68 comments

[ 3.8 ms ] story [ 148 ms ] thread
As long as the files aren't being removed and marked inaccessible by the owner, I see no malicious intent by Dropbox here. I'm sure they were pressured by the MPAA and other similar organizations to actively remove/refuse to host these files, and Dropbox implemented this instead.
Dropbox certainly has a very dedicated advocate in Techcrunch. I wonder why.
Exactly. Quoting Dropbox's terms of service:

> We need your permission to do things like hosting Your Stuff, backing it up, and sharing it when you ask us to. Our Services also provide you with features like photo thumbnails, document previews, email organization, easy sorting, editing, sharing and searching. These and other features may require our systems to access, store and scan Your Stuff. You give us permission to do those things, and this permission extends to trusted third parties we work with.

However congenial this sounds, they reserve the right to look at your stuff —— worth noting.

I thought the same. It reads like a well crafted press release. It's factually accurate and fair game, sure, yet it doesn't sit quite right with me.
> Dropbox checks the hash of a shared file against a banned list, and blocks the share if there’s a match.

Encoding an mp3 is not a deterministic process. So if multiple people start with the same .wav file ripped from a CD (which itself may introduce errors) and then downcode it, they will end up with files which sound the same but are slightly different (and therefore hash differently).

So, it should be straightforward to test whether Dropbox does anything more sophisticated than what's described in the article.

That brings up an interesting question. At what point does a modified file no longer fall under copyright?

If I had a copyrighted ebook and changed a single "o" to "0" I bet I could still be busted for distributing it (although it appears Dropbox would no longer automatically catch me). But what if I changed every single "o" to a "0"? Re-arranged words? Chapters? Upcased every lowercase letter?

My guess is that's it's based around "intent" which is hard to quantify, but it's still interesting to ponder.

It would fall under the same rules as fair use. If the modified file is close enough to the original that it could deprive the creator of a sale, then it is certainly infringement. If you made it so different that it would not deprive the creator of a sale (for example, if you re-arranged every single word so that the words in the book were in an entirely random order), that would most likely be fair use.
It's not quite that simple, something can be a derivative work even if none of the original content remains and it's purpose changes dramatically. Generally speaking fan-fiction infringes copy-write when someone trys to make money off of it. However, the same work may be free and clear if you don't try and make money from it.

Teachers can generally copy something to use in class as an example. However, they may not copy the same content every year after that. Same action, but slightly different context.

It's an interesting philosophical question, but intent is something that judges are much better at deciding than computer programs. And laws are generally written to be executed by judges (or, by extension, the threat of litigation).

Fun to think about, though. Especially if you start thinking about writing alternate endings, etc.

It gets even more interesting if you use right to "quote" small parts of books.
If you start with the original work, you'd have to pretty much totally change it for it not to be considered a derivative work.
It's more about watermarks than hashes, maybe the author mentions hashes to make it more simple to understand. Modern watermarks can survive most treatments. Even a screener can still be detected.
This whole story brings increasing clarity on the difference between "we don't look at your files" and "we can't look at your files", as outlined by Colin Percival:

http://www.daemonology.net/blog/2012-01-19-playing-chicken-w...

Obviously, the sharing and interoperability of Dropbox are key features, but for lots of use cases I'd much prefer technical barriers to policy barriers.

The article claims that technical barriers exist at Dropbox as well, but considering they hold all the encryption keys, and I have to trust they're even encrypting in the first place, any "technical barriers" they erect are really no more assurance than policy.

If you don't control them, they're not yours.
So if you don't control, say, your family they are not your family?
I believe he was talking about possessions. You don't own humans.
(comment deleted)
They use the same logic to save time when uploading a file that has already been uploaded by another user. Check hash of large file, see if it is already on the server and then just link it to your account.
I believe they stopped doing multi-user deduplication a while ago.
They are _scanning_ your content!! Mobilize the "scropboxed!" campaign!
Yet another reason not to use cloud services. For start dropbox is infrastructure provider and they have no right to snoop inside your files. If they start blocking stuff at their own will they are judge and executor.

Secondly there is lot of potential for abuse. Hacker could sneak hash collision into their database and essentially censor-ship any document he wants.

And finally I do not understand why there has to be protection from working with copyrighted stuff. Most of work I created is copyrighted, nearly every open-source product have copyright.

Even if there would be a movie there, it does not strictly mean it is illegal. Most people have right to create backups of their DVDs. Many jurisdictions allow to create copy for personal use and so on.

You clearly didn't read the article. It only applies to sharing files, not storing them. All of your arguments do not apply to shared files.
It does apply, there is no evidence that receiver does not have a valid license. It could be even the same person using two accounts.

By this logic we should shutdown Github and SourceForge, until we "clear up some legal stuff".

I agree with you that there are cases in which Dropbox might pick up false positives. I think the DMCA should be updated with harsher penalties for improper takedown requests ("copyfraud"). Still, the policy Dropbox has seems pretty reasonable. And you can always choose to encrypt your files locally or even not use Dropbox. After all, it's a company competing in a relatively free market. But I think for most people Dropbox is a pretty good choice and this takedown policy shouldn't be a reason for them to stop using it.
I agree their policy is reasonable for filesharing service.. But it makes dropbox useless for me as backup storage or hosting provider. I would not trust filesystem or provider which randomly deletes/blocks my data.
It makes sense that Dropbox wants to avoid the popularity that would come from being an easy way to distribute unauthorized content.

However, takedown notices have been abused on YouTube to censor criticism, and dishonestly claim ownership. The problem could be even worse if what it covered wasn't limited to when links are posted publicly, but also covered shares between family members, colleagues, and friends.

While distributing backups from your DVD collection to a colleague may not make sense, and that isn't much better than posting public links, qwerta has a point when it comes to the potential for someone unethical to abuse the system.

I appreciate the challenges Dropbox faces with respect to copyright, and that it is easier to focus on making a viable business if a broad policy wastes less of their time on the issue. However, it's also a complicated when you've given a service read/write access to your hard drive—not necessarily because its reasonable to assume that Dropbox would take a legal risk like proactively deleting content on your computer, but because it's almost an unreasonable amount of trust you're granting them in the first place.

Anyway, maybe you meant, "Not all of your arguments apply to shared files."

I don't think what you're arguing would be a problem. From the article:

"Only when a file is shared from user-to-user (or with the Internet at large) does the DMCA check system come into play"

"Some thought the original file was deleted from the user’s Dropbox — that’s not the case, either. Dropbox just blocks the file from being shared."

Personally I think cloud services are super convenient and the downside for most people is really small.

My answer is in other thread, but in short my comment does apply even to sharing.
You could also just encrypt before uploading.
you could just flip a single bit before uploading
Or I could just use my own server... Way more comfortable
"For start dropbox is infrastructure provider and they have no right to snoop inside your files."

Uh sure they do. Both legally and morally. It's their servers! Their right to snoop files stored on their servers is quite strong. Your right to store files on someone else's servers is zero. If you would like to pay someone to store your stuff on their servers that is a business deal which can be arranged and the fine print can be negotiated between the two private parties.

But it is not their data...
If you don't want someone looking at your data then you probably shouldn't store it on their servers. Especially when the contract you entered with that person says they they can snoop the data.

You could try negotiating a contract that says you can store your data on their servers but they aren't allowed to look at that data under any circumstances ever.

There are a variety of Dropbox competitors that focus on letting you run the server so you can control the data. If data privacy is of maximum concern, and that is a legitimate thing to be concerned about, then I'd recommend one of those options.

What if I transmit data over someone else's wires? Do they have the legal and moral right to snoop at it?

What if it's stored within a government's territorial jurisdiction? Do they have the legal and moral right to snoop?

Why not?

Yes to both, save for the limitations these parties themselves agree to. That is, after all, what the 4th amendment is: a limitation on the United States' sovereign rights.
> they have no right to snoop inside your files

The do. Read the TOS, it's written in perfectly understandable english. If you accepted them, then you have nothing to say.

Almost all the recent news and tweets sidestep around the main question, which should be answered in a FAQ somewhere:

If I have copyrighted data on my Dropbox folder, and the system detects it, what happens? If I sync the copyrighted data with several of my computers, does that count as sharing?

Yes, I know what hashing is and yes, it seems the original reporter of the DMCA may have shared the file link through email or a website. Still, I need assurance that my data (including the copyrighted ones) will be backed up at Dropbox and available for my use at my leisure, indefinitely -- provided I don't "share" them in any public way.

Side note: all of my data on Dropbox is encrypted by a separate system, so it's unlikely that I'll be affected, but I still am interested in the issue.

I can't help of thinking that Google's and Microsoft's cloud offerings have a more honest EULA.
Yes, it is sketchy. The architecture of Dropbox is sketchy. The only acceptable solution is end-to-end encryption with an open protocol. I've moved from Dropbox to btsync and started contributing to the ClearSkies project.
Maybe I'm being daft here, but why don't would-be file-sharers just encrypt files and send their friends passwords along with the links? Neither the provider nor the copyright holders would be able to tell who was sharing what, unless they monitored IM, email etc..

Of course it does seem that anyone can abuse the DMCA with impunity, so strictly speaking this wouldn't stop the "notice and takedown" actions. It would however prevent the automated detection and might increase cost and difficulty for copyright complainers.

Yeah, anyone can easily modify a file so it doesn't match the blacklisted hash and share it with their friends. Once you start sharing it with millions of people across the internet though, the copyright holder is likely to find out about and issue another DMCA takedown. So this is a system that doesn't prevent small scale sharing, but might be somewhat successful at preventing large scale infringement.
Just curious, are you storing the keys? Or at the very least the login info from which you could regenerate the keys? If so, there's no reason a government couldn't ask for you to hand the info over, so even though this is a step more complex that Dropbox, it doesn't add too much security.

Now, if users provide their own key and it's never transmitted, that would be secure, but obviously the data would be un-decryptable if the key is lost.

You're right, storing keys would completely defeat the purpose. We don't do it. Master keys are generated from a user's login information, which we have no knowledge of.

Right now if you forget your login/password your account is lost unrecoverably. We have a feature slated that would let you download a file version of your account key, meaning if you lost your username or password, you could log in with the special key file and reset your info. Obviously, you'd have to keep the file encrypted/safe, but that's the user's responsibility ultimately.

I was under the impression they knew, but didn't care. In the past I had uploaded GB-sized HDTV stuff and had it instantly uploaded and available to a friend. I figured they just hashed it, realized someone else already put it up, and added that file to my account or otherwise linked it into my account.
I've seen a lot of outrage about this on Twitter, what annoys me most is that these people who are outraged for the most part consider piracy to be acceptable. Then when a company tries to enforce copyright law and protect the rights of the content owners they go on a tirade that their personal privacy is being breached.

I know that the rights holders haven't been blameless in their history but piracy is still wrong and getting upset about people trying to stop it is wrong.

EDIT: I also think that Dropbox's method of detecting copyrighted files is a perfectly reasonable way of doing it. By now we all (should) know the rights we give up for the convenience we get when using consumer cloud services. I think Dropbox are well within their legal and moral rights to do this.

Would you please zip content of your hard-drive and uploaded it on dropbox? Also give me password from your gmail. I want to check if there is no illegal copy of my work in there.
No one is reading people's hard drives or gmail. They are comparing shared files, on their servers, against a hash of commonly pirated files. You are exhibiting the behavior parent comment was complaining about.
Who says I would be reading it? I will just compare all that content with my hash checker, and delete all illegal stuff. Do not worry I use ultra strong 8 bit hash :-)

It is user who has to deal with blocking, false positives and other negative externalities of this. Copyright holders are just passing on their costs to entire society.

What costs? That you can't share pirated movies over dropbox? Big deal.

Funny speaking about externalities on copyright. The entire purpose is to get rid of externalities.

Although I'm not one of the outraged, I think this sentence from the article talks about two very different situations:

> Only when a file is shared from user-to-user (or with the Internet at large) does the DMCA check system come into play.

Doing a DMCA takedown on a broadcast share with the whole internet? OK. Fine.

Doing it on a share with a specific other user? Not OK. Bad.

IANAL, but: There are limited exceptions such as fair use. For example if a teacher were sharing copyrighted work with a student or another teacher, that could be appropriate. I think it is inappropriate for Dropbox to prevent an appropriate share like this. Their ToS may allow them to do so, but I'm saying they ought not to do so. I think that's taking it too far.

I think your fair use argument is reasonable. Interestingly fair use for sheet music (as one example) in an educational context is far more limited than you might think [1]. There are a number of limited exceptions for sharing copyrighted materials with a student but all of them would involve transforming the sheet music by only sharing part of it. In this scenario this would change the hash of the file and the file blacklist wouldn't pick it up.

[1] http://copyright.lib.utexas.edu/musguid.html

It's wrong? Who says? Why? Because it is illegal? Was slavery OK when it was legal? Is capital punishment? Smoking pot?

If you mean we shouldn't do it because it is illegal, that's fine, although personally I don't find that a compelling reason. I think some people here think maybe the copyright laws should be different then they are. Said that way, it isn't unreasonable opinion, compared to "OMG! You think piracy is acceptable!" There's a better level of conversation here: What do they think should be different? Why? Why do you think its wrong? What does wrong even mean in this case?

Care to enlighten us?

Yes, it's wrong. If the creators wanted people to share their work for free, they could allow it. Furthermore, it's their server, they can forbid it if they want, even if it was legal.
Of course, I see now. It's wrong. Houshalter says. I'm genuinely confused about the pot thing. Can you clear that one up for me, too?
One could just as easily make a stupid comment about how it's not wrong for them to come into your house and steal your things. Who said property rights are right? Who says? Why? Because it is illegal? Why do you think its wrong? What does wrong even mean in this case? Care to enlighten us?

Sure, we can debate the merits of intellectual property or property rights or whatever, but it's not really relevant to the parent comment, you are just picking a fight. Few think it's ok for people to just take things that aren't theirs, and few think stealing music is ok either.

Yes, I was being flippant. That's not constructive and I apologize. However, I think there is an interested discussion to be had about property rights, just like intellectual property rights. I'd want to know the history of property rights. How did we get here? What are our cultural goals and how to property rights help (or fail) to achieve them? What are the limits? Do we think it is a moral question? That is, is it a question of right and wrong? It might be obvious that people shouldn't be able to come and take your stuff, but what about eminant domain and criminal asset forfeiture in the US? What about corporate property rights? I'm thinking about water privatization and the popular uprising in Bolivia, for example. Or (back to intellectual property) the rights of corporations to patent otherwise protect chemicals and genes found in nature, also called piracy by some, biopiracy. Or extending copyright on things destined for the public domain (copyright extension acts).

> it's not really relevant to the parent comment ... and few think stealing music is ok either.

Maybe I misunderstood the parent comment, but wasn't the poster complaining that so many people on twitter outraged about Dropbox's behavior think privacy is acceptable?

I think a lot of people are unhappy with the current intellectual property law and they feel powerless to influence it. The kind of frustrations that produces the GPL and Creative Commons, although not all of us have the vision, leadership or influence of a Stallman or a Lessig. I suspect some current attitudes about piracy are related to those frustrations. I also think a debate about piracy -- rather than just shouting "It's wrong." -- can be very profitable. I'm reading Adrian John's history of Piracy (highly recommended). From the Introduction:

"Those who were called pirates almost never [took the charaterization at face value]: they always repudiated the label as inaccurate and unjust. The point is that when they did so, they often triggered debates that threw light on major structural issues and had major consequences as a result. We can profit by focusing on precisely these contests -- and the more prolonged, variegated, and ferocious they were, the better. They strained relations between creativity and commercial life, and at critical moments caused them to be reconstituted."

I'm very strongly anti-pirate and very strongly anti-dropboox snooping. It's quite possible to be both.
Are you strongly against dropbox hashing files you have shared and comparing them against a known blacklist?
Yes. That's snooping. They're actively looking at what I store with them.
A Dropbox employee looking through your files for filenames with DVDRIP would be actively looking. Hashing a file and comparing it to a blacklist is automated scanning. I think a blacklist is a perfectly reasonable solution to this problem and is as minimally invasive as possible. How would you approach this problem differently?
Snooping doesn't become not-snooping when software does it instead of a human. Ask the NSA.

How would I deal with it? To me it's clearly none of Dropbox's business and they shouldn't be doing this in any way, shape, or form.

"it's clearly none of Dropbox's business"

Actually, it's a core piece of Dropbox's business. One of the ways they save on storage is by comparing hashes of files (or even parts of files - how many bits of any two JPG or DOC files are identical?) being stored and, if identical, only store one copy of the file. That and they explain in plain english that they're allowed to do that. That they explicitly say they do as much in their TOS puts the onus on the user to not store anything they're concerned about the privacy of on Dropbox's servers.

If you want a proper laugh: re-share an "internal" rip from a private tracker on a public one without sufficient identifying meta-data, and watch some fool jump up and down because you've stolen his hard work without credit. His hard word of course being to steal someone else's hard work... To some (many?) everything they do is fair, and everything they don't like isn't (even if what they don't like is exactly what they do themselves).

Not that I would know anything about obtaining copyright protected materials in that manner, of course. A friend told me about it, honest...

Enter service to add random metadata to your files to trivially thwart protection scheme.
Imagine to rely on a storage service that decides wether you may have a certain file. Not even once.
Workaround: Just edit the file's time edited by "saving as" and it will change the hash.