

Dropbox TOS Includes Broad Copyright License - Indyan
http://hardware.slashdot.org/story/11/07/02/0515218/Dropbox-TOS-Includes-Broad-Copyright-License?utm_source=slashdot&utm_medium=twitter

======
timmyd
Let me clarify ....

TL;DR - it's hyperbole. answer the negative. if they didn't get this
permission from you - you could sue them for copyright infringement. every
service does it. don't freak.

Long Version:

The key to the text is "non-exclusive" - generally this grants the
nonexclusive rights to display the material on a Web site. It also allows the
licensee (ala DropBox) to let their company use, manage, display [etc] your
files.

It's a fairly standard contractual term nowadays - for example see

<http://www.youtube.com/t/terms> at 6 C OR even your Gmail Terms ...
[<http://www.google.com/accounts/TOS?hl=en> at 11.]

Youtube - "For clarity, you retain all of your ownership rights in your
Content. However, by submitting Content to YouTube, you hereby grant YouTube a
worldwide, non-exclusive, royalty-free, sublicenseable and transferable
license to use, reproduce, distribute, prepare derivative works of, display,
publish, adapt, make available online or electronically transmit, and perform
the Content in connection with the Service ...."

Gmail - "By submitting, posting or displaying the content you give Google a
perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to
reproduce, adapt, modify, translate, publish, publicly perform, publicly
display and distribute any Content which you submit, post or display on or
through, the Services. This license is for the sole purpose of enabling Google
to display, distribute and promote the Services and may be revoked for certain
Services as defined in the Additional Terms of those Services."

Generally, the language uses "non-exclusive" in its context which is OK. It
basically allows internet services to be internet services

i.e. if they didn't have a non-exclusive licence, how could they use your
files - which contain copyright content you own - in their services ? - they
couldn't :) By asking for a non-exclusive licence, it means you are permitting
DropBox to use it for the purposes of

"worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy,
distribute, prepare derivative works (such as translations or format
conversions) of, perform, or publicly display that stuff to the extent we
think it necessary for the Service."

If you're uncomfortable with this term, then unfortunately you'll be
uncomfortable using any service on the Internet as it's generally required to
provide a service :) The terms agreement incorporates their Privacy Agreement
- thus meaning they still owe you the obligations outlined in their privacy
clause. They cannot distribute your content without your permission.

"But, but, but .... they should have to identify copyright not me"

Again, you are giving them the non-exclusive right. If you have MP3 music
[legally obtained for example] - you have ownership for that file. You are
provided with the right to store that file for personal use just as you have
the right to share that file with your friends. The rights associated with
this file are governed by the terms of service when you purchased that file
[i.e. iTunes]. Go and read your rights regarding MP3 Music purchased from
iTunes.

You are providing DropBox with a non-exclusive right - not an "exclusive
right" which would be just that "exclusive" and therefore you have licensed it
only to DropBox per se - to be able to store, transform ... etc that file.
The Privacy policy is incorporated within the Terms agreement - thereby
inferring they cannot "distribute your content without your consent".

Dropbox do NOT "know" where you purchased the file or the terms surrounding
every single file they store on your behalf [how could they?] - it's your
responsibility - not theirs - hence the point of the term.

"You must ensure you have the rights you need to grant us that permission."

Dropbox is fine. Use it. Or stop using Gmail and most other services ....

~~~
sunchild
Non-exclusive just means that Dropbox isn't the only licensee. I've never once
seen a consumer-facing TOS that purported to be exclusive. That's really not
the issue here.

The issue is whether the scope of Dropbox's license is overly-broad, given the
service that they're providing.

Under the Google TOS, Google says:

"This license is for the sole purpose of enabling Google to display,
distribute and promote the Services."

Now, take a look at Dropbox's new TOS:

"...to the extent reasonably necessary for the Service. This license is solely
to enable us to technically administer, display, and operate the Services."

Dropbox's license is actually MORE limited in scope than Google's. I don't
really understand why people are freaking out about this particular issue.

IMO, the security issue and their handling of that is more important.

(The post is informational only, not intended to be legal advice or to create
an attorney-client privilege).

~~~
nknight
Except that _wasn't_ the new TOS at the time the articles went up. They
changed it _after_ the world exploded. See the bottom of their blog entry:
<http://blog.dropbox.com/?p=846>

~~~
sunchild
Oh, I missed that. Thanks!

------
rkalla
When the new TOS were announced I think a lot of us balked at reading those
statements. The examples given in the TOS (e.g. "to convert your files") all
seem reasonable, but as Indyan pointed out, it sure leaves the door open to
some fuzzy interpretations.

Quick question, if AT&T suddenly bought Dropbox, would you all feel as passive
about the new TOS or be quick to get your files out of there?

What about Facebook? Microsoft? or Silver Lake Partners?

I understand it's easier for Dropbox to be vague in their TOS so they don't
have to spell out the service or future features that might require expanded
agreements.... but given the nature of the service and the previous fiascos
Dropbox has had already this year, it sure seems like they are cutting
themselves some undeserved slack with regards to specificity.

I appreciate that they rewrote the terms to be more human readable, but why
not spell out "You agree to let us duplicate, read and write your files in the
case where you share, copy, publish or convert your files via the web or
client software interface" -- or something following that.

I don't have a company with 200 million users though, so maybe the logistics
of being that specific are an impossibility. I'd also be a lot more forgiving
of this broad language if Dropbox has never had any hiccups, so my personal
nervousness is mixed in there.

~~~
eli
You are missing the point.

Those companies _do_ have similar terms in their agreements! Any service that
accepts user content should. It's in everyone's benefit to make it clear that
you own your content, but you're giving the service a license to copy it,
display it, etc.

AT&T: "while you retain any and all of your lawfully owned rights in such
Content, you grant AT&T a royalty-free, perpetual, irrevocable, non-exclusive
and fully sublicensable right and license to use, reproduce, modify, adapt,
publish, translate, create derivative works from, distribute, perform and
display..."

Facebook: "you grant us a non-exclusive, transferable, sub-licensable,
royalty-free, worldwide license to use any IP content that you post on or in
connection with Facebook"

~~~
sunchild
Actually, I think you're missing the point.

1\. People seem to want to use Dropbox to store sensitive, private data. Most
sensible people don't trust AT&T, Facebook, Microsoft, etc. for this purpose
anymore because of their past gaffes.

2\. Dropbox makes numerous "marketing" statements all over their site
purporting to be safe for confidential, private information.

3\. The licenses that companies need in their TOS can be scoped appropriately
to what's strictly necessary for them to provide you the service you signed up
for. Companies that reserve rights in their users' stuff beyond what's
necessary do so for a reason – and it's not likely to be in the user's
interest.

~~~
tptacek
You've evaded this person's comment, possibly because it doesn't fit a point
you want to make.

The comment you're responding to says, "Legally, any service that does the
basic things we expect Dropbox to do for us probably needs to have these terms
in place. The point raised about not trusting Dropbox after an AT&T
acquisition is irrelevant; every large company already has those terms,
because they have to."

You can _want_ to trust Dropbox more than Microsoft, but that doesn't change
the legal landscape.

Your third point comes closest to actually addressing the discussion here, but
_how_ do they scope their ToS narrowly enough to satisfy you? And how do they
then do that without having to then announce ToS changes every time they add a
new feature?

~~~
sunchild
I don't think I've evaded the comment at all.

1\. The issue is the scope of the license.

2\. The overly-broad scope chosen by Dropbox (and many others) is a valid
reason to question their trustworthiness as a custodian of sensitive private
information.

3\. In the case of AT&T, Facebook, etc., we have a history of actual
disclosure incidents to draw from, adding some context to their
trustworthiness. In fact, Dropbox itself has joined that club, with their
recent security gaffe and their handling of it, and statements surrounding it.

4\. As I say in a few places around this thread, I think the correct scope of
the license would be strictly what's required to carry out the user's
instructions. At the very least, it should be limited to uses that are in the
user's interest, not the interest of Dropbox or a third party.

EDIT: I said "overly-broad scope chosen by Dropbox" above in error. In fact, I
think the Dropbox TOS is dead-on in terms of the scope of the license. As far
as I can tell, it's limited to what they need in order to "do what you ask us
to do with your stuff (for example, hosting, making public, or sharing your
files)".

(This post is information only, is not intended as legal advice or to create
an attorney-client relationship.)

~~~
tptacek
This reads like a smokescreen. If providers need these licensing terms to
safely provide this service, then they either need to post them or get out of
this business. "Actual history of disclosure incidents" and "trustworthiness"
simply don't have anything to do with it.

If you're a lawyer, it would be helpful if you could just straight-up answer
the question, which I'll restate for you: what are specific things Dropbox
could do to their ToS to scope it down without making the ToS so narrow they
can't introduce new features without constantly revising it?

~~~
sunchild
I'm not sure why you're being so cranky about this. I'm doing my best to be as
clear as possible.

1\. The Dropbox license is scoped correctly, IMO. It's as narrow as it should
be, and not so narrow that it would impair their ability to provide the
service.

2\. All commercial relationships come down to trust. Contracts only take you
so far. If a provider offers acceptable contract terms, but has also shown
signs of incompetence or untrustworthiness, I would avoid them. After all, how
likely are you to enforce the contract terms against them?

HTH – and again – this is not intended to be legal advice or to create an
attorney-client relationship.

~~~
tptacek
I'm confused. Upthread, you said (paraphrased) "companies that reserve rights
beyond what's absolutely necessary tend not to be doing this in their users'
best interests". You didn't then qualify this with "but of course that's not
what Dropbox is doing".

Maybe we just agree about Dropbox --- that this latest ToS kerfuffle is just
a banal legal/administrative thing, not evidence of any cavalier attitude at
Dropbox about user data.

~~~
sunchild
We do agree. I also agree that my comment above was a little misleading.
That's because the OP's article quotes a version of the Dropbox TOS that isn't
the current version anymore, apparently.

Sorry for the confusion!

------
code_duck
This is exactly like the broadly misunderstood TOS for Facebook, Etsy and
other services.

They _need_ a license to your work in order to distribute it, and display it
to others or perhaps even you.

These clauses have been in TOSs for years and years, and only now people have
taken notice. The average person doesn't know much about IP though, and
probably couldn't tell you the difference between a copyright and a patent.

Companies sometimes do overreach in this step though, conveniently claiming
rights to use your images royalty-free in advertisements for the service and
around their site without you being involved. It's important for people to
know what they're signing over, and perhaps it is more than necessary or
intended in some cases. However, the mere notice that you are extending a
copyright license to a company to whom you are uploading media is not in
itself suspicious, unusual or an attempt to take rights from you.

~~~
cma
Just because it is standard doesn't mean it is acceptable.

~~~
JonnieCache
It is standard because there is no other choice if you want to provide
services of this nature. Blame the law, not the service providers.

~~~
matwood
Could it be worded in such a way that makes the rights granted to Dropbox only
usable for making Dropbox functional?

~~~
jws
That's why the sentence ends _… to the extent we think it necessary for the
Service._

------
russell_h
It specifically states that the rights you grant them are limited "to the
extent we think it necessary for the Service."

The "we think" might be a little ambiguous, but given that Dropbox is a tool
for sharing files (with yourself or others), it seems reasonable that you
grant them rights to do so.

~~~
sunchild
IMO, the right way to express this would have been "to the extent required for
us to provide the Services that you use".

Dropbox definitely does not understand the confidentiality requirements that
(some of) their customers have. By reserving themselves so much leeway,
Dropbox is driving away business users who need assurances of confidentiality.

IAAL, and I can't use Dropbox today because I can't trust them with my
clients' data.

(This post is informational only, not intended as legal advice or to create an
attorney-client relationship.)

~~~
stan_rogers
"... to the extent _required_ ..." would leave them open to liability related
to the methods they use to implement the system; if it can be established that
the service could have been implemented in any way that did not require them
to expose, transform, etc., the information in question the way they did at a
particular stage, they are suddenly in violation of copyright license.

~~~
sunchild
Indeed. That's the point I want to make!

~~~
stan_rogers
No, it isn't -- trust me. An approach that seems to be the only way to do
things at point A, an approach that was arrived at that was the product of
somebody's best thinking, but later turns out to have only _seemed_ so at the
time it was implemented (everybody has blind spots), is _still_ a good-faith
effort. The word _required_ means that good faith (in the legal sense) and the
limits of technological knowledge at any given period in time are insufficient
defense for actions brought on the basis of knowledge that did not exist
at the time of the alleged infringement. That is an unreasonable and onerous
burden; the service (or any similar service) could not be provided under those
terms.

------
wavesound
If my assumption of dropbox's intent is correct, I prefer facebook's approach
to this problem. Instead of wording terms exclusively in their favor they
could have extended an olive branch...

"For content that is covered by intellectual property rights, like photos and
videos ("IP content"), you specifically give us the following permission,
subject to your privacy and application settings: you grant us a
non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to
use any IP content that you post on or in connection with Facebook ("IP
License"). This IP License ends when you delete your IP content or your
account unless your content has been shared with others, and they have not
deleted it."

(from <https://www.facebook.com/terms.php>)

facebook's license to share the picture of your cat terminates after you
delete it from your profile. Had dropbox used a similar strategy while drafting
their terms, this would not be news...

(Disclaimer: I am not a lawyer and do not pretend to be one on TV.)

~~~
sunchild
There are two factors that matter:

1\. When the license ends.

2\. What uses are permitted while the license is in effect. This is the part
that is currently way too broad. It should be limited to what's necessary to
carry out the user's instructions. In other words, Dropbox should only be able
to use your content in your own interest, not in theirs or any third party's.

(This post is informational only, not intended to be legal advice or to create
an attorney-client relationship.)

------
arashf
hi all, we've been reading all the feedback carefully and made a change to
the licensing section to clarify what we meant.

the change is highlighted on our blog: <http://blog.dropbox.com/?p=846>

~~~
sixtofour
Thanks for that.

------
jcfiala
"We sometimes need your permission to do what you ask us to do with your
stuff"... " or publicly display that stuff to the extent we think it necessary
for the Service."

So, they need to cover themselves legally if you put something in your public
folder, or share it with someone else.

Besides, if you encrypt everything then it's not like they can do anything
with it.

It's just a cya clause.

------
grinich
It's often good to look at how other companies do things to see if it's out of
the ordinary. Turns out this line is extremely common. Google, for example:

    
    
        You retain copyright and any other rights you already hold in 
        Content which you submit, post or display on or through, the Services. 
        By submitting, posting or displaying the content you give Google a 
        perpetual, irrevocable, worldwide, royalty-free, and non-exclusive 
        license to reproduce, adapt, modify, translate, publish, publicly 
        perform, publicly display and distribute any Content which you submit, 
        post or display on or through, the Services. This license is for the 
        sole purpose of enabling Google to display, distribute and promote the 
        Services and may be revoked for certain Services as defined in the 
        Additional.
    

<http://www.google.com/accounts/TOS>

Also, Drew and Arash just posted an update to the blog with clarified
language: <http://blog.dropbox.com/?p=846>

------
skmurphy
I only use dropbox for backup of my computer and do not want Dropbox to share
or otherwise access my files for any reason other than to preserve them for my
use. I do not want Dropbox to make them available to anyone else without my
explicit authorization. The revised TOS seems to stress the file sharing
aspect which makes me very uncomfortable continuing to use Dropbox.

Here is what I wrote back to tos-feedback@dropbox.com (interesting that the
default reply-to was no-reply@dropboxmail.com which doesn't make it seem like
they are really interested in feedback)

    
    
       Please consider splitting the service into file sharing and backup and 
       having a different agreement for each.
       I cannot and do not accept these new terms for your backup service 
       and will have to look for an alternate supplier if you cannot amend 
       your new approach: these are not the terms I agreed to when I signed up 
       for the service. In addition, two weeks notice strikes me as a very 
       short window for such a significant change: please consider 
       extending the notice period.

------
dolinsky
TL;DR - this is no different from almost every other site that many of us
already participate in that includes an aspect of uploading/sharing content
and in no way does this imply ownership.

------
sek
Account deleted, problem solved.

Can't believe i recommended this service to my friends.

~~~
vesto
This certainly isn't a reason to suddenly delete your Dropbox account. Based
on the previous actions of Dropbox regarding their TOS, I'm sure they will
come out and clearly explain to users exactly why this change was instated and
what it means for users, and I honestly doubt it's anything too serious for us
to worry about.

~~~
sek
They accumulated enough, this was just the one that got me to do it. For these
purposes i did use Dropbox i need a service i can trust.

------
Indyan
I am no lawyer, and most legalese is absolute greek to me, but that clause
genuinely freaks me out. However, common sense also tells me that Dropbox will
never do something like sharing/profiting out of others' files. That will
drive them to the ground. I am not really sure what to make out of this. Is
this some clause that Dropbox had to put in to save their butt, or is there a
sinister motive behind this?

~~~
henrikschroder
Given how copyright law works, you need to grant Dropbox (and any similar
services) those rights, otherwise they can't provide their service with your
files.

 _worldwide_

= For the whole internet

 _non-exclusive_

= You can still license your stuff to others

 _royalty-free_

= Dropbox doesn't have to pay you for this license

 _sublicenseable_

= The license you grant Dropbox can be transferred to other companies, in the
event of a company merger or similar

 _rights to use_

= Doesn't mean anything

 _copy_

= So they can copy your files between their internal servers

 _distribute_

= So that they can distribute your public files to other users

 _prepare derivative works of_

= So they can create thumbnails, extracts, previews etc

 _perform_

= Doesn't mean anything

 _or publicly display_

= List your public files to others

~~~
pbreit
I'm curious what could happen if they did not include this clause? Who would
sue who and for what?

~~~
xsmasher
Dropbox is making a copy of your files every time they back up one of their
servers. That might be a copyright violation without your explicit permission.
This license fixes that problem.

------
bergie
Another reminder on not to use "the cloud" for anything critical or
confidential, at least without encryption. Dropbox I used for synchronizing
meeting notes, which may or may not be something I'm comfortable sharing. For
example GitHub is completely different, as all my code is anyway open.

So, Dropbox account now removed. Won't be going back.

------
lemming
As soon as I get time to investigate it properly, I'm going to be replacing
Dropbox with Fuse + S3FS + EncFS. I recommended Dropbox to a lot of people and
invited a lot of people to it, but assuming the above combination works I'll
certainly be recommending it to techy friends in the future, and if I continue
to mention Dropbox to non-tech folks (my parents etc) it'll be with a lot more
qualifiers than previously.

I'd like to be sure that if all my data is exposed to someone it's as a result
of my own cock-ups, not anyone else's. I don't think Dropbox are evil but I'm
not feeling too confident about keeping sensitive data there any more. Their
recent errors have probably only highlighted things I should have thought of
previously - lesson learned there.

------
Nemisis7654
I use Dropbox for everything as I use several different computers (the
computer lab at university, work, Windows 7 on my laptop, Ubuntu on my
laptop). I cannot see myself without this service...but this is ridiculous. I
am seriously considering deleting my account.

------
Prometheu5
If you are technologically savvy (as one may assume, since you are here after
all) and you feel uncomfortable with this change (as I do), I would suggest
looking in to some of the other projects around that offer somewhat similar
(albeit not as feature complete) self-hosted solutions:
<https://github.com/philcryer/lipsync> <http://sparkleshare.org/>

------
eli
Well, of course you're granting them a license to your files. Otherwise you
could sue them for copying your files to their server.

~~~
pbreit
Could you? Would you win? Has anyone ever sued? Successfully?

~~~
eli
Certainly you could sue. I don't think you would win. IANAL.

------
snitko
I'm curious as to how long would it take some open-source enthusiast to come
up with an open-source version of Dropbox-like software that you can install
on your VPS and sync files through your own server. I mean, that would be
awesome, but not too profitable.

------
blumentopf
This reminds me of Jason Scott's classic: "Fuck the cloud"
<http://ascii.textfiles.com/archives/1717>

------
molecule
disappointing bit of CYA, after they failed to notify ALL of their customers
that authentication had been temporarily, accidentally disabled for a few
hours.

------
tzs
Flagged for the FUD title chosen by the submitter.

------
katovatzschyn
Please advise as to simple alternatives.

------
shareme
What Dropbox TOS could have been

1\. We, Dropbox, copy your files in order to enable sharing and retrieving
said files. Those copies of files we use still carry the sharing permissions
you enable and your copyrights fully intact.

------
ldar15
"to the extent we think it necessary for the Service."

Does this include if they think it's necessary for them to turn off passwords
for several hours? I am curious about the timing:

    
    
      * Fuck up security[0]
      * Get hit with class action suit[1]
      * Change TOS
    

[0] <http://news.ycombinator.com/item?id=2678576>
[1] <http://www.consumeraffairs.com/news04/2011/06/cloud-site-dropbox-drops-the-ball.html>

