Dropbox Redux: They Don't Really Own Your Stuff


Howard Marks

July 7, 2011


As I blogged last week, I was until recently an enthusiastic Dropbox user. I've therefore been sitting on the sidelines and watching with amazement as a kerfuffle of unusual size has been brewing among Dropbox users. Now articles and blog posts with titles like "Dropbox Updates Terms Of Service - Now Owns All Your Stuff" and "All Your Files Are Belong To Them" and the rabid comments they generate are driving more users away from the still popular service.

Frankly, Dropbox management has no one to blame but themselves on this one. They not only had the poor judgment to release new terms of service less than 10 days after leaving their users' data accessible without password protection, but doubled down by issuing the changes on the Friday before a three-day holiday weekend. That allowed the echo chamber of the tech blogosphere to have a field day with the company's little update.

In an even bigger mistake, Dropbox execs let the lawyers write the new terms of service. So, the same people who would happily argue that loading an application from disk into memory would qualify as a possible copyright violation if the publisher didn't grant you that particular license are now in charge of protecting their client, Dropbox, from possible lawsuits from you, the actual customer and presumably copyright holder.

So, the terms of service say, "By submitting your stuff to the Services, you grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free sub-licenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent we think it necessary for the Service. You must ensure you have the rights you need to grant us that permission." I think we can all agree that to store, back up and let me retrieve my stuff, Dropbox would need a license to use and copy that stuff. That license should be non-exclusive--I may want to license someone else, too--and royalty-free since having Dropbox pay me for the right to store my stuff doesn't seem like a good business model.

I have a bit more of a problem with performance and public display licenses, but I'm sure some lawyer thought retrieving a file over the web at a public kiosk constituted a public performance. The key here is the phrase "to the extent we think it necessary for the Service." While I'm not an attorney, I've worked with enough of them to know that if Dropbox took the photo of your puppy and used it in an advertising campaign, as one blog comment suggested, an expensive lawsuit would ensue. Try anything a reasonable man wouldn't consider necessary to run Dropbox and lawsuits will run rampant.

Then there's the term "Sub-licensable" that folks are picking out as unique to Dropbox and its nefarious plans to sell your garage band's music and make millions. Well, like many other Web 2.0 companies, Dropbox doesn't have its own data centers and EMC storage, but uses Amazon's public cloud services to host the service. Some lawyer figured out that if Amazon ran a backup and Dropbox hadn't sub-licensed Amazon to be able to make copies, that would technically be a copyright infringement. So Dropbox thinks it needs a sub-license.

Of course, some of the Sturm und Drang was about the term "to the extent we think it necessary for the Service," with folks screaming that this meant that if Dropbox just thought it might need to, say, release your student film and make millions, then it could. So Dropbox updated the ToS again to read, "You grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent reasonably necessary for the Service. This license is solely to enable us to technically administer, display, and operate the Services."

The latest ToS seems reasonable to me and, by the way, comparable to other similar services like Box.net or SugarSync, which is working pretty well for me so far. To paraphrase security expert Bruce Schneier, "If you expect a cloud provider to do anything more interesting than simply store your files for you and give them back to you at a later date, they are going to have to license them the access they think they need to do whatever interesting things you want them to do." As for some of the professionally offended, methinks they doth protest too much.

P.S.: Dropbox announced a third rev to the ToS that should help unbunch some people’s panties:

…By using our Services you provide us with information, files, and folders that you submit to Dropbox (together, “your stuff”). You retain full ownership to your stuff. We don’t claim any ownership to any of it. These Terms do not grant us any rights to your stuff or intellectual property except for the limited rights that are needed to run the Services, as explained below.

We may need your permission to do things you ask us to do with your stuff, for example, hosting your files, or sharing them at your direction. This includes product features visible to you, for example, image thumbnails or document previews. It also includes design choices we make to technically administer our Services, for example, how we redundantly backup data to keep it safe. You give us the permissions we need to do those things solely to provide the Services. This permission also extends to trusted third parties we work with to provide the Services, for example Amazon, which provides our storage space (again, only to provide the Services).

To be clear, aside from the rare exceptions we identify in our Privacy Policy, no matter how the Services change, we won’t share your content with others, including law enforcement, for any purpose unless you direct us to. How we collect and use your information generally is also explained in our Privacy Policy…

About the Author(s)

Howard Marks

Network Computing Blogger

Howard Marks is founder and chief scientist at Deepstorage LLC, a storage consultancy and independent test lab based in Santa Fe, N.M. and concentrating on storage and data center networking. In more than 25 years of consulting, Marks has designed and implemented storage systems, networks, management systems and Internet strategies at organizations including American Express, J.P. Morgan, Borden Foods, U.S. Tobacco, BBDO Worldwide, Foxwoods Resort Casino and the State University of New York at Purchase. The testing at DeepStorage Labs is informed by that real world experience.

He has been a frequent contributor to Network Computing and InformationWeek since 1999 and a speaker at industry conferences including Comnet, PC Expo, Interop and Microsoft's TechEd since 1990. He is the author of Networking Windows and co-author of Windows NT Unleashed (Sams).

He is co-host, with Ray Lucchesi, of the monthly Greybeards on Storage podcast where the voices of experience discuss the latest issues in the storage world with industry leaders. You can find the podcast at: http://www.deepstorage.net/NEW/GBoS
