Dropbox and Your Copyright

If you’ve got a Dropbox account, you’ve probably already received an email from them with the subject: “Updates to Dropbox Terms of Service and Privacy Statement.” Unlike many other agreements, it is commendably easy to read and understand. But there has been some controversy over the fifth paragraph in the new “Terms of Service.”


On first pass, that sounds rather scary. If you post your soon-to-be-outrageously-successful novel on Dropbox, are you giving Dropbox permission publish it and even create translations or a movie based on it?

As a number of Slashdot posters have pointed out, however, that bit of legal boilerplate is common among the providers of online services. In our lawyer-afflicted society, it prevents nuisance lawsuits. Dropbox’s ability to copy etc. is limited by the opening and closing terms:


Since Dropbox is not in the book or movie-making business, publishing or making movies out of what we’ve written is not doing “what you ask us to do with your stuff” nor is it “necessary for the Service.”

That said, those terms do point out that, at a practical level, we’re still responsible for the legality and security of what we post online. As the last sentence in that paragraph points out, don’t post to Slashdot material whose copyright you don’t own or that isn’t covered by fair use.

Also, especially given Dropbox’s recent blunder in which it left its system totally unprotected by any passwords for several hours, it might be a good idea to encrypt the more critical material you post online. I’ve not tried them yet, but there are apparently ways to encrypt Dropbox folders. Doing that might be especially appropriate if you’re using Dropbox as an off-site backup for an entire Scrivener book.

If Dropbox’s security fails again and bad guys try to take advantage of that, even a modest amount of protection will probably mean that they go after easier game and leave your “stuff” alone.

–Michael W. Perry, Seattle

I really should add that others feel differently. One very successful writer, David Hewson, recently announced in a blog post entitled “Bye, bye Dropbox. Great while it lasted,” that:

The why are the terms I quoted previously. He goes on to say this about Dropbox’s terms and those of similar services:

You can find his remarks here, along with comments by others:

davidhewson.com/blog/2011/7/ … itted=true

I’m not worried myself. A year and half spent in a copyright dispute taught me about the strange world of law and its often covert motives. I suspect that by these terms Dropbox intends to cover itself, for instance, if some of their staff, without permission from higher up, find some popular author who has a Dropbox account, break into his account, and look at his upcoming book. For me, that’s not a likely possibility, but for David Hewson it is. His blog notes this about him:

Given the popularity of The Killing, here and abroad, that’s just the sort of “stuff” that a Dropbox staffer might want to get an advanced look at. If Dropbox got sued about that unintended action, it would probably want some sort of legal cover. This contract gives them the right to have the technological capability to look at what we are doing and puts the onus on the spying on a rogue staffer. It might not keep Dropbox from having to pay damages, but it would limit how large the settlement might be.

I will add that, if Dropbox doesn’t intend to do the sorts of things that clause in the contract suggests to many writers, and I don’t think they do, then they need to specifically state what they do not mean? After all, as they put it, “These updates are meant to make all our policies clearer and more transparent to you.” For non-lawyers, those clauses are either very disturbing in their implications or they make Dropbox’s policies less clear and less transparent.

One final note. If you go to Dropbox’s blog posting about their new terms of service, you will see that they are trying to clarify what they mean in two July 2 updates (that’s a Saturday over the July 4 weekend in the US). They have added the bolded sentence below.


That’s still not as clear as I would like. I’d like them to state categorically what those terms do not mean. But the added sentence is much better and does make it clear that their stated purposes are solely technical. I have never thought Dropbox wanted to go into the business of publishing books or making movies. This at least makes that clear.

–Michael W. Perry, Seattle

I agree with you regarding DropBox motives being basically intended to allow the service to function. Another point is that they need to have access to the files to cover themselves under US law. If the FBI turns up with a court order they are forced to comply, which opens up another can of worms regarding US companies storing personal information about UK citizens. Merely copying files from your machine to the cloud servers would probably fall within the legal definition of copying and without that ability, no cloud service could operate.

The only alternatives are SpiderOak or Wuala, which do the encryption on your machine so it is impossible, at least in theory, for either of the companies to read your stuff since the keys are stored locally. Whether either of these is as simple or reliable as DropBox is for others to judge.

TBH I don’t think it matters which cloud service you use, the only way of ensuring security - at least so far as it is possible - is to do your own. Otherwise it is best to regard files stored there as world readable, whatever the PR blurb may tell you and make your decisions accordingly.

Over on the 1-Password forums I have seen references to an improved version of Knox, AgileBit’s security encryption app http://agilebits.com/products/Knox. Given their own use of DropBox, I’m wondering whether they’ve developed an improved encryption app that works seamlessly with DropBox. If they have they’ll be on to a winner, since few, if any, of the current solutions seem to be without problems.

Experience has taught me that if a law or contract allows someone to do something, then at some point they’ll do it — however extreme, perverse of bizarre the circumstances, and despite what those who framed the law or contract say they actually intended.

But what I don’t understand is that if these changes really are so essential to Dropbox‘s idea of protecting itself, why, as David Hewson says, can Windows Live get away without them?

Why would they need to ‘prepare derivative works’? What is that supposed to mean? I get the bit about having to reformat stuff, but this ‘derative works’ thing looks like a license to do whatever they want.

That was a very good summary, by the way.

I strongly believe that this is a common misconception but nevertheless a misconception. If a service provider has access to the contents of the files they are obliged to make them available to the authorities if so requested. They are not obliged to set up the service in a way that grants them access to the contents. If Dropbox only had access to the files but not their contents they would make the files available then and be fine. The law-compliance aspect can thus be excluded as their motivation.

If you know otherwise I’d love to hear about your sources.

Which is why I mentioned SpiderOak and Wuala, both of which use client side encryption. The key is stored on your local machine so in theory at least, if required, either service can hand over an encrypted file and that’s all.

As I said there’s nothing whatever stopping anyone using DropBox from doing their own encryption prior to uploading the files. If the stuff is really important it’s what you should be doing anyway, since once it leaves your hard drive you have little to no control over what happens, whatever the PR fluff might say and, however well intentioned the service provider. Drowning the ToS in sub-clauses to cover this or that eventuality, won’t change that.

I did not say it was your misconception but nevertheless a common one. The sentence I singled out, taken in isolation, is often misused to offload the responsibility for creating a service that stores unencrypted information in the cloud to US legislation which is wrong, at least in its current state.

Dropbox and others are very reluctant to say why they chose to go that way. It remains their decision, of course, but the reliance on and further propagation of the myth that the decision was not theirs is odd.

FYI… the Dropbox folks have posted a clarification:



Dropbox has been excellent, the only FREE such service that really is useful I know of. Such hysteria is just useless. I had actually asked them directly before going hysteric all over the internet, that clarified things for me, I am so happy they are there.

Thanks for posting the link Bdillahu, I only hope they will continue. One should actually thank them.

Life Hacker looks at five major online synch services at:

lifehacker.com/5818908/dropbox-v … ht-for-you

They detail the advantages and disadvantages of each. Those concerned about security might want to take a look at SpiderOak.

Those needing more free space than the 2 GB that Dropbox offers, might want to look into Live Mesh and SugarSync. Each offers 5 GB.

SpiderOak is OK. I used it for a while when the Great Firewall of China decided Dropbox was a threat to national security or something and blocked it. It does have advantages:

  1. Security: if you’re concerned about that, since the encryption keys are on your own computer, not on the server;
  2. Organisation: you can designate any folders wherever they are on your hard disk to be synced with SpiderOak, not one main folder.

It has disadvantages:

  1. You have to do much more work in maintaining what’s on the server:
    (a) it keeps historical backups but doesn’t delete them, so if you’re using it with something like Scrivener, each time Scrivener does an automatic backup, SpiderOak does so, but doesn’t limit the number of them, so your space is rapidly eaten up and you have to purge it yourself;
    (b) Files and folders deleted are also moved into an online trash which isn’t emptied, so you have to purge them yourself, and you have to do so from the computer where the file originated, you can’t do it from your other computer(s);
  2. It has to run as an app with the window open all the time it is connected: my solution to the clutter was to put it in another space of its own, where I could access it if I wanted to, but where it was out of the way at all other times;
  3. It is a port from Linux: it has a Linux interface with no attempt to make it Mac-like, though it is a personal matter whether that constitutes a real problem. It does require much more specific setting up than Dropbox for sharing files between computers.
  4. (The one that made me stop using it) problems with the latest release: they released an update which was required, but it caused slow-downs while typing in Scrivener … at least the slow-downs stopped when I no longer had SpiderOak running.

I don’t know if this last point has been addressed as I haven’t been using it. I still have my account and intend to sort out my space and use it like a fall-back storage system; I also have a .me account and a Dropbox account, once more accessible in China, and space on Box.net. I need to decide how to use them all to best advantage, but I’ll wait until Lion is out, .me has transmogrified into iCloud, and I am on holiday and have more time to think about such things. One of the problems, though, is that to delete a fairly substantial amount of files on SpiderOak, I will have to reboot my MBP from the bootable back-up of its previous system installation, as the permissions on the files are linked to that incarnation of the MBP!

All that said, basically, I thought SpiderOak was good, reliable, synced tolerably quickly … perhaps more quickly than DropBox, and I would be continuing to use it currently were it not for the slow-down it seemed to cause in Scrivener.


The Dropbox situation is frustrating. I don’t believe they’d want to rip off people’s work. But the general principle of having valuable confidential material on servers where others can read them worries me. At the moment I’m using Sugarsync in place of Dropbox. The free account gives you 5gb and frankly it seems superior to me - you can sync folders between different machines for example. But it is still unencrypted on their server which makes me uneasy.

I tried both Spideroak and Wuala too since both store encrypted data. Spideroak, as noted elsewhere here, is an ugly pain to manage. Wuala has the most astonishing T&Cs which state ‘The user agrees, that by making data public, the user grants LaCie a free, worldwide, non-commerical right of use of such data as well as the right of commercial use for marketing purposes in connection with Wuala. [Without agreement to the contrary, a copyright notice is to be applied and the modification of data is prohibited.]’

It also states elsewhere that all data on the Wuala servers is encrypted and can’t be read by Wuala. So quite what this means I’ve not a clue. But it puts me off - you bet it does.

Also in order to work you have to install a 64 bit Macfuse patch and the whole thing is just about as ugly and unintuitive as Spideroak. But I suspect I do need that encryption frankly. I just don’t feel comfortable knowing that confidential work in progress is sitting on the web somewhere readable to others.

Just a further thought, though I haven’t tried it out at all …

I downloaded and installed (I think for a very modest price) from the MAS an app called “Concealer”, which I understand allows you to encrypt particular folders you choose on your Mac. Just wondering if one couldn’t use this to encrypt the Dropbox (or SugarSync) folder. Would that then be encrypted on the server? Would one be able to open the encrypted data on another machine?

Since it’s come from the MAS, I have it on the MBA and the MBP, but I have had no time to play with it since installing it … something else which’ll have to wait a couple of weeks till I’m on holiday.

Anyone else tried Concealer at all?


I can’t be bothered faffing round with local encryption frankly. Have moved to Wuala which is a little weird but works. 10gb for €19 for one year. All the data is encrypted before sending. They can’t even read it.

while hysteria is going strong, just realize that noone, really noone, really wants your texts (other than if it was Harry Potter etc.). they are groundbreaking for sure, but the world has other things to care about. if dropbox would manage to publish mine I would be happy. But, actually, that is not their scope, believe it or not. But, yeah, hysteria is better than nothing to worry about. get a life.

That’s a rather rude way to put it. Plus, if your primary way of earning a living is by writing words that you want to have a constant backup of… then it’s not paranoia; it’s justifiable caution.

Some of us have commissioned work too. Imagine how a publisher would react if your private project for them got leaked. I don’t imagine Dropbox would do that. But a few weeks ago all the security on DB was down for something like four hours. During that time anyone could have got into txt exports of my current, commercially-commissioned project, and snatched copies.

Unlikely? Maybe. Worth the risk? Definitely not. Wuala is just fine for me.

God, just cannot believe this. last hint from me: * Dropbox * is * NOT * a publishing company *. Dream on they will steal and publish your stuff… or cool down, use Dropbox or don’t, but do not discredit this excellent service others just can dream of.

DropBox is an excellent service, and I’m sure it’s run by nice people completely uninterested in what we may use it for. But those terms of service – lately amended? – certainly clarified – were a PR shocker if nothing else. You have to wonder how the company could have let them out into the bright light of day, and they certainly fuel the suspicion not that DB would itself exploit users’ work but that the company was trying to ensure it would be legally protected if others – a disaffected employee, perhaps, or hackers - did so. Perhaps not an unreasonable thing to do, from the company’s point of view, if one ignored the PR. I know media lawyers who’d insist on such protection. But from a user’s point of view with the products of one’s sweat metaphorically in the clouds it seems to me entirely reasonable to prepare for the worst even while hoping for the best. After all, until a few months ago nobody, not even a cynical old hack like me, believed that one of the biggest media organisations in the world might casually be hacking phones by the thousand…