Monday, July 4, 2011

Dropbox Update

As a user of Dropbox, I received an update in my e-mail (and you probably did, too) attempting to clarify the recent uproar over their Terms of Service (TOS). I think they've done a pretty good job of stating their terms in clearer language, and further, of explaining why they need the rights they are claiming through your agreement to use the service. That said, I still stand by my earlier positions in that they DO have access to your data, and you DO need to evaluate what you choose to store on your Dropbox, and whether the risk of abuse of your data is low enough to feel safe storing it with Dropbox.

Here's a bit of the statement Dropbox released on their blog:
Some of you have written us with very understandable concerns about the legal-sounding parts. In particular, our new TOS talks about the licenses we need to run Dropbox. We want to be 100% clear that you own what you put in your Dropbox. We don’t own your stuff. And the license you give us is really limited. It only allows us to provide the service to you. Nothing else.
  
We think it’s really important that you understand the license. It’s about the permissions you give us to run the service, things like creating public links when you ask us to, allowing you to collaborate with colleagues in shared folders, generating web previews or thumbnails of your files, encrypting files, creating backups… the basic things that make Dropbox safe and easy to use. Services like Google Docs and others do the same thing when they get these permissions (see, for example, section 11.1 of Google’s TOS).
 
We wish we didn’t have to use legal terms at all, but copyright law is complicated and if we don’t get these permissions in writing, we might be putting ourselves in a tough spot down the road. Not to bore you with the details, but please take a look at the license term in the TOS. We think it’s fair and strikes the right balance: “This license is solely to enable us to technically administer, display, and operate the Services.”

They have gone to great lengths to state clearly that under normal circumstances they will not access your data, and that data they collect is to better operate the service. I'm not a lawyer, and I don't know how well that would stand up in court if it were part of a lawsuit, but it does look pretty reassuring when reading it as a layman. They have not clarified how they deal with potential abuse of your data by individual Dropbox employees. One would assume they have provisions in their terms of employment to deal with that, but the likelihood of abuse is highest from disgruntled (ex-)employees who are likely not concerned with remaining employed by Dropbox, and once your data is exposed, there's no stuffing the genie back into the bottle.

So, Dropbox (and really, all cloud computing services) remains a security risk that you need to evaluate for yourself. A lot of family history data is probably just fine on Dropbox, especially if it's also posted to online trees such as Ancestry.com or MyHeritage.com. Just be careful of data you wish to remain private.

And I'm still not a fan of the Cloud...


This and all other articles on this blog are © copyright 2011 by Daniel G. Dillman

Saturday, July 2, 2011

Dropbox Warning

We all know and love Dropbox, the web-based service that lets us share files between our computers using 'Cloud' technology, right?  Just drop your files in the Dropbox folder, and you can access them from any other Dropbox connected computer.  Great concept!


Here's the problem: By using a 'Cloud' service, you essentially allow someone else to hold your data for you, and you are subject to their whims as to what they can do with it. Previously, Dropbox had a pretty decent statement of how they would hold your data. It was all supposed to be totally private; not even Dropbox employees could get at it. Until the US Government demanded some data that Dropbox was holding. And then it turns out that Dropbox employees could indeed access data if it was necessary, such as to comply with a court order. Or if some bored, disgruntled employee decided they wanted to snoop.


Now it's worse.  Dropbox just changed their Terms of Service (TOS), and there's some worrisome language in there that essentially assigns full copyright to all of your data to Dropbox: 

'By submitting your stuff to the Services, you grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent we think it necessary for the Service.'

Oh, and sublicenseable, meaning they can let anyone else use your data as well.   Is that what you signed up for?  Is that okay with you? 


This is one of my biggest problems with 'Cloud Computing'. It's like handing someone your wallet, and trusting them to just hold it, not let anyone else access it, and not access it themselves. The pressure is just too great for them to just snoop a little, or give in to demands from others to get access for various reasons. This has always been my problem with Cloud Computing, but the market was all gung ho with a new buzzword, a new (not really) concept, and a huge marketing push to drive customers. What providers like about Cloud Computing is that it's portable. They can build new data centers anywhere it's cheap to do so. Cost of doing business in Hong Kong getting too high? Let's move the datacenter to Thailand. Somewhere that labor and rent are cheap.


Dropbox is very convenient.  But is it worth giving away your data?


