Comparing Terms of Service: Part 1 – Bitcasa, Dropbox, and SpiderOak

One of the things that’s really starting to frustrate me is the animosity I’m seeing towards Google Drive, especially from folks who are ardent Microsoft supporters. The biggest statement is usually, “lawyers should never use Google for their data.”

Now, I’m not saying that Google Drive is perfect, and I certainly had reservations, but I finally sat down and thoroughly reviewed the terms of service for many of the popular online storage systems. This post is a summary of what I found (as of the date of publication). Note: I’m not referencing particular clauses of the terms of service agreements. I figure that if I provide the summary, you can find the particulars — Ctrl + F is a great function.

Here are the systems I looked at: Dropbox, Google Apps, Office Online/Office 365, Bitcasa, and SpiderOak. And these are the questions I asked about the service:

  • Does the service allow users to keep their own content?
  • Does the service allow the users to share content with others?
  • Does the service have an acceptable use policy?
  • Does the service have a dispute resolution requirement?
  • Whose state laws control disputes?
  • Does the service store its data in the United States?
  • Does the service store its data outside of the United States?
  • Does the service have a statement on the use of users’ confidential data?
  • Will the service notify its customers if it’s requested to disclose personal data?
  • Does the service use two-factor authentication?

I looked at each system’s terms of service pages to determine whether each one had a definitive statement on the question presented. If I could “easily” find the statement or information, I gave the service a “yes.” Similarly, when I couldn’t find anything, I counted that as a “no.” Obviously, my method isn’t scientific by any means — especially since I spent maybe a total of 1 hour reading all of the terms pages — but I think I grasped enough of the concepts and issues.

This post will discuss the terms of service (and privacy policies where applicable) of Bitcasa, Dropbox, and SpiderOak (in alphabetical order). Part 2 will look at Google Apps and Microsoft Office 365.

Cloud Terms of Service

Bitcasa

Bitcasa is a relatively new online storage service that offers unlimited storage space for one price; you can see my review here. I like Bitcasa because the program offers encryption from start to finish. Thus, many of the concerns about open access to anyone disappear quickly. Third parties cannot see the encrypted data.

Bitcasa disclaims any rights to its users’ data:

You . . . retain full ownership to your digital belongings. We don’t claim any ownership to any of it. These Terms do not grant us any ownership rights to your digital belongings or intellectual property except for the limited rights that are needed to run the Services, as explained below.

Unfortunately, Bitcasa’s terms of service and privacy policy don’t unequivocally state how it handles third-party requests:

Compliance with Laws and Safety. We may also share your information to (i) comply with laws or to respond to lawful requests and legal process, (ii) to protect the rights and property of Bitcasa our agents, customers, and others including to enforce our agreements, policies, and terms of use or (iii) in an emergency to protect the personal safety of its customers or any person.

Ultimately, that’s not too much of a concern, since the 256-bit AES encryption ensures that the data is unreadable. I wish the privacy policy and terms unambiguously stated that Bitcasa would notify its users of any third-party requests, or something similar to Google’s statement.

If I had one complaint about Bitcasa, it’s that it’s sort of limited on the number of “share with” apps currently available. Many Android apps don’t integrate well with Bitcasa, thus making it a great place to store information, but sort of useless when accessing. Incidentally, I store almost everything in the unlimited Bitcasa cloud.

If you’re wondering, Bitcasa does not require arbitration, but all disputes are resolved in California.

Dropbox

Dropbox’s newest terms of service update goes into effect on March 14, 2014. The biggest change in the update is the addition of a mandatory arbitration clause.

Dropbox allows its users to share their data (obviously), and has an explicit statement on whether users can keep their own data:

Your Stuff is yours. These Terms don’t give us any rights to Your Stuff except for the limited rights that enable us to offer the Services.

Dropbox also has a very strong statement on how it shares your data with others:

To be clear, aside from the rare exceptions we identify in our Privacy Policy, no matter how the Services change, we won’t share your content with others, including law enforcement, for any purpose unless you direct us to. How we collect and use your information generally is also explained in our Privacy Policy.

That’s certainly a pleasingly strong statement on protecting its users’ private data, especially in light of new NSA spying revelations. Unfortunately, that statement comes from the old terms. Dropbox’s newest terms and privacy policy are much more vague about its willingness to share data:

Law & Order. We may disclose your information to third parties if we determine that such disclosure is reasonably necessary to (a) comply with the law; (b) protect any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or our users; or (d) protect Dropbox’s property rights.

That said, according to its “Government Data Request Principles,” Dropbox will “resist [any] requests directed to large groups of people or that seek information unrelated to a specific investigation.” I couldn’t find where Dropbox states it’ll notify its users of the government’s request.

Dropbox doesn’t definitively disclose where its data centers store your data. Some folks have issues with the location of their data, particularly citing that a data center in Paris or Moscow would have less protection than a center located in the United States. Of course, those concerns are valid, though I believe that most providers will store information in a data center nearest to the user’s home address. I’d love to see a distinct statement on storage location, but I doubt any service will fully disclose that information.

Two-factor authentication is the newest “must have” security measure, especially for online storage sites. Two-factor authentication involves using two different methods for verifying an identity; usually it’s a password plus an email or text message. If you haven’t enabled two-factor authentication for your Dropbox account, do it now.

Dropbox’s most concerning change, as I mentioned, is the inclusion of a mandatory arbitration clause and waiver of class action status. I’m sure this is in response to mass data breaches, though I’m not sure it’s really that big of a deal (except for class action lawyers). The terms of service require arbitration in California, under California’s laws.

Overall, I feel pretty strongly about continuing to recommend Dropbox for cloud storage, though I have concerns as to what protections Dropbox will offer when presented with a request for disclosure of an individual’s information.

SpiderOak

The SpiderOak system isn’t really on my radar since I’m already using 3 cloud storage systems — Dropbox, Bitcasa, and Google Apps — and I’m not interested in testing a fourth. But, since many attorneys seem to recommend SpiderOak, I decided to test its terms.

First, SpiderOak was the only cloud site that didn’t have some statement affirming that “your data is your data.” And if it’s there, I couldn’t find the statement in plain words. I’m very cautious at this point since my data might be in ownership limbo. Truthfully though, I think SpiderOak has very little desire to own your data; it just doesn’t want to say as much.

Fortunately, SpiderOak earns a very solid positive remark, since it’s one of the few services to state that it “notif[ies] a user of a request for their personal data stored on our servers prior to disclosure unless prohibited from doing so by statute or court order [e.g. U.S.C. § 2705(b)].” That’s an important step to protecting private data in the cloud.

SpiderOak also has limited two-factor authentication, and encrypts your data. Thus, SpiderOak is protecting data from disclosure to third parties. Their security statement sums things up well:

We employ procedural and technological security measures that are reasonably designed to help protect your Personally-Identifiable Data from loss, unauthorized access, disclosure, alteration or destruction, which includes encryption, password protection, and other security measures to help prevent unauthorized access to your Personally-Identifiable Data. The data that you transmit as part of your use of the Services (“Storage Data”) is in encrypted form and SpiderOak does not have access to your Storage Data in its unencrypted form.

I really wish more cloud providers employed all-around encryption for their services.

SpiderOak’s terms are missing any statement as to data storage, whether it’s inside the US or outside. The terms also require mandatory arbitration in Illinois. I’m not sure I’d like Chicago in January.

Overall, I’m pleased with SpiderOak’s terms, and although they could be stronger in a few areas, I think the encryption helps to alleviate some concerns. If you’re interested in SpiderOak, there’s also an Android app.

And the winner is . . .

There are no winners or losers in this game, only opportunities to improve. I’m very happy with the way Bitcasa and SpiderOak handle data, and especially the fact that SpiderOak is going to warn you when some three-letter agency (or third party) requests your data. I think that’s only fair.

In part 2, we’re examining the two big dogs, Google and Microsoft.

2 Responses to Comparing Terms of Service: Part 1 – Bitcasa, Dropbox, and SpiderOak

  1. The perception that the NSA needs access to the datacenter in order to spy on you is a bit archaic.
    One should assume that as long as his data lived at any point in time unencrypted, on any device connected to the net – IT IS compromised.
    Disconnect, encrypt, connect and hope for the best (as they probably have flappy bird reading your data while you were disconnected and it will send the data to them later on).

    I prefer co-sharing businesses simply as most of the above are too small on the free tier to store all my stuff, and Bitcasa became expensive for unlimited as of last November.

  2. I am a firm believer that Google is a far bigger threat to privacy than the NSA will ever be, simply because it actively stores and mines everything. While current management might be restrained in its use of this information, it is a publicly traded company, and we humans are not immortal. I’m ambivalent about storing my writing in the cloud; my needs are more for backing up what I create than sharing.

    Microsoft has always taken the brunt of anti-trust actions, deserved or otherwise. They aren’t perfect, and they can be quite paternalistic in their approach, but Google manages to fly under that radar. They shouldn’t.

Jeff Taylor

I’m just an ordinary guy living an extraordinary life. I’m also an attorney and I blog about Android for lawyers. You can follow me on Twitter, LinkedIn, YouTube, or Google+.