DoSing the Security Community With a ToS

The security community echo chamber was rocking hard over the weekend with news that an online backup/sharing service, Dropbox, had changed its Terms of Service to grant itself “worldwide, non-exclusive, royalty-free, sublicenseable rights to…” do basically anything it wants with your content. From Dropbox’s point of view, this is the sort of thing they claim they need in order to provide you the service. That may or may not be true, but it was probably something their legal counsel told them would be in their best interest to include.

The odd part is that anyone in the security community was surprised by this. It does not matter what the ToS said. The fact of the matter is that if you are uploading information to a third party in anything other than an encrypted form where you control the key, then it needs to be considered public. The only question at that point is how long it takes before everyone else knows it’s public. Someone who isn’t you can read it, and you’re trusting them not to reveal it, share it, or profit from it. In practice that may mean your information is never revealed, or that it is revealed when someone compromises their service, or when they decide to change their ToS, which every ToS tends to allow the provider to do with little notice and little, if any, recourse.
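What “an encrypted form that you control” looks like in practice, as an added example that is not part of the original post and has nothing to do with Dropbox’s own client: the file is sealed locally with AES-256-GCM under a key that never leaves your machine, and only the resulting blob is handed to the provider. The helper names (newKey, sealBlob, openBlob), the file name and the sample content are all assumptions made up for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Hypothetical helpers, not any real client's API. The key stays with the
// user; the provider only ever stores the output of sealBlob.

const keySize = 32 // AES-256

// newKey generates a random key the user keeps locally. If the key is lost
// the data is gone: the provider cannot recover it, which is the point.
func newKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealBlob encrypts plaintext with AES-256-GCM under key. The file name is
// bound in as associated data so a stored blob cannot be quietly renamed or
// swapped for another of the user's files. Layout: nonce || ciphertext || tag.
func sealBlob(key, plaintext []byte, name string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce, so the nonce travels with the blob.
	return aead.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// openBlob reverses sealBlob. Any modification of the blob, a wrong key, or a
// mismatched name makes the GCM tag check fail and returns an error, not data.
func openBlob(key, blob []byte, name string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(name))
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample content standing in for a slide deck.
	doc := []byte("Q3 roadmap - internal only")
	blob, err := sealBlob(key, doc, "roadmap.pptx")
	if err != nil {
		panic(err)
	}
	fmt.Printf("what the provider stores: %x\n", blob)

	// Someone with access to the stored blob flips one byte.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := openBlob(key, tampered, "roadmap.pptx"); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}

	pt, err := openBlob(key, blob, "roadmap.pptx")
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered locally: %s\n", pt)
}
```

Two caveats a practitioner would add: the provider still sees the file names, sizes and timing of what you upload, so metadata is not protected by this, and a GCM nonce must never repeat under the same key, which is why each blob draws a fresh random one. Losing the key means losing the data, since by design there is nobody else who can decrypt it.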

Too many of us have forgotten, or never learned, that everything on the interwebs is public by default unless you’re making a real effort to restrict access. Ultimately, there are just gradients of how public that information actually is. Dropbox and similar services are great for what they are: a convenient place to put slides and other random files that you want to access or share easily and don’t mind if someone else sees, given a little effort on their part. Essentially, it is an alternative to sending an email with an attachment, and it has about the same amount of (in)security.