Editorial

Analyzing the Terms of Service (or “Not Every Company is Evil”)

With more and more data being placed into the ubiquitous cloud, it’s becoming ever more important for users to read the terms of service and privacy policies that companies put out. Although studies show that users rarely read these legal documents, they are the binding forces that determine what a company can do with your personal information and private data. The recent changes to the Dropbox terms of service highlighted the fact that the company can do what they want with your files, although there is still some question on exactly what that means. The article promoted a lot of questions from users wondering if competitors to Dropbox had similar terms and whether all online companies take control of your works. The short answer is, “No, they don’t.”

We decided to examine a few different services to get an idea of how they differ. We looked at a couple of cloud services, namely Google Docs and Amazon Cloud Drive. We looked at Dropbox and a couple of its competitors, Syncplicity and Spideroak. We ended by looking at two popular backup solutions, Mozy and Crashplan.

Cloud Storage: Google Docs vs. Amazon Cloud Drive

Cloud based storage has been around for awhile and one could argue that anything stored on the Internet falls into this category. For the sake of our analysis, we looked at Google Docs and Amazon’s Cloud Drive. While both services are similar, there are some notable differences. Amazon is mainly focusing on music delivery, whereas Google Docs allows users to read/write/edit documents from any Internet capable machine.

Google, the company that prides itself in “doing no evil” has a terms of service very similar to that of Dropbox, but actually takes things one step further by granting access to your data to third party companies that do business with Google. Even more frightening is the word “irrevocable.” While I’m no lawyer, only Google and Syncplicity used that language in their terms of service and it seems to imply that once you post data to the service, you can never take away their rights to do with it as they will. In addition the agreement seems vague in that access to your data can be used to “promote the Services,” implying that an image you upload to Google Docs could potentially be used royalty-free for their next advertising blitz.

    11.1 You retain copyright and any other rights you already hold in Content which you submit, post or display on or through, the Services. By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services. This license is for the sole purpose of enabling Google to display, distribute and promote the Services and may be revoked for certain Services as defined in the Additional Terms of those Services.

    11.2 You agree that this license includes a right for Google to make such Content available to other companies, organizations or individuals with whom Google has relationships for the provision of syndicated services, and to use such Content in connection with the provision of those services.

Amazon’s Cloud Drive seems a bit more consumer-friendly compared to Google’s offering, but it still has some worrying terminology. Although Amazon does not give themselves an irrevocable license nor do they give themselves the ability to use your files royalty-free, they still have the ability to “access, retain, use, and disclose your files.” The upside is that, compared to Google, it doesn’t appear to give them permission to use your files in an advertising campaign.

5.2 Our Right to Access Your Files. You give us the right to access, retain, use and disclose your  account information and Your Files: to provide you with technical support and address technical  issues; to investigate compliance with the terms of this Agreement, enforce the terms of this  Agreement and protect the Service and its users from fraud or security threats; or as we determine  is necessary to provide the Service or comply with applicable law.

Syncing Software: Dropbox vs. Syncplicity vs. Spideroak

There are several competing products on the market, all that do similar tasks: Allow you to access your files from any Internet-enabled device. Dropbox recently changed their terms of service so that they have the legal right to modify and distribute your data and while some maintain that it’s only for use within the system, the terms are similar to Google’s and seem to imply that it can be used for marketing purposes, amongst other things. The text of the terms of service is listed below.

We sometimes need your permission to do what you ask us to do with your stuff (for example, hosting, making public, or sharing your files). By submitting your stuff to the Services, you grant us (and  those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable  rights to use, copy, distribute, prepare derivative works (such as translations or format  conversions) of, perform, or publicly display that stuff to the extent reasonably necessary for the  Service. This license is solely to enable us to technically administer, display, and operate the Services. You must ensure you have the rights you need to grant us that permission.

Neowin users made several comments that all of Dropbox’s competitors have similar legalese wrapped around their products. In the case of Syncplicity, our users were wrong: The terms are much worse than those of Dropbox. In addition to the royalty-free license to use your files for the service, Syncplicity also maintains an irrevocable license to “use and exploit” the files. On top of that, they also grant the same license to all users who you share your data with. So if you decide to share a file with your friend Bob, then he has the ability to do whatever he wants with your files. While this clause is probably in place to protect Syncplicity, it sounds like users would have little recourse if a friend uses their file, even if asked not to sometime in the future.

YOU ACKNOWLEDGE AND AGREE THAT BY UTILIZING THE SITE, SERVICES AND/OR SYNC FILES, TO PROVIDE YOU  WITH THE SERVICES YOU CONSENT TO SYNCPLICITY ACCESSING AND/OR SCANNING (I) YOUR COMPUTER AND/OR ANY  FILES, DATA OR INFORMATION THEREIN AND (II) ANY FILES OR CONTENT LINKED TO AS A RESULT OF YOUR  ADDITION OF THIRD PARTY ACCOUNTS OR APPLICATIONS TO YOUR ACCOUNT PROFILE. IN THE EVENT THAT YOU  CHOOSE CERTAIN SETTINGS (INCLUDING THE SELECTION OF “SYNCPLICITY FOLDERS”) IN YOUR ACCOUNT  PREFERENCES YOU CONSENT TO PROVIDING OTHER SYNCPLICITY USERS ACCESS TO THE SYNC FILES YOU INDICATE.

While you retain all rights in any Sync Files, by using Site or Services, you hereby grant to  Syncplicity a non-exclusive, worldwide, royalty-free, sublicensable, perpetual and irrevocable right  and license to use and exploit such Sync Files as necessary to provide you with the Services. In  addition, you hereby grant all other Syncplicity Users who you invite to access the Sync Files you  indicate a non-exclusive, worldwide, royalty-free, sublicensable, perpetual and irrevocable right  and license to use and exploit such Sync Files.

We then examined another competitor, Spideroak. This service also has a different terms of service than Dropbox, but this time for the better. According to their documentation, the company has no access to any of your files due to the encryption that they maintain. Employees of the company can’t even see the names of your files because they store your data inside of encrypted containers. Of the three file syncing services we examined, Spideroak clearly has the most customer-friendly legal documentation and would be a recommended choice.

SpiderOak's encryption is comprehensive -- even with physical access to the storage servers,  SpiderOak staff cannot know even the names of your files and folders. On the server side, all that  SpiderOak staff can see, are sequentially numbered containers of encrypted data.

Backup Services: Mozy vs. Crashplan

For our last set of services we decided to investigate the terms of two popular online backup programs, Mozy and Crashplan. It turns out that both services have similar legal documentation and both of them promise not to view your data.

Mozy states that the only thing they maintain the right to view is file system information like extensions and sizes but not the data itself. In addition they promise not to sell any of your personal information.

We will not sell or market the email addresses or other collected personal information of registered Users to third parties. We will not view the files that you backup using the Service. We may view your file system information (file extensions, sizes etc. but not your file contents) to provide technical support. You acknowledge and agree that Decho may occasionally send you administrative communications regarding your account or the Service via email.

Crashplan has almost the same terms but they add an extra layer of consumer protection. Although the default key is stored on the company’s servers, if you choose to use your own password or encryption key, the company will have no way to restore your files. Mozy has a similar service available but it was not spelled out as clearly in the terms of service.

DATA SECURITY. CrashPlan Software uses encryption to secure your backup data prior to transmission.  The encryption key used is secured and escrowed on Code 42 Servers. You may elect to secure your key  with a private password or use your own encryption key. If you elect to use a private key password  or your own key, they will be required before decrypting backup data. IF YOU ELECT NOT TO HAVE CODE  42 STORE YOUR PRIVATE KEY AND YOU LOSE YOUR KEY OR PASSWORD, YOUR ENCRYPTED DATA WILL NOT BE  RECOVERABLE.

Conclusion: Read the license agreements

Although we reviewed only a small sample of EULAs, it’s apparent that there are some companies that value their customers’ data and those who want to protect their own bottom lines. It’s probably true that a company like Dropbox will never search through their users’ files, take an image file, and modify for their own promotional marketing literature or put it on the front page of their site. Unfortunately the terms of service seem to imply that they could do that if they wanted to. On the other hand, it’s clear that companies like Mozy and Crashplan value data security, giving users the option to prevent even the provider from reading the files.

If you take away only one thing from this analysis, we hope that it’s to at least give a cursory review of the terms of service documents you’re forced to agree to, especially when your own personal data is what’s covered. Nobody cares more about your data than you do.

Image Courtesy of maxconsole.net

Report a problem with article
Previous Story

Prototype iPhone 4 skyrockets to $999,999 on eBay [Update]

Next Story

iPad 2 jailbreak leaked; JailbreakMe.com up for auction

13 Comments

Commenting is disabled on this article.

HopeForP7Update said,
I even was to lazy to read the whole post about Tos

Same but it just proves the idiocy of most people these days that agree to something without reading it first

Check out Zoho, which have a much better terms of service agreement than Google and provide a similar service with online documents.

Google freely admits to:

1) data-mining email
2) tracking your location
3) tracking your searches
4) reading your documents
5) anaylizing your photos
6) saving your conversations
7) correlating all of the above together with your contacts, phone numbers, calendars, etc
8) using this data for their own 'purposes'

They can spy on individuals of interest or power (think goverments).
They use this information to predict 'trends' for 'investment' purposes. (Which is everything from shorting or controlling supplies of 'popular' products, to investing money in companies directly.)

They also clearly state their employees can lookup any of this information. (Which a few employees have been fired over because they were blackmailing and stalking minors.)

And even with 'location' information turned off, Android still provides enough information back to Google if you are using their searches or gmail and where your phone is when using them, to make a map of virtually every step you have made since buying your Android phone. (And there is NO WAY to 'opt out' of this, as it is collected on the cellular provider side in correlation with the Google App tracking of IPs, triangulation, etc.)


So run out to use the most awesome 'kewl' Google service, just know how much power you are giving them, not only over you, but over the entire world, as even you emailing your grandma about a great new type of shirt you want will be used by Google in just their 'trend' research/prediciton.

If only they would start making the ToS so that they're not written in legalese and way longer than most documents. Then maybe someone would be able to read thru them.

Your previous article has been thoroughly picked apart for sloppy research, and now you say this:

"The recent changes to the Dropbox terms of service highlighted the fact that the company can do what they want with your files, although there is still some question on exactly what that means."

"Dropbox recently changed their terms of service so that they have the legal right to modify and distribute your data and while some maintain that it's only for use within the system"

Both are blatant lies.

First, they can not do whatever they want, and never had been able to. It was poorly worded with the new updated language but promptly corrected.

Second, the update was not supposed to make any substantive changes. Its only purpose was to clarify the language. It's absolutely amazing how you can take a clarification update with a couple of poorly worded sentences (which were loudly pointed out to Dropbox by the users, by the way), blow it way out of proportion, then milk two whole articles out of it.

primexx said,
Your previous article has been thoroughly picked apart for sloppy research, and now you say this:

"The recent changes to the Dropbox terms of service highlighted the fact that the company can do what they want with your files, although there is still some question on exactly what that means."

"Dropbox recently changed their terms of service so that they have the legal right to modify and distribute your data and while some maintain that it's only for use within the system"

Both are blatant lies.

First, they can not do whatever they want, and never had been able to. It was poorly worded with the new updated language but promptly corrected.

Second, the update was not supposed to make any substantive changes. Its only purpose was to clarify the language. It's absolutely amazing how you can take a clarification update with a couple of poorly worded sentences (which were loudly pointed out to Dropbox by the users, by the way), blow it way out of proportion, then milk two whole articles out of it.

The fact of the matter is nobody knows exactly what it means BECAUSE it's so vague. They may not MEAN for it to be vague and it may have only been MEANT to have been a clarification, but a lawyer would easily be able to argue that "necessary for the service" could be (for example) marketing. Compared to a company like Spideroak, who clearly states they WILL NOT and CAN NOT look at your files, I'd say Dropbox falls into the"potentially evil" category. Sorry if you disagree.

Edited by Fezmid, Jul 4 2011, 6:44pm : Removed comment that could be considered offensive

Fezmid said,

The fact of the matter is nobody knows exactly what it means BECAUSE it's so vague. They may not MEAN for it to be vague and it may have only been MEANT to have been a clarification, but a lawyer would easily be able to argue that "necessary for the service" could be (for example) marketing. Compared to a company like Spideroak, who clearly states they WILL NOT and CAN NOT look at your files, I'd say Dropbox falls into the"potentially evil" category. Sorry if you disagree.

I don't disagree with this comment at all. I do, however, have a problem with the claims you made in your articles.

"The recent changes to the Dropbox terms of service highlighted the fact that the company can do what they want with your files, although there is still some question on exactly what that means."

Yes, there are questions on what exactly the terms mean, but it has never ever been possible to interpret it as "can do what they want", with any version of the terms of services that I have seen.

"Dropbox recently changed their terms of service so that they have the legal right to modify and distribute your data and while some maintain that it's only for use within the system"

If they have those rights, they would have had them since before the new terms. They didn't just change their terms in substantive ways to give themselves new rights.

I don't think it's necessary to pick apart your earlier one again since it seems the comments to that article already did a very good job of that.

Report the news, but don't spread ill-researched fud or jump on the twitter bandwagon just to generate views.

allwynd said,
just make a list of the ones who aint evil
SpiderOak, for one. I'm largely ditching dropbox for them because they do not store (or even know) my encryption key.

Plus I got 6GB free storage on SpiderOak using promo code "worldbackupday" and this link http://bit.ly/lYhjjS.

Good read. This definitively would have helped me with the whole tethering issue and AT&T. You see, when i signed the contract over a year ago, it didn't have that clause. But, they just put, "reserve right to change..." and they can do anything.