The No Pie Rule for Dropbox Services
This post on Google Drive’s Terms of Service caused a bit of a stir yesterday, as well as some thoughtful replies. The best reply (in my mind) came from tiffanyb. I’ve quoted her response below because it was that good:
These two quotes actually say the same thing. It’s just that the part where Dropbox enumerates what rights they need to provide the service is cut out of the quote, and included in Google’s.
In order to operate a service in which your files are hosted remotely in order for you to gain access to them from anywhere in the world, the company providing the service actually DOES have to do things that are legally considered creating derivative works, public performance, reproduction, etc.
For example, you can’t run a redundant, always-availabe service like Dropbox without copying the files uploaded to it across multiple redundant servers, to say nothing of backups. Making it available via the Internet? That’s public performance. Compressing/optimizing the bits you upload to make them faster to deliver? Legally, that’s a derivative work.
The real, substantial difference is that since Google runs a whole raft of services, what’s covered under the umbrella of “for the purpose of providing the services” is a lot broader than it is with Dropbox, which really only does one thing.
Dropbox-like services can be extremely useful for educators, Google Drive included. It’s hard to explain to non-users just how awesome it is to have something automatically synced between all your computers and mobile devices, while still being available anywhere via the web. The ability to share those documents and folders makes these services even better. You have plenty of compelling options out there. But I want to stress one rule we use in my department:
Always follow The No Pie Rule
The No Pie Rule is actually spelled “No PII,” which stands for “No Personal Identifying Information.”The reason my team can’t use a service like Dropbox for more advanced document sharing is their inadequate encryption setup.
It’s complicated, but the gist is that if your data is kept in a metaphorical locked box (cue Al Gore), ideally you should be the only one with the key. Instead, Dropbox keeps the only copy of your key. This means if someone steals the key from Dropbox, they have access to all your data (another explanation here). That’s not good if you have anything in there that’s FERPA sensitive, for example.
Dropbox has been hacked in the past (both Dropbox and Facebook had a recent security issue with iOS and Anroid devices). So have other, similar services. The problem is that some users store sensitive and inappropriate material in their synced folders. In general, avoid:
- Anything that would lead to a FERPA violation
- Anything that HR would freak out about
- Anything that could lead to your identity being stolen (this includes copies of tax forms, receipts for online purchases, and even monthly budgets; yes, people have put these things in Dropbox)
In other words: If you’re using a Dropbox service, No Pie!
