One of the things that’s really starting to frustrate me is the animosity I’m seeing towards Google Drive, especially from folks who are ardent Microsoft supporters. The biggest statement is usually, “lawyers should never use Google for their data.”
Now, I’m not saying that Google Drive is perfect, and I certainly had reservations, but I finally sat down and thoroughly reviewed the terms of service for many of the popular online storage systems. This post is a summary of what I found (as of the date of publication). Note: I’m not referencing particular clauses of the terms of service agreements. I figure that if I provide the summary, you can find the particulars — Ctrl + F is a great function.
Here are the systems I looked at: Dropbox, Google Apps, Office Online/Office 365, Bitcasa, and SpiderOak. And these are the questions I asked about the service:
- Does the service allow users to keep their own content?
- Does the service allow the users to share content with others?
- Does the service have an acceptable use policy?
- Does the service have a dispute resolution requirement?
- Whose state laws control disputes?
- Does the service store its data in the United States?
- Does the service store its data outside of the United States?
- Does the service have a statement on the use of users’ confidential data?
- Will the service notify its customers if it’s requested to disclose personal data?
- Does the service use two-factor authentication?
I looked at each system’s terms of service pages to determine whether each one had a definitive statement on the question presented. If I could “easily” find the statement or information, I gave the service a “yes.” Similarly, when I couldn’t find anything, I counted that as a “no.” Obviously, my method isn’t scientific by any means — especially since I spent maybe a total of 1 hour reading all of the terms pages — but I think I grasped enough of the concepts and issues.
This post will discuss the terms of service (and privacy policies where applicable) of Bitcasa, Dropbox, and SpiderOak (in alphabetical order). Part 2 will look at Google Apps and Microsoft Office 365.
Bitcasa is a relatively new online storage service that offers unlimited storage space for one price; you can see my review here. I like Bitcasa because the program offers encryption from start to finish. Thus, many of the concerns about open access to anyone disappear quickly. Third parties cannot see the encrypted data.
Bitcasa disclaims any rights to its users’ data:
You . . . retain full ownership to your digital belongings. We don’t claim any ownership to any of it. These Terms do not grant us any ownership rights to your digital belongings or intellectual property except for the limited rights that are needed to run the Services, as explained below.
If I had one complaint about Bitcasa, it’s that it’s sort of limited on the number of “share with” apps currently available. Many Android apps don’t integrate well with Bitcasa, thus making it a great place to store information, but sort of useless when accessing. Incidentally, I store almost everything in the unlimited Bitcasa cloud.
If you’re wondering, Bitcasa does not require arbitration, but all disputes are resolved in California.
Dropbox’s newest terms of service update goes into effect on March 14, 2014. The biggest change in the update is the addition of a mandatory arbitration clause.
Dropbox allows its users to share their data (obviously), and has an explicit statement on whether users can keep their own data:
Your Stuff is yours. These Terms don’t give us any rights to Your Stuff except for the limited rights that enable us to offer the Services.
Dropbox also has a very strong statement on how it shares your data with others:
Law & Order. We may disclose your information to third parties if we determine that such disclosure is reasonably necessary to (a) comply with the law; (b) protect any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or our users; or (d) protect Dropbox’s property rights.
That said, according to its “Government Data Request Principles,” Dropbox will “resist [any] requests directed to large groups of people or that seek information unrelated to a specific investigation.” I couldn’t find where Dropbox states it’ll notify its users of the government’s request.
Dropbox doesn’t definitively disclose where its data centers store your data. Some folks have issues with the location of their data, particularly citing that a data center in Paris or Moscow would have less protection than a center located in the United States. Of course, those concerns are valid, though I believe that most providers will store information in a data center nearest to the user’s home address. I’d love to see a distinct statement on storage location, but I doubt any service will fully disclose that information.
Two-factor authentication is the newest “must have” security measure, especially for online storage sites. Two-factor authentication involves using two different methods for verifying an identity, usually a password plus an email or text message. If you haven’t enabled two-factor authentication for your Dropbox account, do it now.
Dropbox’s most concerning change, as I mentioned, is the inclusion of a mandatory arbitration clause and waiver of class action status. I’m sure this is in response to mass data breaches, though I’m not sure it’s really that big of a deal (except for class action lawyers). The terms of service require arbitration in California, under California’s laws.
Overall, I feel pretty strongly about continuing to recommend Dropbox for cloud storage, though I have concerns as to what protections Dropbox will offer when presented with a request for disclosure of an individual’s information.
The SpiderOak system isn’t really on my radar since I’m already using 3 cloud storage systems — Dropbox, Bitcasa, and Google Apps — and I’m not interested in testing a fourth. But, since many attorneys seem to recommend SpiderOak, I decided to test its terms.
First, SpiderOak was the only cloud site that didn’t have some statement affirming that “your data is your data.” And if it’s there, I couldn’t find the statement in plain words. I’m very cautious at this point since my data might be in ownership limbo. Truthfully though, I think SpiderOak has very little desire to own your data; it just doesn’t want to say as much.
Fortunately, SpiderOak earns a very solid positive remark, since it’s one of the few services to state that it “notif[ies] a user of a request for their personal data stored on our servers prior to disclosure unless prohibited from doing so by statute or court order [e.g. U.S.C. § 2705(b)].” That’s an important step to protecting private data in the cloud.
SpiderOak also has limited two-factor authentication, and encrypts your data. Thus, SpiderOak is protecting data from disclosure to third parties. Their security statement sums things up well:
We employ procedural and technological security measures that are reasonably designed to help protect your Personally-Identifiable Data from loss, unauthorized access, disclosure, alteration or destruction, which includes encryption, password protection, and other security measures to help prevent unauthorized access to your Personally-Identifiable Data. The data that you transmit as part of your use of the Services (“Storage Data”) is in encrypted form and SpiderOak does not have access to your Storage Data in its unencrypted form.
I really wish more cloud providers employed all around encryption for their services.
SpiderOak’s terms are missing any statement as to data storage, whether it’s inside the US or outside. The terms also require mandatory arbitration in Illinois. I’m not sure I’d like Chicago in January.
Overall, I’m pleased with SpiderOak’s terms, and although they could be stronger in a few areas, I think the encryption helps to alleviate some concerns. If you’re interested in SpiderOak, there’s also an Android app.
And the winner is . . .
There are no winners or losers in this game, only opportunities to improve. I’m very happy with the way Bitcasa and SpiderOak handle data, and especially the fact that SpiderOak is going to warn you when some three-letter agency (or third-party) requests your data. I think that’s only fair.
In part 2, we’re examining the two big dogs, Google and Microsoft.