How Dropbox Knows When You're Sharing Copyrighted Stuff

Internet users have gotten used to the risk of having files and content they share through various online services be subject to takedown requests based on the Digital Millennium Copyright Act (DMCA) and/or content-matching algorithms. But users have also gotten used to using services like Dropbox as their own private, cloud-based file storage and sharing systems, facilitating direct person-to-person file transfer without having to worry about such issues. This weekend, though, a small corner of the Internet exploded with concern that Dropbox was going too far, actually scanning users' private and directly peer-shared files for potential copyright issues.

What's actually going on is a little more complicated than that, but shows that sharing a file on Dropbox isn't always the same as sharing that file directly from your hard drive over something like e-mail or instant messenger.

When you upload a file to Dropbox, two things happen to it: a hash is generated, and then the file gets encrypted to keep any unauthorized user (be it a hacker or a Dropbox employee) who somehow stumbles it sitting on Dropbox's servers from easily being able to open it up. 

(Note on encryption: Dropbox handles the encryption keys, so they could look at your files if they were legally required to. Their system has checks in place, both physical and technical, to keep employees from poking about your stuff on a whim.) 

After a DMCA complaint is verified by Dropbox's legal team, Dropbox adds that file's hash to a big blacklist of hashes known to be those corresponding to files they can't legally allow to be shared. When you share a link to a file, it checks that file's hash against the blacklist. 

If the file you're sharing is the exact same file that a copyright holder complained about, it's blocked from being shared with others. If it's something else — a new file, or even a modified version of the same file — a hash-based anti-infringement system shouldn't have any idea what it's looking at. 

In other words: at least based on what they've stated publicly, Dropbox isn't actively scanning through your crap on a hunt for copyrighted materials. There's no human (or even a robot) listening to your MP3s to try and find hot leaked Fergie tracks, or reading through your Harry Potter fanfic collection. They've just got a big list of files that they can't let be shared, and they identify these files in a way that is deliberately blind to what any non-blacklisted files actually are. 

Now, none of this is to say the hash-based system is without its security concerns. If required to by the government, for example, Dropbox theoretically could identify any user who had a certain file stored on their account. But the same would hold true for pretty much any cloud-based storage system where the user isn't handling all of the encryption themselves.