Dropbox ToS becoming less of a sure thing

by scotslawstudent

Not so very long ago there was an absolute staple of my computing life: Dropbox. Friends who got new computers would find themselves signed up for Dropbox and I would keep one year of university files in my Dropbox at any time for access from the web interface or my laptop. The versioning system was very useful sometimes.

That was fine when they were a reasonably interesting startup company. They supplied a service which was great, necessary and I can’t think of anything quite like it just now. It’s not all been good though.

They released some new policies following of some fairly terrifying security lapses in which the entire nature of their product had to be re-assessed. Dropbox’s big USP back when I started using it was that everything was encrypted — you could send your files off to some strange company knowing that it was encrypted as it travelled and encrypted as it resided with Dropbox (stored communications are important too). Then it was revealed that, obviously, Dropbox could decrypt your files when they had them and there’s confusion about just how much encryption is really used.

They then had a bizarre security breach where they apparently turned their password system off for a few hours but left the file sharing system up. I didn’t really think that the two were separate.

I have two main thoughts about the new terms of service, one is about the terms themselves and the other is the reaction that the new terms have generated.

The terms

The policies are drafted in a deliberately non-threatening plain-language way, so as to try and fix their image. It’s interesting to see contracts being used as public relations devices but I don’t think it’s really worked; most people didn’t read them (of course) and the people who did are picking at how they’re written.

Plain language drafting is a bit of a holy grail – the idea is to draft clearly and precisely and well duh, because the alternative is stupid. Drafting should be as simple as possible. Fluffy, non threatening drafting isn’t what is required. You can clearly see what Dropbox meant when it wrote the terms but, from my reading, the terms don’t strictly line up with that.

One of the stand out issues for me is the cute “your stuff” that they’ve used: your stuff is defined as your information, files, and folders and your stuff gets to be used however they like, for the purposes of running Dropbox. Although I wouldn’t have lumped my personal information in with my files and folders (I certainly don’t expect Dropbox to process any of my personal information contained in the files I store with them) that’s a mostly stylistic choice but it does mean that every time they say “stuff” later on they’re talking about a huge range of material, some I want distributed to other people, some I want kept limited to my own machines and some I want locked in a safe. I’m not entirely comfortable granting a licence allowing Dropbox to distribute and copy my stuff when, strictly speaking, my stuff includes any payment details I have on record with them. I’m not even sure that the Privacy Policy would definitely overrule me voluntarily granting them a licence.

The main flaw in the agreements is the lack of definition of “the Service”. I can imagine my legislation tutor’s reaction if I handed in a drafting assignment that failed to define “the Service” in a “Terms of Service” agreement. Dropbox can do what they need to do with your stuff to provide you with the service but don’t say what that service consists of. I can assume that the service involves taking a copy of my files and spitting them out over the Internet but anything more detailed is a mystery. If it was easy you’d do it yourself.

The reaction: contracts as PR

One of the main complaints is that the update was the 4th of July weekend so it seemed that they were burying it. I personally don’t see that Internet companies really need to bury changes to their terms and conditions because no one reads them anyway.

The other side is that people who got the announcement (sent by email) despite the holiday weekend promptly got out magnifying glasses and looked to see how Dropbox was trying to screw them. A lot of people don’t trust lawyers and by extension they don’t trust contracts. This is why I think it’s interesting to see contracts being used as PR devices. Users who have pointed out that the terms are pretty broad have been accused of “presuming malice”.

I can’t really believe that Terms of Service agreements will ever be particularly effective as a public relations tool. Almost no one reads them, the people who do don’t trust them (if you trusted it to be acceptable you wouldn’t read it) and your audience may not be able to read them in the first place. The plain language drafting has left it vague enough that, as far as I can see, pretty much everyone blogging about it has made reasonably sensible interpretations of the terms and they’ve all been supported by provisions in the agreements.

However, pretty much no one blogging about this has actually agreed on what the terms say.