Dropbox recently published a blog post outlining some of the changes to its terms and conditions, which include its Terms of Service, Privacy Policy and Business Agreement:

We’ve made a lot of changes to Dropbox since we last updated our Terms of Service, Privacy Policy, and online Dropbox for Business Agreements. So today, we’re starting to email users to let you know about some updates to these policies. The updates will be effective on March 24, 2014.

There are no big surprises, for the most part. The most significant change to the Terms of Service and Privacy Policy is probably how the documents are worded. The language is streamlined and easier to understand, and the documents are structured to make more sense to non-lawyers. The revised terms introduce a more informal dispute resolution mechanism along with an arbitration process. You will have about a month from 24th March to opt out of the arbitration process using an online form (if you do this, you basically revert to court as your dispute resolution mechanism).

Dropbox also made a point of dealing with government requests for data in its Government Data Request Principles which guide its responses to these requests:

  • Be transparent
  • Fight blanket requests
  • Protect all users
  • Provide trusted services

Trust has been essential since Snowden changed our understanding of how governments monitor us and Dropbox’s updates are clearly designed to alleviate our concerns about storing data with Dropbox. That said, the new terms and conditions don’t change the fact that Dropbox may decrypt your data if required to do so. Its Security Overview includes this reminder in the context of legal compliance and law enforcement:

As set forth in our privacy policy, and in compliance with United States law, Dropbox cooperates with United States law enforcement when it receives valid legal process, which may require Dropbox to provide the contents of your private Dropbox. In these cases, Dropbox will remove Dropbox’s encryption from the files before providing them to law enforcement.

Of course, you could address this by adding your own encryption locally, which would, in turn, affect the service’s usability. It is a trade-off you may be comfortable with, though.

Dropbox’s updates also deal with its Dropbox for Business service, and the Terms of Service have a small section dealing with this (the core terms and conditions governing Dropbox’s business offering are in its Business Agreement which, unlike the consumer-facing Terms of Service and Privacy Policy, looks and reads more like a legal document):

Dropbox for Business

Email address. If you sign up for a Dropbox account with an email address provisioned by your employer, your employer may be able to block your use of Dropbox until you transition to a Dropbox for Business account or you associate your Dropbox account with a personal email address.

Using Dropbox for Business. If you join a Dropbox for Business account, you must use it in compliance with your employer’s terms and policies. Please note that Dropbox for Business accounts are subject to your employer’s control. Your administrators may be able to access, disclose, restrict, or remove information in or from your Dropbox for Business account. They may also be able to restrict or terminate your access to a Dropbox for Business account. If you convert an existing Dropbox account into a Dropbox for Business account, your administrators may prevent you from later disassociating your account from the Dropbox for Business account.

This section is new to the Terms of Service. What may concern users who use their work email addresses as their Dropbox usernames is that access to their Dropbox accounts can be limited if their employers start using Dropbox for Business and provision work email addresses as usernames for the business service. In particular, you may find your account blocked until you transition it to a Dropbox for Business account or associate it with a personal email address.

Many people use business email addresses for personal email and as their usernames for their social services. This is a really bad idea, largely because you don’t have much control over those accounts and, because they are business email accounts, your employer can usually access your emails. If your employer has access to your emails and your email account is the primary email address associated with your Facebook, Twitter or other profiles, your employer potentially has access to those profiles too. Because your employer would have direct control over your Dropbox account, it wouldn’t even need to decrypt your data if a government were seeking access to it.

Dropbox’s reminder about the consequences of associating a personal Dropbox account with a business email address highlights another reason you should associate your personal accounts and communications with personal email addresses you have meaningful control over and access to. Of course, if you are using Mailbox to manage your email, your email may be stored on Dropbox too and this only expands your potential exposure to scrutiny.

On the whole, Dropbox is a pretty secure service. It uses pretty strong encryption and other security measures, but these can be circumvented by law enforcement bodies and, if you happen to use a business email address as your Dropbox username, possibly even your employer. Perhaps the big lesson to take from the Dropbox terms and conditions is not whether you should trust Dropbox but whether you are taking enough care to protect your data.