Is it safe to carry on using Dropbox following the DMCA takedown revelations?
Over the weekend, Darrell Whitelaw tweeted a Dropbox error message that said certain files could not be shared due to a DMCA takedown request.
The immediate concern was that perhaps Dropbox files are neither as safe nor private as its users had thought — how could Dropbox take down files if it did not scan the users’ folders?
In fact, Dropbox is being rather clever. Its problem is this: Dropbox is primarily used as a file syncing system, allowing users to transfer files from one personal device to another personal device. If the user owns or has licensed the files in question, this is not generally a problem.
In fact, from 1 June 2014, UK copyright law will be changed to explicitly allow consumers to make additional copies of copyrighted works for personal use — so transferring music from the tablet you used for downloading, via Dropbox, to the PC you will use to burn CD for playing on your music centre will be perfectly legal.
But as a US company, Dropbox is also subject to the peculiar effects of the DMCA. Under this law, rightsholders can simply demand that copyrighted materials should be taken down. While the service provider can challenge this, failure to respond to a valid takedown demand can prove very expensive. As a result, in many cases the receipt of a DMCA takedown request automatically triggers its takedown without any further query.
It is in trying to balance these apparently contradictory pressures that Dropbox has developed a rather sophisticated solution. If we look more closely at the error message wording, we can see it says that ‘certain files can’t be shared’ because of a valid DMCA takedown request. But it also says that the folder is empty.
The files themselves have not been taken down; it’s just that public sharing has been blocked — that is, this folder is empty for this user, but not for the owner. In other words, Dropbox does not takedown legally owned or licensed files; but it does prevent them being illegally shared to other people.
This just leaves the second concern: how does Dropbox know what is in the folder unless it scans it?
In fact, it doesn’t know — or at least it doesn’t necessarily know. When files are first uploaded by the user, they are hashed. This is automatic and doesn’t require Dropbox to know anything about the file itself. The hash algorithm generates unique fixed length outputs from variable length inputs. Dropbox stores these hashes.
Elsewhere is a separate database of different hashes produced from files that have been subject to successful DMCA takedowns. Whenever a user publicly shares a file that has been uploaded, Dropbox compares its own hash to that on the takedown list. If there is a match, Dropbox blocks the public sharing. It doesn’t need to scan the folder, nor even know what the file is.
Dropbox is thus using best efforts to comply with US copyright laws, accommodate European laws, and maintain user privacy. It’s not foolproof, of course, because the user could encrypt the file locally before uploading it. The resulting hash would then not match any other hash.
Well, that’s the theory, anyway. In reality, Dropbox will know many of the files stored by users via the separate database of hashes. But this then provides the potential for different privacy abuses — user profiling based on music and video tastes, for example.
At the same time, repeated encryption of movie-length files prior to uploading could act like a red-flag and draw the attention of The Eye. That in itself would probably be enough to trigger a Patriot Act NSL demanding the user’s details without allowing Dropbox to tell anyone about it.
So, basically, as we always say about Dropbox… is it safe to use? Yes… and no.