Earlier this month, I wrote that we would not be renewing our Dropbox accounts when they expire because the cloud storage provider had changed its terms of service to include a forced arbitration clause. This wasn’t a hard decision, even though we opted-out of the forced arbitration and would have been grandfathered under the terms in place when we first subscribed. But we’re nearly fully migrated to ownCloud running on our own server and there’s no longer any need for us to pay Dropbox and subject ourselves to its bullshit.
Until the spring of 2011, Dropbox perennially did a lot of hand-waving about how secure your encrypted data was on its servers. Then, under pressure, the company grudgingly acknowledged that it holds the encryption key for every Dropbox account and faced a complaint with the US Federal Trade Commission (FTC) alleging continued disingenuousness with regard to its claims of the security of its users’ files. Subsequently, Dropbox has dialed back much of its security rhetoric.
Watch now as Dropbox fails to drop any pretense of security of its users’ files and doubles-down on bullshit. Last Saturday evening, Darrell Whitelaw tweeted a Digital Millennium Copyright Act (DMCA) takedown in his personal Dropbox folder:
wow. @dropbox DMCA takedown in personal folders . . . this is new to me. pic.twitter.com/fSKxJUrFus
— darrell f'n whitelaw (@darrellwhitelaw) March 30, 2014
Darrell Whitelaw tweet, 29 March 2014 9:25PM.
Whitelaw followed up with another tweet indicating that the Dropbox folder in question was a private folder with a share link:
@mmasnick private. But a share link.
— darrell f'n whitelaw (@darrellwhitelaw) March 30, 2014
Darrell Whitelaw tweet, 29 March 2014 9:51PM.
And further clarified that sharing the file was being blocked, not that the file was deleted:
@brendanl79 @natefanaro just block file from being shared.
— darrell f'n whitelaw (@darrellwhitelaw) March 30, 2014
Darrell Whitelaw tweet, 29 March 2014 10:07PM.
The link to the shared file was sent via instant message and was not public:
@MFaroTusino @alv1nW @Dropbox nope. Via IM.
— darrell f'n whitelaw (@darrellwhitelaw) March 30, 2014
@bradleychambers nope. Link was only shared via IM to one person.
— darrell f'n whitelaw (@darrellwhitelaw) March 30, 2014
Darrell Whitelaw tweet, 29 March 2014 11:52PM and 30 March 2014 12:12AM.
Within about five hours, Dropbox support makes an appearance, claiming DMCA takedowns only apply to shared links:
@darrellwhitelaw Hey Darrel – content removed under DMCA only affects share-links. DM us if you’re seeing something different so we can help
— Dropbox Support (@DropboxSupport) March 30, 2014
Dropbox Support tweet, 30 March 2014 2:43AM.
Later, Whitelaw joins the speculation that Dropbox checks file hashes against a DMCA blacklist when the share link is created:
@Leonick91 @Dropbox @wilw yeah, that seems to be how its working. Checks hashes against a blacklist of DMCA request content when making link
— darrell f'n whitelaw (@darrellwhitelaw) March 30, 2014
Darrell Whitelaw tweet, 30 March 2014 10:44AM.
None of this means that Dropbox isn’t within its original terms of service. It is; this isn’t anything new. Moreover, Dropbox is following the letter (and intent) of current US intellectual property law. If Dropbox is indeed checking file hashes against a DMCA blacklist to determine which share links to block, it’s working in the least intrusive way it can to protect itself. Assuming that the DMCA blacklist it’s using is completely legitimate; and that’s a big assumption.
But here’s the bigger problem: For years we each created symbolic links between our Documents directory and Dropbox so that all of our files were available regardless of the device we were using. Quite a few of the files in that directory are sensitive and include bookkeeping information, strategic notes, client work, manuscripts, and on and on.
If you’re still not convinced that Dropbox isn’t nearly what it pretends to be, consider that the service for which you pay that purports to keep your information secure — or at least private — doesn’t. Not by a long shot.