Google Drive and the data ownership panic

Google Drive launched a couple days ago and some new publications are already writing about possible data ownership issues. It’s a common concern whenever a new service launches or website terms and conditions change. Darren Smith pointed me to an article by C|Net titled “Who owns your files on Google Drive?” which had a somewhat confused focus and an unnecessarily alarming conclusion represented by this tagline:

Dropbox and Microsoft’s SkyDrive allow you to retain your copyright and IP rights to the work you upload to the service, but Google Drive takes everything you own.

I took a look at Dropbox’s, Microsoft’s and Google’s terms and conditions to test this conclusion.

Dropbox’s terms and conditions

The C|Net post focused on this clause in the Dropbox terms which are only part of the story when it comes to Dropbox’s terms:

By using our Services you provide us with information, files, and folders that you submit to Dropbox (together, “your stuff”). You retain full ownership to your stuff. We don’t claim any ownership to any of it. These Terms do not grant us any rights to your stuff or intellectual property except for the limited rights that are needed to run the Services, as explained below.

This clause clearly states that Dropbox doesn’t claim ownership of your data but the more important set of provisions are those dealing with the license Dropbox takes from its users when it comes to accessing and making use of the data you upload to Dropbox. Bear in mind that all of these services will have a license of some sort. A license is a set of permissions you, as the user, give to the provider and that enables the provider to receive, manipulate and otherwise handle your data. It’s an essential component and nothing to be alarmed by in itself (at least not if you are comfortable with the basic idea of a provider having access to your data as part of your use of the particular service).

Dropbox’s license provisions are pretty vague. Here are the key clauses:

We may need your permission to do things you ask us to do with your stuff, for example, hosting your files, or sharing them at your direction. This includes product features visible to you, for example, image thumbnails or document previews. It also includes design choices we make to technically administer our Services, for example, how we redundantly backup data to keep it safe. You give us the permissions we need to do those things solely to provide the Services. This permission also extends to trusted third parties we work with to provide the Services, for example Amazon, which provides our storage space (again, only to provide the Services).

To be clear, aside from the rare exceptions we identify in our Privacy Policy, no matter how the Services change, we won’t share your content with others, including law enforcement, for any purpose unless you direct us to. How we collect and use your information generally is also explained in our Privacy Policy.

Sharing Your Stuff

The Services provide features that allow you to share your stuff with others or to make it public. There are many things that users may do with that stuff (for example, copy it, modify it, re-share it). Please consider carefully what you choose to share or make public. Dropbox has no responsibility for that activity.

The basic idea is clear, though. Dropbox requires your permission to run its service and you agree to give it whatever permissions it requires to do that. The problem with this simplistic approach is that it is too simplistic and vague. As a user you don’t really know what the license’s parameters are beyond whatever is not required to operate the service.

Microsoft Services Agreement

These terms and conditions are not limited to SkyDrive but apply to a range of Microsoft services:

It’s a contract that governs your use of any Windows Live, Bing, MSN, Microsoft Office Live, or Office.com services or software, or other Microsoft services or software that directly display or link to this agreement (the “service”). By using or accessing the service, you confirm that you agree to these terms. If you don’t agree, don’t use the service. Thanks.

This is significant because, unlike with Dropbox where your license relates to a fairly specific service, the license you grant to Microsoft encompasses a variety of services which are increasingly interconnected. This is very similar to Google’s terms (below). These terms and conditions are more specific than Dropbox’s licensing provisions and also contain a statement that Microsoft doesn’t claim ownership of users’ data:

5. Your content

Except for material that we license to you, we don’t claim ownership of the content you provide on the service. Your content remains your content. We also don’t control, verify, or endorse the content that you and others make available on the service.

You control who may access your content. If you share content in public areas of the service or in shared areas available to others you’ve chosen, then you agree that anyone you’ve shared content with may use that content. When you give others access to your content on the service, you grant them free, nonexclusive permission to use, reproduce, distribute, display, transmit, and communicate to the public the content solely in connection with the service and other products and services made available by Microsoft. If you don’t want others to have those rights, don’t use the service to share your content.

You understand that Microsoft may need, and you hereby grant Microsoft the right, to use, modify, adapt, reproduce, distribute, and display content posted on the service solely to the extent necessary to provide the service.

Please respect the rights of artists, inventors, and creators. Content may be protected by copyright. People appearing in content may have a right to control the use of their image. If you share content on the service in a way that infringes others’ copyrights, other intellectual property rights, or privacy rights, you’re breaching this contract. You represent and warrant that you have all the rights necessary for you to grant the rights in this section and the use of the content doesn’t violate any law. We won’t pay you for your content. We may refuse to publish your content for any or no reason. We may remove your content from the service at any time if you breach this contract or if we cancel or suspend the service.

You’re responsible for backing up the data that you store on the service. If your service is suspended or canceled, we may permanently delete your data from our servers. We have no obligation to return data to you after the service is suspended or canceled. If data is stored with an expiration date, we may also delete the data as of that date. Data that is deleted may be irretrievable.

A couple things emerge from these terms and conditions. Firstly, when you share your data with other people, you give them a limited license to use your data “solely in connection with the service and other products and services made by Microsoft”. Similarly, the license users grant to Microsoft in respect of their data is limited to permissions required “solely to the extent necessary to provide the service”.

Google’s terms and conditions

Google Drive is governed by Google’s Terms and the license provisions are fairly similar to Dropbox’s and SkyDrive’s, at least when it comes to the basic approach. As with the other two services, Google doesn’t claim ownership of your data. Here are the license provisions:

Your Content in our Services

Some of our Services allow you to submit content. You retain ownership of any intellectual property rights that you hold in that content. In short, what belongs to you stays yours.

When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones. This license continues even if you stop using our Services (for example, for a business listing you have added to Google Maps). Some Services may offer you ways to access and remove content that has been provided to that Service. Also, in some of our Services, there are terms or settings that narrow the scope of our use of the content submitted in those Services. Make sure you have the necessary rights to grant us this license for any content that you submit to our Services.

You can find more information about how Google uses and stores content in the privacy policy or additional terms for particular Services. If you submit feedback or suggestions about our Services, we may use your feedback or suggestions without obligation to you.

The license Google users grant to Google is notionally for the “limited purpose of operating, promoting, and improving our Services, and to develop new ones” but it is somewhat open ended in that Google could develop new services or modify existing ones that require your data to be used in ways you couldn’t have anticipated when signing up. This is fairly similar to Microsoft’s Services Agreement which also uses one license for all its services.

What does this all mean?

The C|Net article contains this rather alarming set of statements:

The last sentence makes all the difference. While these rights are limited to essentially making Google Drive better and to develop new services run by Google, the scope is not defined and could extend far further than one would expect.

Simply put: there’s no definitive boundary that keeps Google from using what it likes from what you upload to its service.

The chances are Google’s terms will never be an issue — and it is likely over-zealous lawyers making sure Google doesn’t somehow get screwed in the long run by a lawsuit — but it may be enough to push away a great number of entrepreneurs and creative workers who rely on holding on to the rights to their own work.

The fact is, according to its terms, Google may own any code or product you ultimately upload to its new Google Drive service, whether you realise it or not.

These statements, particularly the last one, are factually incorrect and misleading. They are also not uncommon when journalists attempt to navigate terms and conditions without the time or inclination to read them carefully. Google doesn’t claim ownership of its users’ data. Its license is fairly broad and that is understandable given the wide range of services it offers. At the same time, there is scope for the already broad license to be applied in ways users may not have considered. The specific permissions users grant to Google are substantially the same as those users grant to Microsoft (Google is more specific and lists more individual permissions but they are not fundamentally different). 

The big difference here is between Dropbox’s terms, on one hand, and Google’s and Microsoft’s on the other hand. Dropbox offers a fairly specific set of services so users have more certainty as to what they are licensing Dropbox to do with their data. Google and Microsoft offer a range of interconnected services governed by a single legal framework and the potential scope for their licenses is far broader when you consider that their users may be using a variety of Google and Microsoft services with different functionality.

I’ve seen license provisions which are far more onerous in the past. The big culprit back in 2007 was Facebook with this gem:

When you post User Content to the Site, you authorize and direct us to make such copies thereof as we deem necessary in order to facilitate the posting and storage of the User Content on the Site. By posting User Content to any part of the Site, you automatically grant, and you represent and warrant that you have the right to grant, to the Company an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to use, copy, publicly perform, publicly display, reformat, translate, excerpt (in whole or in part) and distribute such User Content for any purpose on or in connection with the Site or the promotion thereof, to prepare derivative works of, or incorporate into other works, such User Content, and to grant and authorize sublicenses of the foregoing. You may remove your User Content from the Site at any time. If you choose to remove your User Content, the license granted above will automatically expire, however you acknowledge that the Company may retain archived copies of your User Content.

This license was as close to an assumption of ownership as Facebook has ever come. It was so close to assuming ownership that the difference between ownership and licensing user content was a matter of semantics. The controversies over the Facebook terms did a lot to create more awareness of users’ expectations and what it means to be a better licensor. The current generation of terms and conditions reflect that, for the most part (there are still some shockers). These modern licenses are clearer, limited in varying degrees but are often necessarily broad to enable these services to function effectively. I agree with the one statement in the C|Net article, though –

It always pays to read the fine print.

What Dropbox’s revised Terms of Service mean for you

Esuslogo101409

When Dropbox amended its Terms of Service it sparked a controversy about the popular file sharing and cloud-based storage service’s apparent user content grab. As with virtually all controversies about expanded content licensing provisions, many users feared Dropbox was claiming ownership of their content. This is not correct at all but the amended license provisions are cause for concern for a number of other reasons.

The clause which sparked the controversy was amended between the time the new Terms of Service first went up and about a day later when Dropbox clarified its position after receiving quite a bit of feedback from users. The introduction to the Terms of Service (with defined terms) and the current licensing provisions are as follows:

Dropbox Terms of Service

Thank you for using Dropbox! These terms of service (the “Terms”) govern your access to and use of Dropbox (“we” or “our”) websites and services (the “Services”), so please carefully read them before using the Services.

By using the Services you agree to be bound by these Terms. If you are using the Services on behalf of an organization, you are agreeing to these Terms for that organization and promising that you have the authority to bind that organization to these terms. In that case, “you” and “your” will refer to that organization.

You may use the Services only in compliance with these Terms. You may use the Services only if you have the power to form a contract with Dropbox and are not barred under any applicable laws from doing so. The Services may continue to change over time as we refine and add more features. We may stop, suspend, or modify the Services at any time without prior notice to you. We may also remove any content from our Services at our discretion.

The starting point is that you agree to these Terms of Service by using the Dropbox service. This is a common provision in Terms of Service. You very rarely have a workable model involving users actually signing a piece of paper or negotiating terms and conditions for their access to the service. That sort of thing becomes almost impossible to manage satisfactorily if you are negotiating on an individual basis with large groups of users and retain a hope of providing a consistent service. This clause typically ties into another clause that allows the service to make changes to the Terms of Service which you agree to by continuing to make use of the service.

Not only do you bind yourself but if you are using Dropbox in an organisation then you are also representing to Dropbox that you have the necessary authority to bind the organisation too. That can be quite a leap to take so if your organisation makes use of Dropbox (there are business packages) then you really should make sure that someone who does have authority to bind the organisation has read the Terms of Service and is comfortable binding the company. This may sound a little silly but there are legal principles dealing with principals and agents which would come into play here.

Your Stuff & Your Privacy

By using our Services you may give us access to your information, files, and folders (together, “your stuff”). You retain ownership to your stuff. You are also solely responsible for your conduct, the content of your files and folders, and your communications with others while using the Services.

We sometimes need your permission to do what you ask us to do with your stuff (for example, hosting, making public, or sharing your files). By submitting your stuff to the Services, you grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent reasonably necessary for the Service. This license is solely to enable us to technically administer, display, and operate the Services. You must ensure you have the rights you need to grant us that permission.

How we use your stuff is also governed by the Dropbox Privacy Policy, which you acknowledge. You acknowledge that Dropbox has no obligation to monitor any information on the Services, even though we may do so. We are not responsible for the accuracy, completeness, appropriateness, or legality of files, user posts, or any other information you may be able to access using the Services. We may disclose information about your account or your stuff to law enforcement officials as outlined in our Privacy Policy.

This clause contains the controversial licensing provisions. Like virtually any Web-based service you are required to grant the service a fairly broad license to enable it to render the service. The reason for this is that copyright law grants copyright owners (often the users) exclusive rights over their content. These rights are often the rights a service like Dropbox needs to exercise just to be able to receive your content and manipulate it as part of the service. A license is a set of permissions which enables Dropbox to do this. The big question is whether the license Dropbox takes goes further than is necessary (the Twitpic terms are a good example of terms which really go too far).

In the case of Dropbox’s Terms of Service the terms were clarified to emphasize the following:

This license is solely to enable us to technically administer, display, and operate the Services.

That said, there are a couple aspects of the license which leave it somewhat open to interpretation and abuse. For starters you grant the license to Dropbox as well as “those we work with to provide the Services”. The problem is that Dropbox doesn’t clarify who “those we work with” are. Given that those people, whoever they are, are also granted a “worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff” is a concern, even if they too are granted the license “to the extent reasonably necessary for the Service” (whatever form that may take over time).

One of the key sentences in the license which potentially places a number of users immediately in breach of the Terms of Service is the following:

You must ensure you have the rights you need to grant us that permission.

This sentence is a statement of one of the fundamentals of content licensing, namely that you can only pass the rights you have. What this means in the context of the license itself is that users have to ensure that any licenses they have over “stuff” they store in Dropbox must have all the following license elements:

  1. worldwide;
  2. non-exclusive;
  3. royalty-free;
  4. sublicenseable rights to use, copy, distribute, prepare derivative works of, perform or publicly display.

This might seem like mumbo jumbo but some content may only be available under licenses which are more restrictive that the license in the Dropbox Terms of Service. The licenses over that content may be personal, incapable of being sub-licensed or even be exclusive to the user concerned. What this means is that the content the user stores in Dropbox and which is subject to a more restrictive license than the Dropbox license requires lack “the rights you need to grant us that permission”. That means the user is in breach of the Terms of Service. Consider the “stuff” you store in Dropbox and ask yourself if you are sufficiently familiar with the licenses which may apply to that “stuff” to be able to give Dropbox the permissions it demands in its Terms of Service. If some of that stuff includes downloaded music, photographs subject to someone else’s copyright or even ebooks and other documents then the odds are that that “stuff” should not be stored in Dropbox.

On the privacy side, one of the big concerns is the revelation that Dropbox not only has the decryption keys for your encrypted data uploaded directly to Dropbox (I understand that the service encrypts uploads to keep them secure) but that it will decrypt data should law enforcement officials demand it with the appropriate authority. The privacy policy includes the following provision:

Compliance with Laws and Law Enforcement Requests; Protection of Dropbox’s Rights. We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) to protect Dropbox’s property rights. If we provide your Dropbox files to a law enforcement agency as set forth above, we will remove Dropbox’s encryption from the files before providing them to law enforcement. However, Dropbox will not be able to decrypt any files that you encrypted prior to storing them on Dropbox.

This seems to be something Dropbox would be required to do if access to encrypted data was required by law enforcement so if security is a priority for you, I believe a solution is to encrypt the data on your drive before it is uploaded so Dropbox receives encrypted data from the start which it then applies its own encryption to. If Dropbox has to remove its own encryption, your original encryption should protect your data. I stand to be corrected about the mechanics here though.

What was perhaps most noteworthy about this controversy is how transparent the Dropbox team has been and its willingness to engage with its users and respond to their feedback. While its transparency doesn’t detract from the issues in its Terms of Service and Privacy Policy, it does indicate the team is willing to discuss its users’ concerns and possibly even address them.

Update: There are a number of terrific posts about the Dropbox Terms of Service. Here are two which came highly recommended in my Google+ stream in the last day or two: