Dropbox sued for June 19 Authentication Bug (consumeraffairs.com)
102 points by mtviewdave on June 28, 2011 | 118 comments



Disclaimer: Subjective, no offense intended.

This is once again proving that, while I understand the language, probably shop the same things, the USA is a strange place for me. This 'just sue' culture seems weird. It seems that the whole point is to run to the court and claim 'He did something wrong. Please spend a lot of time to check that I actually have a point and if I'm lucky, please define a grossly exaggerated sum in damages'.

I _know_ I'll take flak for this, but it warps my mind. The nation that always, even if it hurts, defends the right of free speech, seems to be severely limited elsewhere. It sure looks like you can _say_ anything, but _doing_ anything could lead to a nightmarish jungle (political correctness/discrimination, braindead users don't get the concept of 'hot coffee' and it's your fault, chocolate eggs with toys inside are mightily dangerous) of potential problems.


Reality matters. Details matter. You seem to have lost focus on them:

- Did Dropbox promise its customers that it had very good security?

- Did Dropbox thereby gain an advantage over its competitors?

- Did customers, trusting Dropbox, put private data on their servers?

- Was some of that data quite valuable, and was there quite a lot of it?

- And did Dropbox open a gaping security hole in their systems and then leave one hundred percent of that data exposed for hours? And did that constitute negligence?

From what little I know I'd say the answer is yes on all counts. But I'll concede that reasonable people might disagree, especially after a detailed investigation. Fortunately we have a mechanism for adjudicating significant disputes among reasonable people by conducting detailed investigations: It's called a court.

Now, what I don't know is: Do these events rise to the level where a legal remedy is called for? How big should the remedy be? And are Dropbox's terms of service, which every customer presumably clicked through at some point, going to protect them from being held liable for negligence? Heck if I know. I'm not a lawyer. Fortunately, lawyers are lawyers.

I can't understand why you've picked this particular case to freak out about. Why are you so alarmed to see a company which was, by all appearances, negligent and in breach of contract getting sued for negligence and breach of contract? What kind of surprise is this? It's like water flowing downhill. If a company "accidentally" appears to break a contract, the company has to explain itself. If it "accidentally" breaks the law, it gets taken to court to plead its case. And if it is found to have "accidentally" committed negligence, it gets held liable.

Yes, I know that it seems like an understandable mistake that could happen to any engineer. I feel for those folks. But this is the big leagues, and excuses are not what engineering is about. Engineering is about anticipating mistakes and designing safeguards, and when real engineers (as opposed to fake "software engineers" like myself) screw up a project badly enough a negligence suit is often the least of their problems. They lose licenses and sometimes even go to prison.

Fortunately, nobody appears to have been seriously injured and perhaps nobody will even lose their job. A corporation has been sued, and maybe it will pay. In the meantime, it will re-prioritize its backlog to include better automated testing. ;) This happens. Don't take it so personally. This is what being a corporation is all about. This is why corporations exist.


Somehow this thread of mine got larger than I imagined.

I don't think I've lost my touch on reality. Details? Maybe. I'm also not proposing that Dropbox didn't do something stupid.

But why would you sue? Because someone told you that your data ~could've~ been potentially accessed? I'm not against calling a lawyer in general. But these kinds of (class action) cases regularly look like [Note: Still firmly anchored in reality here. Maybe just in a different culture..] witch hunts to me personally. Like angry/annoyed mobs.

Again: Note that I don't say "these people have no right to sue" nor "the people in this particular case are equivalent to a medieval party of farmers with torches and improvised weapons". This whole thread is mostly "Why oh why?" and less "You're doing it wrong".

In the end I really like edw's comment further down in this thread:

"I think there's no question that Dropbox seriously dropped the ball, but as programmers we should be extremely concerned about the prospect of companies being held liable not just for actual damages but theoretically possible and potentially non-economic yet non-existent damages."


we should be extremely concerned about the prospect of companies being held liable not just for actual damages but theoretically possible and potentially non-economic yet non-existent damages

Well, perhaps if they are held liable for unreasonable sums, and that decision survives appeal, I'll be concerned. But nobody has held anything yet. The issue has gone to court.

Witch hunt? Angry mob? The issue is in court. That is the complete opposite of an angry mob.

How, exactly, are people supposed to seek redress if they have signed a contract with Dropbox, the contract was breached, and they were dissatisfied with the response? If they shouldn't go to court and file suit, what should they do? Bribe the czar's ministers? Recruit their relatives and start an old-fashioned Kentucky feud, complete with snipers and ambushes? Start an astroturf campaign of character assassination on Twitter?

And, again, this isn't some patent troll seeking a quick settlement.


Sometimes they are witch hunts (or maybe "money grabs" is a better term). But there are also many instances where they have effected real change for the better.

A potential settlement in this Dropbox case could be: Dropbox pays off the lawyers (of course) but also agrees to hire a Chief Security Officer and submit to quarterly security audits by an outside company for the next year.

In the absence of a strong government consumer protection bureau, the class action lawsuit is one of the primary ways Americans force corporations to take responsibility for their actions.


People and companies, in the United States, and many other common law countries, have certain duties to other people. If McDonald's serves coffee, they have a duty not to serve it so hot and make it so difficult to open that it can spill on you.

That case is just a terrible example of frivolous lawsuits because it had plenty of merit. Actually the vast majority of lawsuits labeled as frivolous, with huge judgement, tend to skim over the details and make it look like the plaintiff hit the lottery with a mild inconvenience: "Oops, she spilled coffee and became a millionaire!"

While our legal system could certainly use a lot of improvements, lawsuits that actually go to trial are being vetted quite a bit.


>braindead users don't get the concept of 'hot coffee' and it's your fault

The coffee was served hotter than it should have been, and vastly hotter than it would have been if it had been taken from the machine at home, it was served in a cup that was so difficult to open that the customer had to put it between her legs, and when the coffee was spilled she suffered 3rd degree burns to her crotch.

And she only asked that they paid her medical expenses. It was the jury who gave her all those millions.


Okay, okay. I don't claim to be an expert on that case.

But: If you buy coffee, it's hot enough to hurt you (or it's crap. There's a range of temperatures that are decent, and personal factors determine what is deemed too hot as well).

I don't buy the 'had to put between the legs to open the cup' thing. In that case don't do it near your private parts, open it properly. Not between your legs, probably sitting in a car. Why is there no applied concept of common sense?

Leaving the whole cause of the accident aside, the next part was really emphasized my point:

The jury gives you millions for 'damage'. Let's not discuss if the problem was the person suing, but what you have to think about is this:

What message are you sending out, if someone suing a company for (arguably only) slightly irritating service (a couple degrees ~too~ hot, usability issues with a coffee cup, both probably annoying but didn't completely destroy the tiny rest of that company's customers..) could get you the FU money this community is often obsessed about? If you asked for the money on day one of the trial or made the jury feel so sorry for you that they drown you in money at the end is not relevant.

Which leads to my first post again: A culture of fear for being sued, with damages completely out of proportion [1].

1: In a large area of the world. I understand that it can seem completely normal if you limit your view to the area where this is happening.


It was hot enough to melt her genitals and cause serious disfigurement. If she had spilled it anywhere, she would have been seriously injured...

The coffee was scalding hot. The temperature of the coffee was from a corporate order intended to save a few bucks on having to re-brew coffee. The McDonald's corporation was negligent.

In this case, Dropbox was horribly negligent. Releasing all of the data in my Dropbox folder to everyone is not a 'minor inconvenience'. It is a big fucking deal, particularly if I had no idea it could happen so easily, and I am paying them under the assumption that their service is relatively secure.


I think there's no question that Dropbox seriously dropped the ball, but as programmers we should be extremely concerned about the prospect of companies being held liable not just for actual damages but theoretically possible and potentially non-economic yet non-existent damages.


How do you heat liquid water to more than 100°C? Coffee is supposed to be just below 100°C when you brew it, or it is not good. Goes for home made or McD coffee. Whatever, maybe in some parts of the world, the laws of physics don't apply and liquid water does not lose energy through evaporation...

Back on topic: Dropbox is telling everybody that they are "encrypting" stuff on their drives. How do they decrypt without a password? This case is a much different from the "stupid McD coffee customer" case, because details on cloud storage technicalities are not common knowledge, whereas "boiling water may be hot" kinda is.


  > "boiling water may be hot"
Most people don't equate 'boiling water' with 'coffee.' Sure you need to boil water to brew it, but I've never been handed a bubbling cup of coffee.


> "hot coffee may be hot"


"hot liquid" and "liquid so hot that it will burn my skin" are not necessarily the same thing. Unless you think that people should feel afraid of a hot bath or a hottub (or even going to a hot spring).

In more precise terms, 'boiling' is a subset of 'hot.'


Wow, you all are really discussing this? If "hot" may mean "hot" or just "hot" and if the fact that hot coffee is hot is common knowledge?

Thanks, now I understand why it is so important to write obvious things on products in the USA. Maybe it actually is necessary...


If you increase the atmospheric pressure, you can raise the boiling point of water well beyond 100°C. Of course, that has little to do with brewing coffee.

So you bring the water to a boil, and then let it sit for a minute, then pour it over the grounds. Then as the coffee steeps, the liquid further cools down. It is just below 100 when you brew it.... not when you drink it. It is much cooler when you drink it, (65 to 80 C).


When you buy it, it is usually around 90°C. Same when you take it from a coffee maker. Ever noticed the small heating plate below the coffee can?

Who cares. Just be careful with hot stuff. And if you fail to do so, sue somebody to avoid blaming yourself. I guess.


> Which leads to my first post again: A culture of fear for being sued, with damages completely out of proportion [1].

There had been more than 700 previous cases, where McDonald had settled with the victims for a total of more than US$ 500.000, but hadn't changed their practice. The vast majority of the damages in this case was not "compensatory damages", intended to compensate the victim for her injury, but "punitive damages", intended to be large enough that McDonald would change their business practice. The punitive damages were set to be equivalent to two days worth of coffee sold at McDonald.

http://en.wikipedia.org/wiki/Liebeck_v._McDonald%27s_Restaur...

We can argue whether McDonald should be forced by law to lower the serving temperature. A UK court came to the opposite conclusion in a similar case. However, if we accept that as a premise, the size of damages doesn't seem out of line.


> If you buy coffee, it's hot enough to hurt you (or it's crap. There's a range of temperatures that are decent, and personal factors determine what is deemed too hot as well).

McDonald's keeps coffee at >82°C, which is much hotter than any coffee served elsewhere.


The jury's still out on that...

http://ben.sh/Coffee.png


That is brewing temp, mister. I'd be surprised if my coffee was hotter than 75 once it came out of the French press and into a mug.


    If you buy coffee, it's hot enough to hurt you
No, that's not true - it depends on where you buy it from and what their policy on coffee temperature is.

And I don't know if you bought coffee from McDonalds, but at some point they used to serve coffee in containers made out of a thick layer of cellulose (from what I could see) which wasn't leaking any heat; giving you absolutely no clue whatsoever to how hot or cold the coffee was just by holding it. Think about that for a second - when you're holding a glass with hot tea or coffee, you can feel it in your hand. But what if that glass was cold as if holding iced tea?

Yes, I got burned too, but not as badly as to suffer 3rd degree burns and I still buy coffee from McD. But I imagine I would get pretty pissed too above a certain threshold.


Here's a good recent documentary that goes into detail about the famous hot coffee case. It was eye-opening for sure. I never thought that I would going in, but I came away thinking McDonald's was woefully negligent in that case.

http://hotcoffeethemovie.com/


And at the same time a culture, where you can sue if someone hurt you, and even set a precedent if it's a first-time thing.


"So difficult to open that ....between her legs"

Where is the logic there? Something is difficult to open so the immediate response is to put it between your legs? And it's a hot beverage? Sorry...that's idiotic. Zero dollars. Stop wasting the court's time. It doesn't matter what McD did or did not do. You are primarily responsible for your own well being. Nobody tricked her into thinking the coffee was iced tea. Nobody told her that she must use her thighs (?!) to open it.


Same logic:

Sure that doctor gave you the wrong medicine, but you're responsible for your own well-being. How hard is it to Google the name of the medicine and see that it has nothing to do with your condition? How hard is it to remember that the medicine that the doctor told you he was writing a prescription for and the one that he actually wrote on the paper aren't the same? Stop wasting the court's time. Zero dollars.


Not the same logic at all. Being given the wrong medicine is entirely different due to the relationship between patient and doctor. That is a relationship defined by the position of trust the doctor has. It is a privileged relationship. And a Doctor is known to have years of training and experience behind his belt.

The relationship between a customer and a minimum-wage worker employee is entirely different. You don't expect them to have the years of training and experience behind them to help ensure everything runs smoothly.


A better analogy:

You step into someone's hot tub and the water was (actually) boiling. Now you have second degree burns from the waist down. But you should have known better. It's called a hot tub, right? You knew there was a risk that you would be burned by the water. You're just an idiot for assuming that you could just jump in. Stop wasting the court's time. Zero dollars.

(There is no 'position of trust' with a 'hot tub operator,' nor do you require years of training to own/operate a hot tub).


In addition to lambada's response about the doctor-patient relationship, there is also an expectation of common knowledge. You are not expected to know anything about the medicine given to you since that is the doctor's responsibility, but you are expected to take it as instructed. You are expected to know that if you do anything unusual with it you may be putting yourself in danger.

If you do something idiotic like crush it up into powder, then snort it at five times the dosage, that's on you. If you then go into shock and suffer a stroke, guess what.... zero dollars, stop wasting the court's time, you are an idiot.


  > political correctness/discrimination, braindead users
  > don't get the concept of 'hot coffee' and it's your
  > fault, chocolate eggs with toys inside are mightily 
  > dangerous)
All this looks like a vicious circle to me: more and more common sense, simple thinking and moral judgement is "outsourced" to laws and people not bothering to think for themselves are becoming weaker and weaker at making these kinds of decisions themselves :( PC for some reason irritates me greatly, I am not even sure why. Society moving towards total PC looks like the Universe moving towards thermal death.


In America we do have a very litigious society.

In many cases it seems absurd. For some reason people believe that if something bad happens, someone is at fault. They expect 0% probability of anything bad happening and if they don't get that, they may sue.

I don't think anywhere in the world is like this. It's completely unrealistic. It's impossible.

And yet, at the end of the day, perhaps it forces our society to always be improving. Maybe our country is where it is today because we demand the impossible.


Whoa! Stop the horses! I understand that Europe is moving to a mono-state, but we still have very separate jurisdictions in the USA. She sued in CALIFORNIA by finding some class-action lawyer junkie. That suit would have been thrown out in the other 49 states because she is suing on laws/grounds that simply don't exist there. On top of that, the suit may go nowhere in California too, because she didn't suffer any damages ... her account wasn't compromised. She just heard that other accounts were. That's a joke.


At some point in the last 50 years the US has developed a significant subculture of lawyer-worship. It's not unusual to see commercials hourly on TV asking for people who might have suffered in one way or another to contact a law firm for a lawsuit. Lawyers find "little people" who have been wronged, sue in court, pocket millions, then go on to the next case. Effective lawyers make a killing at this business, and don't be mistaken: it is a business.

The little folks, seeing other people make all the bucks, aren't stupid. They look for ways in which they might have been wronged and contact lawyers. For many, "winning the lottery" and "having a big lawsuit" are the same thing -- a way to easy money. The lawyers are all too willing to play along, setting up mills where good cases are sorted from bad ones. They take part of the profits to advertise for more. It becomes a feedback loop, which is sad, because there are a lot of people who have been really wronged and need legal help.

What we need is tort reform, but every time somebody brings it up they're called either an apologist for big evil corporations or a heartless bastard who could care less for the downtrodden. So the cycle continues.


The commercials aren't there because people worship lawyers! I think most Americans aren't actually all that fond of lawyers. They're there because there is a lot of money at stake. When each new client can bring you tens or hundreds of thousands of dollars, you can afford to take out TV ads.

It's the same reason "mesothelioma" was the most expensive keyword on Google.


"Mesothelioma" is a lucrative keyword because anyone who has mesothelioma has most likely been grievously injured by some commercial entity. I'm sure there's lots of scams revolving around it, but it's hard to imagine a clearer-cut justification for suing a company than that company negligently giving you terminal cancer.

These two parent comments --- unintentionally, I'm confident --- give the impression that "mesothelioma" is a get-rich-quick scheme for plaintiffs. But if a plaintiff actually has mesothelioma, I don't think it's anything to snark about.


Apologies; there was honestly no snark intended.

I happen to think the conduct of the asbestos industry is a strong argument for a corporate death penalty. And executives who knowingly exposed workers to dangerous materials should be in jail.

My point was that legal ads are prominent because there is a lot of money at stake, not because everybody loves lawyers.


Don't apologize; I'm not taking you to task. And sure, there's a lot of ads because there's a lot of money at stake. But that's also in some ways a good thing: it ensures that everyone harmed by (say) asbestos is aware that there are remedies available to them.


The U.S. has made a choice not to have any effective regulation of such things. Perhaps in another country, there are data security regulations with a regulatory agency in charge and when you have such a breach, you get a call from the government which is annoyed with you. The regulator imposes some sort of fine, demands an action plan to fix the problem, and generally fixes things and reduces the chances of them happening again.

The public, being satisfied that things are now fixed and realizing they weren't really harmed, declines to litigate.

Or there's the U.S. model. Since there is no regulator fixing things, the only way of effecting change is to litigate. The regulatory role has been outsourced to the courts. Of course, the courts are poorly equipped to be regulators, but it's like using a hammer when you really need a wrench: you haven't GOT a wrench, so the hammer must make do. So the courts make do and in general it costs more and regulates worse than a proper regulator would, but hey: you haven't GOT a wrench.


I'm sorry, but good. When you respond to such a serious issue with anything less than an immediate email announcement to your entire userbase, and especially if your eventual announcement is an unapologetic, obscure blog post stating something like "that wasn't supposed to happen"/"that wasn't okay", you show that you care very little about the integrity and safety of your users' data.


I think in this case the critical issue was that they needed to focus 100% of their efforts on preventing the damage to those <100 users whose accounts were accessed. Some person out there could now be inflicting serious harm on these <100 people. I'm really hoping Dropbox is working with the authorities to catch him or her and minimize the potential damage.

I emailed Dropbox asking if my account was accessed and they replied quickly saying no it wasn't. I think that's a perfectly good response.

A mistake was made, and 1 person made a terrible decision to take advantage of it. I hope we can all rally around Dropbox and cut them some slack so they can do all they can for these <100 users who should have huge concerns.

When they've resolved the crisis, then if you want to complain about them it'd be the time to do so. Right now I just hope they are doing everything they can for the seriously affected users, because if I was one of those users that's what I would want.


They can't multi-task, and send one PR guy out to send a batch of e-mails informing their users what happened? Literally everyone in the company was chasing down this one miscreant?


Think of how many customers would call and email them if they did a blast email. 1 million maybe? It would be a self-inflicted DDoS.


Everyone who was affected by the bug was notified by email, and Dropbox's CEO even gave them his phone number so that they could contact him. As I see it, that's the proper response to issues like this: informing everyone who was affected, and not panicking all the unaffected users.


I don't believe they can pinpoint "the affected users" (supposedly below 100) with such accuracy. It's not responsible to assume nobody else logged in from another location just because only one person logged into 100+ accounts.

It would have been easy to announce without panicking the existing users. By not announcing it at all, and trying to stay below the radar, you incite everyone who's unaffected and reads the news--or, at least, they did me. It's a cheap business move, not "the integrity of your data is our first priority".


This happened on a sunday originally, right? Hence a small number of users logging in to the website. Pinpointing affected users could be as simple as finding the small number of accounts which were logged into from new IP addresses. Alternatively, perhaps the auth server was logging failed attempts, even though the bug resulted in failed attempts being treated as successful attempts. That would make it ridiculously trivial to find all of the accounts compromised - any account accessed with an incorrect password from a new IP address. The number of attackers doesn't matter.

Admittedly, I don't work for Dropbox, and am not aware of the details of how they identified affected users. I'm just pointing out that it would be very easy to identify affected users with high accuracy and almost no chance of false negatives.
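The triage the comment above speculates about, as an added example that is not from the thread or from Dropbox: a constructed auth-server log in an assumed format (password-check result recorded separately from the session decision), an assumed bug window of all of June 19, 2011 UTC, and a pass that separates "wrong password, never-seen IP" from "wrong password, known IP" so the second bucket can be reviewed rather than auto-notified.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records in an assumed format; not real Dropbox logs.
# Assumption: the server logged the password-check outcome separately from the
# session decision, so during the bug a record can read check=FAIL session=GRANTED.
SAMPLE_LOG = """\
2011-06-12T08:00:00Z user=alice ip=203.0.113.5 check=OK session=GRANTED
2011-06-15T20:15:00Z user=dave ip=192.0.2.9 check=OK session=GRANTED
2011-06-18T09:12:00Z user=bob ip=203.0.113.40 check=OK session=GRANTED
2011-06-19T13:05:11Z user=alice ip=203.0.113.5 check=OK session=GRANTED
2011-06-19T14:02:33Z user=bob ip=198.51.100.7 check=FAIL session=GRANTED
2011-06-19T14:03:01Z user=carol ip=198.51.100.7 check=FAIL session=GRANTED
2011-06-19T15:30:00Z user=dave ip=192.0.2.9 check=FAIL session=GRANTED
2011-06-19T16:10:45Z user=erin ip=203.0.113.77 check=OK session=GRANTED
2011-06-20T18:00:00Z user=frank ip=192.0.2.9 check=FAIL session=DENIED
"""

# Assumed bug window: the whole of June 19, 2011 (UTC); the thread gives only the date.
WINDOW_START = datetime(2011, 6, 19, tzinfo=timezone.utc)
WINDOW_END = datetime(2011, 6, 20, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"check=(?P<check>OK|FAIL) session=(?P<session>GRANTED|DENIED)$"
)


def parse_log(text):
    """Parse the constructed log format into dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        records.append(rec)
    return records


def known_ips_before(records, cutoff):
    """IPs each account legitimately logged in from before the window opened."""
    known = defaultdict(set)
    for r in records:
        if r["ts"] < cutoff and r["check"] == "OK" and r["session"] == "GRANTED":
            known[r["user"]].add(r["ip"])
    return known


def find_affected(records, start=WINDOW_START, end=WINDOW_END):
    """Triage sessions granted despite a failed password check inside the window.

    Returns (confirmed, review), each mapping account -> set of source IPs:
      confirmed - wrong password from an IP the account had never used before
      review    - wrong password from a previously known IP (could be the owner
                  mistyping, but the session was still granted, so check it)
    """
    known = known_ips_before(records, start)
    confirmed, review = {}, {}
    for r in records:
        if not (start <= r["ts"] < end):
            continue
        if r["check"] != "FAIL" or r["session"] != "GRANTED":
            continue  # normal login, or a denial after the fix
        bucket = review if r["ip"] in known.get(r["user"], set()) else confirmed
        bucket.setdefault(r["user"], set()).add(r["ip"])
    return confirmed, review


def source_ips(confirmed):
    """Distinct IPs behind the confirmed improper logins (one actor or several)."""
    return set().union(*confirmed.values()) if confirmed else set()


if __name__ == "__main__":
    conf, rev = find_affected(parse_log(SAMPLE_LOG))
    print("notify (confirmed):", sorted(conf))
    print("manual review:", sorted(rev))
    print("source IPs:", sorted(source_ips(conf)))
```

Note that "new IP" here is judged against each account's own history, so the number of distinct attackers never enters the logic, which is the point the comment makes.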


What is your definition of small?

You don't think there were MANY accounts that logged in from new locations in that time frame? Think wireless networks...

I simply refuse to believe that with such a gigantic service they could determine that only X and Y were compromised by "one person" so accurately and so quickly--especially considering they haven't even implemented a build/deploy-time test suite that, among many other things, asserts that something like the auth system actually works.

Your suggestion is pure speculation like you say, and, really, any application that logs something like "invalid auth" usually(!) immediately aborts the session (since that's the logical thing to do); it doesn't continue it...


Shouldn't someone have to show actual damages in order to sue? The California Unfair Competition Act seems to be about unlawful, unfair or fraudulent business practices - I don't immediately see how that is relevant.

My guess is this is going to just force Dropbox into some kind of settlement because it will be cheaper than fighting it. And the lawyers promoting this get a nice cut, of course.

Does corporate insurance cover this sort of thing? How does a company protect itself from these kind of lawsuits?


A friend of mine was a corporate insurer.

Whenever a large firm like dropbox made a clanger and got sued, the insurers would work out how much negligence there was involved.

The insurers discussed the issue with the company and said "you were negligent here, here and here" therefore "we're only going to cover you to X<100% of your public liability"

So negligent actions are not covered by insurance, and some portion will still have to be coughed up.


> So negligent actions are not covered by insurance

Depends on the kind of insurance. E&O (errors & omissions) most assuredly does cover negligence.[1]

[1] http://en.wikipedia.org/wiki/Professional_liability_insuranc...


Dropbox's attitude towards users' data, privacy and security has been troubling, and their responses have been less than comforting. They really need to do some good PR/branding exercises to make sure they don't continue on what looks like a slippery slope to me.


For this reason, I think I'm jumping ship now and moving to Spideroak or Wuala.


THIS is the first time I read about this bug. How incredible is that not to tell your users about that? But okay, if at all I expect it from dropbox. It's already the second time they don't care about their promise so much (at least towards me). I will quit them just now.

But to not say just bad things: This kind of info here on HN is so very much important. That is exactly why I read here, to read what I can't read anywhere else.


I got an email notification from Dropbox on June 23rd as follows:

Hi Lance,

On June 19, 2011, we had a software bug that caused authentication issues. You can read more about it in our blog post. Our records show that your account wasn't improperly logged into during this time.

We are writing to you because one or more users you share a Dropbox folder with logged into their account during that period. We have no reason to believe that the login was improper, but in the unlikely event it was, there could have been access to the information in the following shared folder:

foldername

We are very sorry as this never should have happened. We are implementing additional safeguards to prevent this from happening again. If you have any questions please contact us at support@dropbox.com

- The Dropbox Team


That's 00:01 on the 23rd New Zealand time - anywhere else it would have been the 22nd.


That's really great to hear! I didn't. Just confirmed it again with searching through my (nearly completely archived) inbox and also the spam folder.


I'm pretty torn.

On the one side, this was a realllly stupid mistake that should have been caught earlier, not by some external party who was kind enough to report it to them. I feel like the stakes should be raised a bit for companies who are keeping my data.

On the other side, fear of lawsuits leads toward less disclosure and meaningless PR announcements.


I'm with you. I will point out that fear of lawsuits also leads to being more careful.


Interesting, I just had a course in which they say there's a difference between risk for software companies and other companies.

If Toyota makes an error with their gas pedal, massive lawsuit. Bug in Windows? Nobody even thinks about suing Microsoft although it brings countless businesses in danger.

Ok there's a difference, but generally, people expect bugs in software and they don't expect them in other goods. It's a huge market failure which doesn't do software security any good.

Now for Dropbox, I hope this turns out well, I like Dropbox:-) but I don't think suing for bugs is a bad evolution.


Say you run a small startup and accidentally push out a production bug like this. What should your response be?

Does it matter whether it's been reported by someone else or you discover it yourself? Does it matter whether you're a sole proprietor or a formal business entity? And in general should you form an entity to shield yourself from personal liability because of the remote chance something like this happens? Does it matter what type of content is exposed (passwords, file storage, bingo cards)? How do you decide?


Immediately lock-down, then communicate to all affected before doing a root cause analysis and taking steps to ensure it doesn't happen again.

Dropbox faltered on the communication, and they made claims about their security which haven't been backed up by practice.

They stated that they would communicate to those whose accounts were 'compromised', yet those 'affected' by this were literally every user they have. They should've communicated to all, as that is who has been affected.

They also state and sell based on security, and do give you the feeling that you are able to trust them, then when you do you find that they leave the door open. So their claims of security haven't been backed up by the practice of it.

Locking down was the right thing.

Communication was dire.

And there hasn't been a follow-up to demonstrate clearly that lessons were learned, and that it cannot happen again. Hell, we haven't even heard if there are now unit tests over this piece of code.

Just act ethically, clearly, and don't be afraid to have egg on your own face by coming clean. But when you do this, come fully clean and be transparent. Don't err, or dodge the details... just come clean, put your hands in the air and admit you screwed up, and then say why you've learned and why it really truly is not repeatable.

And if you've already had a security flaw or two preceding this... then stop what the hell you're doing, stop working on new features, and go back and check every line of code and look for every attack vector or flaw in your processes and put them right.

They sell on securing our data... I want them to be paranoid on my behalf.


I can't help but feel like most of what you're saying doesn't really matter with respect to getting sued or not.

Does it really matter whether they advertise that they are secure or not? If security wasn't listed all over their site, would that have mattered?

Does it matter whether they wrote a lessons learned blog post?

And as far as communication goes, Drew did respond and I thought the response was pretty good [1]. It was not immediate, nor should it have been. They had to determine the extent of the breach, consult with their lawyers, devise an appropriate strategy, etc.

It's not as simple as immediately notifying every account holder. That's what... 30 million people? Less than 100 accounts were actually exploited--why create mass hysteria when you can simply notify the small batch that were actually impacted? As bad as this situation is for them, awareness is mostly confined to the tech elite which in the grand scheme of things is a pretty good outcome.

[1] http://techcrunch.com/2011/06/24/dropbox-breach-fewer-than-1...


Would the "Limitations on Liability" section on their TOS help them in this case?

FREE ACCOUNT HOLDERS: YOU AGREE THAT THE AGGREGATE LIABILITY OF DROPBOX TO YOU FOR ANY AND ALL CLAIMS ARISING FROM THE USE OF THE SITE, CONTENT, FILES AND/OR SERVICES IS LIMITED TO TWENTY ($20) U.S. DOLLARS. THE LIMITATIONS OF DAMAGES SET FORTH ABOVE ARE FUNDAMENTAL ELEMENTS OF THE BASIS OF THE BARGAIN BETWEEN DROPBOX AND YOU.

PREMIUM ACCOUNT HOLDERS: YOU AGREE THAT THE AGGREGATE LIABILITY OF DROPBOX TO YOU FOR ANY AND ALL CLAIMS ARISING FROM THE USE OF THE SITE, CONTENT, FILES AND/OR SERVICES IS LIMITED TO LOWER OF THE AMOUNTS YOU HAVE PAID TO DROPBOX DURING THE THREE MONTH PERIOD PRIOR TO SUCH CLAIM, FOR ACCESS TO AND USE OF THE SITE, CONTENT, FILES OR SERVICES, OR ONE-HUNDRED ($100) DOLLARS. THE LIMITATIONS OF DAMAGES SET FORTH ABOVE ARE FUNDAMENTAL ELEMENTS OF THE BASIS OF THE BARGAIN BETWEEN DROPBOX AND YOU.


I'd love to hear a professional chime in here. Does adding this to your Terms of Service actually have an impact?

If the answer is yes, why are the woman and her lawyer suing Dropbox anyway?

And if no, why do most Terms of Service include similar wording?


My guess, and IANAL, is that it would hold in many courts, but not in Californian ones. California seems to have little tolerance for contracts that restrict basic freedoms (e.g., non-compete agreements.) In this case the basic freedom is to be compensated according to the tort perpetrated, and not limited to a specified arbitrary amount.


My understanding is that these contract terms have teeth in California, just like everywhere else. An enforceable contract doesn't mean you can't sue Dropbox if they cough up your data to an attacker; it just means you sue for a tort instead of breach-of-contract.


Any company with even a small amount of success will be sued for any public mistake, whether it violates the law or not - especially if you're open and transparent about what happened and why.

Class-action trolls, like patent trolls, are just another business risk.


Sure they were transparent? They didn't say what the bug was, how it was introduced, what they are doing to stop it happening again. They didn't email all their customers immediately.


No, I'm not sure they were all that transparent.

I'm sure that in this situation and legal climate, the only way they could've potentially avoided a lawsuit was to try and keep it quiet (to the detriment of their user base.)

Sadly, doing the right thing just makes you a target.


Potentially. But see how Lastpass dealt with a potential breach [1]. Have not heard of them being sued. I don't think "cover it up to avoid getting sued" is the right message.

[1] http://blog.lastpass.com/2011/05/lastpass-security-notificat...


I think it is unfair for them to be required to email their entire userbase when maybe 0.1% were POSSIBLY affected.

They emailed the people that logged in during that time and anyone that had a shared folder with anyone that logged in during that time. That seems pretty fair to me.


Dropbox is being sued for not being open and honest about it.


This is a ridiculous response, and one which seems very ungrounded in the law. Dropbox made a mistake—a big one. They pushed bad code to production that allowed for unauthenticated account access.

But, they're still a startup. There's no SLA. They responded quickly, fixed the bug as soon as they caught it, and have been thorough in investigating any unauthorized access of accounts.

Why sue them? It's just going to disrupt a very good service. It's not going to help them recover (I'm sure they've already learned heavily from the mistake.)


> This is a ridiculous response, and one which seems very ungrounded in the law.

What is the basis of such an assertion? Let the courts decide whether the basis is unfounded or not.

> But, they're still a startup.

This is no excuse, if you charge money for your services AND claim to be military grade secure with respect to data. https://www.dropbox.com/security

> There's no SLA. They responded quickly, fixed the bug as soon as they caught it, and have been thorough in investigating any unauthorized access of accounts.

They took 4 hours to know the entire Dropbox was accessible to everyone, and tried to sweep the incident under the rug by not emailing the issue to users.

> Why sue them? It's just going to disrupt a very good service. It's not going to help them recover (I'm sure they've already learned heavily from the mistake.)

Because they are not entitled to be on the good side of the user, with unacceptably bad handling of the situation. They, like everyone else, are not entitled to anything, other than what is contracted. You screw users, you get screwed. It is as simple as that.


Indeed, being a startup is no excuse; how hard can it be to make a test case which tests if their authentication works?


>>they're still a startup

That sounds very troubling to me. When it comes to user data/privacy, how does being a startup vs a huge corporation make any difference?

Besides, a company with tens of millions of users and billion dollar valuation is not really a startup anyway, if at all that matters.

I love dropbox and use it every single day on so many devices, but I did feel violated by this fiasco.


If you see the OP, the woman behind the lawsuit seems angry that she had to find out about it in the news rather than with Dropbox informing her. That is a serious mistake and one that Dropbox should take heat for. Bugs happen but not communicating to users was a deliberate move.


She was not mailed because there was no access to her account, or did I read it wrong that everyone whose account was accessed was mailed?

What should they have told her? "Someone could have accessed your account in the last few hours due to a bug, but that didn't happen. Nothing to worry about!"


They are not shy to advertise the security and privacy of the service, it would be an honest move to communicate the risks, too.


Yes.


I completely agree. Dropbox made a huge mistake. Dropbox is run by humans, and humans make mistakes, that's life. But when it came to communicate the issue they screwed up IMHO. I shouldn't need to subscribe to their blog RSS to know this kind of stuff.

They should have mailed everyone, encouraging users to change their passwords right away while they investigated the issue.


I see the run by humans argument a lot, but what you need to keep in mind is that a company is NOT a human. No one's suing the individual employees here, but a company. There is a massive difference.

By their nature companies are entirely selfish (especially companies with outside investment) and unless you're going to hold the humans within a company individually responsible for a company's douchebaggery then by the same logic you also shouldn't give the company a break because it's run by humans.


Why change their passwords? Isn't that FUD?


Yes and no :-) What else could a user do once damage is done? (before they started investigating, but after the fix was pushed)


The important thing about this bug is that it allowed log-ins without passwords. No passwords were compromised. Therefore, asking users to change their passwords would have been FUD, as well as making it more difficult to identify which users were affected by the person exploiting the bug (if almost every user logs in during 4 hours, you're going to have a lot of trouble identifying the <100 accounts who were accessed by the attacker).


...they're still a startup...

What? Is this an excuse? They charge money for the service and they will pay for their mistakes.


Yes, they'll pay for this mistake through bad press and lost customers.

A punitive lawsuit isn't going to improve anything in terms of making sure they don't do it again.


>>A punitive lawsuit isn't going to improve anything in terms of making sure they don't do it again.

What's stopping us from saying the exact same thing in defense of any xyz alleged offender?


How do you know? (Note that the point of a punitive lawsuit is not only to encourage the culprit not to do it again, but also to encourage other potential culprits not to do it again.)

I guess the answer is "because it was just a mistake", but (1) not informing their customers promptly when they found they'd made a disastrous security screwup wasn't just a mistake, and (2) since they themselves say they're improving their procedures in response to the incident, it seems clear that there are things they could have done that would have either avoided the just-a-mistake or mitigated its consequences.


A lawsuit is also a good tool to scare others from just trying to do something useful—just in case someone sues on the first mistake.


They won't lose customers if they don't tell them about the problems. The bad press is this, right here.


Even though I don't like frivolous lawsuits, it's way too early to say there's no legal basis for the claim.


>But, they're still a startup

So what?

Aww... the cute widdle startup gets the bar lowered for them because we love startups here on HN?


According to the TOS, which all Dropbox users claimed 'reading and agreeing with', he's got no case ($100 at most).

see https://www.dropbox.com/terms#terms

Cloud brings risks, one shall be aware of it, and do the math of advantages/disadvantages.

I will keep my dropbox account, despite that incident, and know deep in my heart that such a glitch can happen to me as well, no matter how well my develop/test/deploy routine is designed.

Having said that, I will never have anything highly sensitive on any hosted machine, no matter who the provider is, unless it is strongly encrypted (that includes pgp for sensitive mail (gmail) attachments, etc.)

I really hope dropbox will learn from this and continue to improve their service as they have been doing since day one.

from the terms page:

    IN NO EVENT WILL DROPBOX BE LIABLE TO YOU OR TO ANY THIRD PARTY FOR DAMAGES OF ANY KIND, INCLUDING,
    WITHOUT LIMITATION, DIRECT, SPECIAL, INCIDENTAL, PUNITIVE OR CONSEQUENTIAL DAMAGES (INCLUDING LOSS OF
    USE, DATA, BUSINESS OR PROFITS) ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT, OR FROM YOUR
    ACCESS TO OR USE OF, OR INABILITY TO ACCESS OR USE, THE SITE, CONTENT, FILES AND/OR SERVICES, OR FOR
    ANY ERROR OR DEFECT IN THE SITE, CONTENT, FILES OR SERVICES, WHETHER SUCH LIABILITY ARISES FROM ANY
    CLAIM BASED UPON CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, OR
    ANY OTHER LEGAL THEORY, WHETHER OR NOT DROPBOX HAS BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGE,
    EVEN IF A REMEDY SET FORTH HEREIN IS FOUND TO HAVE FAILED OF ITS ESSENTIAL PURPOSE. YOU SPECIFICALLY
    ACKNOWLEDGE THAT DROPBOX IS NOT LIABLE FOR THE DEFAMATORY, OFFENSIVE OR ILLEGAL CONDUCT OF OTHER USERS
    OR THIRD PARTIES AND THAT THE RISK OF INJURY FROM THE FOREGOING RESTS ENTIRELY WITH YOU. FURTHER,
    DROPBOX WILL HAVE NO LIABILITY TO YOU OR TO ANY THIRD PARTY FOR ANY THIRD PARTY CONTENT UPLOADED ONTO
    OR DOWNLOADED FROM THE SITE OR THROUGH THE SERVICES AND/OR THE FILES, OR IF YOUR DATA IS LOST,
    CORRUPTED OR EXPOSED TO UNINTENDED THIRD PARTIES.

    FREE ACCOUNT HOLDERS: YOU AGREE THAT THE AGGREGATE LIABILITY OF DROPBOX TO YOU FOR ANY AND ALL CLAIMS
    ARISING FROM THE USE OF THE SITE, CONTENT, FILES AND/OR SERVICES IS LIMITED TO TWENTY ($20) U.S.
    DOLLARS. THE LIMITATIONS OF DAMAGES SET FORTH ABOVE ARE FUNDAMENTAL ELEMENTS OF THE BASIS OF THE
    BARGAIN BETWEEN DROPBOX AND YOU.

    PREMIUM ACCOUNT HOLDERS: YOU AGREE THAT THE AGGREGATE LIABILITY OF DROPBOX TO YOU FOR ANY AND ALL
    CLAIMS ARISING FROM THE USE OF THE SITE, CONTENT, FILES AND/OR SERVICES IS LIMITED TO LOWER OF THE
    AMOUNTS YOU HAVE PAID TO DROPBOX DURING THE THREE MONTH PERIOD PRIOR TO SUCH CLAIM, FOR ACCESS TO AND
    USE OF THE SITE, CONTENT, FILES OR SERVICES, OR ONE-HUNDRED ($100) DOLLARS. THE LIMITATIONS OF DAMAGES
    SET FORTH ABOVE ARE FUNDAMENTAL ELEMENTS OF THE BASIS OF THE BARGAIN BETWEEN DROPBOX AND YOU.


I've always wondered if these really work. We all use these EULAs and TOS that essentially say "you can't sue us for anything no matter what!" but I have a feeling that kind of thing doesn't actually hold up in court.


It doesn't; that's why they have:

> Severability
>
> In the event that any provision of these Terms of Service is held to be invalid or unenforceable, the remaining provisions of these Terms of Service will remain in full force and effect.

In Australia, Europe and the UK, there are laws that make "unfair" clauses unenforceable... where unfair includes all kinds of things you see in every consumer level contract like no liability for death/injury or avoiding delivery with no notice or compensation.

For US examples, see "The Puzzling Persistence of Unenforceable Contract Terms" http://moritzlaw.osu.edu/lawjournal/issues/volume70/number5/...


In the UK the legislation is 'the unfair contract terms act 1977'. http://www.legislation.gov.uk/ukpga/1977/50 Also, the case law suggests that if you are providing a professional service your appointment should make it clear that you will take 'reasonable skill and care' in carrying out the services; otherwise you will be judged as to whether the service you have provided is 'fit for purpose', which is a much harder test to pass. I don't know if this test would apply to SAAS T&C's and IANAL by the way. Edit: Clarity & Bad grammar.


I am neither a judge nor a lawyer, yet I can assume that most of us simply lie when we click on "Yes, I have read, understand and agree to the terms!" buttons.

None of us read them (most of us TBMA), but we "sign this contract".


Most people don't read the terms of service, but they do read the marketing copy. If the marketing copy contradicts the terms of service, the contract should be based on the marketing copy. The terms of service should not be a license to make false or misleading marketing claims.


If the marketing copy said something like "if we screw up, you can sue us" while the TOS says "we can't be held liable if we screw up", then that might be relevant. However, I've never seen dropbox say anything like that in their advertising, so there doesn't seem to be any contradiction.


No, it should be what you agreed to regardless of whether you were too lazy to read it or not.


Are you advocating false advertising? It's ok to mislead your customers, just so long as you cover yourself in the EULA?


Here's some attorney practice materials (a whitepaper) on the California's Unfair Competition Law: http://www.stroock.com/SiteFiles/Pub168.pdf (PDF). In the first paragraph it is described, quoting a CA Supreme Court Justice, as "a standardless, limitless, attorney fees machine" that, because of its "broad and sweeping provisions," "will continue to be alleged in almost every consumer protection action."


IANAL but an advantage of this lawsuit is that Dropbox will be forced to disclose in greater detail what happened, and we will be able to determine if the "1% of accounts possibly compromised" really was that low (it probably was, but given the seriousness of the bug, and their tendency to downplay this, confirmation would be good). As it stands currently, users are forced to rely on scant information released by Dropbox.


The number of comments supporting Dropbox in this thread astonishes me. It seems like people think that such "engineering" mistakes are acceptable in the software/web industry. But let me ask you: What if a construction engineer made a little mistake (humans err, right?) when building that bridge? Maybe nothing happens, but believe me he will get sued and no one here would object.

Sure, in the latter example people could get killed, but a big security error with Dropbox could also lead to serious personal damage (personal health documents published, business confidentiality breached, etc, etc).

It seems like people don't understand that building a "structure" in the software world should be the same as building a "structure" in the real world. Would you not sue the safe company that produced a safe that just opened by itself the day you were robbed (leading to theft of personal important documents, money, jewelry)? Would you not sue the producer of an over-heating oven that leads to your house burning down?

Why do people assume that it is acceptable to make mistakes in the software world, but not in the "physical" world? Maybe this points towards some kind of basic problem with the software/web business model. Maybe all these free/premium products are really too cheap (and can be so cheap because they are inadequately produced). Maybe we need to accept that these ship-quickly products are not really acceptable, that there really needs to be considerable investment into such products (and thus increasing prices)...

Note: I do understand that nobody would accept a 50/50 % chance-of-breaking bridge, but may very well accept a 50/50 % chance-of-being-breached "Dropbox". But then don't advertise differently.


You assume that the word "engineering" means the same thing in bridge building vs. software development. It doesn't. These activities are no more alike than software development is to, say, writing novels.

If you really want to compare software to bridges, imagine that humans had written the same simple program millions of times over thousands of years. We'd be pretty good at it by now. (Even that analogy, though, doesn't level the playing field. The physical world is not programmable.)

> Why do people assume that it is acceptable to make mistakes in the software world, but not in the "physical" world?

We know the answer to this. It is possible to make software that has very low defect rates -- among other things, you have teams of programmers intensively review every line of code -- but these practices have drastic consequences: projects become massively more expensive, development slows to a crawl, and innovation is greatly restricted. There are only a few fields where those tradeoffs are worth it. Elsewhere, they aren't close to being economic. The net benefit of software to society would be crippled if we built it this way. Of course we never would, because any software company trying to would be out-competed into oblivion.

As for Dropbox, when I see programmers jump all over other programmers for making a mistake, even a big mistake (or series of mistakes compounded), I think schadenfreude. People who engage in such gleeful condemnation are making an implicit claim to their own perfection. I'd think twice about doing that.


I do understand the difference between engineering in the "real world" and the "software world". There is no doubt that the latter is immensely more complex (see Fred Brooks).

Nonetheless, in cases where somebody may get hurt (physically, emotionally, financially, etc) we have to make a greater effort. All I was saying is that we have to either lower our expectations of how good affordable software can be or accept much higher costs for it.

Dropbox love to advertise that they are an extremely safe solution to data storage, thus leading people to believe that their data is safe. Unless every line of code in the authentication module is reviewed and checked and tested, that statement cannot be true. So there is a paradox there.

I guess I may have positioned Dropbox too extremely, but Dropbox breaking is much worse than say a music application, some game or other non-critical software. And with Dropbox I believe that development should be approached more like NASA would do it than EA would. People can get hurt!

"As for Dropbox, when I see programmers jump all over other programmers for making a mistake, even a big mistake (or series of mistakes compounded), I think schadenfreude. People who engage in such gleeful condemnation are making an implicit claim to their own perfection. I'd think twice about doing that."

Believe me that that was not my intention. I am without doubt not as good a programmer as anybody at Dropbox!


I can't help but wonder if all of this might have gone away had they even just appeared to take this issue seriously. They didn't even bother to reply to my request for access logs on my account, personally.


Here's the actual complaint:

http://www.courthousenews.com/2011/06/24/Dropbox%2016.pdf

Claims (bracketed comments mine):

1. Unfair competition (per California's law) caused damages [by for instance causing people to pick Dropbox instead of some other less expensive storage solution.]

2. Invasion of privacy, for which punitive damages are being sought.

3. Negligence [for enabling that invasion of privacy], for which actual damages are being sought [whatever those might be... maybe things like, billable time being spent moving files off Dropbox?].

4. Breach of express warranty, for which the purchase price of Dropbox is sought.

5. Breach of implied warranty, for which the purchase price of Dropbox is sought.

Not a lawyer, am a security practitioner, somewhat versed in the issues here, and:

This probably doesn't go anywhere. Don't these cases have to pick up a certain amount of steam before they matter? My sense of it is, as bad as the security lapse at Dropbox appears to have been, it was an issue primarily for the geekerati; "my mom" probably doesn't care, and might even assume stuff like this happens all the time. If it did go somewhere, presumably Dropbox would just provide vouchers for refunds for people who want to close their accounts.

There is, as I understand it, still no formal standard of due care required for software vendors. There was no slam-dunk tort available for the plaintiffs in the CardSystems case, where a card processor lost millions of credit cards. Similarly, lapses in Microsoft code enabled tens of millions of machines to be compromised during the "summer of worms", and the class action case brought against it was dropped as well.

Meanwhile, contract law is of little use, because virtually every professional piece of software is shipped with an airtight contract limiting the vendor's liability for defects. This complaint alleges some form of breach of contract, but it's entirely possible that such a claim dies a quick death when reconciled against the Dropbox user agreement, which surely says something to the effect of "shit happens, if you can't deal, use an external hard drive instead".

For a 2005 perspective on the issue by two law professors, which reaches the conclusion that we need to create a whole new tort ("negligent enablement of cybercrime") to address the issue, check out:

http://www.law.suffolk.edu/faculty/addinfo/rustad/rustad.koe...

Without going into another 7 grafs of noodling about whether software liability is a good idea or not, let me just say one thing I'm fairly confident of: the industry cannot afford a "due care" standard for software. Security flaws happen all the time, in everything anyone ships. You don't hear about most of them. Simple supply & demand has driven software security bill rates to very high levels, and that's largely without any legal mandate that would effectively require everything to get assessed.


I wonder if the developer who caused the bug got fired. As a developer, this is one of the few nightmares I get at night :) (making a small change and bringing everything down)


Every developer makes mistakes, to err is human.

With that understood, systems and processes should be designed to catch the errors early and hopefully long before they reach live.

This is the insurance policy that TDD gives you, this is why you make all of those unit tests, functional tests, etc.

I wouldn't sack a developer who did this, I'd look at my processes and ask why they didn't catch this. After all, if 1 developer can push low quality code to production, then they all can.

The problem isn't with the developer... as with everything in the cloud, expect failure and design to handle it. Sometimes the failure is human, so design to handle that too.


> This is the insurance policy that TDD gives you, this is why you make all of those unit tests, functional tests, etc.

TDD was discussed with Greg Wilson on a recent Stackexchange podcast (http://blog.stackoverflow.com/2011/06/se-podcast-09/) and the (early) evidence seems to be that TDD does not improve quality:

[...] while Test Driven Development is very popular right now, a survey of all of the studies that have been done on TDD have shown that the better the study done, the weaker the signal as to its benefit.


I understand.

However I didn't claim it improved quality, just that it's an insurance policy.

What I mean by that, is that you pay up front in time, to help protect against things going wrong in future... such as shipping code to production that allows anyone to login to anyone else's account.

All unit tests are, are externalised asserts about what your code should and shouldn't do.

There should certainly have been one that said, "User A should not be able to login to User B's account.", or at the very least "Login should fail when the password is not right.".

My point remains: You should expect people to make errors from time to time, just like you expect servers to go down from time to time. Whilst you're busy handling what happens when servers fail, you should also be busy thinking about how to deal with human errors too... and that means detecting and catching those errors early so that the impact that they have is minimal.
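As an added illustration of the "externalised asserts" point above (example code, not from the thread and not Dropbox's code): a hypothetical password check, a constructed broken variant that computes the hash but never compares it (the failure mode the thread describes, where any password logs in an existing user), and a small test harness holding the two assertions the comment names. The harness returns the failed checks, so the same tests that pass on the correct function flag the regression.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Optional, Tuple

# Constructed in-memory user store for the example: username -> (salt, hash).
# Iteration count is kept low so the example runs quickly; it is illustrative only.
PBKDF2_ITERATIONS = 20_000
UserStore = Dict[str, Tuple[bytes, bytes]]


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(store: UserStore, username: str, password: str) -> None:
    salt = os.urandom(16)
    store[username] = (salt, hash_password(password, salt))


def authenticate(store: UserStore, username: str, password: str) -> Optional[str]:
    """Correct check: returns the authenticated username, or None on failure."""
    record = store.get(username)
    if record is None:
        # Do the same work for unknown users so they are not distinguishable by timing.
        hash_password(password, b"\x00" * 16)
        return None
    salt, expected = record
    if hmac.compare_digest(hash_password(password, salt), expected):
        return username
    return None


def authenticate_broken(store: UserStore, username: str, password: str) -> Optional[str]:
    """Constructed regression: the hash is computed but its comparison was dropped,
    so any password (including an empty one) logs in any existing user.
    This models the failure mode the thread describes, not Dropbox's real code."""
    record = store.get(username)
    if record is None:
        return None
    salt, _expected = record
    hash_password(password, salt)  # computed, never compared
    return username


def run_login_tests(auth: Callable[[UserStore, str, str], Optional[str]]) -> List[str]:
    """Externalised asserts about what login must and must not do.
    Returns the names of the failed checks; an empty list means all passed."""
    store: UserStore = {}
    register(store, "alice", "correct horse battery staple")
    register(store, "bob", "hunter2")
    checks = {
        "login fails when the password is not right":
            auth(store, "alice", "not her password") is None,
        "login fails with an empty password":
            auth(store, "alice", "") is None,
        "login fails for an unknown user":
            auth(store, "mallory", "anything") is None,
        "user A cannot log in to user B's account with A's password":
            auth(store, "bob", "correct horse battery staple") is None,
        "login succeeds with the right password":
            auth(store, "alice", "correct horse battery staple") == "alice",
    }
    return [name for name, passed in checks.items() if not passed]


if __name__ == "__main__":
    print("correct:", run_login_tests(authenticate) or "all checks passed")
    print("broken: ", run_login_tests(authenticate_broken) or "all checks passed")
```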


Certainly, this was the CTO himself who quickly thought of a hack to reduce login times by a factor of 10, e.g. by logging in all users ;)


You make a mistake >>> You got served!

The American justice system sucks.


Not true. Just look at Wall Street. How many of those firms were sued?


This is a valid response if you ask me.

There is a culture of half-arsedness with some businesses where they don't respect users' security and privacy requirements. This is partially down to plain old incompetence but in my experience it's usually down to the fact that if doing something properly and testing it properly doesn't add business value, then it's not done. At the risk of pissing people off here: that culture is prevalent amongst startups.

They screwed up, they're getting sued. They should have tested it properly.

If this was a public organisation that left everyone's files in an open skip overnight they'd get sued too.


I'm no lawyer, but wouldn't Ms. Wong have to prove actual damages occurred as a result?


More startups need to be sued for their failures. Maybe then there will be less ridiculous startups for services that are not secure.

