Dropbox can legally sell all of your files [Update]

Dropbox, a popular tool used for sharing files between computers and friends, recently updated their Terms of Service. They attempted to reduce some of the tedious legalese in order to make it easier for normal people to understand. It appears that they have succeeded in that mission and in the process have taken ownership of every file that uses their service. The section relating to “Your Stuff & Your Privacy” spells out the policy change as follows:

“We sometimes need your permission to do what you ask us to do with your stuff (for example, hosting, making public, or sharing your files). By submitting your stuff to the Services, you grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent we think it necessary for the Service. You must ensure you have the rights you need to grant us that permission.”

This broad terminology is frightening for end users because it clearly lets Dropbox take a person’s work, whether it is photographs, works of fiction, or scientific research, and gives the company the right to do whatever they want with no recourse from the original owner. Indeed, the company’s blog is full of concerns from users and many posts are claiming that they will be closing their accounts.

Dropbox has had a large number of security issues come up in recent months. Last month, a bug was discovered that allowed users into any account. In April it was discovered that Dropbox uses a simple database table for security and that an attacker can simply recreate the rows on their own machine to secretly access another user’s files. Also in April, Dropbox attempted to shut down an Open Source project that exploited the security issue.

As with any provider, it pays to read the terms of service. In many cases, they will surprise you.

Update: After an initial public outcry, Dropbox has added the following line to the end of their license agreement:

This license is solely to enable us to technically administer, display, and operate the Services.

While this is a step in the right direction, it still makes no sense as to why a product that is used to move files from one computer to another needs the ability to "prepare derivative works of" anyone's files. As always, beware of the terms of service for anything you sign up with even if that's easier said than done.

69 Comments

Here is the security statement of Spideroak
To those experienced people out there, does this look safe, private and secure??


"Security

We employ procedural and technological security measures that are reasonably designed to help protect your Personally-Identifiable Data from loss, unauthorized access, disclosure, alteration or destruction, which includes encryption, password protection, and other security measures to help prevent unauthorized access to your Personally-Identifiable Data. The data that you transmit as part of your use of the Services (“Storage Data”) is in encrypted form and SpiderOak does not have access to your Storage Data in its unencrypted form"

Doesn't Neowin actually read their sources properly before they make these articles?

The agreement specifically says they might need those rights to do what YOU ask them to do, and derivative works is all kind of conversions of your files.

I.e. they cannot display your pictures to the public (even if you put them in your public folder) without the risk of being sued if they do not have the rights according to the agreement. And if they want to translate a file, convert it to another format, resize an image, whatever it should be that makes changes to your files, that goes under derivative works.

And none of the Neowin users seem to read the agreement either, and just stop using the service without having looked into what the changes actually mean.

In short: Dropbox do not have any legal rights to sell your files.

hmm... see dropbox peeps are more than welcome to the Wallpapers, android Apps, and the odd ringtones I store in dropbox... I however don't store personal type data so I don't really care... I just use DB to transfer files from PC to Phone to my Work PC.

Also just tried SpiderOak, and I have to say I hate it!! I hate the interface, I hate the way it gets you to backup/sync things.. I found the whole experience horrid... dropbox.. simple.. put things in a folder bam!! it's sync'd.

kazgor said,
hmm... see dropbox peeps are more than welcome to the Wallpapers, android Apps, and the odd ringtones I store in dropbox... I however don't store personal type data so I don't really care... I just use DB to transfer files from PC to Phone to my Work PC.

Also just tried SpiderOak, and I have to say I hate it!! I hate the interface, I hate the way it gets you to backup/sync things.. I found the whole experience horrid... dropbox.. simple.. put things in a folder bam!! it's sync'd.

I use Spideroak just like Dropbox. I create a special directory on each PC that I backup and sync using Spideroak. Actually, Spideroak offers many more features than Dropbox.

It's a good thing I have almost nothing in mine. Nothing personal, especially. Just backed up some apps for my phone.

Did you know that, if you cancel your Dropbox account, your files still remain on their server? I got that message when I tried to close my account.

Solution to the problem is simple - encrypt your data with truecrypt or similar software before uploading to dropbox. On the other hand, do users really store on dropbox or similar services sensitive personal data?
Often when dropbox security is under question there always are mentioned alternatives (usually with ugly name) like spideroak, just wondering, if they really offer better security for data or it's just attempt to advertise.

If you upload files to "cloud storage" then you're trusting someone else to care for files and use due diligence not to invade your privacy. Or just encrypt your data before placing it on such services.

McDave said,
If you upload files to "cloud storage" then you're trusting someone else to care for files and use due diligence not to invade your privacy. Or just encrypt your data before placing it on such services.

You gonna start encrypting your websites now?

I'm not very fond of Dropbox and the new ToS - Of living in fear that actually someone can read my Data that I have uploaded - I've quit my Account there! I've used it for Collaboration but without privacy it suxxx... ^^

The terms make full sense. The derivative works from policy could simply be there to allow them to provide you with translated copies of the files in future versions for example (i.e. translate English language files to French). Without these terms they would be restricted to simply storing files.

tiddlie said,
The terms make full sense. The derivative works from policy could simply be there to allow them to provide you with translated copies of the files in future versions for example (i.e. translate English language files to French). Without these terms they would be restricted to simply storing files.

Yes, but why do they need to seek permission in such wide terms in advance? If I specifically ask them to translate my file into French, I can at the same time (implicitly or expressly) give them permission to do precisely that, but nothing more. I don't want anybody making derivative works from my stuff at any other time.

gb8080 said,

Yes, but why do they need to seek permission in such wide terms in advance? If I specifically ask them to translate my file into French, I can at the same time (implicitly or expressly) give them permission to do precisely that, but nothing more. I don't want anybody making derivative works from my stuff at any other time.

They say it's only to be able to provide the service that you signed up for. As tiddlie says, that in itself is a self-limiting term that means they can't go off and do what they want with it.

How many people would moan if Dropbox asked you to read the full terms of service/use every time you wanted to do anything? I imagine quite a few.

Congrats on spinning something positive into an evil conspiracy.

Dropbox updated the TOS to clarify their terms, there has not been (or, more accurately, there was not supposed to be) any substantive changes at all.

Since they announced the change, there have been a couple of legitimate concerns raised by the users. This is to be expected considering it's always tricky working with legal language, especially when their stated goal is to simplify the language. Following user feedback, they made updates to rectify the problems that have been identified.

This exact same scenario has actually happened before, also relating to the licence rights that they claimed. They also claimed too broad of rights and promptly updated the terms when suggested to do so. Name me one other company who changes their Terms of Service just because a couple of customers asked for it.

Were the author of this article to do any research at all, he would find that the wording is actually quite standard across the industry and very similar to the other services dealing with user-uploaded content. Go read Google's policy, for example.

Now, there are still outstanding concerns that I'd like to see addressed, specifically in relation to some licensee rights claimed for the purpose of public or shared files, which they could very well limit to those files only rather than applying to all the files. However this is a relatively minor point since the explicit limit of "only to the extent that they need to run the service" already provides a significant limitation.

well, after seeing this (I got the email), looks like I'll be shifting over to box.net, as it integrates quite well with my CR-48....it's just a matter of re-uploading everything...which doesn't make me happy..but at least what's mine is mine! (I have dropbox clients running on two workstations in my domain)

While this is a step in the right direction, it still makes no sense as to why a product that is used to move files from one computer to another needs the ability to "prepare derivative works of" anyone's files.

It does actually clarify this in the terms. It's so they can offer file conversion services.

wow where are all the people who were raving over dropbox now ?
LMAO u got owned! or maybe just ur files did lol

.... does the last phrase on that statement get overlooked, I think so.

"to the extent we think it necessary for the Service."

Wrap your heads around that. Basically as long as you keep your files on their service, all you are doing is giving them the right to manipulate those files as needed FOR the service. Blow stuff out of proportion much?

If Dropbox felt they needed to modify their tos (again) then I think we can agree that they themselves also felt that clarification was needed.

Xionanx said,
.... does the last phrase on that statement get overlooked, I think so.

"to the extent we think it necessary for the Service."

Wrap your heads around that. Basically as long as you keep your files on their service, all you are doing is giving them the right to manipulate those files as needed FOR the service. Blow stuff out of proportion much?


It's not blown out of proportion at all. Think about this situation: You're a professional photographer and you use Dropbox to share files between your laptop and desktop. Dropbox is in the process of doing a marketing campaign, including a redesign of their homepage. They look through your files and see a picture you took that would fit PERFECTLY on their homepage with only a few minor modifications. With these terms of service, they could use your image to promote their site and you'd have no recourse because you implicitly gave them the right to manipulate and redistribute, royalty-free, anything they need for the service.

Is that what they're really planning on doing? I'd hope not. But could they do it? Sure thing.

I stopped using Dropbox about 2 months ago and switched to Spideroak. I will never look back, Spideroak is way better!

riot said,
I stopped using Dropbox about 2 months ago and switched to Spideroak. I will never look back, Spideroak is way better!

thanks for the link, been looking for something other than dropbox!

I'm going to relocate my files then in that case. It sucks that Dropbox went that route but I can't afford to have them have at some of the files. Any private files are password protected but they include items like private keys for some servers I use.

On the last story about Dropbox to hit main page I commented that I would no longer be using the service and would be erasing all my data off the service. I followed through with that and have erased my data and stopped using Dropbox and this news post just reaffirms my previous decision.

The previous news piece was about their security problem where anyone could access any file from anyone's account (public or private) by logging in to the chosen victim's account without needing to supply a password.

Vice said,
On the last story about Dropbox to hit main page I commented that I would no longer be using the service and would be erasing all my data off the service. I followed through with that and have erased my data and stopped using Dropbox and this news post just reaffirms my previous decision.

The previous news piece was about their security problem where anyone could access any file from anyone's account (public or private) by logging in to the chosen victim's account without needing to supply a password.

Did you find a viable alternative?

Vice said,
On the last story about Dropbox to hit main page I commented that I would no longer be using the service and would be erasing all my data off the service. I followed through with that and have erased my data and stopped using Dropbox and this news post just reaffirms my previous decision.

The previous news piece was about their security problem where anyone could access any file from anyone's account (public or private) by logging in to the chosen victim's account without needing to supply a password.

But, do you know if erasing your files from Dropbox erases all the backup versions that are kept on the server? I suspect not. If you close your account, the files still remain on the server.

Just removed all my files from Dropbox now. I'm just gonna use it to share stuff now. Shame cus DB was good until these recent things going on.

Actually, upon doing my own research, it seems as though the sentence was taken way out of context.

By using our Services you may give us access to your information, files, and folders (together, “your stuff”). You retain ownership to your stuff. You are also solely responsible for your conduct, the content of your files and folders, and your communications with others while using the Services.

We sometimes need your permission to do what you ask us to do with your stuff (for example, hosting, making public, or sharing your files). By submitting your stuff to the Services, you grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent we think it necessary for the Service. You must ensure you have the rights you need to grant us that permission.

https://www.dropbox.com/terms

They have to seek ownership of your files to be legally able to copy them on their servers, and publicly share them with the rest of the world (if you have them in your Public folder). They don't plan on sneaking through your files and stealing your works, because in a court that would be unlikely to hold up. Copyright law still applies online.

what said,
Actually, upon doing my own research, it seems as though the sentence was taken way out of context.

https://www.dropbox.com/terms

They have to seek ownership of your files to be legally able to copy them on their servers, and publicly share them with the rest of the world (if you have them in your Public folder). They don't plan on sneaking through your files and stealing your works, because in a court that would be unlikely to hold up. Copyright law still applies online.

Good to see a more reasoned comment

what said,
Actually, upon doing my own research, it seems as though the sentence was taken way out of context.

Yes, you retain ownership of your files - but you give Dropbox the ability to do whatever they want with your files, all royalty-free, so they own them too. In addition "we sometimes need your permission" is extremely vague and since they don't state WHEN they need your permission, you have to assume that they can do whatever they want based on the following sentences. Unless, of course, you're ok with spending your money to challenge it in court in order to find out how pervasive it really is.

what said,
Actually, upon doing my own research, it seems as though the sentence was taken way out of context.

https://www.dropbox.com/terms

They have to seek ownership of your files to be legally able to copy them on their servers, and publicly share them with the rest of the world (if you have them in your Public folder). They don't plan on sneaking through your files and stealing your works, because in a court that would be unlikely to hold up. Copyright law still applies online.

Yep. I just looked and noticed that as well. They are not claiming ownership. You are just giving them permission to reuse some of the content. I do believe some common sense is going to be applied here. I have seen this set of statements elsewhere before.

*cough*facebook*cough*

time to upload lots of pictures/movies etc and get MPAA go after DB for complaining ownership of their work

Considering I mostly use Dropbox to transfer my files between work and home, this is most troubling. Looks like I will be canceling my membership.

Lexcyn said,
Well time to remove my CV and passport app from Dropbox then ... lol

I am pretty sure these services will always have their own backup copies of whatever files you have ever posted even if you delete the files, it would just not be listed in the directory for you, but they will have those files for sure.

yowan said,
Who cares, no one can open your stuff if you encrypt your files before uploading

Who cares, no one can open your ass if you wear locked down titanium underpants before going out. What a bright prospect, don't you think?

Only recently I was linked to an alternative to Dropbox. Might have to check that out now. They can't really claim it's personal backup if you lose the rights to everything you upload there.

what said,
Only recently I was linked to an alternative to Dropbox. Might have to check that out now. They can't really claim it's personal backup if you lose the rights to everything you upload there.

Care to share the alternative?

willdev said,

Care to share the alternative?

Rackspace Cloud or Amazon with Jungledisk isn't bad,

Yes you pay for storage but Jungledisk allows you to encrypt the data with your own Key, which means neither of the Cloud storage providers actually get to see what you're storing.

Suppose it depends what you want to store really

guess I won't be using Drop Box... What is with companies claiming ownership of user's content? It's not right at all.

M_Lyons10 said,
guess I won't be using Drop Box... What is with companies claiming ownership of user's content? It's not right at all.

They don't. They are just assuming the ability to redistribute if they want to. Read the TOS for yourself or a comment posted by another user below. You still retain ownership of your own files.

FlintyV said,
After all the recent security problems and now this I think it's time I found somewhere else...

Someone posted this in the last article about Dropbox's problems, seem to have better policies:

https://spideroak.com/

Edited by xendrome, Jul 2 2011, 3:21pm :

gtho said,
"And also in April, Dropbox attempted to that exploited that security issue"

What does that mean?


Bah, the link to another article got corrupted and ate the text. I'll fix it in a minute.

Fezmid said,

Bah, the link to another article got corrupted and ate the text. I'll fix it in a minute.

no worries, just thought I was reading it wrong

This is quite worrying, I wonder if this also applies to the paid service?

Might have to reconsider using this service now

Amazon cloud service does the same thing. It's stated upfront in the agreement when you sign up. I'm sure that's what every cloud service is doing too.

flexkeyboard said,
Amazon cloud service does the same thing. It's stated upfront in the agreement when you sign up. I'm sure that's what every cloud service is doing too.

And this is one of the reasons why some people, myself included, never cared for this so called Cloud and keep storing things in house.

Btw yes I can access, grant selective access, upload and download all the files stored as I, and only I decide to do.

IMO much better than hosted services.