Quick question, if AT&T suddenly bought Dropbox, would you all feel as passive about the new TOS or be quick to get your files out of there?
What about Facebook? Microsoft? or Silver Lake Partners?
I understand it's easier for Dropbox to be vague in their TOS so they don't have to spell out the service or future features that might require expanded agreements.... but given the nature of the service and the previous fiascos Dropbox has had already this year, it sure seems like they are cutting themselves some undeserved slack with regards to specificity.
I appreciate that they rewrote the terms to be more human readable, but why not spell out "You agree to let us duplicate, read and write your files in the case where you share, copy, publish or convert your files via the web or client software interface" -- or something following that.
I don't have a company with 200 million users though, so maybe the logistics of being that specific are an impossibility. I'd also be a lot more forgiving of this broad language if Dropbox has never had any hickups, so my personal nervousness is mixed in there.
Those companies do have similar terms in their agreements! Any service that accepts user content should. It's in everyone's benefit to make it clear that you own your content, but you're giving the service a license to copy it, display it, etc.
AT&T: "while you retain any and all of your lawfully owned rights in such Content, you grant AT&T a royalty-free, perpetual, irrevocable, non-exclusive and fully sublicensable right and license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, perform and display..."
Facebook: "you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook"
1. People seem to want to use Dropbox to store sensitive, private data. Most sensible people don't trust AT&T, Facebook, Microsoft, etc. for this purpose anymore because of their past gaffes.
2. Dropbox makes numerous "marketing" statements all over their site purporting to be safe for confidential, private information.
3. The licenses that companies need in their TOS can be scoped appropriately to what's strictly necessary for them to provide you the service you signed up for. Companies that reserve rights in their users' stuff beyond what's necessary do so for a reason – and it's not likely to be in the user's interest.
The comment you're responding to says, "Legally, any service that does the basic things we expect Dropbox to do for us probably needs to have these terms in place. The point raised about not trusting Dropbox after an AT&T acquisition is irrelevant; every large company already has those terms, because they have to."
You can want to trust Dropbox more than Microsoft, but that doesn't change the legal landscape.
Your third point comes closest to actually addressing the discussion here, but how do they scope their ToS narrowly enough to satisfy you? And how do they then do that without having to then announce ToS changes every time they add a new feature?
1. The issue is the scope of the license.
2. The overly-broad scope chosen by Dropbox (and many others) is a valid reason to question their trustworthiness as a custodian of sensitive private information.
3. In the case of AT&T, Facebook, etc., we have a history of actual disclosure incidents to draw from, adding some context to their trustworthiness. In fact, Dropbox itself has joined that club, with their recent security gaffe and their handling of it, and statements surrounding it.
4. As I say in a few places around this thread, I think the correct scope of the license would be strictly what's required to carry out the user's instructions. At the very least, it should be limited to uses that are in the user's interest, not the interest of Dropbox or a third party.
EDIT: I said "overly-broad scope chosen by Dropbox" above in error. In fact, I think the Dropbox TOS is dead-on in terms of the scope of the license. As far as I can tell, it's limited to what they need in order to "do what you ask us to do with your stuff (for example, hosting, making public, or sharing your files)".
(This post is information only, is not intended as legal advice or to create an attorney-client relationship.)
If you're a lawyer, it would be helpful if you could just straight-up answer the question, which I'll restate for you: what are specific things Dropbox could do to their ToS to scope it down without making the ToS so narrow they can't introduce new features without constantly revising it?
1. The Dropbox license is scoped correctly, IMO. It's as narrow as it should be, and not so narrow that it would impair their ability to provide the service.
2. All commercial relationships come down to trust. Contracts only take you so far. If a provider offers acceptable contract terms, but has also shown signs of incompetence or untrustworthiness, I would avoid them. After all, how likely are you to enforce the contract terms against them?
HTH – and again – this is not intended to be legal advice or to create an attorney-client relationship.
Maybe we just agree about Dropbox --- that this latest ToS karfluffle is just a banal legal/administrative thing, not evidence of any cavalier attitude at Dropbox about user data.
Sorry for the confusion!
If they did, then I was suggesting that the TOS could use improvement (tightening of terms) to better clarify what is happening to the data you are putting up there.
For example, given a TOS that is sufficiently well specified with regard to what rights are owned in what scenarios, etc... I wouldn't care which company had my data if the TOS protected me enough (let's wave-away the discussion of enforcement here) where as with open-ended TOS's, my level of OK'ness with it is directly tied to the company holding my data and their behavior more than anything.
To me, that suggests that TOSs could benefit from some user-favoring tweaks and clarifications, especially if the company doesn't need the wide birth they have written in for themselves for particular reason.
To address the followup question of amending the TOSs every time a new feature ships, sure on the other extreme end of the spectrum this would be a problem; I'm suggesting something more strict than we have now, but not so strict it's ridiculous.
If you leave facebook, you can revoke the licence for them to use your images. Ditto if you post an image on facebook then later delete it.
Drop Box on the other hand is a private data storage service (at least I thought they were) - where I expect to be confident with them having my sensible data. Such TOS additions are just undermining any trust I might still have to them (after their "encryption" and password fiasco).
They need a license to your work in order to distribute it, and display it to others or perhaps even you.
These clauses have been in TOSs for years and years, and only now people have taken notice. The average person doesn't know much about IP though, and probably couldn't tell you the difference between a copyright and a patent.
Companies sometimes do overreach in this step though, conveniently claiming rights to use your images royalty-free in advertisements for the service and around their site without you being involved. It's important for people to know what they're signing over, and perhaps it is more than necessary or intended in some cases. However, the mere notice that you are extending a copyright license to a company to whom you are uploading media is not in itself suspicious, unusual or an attempt to take rights from you.
Therefore there will always be a tiny chance left for one party to get bitten in the ass down the line. The company has to decide if its them or you that is exposed to that slight risk.
Good luck finding a company that picks them rather than you.
Rereading, I realise that I haven't been entirely clear. I hope you get the idea. IANAL.
If service providers didn't secure a license from the uploader/creator of a work, this could happen:
- Jim McJones uploads his photo to flickr
- flickr displays his image to the public
- Jim McJones sends flickr a cease and desist or sues for copyright infringement
DropBox's clause relating to this was already decent and fair in my opinion. Of course, I am not a lawyer or legal expert, just someone who both creates content and runs websites which distribute other peoples' works.
The "we think" might be a little ambiguous, but given that Dropbox is a tool for sharing files (with yourself or others), it seems reasonable that you grant them rights to do so.
Dropbox definitely does not understand the confidentiality requirements that (some of) their customers have. By reserving themselves so much leeway, Dropbox is driving away business users who need assurances of confidentiality.
IAAL, and I can't use Dropbox today because I can't trust them with my clients' data.
(This post is informational only, not intended as legal advice or to create an attorney-client relationship.)
"For content that is covered by intellectual property rights, like photos and videos ("IP content"), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook ("IP License"). This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it."
facebook's license to share the picture of your cat terminates after you delete it from your profile. Had dropbox used similar strategy while drafting their terms, this would not be news...
(Disclaimer: I am not a lawyer and do not pretend to be one on TV.)
1. When the license ends.
2. What uses are permitted while the license is in effect. This is the part that is currently way too broad. It should be limited to what's necessary to carry out the user's instructions. In other words, Dropbox should only be able to use your content in your own interest, not in theirs or any third party's.
(This post is informational only, not intended to be legal advice or to create an attorney-client relationship.)
the change is highlighted on our blog: http://blog.dropbox.com/?p=846
So, they need to cover themselves legally if you put something in your public folder, or share it with someone else.
Besides, if you encrypt everything then it's not like they can do anything with it.
It's just a cya clause.
You retain copyright and any other rights you already hold in
Content which you submit, post or display on or through, the Services.
By submitting, posting or displaying the content you give Google a
perpetual, irrevocable, worldwide, royalty-free, and non-exclusive
license to reproduce, adapt, modify, translate, publish, publicly
perform, publicly display and distribute any Content which you submit,
post or display on or through, the Services. This license is for the
sole purpose of enabling Google to display, distribute and promote the
Services and may be revoked for certain Services as defined in the
Also, Drew and Arash just posted an update to the blog with clarified language: http://blog.dropbox.com/?p=846
Here is what I wrote back to email@example.com (interesting that the default reply-to was firstname.lastname@example.org which doesn't make it seem like they are really interested in feedback)
Please consider splitting the service into file sharing and backup and
having a different agreement for each.
I cannot and do not accept these new terms for your backup service
and will have to look for an alternate supplier if you cannot amend
your new approach: these are not the terms I agreed to when I signed up
for the service. In addition, two weeks notice strikes me as a very
short window for such a significant change: please consider
extending the notice period.
Can't believe i recommended this service to my friends.
= For the whole internet
= You can still license your stuff to others
= Dropbox doesn't have to pay you for this license
= The license you grant Dropbox can be transferred to other companies, in the event of a company merger or similar
rights to use
= Doesn't mean anything
= So they can copy your files between their internal servers
= So that they can distribute your public files to other users
prepare derivative works of
= So they can create thumbnails, extracts, previews etc
or publicly display
= List your public files to others
They don't have to plan something "sinister", but boundaries are pushed slowly. This sounds to me like a first step, and disregard for privacy.
So, Dropbox account now removed. Won't be going back.
I'd like to be sure that if all my data is exposed to someone it's as a result of my own cock-ups, not anyone else's. I don't think Dropbox are evil but I'm not feeling too confident about keeping sensitive data there any more. Their recent errors have probably only highlighted things I should have thought of previously - lesson learned there.
TL;DR - it's hyperbole. answer the negative. if they didn't get this permission from you - you could sue them for copyright infringement. every service does it. don't freak.
The key to the text is "non-exclusive" - generally this grants the nonexclusive rights to display the material on a Web site. It also allows the licensee (ala DropBox) let their company use, manage, display [etc] your files.
It's a fairly standard contractual term now days - for example see
http://www.youtube.com/t/terms at 6 C OR even your Gmail Terms ... [http://www.google.com/accounts/TOS?hl=en at 11.]
Youtube - "For clarity, you retain all of your ownership rights in your Content. However, by submitting Content to YouTube, you hereby grant YouTube a worldwide, non-exclusive, royalty-free, sublicenseable and transferable license to use, reproduce, distribute, prepare derivative works of, display, publish, adapt, make available online or electronically transmit, and perform the Content in connection with the Service ...."
Gmail - "By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services. This license is for the sole purpose of enabling Google to display, distribute and promote the Services and may be revoked for certain Services as defined in the Additional Terms of those Services."
Generally, the language uses "non-exclusive" in its context which is OK. It basically allows internet services to be internet services
i.e. if they didn't have a non-exclusive licence, how could they use your files - which contain copyright content you own - in their services ? - they couldn't :) By asking for a non-exclusive licence, it means you are permitting DropBox to use it for the purposes of
"worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent we think it necessary for the Service."
If you're uncomfortable with this term, then unfortunately you'll be uncomfortable using any service on the Internet as it's generally required to provide a service :) The terms agreement incorporates their Privacy Agreement - thus meaning they still owe you the obligations outlined in their privacy clause. They cannot distribute your content without your permission.
"But, but, but .... they should have to identify copyright not me"
Again, you are giving them to non-exclusive right. If you have MP3 music [legally obtained for example] - you have ownership for that file. You are provided with the right to store that file for personal use just as you have the right to share that file with your friends. The rights associated with this file are governed by the terms of service when you purchased that file [i.e. iTunes]. Go and read your rights regarding MP3 Music purchased from iTunes.
Dropbox do NOT "know" where you purchased the file or the terms surrounding every single file they store on your behalf [how could they?] - it's your responsibility - not theirs - hence the point of the term.
"You must ensure you have the rights you need to grant us that permission."
Dropbox is fine. Use it. Or stop using Gmail and most other services ....
The issue is whether the scope of Dropbox's license is overly-broad, given the service that they're providing.
Under the Google TOS, Google says:
"This license is for the sole purpose of enabling Google to display, distribute and promote the Services."
Now, take a look at Dropbox's new TOS:
"...to the extent reasonably necessary for the Service. This license is solely to enable us to technically administer, display, and operate the Services."
Dropbox's license is actually MORE limited in scope than Google's. I don't really understand why people are freaking out about this particular issue.
IMO, the security issue and their handling of that is more important.
(The post is informational only, not intended to be legal advice or to create an attorney-client privilege).
1. We, Dropbox, copy your files in order to enable sharing and retrieving said files. Those copies of files we use still carry the sharing permissions you enable and your copyrights fully intact.
Does this include if they think its necessary for them to turn off paswords for several hours? I am curious that about the timing:
* Fuck up security
* Get hit with class action suit
* Change TOS