Dropbox and Your Copyright

In
InklingBooks
Posts: 492
Joined: Sun Aug 12, 2007 11:16 pm
Platform: Mac
Location: Auburn, AL USA
Contact:

Sat Jul 02, 2011 2:55 pm Post

If you've got a Dropbox account, you've probably already received an email from them with the subject: "Updates to Dropbox Terms of Service and Privacy Statement." Unlike many other agreements, it is commendably easy to read and understand. But there has been some controversy over the fifth paragraph in the new "Terms of Service."

We sometimes need your permission to do what you ask us to do with your stuff (for example, hosting, making public, or sharing your files). By submitting your stuff to the Services, you grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent we think it necessary for the Service. You must ensure you have the rights you need to grant us that permission.


https://www.dropbox.com/terms#terms

On first pass, that sounds rather scary. If you post your soon-to-be-outrageously-successful novel on Dropbox, are you giving Dropbox permission publish it and even create translations or a movie based on it?

As a number of Slashdot posters have pointed out, however, that bit of legal boilerplate is common among the providers of online services. In our lawyer-afflicted society, it prevents nuisance lawsuits. Dropbox's ability to copy etc. is limited by the opening and closing terms:

We sometimes need your permission to do what you ask us to do with your stuff (for example, hosting, making public, or sharing your files).


and

... to the extent we think it necessary for the Service. You must ensure you have the rights you need to grant us that permission.


Since Dropbox is not in the book or movie-making business, publishing or making movies out of what we've written is not doing "what you ask us to do with your stuff" nor is it "necessary for the Service."

That said, those terms do point out that, at a practical level, we're still responsible for the legality and security of what we post online. As the last sentence in that paragraph points out, don't post to Slashdot material whose copyright you don't own or that isn't covered by fair use.

Also, especially given Dropbox's recent blunder in which it left its system totally unprotected by any passwords for several hours, it might be a good idea to encrypt the more critical material you post online. I've not tried them yet, but there are apparently ways to encrypt Dropbox folders. Doing that might be especially appropriate if you're using Dropbox as an off-site backup for an entire Scrivener book.

If Dropbox's security fails again and bad guys try to take advantage of that, even a modest amount of protection will probably mean that they go after easier game and leave your "stuff" alone.

--Michael W. Perry, Seattle

In
InklingBooks
Posts: 492
Joined: Sun Aug 12, 2007 11:16 pm
Platform: Mac
Location: Auburn, AL USA
Contact:

Mon Jul 04, 2011 4:13 am Post

I really should add that others feel differently. One very successful writer, David Hewson, recently announced in a blog post entitled "Bye, bye Dropbox. Great while it lasted," that:

After several happy years and many recommendations issued to others I just cancelled Dropbox.


The why are the terms I quoted previously. He goes on to say this about Dropbox's terms and those of similar services:

The trouble is they all say the same thing: I am granting rights to these services for my professional work. For ‘derivative works’ and ‘translations’ in the case of Dropbox. I’m a writer. I have confidential, valuable stuff on those servers. I’m not granting rights like that unless someone makes a very convincing case that they’re not going to be abused.


You can find his remarks here, along with comments by others:

http://www.davidhewson.com/blog/2011/7/ ... itted=true

I'm not worried myself. A year and half spent in a copyright dispute taught me about the strange world of law and its often covert motives. I suspect that by these terms Dropbox intends to cover itself, for instance, if some of their staff, without permission from higher up, find some popular author who has a Dropbox account, break into his account, and look at his upcoming book. For me, that's not a likely possibility, but for David Hewson it is. His blog notes this about him:

David has been commissioned to write the novels of the BAFTA award-winning Danish TV crime drama The Killing. The first book will appear in autumn 2012.


Given the popularity of The Killing, here and abroad, that's just the sort of "stuff" that a Dropbox staffer might want to get an advanced look at. If Dropbox got sued about that unintended action, it would probably want some sort of legal cover. This contract gives them the right to have the technological capability to look at what we are doing and puts the onus on the spying on a rogue staffer. It might not keep Dropbox from having to pay damages, but it would limit how large the settlement might be.

I will add that, if Dropbox doesn't intend to do the sorts of things that clause in the contract suggests to many writers, and I don't think they do, then they need to specifically state what they do not mean? After all, as they put it, "These updates are meant to make all our policies clearer and more transparent to you." For non-lawyers, those clauses are either very disturbing in their implications or they make Dropbox's policies less clear and less transparent.

One final note. If you go to Dropbox's blog posting about their new terms of service, you will see that they are trying to clarify what they mean in two July 2 updates (that's a Saturday over the July 4 weekend in the US). They have added the bolded sentence below.

You retain ownership to your stuff. You are also solely responsible for your conduct, the content of your files and folders, and your communications with others while using the Services.

We sometimes need your permission to do what you ask us to do with your stuff (for example, hosting, making public, or sharing your files). By submitting your stuff to the Services, you grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent reasonably necessary for the Service. This license is solely to enable us to technically administer, display, and operate the Services. You must ensure you have the rights you need to grant us that permission.


http://blog.dropbox.com/?p=846

That's still not as clear as I would like. I'd like them to state categorically what those terms do not mean. But the added sentence is much better and does make it clear that their stated purposes are solely technical. I have never thought Dropbox wanted to go into the business of publishing books or making movies. This at least makes that clear.

--Michael W. Perry, Seattle

Ta
Tacitus
Posts: 187
Joined: Sun Jun 17, 2007 10:33 am
Platform: Mac
Location: UK

Mon Jul 04, 2011 7:53 am Post

I agree with you regarding DropBox motives being basically intended to allow the service to function. Another point is that they need to have access to the files to cover themselves under US law. If the FBI turns up with a court order they are forced to comply, which opens up another can of worms regarding US companies storing personal information about UK citizens. Merely copying files from your machine to the cloud servers would probably fall within the legal definition of copying and without that ability, no cloud service could operate.

The only alternatives are SpiderOak or Wuala, which do the encryption on your machine so it is impossible, at least in theory, for either of the companies to read your stuff since the keys are stored locally. Whether either of these is as simple or reliable as DropBox is for others to judge.

TBH I don't think it matters which cloud service you use, the only way of ensuring security - at least so far as it is possible - is to do your own. Otherwise it is best to regard files stored there as world readable, whatever the PR blurb may tell you and make your decisions accordingly.

Over on the 1-Password forums I have seen references to an improved version of Knox, AgileBit's security encryption app http://agilebits.com/products/Knox. Given their own use of DropBox, I'm wondering whether they've developed an improved encryption app that works seamlessly with DropBox. If they have they'll be on to a winner, since few, if any, of the current solutions seem to be without problems.
History is a nightmare from which I am trying to escape

Hu
Hugh
Posts: 2412
Joined: Thu Mar 08, 2007 12:05 pm
Platform: Mac
Location: UK

Mon Jul 04, 2011 9:10 am Post

Experience has taught me that if a law or contract allows someone to do something, then at some point they’ll do it — however extreme, perverse of bizarre the circumstances, and despite what those who framed the law or contract say they actually intended.

But what I don’t understand is that if these changes really are so essential to Dropbox‘s idea of protecting itself, why, as David Hewson says, can Windows Live get away without them?
'Listen, some quiet night, when you've shirked your work that day. Do you hear
that distant, almost inaudible clicking sound? That's one of your
competitors, working away in the night in
Paris or London or Erie, PA.'

User avatar
Rayz
Posts: 508
Joined: Fri Sep 22, 2006 4:43 pm
Platform: Mac

Mon Jul 04, 2011 10:17 am Post

Why would they need to 'prepare derivative works'? What is that supposed to mean? I get the bit about having to reformat stuff, but this 'derative works' thing looks like a license to do whatever they want.

That was a very good summary, by the way.
As if I didn't talk enough: Dom on Writing

Pr
Prion
Posts: 96
Joined: Fri Aug 25, 2006 3:14 pm

Mon Jul 04, 2011 11:04 am Post

Tacitus wrote:Another point is that they need to have access to the files to cover themselves under US law.


I strongly believe that this is a common misconception but nevertheless a misconception. *If* a service provider has access to the contents of the files they are obliged to make them available to the authorities if so requested. They are *not* obliged to set up the service in a way that grants them access to the contents. If Dropbox only had access to the files but not their contents they would make the files available then and be fine. The law-compliance aspect can thus be excluded as their motivation.

If you know otherwise I'd love to hear about your sources.

Ta
Tacitus
Posts: 187
Joined: Sun Jun 17, 2007 10:33 am
Platform: Mac
Location: UK

Mon Jul 04, 2011 12:24 pm Post

They are *not* obliged to set up the service in a way that grants them access to the contents. If Dropbox only had access to the files but not their contents they would make the files available then and be fine
.
Which is why I mentioned SpiderOak and Wuala, both of which use client side encryption. The key is stored on your local machine so in theory at least, if required, either service can hand over an encrypted file and that's all.

As I said there's nothing whatever stopping anyone using DropBox from doing their own encryption prior to uploading the files. If the stuff is really important it's what you should be doing anyway, since once it leaves your hard drive you have little to no control over what happens, whatever the PR fluff might say and, however well intentioned the service provider. Drowning the ToS in sub-clauses to cover this or that eventuality, won't change that.
History is a nightmare from which I am trying to escape

Pr
Prion
Posts: 96
Joined: Fri Aug 25, 2006 3:14 pm

Mon Jul 04, 2011 4:19 pm Post

I did not say it was your misconception but nevertheless a common one. The sentence I singled out, taken in isolation, is often misused to offload the responsibility for creating a service that stores unencrypted information in the cloud to US legislation which is wrong, at least in its current state.

Dropbox and others are very reluctant to say why they chose to go that way. It remains their decision, of course, but the reliance on and further propagation of the myth that the decision was not theirs is odd.

Bd
Bdillahu
Posts: 54
Joined: Wed May 25, 2011 3:36 am
Platform: Mac, Win + Linux
Location: Atlanta, GA
Contact:

Thu Jul 07, 2011 2:41 am Post

FYI... the Dropbox folks have posted a clarification:

http://blog.dropbox.com/?p=867

Bruce

IR
IRJH
Posts: 46
Joined: Sat Jan 15, 2011 11:28 am
Platform: Mac + Windows

Thu Jul 07, 2011 6:50 pm Post

Dropbox has been excellent, the only FREE such service that really is useful I know of. Such hysteria is just useless. I had actually asked them directly before going hysteric all over the internet, that clarified things for me, I am so happy they are there.

Thanks for posting the link Bdillahu, I only hope they will continue. One should actually thank them.

In
InklingBooks
Posts: 492
Joined: Sun Aug 12, 2007 11:16 pm
Platform: Mac
Location: Auburn, AL USA
Contact:

Thu Jul 07, 2011 7:19 pm Post

Life Hacker looks at five major online synch services at:

http://lifehacker.com/5818908/dropbox-v ... ht-for-you

They detail the advantages and disadvantages of each. Those concerned about security might want to take a look at SpiderOak.

SpiderOak never stores or knows a user's password or the plaintext encryption keys which means not even SpiderOak employees can access the data. Our zero-knowledge privacy approach means we can never betray the trust of our user


Those needing more free space than the 2 GB that Dropbox offers, might want to look into Live Mesh and SugarSync. Each offers 5 GB.

User avatar
xiamenese
Posts: 3559
Joined: Mon Jan 29, 2007 1:32 am
Platform: Mac
Location: London or Exeter, UK.

Fri Jul 08, 2011 1:39 am Post

SpiderOak is OK. I used it for a while when the Great Firewall of China decided Dropbox was a threat to national security or something and blocked it. It does have advantages:

1) Security: if you're concerned about that, since the encryption keys are on your own computer, not on the server;
2) Organisation: you can designate any folders wherever they are on your hard disk to be synced with SpiderOak, not one main folder.

It has disadvantages:

1) You have to do much more work in maintaining what's on the server:
(a) it keeps historical backups but doesn't delete them, so if you're using it with something like Scrivener, each time Scrivener does an automatic backup, SpiderOak does so, but doesn't limit the number of them, so your space is rapidly eaten up and you have to purge it yourself;
(b) Files and folders deleted are also moved into an online trash which isn't emptied, so you have to purge them yourself, and you have to do so from the computer where the file originated, you can't do it from your other computer(s);
2) It has to run as an app with the window open all the time it is connected: my solution to the clutter was to put it in another space of its own, where I could access it if I wanted to, but where it was out of the way at all other times;
3) It is a port from Linux: it has a Linux interface with no attempt to make it Mac-like, though it is a personal matter whether that constitutes a real problem. It does require much more specific setting up than Dropbox for sharing files between computers.
4) (The one that made me stop using it) problems with the latest release: they released an update which was required, but it caused slow-downs while typing in Scrivener ... at least the slow-downs stopped when I no longer had SpiderOak running.

I don't know if this last point has been addressed as I haven't been using it. I still have my account and intend to sort out my space and use it like a fall-back storage system; I also have a .me account and a Dropbox account, once more accessible in China, and space on Box.net. I need to decide how to use them all to best advantage, but I'll wait until Lion is out, .me has transmogrified into iCloud, and I am on holiday and have more time to think about such things. One of the problems, though, is that to delete a fairly substantial amount of files on SpiderOak, I will have to reboot my MBP from the bootable back-up of its previous system installation, as the permissions on the files are linked to that incarnation of the MBP!

All that said, basically, I thought SpiderOak was good, reliable, synced tolerably quickly ... perhaps more quickly than DropBox, and I would be continuing to use it currently were it not for the slow-down it seemed to cause in Scrivener.

Mark
The Scrivenato sometimes known as Mr X.
rMBP 13" (early 2015) 10.13.3, 8GB RAM, 512GB SSID
MBP17" (late 2011) 10.13, 8GB RAM, 512GB SSID
iPad Air 2, iOS 11, 64GB
Scrivener, Scapple, Nisus Writer Pro, Bookends …

bo
bodsham
Posts: 187
Joined: Wed Jun 13, 2007 2:58 pm
Location: UK
Contact:

Tue Jul 12, 2011 3:59 pm Post

The Dropbox situation is frustrating. I don't believe they'd want to rip off people's work. But the general principle of having valuable confidential material on servers where others can read them worries me. At the moment I'm using Sugarsync in place of Dropbox. The free account gives you 5gb and frankly it seems superior to me - you can sync folders between different machines for example. But it is still unencrypted on their server which makes me uneasy.

I tried both Spideroak and Wuala too since both store encrypted data. Spideroak, as noted elsewhere here, is an ugly pain to manage. Wuala has the most astonishing T&Cs which state 'The user agrees, that by making data public, the user grants LaCie a free, worldwide, non-commerical right of use of such data as well as the right of commercial use for marketing purposes in connection with Wuala. [Without agreement to the contrary, a copyright notice is to be applied and the modification of data is prohibited.]'

It also states elsewhere that all data on the Wuala servers is encrypted and can't be read by Wuala. So quite what this means I've not a clue. But it puts me off - you bet it does.

Also in order to work you have to install a 64 bit Macfuse patch and the whole thing is just about as ugly and unintuitive as Spideroak. But I suspect I do need that encryption frankly. I just don't feel comfortable knowing that confidential work in progress is sitting on the web somewhere readable to others.

User avatar
xiamenese
Posts: 3559
Joined: Mon Jan 29, 2007 1:32 am
Platform: Mac
Location: London or Exeter, UK.

Wed Jul 13, 2011 2:24 pm Post

Just a further thought, though I haven't tried it out at all ...

I downloaded and installed (I think for a very modest price) from the MAS an app called "Concealer", which I understand allows you to encrypt particular folders you choose on your Mac. Just wondering if one couldn't use this to encrypt the Dropbox (or SugarSync) folder. Would that then be encrypted on the server? Would one be able to open the encrypted data on another machine?

Since it's come from the MAS, I have it on the MBA and the MBP, but I have had no time to play with it since installing it ... something else which'll have to wait a couple of weeks till I'm on holiday.

Anyone else tried Concealer at all?

Mark
The Scrivenato sometimes known as Mr X.
rMBP 13" (early 2015) 10.13.3, 8GB RAM, 512GB SSID
MBP17" (late 2011) 10.13, 8GB RAM, 512GB SSID
iPad Air 2, iOS 11, 64GB
Scrivener, Scapple, Nisus Writer Pro, Bookends …

bo
bodsham
Posts: 187
Joined: Wed Jun 13, 2007 2:58 pm
Location: UK
Contact:

Wed Jul 13, 2011 4:15 pm Post

I can't be bothered faffing round with local encryption frankly. Have moved to Wuala which is a little weird but works. 10gb for €19 for one year. All the data is encrypted before sending. They can't even read it.