Editorial

Analyzing the Terms of Service (or “Not Every Company is Evil”)

With more and more data being placed into the ubiquitous cloud, it’s becoming ever more important for users to read the terms of service and privacy policies that companies put out. Although studies show that users rarely read these legal documents, they are the binding forces that determine what a company can do with your personal information and private data. The recent changes to the Dropbox terms of service highlighted the fact that the company can do what they want with your files, although there is still some question on exactly what that means. The article promoted a lot of questions from users wondering if competitors to Dropbox had similar terms and whether all online companies take control of your works. The short answer is, “No, they don’t.”

We decided to examine a few different services to get an idea of how they differ. We looked at a couple of cloud services, namely Google Docs and Amazon Cloud Drive. We looked at Dropbox and a couple of its competitors, Syncplicity and Spideroak. We ended by looking at two popular backup solutions, Mozy and Crashplan.

Cloud Storage: Google Docs vs. Amazon Cloud Drive

Cloud based storage has been around for awhile and one could argue that anything stored on the Internet falls into this category. For the sake of our analysis, we looked at Google Docs and Amazon’s Cloud Drive. While both services are similar, there are some notable differences. Amazon is mainly focusing on music delivery, whereas Google Docs allows users to read/write/edit documents from any Internet capable machine.

Google, the company that prides itself in “doing no evil” has a terms of service very similar to that of Dropbox, but actually takes things one step further by granting access to your data to third party companies that do business with Google. Even more frightening is the word “irrevocable.” While I’m no lawyer, only Google and Syncplicity used that language in their terms of service and it seems to imply that once you post data to the service, you can never take away their rights to do with it as they will. In addition the agreement seems vague in that access to your data can be used to “promote the Services,” implying that an image you upload to Google Docs could potentially be used royalty-free for their next advertising blitz.

    11.1 You retain copyright and any other rights you already hold in Content which you submit, post or display on or through, the Services. By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services. This license is for the sole purpose of enabling Google to display, distribute and promote the Services and may be revoked for certain Services as defined in the Additional Terms of those Services.

    11.2 You agree that this license includes a right for Google to make such Content available to other companies, organizations or individuals with whom Google has relationships for the provision of syndicated services, and to use such Content in connection with the provision of those services.

Amazon’s Cloud Drive seems a bit more consumer-friendly compared to Google’s offering, but it still has some worrying terminology. Although Amazon does not give themselves an irrevocable license nor do they give themselves the ability to use your files royalty-free, they still have the ability to “access, retain, use, and disclose your files.” The upside is that, compared to Google, it doesn’t appear to give them permission to use your files in an advertising campaign.

5.2 Our Right to Access Your Files. You give us the right to access, retain, use and disclose your  account information and Your Files: to provide you with technical support and address technical  issues; to investigate compliance with the terms of this Agreement, enforce the terms of this  Agreement and protect the Service and its users from fraud or security threats; or as we determine  is necessary to provide the Service or comply with applicable law.

Syncing Software: Dropbox vs. Syncplicity vs. Spideroak

There are several competing products on the market, all that do similar tasks: Allow you to access your files from any Internet-enabled device. Dropbox recently changed their terms of service so that they have the legal right to modify and distribute your data and while some maintain that it’s only for use within the system, the terms are similar to Google’s and seem to imply that it can be used for marketing purposes, amongst other things. The text of the terms of service is listed below.

We sometimes need your permission to do what you ask us to do with your stuff (for example, hosting, making public, or sharing your files). By submitting your stuff to the Services, you grant us (and  those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable  rights to use, copy, distribute, prepare derivative works (such as translations or format  conversions) of, perform, or publicly display that stuff to the extent reasonably necessary for the  Service. This license is solely to enable us to technically administer, display, and operate the Services. You must ensure you have the rights you need to grant us that permission.

Neowin users made several comments that all of Dropbox’s competitors have similar legalese wrapped around their products. In the case of Syncplicity, our users were wrong: The terms are much worse than those of Dropbox. In addition to the royalty-free license to use your files for the service, Syncplicity also maintains an irrevocable license to “use and exploit” the files. On top of that, they also grant the same license to all users who you share your data with. So if you decide to share a file with your friend Bob, then he has the ability to do whatever he wants with your files. While this clause is probably in place to protect Syncplicity, it sounds like users would have little recourse if a friend uses their file, even if asked not to sometime in the future.

YOU ACKNOWLEDGE AND AGREE THAT BY UTILIZING THE SITE, SERVICES AND/OR SYNC FILES, TO PROVIDE YOU  WITH THE SERVICES YOU CONSENT TO SYNCPLICITY ACCESSING AND/OR SCANNING (I) YOUR COMPUTER AND/OR ANY  FILES, DATA OR INFORMATION THEREIN AND (II) ANY FILES OR CONTENT LINKED TO AS A RESULT OF YOUR  ADDITION OF THIRD PARTY ACCOUNTS OR APPLICATIONS TO YOUR ACCOUNT PROFILE. IN THE EVENT THAT YOU  CHOOSE CERTAIN SETTINGS (INCLUDING THE SELECTION OF “SYNCPLICITY FOLDERS”) IN YOUR ACCOUNT  PREFERENCES YOU CONSENT TO PROVIDING OTHER SYNCPLICITY USERS ACCESS TO THE SYNC FILES YOU INDICATE.

While you retain all rights in any Sync Files, by using Site or Services, you hereby grant to  Syncplicity a non-exclusive, worldwide, royalty-free, sublicensable, perpetual and irrevocable right  and license to use and exploit such Sync Files as necessary to provide you with the Services. In  addition, you hereby grant all other Syncplicity Users who you invite to access the Sync Files you  indicate a non-exclusive, worldwide, royalty-free, sublicensable, perpetual and irrevocable right  and license to use and exploit such Sync Files.

We then examined another competitor, Spideroak. This service also has a different terms of service than Dropbox, but this time for the better. According to their documentation, the company has no access to any of your files due to the encryption that they maintain. Employees of the company can’t even see the names of your files because they store your data inside of encrypted containers. Of the three file syncing services we examined, Spideroak clearly has the most customer-friendly legal documentation and would be a recommended choice.

SpiderOak's encryption is comprehensive -- even with physical access to the storage servers,  SpiderOak staff cannot know even the names of your files and folders. On the server side, all that  SpiderOak staff can see, are sequentially numbered containers of encrypted data.

Backup Services: Mozy vs. Crashplan

For our last set of services we decided to investigate the terms of two popular online backup programs, Mozy and Crashplan. It turns out that both services have similar legal documentation and both of them promise not to view your data.

Mozy states that the only thing they maintain the right to view is file system information like extensions and sizes but not the data itself. In addition they promise not to sell any of your personal information.

We will not sell or market the email addresses or other collected personal information of registered Users to third parties. We will not view the files that you backup using the Service. We may view your file system information (file extensions, sizes etc. but not your file contents) to provide technical support. You acknowledge and agree that Decho may occasionally send you administrative communications regarding your account or the Service via email.

Crashplan has almost the same terms but they add an extra layer of consumer protection. Although the default key is stored on the company’s servers, if you choose to use your own password or encryption key, the company will have no way to restore your files. Mozy has a similar service available but it was not spelled out as clearly in the terms of service.

DATA SECURITY. CrashPlan Software uses encryption to secure your backup data prior to transmission.  The encryption key used is secured and escrowed on Code 42 Servers. You may elect to secure your key  with a private password or use your own encryption key. If you elect to use a private key password  or your own key, they will be required before decrypting backup data. IF YOU ELECT NOT TO HAVE CODE  42 STORE YOUR PRIVATE KEY AND YOU LOSE YOUR KEY OR PASSWORD, YOUR ENCRYPTED DATA WILL NOT BE  RECOVERABLE.

Conclusion: Read the license agreements

Although we reviewed only a small sample of EULAs, it’s apparent that there are some companies that value their customers’ data and those who want to protect their own bottom lines. It’s probably true that a company like Dropbox will never search through their users’ files, take an image file, and modify for their own promotional marketing literature or put it on the front page of their site. Unfortunately the terms of service seem to imply that they could do that if they wanted to. On the other hand, it’s clear that companies like Mozy and Crashplan value data security, giving users the option to prevent even the provider from reading the files.

If you take away only one thing from this analysis, we hope that it’s to at least give a cursory review of the terms of service documents you’re forced to agree to, especially when your own personal data is what’s covered. Nobody cares more about your data than you do.

Image Courtesy of maxconsole.net

Report a problem with article
Previous Story

Prototype iPhone 4 skyrockets to $999,999 on eBay [Update]

Next Story

iPad 2 jailbreak leaked; JailbreakMe.com up for auction

13 Comments - Add comment