Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
Changes to our policies (dropbox.com)
78 points by duck on July 1, 2011 | hide | past | favorite | 19 comments


Nice writing. Nailed the right tone and level of detail. Feels like it came from humans.


I've wished for change overviews like this. Paypal policy changes in particular - when they send an email simply to say that their 10 page policy document has changed, that isn't helpful.


Law requires changes to policy to be notified, but doesn't require diffs.

Diffs would be very nice, as would some way of tracking those changes over time.

Opportunity for useful service?


The EFF diffs some, e.g. http://www.tosback.org/diff.php?vid=1736. That one actually suggests an improvement: You have to strain your eyes to find the difference. In other pairs, the differences stand out better.


>Feels like it came from humans.

Agreed. This is a hard thing to get right, especially with these kind of 'inhuman' legal/procedural issues.


"1.) Encryption keys" .. "would either be impossible or would be much more cumbersome for users without this capability."

Then make it optional and disable these services for people opt-in for managing their own private keys.


I agree. At least on the Mac client, there's already an "Advanced" preference pane. Why not create an option there for the user to manage their own encryption key, and possibly what folders it applies to? (For example, they could exempt shared and public folders but encrypt everything else.)


You type a key in some proprietary software. Anything beyond that is only based on trusting the software.


Then open source the crypto portion. Problem solved.


You still have to trust them that they do not transmit your keys elsewhere and that they really do use the same crypto code thy open-sourced.

I am not saying that you can't trust Dropbox. Quite on the contrary. But if you give your key to some unknown entity, you have to trust them. You can choose to trust their claims about what they do with it, but there is ultimately no guarantee.


Beauty of asymmetric crypto, you don't have to trust them as soon as you can trust the client software (that it doesn't do something nasty with your private key/pass). And having an open source client can actually provide that trust.


Or you can use other products if you don't like their decisions.


Or complain enough such that you, and all your friends, stop using the service. It's an even more effective way to convince the company to change.


I'm already doing that.


Indeed, encrypting something that's already encrypted isn't a bad thing


"We want to be clear about how we collect and use that data, so we’ve explained it in our privacy policy. For example, we collect information such as your country, operating system and the hardware ID from your device. This data allows us to optimize your experience for your device and language."

I was thinking they'd have examples like the above in their Privacy Policy... but I was wrong. If they want to be crystal clear, I think they need to be more specific rather than Analytics, Geo-Location Info, and Personal Info are stored.

"For example" to me seems like just the tip of the iceberg, and the three bullet points seem fairly basic.


Perhaps they can have ellipses (...) that, when moused over, describe in legal detail everything they collect, so those of us who care for the details can read more into it. But I applaud them for trying to keep it readable and short.

The tradeoff is hard to make, but at least for me, it was a right balance.


Here's my privacy policy: http://www.geetasks.com/remote

What do you think?


They've updated the blog post to clarify some stuff.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: