Has Dropbox set the stage for a privacy revolution?

Life has been something of a rollercoaster ride for Dropbox lately. In May, the consumer cloud-storage service was hit with an FTC complaint based on allegedly misleading contractual language about data security. Last month, a group of consumers filed a class-action lawsuit against Dropbox for how it handled a temporary security hole in the service.

Then, on July 1, when Dropbox tried to do right by its users by clearing up much of the language in its terms of service, privacy policy and security overview, another uproar ensued. It appears this was the first time many customers bothered to read these documents, because the commenters on a blog post announcing the changes, as well as forum members across the web, began loudly criticizing certain Dropbox practices.

Of particular concern was terms of service language about data ownership, which some customers took to mean that Dropbox claimed ownership to their data. After a couple of attempts to clarify the issue on the July 1 blog post, Dropbox completely rewrote the section regarding data ownership and updated its terms of service again on July 6.

Despite all this, when the smoke clears, Dropbox’s newfound focus on transparency could turn out to be a great thing. Especially if it triggers an avalanche of other web-service providers following in its footsteps.

The federal government is eyeing up regulation of consumer web services regarding their privacy practices, and the resulting rules have the potential to be detrimental to companies like Dropbox, Facebook and Google. Part of the reason for the proposed rules is that companies haven’t been willing to regulate themselves. Facebook, which finds itself in a privacy snafu seemingly monthly, exemplifies the problem.

Dropbox’s efforts are so potentially meaningful because the FTC states that among its chief priorities for any federal rules are clear, reader-friendly contractual language and privacy policies. While Google is fighting such efforts with lobbyists, Dropbox is giving an example of how to cut legalese from a contract and let users know exactly what they’re signing up for.

Take this excerpt from the hotly contested copyright section, for example:

By using our Services you provide us with information, files, and folders that you submit to Dropbox (together, “your stuff”). You retain full ownership to your stuff. We don’t claim any ownership to any of it. These Terms do not grant us any rights to your stuff or intellectual property except for the limited rights that are needed to run the Services, as explained below. …

To be clear, aside from the rare exceptions we identify in our Privacy Policy, no matter how the Services change, we won’t share your content with others, including law enforcement, for any purpose unless you direct us to.

Dropbox General Counsel Ramsey Homsany, who joined the company about a month ago after spending years leading a legal team within Google, said he doesn’t think the contractual changes have anything to do with Dropbox’s legal issues. He said the company disagrees with the premise of the FTC complaint, so it isn’t making changes in an attempt to resolve that matter. In fact, the company began rewriting its terms in April, and so the changes were already underway when he joined.

Rather, Homsany said, Dropbox knows that its users — some of whom rely on Dropbox for their life’s work — are passionate about the service, and it wants to help them make informed choices. “We don’t have a pride in being right,” he explained. If some users think the terms are unclear, Dropbox will be even clearer, he said.

Both the federal government and users still care about what customer agreements actually permit a company to do, though, regardless of how clearly those permissions are written. Dropbox hasn’t materially amended how it uses customer data, and Homsany doesn’t think it has to right now. It can be a delicate balancing act to retain only the necessary rights while letting users keep the rest, but he thinks that customers by and large understand that creating a quality product does require some flexibility to use their data.

Dropbox rewriting its terms, privacy and security policies isn’t the be-all, end-all of the discussion over consumer rights online, but it’s a heck of a start. Someone had to get the ball rolling and show that web services actually are paying attention to the privacy firestorm surrounding them. As the villain du jour, it might as well be Dropbox who does it.

But for their own sakes, Dropbox’s peers might want to follow the company’s lead. If enough sites spell out for their users exactly what they’re signing up for, by the time they get around to formally proposing new laws, the FTC, Congress and any other federal bodies might forget what they were so mad about in the first place.

Feature image courtesy of Transparency Camp.

8 Responses to “Has Dropbox set the stage for a privacy revolution?”

  1. How can Dropbox claim they won’t share my data with LEA? I don’t think they will risk getting their servers taken if they don’t comply with a court order.

    Besides they abused data for their own purposes already when they scanned files for software they did not want to distribute.


  2. It’ll be hard to convince me that Dropbox’s moves are anything other than window dressing.

    When they had the initial privacy mini-scandal (where it turned out that some employees are, in fact, able to view customer files), they should have immediately reviewed their processes and policies in this area.

    The fact that they continued to use unclear language — as well as the shocking any-password bug that made it to their live servers — makes me think that they have not made the necessary systemic changes.

  3. Couple of things…

    1. You didn’t include the problem with Dropbox accounts being accessible without passwords for a brief time also during the period you discuss. For me, as a Dropbox customer, that was a serious concern. All the contractual language can’t protect you from those kinds of mistakes. True, all tech has flaws, but the applications Dropbox is used for make it particularly vulnerable to that. It’s as if your bank had a period when people could access your account without a password.

    2. I think Dropbox should also enumerate some of the things it’s intended to be used for, to see if there’s a match between the way customers see it and what they think it can be used for. All products need that kind of explanation. Can you imagine buying a car without them saying what you would use it for? Dropbox is still very new, and it’s important to hear, from the company, what they think it can be used for, safely. I asked this question on my blog four days ago, but haven’t gotten a response. Maybe GigaOm would fare better.

    • Derrick Harris


      I can’t speak to Dropbox’s security issues, or those of any other provider. They all have them, and no contractual language will prevent them from happening. But I do think clear contractual language is a good first step toward at least letting customers know what they’re getting into if all goes according to plan.

      Your second point is very interesting. It would potentially be very helpful for a service to enumerate its uses, but isn’t part of the maturity curve for a new service figuring out new uses? I think it might be more beneficial to say “here’s the deal with security, privacy, etc.” and you do with it what you feel comfortable doing with it. Eventually, everyone learns best practices, ideal use cases, etc.

      But I totally see your point.

  4. Is it that information remains only in Dropbox all the time? The answer is no. If the concern is about information misuse, then how many DropBox users actually can vouch for their own internal controls?

    The fact is that you are wanting to collaborate with information. A few questions come to my mind:

    1) What if the legit recipient downloaded the information from dropbox and then misused it. Can you prevent this from happening? Will you sue dropbox?

    2) What if the legit user/insider shared his credentials with the competitor to gain access. Can you prevent this from happening? Will you sue dropbox?

    3) What if a relationship sours out and you now need to retract information that was initially shared by email and then by dropbox? Do you blame dropbox?

    It is about having a policy independent of the channel used to share information. I bet that none of the people who have filed the case can retract the information that they may have emailed to their lawyers, colleagues, business partners. So why sue DropBox?