Dropbox fends off open source file-sharing application

Dropbox deals with Dropship with polite requests, accidental DMCA

Dropbox is not getting much in the way of good news lately. First the company was caught out over changes to its terms of service (TOS), now the company is fending off a open source project called Dropship.

According to Dan DeFelippi, Dropbox is trying to deep-six Dropship. What's Dropship? It's an application, under the MIT license, that makes it possible to use Dropbox sort of like a file-sharing network. If you have a hash of a file that's stored in a public folder on Dropbox, anybody can copy the file into their own folder. So if you have, say, a couple of MP3s by Jukebox the Ghost, you could provide the hashes and suddenly Dropbox is automagically propagating the MP3s to a bunch of accounts.

It's not surprising that Dropbox wouldn't like this — or even take steps to break its functionality. What is surprising is that the company appears to be trying to get rid of the project altogether, to the point of sending fake DMCA notices to people. (*See update below) DeFelippi says that he received a DMCA notice from Dropbox for copying the file to his Dropbox account.

Dropbox bungled the ball there, but DeFelippi says that the company responded a bit more rationally after he sent Dropbox a copy of the license (MIT, which means the license says he can do what he pleases with the code itself) — and he received a follow-up from Dropbox CTO Arash Ferdowsi:

He requested that I not only remove the archive from Dropbox but delete my posts on Hacker News, which at that point included the fake DMCA takedown. He outlined his objections, that Dropship reveals their proprietary client-server protocol and that it could be used for piracy. He told me that the DMCA takedown was a mistake and reverted the lockdown on my public files.

The result? I followed up with DeFelippi by phone and he says that the company has been very polite, and he's complied with requests to remove the software from Dropbox hosting itself. Further, he says that Dropbox has only pursued removal from Dropbox itself and by contacting the original author of the software — he's not aware of any DMCA notices being sent to GitHub, etc. He also says that he's not aware of any legal threats made against those providing Dropship — just the implied threat that those who are hosting it on Dropbox could lose their Dropbox accounts.

In a follow-up on Hacker News, Drew Houston from Dropbox wrote:

When something like this gets called to our attention, we have to do something about it. Note that this isn't even by choice — if we don't take action, then we look like we are tacitly encouraging it. The point is not to censor or "kill" it (which is obviously impossible and would be idiotic for us to try to do), but we sent kindly worded emails to the author and other people who posted it to take it down for the good of the community so that we don't encourage an army of pirates to flock to Dropbox, and they voluntarily did so.

There were no legal threats or any other shenanigans to the author or people hosting — we just want to spend all our time building a great product and not on cat-and-mouse games with people who try to turn dropbox into an illegal file sharing service against our wishes. (For what it's worth, dropship doesn't even work anymore — we've fixed the deduplication behavior serverside to prevent "injection" of files you don't actually have, for a variety of reasons.)

That said, when we disabled public sharing of that file by hash, it auto-generated an email saying we had received a DMCA takedown notice to the OP, which was incorrect and not what we intended to do, so I apologize to Dan that this happened.

There are a few problems with this response. First, while Dropbox is within its rights to set terms of service, the presumption of guilt in the application is a bit unfortunate. Dropship could be used for illicit sharing — or it could be used to share Linux ISOs or public domain works. (Don't scoff, it does happen...)

Secondly, and more importantly, DMCA notices are not supposed to be auto-generated. The company ought to be a lot more careful with that type of response.

Dropbox has hit a point where it's going to receive a lot more unwanted attention — from hackers, third-party open source folks who want to extend the service, and from law enforcement. How the company responds is going to be important. So far I'd give them a mixed scorecard. The company is being a little too quick to err on the side of caution — which makes me wonder about how the company will respond when the entertainment companies come knocking looking for file sharing information of other sorts.

Update: Dropbox has pointed out that it was actually a erroneous notice of a DMCA takedown, rather than a takedown request. (Meaning that the system generated a notice of a takedown, but Dropbox did not send a request for a takedown.) That's a significant difference, so I owe Dropbox an apology for getting it wrong there. (Sorry, Dropbox.)

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2011 IDG Communications, Inc.

SD-WAN buyers guide: Key questions to ask vendors (and yourself)