
I have some experience with this. It is, in fact, very hard to do this. It is possible, but certainly not easy.

There are a few challenges that make this harder than you might think:

- It's a never-ending arms race against adversaries working actively to evade detection.

- It is necessary to find detection approaches that abide by security and privacy requirements.

- Detection of this kind of behavior is inevitably heuristic and false positives are incredibly bad.

To put a finer point on that last one: The flip side of "it's easy to detect and shut down abusive accounts" is every article or tweet or blog post like "look at all these normal people who had their accounts permanently disabled without explanation or recourse".




In this case, the abuse is simple:

1. It is already in violation of the Acceptable Use ToS which implies they already have solutions in place to detect this behavior. https://www.dropbox.com/acceptable_use

2. It is easy to detect large amounts of disk usage with a high number of read/writes across wide swaths of the storage.


> It is already in violation of the Acceptable Use ToS which implies they already have solutions in place to detect this behavior.

Putting it in the ToS is how they reserve the right to put in place solutions. But writing text in a ToS to ban some behavior does not magically create a working enforcement solution.

I'm quite certain they have spent the last few years: 1. Putting that in the ToS in order to give themselves permission to do the enforcement, 2. Working really hard fighting an enforcement arms race with people not complying with the ToS, 3. Losing the battle and painstakingly deciding to throw in the towel.

> It is easy to detect large amounts of disk usage with a high number of read/writes across wide swaths of the storage.

Again, these are active adversaries. Their first attempt probably fit that pattern in a way that was discernible to the Dropbox client or server code, but it is unlikely that their current usage looks like that.

Again, false positives are extremely painful when doing account shutdowns for abuse. Other usage that is not crypto mining is free to exhibit "large amounts of disk usage with a high number of read/writes across wide swaths of the storage".

And again, I'm not saying this is impossible, just that it is actually a very difficult problem. And I am saying that I don't think it is at all worth the effort, and it is much better to do what this announcement is doing, and not attempt to provide "unlimited storage" as a product at all.


> But writing text in a ToS to ban some behavior does not magically create a working enforcement solution.

Of course it doesn't... but if you're running a storage business open to the public, you're going to implement this regardless.

> Again, false positives are extremely painful when doing account shutdowns for abuse.

These are not personal customer accounts, these are business accounts.

> Other usage that is not crypto mining is free to exhibit "large amounts of disk usage with a high number of read/writes across wide swaths of the storage".

They specifically named Chia mining... so they obviously knew what was happening.

Are you seriously telling me that a company in the business of providing storage can't efficiently detect Chia mining? That's not a great look for Dropbox.


> if you're running a storage business open to the public, you're going to implement this regardless.

Implement what? This specific mitigation for cryptocurrency mining? If so, then no, you weren't going to fight that particular arms race "regardless", and you don't have to at all if you instead implement sensible storage limits, because the whole enterprise becomes unattractive to those miners within those limits.

> These are not personal customer accounts, these are business accounts.

Yes, and that makes it even worse. Do you think businesses care about this less than consumers?

> Are you seriously telling me that a company in the business of providing storage can't efficiently detect Chia mining? That's not a great look for Dropbox.

Yes, I'm seriously telling you that it is difficult and expensive for any service to win an arms race like this against an entire internet's worth of potential adversaries. It isn't a bad look for Dropbox at all, it just is how it is; sometimes products become too costly to sell for one reason or another, and this is the case for "unlimited storage" now.



