
Transparency report for the first half of 2016 - el_duderino
https://blogs.dropbox.com/dropbox/2016/12/transparency-report-jan-jun-2016/
======
leggomylibro
I'm looking at this report with a very skeptical eye; I moved away from
Dropbox after they brought Condoleezza Rice of all people on to their board of
directors to oversee privacy issues. But it seems pretty comprehensive.

It's interesting that West Virginia is the only state that didn't receive any
account information requests. Hey everyone, if you want to dodge the feds,
move to rural Appalachia! I also find it hilarious that they got a half-dozen
requests issued to the wrong company. Who do you think they were supposed to
go to? My money's on Box.

And it is complete bullshit that they can only give a range of '0-249' for
national security requests. But the big NSL case is still grinding through the
9th circuit court of appeals, right?

Anyways, my biggest concern is with the phrase, "Non-content provided." This
feels like a similar weasel word to "it's only metadata," and it reeks of
parallel construction to me. It's odd that they provided "non-content" for 96%
of subpoenas which didn't refer to nonexistent accounts, but provided actual
content for 0% of subpoenas. I'd like them to go into more detail about why
that is. If they're constantly resisting requests to provide full content,
then good on them. But they don't go into any detail.

~~~
news_to_me
Serious question, what was the big deal about hiring Condi Rice? I'm not
saying I condone her political career, but is there some obvious link that
would indicate that she's operating at Dropbox to the detriment of its users?

~~~
leggomylibro
There's no huge deal, I just see the way that companies fill key positions as
signals of their intentions. I don't think that she's working with the CIA to
spy on all of the company's users or anything, but I do think that her past
actions show a history of complete disregard for individual privacy. So when
the company hired her on their board to deal with issues of privacy, I read it
as a signal that they are unwilling to meaningfully stand up for their users'
privacy, and they're probably not averse to quietly compromising it for a
quick buck.

I was already not hugely impressed by the service, so I just switched to a
more secure cloud backup provider that costs about the same. I guess it was
more the straw that broke the camel's back.

------
ThePhysicist
I really wish Dropbox would give users a way to perform client-side
encryption of their data. There are ways to do this (e.g. via Boxcryptor or
via EncFS), but they all degrade the usability and are too difficult to set up
for most users. Encryption could be limited to certain folders (as not
everything is sensitive), and the ability to do full text search could be
partially preserved by doing indexing on the client. Especially for businesses
this would be a great boon and protect not only against government
surveillance, but also against hacking of accounts.

~~~
codezero
I presume they save a lot of money on space/upload speed if they can verify
the hash of your data matches data already in their store. I'd be really
curious to learn what percentage of data overlaps between accounts.

~~~
r3bl
Yes.

For a while, I've actually tried uploading stuff to small TrueCrypt
containers. Everything above 50 MB per container is absolutely unusable for
cloud storage.

Now I'm simply on ownCloud (well, Nextcloud to be precise) with the encryption
enabled on the backend when the data is at rest.

------
r3bl
Isn't this more of a public statement about the report than the link to the
actual report that's hidden behind a link at the bottom of all this?

The only thing I've learned is that they're a part of some coalition about the
transparency. The report itself is much more interesting.

Maybe it's worth switching the link to
https://www.dropbox.com/transparency/
?

------
_RPM
I really find Corporate Speak annoying as hell. How could anyone read this and
take it seriously? ..."Here at Dropbox.. We earn your trust...". The whole
"Here at $X" is the most annoying part.

~~~
tedsanders
I see language conformity through two lenses: risk and scale.

I'll speak to risk first.

If you are a company delivering a report to shareholders, the risk is
primarily downside risk. It's unlikely for your stock to skyrocket if you say
something clever, but it might fall if you spook them. This is because the
default assumption for companies is that management is already competent, so
the risk distribution has more downside than upside. I see corporate speak as
a tool to avoid spooking folks and triggering this downside risk. (Notably,
there is a positive feedback loop, where non-corporate speak becomes a
stronger signal as it becomes rarer.)

On the other hand, if you are a startup company trying to break into a market,
the risk is primarily upside risk -- if your communications go well, your
business could eventually grow by many multiples. And achieving growth almost
always means differentiating yourself from competitors. The reason that many
startups eschew corporate speak is not necessarily because they are smarter,
but simply because they are adapted to their environment. Avoiding corporate
speak is the correct strategy when your upside risk is high.

The second issue is scale. It applies to both the receivers of the messaging
and the senders of the messaging.

If you are selling to a specific niche, you can use the language and
sensibilities of that niche when crafting your message. But if you are selling
to a broad base composed of many niches, this customization of language is no
longer possible. Anything too non-standard risks distancing certain niches.
This is why when you are selling to a large audience, your communication
necessarily needs to be blander than if you are selling to a specific niche.

Another force that pushes corporate speak is coherence. When you have one
voice, as individuals or startups might, it's easy to keep messaging
consistent and coherent. Avoiding mistakes is easier, because there's only one
point of failure. But as your company scales, you suddenly have hundreds of
people putting out communications (and there is constant turnover among these
folks). In this setting, it's hard to keep the style of these communications
unique and consistent. It's also harder to prevent dumb mistakes, since there are
now hundreds of points of failure. Relative to more personal or unique styles,
corporate speak is easier to apply across large organizations.

Lastly, and relatedly, I think corporate speak often arises as a result of
people optimizing individually. If I'm putting out communications, I could get
fired if someone doesn't like my bold/honest/creative take. But if I put out
something bland, especially in an environment while others are putting out
something bland, I'm not going to get fired. It's a similar risk argument as
above, but applied to people. If I write a great blog post for my company,
no one is going to double my salary. But if I write a disastrous blog post for
my company, I'm getting canned. The risk is asymmetric.

~~~
robocaptain
One of the best replies I've ever read on HN. :)

I think you nailed it.

------
elmigranto
That is nice and all, but what interests me as far as transparency goes is:

- what is up with client's high CPU usage when there is disk activity outside
Dropbox folder;

- actual technical reason for needing to install kernel extension on macOS
(previous answers on HN were something like "we need to do _things_ that
Finder API does not allow").

~~~
codezero
This is pretty off topic – the transparency report is specific to legal
requests for data. I don't see how it would be relevant to muddy the term
'transparency report' or to couple that report with explanations of features,
no matter how opaque their implementation is.

~~~
elmigranto
Preface says:

 _One way we work to earn that trust is through our commitment to transparency
about government requests for user information._

I think explanations for these kinds of things would work significantly better
for making users trust Dropbox more.

No need to include those in the report, but I'd rather see a page about reasons
behind weird behaviors than a bunch of numbers (which might as well be random
from my layman's POV).

~~~
mynameisvlad
Sure, and that'd be great feedback for them in general, but is pretty off
topic when the topic of the thread is that thing that you just quoted.

