What Dropbox’s revised Terms of Service mean for you


When Dropbox amended its Terms of Service it sparked a controversy about the popular file sharing and cloud-based storage service’s apparent user content grab. As with virtually all controversies about expanded content licensing provisions, many users feared Dropbox was claiming ownership of their content. This is not correct at all but the amended license provisions are cause for concern for a number of other reasons.

The clause which sparked the controversy was amended between the time the new Terms of Service first went up and about a day later when Dropbox clarified its position after receiving quite a bit of feedback from users. The introduction to the Terms of Service (with defined terms) and the current licensing provisions are as follows:

Dropbox Terms of Service

Thank you for using Dropbox! These terms of service (the “Terms”) govern your access to and use of Dropbox (“we” or “our”) websites and services (the “Services”), so please carefully read them before using the Services.

By using the Services you agree to be bound by these Terms. If you are using the Services on behalf of an organization, you are agreeing to these Terms for that organization and promising that you have the authority to bind that organization to these terms. In that case, “you” and “your” will refer to that organization.

You may use the Services only in compliance with these Terms. You may use the Services only if you have the power to form a contract with Dropbox and are not barred under any applicable laws from doing so. The Services may continue to change over time as we refine and add more features. We may stop, suspend, or modify the Services at any time without prior notice to you. We may also remove any content from our Services at our discretion.

The starting point is that you agree to these Terms of Service by using the Dropbox service. This is a common provision in Terms of Service. You very rarely have a workable model involving users actually signing a piece of paper or negotiating terms and conditions for their access to the service. That sort of thing becomes almost impossible to manage satisfactorily if you are negotiating on an individual basis with large groups of users and retain a hope of providing a consistent service. This clause typically ties into another clause that allows the service to make changes to the Terms of Service which you agree to by continuing to make use of the service.

Not only do you bind yourself but if you are using Dropbox in an organisation then you are also representing to Dropbox that you have the necessary authority to bind the organisation too. That can be quite a leap to take so if your organisation makes use of Dropbox (there are business packages) then you really should make sure that someone who does have authority to bind the organisation has read the Terms of Service and is comfortable binding the company. This may sound a little silly but there are legal principles dealing with principals and agents which would come into play here.

Your Stuff & Your Privacy

By using our Services you may give us access to your information, files, and folders (together, “your stuff”). You retain ownership to your stuff. You are also solely responsible for your conduct, the content of your files and folders, and your communications with others while using the Services.

We sometimes need your permission to do what you ask us to do with your stuff (for example, hosting, making public, or sharing your files). By submitting your stuff to the Services, you grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent reasonably necessary for the Service. This license is solely to enable us to technically administer, display, and operate the Services. You must ensure you have the rights you need to grant us that permission.

How we use your stuff is also governed by the Dropbox Privacy Policy, which you acknowledge. You acknowledge that Dropbox has no obligation to monitor any information on the Services, even though we may do so. We are not responsible for the accuracy, completeness, appropriateness, or legality of files, user posts, or any other information you may be able to access using the Services. We may disclose information about your account or your stuff to law enforcement officials as outlined in our Privacy Policy.

This clause contains the controversial licensing provisions. Like virtually any Web-based service you are required to grant the service a fairly broad license to enable it to render the service. The reason for this is that copyright law grants copyright owners (often the users) exclusive rights over their content. These rights are often the rights a service like Dropbox needs to exercise just to be able to receive your content and manipulate it as part of the service. A license is a set of permissions which enables Dropbox to do this. The big question is whether the license Dropbox takes goes further than is necessary (the Twitpic terms are a good example of terms which really go too far).

In the case of Dropbox’s Terms of Service the terms were clarified to emphasize the following:

This license is solely to enable us to technically administer, display, and operate the Services.

That said, there are a couple of aspects of the license which leave it somewhat open to interpretation and abuse. For starters you grant the license to Dropbox as well as “those we work with to provide the Services”. The problem is that Dropbox doesn’t clarify who “those we work with” are. That those people, whoever they are, are also granted “worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff” is a concern, even if they too are granted the license “to the extent reasonably necessary for the Service” (whatever form that may take over time).

One of the key sentences in the license which potentially places a number of users immediately in breach of the Terms of Service is the following:

You must ensure you have the rights you need to grant us that permission.

This sentence is a statement of one of the fundamentals of content licensing, namely that you can only pass the rights you have. What this means in the context of the license itself is that users have to ensure that any licenses they hold over “stuff” they store in Dropbox have all the following license elements:

  1. worldwide;
  2. non-exclusive;
  3. royalty-free;
  4. sublicenseable rights to use, copy, distribute, prepare derivative works of, perform or publicly display.

This might seem like mumbo jumbo but some content may only be available under licenses which are more restrictive than the license in the Dropbox Terms of Service. The licenses over that content may be personal, incapable of being sub-licensed or even be exclusive to the user concerned. What this means is that content which the user stores in Dropbox and which is subject to a more restrictive license than the Dropbox license requires lacks “the rights you need to grant us that permission”. That means the user is in breach of the Terms of Service. Consider the “stuff” you store in Dropbox and ask yourself if you are sufficiently familiar with the licenses which may apply to that “stuff” to be able to give Dropbox the permissions it demands in its Terms of Service. If some of that stuff includes downloaded music, photographs subject to someone else’s copyright or even ebooks and other documents then the odds are that that “stuff” should not be stored in Dropbox.

On the privacy side, one of the big concerns is the revelation that Dropbox not only has the decryption keys for your encrypted data uploaded directly to Dropbox (I understand that the service encrypts uploads to keep them secure) but that it will decrypt data should law enforcement officials demand it with the appropriate authority. The privacy policy includes the following provision:

Compliance with Laws and Law Enforcement Requests; Protection of Dropbox’s Rights. We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) to protect Dropbox’s property rights. If we provide your Dropbox files to a law enforcement agency as set forth above, we will remove Dropbox’s encryption from the files before providing them to law enforcement. However, Dropbox will not be able to decrypt any files that you encrypted prior to storing them on Dropbox.

This seems to be something Dropbox would be required to do if access to encrypted data was required by law enforcement so if security is a priority for you, I believe a solution is to encrypt the data on your drive before it is uploaded so Dropbox receives encrypted data from the start which it then applies its own encryption to. If Dropbox has to remove its own encryption, your original encryption should protect your data. I stand to be corrected about the mechanics here though.
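The layering described above, as an added example that is not part of the original post and is not Dropbox's code: the user seals a file locally, a storage provider wraps it in its own layer, and the provider then removes only that layer. The function names, the keys, the sample file and the choice of AES-256-GCM for both layers are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newAEAD(key []byte) (cipher.AEAD, error) { // a 32-byte key selects AES-256-GCM
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext||tag, using a fresh random nonce per call.
func seal(a cipher.AEAD, pt []byte) []byte {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // cannot encrypt safely without randomness
	}
	return a.Seal(nonce, nonce, pt, nil)
}

func open(a cipher.AEAD, sealed []byte) ([]byte, error) { // fails on wrong key or tampering
	if len(sealed) < a.NonceSize() {
		return nil, fmt.Errorf("sealed data too short: %d bytes", len(sealed))
	}
	return a.Open(nil, sealed[:a.NonceSize()], sealed[a.NonceSize():], nil)
}

// disclosure returns what the provider can hand over and whether its key reads it.
func disclosure(user, provider cipher.AEAD, file []byte) ([]byte, bool, error) {
	atRest := seal(provider, seal(user, file)) // user seals first, provider wraps it
	handedOver, err := open(provider, atRest)  // provider removes only its own layer
	if err != nil {
		return nil, false, err
	}
	_, innerErr := open(provider, handedOver) // provider key against the user's layer
	return handedOver, innerErr == nil, nil
}

func main() { // constructed demo keys and file; real keys come from a CSPRNG or KDF
	user, _ := newAEAD([]byte("constructed user key, 32 bytes.."))
	provider, _ := newAEAD([]byte("constructed provider key 32 byte"))
	out, readable, err := disclosure(user, provider, []byte("constructed sample file"))
	fmt.Println(len(out), readable, err)
}
```

The inner layer protects file contents only, and only for as long as the user's key is kept out of the synced folder.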

What was perhaps most noteworthy about this controversy is how transparent the Dropbox team has been and its willingness to engage with its users and respond to their feedback. While its transparency doesn’t detract from the issues in its Terms of Service and Privacy Policy, it does indicate the team is willing to discuss its users’ concerns and possibly even address them.

Update: There are a number of terrific posts about the Dropbox Terms of Service. Here are two which came highly recommended in my Google+ stream in the last day or two:
