Saturday, July 2, 2011

Dropbox Warning!

We all know and love Dropbox, the web-based service that lets us share files between our computers using 'Cloud' technology, right?  Just drop your files in the Dropbox folder, and you can access them from any other Dropbox connected computer.  Great concept!

Here's the problem: By using a 'Cloud' service, you essentially allow someone else to hold your data for you, and you are subject to their whims as to what they can do with it.  Previously, Dropbox had a pretty decent statement of how they would hold your data.  It was all supposed to be totally private, not even Dropbox employees could get at it.  Until the US Government demanded some data that Dropbox was holding.  And then it turns out that Dropbox employees could indeed access data if it was necessary, such as to comply with a court order.  Or if some bored, disgruntled employee decided they wanted to snoop.

Now it's worse.  Dropbox just changed their Terms of Service (TOS), and there's some worrisome language in there that essentially assigns full copyright to all of your data to Dropbox: 
'By submitting your stuff to the Services, you grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent we think it necessary for the Service.'
Oh, and sublicenseable, meaning they can let anyone else use your data as well.   Is that what you signed up for?  Is that okay with you? 

This is one of my biggest problems with 'Cloud Computing'.  It's like handing someone your wallet, and trusting them to just hold it, not let anyone else access it, and not access it themselves.  The temptation is just too great for them to snoop a little, or to give in to demands from others to get access for various reasons.  This has always been my problem with Cloud Computing, but the market was all gung ho with a new buzzword, a new (not really) concept, and a huge marketing push to drive customers.  What providers like about Cloud Computing is that it's portable.  They can build new data centers anywhere it's cheap to do so.  Cost of doing business in Hong Kong getting too high?  Let's move the datacenter to Thailand.  Somewhere that labor and rent are cheap.

Dropbox is very convenient.  But is it worth giving away your data?


This and all other articles on this blog are © copyright 2011 by Daniel G. Dillman

4 comments:

  1. If you cancel Dropbox I know our information will still be there. I intensely dislike the part where they say they can use your information. I do not think I will be dropping any more information in their box.

    I read a few weeks ago some of their accounts were also hacked.

  2. I made the mistake of trying Dropbox despite my misgivings, and I uploaded some data there. I'm not putting any more in, definitely. Fortunately, there's nothing more personal than an outdated MyHeritage database and some computer troubleshooting tools, also outdated.

    This same issue applies to things like Picasa and Flickr, and especially to anything you put on Facebook. It's all a matter of not posting things you wouldn't want to just give to anyone else.

  3. I need to clarify this issue because there is a great deal of information circulating on the Internet about the Dropbox TOS which has not changed recently.

    The provision you mention is correct but you should focus on the words TO THE EXTENT WE THINK IT NECESSARY FOR THE SERVICE. This means if law enforcement needs to access data due to a crime, etc., they can do so. This means if Homeland Security finds that someone is posting information that would compromise our security, Dropbox will assist them in an investigation.

    It does not mean that Dropbox sits there and rummages through your stuff. I'm sure they have better things to do.

    And this clause is standard with any cloud service. You must decide whether or not the cloud is right for you. For me, the convenience factor outweighs my desire to set up my own server, etc. to do this.

  4. Thomas, the last part of your comment is the most important part. YOU need to decide whether it's worth the risk.

    My problem is that the risk is rarely clearly stated, so people don't really have a way to properly evaluate it and decide for themselves.

    I've seen some people say it's the same as posting on a blog, or news site forum, or Flickr, for example. It's not. When I post to those, it's in a forum that is intended clearly to be read by others, where services like Dropbox are marketed as essentially a hard drive you can access from anywhere. You don't expect other people to be able to access the data on your hard drive.

    Dropbox as a company may be honorable and not mess with your data, but that doesn't stop any one of their employees from doing so if they decide they want to.

    There's been so much hype and positive spin about cloud storage, I feel people need to be aware of the negatives. I'm not alone, apparently.
