Hacker News
Dropbox TOS Includes Broad Copyright License (slashdot.org)
132 points by Indyan on July 2, 2011 | 71 comments

When the new TOS were announced I think a lot of us balked at reading those statements. The examples given in the TOS (e.g. "to convert your files") all seem reasonable, but as Indyan pointed out, it sure leaves the door open to some fuzzy interpretations.

Quick question, if AT&T suddenly bought Dropbox, would you all feel as passive about the new TOS or be quick to get your files out of there?

What about Facebook? Microsoft? or Silver Lake Partners?

I understand it's easier for Dropbox to be vague in their TOS so they don't have to spell out the service or future features that might require expanded agreements.... but given the nature of the service and the previous fiascos Dropbox has had already this year, it sure seems like they are cutting themselves some undeserved slack with regards to specificity.

I appreciate that they rewrote the terms to be more human readable, but why not spell out "You agree to let us duplicate, read and write your files in the case where you share, copy, publish or convert your files via the web or client software interface" -- or something following that.

I don't have a company with 200 million users though, so maybe the logistics of being that specific are an impossibility. I'd also be a lot more forgiving of this broad language if Dropbox has never had any hiccups, so my personal nervousness is mixed in there.

You are missing the point.

Those companies do have similar terms in their agreements! Any service that accepts user content should. It's in everyone's benefit to make it clear that you own your content, but you're giving the service a license to copy it, display it, etc.

AT&T: "while you retain any and all of your lawfully owned rights in such Content, you grant AT&T a royalty-free, perpetual, irrevocable, non-exclusive and fully sublicensable right and license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, perform and display..."

Facebook: "you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook"

Actually, I think you're missing the point.

1. People seem to want to use Dropbox to store sensitive, private data. Most sensible people don't trust AT&T, Facebook, Microsoft, etc. for this purpose anymore because of their past gaffes.

2. Dropbox makes numerous "marketing" statements all over their site purporting to be safe for confidential, private information.

3. The licenses that companies need in their TOS can be scoped appropriately to what's strictly necessary for them to provide you the service you signed up for. Companies that reserve rights in their users' stuff beyond what's necessary do so for a reason – and it's not likely to be in the user's interest.

You've evaded this person's comment, possibly because it doesn't fit a point you want to make.

The comment you're responding to says, "Legally, any service that does the basic things we expect Dropbox to do for us probably needs to have these terms in place. The point raised about not trusting Dropbox after an AT&T acquisition is irrelevant; every large company already has those terms, because they have to."

You can want to trust Dropbox more than Microsoft, but that doesn't change the legal landscape.

Your third point comes closest to actually addressing the discussion here, but how do they scope their ToS narrowly enough to satisfy you? And how do they then do that without having to then announce ToS changes every time they add a new feature?

I don't think I've evaded the comment at all.

1. The issue is the scope of the license.

2. The overly-broad scope chosen by Dropbox (and many others) is a valid reason to question their trustworthiness as a custodian of sensitive private information.

3. In the case of AT&T, Facebook, etc., we have a history of actual disclosure incidents to draw from, adding some context to their trustworthiness. In fact, Dropbox itself has joined that club, with their recent security gaffe and their handling of it, and statements surrounding it.

4. As I say in a few places around this thread, I think the correct scope of the license would be strictly what's required to carry out the user's instructions. At the very least, it should be limited to uses that are in the user's interest, not the interest of Dropbox or a third party.

EDIT: I said "overly-broad scope chosen by Dropbox" above in error. In fact, I think the Dropbox TOS is dead-on in terms of the scope of the license. As far as I can tell, it's limited to what they need in order to "do what you ask us to do with your stuff (for example, hosting, making public, or sharing your files)".

(This post is information only, is not intended as legal advice or to create an attorney-client relationship.)

This reads like a smokescreen. If providers need these licensing terms to safely provide this service, then they either need to post them or get out of this business. "Actual history of disclosure incidents" and "trustworthiness" simply don't have anything to do with it.

If you're a lawyer, it would be helpful if you could just straight-up answer the question, which I'll restate for you: what are specific things Dropbox could do to their ToS to scope it down without making the ToS so narrow they can't introduce new features without constantly revising it?

I'm not sure why you're being so cranky about this. I'm doing my best to be as clear as possible.

1. The Dropbox license is scoped correctly, IMO. It's as narrow as it should be, and not so narrow that it would impair their ability to provide the service.

2. All commercial relationships come down to trust. Contracts only take you so far. If a provider offers acceptable contract terms, but has also shown signs of incompetence or untrustworthiness, I would avoid them. After all, how likely are you to enforce the contract terms against them?

HTH – and again – this is not intended to be legal advice or to create an attorney-client relationship.

I'm confused. Upthread, you said (paraphrased) "companies that reserve rights beyond what's absolutely necessary tend not to be doing this in their users' best interests". You didn't then qualify this with "but of course that's not what Dropbox is doing".

Maybe we just agree about Dropbox --- that this latest ToS kerfuffle is just a banal legal/administrative thing, not evidence of any cavalier attitude at Dropbox about user data.

We do agree. I also agree that my comment above was a little misleading. That's because the OP's article quotes a version of the Dropbox TOS that isn't the current version anymore, apparently.

Sorry for the confusion!

Eli, nowhere did I say those companies don't have similar TOS, I was trying (badly?) to make the point that while some of the commenters below (and folks on Slashdot) wave-away concern over the open-endedness of Dropbox's TOS because the company isn't seen as evil, if we suddenly put a different company in charge of their data, do those folks suddenly have problems with the TOS?

If they did, then I was suggesting that the TOS could use improvement (tightening of terms) to better clarify what is happening to the data you are putting up there.

For example, given a TOS that is sufficiently well specified with regard to what rights are owned in what scenarios, etc... I wouldn't care which company had my data if the TOS protected me enough (let's wave-away the discussion of enforcement here) whereas with open-ended TOS's, my level of OK'ness with it is directly tied to the company holding my data and their behavior more than anything.

To me, that suggests that TOSs could benefit from some user-favoring tweaks and clarifications, especially if the company doesn't need the wide berth they have written in for themselves for a particular reason.

To address the followup question of amending the TOSs every time a new feature ships, sure on the other extreme end of the spectrum this would be a problem; I'm suggesting something more strict than we have now, but not so strict it's ridiculous.

The irrevocable nature of the licence is important.

If you leave facebook, you can revoke the licence for them to use your images. Ditto if you post an image on facebook then later delete it.

See, I wouldn't trust say my source code to AT&T or Facebook. I already get a fishy feeling with them having some of my pictures.

Drop Box on the other hand is a private data storage service (at least I thought they were) - where I expect to be confident with them having my sensible data. Such TOS additions are just undermining any trust I might still have to them (after their "encryption" and password fiasco).

This is exactly like the broadly misunderstood TOS for Facebook, Etsy and other services.

They need a license to your work in order to distribute it, and display it to others or perhaps even you.

These clauses have been in TOSs for years and years, and only now people have taken notice. The average person doesn't know much about IP though, and probably couldn't tell you the difference between a copyright and a patent.

Companies sometimes do overreach in this step though, conveniently claiming rights to use your images royalty-free in advertisements for the service and around their site without you being involved. It's important for people to know what they're signing over, and perhaps it is more than necessary or intended in some cases. However, the mere notice that you are extending a copyright license to a company to whom you are uploading media is not in itself suspicious, unusual or an attempt to take rights from you.

Just because it is standard doesn't mean it is acceptable.

It is standard because there is no other choice if you want to provide services of this nature. Blame the law, not the service providers.

Could it be worded in such a way that makes the rights granted to Dropbox only usable for making Dropbox functional?

That's why the sentence ends … to the extent we think it necessary for the Service.

Possibly. Due to the fact that we are dealing with spoken language, even if it is legalese, there will always be some degree of ambiguity and room for interpretation. Here, that ambiguity lies in the phrase "we think is necessary."

Therefore there will always be a tiny chance left for one party to get bitten in the ass down the line. The company has to decide if it's them or you that is exposed to that slight risk.

Good luck finding a company that picks them rather than you.

Rereading, I realise that I haven't been entirely clear. I hope you get the idea. IANAL.

"...to the extent we think it necessary for the Service."

Looks like HN has another part of IP law to dislike.

If service providers didn't secure a license from the uploader/creator of a work, this could happen:

  - Jim McJones uploads his photo to flickr
  - flickr displays his image to the public
  - Jim McJones sends flickr a cease and desist or sues for copyright infringement

Which leads to... huh? Obviously the intent when you upload a photo to flickr is to have them display it for you. But they need a license, and since this is a legal issue, it needs to be written in a legally specific way. Thus, that's what everyone has done.

DropBox's clause relating to this was already decent and fair in my opinion. Of course, I am not a lawyer or legal expert, just someone who both creates content and runs websites which distribute other peoples' works.

It specifically states that the rights you grant them are limited "to the extent we think it necessary for the Service."

The "we think" might be a little ambiguous, but given that Dropbox is a tool for sharing files (with yourself or others), it seems reasonable that you grant them rights to do so.

IMO, the right way to express this would have been "to the extent required for us to provide the Services that you use".

Dropbox definitely does not understand the confidentiality requirements that (some of) their customers have. By reserving themselves so much leeway, Dropbox is driving away business users who need assurances of confidentiality.

IAAL, and I can't use Dropbox today because I can't trust them with my clients' data.

(This post is informational only, not intended as legal advice or to create an attorney-client relationship.)

"... to the extent required ..." would leave them open to liability related to the methods they use to implement the system; if it can be established that the service could have been implemented in any way that did not require them to expose, transform, etc., the information in question the way they did at a particular stage, they are suddenly in violation of copyright license.

Indeed. That's the point I want to make!

No, it isn't -- trust me. An approach that seems to be the only way to do things at point A, an approach that was arrived at that was the product of somebody's best thinking, but later turns out to have only seemed so at the time it was implemented (everybody has blind spots), is still a good-faith effort. The word required means that good faith (in the legal sense) and the limits of technological knowledge at any given period in time are insufficient defense for actions brought on the basis of knowledge that did not exist at the time of the alleged infringement. That is an unreasonable and onerous burden; the service (or any similar service) could not be provided under those terms.

"given that Dropbox is a tool for sharing files"

For now.

Then I misunderstood DP when I signed up. I thought it was a nice way to keep some files in sync on multiple computers. Didn't expect it to become the facebook of text documents ...

The point is that any business can pivot at any time, for their own reasons or because they were acquired/merged. Myspace is firing a good portion of their employees; maybe all that data won't be used for Myspace-like purposes, but instead sold to advertisers. Not what any Myspace user expected when they signed up.

Shit changes.

If my assumption of dropbox's intent is correct, I prefer facebook's approach to this problem. Instead of wording terms exclusively in their favor they could have extended an olive branch...

"For content that is covered by intellectual property rights, like photos and videos ("IP content"), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook ("IP License"). This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it."

(from https://www.facebook.com/terms.php)

facebook's license to share the picture of your cat terminates after you delete it from your profile. Had dropbox used similar strategy while drafting their terms, this would not be news...

(Disclaimer: I am not a lawyer and do not pretend to be one on TV.)

There are two factors that matter:

1. When the license ends.

2. What uses are permitted while the license is in effect. This is the part that is currently way too broad. It should be limited to what's necessary to carry out the user's instructions. In other words, Dropbox should only be able to use your content in your own interest, not in theirs or any third party's.

(This post is informational only, not intended to be legal advice or to create an attorney-client relationship.)

hi all, we've been reading all the feedback carefully and made a change to licensing section to clarify what we meant.

the change is highlighted on our blog: http://blog.dropbox.com/?p=846

Thanks for that.

"We sometimes need your permission to do what you ask us to do with your stuff"... " or publicly display that stuff to the extent we think it necessary for the Service."

So, they need to cover themselves legally if you put something in your public folder, or share it with someone else.

Besides, if you encrypt everything then it's not like they can do anything with it.

It's just a cya clause.

It's often good to look at how other companies do things to see if it's out of the ordinary. Turns out this line is extremely common. Google, for example:

    You retain copyright and any other rights you already hold in 
    Content which you submit, post or display on or through, the Services. 
    By submitting, posting or displaying the content you give Google a 
    perpetual, irrevocable, worldwide, royalty-free, and non-exclusive 
    license to reproduce, adapt, modify, translate, publish, publicly 
    perform, publicly display and distribute any Content which you submit, 
    post or display on or through, the Services. This license is for the 
    sole purpose of enabling Google to display, distribute and promote the 
    Services and may be revoked for certain Services as defined in the 

Also, Drew and Arash just posted an update to the blog with clarified language: http://blog.dropbox.com/?p=846

I only use dropbox for backup of my computer and do not want Dropbox to share or otherwise access my files for any reason other than to preserve them for my use. I do not want Dropbox to make them available to anyone else without my explicit authorization. The revised TOS seems to stress the file sharing aspect which makes me very uncomfortable continuing to use Dropbox.

Here is what I wrote back to tos-feedback@dropbox.com (interesting that the default reply-to was no-reply@dropboxmail.com which doesn't make it seem like they are really interested in feedback)

   Please consider splitting the service into file sharing and backup and 
   having a different agreement for each.
   I cannot and do not accept these new terms for your backup service 
   and will have to look for an alternate supplier if you cannot amend 
   your new approach: these are not the terms I agreed to when I signed up 
   for the service. In addition, two weeks notice strikes me as a very 
   short window for such a significant change: please consider 
   extending the notice period.

TL;DR - this is no different from almost every other site that many of us already participate in that includes an aspect of uploading/sharing content and in no way does this imply ownership.

Account deleted, problem solved.

Can't believe i recommended this service to my friends.

This certainly isn't a reason to suddenly delete your Dropbox account. Based on the previous actions of Dropbox regarding their TOS, I'm sure they will come out and clearly explain to users exactly why this change was instated and what it means for users, and I honestly doubt it's anything too serious for us to worry about.

They accumulated enough, this was just the one that got me to do it. For these purposes i did use Dropbox i need a service i can trust.

What matters is what it says, not how Dropbox spins it. It says pretty clearly that I'm granting them unrestricted rights to do just about anything they want with my content INCLUDING performing it and making derivative works.

yeah, they've become really bad. i loved the service but moved to spideroak last week when i read that anyone could access my files with any password, while they fixed a bug. that along with the privacy/encryption stuff convinced me to move. wuala seems to be the most secure service i've seen though.

Absolutely, client side encryption is the only way to go in my opinion.

I am no lawyer, and most legalese is absolute greek to me, but that clause genuinely freaks me out. However, commonsense also tells me that Dropbox will never do something like sharing/profiting out of others' files. That will drive them to the ground. I am not really sure what to make out of this. Is this some clause that Dropbox had to put in to save their butt, or is there a sinister motive behind this?

Given how copyright law works, you need to grant Dropbox (and any similar services) those rights, otherwise they can't provide their service with your files.


= For the whole internet


= You can still license your stuff to others


= Dropbox doesn't have to pay you for this license


= The license you grant Dropbox can be transferred to other companies, in the event of a company merger or similar

rights to use

= Doesn't mean anything


= So they can copy your files between their internal servers


= So that they can distribute your public files to other users

prepare derivative works of

= So they can create thumbnails, extracts, previews etc


= Doesn't mean anything

or publicly display

= List your public files to others

= List your public files to others

But it doesn't say public files. They ask for that privilege for all files and then leave it to vaguely worded clarification in the privacy policy.

I'm curious what could happen if they did not include this clause? Who would sue who and for what?

Drop box is making a copy of your files every time they back up one of their servers. That might be a copyright violation without your explicit permission. This license fixes that problem.

I thought the same until twitpic started selling user photos to agencies. Never assume what is commonsense for you is commonsense for anybody else, particularly a company

If there is money to be made, and if it's not illegal, someone will do it. Actually only the first condition is important for some folks.

Even if there is nothing sinister now, this is how power is abused. This worries me.

Can you provide me with some historical details of a case where some people thought sinister action could take place because of one small little detail, and it didn't for a long time, then suddenly things got really bad really fast specifically because of that little thing? Genuinely curious.

Is it a small detail? I look at it as the fine print. They most likely consulted with an attorney and decided that it should be worded like that to cover whatever they have in mind. Attorneys are very deliberate.

They don't have to plan something "sinister", but boundaries are pushed slowly. This sounds to me like a first step, and disregard for privacy.

Google: skype share options

Another reminder on not to use "the cloud" for anything critical or confidential, at least without encryption. Dropbox I used for synchronizing meeting notes, which may or may not be something I'm comfortable sharing. For example GitHub is completely different, as all my code is anyway open.

So, Dropbox account now removed. Won't be going back.

As soon as I get time to investigate it properly, I'm going to be replacing Dropbox with Fuse + S3FS + EncFS. I recommended Dropbox to a lot of people and invited a lot of people to it, but assuming the above combination works I'll certainly be recommending it to techy friends in the future, and if I continue to mention Dropbox to non-tech folks (my parents etc) it'll be with a lot more qualifiers than previously.

I'd like to be sure that if all my data is exposed to someone it's as a result of my own cock-ups, not anyone else's. I don't think Dropbox are evil but I'm not feeling too confident about keeping sensitive data there any more. Their recent errors have probably only highlighted things I should have thought of previously - lesson learned there.

I use Dropbox for everything as I use several different computers (the computer lab at university, work, Windows 7 on my laptop, Ubuntu on my laptop). I cannot see myself without this service...but this is ridiculous. I am seriously considering deleting my account.

Let me clarify ....

TL;DR - it's hyperbole. answer the negative. if they didn't get this permission from you - you could sue them for copyright infringement. every service does it. don't freak.

Long Version:

The key to the text is "non-exclusive" - generally this grants the nonexclusive rights to display the material on a Web site. It also allows the licensee (ala DropBox) let their company use, manage, display [etc] your files.

It's a fairly standard contractual term nowadays - for example see

http://www.youtube.com/t/terms at 6 C OR even your Gmail Terms ... [http://www.google.com/accounts/TOS?hl=en at 11.]

Youtube - "For clarity, you retain all of your ownership rights in your Content. However, by submitting Content to YouTube, you hereby grant YouTube a worldwide, non-exclusive, royalty-free, sublicenseable and transferable license to use, reproduce, distribute, prepare derivative works of, display, publish, adapt, make available online or electronically transmit, and perform the Content in connection with the Service ...."

Gmail - "By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services. This license is for the sole purpose of enabling Google to display, distribute and promote the Services and may be revoked for certain Services as defined in the Additional Terms of those Services."

Generally, the language uses "non-exclusive" in its context which is OK. It basically allows internet services to be internet services

i.e. if they didn't have a non-exclusive licence, how could they use your files - which contain copyright content you own - in their services ? - they couldn't :) By asking for a non-exclusive licence, it means you are permitting DropBox to use it for the purposes of

"worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent we think it necessary for the Service."

If you're uncomfortable with this term, then unfortunately you'll be uncomfortable using any service on the Internet as it's generally required to provide a service :) The terms agreement incorporates their Privacy Agreement - thus meaning they still owe you the obligations outlined in their privacy clause. They cannot distribute your content without your permission.

"But, but, but .... they should have to identify copyright not me"

Again, you are giving them a non-exclusive right. If you have MP3 music [legally obtained for example] - you have ownership for that file. You are provided with the right to store that file for personal use just as you have the right to share that file with your friends. The rights associated with this file are governed by the terms of service when you purchased that file [i.e. iTunes]. Go and read your rights regarding MP3 Music purchased from iTunes.

You are providing DropBox with a non-exclusive right - not an "exclusive right" which would be just that "exclusive" and therefore you have licensed it only to DropBox per se - to be able to store, transform ... etc that file. The Privacy policy is incorporated within the Terms agreement - thereby inferring they cannot "distribute your content without your consent".

Dropbox do NOT "know" where you purchased the file or the terms surrounding every single file they store on your behalf [how could they?] - it's your responsibility - not theirs - hence the point of the term.

"You must ensure you have the rights you need to grant us that permission."

Dropbox is fine. Use it. Or stop using Gmail and most other services ....

Non-exclusive just means that Dropbox isn't the only licensee. I've never once seen a consumer-facing TOS that purported to be exclusive. That's really not the issue here.

The issue is whether the scope of Dropbox's license is overly-broad, given the service that they're providing.

Under the Google TOS, Google says:

"This license is for the sole purpose of enabling Google to display, distribute and promote the Services."

Now, take a look at Dropbox's new TOS:

"...to the extent reasonably necessary for the Service. This license is solely to enable us to technically administer, display, and operate the Services."

Dropbox's license is actually MORE limited in scope than Google's. I don't really understand why people are freaking out about this particular issue.

IMO, the security issue and their handling of that is more important.

(The post is informational only, not intended to be legal advice or to create an attorney-client privilege).

Except that _wasn't_ the new TOS at the time the articles went up. They changed it _after_ the world exploded. See the bottom of their blog entry: http://blog.dropbox.com/?p=846

Oh, I missed that. Thanks!

If you are technologically savvy (as one may assume, since you are here after all) and you feel uncomfortable with this change (as I do), I would suggest looking in to some of the other projects around that offer somewhat similar (albeit not as feature complete) self-hosted solutions: https://github.com/philcryer/lipsync http://sparkleshare.org/

Well, of course you're granting them a license to your files. Otherwise you could sue them for copying your files to their server.

Could you? Would you win? Has anyone ever sued? Successfully?

Certainly you could sue. I don't think you would win. IANAL.

I'm curious as to how long would it take some open-source enthusiast to come up with an open-source version of Dropbox-like software that you can install on your VPS and sync files through your own server. I mean, that would be awesome, but not too profitable.

This reminds me of Jason Scott's classic: "Fuck the cloud" http://ascii.textfiles.com/archives/1717

disappointing bit of CYA, after they failed to notify ALL of their customers that authentication had been temporarily, accidentally disabled for a few hours.

Flagged for the FUD title chosen by the submitter.

Please advise as to simple alternatives.

What Dropbox TOS could have been

1. We, Dropbox, copy your files in order to enable sharing and retrieving said files. Those copies of files we use still carry the sharing permissions you enable and your copyrights fully intact.

"to the extent we think it necessary for the Service."

Does this include if they think it's necessary for them to turn off passwords for several hours? I am curious about the timing:

  * Fuck up security[0]
  * Get hit with class action suit[1]
  * Change TOS

[0] http://news.ycombinator.com/item?id=2678576
[1] http://www.consumeraffairs.com/news04/2011/06/cloud-site-dro...
