
Dropbox's New Policy of Scanning Files For DMCA Issues

Posted by samzenpus
from the lets-see-what-you-have-there dept.
Advocatus Diaboli (1627651) writes "This weekend a small corner of the Internet exploded with concern that Dropbox was going too far, actually scanning users' private and directly peer-shared files for potential copyright issues. What's actually going on is a little more complicated than that, but shows that sharing a file on Dropbox isn't always the same as sharing that file directly from your hard drive over something like e-mail or instant messenger. The whole kerfuffle started yesterday evening, when one Darrell Whitelaw tweeted a picture of an error he received when trying to share a link to a Dropbox file with a friend via IM. The Dropbox web page warned him and his friend that 'certain files in this folder can't be shared due to a takedown request in accordance with the DMCA.'"
This discussion has been archived. No new comments can be posted.

  • Later Dropbox! (Score:5, Insightful)

    by Anonymous Coward on Monday March 31, 2014 @07:04AM (#46619833)

    It's been nice while it lasted, now on to other services!

    • Re:Later Dropbox! (Score:5, Interesting)

      by noblebeast (3440077) on Monday March 31, 2014 @07:36AM (#46619999)
      MEGA is looking like a better alternative every day. End-to-end encryption, and 50GB(!) free storage.
    • by hodet (620484)

      I just use my own VPS. Amazing what people will go through to save $10/month.

    • Much, Much Later (Score:4, Insightful)

      by Jane Q. Public (1010737) on Monday March 31, 2014 @12:21PM (#46622975)
      I refused to use Dropbox ever since its "end to end encryption" claim was shown to be false, and they were de-duping your files. (De-duping required access to the original files, which Dropbox tried to claim they didn't have.)

      Then they said they were changing that practice. But how far could you trust them, considering that they had already lied to everybody? Fool me once, and all that.

      NOW, apparently they're checking your files -- which back when they again claimed they weren't accessing -- for copyrighted content, which again requires access to your original files. (Even if you're just doing an MD5 hash or some such, you still need access to the original file to do it.)

      So, yeah. For all those who didn't drop Dropbox when I did, maybe it's time.
      • Re:Much, Much Later (Score:5, Interesting)

        by jimbo (1370) on Monday March 31, 2014 @01:00PM (#46623423)

        I've used EncFS and BoxCryptor with Dropbox from day one and I'd do that with any cloud storage solution, no matter what they claim it is irrelevant. It is my data, by choice I'm retaining the responsibility for its safety/security.

        I'll continue to use Dropbox because I never trusted them and made sure I didn't have to.

      • by Lord Crc (151920)

        I refused to use Dropbox ever since its "end to end encryption" claim was shown to be false, and they were de-duping your files.

        I simply never assumed my Dropbox files were private to begin with.

        While I don't share everything in my public folders, I don't put anything in Dropbox that I don't mind the whole world to see.

  • by kye4u (2686257) on Monday March 31, 2014 @07:09AM (#46619849)
    If you are determined to use drop box, use open source software such as 7zip that will encrypt and zip. Otherwise, stop using drop box and move on to something else. One of the consequences of using the magical cloud is that you are bound to somebody else's rules for how they manage your data. Also note that those rules are subject to change at any time, and you don't have any say in those changes (I guess the only option is to speak with your wallet and move to greener pastures).
    • by Xest (935314) on Monday March 31, 2014 @07:16AM (#46619897)

      I stopped using DropBox when its Android app started asking for access to my contacts etc.

      Anything that asks for permissions unnecessary to its key purpose is dead to me.

      • by Sockatume (732728) on Monday March 31, 2014 @07:35AM (#46619991)

        Isn't that so that you can send links to contacts? Android has no granular permissions support so if you ever want to be able to email a link from the app, you have to grant that permission.

        • by Chrisq (894406) on Monday March 31, 2014 @07:51AM (#46620123)

          Isn't that so that you can send links to contacts? Android has no granular permissions support so if you ever want to be able to email a link from the app, you have to grant that permission.

          It's a shame that you cannot just deny that right and have it fail if you ever tried the email functionality. Or even let the application know what's granted so that it can disable the email options.

        • by Xest (935314) on Monday March 31, 2014 @08:02AM (#46620209)

          Yes I believe that's the claim, but I'm more than content to just have a "Copy link to clipboard" button so I can paste it wherever I want - all they need to do is let me take the link where I want.

          Too many companies use such data for other purposes in the background (and ship your contacts etc. off to their servers) that it's a poison chalice to even ask for such permissions if it's not necessary to the underlying point of the application.

          I get that they want to make it easier for some users and I fully sympathise with the usability reasons for doing so, but ultimately when they do shit like this it just reinforces my view that it's not a permission I can trust most such companies with.

          They say they'll never do something, and they resist for a while, then they finally break, "just this once" they tell themselves. Like fuck "just this once".

          I used to have the Facebook app on my phone and I did give that permission - not because I trust them, but because I was going in knowing full well what they were going to do with it, but I drew the line at that app when it started asking permission to draw over other apps and such - what the fuck? No. Just no. There's not a chance in hell you're having permissions to view and render over the pixels on screen on my banking app or whatever.

          Now I'm far more tough with apps in general, which is why I wouldn't touch drop box anymore with this permissions change. Tired of being told our data won't be read, will be held securely and then suddenly such data turns up in completely unrelated places, like when contacts I only had through my MSN messenger list magically turned up as recommendations on LinkedIn despite me never having given permission for MS to share that data with LinkedIn nor LinkedIn permission to receive that data from MS.

          I used to be more laissez faire with my data, because I was lazy enough to put convenience over privacy, but each time I gave a company the trust they asked for based on the assurances they gave they really did lie and abuse it, so fuck them.

          Even something as innocent as a university course I did in my spare time has me getting text messages (2), e-mails (about 5), phone calls (7 of - land line and mobile), letters through the post (3) telling me to fill in the UK's student survey. Eventually I relented, any other comments? Yes, "Fuck your survey, all data I filled in is false. Leave me alone". Apparently I should've opted out of said survey, now if only I was ever given that choice.

          You literally can't put your data anywhere anymore without it being used to harass you. The convenience is no longer worth the inevitable follow on harassment which is anti-convenient, it's a distraction, a disruption, a pain in the fucking arse.

          I buy a TV and I have to give a postcode and house number so they can pass it on to the TV licensing authorities "It won't get used for junk mail, just for licensing" and what comes through the door after a year? "Your warranty is due to expire, your TV won't be covered if it breaks blah blah blah" - no it's fucking not, I'm covered by the consumer protection act you lying dipshits. Last time I bought one I gave the shop the postcode and number of their very own store, knowing full well the question would be coming having looked it up beforehand, amusingly my theory that the sales drones would be too fucking dumb to notice was proven right.

          So it may be to let you more conveniently send a link directly, but you always pay in the end, that convenience doesn't come free, you lose the time gained by that convenience dealing with advertising crap, being sent friend invites from people you don't want, sorting junk mail into a recycle bin and phoning them to ask never to spam you again, or dealing with security nightmares because some retard company holding far more of your data than it ever needed got hacked.

          And that's why they can take their lame little "share this" or whatever button and fuck themselves with it.

      • For an app intended to share data with different people, being able to access your contacts would make the program easier to use assuming that you are sharing data with people on your contact list.

        That said most apps work if you say No. I wouldn't call it an unnecessary request to ask for permission.
         

        • That said most apps work if you say No. I wouldn't call it an unnecessary request to ask for permission.

          On Android you cannot install the app if you say no. The question is asked during installation or update.

      • by iq-0 (313030)

        One of dropbox's key features is its ability to share your files. So I hardly think access to your addressbook is really wrong. If they'd be sending that data to their server or whatever that would be unacceptable.
        You should actually be more annoyed with the Android permission system in this case, because it doesn't let you prohibit that part of the functionality. The current permissions system is that you must allow all permissions an app might need, even though you'll never use (or want to use) that part

        • by Xest (935314)

          I agree the Android permissions system is part of the problem in this particular scenario, but see my post here as to why I don't want them to access data that isn't essential to the use of the application:

          http://slashdot.org/comments.p... [slashdot.org]

          Long story short, accessing my contact list just allows them to add fluff, and the fluff to risk of privacy violation ratio is too high. I used their application fine without that option in the past, I don't need it now.

    • Otherwise, stop using drop box and move on to something else.

      And that "something else" will still be subject to the same bad laws (DMCA) as Dropbox.

      One of the consequences of using the magical cloud is that you are bound to somebody else's rules for how they manage your data.

      The problem is, this isn't Dropbox's rules. They are following the law.

    • by aviators99 (895782) on Monday March 31, 2014 @07:38AM (#46620015) Homepage

      If you encrypt, it's not very convenient to do what the person in the article did: link to a video. His IM buddy would have to download/decrypt before seeing the video. Your point is well-taken, of course. But leaving for another cloud provider is likely not going to make things any better. Cloud storage, by its broad definition, is sacrificing security for convenience (to some extent). You can certainly mitigate that via encryption, but at the loss of much of the convenience, especially when it comes to this particular use case, which is the sharing of a video.

  • So, if I get this correctly, Dropbox will prevent you from sharing a file that was blocked due to somebody else uploading it and getting busted?

    What does somebody else's data have to do with your data?
    And what if there is a hash collision?

    • by Sockatume (732728)

      The DMCA is concerned with whether Dropbox is hosting an infringing file, not who they may be hosting the file for or for what purpose. Unfortunately this approach is forced upon Dropbox by a US law passed in an era of dial-up modems.

    • by thue (121682)

      > And what if there is a hash collision?

      Cryptographical hashes are designed to make that ridiculously unlikely. Go buy a single ticket to the national lottery instead - you are far more likely to win the biggest prize there than to ever find a hash collision.

      • you are far more likely to win the biggest prize there than to ever find a hash collision.

        That, of course, only makes it more painful to encounter a hash collision.

      • > And what if there is a hash collision?

        Cryptographical hashes are designed to make that ridiculously unlikely. Go buy a single ticket to the national lottery instead - you are far more likely to win the biggest prize there than to ever find a hash collision.

        It's not quite the same thing. If you buy a lotto ticket then you have a single chance of winning. In the case of dropbox, you have many chances of "winning" (consider how many files dropbox stores).

        Of course you're right that a collision is incredibly unlikely, but I don't think your example is especially comparable.

        • I suspect that they use more than just a plain hash. Even if you just use hash plus explicit filesize, you've narrowed down the chance of hash collisions massively.
        • by suutar (1860506)
          It's not quite the same thing, but the lottery is still more likely. Assume a trillion files (1e12). Assume SHA-1, for 160 bit hashes. Then the probability of a collision is less than or equal to 1e24/2 * 1/2^160. 1e3 is _roughly_ 2^10 so call it 2^80/2 * 1/2^160, with a final result of about 1/2^79. Your odds of winning the powerball on one ticket are more on the order of 1 in a couple of billion (2 * 1e9, call it 2^31) so you're still vastly more likely to win the lottery than find a collision in a trillio
        • Re:Huh? (Score:5, Informative)

          by blueg3 (192743) on Monday March 31, 2014 @10:42AM (#46621851)

          He wasn't making an analogy between how you find a hash collision and how you win the lottery -- only comparing the odds.

          Dropbox uses SHA-256 hashes. I'm assuming this is what they use for this feature, since it's what they use internally for file identification and deduplication. They actually hash 2 MB file chunks, which means that any file more than 2 MB produces multiple hashes (one per chunk, naturally).

          The "many chances of winning" you're referring to here is the birthday collision problem. A good, rough approximation is that for an N-bit hash, while the number of different hashes is 2^N, the number you can generate before risking a collision is about 2^(N/2). So, with SHA-256, we run no significant risk of collision until we've generated around 2^128 ~= 10^38 hashes.

          The total amount of data stored worldwide is on the order of 1 ZB. That's room enough for about 10^15 2-MB chunks. Of course, some of our files might be smaller than this 2 MB chunk size, enabling us to be more efficient with storage. We might be able to get somewhere around 10^20 different files in there.

          That's a strange and untenable use of all of the world's storage, and it still puts us about 18 orders of magnitude short of being able to risk a SHA-256 collision. If you had this giant set of a ton of different files, the probability of a collision existing is about 1 in 10^37.

          So, short of a flaw in SHA-256, you can assume that a hash collision will never happen. We know of no such flaws. (If we do, it will almost certainly be the case that the collision only occurs because one of the two files was specifically manipulated to produce the collision.)

          On the other hand, the odds of winning the lottery are rarely worse than 1 in 10^9.
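
Added example (not part of the comment above and not Dropbox's code): a Python sketch of per-chunk SHA-256 hashing with the 2 MB chunk size the comment states, plus the birthday approximation applied to the figures quoted in this thread. The function names and the zero-filled sample file are constructed for illustration.

```python
import hashlib
import math

CHUNK_SIZE = 2 * 1024 * 1024  # 2 MB chunk size, as stated in the comment above


def chunk_hashes(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Return one SHA-256 hex digest per fixed-size chunk of data."""
    if not data:
        return [hashlib.sha256(b"").hexdigest()]
    return [
        hashlib.sha256(data[i:i + chunk_size]).hexdigest()
        for i in range(0, len(data), chunk_size)
    ]


def collision_probability(n_items: float, hash_bits: int) -> float:
    """Birthday approximation: P = 1 - exp(-n(n-1) / 2^(bits+1)).

    expm1 keeps precision when the probability is far below float epsilon.
    """
    exponent = n_items * (n_items - 1) / 2.0 ** (hash_bits + 1)
    return -math.expm1(-exponent)


def items_for_probability(p: float, hash_bits: int) -> float:
    """Number of random hashes needed before a collision has probability p."""
    return math.sqrt(2.0 ** (hash_bits + 1) * -math.log1p(-p))


if __name__ == "__main__":
    # Constructed sample: 5 MB of zero bytes -> chunks of 2 MB, 2 MB and 1 MB.
    sample = bytes(5 * 1024 * 1024)
    digests = chunk_hashes(sample)
    # The two full chunks are byte-identical, so their digests match;
    # this is the property chunk-level deduplication relies on.
    print(len(digests), "chunk hashes; first two identical:",
          digests[0] == digests[1])

    # Figures quoted in the thread.
    p256 = collision_probability(1e20, 256)  # 10^20 files, SHA-256
    p160 = collision_probability(1e12, 160)  # a trillion files, SHA-1
    print(f"SHA-256, 1e20 items: about 1 in 10^{-math.log10(p256):.1f}")
    print(f"SHA-1,   1e12 items: about 1 in 2^{-math.log2(p160):.1f}")
    print("50% collision point for SHA-256: "
          f"{items_for_probability(0.5, 256):.2e} hashes")
```

These figures hold only for accidental collisions between unrelated inputs; they say nothing about inputs deliberately crafted to collide under a broken hash function.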

    • by Ash Vince (602485) *

      What does somebody else's data have to do with your data?

      There is no "your" data or "their" data. There is only dropbox data. It seems at the point you upload a file they check it to see if they already have a copy and if they do they just add a pointer to the existing file rather than store a fresh copy.

      And what if there is a hash collision?

      By the sounds of it they must actually do a direct file compare rather than use a hash. They probably use some kind of hash to narrow down the options of stuff to compare it with but in the fallback case of a hash collision, and both files being exactly the same

    • by iq-0 (313030)

      Part of it is in the 'terms of service' where you specifically allow dropbox to do certain things (like deduplication and retention after you've deleted it).

      They're not actively searching *your* files to seek out these violations, they got a specific complaint about that file's data, which they are obliged to make publicly inaccessible. If you also share that file's data then that too is, according to the DMCA, infringing and is prohibited from being shared.

      About the hashes: they most certainly only use

      • But computing a hash-value IS going through your files.

        What if they use a hash that is computed like this:
        1. compute md5sum of the data
        2. make the last bit zero or one, depending on whether the file has some interesting property.

        Suddenly, they can profile you based on "hash-value" alone.

        • by blueg3 (192743)

          But computing a hash-value IS going through your files.

          In the same sense that receiving them from you, storing them, or transmitting them to others (at your request) is "going through" your files.

          Dropbox already uses SHA-256 hashes internally for file identification and deduplication. So it's been hashing all of your data this whole time.

    • So, if I get this correctly, Dropbox will prevent you from sharing a file that was blocked due to somebody else uploading it and getting busted?
      What does somebody else's data have to do with your data?
      And what if there is a hash collision?

      If there was a DMCA request, it means that Dropbox was told by a copyright holder that uploading this file is infringing someone's copyright. Therefore Dropbox knows that you are infringing the same copyright (except if you are the copyright holder, in which case - well, tough). Since they _know_ it is copyright infringement, it would be quite possible to argue that not blocking it would be Dropbox colluding in copyright infringement. And I mean you are not claiming that you have any right whatsoever to upl

  • You wanted privacy? (Score:3, Interesting)

    by DMacedo (1989924) on Monday March 31, 2014 @07:13AM (#46619881)

    This is news, in the sense that Dropbox now actively crawls your files (DMCA still went about for publicly listed files anyway).

    But my question is why are there people in the tech industry still surprised by the fact that Dropbox does not encrypt its users' files and can read them outright...
    That's how they do sharing between users, as well as file deduplication (Which probably works best for larger copyrighted files, funnily enough!)

    I still use Dropbox, and promote it slightly: with the stern advice to use it simply as a convenient way of sharing crap, but treat it as a "public USB drive"!

    Just never, ever, store sensitive data, like your business or evil masterplans, or your personal/bank/etc account details on it. But if you're sharing that MP3 you recorded on yesterday's block party, go right ahead!

    • by TheCarp (96830)

      That is pretty much exactly why I don't use dropbox. I have enough ways to quickly share a few files, and this doesn't add much real convenience over others; for me anyway. I see why others may find it useful.

      The thing is, the only gaps I have that dropbox would fill, are gaps I wouldn't trust it to fill.

    • by Ash Vince (602485) * on Monday March 31, 2014 @07:26AM (#46619961) Journal

      This is news, in the sense that Dropbox now actively crawls your files (DMCA still went about for publicly listed files anyway).

      You obviously didn't bother to read the article.

      The truth is that they always scan every single file uploaded to make sure they do not already have a copy of that file stored on their network. If they do, they throw your copy in the bin and just add an extra link to that stored copy in your account. That keeps their data usage lower as it means they never store duplicate copies of the same file, even if they are uploaded by completely different people.

      So there is no crawling involved, this was done at the point of upload. They found that the same file had already been uploaded by someone else, shared, and that user got the shared copy of that file DMCA'd. Once a file has been DMCA'd in their system it seems it is blocked from being shared so only people who uploaded that file also get to download it.
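
Added example (not part of the comment above and not Dropbox's implementation): a toy Python model of the behaviour the comment describes, where uploads are deduplicated by content hash and a takedown recorded against one hash blocks share links for every account holding the same bytes while owners can still read their copy. The class, method names, sample bytes and the `storage.example` URL are all constructed for illustration.

```python
import hashlib


class DedupStore:
    """Toy content-addressed store: one stored blob per distinct SHA-256 digest."""

    def __init__(self):
        self.blobs = {}         # digest -> bytes, stored once
        self.accounts = {}      # user -> {filename: digest}
        self.takedowns = set()  # digests named in a takedown notice

    def upload(self, user: str, name: str, data: bytes) -> bool:
        """Store data; return True if identical content was already stored."""
        digest = hashlib.sha256(data).hexdigest()
        existed = digest in self.blobs
        self.blobs.setdefault(digest, data)  # keep the first copy only
        self.accounts.setdefault(user, {})[name] = digest
        return existed

    def takedown(self, user: str, name: str) -> None:
        """Record a takedown against the content behind one user's file."""
        self.takedowns.add(self.accounts[user][name])

    def read_own(self, user: str, name: str) -> bytes:
        """Owners keep access to their own copy, takedown or not."""
        return self.blobs[self.accounts[user][name]]

    def share_link(self, user: str, name: str):
        """Return a share URL, or None when the content hash is blocked."""
        digest = self.accounts[user][name]
        if digest in self.takedowns:
            return None
        return f"https://storage.example/s/{digest[:16]}"


if __name__ == "__main__":
    store = DedupStore()
    video = b"constructed video bytes"  # constructed sample content

    store.upload("alice", "clip.mp4", video)
    print("alice link before takedown:", store.share_link("alice", "clip.mp4"))
    store.takedown("alice", "clip.mp4")

    # Bob uploads the same bytes later under a different name.
    deduplicated = store.upload("bob", "holiday.mp4", video)
    print("bob's upload deduplicated:", deduplicated)
    print("bob share link:", store.share_link("bob", "holiday.mp4"))
    print("bob can still read:", store.read_own("bob", "holiday.mp4") == video)

    # Unrelated content is unaffected.
    store.upload("carol", "notes.txt", b"constructed unrelated bytes")
    print("carol share link:", store.share_link("carol", "notes.txt"))
```

The match is made on content alone, so the file name and the account play no part in the decision, and the check happens when a link is requested rather than through any later crawl of stored files.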

      • If this is what is going on in the background are they are using hashing to identify the files? What is the risk of a hash collision? Would this be a legitimate concern using the service?
        • by suutar (1860506)
          1. Yes.
          2. Negligible. (I calculated in another post that the odds of a hash collision for SHA-1 and a trillion files was about 1 in 2^79; I have since learned that they actually use SHA-256, so make that 1 in 2^175).
          3. If you think it's worth worrying about then it's a legitimate concern for you; I wouldn't worry about it.
  • by Anonymous Coward

    All that's required of users is to use an encryption mechanism, even weak, to encrypt said files prior to uploading.

    You could potentially even use an encryption key as weak as "password" because DropBox aren't going to be in the business of guessing encryption keys (won't have the CPU grunt) so anything is going to deceive them - potentially even just XOR. Or even use the file's name.

    The only downside will be that DropBox will be just that little bit harder to use without some sort of application to make enc

  • by Ash Vince (602485) * on Monday March 31, 2014 @07:20AM (#46619919) Journal

    This whole issue can be summarized as:

    1) User wants to ignore copyright law and share something they have no legal right to via a public service
    2) Public service being used has no idea how many people will want to access the shared resource but they do know it is copyrighted as they auto match everything uploaded so they can avoid keeping two separate copies of identical files and save storage space and had a DMCA take down request for that same file previously.
    3) Public service errs on the side of not getting their arse sued off by the various content owner conglomerates legal attack dogs and refuses to allow the file to be shared even though the person who uploaded it can still see it.

    All in all seems pretty reasonable. Until copyright law is changed (like that is ever going to happen) dropbox have to follow it to the letter. I suppose they could have avoided the whole thing by storing more data and then not doing the duplicate file scan thing but even that is no guarantee it would prevent them from being sued to oblivion.

    The only safe option for them that would also keep things private would be to use encryption keys that were only kept in the client. That way if you needed to share a particular folder you selected to store that under a different encryption key, and gave that key to other person / people who needed to access it.

    The big problem with this is that it then becomes more awkward to provide web access to the files. People are comfortable remembering a username and password, they are not so comfortable remembering a bunch of encryption keys. If you store the encryption keys on a server at your end anywhere then you can access the files so you therefore get the legal responsibility to make sure your system is not being used to flout copyright law. The only legal way to run this sort of service and not be liable for its misuse is to design it in such a way that you cannot see what is being stored at all.

  • by Anonymous Coward

    Publicly shared files that match known hashes are restricted, but not deleted, and any file can be shared to anyone privately without restriction, just not publicly to the world. Not much of a story. Read TFA.

  • The only thing I store in my dropbox folder is a truecrypt container file. Have at it.
    • Good for you, but you wouldn't have fallen foul of this issue anyway because you wouldn't be linking your files publicly.

  • This is what OwnCloud is made for.

    I know not everyone is able to set up their OwnCloud server. There are places that will host it and set it up for you.

    I am truly sorry that DMCA is slowly but surely choking the web. In the end it will go away. Kids that are 15 today, when they are 45 will not convict someone of piracy, they just won't see anything wrong, same thing for the judges and prosecutors. In the short term it could get a lot worse. If you don't have the skills to circumvent it all I can do is quote J

    • Re:OwnCloud (Score:5, Interesting)

      by heypete (60671) <pete@heypete.com> on Monday March 31, 2014 @08:07AM (#46620239) Homepage

      This is what OwnCloud is made for.

      I know not everyone is able to set up their OwnCloud server. There are places that will host it and set it up for you.

      OwnCloud is great, with one exception: the slightest change to a file necessitates an upload of the entire file. Dropbox does delta syncs using a modified version of rsync, so it only uploads changed portions of a file.

      For typical files and fast connections, the lack of delta sync is tolerable, but when you're dealing with large files or slower transfer speeds it's an issue: if you, for example, keep a large TrueCrypt container file in OwnCloud and make a change to a small file stored in the container, OwnCloud needs to reupload the entire container. Dropbox would just update the blocks that changed.

      Until OwnCloud implements some sort of delta sync functionality it is considerably less practical than Dropbox.

  • The image of the error message did not say who, or which corporation, had made the DMCA complaint. I thought that in order for something to be taken down under the DMCA the user had to be told who was complaining.

    In this case: the user admits that the file was something that he should not be sharing, but there have been cases where the DMCA is being used to prevent legal files - in a case like that the user must be told who is complaining so that they can challenge the DMCA complaint.

  • Well duh (Score:4, Informative)

    by DrXym (126579) on Monday March 31, 2014 @08:57AM (#46620681)
    Anyone who uploads copyright infringing content to a cloud server and entrusts it to the care of a company is an idiot. There are various ways that files could be scanned simply from looking at the filename or hash all the way through to analysis of the tag / contents / watermark.

    And DropBox is probably the most benign of mainstream cloud hosts. Google, Amazon, Apple and Microsoft all sell content and sign voluminous contracts for the sale of said content. It's not hard to imagine that they would or could be obliged to scan for infringing content and notify the content providers when they find any.

  • They're using hashes (Score:5, Informative)

    by Quila (201335) on Monday March 31, 2014 @08:59AM (#46620697)

    Change a character in the metadata fields, hash changes. If they're scanning the actual video portion of files, add a byte at the end. I don't think that would affect playback.

  • "Waaah, someone won't let us share another person's products I torrented for free! Now I have to find another free site to find stolen binaries! DropBox is the Man!"

  • Encrypt your data before putting it on Dropbox? You mean you weren't doing that already?

  • Password protected zip files in Dropbox. They can't scan them.
