Put it in the Cloud? Are You Nuts?

The situation in the following post has been resolved for now. Dropbox has taken everyone’s outrage seriously, and has fixed the problem. More information here. I am leaving this post and the follow-ups up because they contain a good deal of information on how to protect yourself and your intellectual property when working in the cloud.

As of Sat, July 2 2011, Dropbox has joined Facebook and who-knows-how-many-other ass-backward companies in declaring eminent domain on their users’ data. That’s right, boys and girls, if you’re using Dropbox for storing your manuscripts, photographs, creative works, etc., you should know that their revised TOS says that:

you grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent we think it necessary for the Service.

In other words, they own your stuff.
Not that this would stand up for a minute in court–but do you want to be a test case?

That right there is bad enough–almost, but not quite as bad as Facebook claiming copyright to anything you post, link to, etc. (and using everything you post in their advertising), but Dropbox does one better. Lest you say “Haha! I’ve dodged a bullet! I only use Dropbox to hold my ebook collection, or to sync my porn files and music between my home and office systems!” you better read on. Following on from the same place in the TOS:

You must ensure you have the rights you need to grant us that permission.

In other words, if you put up something you legally bought for your personal, non-infringing use, you’ve just been made a felon, because Dropbox now requires you to grant them a worldwide license (including derivatives!). By uploading a file you didn’t author (for a personal backup or so you can have access to it on a business trip, say), you’ve just granted rights to Dropbox that you don’t own. But by uploading it, you’re representing that you do have the right to grant those rights, therefore you’re committing fraud as well as several sorts of infringement.

I’m not a lawyer, but I can’t see how in the world this will hold up in court–but I’ll tell you one thing: I ain’t ever using this bloody service again. And I’ll go one further–with shit like this getting to be de rigueur among clueless tech companies and their equally stupid lawyers, there’s no way in hell I’m ever using a cloud-based archiving service that “reserves the right to change the TOS without notice” again.

As The Specials once said, you can’t fight corruption with card tricks–they use the law to commit crimes.

Folks at Dropbox should be ashamed–and they should probably be sued. You guys at the EFF, are you listening?

Full text of the grotesque new Dropbox TOS here.

For an explanation of why the wording of this license is pissing me off, read my Contracts post Everybody Knows Peggy Lee (or should) which explains what’s implied by license wording such as the above–regardless of whether it’s couched in language that says “We only want these rights so we can perform the service.”

Further Addendum:
Check out the comments below for more addenda–I’m posting updates as people feed them to me, and it’s easier to add a comment than to edit the post over and over.

Another further Addendum:
I’ve got a new post talking about the factors in selecting an off-site backup service, the basics of data security, and discussing some alternatives to Dropbox. Find it here.

Yet Another Addendum:
There are more updates on the Dropbox situation at my new blog post here.

Final Addendum:
As mentioned at the beginning of this post, Dropbox has taken everyone’s outrage seriously, and has fixed the problem. More information here.

74 thoughts on “Put it in the Cloud? Are You Nuts?”

  1. “They can’t force you to open it if you have forgotten the password. =)”

    Unless you’re in the UK, then they can force you to remember…or else.

    I do agree with you that you should always encrypt cloud storage files. You never know when Lulzsec (or its progeny) may take a shine to cracking Dropbox just for the lulz.

  2. The full TOS isn’t as bad as you make out and an e-mail was sent out notifying of the changes. It is a big change but an understandable one.

  3. Dracoverdi —

    You nailed it in one. Sourceforge and other such sites also don’t claim copyright (or sublicensing or derivative rights) to the data people upload–it would be disastrous if they did. The folks (including the very polite and articulate fellow over at Lawclanger) who are claiming that these terms are necessary are simply wrong on both the facts and on the implications of rights grabs such as this (though in most cases I think they are probably right that the intent is self-protective rather than piratical).


  4. J —

    Actually, my web host does none of those things in its TOS, and never has. Not even Microsoft’s Skydrive (which is a file sharing service, rather than a web host) does this, and Microsoft has a well-earned reputation for an attitude of “it’s better to pay a settlement than a license fee” where other people’s intellectual property is concerned.

    I’m sorry, but you’re just wrong on the facts.


  5. Yep–

    Your reasoning is very plausible, and I wouldn’t be surprised if Dropbox’s lawyers were following a similar chain of reasoning–but that’s just not the way it goes down with cyberlaw or copyright law. There have been worries of stuff like this for well over a decade now, true, but the precedents that would create the nightmare scenario you describe simply haven’t emerged (and, if they did, they would effectively bring a lot of internet commerce and data management and database service operations to a screeching halt).

    Thanks very much, though, for the thoughtful post–it puts the case for the defense (so to speak) far better than I’ve done myself, and I do appreciate it.

  6. MLE–

    They couldn’t exactly claim ownership, but under the un-revised TOS (they’ve revised it a lot since I wrote this post, and I’m not current) they could claim the right to resell it. I doubt such an action would stand up in court, but there would have to be a test case, which is a huge pain in the ass and very expensive–so, yes, it’s a big worry. Check out my new post for some suggestions on alternatives and for ideas on how to evaluate whether a service will serve you well in the long term or whether it might screw you over.

    Thanks for stopping by!

  7. Brandon —

    That’s a line from a song? Cool! I’ll have to look that song up, it’s an excellent line.

  8. Okay, first, I don’t like the new TOC, but before everyone goes off the deep end, please make sure you read the TOC for other providers, including Microsoft sky drive. They all say the same thing. You own the stuff you put up, and they get the sublicences.

    Is there another alternative?

  9. I hear that these people are going to claim an indie group’s unfinished game, what are these people hoping to achieve with that?

  10. Perry–

    There are some good alternatives–check out my post from this morning for a quick go-over.


  11. I received the email notifying everyone to check out the new terms of service. The thing that has struck me, that I really haven’t seen mentioned anywhere yet, is that their wording seemed to smack of “this is really where we’ve really stood all along, we’re now just trying to make it clearer for you.”

    That is truly scary.

  12. Isn’t it just possible that 1) They only want this licensing right in order to make money from the totality of users and it has nothing to do with “needing” it to operate? 2) I had a cyber law class back in about 2007, and I seem to remember that servers were never held liable for the content on their websites in terms of abuse or infringement, so what do the companies really have to worry about, might they just be using that as an excuse to gain rights? It is really offensive that they could, for example, make a recording of your music and sell it, with no royalties, when there are royalties built in to the copyright law. 3) By what standard do they decide what they “think is necessary?” No limits!

    1. 1) I think this is entirely probable–the customer, and their data, is the product (though I think it’s more likely that the part of the data they’re interested in is the type and quantity of data people transmit, so they can then find ways to monetize the traffic by selling advertising, targeted service enhancements, etc.). The metrics and databases are where the money is–selling access to datamining companies is a popular business model right now.

      2) I have a similar understanding of cyberlaw stemming from RIAA related lawsuits and obscenity prosecutions early in the era.

      3) That is the problem, isn’t it? And they’re now saying “trust us.” In situations like this, I can’t help but remember what Lazarus Long said:
      Money is truthful. When a man speaks of honor, make him pay cash.
