Dropbox says it isn’t poking around in our stuff

On Sunday evening, a Dropbox user by the name of Darrell Whitelaw was startled upon receiving an error message when he tried to share a link to a Dropbox file via IM with a friend.

The message, posted over an icon of an empty file folder:

Certain files in this folder can't be shared due to a takedown request in accordance with the DMCA.

It was a takedown message triggered because the content of the folder was in violation of the Digital Millennium Copyright Act (DMCA).

Whitelaw’s surprised tweet:

It was new to plenty of others, as well.

In fact, his tweet set off a mini-panic at the idea of Dropbox’s peeking into supposedly personal folders.

One such response:

Whitelaw had, in fact, been sharing a copyrighted video, he admitted, but he was still surprised to find that Dropbox was keeping its eye on a chunk of the internet that he considered, more or less, his own real estate:

Whitelaw went on to tell Ars Technica that technically, the IM to his friend was a public link that could have been shared with anyone.

This DMCA violation didn’t affect content in Whitelaw’s folder – it just kept him from sharing that content, as Dropbox Support helpfully pointed out:

In other words, it’s only when we try to share copyrighted material that DMCA comes into play – not when it’s just sitting in our Dropbox folders.

It comes into play rapidly because, in fact, it is completely automatic.

Multiple tech journals tried to calm flustered people by pointing out that none of this is new, nor is it sinister.

Dropbox prevents you from sharing a file when a hash of that file matches a hash on its blacklist.

Hashing is a way of creating a unique, fixed-length signature for a file that is very difficult to reverse engineer. If two hashes that were created in the same way match, you can be all but certain they’re hashes of the same file, but you can’t find out anything about the file from the hash (this property of hashes is also why they play such an important role in secure password storage).

Using hashes allows Dropbox to be certain that they are blocking a file on their blacklist without anyone involved knowing, or being able to find out, what that file is.
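The share-time check described above, sketched as an added example that is not Dropbox's code. SHA-256 and the `ShareGate` class are assumptions, since the page does not say which hash function or data structures Dropbox uses, and the file contents are constructed.

```python
import hashlib
import io

CHUNK = 64 * 1024  # read in chunks so large files never sit in memory


def file_digest(stream):
    """Return the SHA-256 hex digest of a file-like object (assumed hash)."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


class ShareGate:
    """Hypothetical share-time check. Stores digests only, never content."""

    def __init__(self):
        self.blocked = set()

    def process_takedown(self, stream):
        # A notice identifies one shared link; record that file's digest.
        self.blocked.add(file_digest(stream))

    def may_share(self, stream):
        # Runs when a share link is requested, not on files at rest.
        return file_digest(stream) not in self.blocked


# Constructed sample data standing in for real files.
NOTICED = b"constructed bytes standing in for the file named in a notice" * 1000
OWN_VIDEO = b"constructed bytes standing in for a user's own holiday video" * 1000


def demo():
    gate = ShareGate()
    gate.process_takedown(io.BytesIO(NOTICED))
    return {
        # Identical bytes from another account or under another name match.
        "same_content_other_user": gate.may_share(io.BytesIO(bytes(NOTICED))),
        # Content that was never named in a notice is unaffected.
        "unrelated_file": gate.may_share(io.BytesIO(OWN_VIDEO)),
        # All the operator holds is a set of fixed-length digests.
        "blocklist_entries": sorted(gate.blocked),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The blocklist holds one 64-character digest per noticed file, so whoever maintains or inspects it learns nothing about the file beyond whether a given upload is byte-for-byte the same.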

This was Dropbox’s official comment on the Whitelaw tweet:

There have been some questions around how we handle copyright notices. We sometimes receive DMCA notices to remove links on copyright grounds. When we receive these, we process them according to the law and disable the identified link. We have an automated system that then prevents other users from sharing the identical material using another Dropbox link. This is done by comparing file hashes. We don’t look at the files in your private folders and are committed to keeping your stuff safe.

All of which raises some interesting questions.

On the one hand Dropbox are doing nothing more than YouTube or Google do when they are asked to stop public access to content because of a DMCA violation, and they’re doing it in a limited way, at arm’s length, whilst wearing a blindfold.

On the other hand, no matter how arm’s-length the system is, Dropbox can and do scan your stuff, at least when you make it public, and they will act as ‘cop’ to enforce the claims of ostensible copyright holders.

Technically there’s no difference between making a video public on YouTube or making a video public on Dropbox so there’s no reason why we should treat DMCA notices on the two systems any differently.

However, judging by the immediate reaction to this situation, there does appear to be a difference in the way that we think about them; as Darrell Whitelaw said of Dropbox in one of his tweets “I treat it like my hard drive”.

We are used to our hard drives being things that are entirely within our control.

Of course, the minute we share something from Dropbox it is less a hard drive and more a website. But we’ve had 30 years to get used to the idea of hard drives and for most of that time they’ve been ours and haven’t been able to morph into public websites.

This furore shows that we have some adjustments to make before we understand what it means to have, to own or to control something in The Cloud.

Increasingly that means allowing our stuff to be subjected to some degree of automated processing.

On this I can give you no more sound advice than that of former Naked Security writer Graham Cluley: for a better understanding of how you should approach security in The Cloud simply replace all instances of the words “in The Cloud” with the words “on somebody else’s computer”.

The only way to completely keep other people out of your business when it’s on-the-wire or in The Cloud (on somebody else’s computer) is to encrypt your files before they leave your system, using keys that you control.