Is this creepy? Or does Dropbox have the right to scan your files for violations of the Digital Millennium Copyright Act (DMCA)? That’s the question being asked right now after a Dropbox user got a bit of a surprise, as he told Ars Technica:
The whole kerfuffle started yesterday evening, when one Darrell Whitelaw tweeted a picture of an error he received when trying to share a link to a Dropbox file with a friend via IM. The Dropbox web page warned him and his friend that “certain files in this folder can’t be shared due to a takedown request in accordance with the DMCA.”
Whitelaw freely admits that the content he was sharing was a copyrighted video but still expressed surprise that Dropbox was apparently watching what he shared for copyright issues. “I treat [Dropbox] like my hard drive,” he tweeted. “This shows it’s not private, nor mine, even though I pay for it.”
Here’s what Dropbox had to say:
Dropbox did confirm to Ars Technica that it checks publicly shared file links against hashes of other files that have been previously subject to successful DMCA requests. “We sometimes receive DMCA notices to remove links on copyright grounds,” the company said in a statement provided to Ars Technica. “When we receive these, we process them according to the law and disable the identified link. We have an automated system that then prevents other users from sharing the identical material using another Dropbox link. This is done by comparing file hashes.”
Dropbox added that this comparison happens when a public link to your file is created, and that “we don’t look at the files in your private folders and are committed to keeping your stuff safe.” The company wouldn’t comment publicly on whether the same content-matching algorithm was run on files shared directly with other Dropbox users via the service’s account-to-account sharing functions, but the wording of the statement suggests that this system only applies to publicly shared links.
And this is not a new behavior from Dropbox:
Dropbox has also been making use of file hashing algorithms for a while now as a means of de-duplicating identical files stored across different users’ accounts. That means that if I try to upload an identical copy of a 20GB movie file that has already been stored in someone else’s Dropbox account, the service will simply give my account access to a version of that same file, rather than forcing me to upload an identical version. This not only saves bandwidth on the user’s end, but significant storage space on Dropbox’s end as well.
Some researchers have warned of security and privacy concerns based on these de-duplication efforts in the past, but the open source Dropship project attempted to bend the feature to users’ advantage. By making use of the file hashing system, Dropship effectively tried to trick Dropbox into granting access to files on Dropbox’s servers that the user didn’t actually have access to. Dropbox has taken pains to stop this kind of “fake” file sharing through its service.
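The two quoted passages describe one mechanism used two ways: a content hash identifies identical files for de-duplication, and the same hash is compared against takedown records when a public link is created. The sketch below is an added illustration, not code from this post, Ars Technica or Dropbox; `SharedStore`, its method names, the sample bytes and the use of whole-file SHA-256 are assumptions.

```python
import hashlib


class SharedStore:
    """Toy content-addressed store (hypothetical names, not Dropbox's code)."""

    def __init__(self):
        self.blobs = {}       # digest -> bytes, kept once for all users
        self.files = {}       # (user, name) -> digest of a private file
        self.links = {}       # public link id -> digest
        self.blocked = set()  # digests of content named in takedown notices
        self.next_id = 1

    def upload(self, user, name, data):
        """Store a private file; return True only if the bytes were new."""
        # Assumption: whole-file SHA-256; the page does not name the algorithm.
        d = hashlib.sha256(data).hexdigest()
        is_new = d not in self.blobs
        if is_new:
            self.blobs[d] = data
        self.files[(user, name)] = d  # no takedown check on private storage
        return is_new

    def create_public_link(self, user, name):
        """The only place the takedown set is consulted."""
        d = self.files[(user, name)]
        if d in self.blocked:
            return None
        link_id = f"link-{self.next_id}"
        self.next_id += 1
        self.links[link_id] = d
        return link_id

    def takedown(self, link_id):
        """Disable the identified link and remember its content hash."""
        self.blocked.add(self.links.pop(link_id))


def demo():
    store = SharedStore()
    video = b"constructed bytes standing in for a video file"
    first = store.upload("alice", "clip.mp4", video)
    store.takedown(store.create_public_link("alice", "clip.mp4"))
    second = store.upload("bob", "copy.mp4", video)  # identical content
    store.upload("bob", "notes.txt", b"constructed unrelated file")
    return (first, second, store.create_public_link("bob", "copy.mp4"),
            store.create_public_link("bob", "notes.txt"),
            ("bob", "copy.mp4") in store.files)
```

In this model the second user's private copy is stored and kept, and only the request for a public link is refused; the decision needs nothing but the digest, so the file's contents are never inspected.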
What’s my take? I have a Dropbox account and I have no, as in zero, expectation of privacy. If I entrust my data to a third party, I fully expect that at some point they’ll take a look at it. In short, I feel that a third-party service like Dropbox should not be treated like your hard drive and they do have the right to make sure that the service isn’t being used for illegal purposes. But I can see how some might see this as being creepy. Thus I think there needs to be more education of users so that these sorts of issues do not flare up and spin out of control because the service in question is trying to do something to protect itself from a potential lawsuit or something similar.