Do you know SkyDrive's terms of service?
Cloud storage is becoming ever more popular. Thanks to the rise of Dropbox, both Google and Microsoft felt the time was right to launch their own solutions, which also include tools to edit files as well as just storing them. While cloud storage gives us the ability to access our files anywhere, and instantly share them with anyone in the world, it comes at a cost - and not just a financial cost.
Obviously, the issue of SkyDrive terms of service is of interest to Windows Phone 7 users, but even Symbian users should be concerned. Nokia and Microsoft are releasing more applications that work with the cloud storage service, in the hope of encouraging customers to migrate over. While the terms of service are similar to what you'll find for Dropbox and Google Drive, there are signs that Microsoft is implementing those terms in a much more proactive way.
Several stories have recently appeared on the Web about the details of Microsoft's terms of service for SkyDrive, and how it is proactively implementing those terms. Corporate terms of service are infamously overlooked by most users, which is understandable, as most people just don't have time to read these overly long and complex legal documents. However, if you are entrusting confidential data with any company, it is worth taking the time to know what you're dealing with.
Here's a copy of the section on prohibited content from the SkyDrive terms of service:
You will not upload, post, transmit, transfer, distribute or facilitate distribution of any content (including text, images, sound, video, data, information or software) or otherwise use the service in a way that:
- depicts nudity of any sort including full or partial human nudity or nudity in non-human forms such as cartoons, fantasy art or manga.
- incites, advocates, or expresses pornography, obscenity, vulgarity, profanity, hatred, bigotry, racism, or gratuitous violence.
- misrepresents the source of anything you post or upload, including impersonation of another individual or entity.
- provides or creates links to external sites that violate this Code of Conduct.
- includes content that is protected by intellectual property laws, rights of privacy or publicity, or any other applicable law unless you own or control the rights thereto or have received all necessary consents.
- is intended to harm or exploit minors in any way.
- is designed to solicit, or collect personally identifiable information of any minor (anyone under 18 years old), including, but not limited to: name, email address, home address, phone number, or the name of their school.
- invades anyone’s privacy by attempting to harvest, collect, store, or publish private or personally identifiable information, such as passwords, account information, credit card numbers, addresses, or other contact information without their knowledge and willing consent.
- is illegal or violates any applicable local and national laws; including but not limited to child pornography, bestiality, incest, illegal drugs, software piracy, and harassment.
- threatens, stalks, defames, defrauds, degrades, victimizes or intimidates an individual or group of individuals for any reason; including on the basis of age, gender, disability, ethnicity, sexual orientation, race or religion; or incites or encourages anyone else to do so.
- harms or disrupts, or intends to harm or disrupt, another user’s computer or would allow you or others to illegally access software or bypass security on Web sites, or servers, including but not limited to spamming.
- attempts to impersonate a Microsoft employee, agent, manager, host, administrator, moderator, another user or any other person through any means.
- promotes or otherwise facilitates the purchase and sale of ammunition or firearms.
- contains or could be considered ‘junk mail’, ‘spam’, ‘chain letters’, ‘pyramid schemes’, ‘affiliate marketing’ or unsolicited commercial advertisement.
- mischaracterizes content you post or upload or contains the same or similar content to other content you have already posted.
- attempts to manipulate the services, including ranking and reputation systems in the services, by violating any of the provisions of this Code of Conduct, colluding with others on voting or using multiple profiles.
- offers to make international money transfers for amounts exceeding the asking price of an item, with intent to request a refund of any portion of the payment.
- contains advertising for money making schemes, discount cards, credit counseling, online surveys or online contests.
- You will not use any form of automated device or computer program that enables the submission of postings without the express written consent of Microsoft Corporation.
Termination and Cancellation
Microsoft reserves the right, at its sole discretion, and without any obligation to do so, to review and remove user-created services and content at will and without notice, and delete content and accounts. Microsoft reserves the right, at its sole discretion, to ban participants or terminate access to services.
Microsoft is working on bringing SkyDrive to as many platforms as it can
With SkyDrive, Microsoft is making itself liable to the laws of all the countries in which the service is available. For example, while pornography is legal in the USA, there are many countries in which it is not legal. That's reasonable, but how does Microsoft know what you are storing in your account without reading your files?
As an example of someone who unwittingly fell foul of these terms, take the story of user "WingsOfFury". According to Myce.com:
"After some investigation he found out that his account was blocked, preventing him from e-mailing from his phone, access to his files on his SkyDrive account, downloading applications in the market and he also couldn’t login to his Xbox Live account, which also renders his achievements useless.
After contact with Microsoft support he found out that his account was blocked because there was a 9 Gigabyte folder on his SkyDrive that contained content which was not allowed by the code of conduct of Microsoft SkyDrive. Interestingly the folder was a private folder, not shared to anyone else. The same data was also on a private folder on Dropbox, from which the user never received a complaint."
While Microsoft was within its rights to do this, one must ask whether it had probable cause to check the folder or was it just running an algorithm to check all of our files? If the latter, then the stage is set for a spate of false positive results. Since the terms of service prohibit the storage of nude photographs, are we to assume that medical photographs and snaps of our new born babies are to be prohibited too?
In principle, any time your files are uploaded to a cloud storage company, you are compromising your security and privacy. Unless otherwise stated, you must assume that your files are accessible by employees of the company, no matter what encryption is being used. However, whatever the legal stipulations, the reasonable position is that companies cannot be seen to be voluntarily enforcing such content terms as it would create a chilling effect on usage. That is – if they can detect (what they regard as) objectionable content, what else are they recording about your private files?
Are private folders really private?
In short, the common expectation should be that a file hosting service will not check for compliance with its terms of service, within unshared files, unless compelled to do so by law enforcement – which is something we can all live with. Of course, I understand that Microsoft want to help in the fight against child pornography, and indeed that's the claim they have made. However, this cause has been sadly belittled by organisations who seek to use it as an excuse to enact lazy and draconian security measures, and so wins Microsoft little sympathy because the true "bad guys" will be using much more secure methods to exchange illegal material than the rest of us, who just want to store our office files and photos of friends and loved ones in the cloud.
Microsoft is not alone, other cloud storage companies have similar terms, and all are vulnerable to rogue employees. For instance, Dropbox made it into the news when the company was forced to admit that it could and would decrypt users' files when asked to do so by law enforcement. After complaints, the company updated its terms of service to make this clearer to its users, and as far as I know never automatically checks the content of users' files. In comparison, if the contents of 'WingsOfFury's private folder were found by an automated system rather than by a law enforcement request, that goes beyond what is stated in Dropbox's terms of service.
The only alternative is to use third party encryption (e.g. TrueCrypt) before files are uploaded to SkyDrive, but then this defeats the object of being able to access files on multiple devices. Thus, without more relaxed terms, we are in a no-win situation.
Published by David Gilson at 6:06 UTC, July 24th