Posts on this blog represent my opinion. It may be my considered opinion on the basis of my formal study of law and technology. But it is not legal advice. It must not be treated as, or acted upon as, legal advice and no liability is accepted for doing so.

Monday, 4 July 2011

Dropbox Terms of Service not actually that evil

There's an old saying that there's no such thing as bad publicity, but I'm not sure that Dropbox believe that right now.

It was embarrassing enough a couple of months ago when in response to security concerns Dropbox had to concede that their much-vaunted claim for totally secure encrypted hosting of data via the cloud wasn't quite as totally secure as most people assumed. Dropbox's explanation made sense - in order to allow web-based access, they need the ability to decrypt user files - and they reiterated assurances that there were procedural safeguards against their staff snooping such content. But trust in Dropbox took a dent.

Nothing like the dent it took the other week though, when a technical glitch left all Dropbox accounts open to access for several hours. Dropbox management were at least quick to concede fault and to advise users to check their account logs for unexpected activity, but this incident seriously tarnished Dropbox's reputation.

Which is probably why Dropbox are now in the news again, following a recent revision of their Terms of Service. When you've heard two lots of worrying news about a company, it's easy to believe the worst when a third story comes along. Now, ToS of cloud service providers are a particular interest of mine, so as a somewhat concerned Dropbox user myself I was keen to see whether there was genuine cause for concern.

What Dropbox have done is to make a generally admirable attempt to make their ToS as comprehensive, open and at the same time easy to understand as possible. I can well imagine why, in light of recent problems, they'd want to do this, although it's a difficult balancing act to try to achieve at the best of times. As Facebook found out, with its infamously longer-than-the-US-constitution privacy policy, detail and readability don't always go together. But having said that I think Dropbox have made a pretty good attempt at it, and their revised ToS are certainly a lot more concise and accessible than many I've had to review.

The particularly contentious part comes under the heading Your Stuff and Your Privacy. It says:

We sometimes need your permission to do what you ask us to do with your stuff (for example, hosting, making public, or sharing your files). By submitting your stuff to the Services, you grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent reasonably necessary for the Service. This license is solely to enable us to technically administer, display, and operate the Services. You must ensure you have the rights you need to grant us that permission.

Is this a massive rights-grap by Dropbox? Well, no. This particular term is very common in cloud, blogging and social-networking services. It arises because in any cloud-based service the provider has to copy your data in order to store it and make it available, and indeed has to publish it if you share that data with friends or the world at large. Whilst there are good legal arguments that you are implicitly granting Dropbox (or any other provider) permission to do this by the act of signing up to the service, for entirely understandable reasons Dropbox prefer to make it clear in your user agreement that this is what they're going to do, and that you the user are happy with it. As one of the comments to the Slashdot story I linked to explains, the scary-looking language is actually quite reasonable given how the service is used:

Worldwide = Dropbox provide a globally-available service.
Non-Exclusive = Dropbox can't and don't prevent you from licensing your data in other ways.
Royalty-Free = You won't charge us for this!
Sublicensable = Dropbox need to allow technology partners to copy your data too.

The caveats in the terms make it clear that Dropbox are invoking this licence only for the purposes of providing the service to users. In that respect it's narrower than, say, Facebook's corresponding term (here, clause 2.1), which sets no limits on the use Facebook may make of data that you share online.

What I know has concerned some people though is the rider at the end of Dropbox's clause about 'You must ensure you have the rights you need to grant us that permission.' Does this mean that you can only store content on Dropbox if you either created it or have licensed it on terms that allow you to copy it?

I think that the practical answer to this is that you are probably fine so long as you don't go beyond the implied scope of what you are supposed to do with the material in question. To take an example, I quite often use my Westlaw access to download a case report or journal article. Westlaw give me the option to email it to myself - an activity which necessarily creates transient and, via webmail, not-so-transient copies of the copyright work in question. But nobody else has access to those, and they are incidental to my approved use of the service. I consider that saving such reports or articles to my Dropbox folder is equally legitimate. What would not be legitimate is sharing or publishing links to them - that would be outside the scope of what Westlaw is letting me use the service for.

In a similar vein, just because Dropbox is in a very technical sense 'publishing' your content back to you when you view it via a web interface, that is not what I, or anyone, would normally regard as 'publishing'. If you store the manuscript of your novel on Dropbox, you aren't publishing it by doing so; indeed, you still aren't even if you share it with a circle of test readers. As such, you're not breaking any exclusivity clause with your actual publishers by doing so.

There's a lot of concern about the security of cloud and social networking services and the fine detail of what can be found in their ToS (often with very good reason). However, if you do find a scary-looking clause, look to see if it's a common one, and if so find out what it actually means. It may well be a lot less alarming than you might at first think.