My gripe session about Dropbox’s new TOS and my presentation (wherein I all but came out and shouted that it’s stupid to use a free cloud-based backup service) understandably rankled a healthy percentage of the commenters. My fellows in the hacking community, who eat, sleep, and breathe security issues, described my post as a “breathless rant,” an “overreaction,” etc. And what’s more, if my post were written up for LinuxJournal or for an IT rag, they’d be right.

But it wasn’t. It was written with writers, musicians, and other creatives squarely in mind–an audience that, by and large, is not highly conversant with all the ways around lawyers and moronic service providers that we hackers and power users have built up into a reflex. When you tell a writer who only uses a Mac (who’s not otherwise a computer geek) that they need to encrypt their backups, they’re likely to look at you like you’re speaking Latin, then shake you off and continue right on doing whatever gets in their way least.

So, in the interest of being part of the solution rather than just part of the agitation camp, I’m now going to get into the things about cloud-based computing that, if you don’t know them, can make the whole enterprise very hazardous. I’ll also go over the hazards it can pose–and the benefits it can offer–for writers and other creative non-hacker types who use it, and suggest a few ways to minimize those hazards.

So, here are some things you need to know about using any cloud-based computing service:

If The Service is Free, You Are Not The Customer

If you’re using a service, it’s natural to assume that you’re the customer and the service provider is the vendor–and there are a lot of companies (like that book about the fronts of people’s heads) that count on the fact that you’ll continue to think that.

Why? Well, if you assume that, you’re going to be inclined to several reflexes–you’ll assume that the vendor will try to treat you well, for example, and you’ll be more likely to develop brand loyalty to an insane degree, because we’ve been trained to think that “the customer is always right.”

The trouble is, with these services, you’re not the customer. You (and your data) are the product.

The customers are other parties–in some cases, they’re advertising, demographics, and political firms. In other cases, the free service is a test bed for a commercial product and you’re essentially an unpaid QC person.

If this is sounding negative, it’s not because I don’t approve of the business model–if you understand what you’re getting into, I’ve got no problem with such things. The trouble is that the Internet is full of people who think that that nice guy from Nigeria really does need help, and it’s not because they’re stupid, it’s because they don’t have any idea about how the economic situation works on the net. People (like me) who’ve literally been on the Internet since before it was the Internet tend to forget about that.

What this all means is that the service provider has a lot less incentive to keep you happy, and a lot more incentive to do things that annoy you while advancing their own interests with regards to serving their primary customer base. These things that annoy you often turn up as rights grabs for your data, sudden changes in Terms of Service, sudden discontinuance of a service you’re relying on–and, when there’s a big public outcry, sometimes a marginal backing off combined with very loud self-flagellating apologies and protestations about how important their customers are to them (which is true–but the customer isn’t you. A fact they usually fail to mention).

In some cases, it can get worse than that. Some companies have (or believe they have) the incentive to use your intellectual property free of charge to make money. Facebook, for example, uses your user pictures in their advertising, and they don’t pay a dime for it. You’re obligated to let them unless you specifically opt out every time they change their TOS. They’ve also, from time to time, tried to claim copyright or free license to all the text posted on their site (your words) and to all the text linked to from their site (which will never stand up in court).

Which brings me to the court test and the other reason you actually need to read your TOS: A lot of them disallow court cases. In them, you agree to binding arbitration in some po-dunk jurisdiction that doesn’t have robust laws regarding intellectual property or Internet business–a jurisdiction often pre-selected because of its statutory or cultural bias against consumer protection, in favor of enforcing binding arbitration, or of not enforcing claims of individuals against corporations. Get screwed over by a company that does this, and you have two court cases in front of you: first, to get the binding arbitration clause ruled out of order, and second to actually pursue action against the company.

On Putting Things In The Cloud

When you park your car on the street, it’s possible that someone might come along and make off with it. Two things protect people in such situations:
1) They lock their cars (which makes stealing them inconvenient–but not impossible)
2) They have cars that are unremarkable

The same holds true for your data. Most of the time, if you post your work online for free nobody’s going to steal it–frankly, most work isn’t special enough to be worth the bother. Most work is the Yugo of online car theft. And the other kinds of data that some sites collect–the demographic, behavioral, large-scale statistical data for resale to advertisers–aren’t individuated enough to worry many people.

The story changes a bit, though, with things like financial data, or unpublished manuscripts, or raw tracks. Stuff that either has intrinsic value (all financial data does, even if you personally don’t have any money) or statutory value (intellectual property).

Unfortunately, even people who are driving the Internet-equivalent of expensive cars tend not to lock them, unless they’re people who are otherwise interested in hacking and security for its own sake, and this is where you get into trouble.

When you use a cloud-based backup service, you’re gaining some useful things: data portability and off-site fire protection spring to mind. But you’re also putting your data on someone else’s server–you’re trusting your intellectual property to the good graces of an organization whose interests might not align with your own tomorrow, even if they do today–which means that if you want to keep yourself safe, you’re going to have to be checking the service’s user relations blog and TOS pretty regularly–and that’s a headache.

You’re also trusting your data security to a corporation whose security practices you can’t practically audit (and, in the case of a new company, whose practices aren’t well-established enough to have earned them a reputation you can check). The company might respect its users’ privacy, but if they don’t have their servers secure, then Lulzhack or Anonymous or the Russian Mob or an overzealous high schooler can waltz in and have their pick of what’s there.

VW or Aston Martin, Use A Kill Switch

So, say you need the benefits of a cloud-based data service, what are you going to do? There are a few things that can make the enterprise a not-entirely-foolhardy one:

1) Encrypt your data using the strongest available encryption
This is non-trivial if you’re not in the habit, but it is actually the only way to secure your data against most attacks. GPG and TrueCrypt are both open-source, community enterprises and are the gold standard in data encryption. PGP has several commercial implementations of the same encryption schemes and algorithms GPG uses, and they have some slick front-ends that make it easier to use. There is a learning curve here, but it’s worth it.

2) Select a data service provider that does not have access to your data
This is the standard of professional practice in the data services industry–your data is stored on a TrueCrypt-style drive to which the hosting company doesn’t hold the keys. They can delete it, but they can’t read it. Since this claim is difficult to verify, though, you should also encrypt the data you upload.

3) Select a data service provider that does not share data
You basically want a company that won’t allow anyone–including the FBI–to access your data without a court order.

4) Select a data service provider with decent lawyers
The shitstorm over last weekend was, on the most charitable reading, caused by bad lawyers. So to be very clear: what you store on a server is no more your hosting provider’s business than what you keep in a rental house–and I’m sticking to that unless and until the law says otherwise (which, at the moment, it doesn’t). When you upload to a server, you are granting the implicit right to archive, store, back up (which involves making copies) and display your data to the extent (and only to the extent) required by normal data management operations–these are all technical tasks. You are not implicitly granting the right to create derivative works, to publish, to distribute, or to sublicense the content (and if you’re looking at a service that demands that right because they use a subcontractor to handle their data farms, avoid them).

5) Pay for it
You’re going to be in a much better position if you’re using a paid service, and the paid services are not expensive. You spend more at Starbucks every month, even if you don’t drink coffee. This puts the customer/vendor relationship on the proper footing. Don’t, however, neglect points 1-4 just because you’ve paid.

6) Notice of changes to TOS
Always select a service provider that gives at least a billing cycle’s worth of notice of changes to their TOS. This is something Dropbox did right, and with all the grousing I’ve been doing about them it’s only fair to give kudos where they’re due.

Blessed Are The Pessimists, for They Have Made Backups

The best solution of all, though, is to do it yourself. There are a number of programs available, such as PogoPlug, which make it easy to set up your own cloud-drive that you can access from anywhere. A lot of NAS appliances also include web servers that let you access your files from anywhere. Get something like this, set it up in a friend’s closet (so you have the “off-site” part of your backups covered–important in case of flood or fire), and you’re miles ahead of using a cloud-based service from a company whose politics and business incentives you have no control over.

Of course, doing this, you are parking your Aston Martin on the street, which means you need both a lock (a good firewall) and a very good kill switch (encrypt everything on that shared drive)–and if you have any sense at all, your cloud drive must be on a dedicated appliance or computer, not on your desktop or laptop machine. Isolating it from the rest of your network protects the rest of your network from the Internet, exposing only your (encrypted, right?) cloud drive on its own well-secured machine (device, spare computer, whatever).

Concluding Thoughts

I got a LOT of comments, and a lot of blog posts, commenting on the panicky, breathless nature of my initial post about the Dropbox debacle by people who figured I ought to “know better.” Those people were all either 1) hackers who already know how to navigate this weird world, or 2) people with a good understanding of cyberlaw but a poor understanding of copyright law. Most of them were very intelligent and the comment stream (and cross-linked posts) are well worth reading–but this post is not for them. The first group are already well-equipped to take care of themselves, because they have the “informed” part of “informed consent” nailed. The second group are intelligent enough that they’ll likely be fine too, though I’m nervous about the folks who take advice from them.

If you’re a creative type, your work is your livelihood. You need to be fully conversant in Copyright law, or you’re gonna get fucked. You also need to be moderately conversant in security–i.e. you need to understand the basic concepts, even if you don’t understand the technical details. And you need to apply both to the way you deal with data you put online.

This is a world of informed consent, and most people on the net are consenting without understanding the paradigm or the implications. For most people, the worst that will happen to them from operating uninformed on the net is a little identity theft. Occasionally, one of them might get implicated in a crime through no fault of their own–annoying and unlikely, but possible. But for creatives who are using the net for business, the ballgame is different–if a creative walks through this world as a naïf, he risks a lot more headache and wallet ache. It really is worth the time to get savvy.




  3. If they claim the unfinished indie game that I and dozens preordered, you’re just crushing the indie groups’ dreams, leaving it in the dark and ruining our purchase.

    Whiskey Tango Foxtrot
  4. Heya WTF–

    At that point, I hope the group gets a lawyer. There’s been a LOT of traffic through here as a result of this post–can you post a link documenting their troubles? Perhaps another helpful soul would have some useful advice.

  5. jdsawyer, They don’t know about this, someone posted on their Twitter recently, I might email them just to be safe, is it possible to take your files and run far away?

    Whiskey Tango Foxtrot
  6. It shouldn’t be necessary to leave Dropbox to protect oneself, simply encrypt your files. Good locks make good neighbors. Why would they waste resources to decrypt your files when someone else has unencrypted data available?

    What I find interesting is that I’ve been thinking for a while that authors should be telling their readers the same thing: “You are not the customer, you are the product.” An author doesn’t sell books to readers, but instead sells access to an audience to publishers. That doesn’t mean that the readers shouldn’t be well cared for, simply that they don’t have the influence they think they have.

    Tempted to do my own blog post on this…


  7. Heya Doc —

    Regarding authors and customers, I think you’ll be hard pressed to find more than one or two examples where this is actually the case. In fact, I can think of only two at the moment where that argument might hold water. One is Sigler, who had ~40k fans or so when he finally landed the deal with Random House. The other is Amanda Hocking, who had hundreds of thousands (if not millions–the numbers are hard to come by) of sales with fans raving about her and making a lot of noise online.

    Of the two cases, I think the most you can say about Sigler is that his fanbase was a deal sweetener–it put him in a better bargaining position, as he could have walked and done very well self-publishing (as he later did for the GFL series). It might even be the thing that distinguished him in the first place. But in the world of publishing, I gotta tell you, 40,000 is not a lot of sales for a thriller author. If you don’t perform significantly over that number, many publishing companies are likely to cut you from their lists even if you turn a modest profit for them.

    Hocking might be a different matter, as her numbers are up in the low end of what publishing companies want to see out of someone in her genre writing in the solid-to-high midlist at an early career point.

    In either case, had Sigler not significantly grown his readership when he went into trade and mass market circulation, his publisher might well have canceled his contract. It’s a very common thing. I suspect the same will happen with Hocking if her readership doesn’t grow significantly as a result of her mainstream deals.

    So I don’t think that an author is selling his fan base to publishers–most authors (way north of 95%) who get large press deals do so with a first novel and no previously established fan base. What is true is that with books that are intermediated by a publishing house and stories published through magazines (as opposed to indie publishing either) the editors are the customer and the story is the product. The readers then become the customers of the publishing house, even if they are fans of the author–and the author has to walk the difficult line of pleasing the readers (so they’ll buy from the publisher) and of pleasing his editors and their bosses. (Which can make an author crazy, which is why most just write the best they can and hope to hell they continue to have market appeal).

    So, the reader is the indirect customer of the author in legacy publishing, and is the direct customer in indie publishing. Potential market appeal (or, in at least two cases, proven market appeal)–not established fan bases–are what authors sell to publishers. The numbers of podcast fans, for example, are simply usually too small to do much other than raise an eyebrow at the editor’s desk (it shows the author will hustle, that they’ll take some of the marketing burden off, that they are comfortable dealing with the public, etc–all of which can translate to lower costs/risk).

    This is a very different paradigm from what Google, Facebook, and other cloud services operate under. And I’m not saying that paradigm is inherently evil–only that it becomes dangerous if you interact with such companies under the false impression that you’re the customer.

    The person who pays the money for something to exist is the customer. Google’s customers are advertising and marketing companies. Ditto for Facebook. Authors’ customers are either the audience (for indies) or the editors (for legacy), and in legacy pub the publisher’s customers are the distributors, and the distributor’s customers are the bookstores, and the bookstores sell to readers. With that kind of a supply chain, is it any wonder that the business of getting books to market has, until recently, been so fraught with bother for all involved?

    Anyhow, that’s what I’ve got. Would love to hear your further thoughts on the matter. Thanks for stopping by, Doc!

  8. Dan,

    Actually, I think you did a pretty good job of making my point for me, instead of countering it.

    On the indie market, the Author IS the Publisher, but it is the publisher that must hustle to sell books. You still don’t sell books to the readers as the author, you sell them as the publisher. It just happens that the two of you sit in the same body. I know it sounds like a spurious argument, but if you follow the logic it fits.

    In the legacy market, the author sells to an editor, who buys on behalf of a publisher. The publisher wants the content because it gives access to an audience who will pay for the content. Note that phrase “access to an audience”. That doesn’t mean that the author already HAS the audience, although as you said, it is a bonus to the author if one does already have an established audience. It is access to a theoretical audience that may already exist or may be an emerging market. No matter how good a new author’s book is, no publisher will “buy” it if they don’t believe there is an audience for it.

    The examples you cited only took into account authors who were new to mainstream publishing, but established authors also follow the same model. Their customers are editors and publishers, but they will only buy their product if it gives access to a sizable audience. There are talented authors out there who are still writing, but can’t sell anything anymore because the publishers don’t believe that they will give them access to a sufficiently large audience. This decline may be because the author’s quality dropped, because their chosen genre is in disfavor, because the author did something to alienate their audience, or a dozen other reasons. A bad reputation can ruin an established author, even though the author’s stories are still high quality.

    Authors DO need to appeal to the reader, because they need to produce something that the publisher can continue to sell on to someone else. But that reader is not the Author’s customer. Ford doesn’t sell a car to you and me, they sell to dealers. But they still have to sell a product the dealers will be able to sell on to someone else.

