Dropbox Tries To Kill Off Open Source Project With DMCA Takedown

from the copyright-as-censorship dept

Teck points us to the troubling news of Dropbox seeking to kill off an open source project through questionable means, involving DMCA notices. As you may have heard, Dropbox got into a bit of a security/privacy kerfuffle lately after some researchers questioned the news that it uses a hash function to deduplicate files on its servers. If you don't know, Dropbox is a cloud storage system that's pretty useful. However, one of the ways it attempted to save some costs was that if you sought to upload a file that was identical to a file on someone else's shared server, it wouldn't actually "upload" your file, but just point you to the single file. There were clear security and privacy questions about this.

Of course, some noted that it could also represent an "opportunity" of sorts, and out of that came a project called Dropship -- which used a little hack to use this deduping tech to make Dropbox think you were trying to upload specific content that you might not actually have, and then the actual file (if already stored in someone else's Dropbox) would automatically appear in yours as well. Obviously, one key use of such a technology would be to make unauthorized copies of music and movies. Dropbox, for obvious reasons, didn't like that aspect, but its response to this was pretty troubling: it focused on censoring information about Dropship.

Dropbox's CTO and cofounder, Arash Ferdowsi, did not like Dropship. His reaction was swift. According to the project’s creator, Wladimir van der Laan, Ferdowsi contacted him soon after and requested "in a really civil way" that he take the project off of github. van der Laan complied.

Others quickly mirrored the project (some in their own Dropboxes) and Dropbox contacted all of them in that same "civil way," asking each to remove the content... but in at least one case, with Dan DeFelippi, they sent a DMCA takedown, despite not being the legitimate copyright holder (a violation of the DMCA process). When confronted on this, Dropbox backed down and claimed that the DMCA notice (and subsequent limits on the guy's account) were really a mistake, but, along with admitting that, Dropbox was still asking the guy to remove all info about Dropship:

Soon after Ferdowsi contacted me directly, sending what I now assume is the same “really civil” request he sent to others. He requested that I not only remove the archive from Dropbox but delete my posts on Hacker News, which at that point included the fake DMCA takedown. He outlined his objections, that Dropship reveals their proprietary client-server protocol and that it could be used for piracy. He told me that the DMCA takedown was a mistake and reverted the lockdown on my public files.

First of all, attempting to protect a proprietary protocol is going to get them nowhere. His argument implied security by obscurity. Security by obscurity falls completely flat on its face in this case since their client can be analyzed by anyone with the proper skills and could be deciphered again.

Second, dealing with piracy is the responsibility of Dropbox. It’s not the problem of an innocent hacker who wrote some useful code that could benefit legitimate users and advocates the use of his software for “sharing photos, videos, public datasets, git-like source control, or even as building block for wiki-like distributed databases.”

While it's good that Dropbox has been mostly civil on this, resorting to a DMCA takedown, even as a mistake, is problematic. Of course, you can't totally blame Dropbox here. As we've seen, copyright maximalists in industry and in government seem quite eager to blame tech companies if their tech might possibly be used for unauthorized access. While the law is almost certainly on Dropbox's side that it has no liability for Dropship, that wouldn't necessarily prevent them from getting hit with an annoying lawsuit. It's really an unfortunate sign of the copyright times.

Of course, the end result is also likely to be exactly the opposite of what those maximalists hope. While DeFelippi notes that Dropbox has been successful in getting many of these mirrors taken down, some are still up (including his) and the whole attempt to censor the project is only going to call that much more attention to it in the long run. I think there's a name for that phenomenon...

Filed Under: copyright, dmca, dropbox, dropship
Companies: dropbox

Reader Comments

  1. aldestrawk, 27 Apr 2011 @ 10:01am

    Re: Re: Re: Re: Re: Re:

    AC has made a couple of valid points but doesn't do the analysis needed to find out if there is a real security vulnerability in the Dropbox context.

    1). if the [SHA-2] hash of a file is known, that encryption on that file can be bypassed by anyone via Dropship. You have to be careful now, to not inadvertently publish the hash of any file you want to keep private. Why would anyone publish such a hash value? One answer is: to authenticate the file. This assumes you don't encrypt the hash itself and you don't use the hash as part of a MAC (Message Authentication Code). Such uses are real and Dropbox needs to address this. One way they could do it is to add a salt and make all their SHA-2 hashes unique to Dropbox.
    If the file is a publicly known file to begin with, then the ability to decrypt it doesn't matter. It does allow someone to infer the existence of a particular file on Dropbox's server and possibly use that information to initiate legal action (e.g. a subpoena) to find out the owner(s) identity.

    2). Dropbox is offering security to a large multitude of cloud users. They tout their usage of AES(256) to show the files are strongly protected. A user's assumption now is that even governments with fantastic resources (e.g. NSA) cannot defeat this security. AC's point is valid, Dropbox's security must take into account the possibility of attackers armed with great resources.
    What AC didn't do was the analysis needed to find out if such an attack could be successful given Dropbox's real level of security (see my post below). Dropbox's real level of security does not correspond to a level of effort of 2^255. With their deduplicating/hash scheme it is actually:
    2^99 / (total number of deduplicated files within Dropbox)
    However, it is still outside of NSA's ability to bypass encryption on even a random file. It would probably be much easier to brute force account passwords.
    The weakest part of their security is that Dropbox knows the keys used to encrypt all their files. This allows the government to access any particular file through legal means (always justified and completely ethical of course).
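
Added example, not part of aldestrawk's comment and not Dropbox's code: a toy in-memory model of point 1 above, in which a checksum published for integrity checking also works as an access token when the deduplication index is keyed by the plain SHA-256, and stops matching once the identifier is salted as the comment suggests. `DedupStore`, `SERVICE_SALT`, the account names and the sample file are constructed for illustration; the real client-server protocol is not shown on this page.

```python
import hashlib

# Assumption: a service-wide salt, standing in for "make all their SHA-2
# hashes unique to Dropbox". The value is constructed for this example.
SERVICE_SALT = b"constructed-example-salt"

def plain_id(data: bytes) -> str:
    """Content identifier equal to the ordinary SHA-256 of the file."""
    return hashlib.sha256(data).hexdigest()

def salted_id(data: bytes) -> str:
    """Content identifier that differs from any checksum published elsewhere."""
    return hashlib.sha256(SERVICE_SALT + data).hexdigest()

class DedupStore:
    """Toy deduplicating store: one stored copy per content identifier."""

    def __init__(self, id_func):
        self.id_func = id_func
        self.blobs = {}      # content id -> file bytes
        self.accounts = {}   # account -> {file name: content id}

    def upload(self, account, name, data):
        cid = self.id_func(data)
        self.blobs.setdefault(cid, data)          # store only the first copy
        self.accounts.setdefault(account, {})[name] = cid
        return cid

    def claim_by_id(self, account, name, cid):
        """Dedup shortcut: link an existing blob when the presented id is known.
        The weakness modelled here is that the id alone is treated as proof
        that the caller holds the file."""
        if cid not in self.blobs:
            return False
        self.accounts.setdefault(account, {})[name] = cid
        return True

    def download(self, account, name):
        return self.blobs[self.accounts[account][name]]

def published_checksum_grants_access(store: DedupStore) -> bool:
    """True if a SHA-256 checksum published for file authentication is enough
    for a second account to obtain the owner's private file."""
    private = b"constructed sample: private notes, never shared\n"
    store.upload("owner", "notes.txt", private)
    checksum = hashlib.sha256(private).hexdigest()  # published for integrity
    linked = store.claim_by_id("other", "copy.txt", checksum)
    return linked and store.download("other", "copy.txt") == private
```
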
