Dropbox Attempts To Kill Open Source Project

Yesterday morning I woke up much earlier than I wanted. Instead of lying in bed, wishing I was asleep, I decided to get up and check out Hacker News. Better to waste my time reading industry news than lying around. One headline in particular caught my attention: “Dropship — successor to torrents?”. The name was an obvious reference to Dropbox and the suggestion it could replace torrents was enticing. Data storage and distribution has been a longtime interest of mine and I can’t resist reading about the industry. I had no idea that by the end of the day I’d have received a fake DMCA takedown notice, corresponded with Dropbox’s CTO, and witnessed the near killing of an open source project.

Make Files Appear

The HN post linked to a blog post about an open source project called Dropship that allows users to exploit Dropbox’s file hashing scheme to copy files into their account without actually having them. Dropship will save the hashes of a file in JSON format. Anyone can then take these hashes and load the original file into their Dropbox account using Dropship. This has some real potential benefits for Dropbox’s users. Anyone could easily share a private file with someone else by simply giving them the JSON string. No need to make the file public. The downside is potential for abuse in distribution and sharing of illegally pirated files.
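The following is an added example, not code from Dropship or from Dropbox. It is a simplified model of a deduplicating store where knowing a file's block hashes is enough to link the file to an account, next to a variant that asks for proof of possession first. The block size, SHA-256, all class and function names, and the HMAC challenge are assumptions made for illustration; the post does not describe Dropbox's actual protocol or any fix.

```python
import hashlib, hmac, os

BLOCK = 16  # constructed tiny block size so a short sample spans several blocks

def split(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def block_hashes(data):
    return [hashlib.sha256(b).hexdigest() for b in split(data)]

class DedupStore:
    """Toy server (hypothetical): each block is stored once, keyed by its hash."""
    def __init__(self):
        self.blocks, self.files, self.nonces = {}, {}, {}

    def upload(self, account, name, data):
        hashes = block_hashes(data)
        self.blocks.update(zip(hashes, split(data)))
        self.files[(account, name)] = hashes

    def read(self, account, name):
        return b"".join(self.blocks[h] for h in self.files[(account, name)])

    def claim_by_hash(self, account, name, hashes):
        # Weak: knowing the hashes is treated as having the file.
        if not all(h in self.blocks for h in hashes):
            return False
        self.files[(account, name)] = list(hashes)
        return True

    def challenge(self, account):
        self.nonces[account] = os.urandom(16)  # fresh, single-use nonce
        return self.nonces[account]

    def claim_with_proof(self, account, name, hashes, proofs):
        # Hardened: proof i must equal HMAC(nonce, block i), which needs the bytes.
        nonce = self.nonces.pop(account, None)
        if nonce is None or len(proofs) != len(hashes):
            return False
        for h, p in zip(hashes, proofs):
            blk = self.blocks.get(h)
            if blk is None or not hmac.compare_digest(
                    hmac.new(nonce, blk, hashlib.sha256).digest(), p):
                return False
        self.files[(account, name)] = list(hashes)
        return True

def prove(nonce, data):
    return [hmac.new(nonce, b, hashlib.sha256).digest() for b in split(data)]
```

In this model, `claim_by_hash` lets a second account read a file after receiving only the hash list, while `claim_with_proof` accepts the claim only when the proofs were computed from the block contents with the server's nonce.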

In Steps Dropbox

Dropbox’s CTO and cofounder, Arash Ferdowsi, did not like Dropship. His reaction was swift. According to the project’s creator, Wladimir van der Laan, Ferdowsi contacted him soon after and requested “in a really civil way” that he take the project off of GitHub. Van der Laan complied. This was within hours of the HN post. Another HN member, Peter Steinberger, mirrored the project on his GitHub account using an archive from the blog post. I also mirrored the archive in the public folder of my Dropbox account and linked to it from HN. Within hours Ferdowsi contacted Steinberger and the author of the blog post, Krzysztof Dziądziak, and had them remove Dropship too.

At 1:46PM ET I received the following email from Dropbox support (emphasized text is mine):

Subject: [Dropbox Support] Re: DMCA Violation for [my email address]

Dan DeFelippi, Apr-24 10:46 am (PDT):

Dear Dropbox User:

We have received a notification under the Digital Millennium Copyright Act (“DMCA”) from Dropbox that the following material is claimed to be infringing.

/Public/laanwj-dropship-464e1c4.tar.gz (the Dropship archive)

Accordingly, pursuant to Section 512(c)(1)(C) of DMCA, we have removed or disabled access to the material that is claimed to be infringing or to be the subject of infringing activity.

As a result of this notice, public sharing on your account has been disabled for a period of 3 days.

Please be aware that copyright infringement violates our Terms of Service (TOS) and Copyright Policy, which can be found at the following locations:

https://www.dropbox.com/terms#terms

https://www.dropbox.com/help/210

Also note that Dropbox has a policy of terminating the accounts of repeat infringers. If you repeatedly use Dropbox to infringe copyrights, your account will be terminated and you will lose access to your files.

If you believe that this DMCA notice was sent in error, you may file a counter notification. Such a notification must comply substantially with 17 U.S.C. § 512(g)(3) and include a statement under penalty of perjury of a good faith belief that the DMCA notice was the result of mistake or misidentification. You can send counter notifications to the following address:

Copyright Agent

Dropbox Inc.

760 Market Street #1150

San Francisco, CA 94102

copyright@dropbox.com

The Dropbox Team

This was something new to me. A DMCA takedown being issued against an open source project? I immediately looked up the proper format for responding to a takedown and replied with the following:

The material in question, a file stored on Dropbox under the filename and path of /Public/laanwj-dropship-464e1c4.tar.gz, is not infringing the DMCA. The following is the license contained within the archive:

License

———

Copyright (C) 2011 by Wladimir van der Laan

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Based on this license, which issues permission to copy and distribute freely, it is my good faith belief that this material is non-infringing. As such, I demand the file be restored per 17 U.S.C. Section 512(g).

Signed,

Daniel A DeFelippi

contact info removed

Soon after, Ferdowsi contacted me directly, sending what I now assume is the same “really civil” request he sent to others. He requested that I not only remove the archive from Dropbox but delete my posts on Hacker News, which at that point included the fake DMCA takedown. He outlined his objections, that Dropship reveals their proprietary client-server protocol and that it could be used for piracy. He told me that the DMCA takedown was a mistake and reverted the lockdown on my public files.

First of all, attempting to protect a proprietary protocol is going to get them nowhere. His argument implied security by obscurity. Security by obscurity falls completely flat on its face in this case since their client can be analyzed by anyone with the proper skills and could be deciphered again.

Second, dealing with piracy is the responsibility of Dropbox. It’s not the problem of an innocent hacker who wrote some useful code that could benefit legitimate users and advocates the use of his software for “sharing photos, videos, public datasets, git-like source control, or even as building block for wiki-like distributed databases.”

The Censored Respond

At this point I started emailing everyone who had been contacted by Ferdowsi to find out what had happened to them. I asked Dropship’s author to find out if he had issued a takedown. He told me he had not and that “my code is MIT licensed anyway, you can do with it what you want.” One person told me he took Dropship down for fear of losing his Dropbox account. A few of them expressed support for my resistance to the takedown attempts.

Aftermath

Dropbox’s censorship was nearly successful. In the aftermath Dropship all but disappeared from the internet. All public repositories and archives I could find were taken down. The takedown requests instilled fear in Dropbox users who didn’t wish to lose their account. I doubt van der Laan will continue developing Dropship. Even if he does it will most likely be private since he took his public repository down.

To Ferdowsi’s credit, I understand his position. He’s trying to protect his company. His correspondence was friendly and non-threatening. He’s obviously a very intelligent person and probably made a snap judgement on how to do damage control. The DMCA takedown seems to have been an accident and he remedied it.

In my unhumble opinion censorship is never an option. I’ve defied Ferdowsi’s requests and posted Dropship on my GitHub account. If you are able to, I’d love to see contributions. Fork and submit a pull request. To be certain it doesn’t disappear I’m also making the archive available from my own servers.

Dropship Mirror #1

Dropship Mirror #2

Censorship doesn’t work, especially in a community of open-source-using geeks.