. Yet, I believe you will find that the ToS of web hosting services are no clearer about this than Dropbox's. (I haven't surveyed these at this point, so I am speculating here.)

    There may be a general problem of ambiguity in ToSs about these sorts of things, but it is an issue that pretty much every service that involves sharing some information (at the users request) faces.

    We also need to look at how a court would read these ToSs. Courts are more reasonable than people think when approaching such issues. In the case of ambiguity they tend to go for the most "reasonable" interpretation based on what is implied by the service offered. As I've stated many times over the course of this discussion, I have no legal training, but I have been reading the Dropbox ToS in that spirit. What is a user's reasonable expectation given the nature of the service?

    Again, my own non-professional view is that non-professionals who like dissecting legal documents tend to be overly literal. A couple of years ago, Texan voters passed a constitutional amendment banning same sex marriage. But they wanted to go further and also rule out things like civil unions, so the Texas constitution now contains the following:


    This state or a political subdivision of this state may not create or recognize any legal status identical or similar to marriage.

    Now a literal interpretation of that would suggest that Texans have actually banned the recognition of all marriage. After all, marriage is "identical or similar to marriage." I somehow doubt that the courts would take that view.

    Cheers,

    -j
  • jwarthman
    Community Member
    Catcher wrote:



    Interesting de-construction of the Dropbox TOS. But the author doesn't seem to address the aspect of Dropbox that involves intentionally SHARING your contents with others of your choosing. It's been said that some of the TOS wording is specifically geared toward that use.

    I seriously doubt that the Dropbox business model involves searching user accounts for interesting content they can license to someone else.
  • jpgoldberg
    1Password Alumni
    edited July 2011
    Hi jwarthman!

    jwarthman wrote:

    Interesting de-construction of the Dropbox TOS. But the author doesn't seem to address the aspect of Dropbox that involves intentionally SHARING your contents with others of your choosing.

    Exactly! I think that what has happened is that many people use Dropbox primarily for syncing, and not so much sharing. And so when we come across a clause that is common for sharing services (and in a context where everyone is expecting screw-ups from Dropbox) there is this panic that we've been seeing.


    It's been said that some of the TOS wording is specifically geared toward that [sharing] use.

    That is certainly my take on it.

    http://blog.agilebits.com/2011/07/dropbox-terms/


    I seriously doubt that the Dropbox business model involves searching user accounts for interesting content they can license to someone else.

    Exactly.

    Cheers,

    -j
  • Tacitus99
    Community Member
    Without TOS similar to those of Dropbox, I doubt any cloud storage/syncing service could operate.

    Surely the answer for the paranoid is to do your own encryption, although it has to be said that this often brings its own problems. Now, if a company well versed in the creation of encryption apps and with a decent knowledge of the Dropbox APIs could come up with an encryption app that worked seamlessly with Dropbox, they would be onto a winner. Now, if it worked in the same manner as a well-known secure password repository (no problems, it just works), they might even make shedloads of money.

    Just a thought :)
  • khad
    1Password Alumni
    I think the problem is that the encryption keys are needed, necessary, vital, essential, etc. to read the data. No service which is encrypting everything client-side can do what Dropbox does or provide the services that it does. I think some people are looking for a service that does something other or different than Dropbox does (which is fine, but let's not blame the zebra for his stripes). In order to be able to access your files from a web interface or share folders between users, the service needs the keys. There really isn't any way around this. The safest sex is abstinence and the safest syncing is sneakernet, but that doesn't mean everyone is willing to give up either one if they have the right amount of protection. :lol:
  • tb2thee
    Community Member
    I mostly agree with the people here who are describing themselves as sane and pragmatic (as opposed to 'panicky' or whatever), but there are also a lot of straw men running around, right? A TOS is a contract, and a contract says what it says, not what one party later thought the other party meant to say. And, contrary to what someone said about courts being sensible, a lot of them do and say things that are batsh*t insane -- that's why there are appeals courts. But, really, no one wants to 'go there,' do they? What we want is for DB's TOS to say sensible stuff in a sensible way. They've distinguished themselves in the areas of UI and UX, which is really impressive; but when it comes to the legal stuff, unfortunately -- as the sane types are pointing out -- they pretty much copy-pasted boilerplate from hosting and related businesses. And those TOSes have become wack.

    It isn't that hard to say, "We'll do everything we reasonably can to keep your stuff the way you want it, private, unless you tell us to do otherwise (for example, by sharing it); but to do that really well, we need to make complete and partial copies (for example, to back our own systems up and make it seem like our globe-spanning network is right there for you). For us to do that, you'll need to grant us some rights that can sound a bit scary. And you'll also need to give us your best efforts to ensure that you have the right to let us do it. But the bottom line is that we'll do everything we reasonably can to keep your stuff the way you want it, private, unless you tell us to do otherwise."

    The problem is that DB stumbled into a really messy situation: some really embarrassing security mistakes, on the one hand, during an ongoing effort to incrementally adjust their TOS, on the other -- rather than starting from scratch. You might say that rewriting their TOS from scratch would have caused a much bigger scandal, and you might be right, but I don't think so. Instead, I think if they'd written a blog post that explained their predicament, people would have been more inclined to cut them some slack. People like chatty blog posts more than TOS.

    Basically, they need to get some lawyers who are as smart and sensitive to PR as their engineers are to UI and UX.

    HOWEVER, to get back to the point (IMO), as I said, as Agile succeeds -- and more power to you all, because 1P is brilliant -- you'll need to think more deeply about what it means to build explicit support for third parties into your software. Because, in doing that, you're hanging your hat on someone else's reputation and operations. You know better than anyone here that security is the alpha and omega of what you do, and you've made a stunning series of excellent choices: 1P is clear proof of that. But as you scale and your environment becomes more complex, hence riskier in new ways, you'll do well to look at these kinds of challenges as opportunities. Maybe strategic opportunities, maybe engineering opportunities, or maybe just opportunities to explain why, in an increasingly complicated world where there really can't be any absolute guarantees, 1P is the best choice.
  • Catcher
    Community Member
    @tb2thee Elegantly and eloquently put.

    C
  • jpgoldberg
    1Password Alumni
    tb2thee wrote:

    HOWEVER, to get back to the point (IMO), as I said, as Agile succeeds -- and more power to you all, because 1P is brilliant -- you'll need to think more deeply about what it means to build explicit support for third parties into your software. Because, in doing that, you're hanging your hat on someone else's reputation and operations.

    Indeed. It would be silly of us to hitch our wagon to a single third party over which we have no control. The exploration of alternatives is a continual process that has been in the works from before we built in Dropbox support and continues today. I discussed why certain alternatives have problems which we have yet to surmount.

    On another note, I'd like to draw attention to a blog post by Simon Bradshaw, who specializes in intellectual property and the net. He makes it his business to study such Terms of Service.

    http://lawclanger.blogspot.com/2011/07/dropbox-terms-of-service-not-actually.html

    Cheers,

    -j
  • Last week Dropbox changed its terms of service, so it can legally read any of your files. Is using 1Password on any platform with Dropbox still secure?
  • bswins
    edited July 2011
    Hello drzog and welcome to the Forums!

    I merged your topic with the appropriate thread.

    Please review the previous comments and let us know if you have additional questions.

    Cheers!

    Brandt
  • thightower
    Community Member
    edited July 2011
    Dropbox TOS re-clarified today, oops, yesterday; my RSS reader is slow :P

    What's yours stays yours
  • khad
    1Password Alumni
    edited September 2011
    The "What's yours stays yours" Dropbox blog post to which Tommy linked includes a snippet of the completely rewritten "disputed" section of Dropbox's Terms of Service:

    …By using our Services you provide us with information, files, and folders that you submit to Dropbox (together, “your stuff”). You retain full ownership to your stuff. We don’t claim any ownership to any of it. These Terms do not grant us any rights to your stuff or intellectual property except for the limited rights that are needed to run the Services, as explained below.

    We may need your permission to do things you ask us to do with your stuff, for example, hosting your files, or sharing them at your direction. This includes product features visible to you, for example, image thumbnails or document previews. It also includes design choices we make to technically administer our Services, for example, how we redundantly backup data to keep it safe. You give us the permissions we need to do those things solely to provide the Services. This permission also extends to trusted third parties we work with to provide the Services, for example Amazon, which provides our storage space (again, only to provide the Services).

    I don't think it could be any clearer than that.

    Cheers,
This discussion has been closed.