Dropbox telemetry can't be disabled (dropboxforum.com)
416 points by Xeanort on April 27, 2023 | 242 comments



Wouldn't get this with an FTP account, mounting it locally with curlftpfs, and then using SVN or CVS on the mounted filesystem.


Or use an open source client without telemetry such as https://maestral.app


This. Recently came back to macOS after a decade on the other side, and one surprise was how terrible the official Dropbox client was. Installed Maestral instead and it just works -- just like Dropbox used to.

<begin rant>I see Dropbox as one of the biggest failures of the VC model. If only they had been bootstrapped, they would probably have stuck with their initial sync offering: A perfectly executed solution to a problem everybody has. And a small team could have made a good living here -- even with reasonably priced non-free options. Instead I imagine some VC partner convinced them to "grow their market" (or maybe "prepare for cloud"), and now they are descending into irrelevance. <end rant>


Yeah, I remember when they were briefly going to solve the problem of being a universal translator of file formats. They announced this at a conference I attended and I could see the thought bubbles of everyone in the audience: What? That will fail, are you nuts?


Yeah, I bailed around the time they switched to a gigantic electron app and increased the prices with no added functionality that I wanted.


I've never had a single issue with dropbox on 3 macs in 10 years. Plenty of issues with google drive and one drive (or whatever its newest name is).


Yea same. Have Dropbox on all my macs, ipads and iphones, never a single issue whatsoever.


Sure, but without VC money the product space wouldn't exist at all, at least not as a free service.

Who doesn't want free storage? No one, that's who.

See also: everything from Sourceforge to Docker Hub. Very few can complete the transition into a paid service.

The important distinction is whether you sell a product or a service. Dropbox is clearly a service, but it's easy to envision a product instead.

Had the user paid for storage up front, the product would be incentivized to support multiple backends to be able to compete on cost. But it doesn't, because it is the storage service that is the actual thing being sold.


People have been burned enough times by now that any fly-by-night that shows up promising free storage gets taken with a huge grain of salt.

Why would I upload my data for you to hold for free if history shows you are going to be gone in 6 months?

So to answer your question "Who doesn't want free storage?", everyone who's been burned before, that's who.


...Or worse, they start mining and monetizing your personal data under the pretense of a "free" service. There's no free lunch.


Eh. Just set up syncthing. Came back to it about a year ago, and it's worked flawlessly across 5+ devices with ~8 synced folders ever since.


I use that to sync savestates between RetroArch on mobile, desktop and laptop. No need to worry and I can resume my games wherever I am.


Syncthing, while indeed amazing and my go-to for personal file sharing, might not go well with your corporate policies. An alternate program, like InSync, allows you to disable telemetry on Dropbox, OneDrive and Google Drive at the same time, and is easier to justify.


Syncthing is indeed amazing. I've been using it for the last years, had some problems way back, but haven't seen a single issue over the last year or so.


Worth mentioning that Syncthing doesn't have a cloud part, while DB does. That said, I've been running it since the very beginning, even before it became public/known, and it has never failed me so far.


Syncthing does encrypted nodes now, so I have an encrypted laptop node running offsite; that, coupled with a mostly-on desktop pc and an always-on headless mac mini running void, and I have a 100+GB 'cloud' with syncthing.

Honestly, the best way I found to prevent sync errors is to make sure there's continuity...that there's always some computer, somewhere, that's running and knows what the latest version actually is.


> Worth mentioning that Syncthing doesn't have a cloud part, while DB does.

I see that as a huge plus for Syncthing.


“On other platforms, you can install the Python package or a Docker image based on Alpine Linux” isn't going to fly for a lot of users, though maybe there is quite an overlap between people who know the details of why they might want to install it and people with the ability to.


If you're using Windows at this point, you must have decided that this sort of telemetry is acceptable for you. It's about the same level as the stuff you can't disable in current versions of that OS.


Other platforms being Windows? :^)

That's a valid point though, I hope somebody contributes a Windows GUI at some point.


Hey, thanks for this. I didn't know that it existed and it gets around the limits for the maximum number of devices with the official client without a paid plan. I had whatever the max number of sync'd devices + 1 before they limited the device count. It wasn't a big deal because the last device was infrequently used, but it was annoying that the terms changed.


Why is there no similar alternative for ProtonDrive? Missing public API? Too secure?


I wish there would be a Google Drive equivalent of this.


If you're using Linux with GNOME desktop, GVFS can mount Google Drives automatically once you set your google account up in GNOME Online Accounts.


Dangnabbit: no Windows option.


Excellent reference


For reference, it refers to the first comment under the announcement of Dropbox: https://news.ycombinator.com/item?id=8863


This is the HN equivalent of “No wireless. Less space than the nomad. Lame” https://m.slashdot.org/story/21026


second comment:

> Plus, you can use it as a portable disk. No "content protection". Yay!

good times


In the grand scheme of things, music bought on iTunes was only DRMd from 2003-2009. Steve Jobs actually proposed to the music industry to allow it to sell DRM free music as early as 2007 in his famous “Thoughts on Music” open letter that at the time was posted on the front page of Apple’s website.


BrandonM was right all along. Nowadays you'd probably use "rclone mount" or sshfs though.

(For anyone wondering the parent is channeling https://news.ycombinator.com/item?id=8863)


I bet you could set all that up over a weekend too


If you go with a modern equivalent ("rclone mount" or sshfs) you could probably set those up faster than the Dropbox client.


… sshfs pointed to your rsync.net account.

Your immutable daily snapshots would be mounted in your local file system in:

(Mount point)/.zfs/snapshot

… and even Mallory can’t alter them since they are read-only.


I switched away from Dropbox to Syncthing https://syncthing.net/ a few years ago. Running it on Windows, Mac and Linux (I don't use it on mobile) to keep all manner of files in sync across a bunch of machines. While it doesn't have all the shell integration and end-user friendliness of Dropbox, it also doesn't have the pitfalls like (non-optional) telemetry and constant up-sell.


Syncthing is so much better than Dropbox. There are no accounts, so it's much easier to set up syncing between multiple machines that may not belong to the same user, or to shared devices. I use it to sync family documents, work documents, for syncing Factorio save games, ...

I've also never had problems with CPU usage (Dropbox often caused high CPU usage in some cases)

The only downside is that background sync on iOS with Möbius Sync doesn't work reliably, but I think that is mainly because of how Apple cripples background processing. It does sync quickly if you manually start the app.

It's a bit challenging for new users (you need to understand machine keys, folder identifiers, ignore lists), but once it's set up it just works.


> much easier to set up syncing between multiple machines that may not belong to the same user

I always thought this as one of the bigger value-adds of Dropbox; easy cross user management and sharing.


I have used Dropbox and have set up Syncthing for myself and my opinion is that:

Syncthing is relatively easy for the average HN user.

Dropbox is relatively easy for the average non-HN user.

Neither is hard, but Syncthing requires some background understanding of computers.


But Dropbox's business model requires them to use accounts -- as far as I know you can't set up Dropbox on a shared device without signing into an account. This makes it harder than necessary to set up Dropbox in some scenarios.

Sure, they make it as easy as possible to get started, but "easy to use" for first time users does not mean "easy to use" for people who are willing to spend a few hours to read the docs.


Möbius Sync is more IAP cancer, unfortunately.


IAP cancer? It's a one time payment for an app that does exactly what it says in the description.

Do you expect all developers to give away their apps for free?


They had to do a lot of extra work to make things work on iOS and it does work. I think it was $6 for a full license?

I happily paid for it and use it to this day.


I'm really happy that Möbius did the job that the Syncthing devs don't want to do themselves. It's the beauty of open source.

The only people who complain about it are those who think "open source" = "I get everything for free".


Closed source proprietary software is not "the beauty of open source".


The SyncThing developers wrote on their website that they don't offer an iOS client because Apple doesn't properly support background processing. It seems that the SyncThing developers don't care about iOS.

But here's the beauty of Open Source: anyone can download the source code and try to get it running on iOS.

Now Möbius found a way to get SyncThing kinda working on iOS, and for a small fee you can install it on your iPhone. The wrapper they built around SyncThing isn't open source, but for Möbius customers that doesn't really matter. They just want something that works. And through the beauty of Open Source, someone was able to build it for them, and they get to make a little money with it!


Yes, many proprietary software developers who don't respect the freedoms of users make money piggybacking (some might say parasitically) on open source software releases.

I'm not sure what this has to do with open source, however. These people aren't even part of the free software community, as they obviously don't care about software freedom.


It sounds like you are confusing open source with copyleft.

Copyleft is a great thing, but it's also fine for things to be open source and not copyleft.

I can use syncthing because of Mobius. If Mobius did not exist, I would either have to pay a bounty to get someone to port Syncthing or use something else. That bounty is more than $6.

You can still port syncthing yourself. Mobius is not stopping you! You'll have to pay Apple $99 a year, and you will have to handle the app store process, and all - but you can do it. Neither syncthing nor Mobius will stop you.


Free software has nothing to do with copyleft. Neither does respecting the freedoms of the user.

I release all my software into the public domain; it's not copyleft at all, but it is free software, and it does respect the freedoms of the user.


That's very nice of you.

Why don't you make a free iOS version of SyncThing? There's a lot of people out there who would appreciate it.


Joining the Apple developer program requires that you dox yourself to Apple, and ties that government identity to device hardware serial numbers. I buy my Apple devices for cash and use each one with a unique disposable Apple ID created with a burner email address and burner prepaid phone number.

This is also one of the reasons I can't pay for IAP cancer - attaching payment methods links identity to the Apple ID and hardware serial number.


I did the same. Plus I'm also using it on my Android phone. Replaces Dropbox completely unless I want to share something with other people. But for that case I usually use the Sharing feature from Synology NAS.


Oh I also have shared folders with other people. We used to use it for sharing audio files between podcast presenters, which worked well enough. I have half a dozen folders in my $HOME, shared with different groups of people.

I also have Syncthing installed on my home server which gets backed up. So I have a copy of all my files backed up there, in the event a laptop goes missing or dies.

The only use case I haven't yet covered is an off-site backup of my Syncthing folder, which would be sensible. I just don't know who I can trust with it.


A word of caution for anyone planning to use syncthing for backups.

Syncthing is designed as a sync solution but not explicitly for backups. You need some extra setup on top of the defaults for building a reliable backup solution.

If not set up correctly, any "mistakes" from one of the devices will automatically be synced to other devices and cannot be retrieved back.

In the case of a lost/stolen device, make sure you remove the device as soon as possible. If not, a bad actor now possessing the device can delete and sync that back to your "back-up" devices too.
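
Added example (not part of the comment above, and not Syncthing project code): a Python check of a backup node's Syncthing `config.xml` for the two risks that comment describes, namely folders that accept remote changes with no file versioning, and the folders a lost device could still push deletions into. The sample config and device IDs are constructed; the element and attribute names (`folder`, `type`, `device`, `versioning`) are the ones Syncthing writes to `config.xml`.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a backup node's config.xml, trimmed to the parts read here.
# Device IDs are placeholders; real Syncthing IDs are long base32 strings.
SAMPLE_CONFIG = """\
<configuration version="37">
  <folder id="photos" label="Photos" path="/srv/backup/photos" type="receiveonly">
    <device id="LAPTOP-EXAMPLE-ID"></device>
    <device id="BACKUP-EXAMPLE-ID"></device>
    <versioning type="staggered">
      <param key="maxAge" val="31536000"></param>
    </versioning>
  </folder>
  <folder id="docs" label="Documents" path="/srv/backup/docs" type="sendreceive">
    <device id="LAPTOP-EXAMPLE-ID"></device>
    <device id="PHONE-EXAMPLE-ID"></device>
    <device id="BACKUP-EXAMPLE-ID"></device>
    <versioning></versioning>
  </folder>
  <folder id="exports" label="Exports" path="/srv/exports" type="sendonly">
    <device id="LAPTOP-EXAMPLE-ID"></device>
    <device id="BACKUP-EXAMPLE-ID"></device>
    <versioning></versioning>
  </folder>
</configuration>
"""


def _folders(config_xml):
    """Yield (id, type, versioning_type, device_ids) for every folder element."""
    root = ET.fromstring(config_xml)
    for folder in root.findall("folder"):
        versioning = folder.find("versioning")
        vtype = versioning.get("type", "") if versioning is not None else ""
        devices = [d.get("id") for d in folder.findall("device")]
        yield folder.get("id"), folder.get("type", "sendreceive"), vtype, devices


def accepts_remote_changes(folder_type):
    # A send-only folder does not apply changes coming from other devices.
    return folder_type != "sendonly"


def audit_backup_node(config_xml, local_device_id):
    """Folders where a remote delete or overwrite leaves no old copy on this node."""
    findings = []
    for fid, ftype, vtype, devices in _folders(config_xml):
        if accepts_remote_changes(ftype) and not vtype:
            peers = [d for d in devices if d != local_device_id]
            findings.append({"folder": fid, "type": ftype, "peers": peers})
    return findings


def exposure_if_lost(config_xml, lost_device_id):
    """Folders a lost device can still change here, with whether old versions are kept."""
    exposed = []
    for fid, ftype, vtype, devices in _folders(config_xml):
        if lost_device_id in devices and accepts_remote_changes(ftype):
            exposed.append((fid, bool(vtype)))
    return exposed


if __name__ == "__main__":
    for finding in audit_backup_node(SAMPLE_CONFIG, "BACKUP-EXAMPLE-ID"):
        print("no versioning:", finding)
    for fid, recoverable in exposure_if_lost(SAMPLE_CONFIG, "LAPTOP-EXAMPLE-ID"):
        print("exposed to lost laptop:", fid, "recoverable" if recoverable else "NOT recoverable")
```

Run against a real node by passing the contents of its `config.xml` instead of `SAMPLE_CONFIG`; removing the lost device from every folder it appears in is what closes the exposure.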


Yeah, no, easier to block the telemetry domain than deal with such a huge risk of losing everything


You can try to use the untrusted device functionality, the data is encrypted on the sending device. Word of caution, it is still beta, and in my experience, it is kinda hit or miss, for some folders it worked beautifully, for another, it simply did not sync after the initial configuration.

https://docs.syncthing.net/users/untrusted.html


You can install a cron job which compresses, encrypts and rsyncs/rclones your home backup weekly to somewhere. Or you can use BackInTime which can automatically encrypt and only back up changed files, again to a remote location.


Syncthing saved my ass last month. My Framework laptop got stolen while I was traveling. I was able to pick up a second-hand MacBook Air, connect it to my introducer, and within a few hours I had all my files back.

I have a Pi with software RAID and two HDDs running Syncthing in my apartment. I rent a cheap Storage VPS from time4vps.com which is untrusted and set as an introducer--meaning, the data is encrypted before it reaches the VPS, and as an introducer it will announce devices to one another. My (former) laptop and an iMac where I do all my work are always in sync. If I need to add a new device, I only have to connect it to the VPS and suddenly all the other devices know of it.


nice setup, do you maintain the project too often? Does it go obsolete due to any update? Or is that just ssh and scp?


It’s surprisingly easy to maintain. I’m not someone that enjoys tinkering with shit like this to be honest, but I didn’t want to put my entire photo collection and what-have-you on Dropbox. Setting up the software raid was difficult. I ran into a tar pit with that, but it turned out the Pi can’t power two drives at once, and a powered USB hub was all I needed. Otherwise, I’ve only sshed into the VPS a handful of times in the year that it’s been running. I haven’t had to touch Syncthing on the Pi. I probably need to run apt upgrade somewhere, but it’s all working fine.


why not use the syncthing introducer thingy? You concerned they gonna spy on the packets or what?


That's not what an introducer is. It's an easier way of configuring which computers can synchronize with each other, not to be mistaken for a relay.


I use Syncthing too, but only between my local machines. I don't use it for cloud backup because I've never found 2 TB of cloud storage as cheap as Dropbox. If anybody knows of such a vendor I'd love to hear about it.

Edit: I should further qualify that I'm not interested in solutions that would lock me into Apple's walled garden or anybody else's.


If you’re okay with a VPS, Servarica’s 2022 Black Friday offerings (which are still available) have a 2 TB HDD VPS for $48/year.


I haven't heard of them before, but those prices are almost _suspiciously_ good. Have you found them to be reliable?

Edit: they're using the older unity logo for their "disk" column. That doesn't inspire confidence in their legitimacy.


I'm using mine primarily as a redundant backup host. So, for that usage, they're perfectly reliable and functional.

However, the machine is absolutely slow. It usually takes a few seconds before SSH brings me to a shell prompt. Web apps I have running on it (basically just Gitea and Vikunja at the moment) can take upwards of 10 seconds to render pages, and it's just me using it. If you just want a storage host, they're fine. Running your website off it? I would probably not recommend.

Reliability, I have not had any issues so far, but I'm hardly a power user. My own personal anecdote is that my backups get validated monthly and, so far, have not had any issues.

I would probably agree that these machines alone would not suffice to make a good Dropbox alternative if what you're storing there isn't backed up elsewhere. I would recommend supplementing with off-site backups to B2 at the very least.


This looks ideal. Thanks!


Update: Servarica won't take my money.

They won't let you sign up from a VPN. That's annoying but it doesn't affect me. Maybe they're trying to prevent Russian bots from signing up or something. Fine.

But after I gave them a valid credit card and billing address, they still won't take my money. Here's their support response:

"Your IP address does not match with the location you have provided. In order to accept your order your IP address must match the actual location from where you are placing the order."

Ohh kaay. I'm traveling at the moment in a different US state from my billing address. I'm not in Mongolia. And even when I'm at my billing address, my main ISP is Starlink, whose primary ground stations for me are also in a different state than I'm in. So I routinely see banner ads on websites for stores that are 500 miles away.

It's par for the course for non-technical companies to assume that IP geolocation is in any way accurate. But a cloud VPS company should know better.

Fail.


The essential feature that Syncthing as a Dropbox replacement lacks is public sharing.

Although requested by many users throughout the years, the maintainers never considered it seriously.


And I'm glad they didn't. The mere existence of such a feature would make me worry about unintentionally enabling it and exposing private data as a result.


You don’t expose data just by enabling the sharing, because it’s only accessible via a URL containing a hash-like identifier that can’t be guessed. It’s not more realistic than someone guessing your Syncthing password.


Unfortunately this is not true. Your browser likes to send any URLs it comes across to indexing services. If you share the link via Discord or whatever, it'll be scraped.

This is also just very outside Syncthing's functionality.


> Unfortunately this is not true. Your browser likes to send any URLs it comes across to indexing services. If you share the link via Discord or whatever, it'll be scraped.

You still have to manually create the URL first. You don't need to worry about accidentally having everything exposed because the feature is enabled.

> This is also just very outside Syncthing's functionality.

The context was specifically "as a Dropbox replacement".


It is a problem if you use Edge: https://news.ycombinator.com/item?id=35703789


This is probably better done via a different app.

I sometimes use croc to do one time file sending.


I use Dropbox for transfers between Linux and iOS, so syncthing doesn’t help. Is there something similar that supports iOS?


The Tailscale cli has a file transfer function that works well between linux and iOS.


Tailscale's Taildrop


What end-user friendliness is missing from syncthing?


Many times on HN, commenters have mocked those who questioned why someone would use Dropbox instead of a method controlled by the user. I guess because someone made lots of money from it or it became popular or something. I always found this perplexing because I look at solutions from the perspective of the user, namely, me, not from the perspective of a third party "tech" startup founder. It's insensitive to the people on HN who want to other tried and true solutions. "Other people are using Dropbox, so you should too." Who cares. Every user is different. If someone wants to use something else besides Dropbox, why harass them. I could care less what "99%" of users are doing. I care about what I'm doing.

I confess I have never used it. I still rely on USB sticks for a variety of tasks, more than simply transferring files. Anyway, for me, this telemetry nonsense would be one reason I would avoid Dropbox.

Maybe there will someday be telemetry in USB sticks. We'll see. Meanwhile...


> I guess because someone made lots of money from it or it became popular or something.

No, it’s because it was useful and simple in a way that non-techies could and would set up and use. That’s why Dropbox got popular.


Even as a techie, why would you put in the work to set up your own thing?

Though, I moved away from Dropbox long ago when they introduced device limits. One phone, one laptop and one triple booting desktop -> over the device limit already.


> Even as a techie, why would you put in the work to set up your own thing?

As a techie, I do this so that I can maintain control and trust, and so that when something goes wrong, I can fix it instead of just refreshing the status page of the service and hoping.

I in no way think that anyone else should do like me, but when people are having trouble with a service, I will mention options that involve not needing that service.


Putting in the work to set up your own thing is great. You learn a lot, if you're doing it at an advanced level you start to understand some of the designs/tradeoffs that the commercial products made.

Keeping that running and reliable and operating it for years or decades sounds like an absolute nightmare and I'd suggest avoiding that at all costs.


> Keeping that running and reliable and operating it for years or decades sounds like an absolute nightmare

But it's not. I run many such services for myself, and keeping them running and reliable hasn't been a large burden.


I run a lot of my own things on my network. It is a nightmare, but I still do it. If I had more money, I would absolutely outsource this process.


Interesting. I wonder why our experiences are so radically different?


Because the things you consider work and what you consider a large burden is different for everyone.

As an example.

I exclusively run hosted apps for email and chat at this point (Outlook/Gsuite/teams/slack/etc).

I use Plex for most of my personal media consumption.

When outlook/gsuite/teams/slack/etc stop working, I realize there's nothing I can do, lots of engineers are fixing it and I move on to some other task.

When Plex stops working, it doesn't come back online until I do something.

Maybe it's just restarting its container, maybe some update broke something and I need to downgrade, maybe the spinning bit of slowly rusting metal in my basement failed and I'm going to spend the next week fighting with mdadm because the raid rebuild goes poorly. It happens. If you're self-hosting, even if you want to claim to be perfect at deploying/running software and even if you think you can constantly upgrade things without any issue or even if you think you can leave things running on old software forever, something will eventually break. Probably software at times, definitely hardware will break.

Do you see fixing and troubleshooting these kinds of issues as a burden, or a large one? That's the question.

At this point in my life I do. If not for the cost, I'd run absolutely everything on the cloud.

The amount of free time I spend with computers is not infinite and I'd prefer to spend it doing fun new things rather than troubleshooting for the 30th time why some random ISP I was trying to send mail to is blocking my home mail server. Been there, done that, burned the t-shirt out of frustration.


Well... if you run owncloud (or any other alternative in fashion) you need off site backups and a plan for disaster recovery to match what an external service can offer. Backup machine or funds to get one at short notice.

If you use a 3rd party service they'll handle that too.

It's not the initial setup that's the problem.


> you need off site backups

Yes, but that's not technically difficult or time-consuming.

> a plan for disaster recovery to match what an external service can offer.

I'm not sure what you really mean by this. Isn't that what the backups are for?


> > you need off site backups

> Yes, but that's not technically difficult or time-consuming.

Yes, you just pay for some server space on a cloud service... oh wait...

The point is all this trivial to do stuff just adds up, and sometimes it does make sense to use a 3rd party.

Your pain threshold may just be larger than mine.


> Yes, you just pay for some server space on a cloud service...

Which is far from the only solution. I have automated off-site backups without involving the cloud.

> sometimes it does make sense to use a 3rd party.

Of course. I'm not arguing otherwise.

> Your pain threshold may just be larger than mine.

Perhaps, but I suffer very nearly zero pain on this. I probably spend a couple hours a month maintaining my systems on average.


> Yes, you just pay for some server space on a cloud service... oh wait...

I consider dumb storage for encrypted data to still be sufficiently under my control.


I switched from Dropbox to pCloud. They claim to offer an encryption option. I haven't studied it but it's there.


To be fair, nowadays setting up syncthing is trivial for a techie and keeping it running isn't harder than keeping dropbox running on your computer.

At the time dropbox launched, there wasn't anything this convenient.


Dropbox became popular because, from the perspective of 99% of users, it provides an incredibly simple and effective UX for syncing files across devices and locations. And better UX is enough to be a billion-dollar company.

Of course you can use whatever you want.


> I confess I have never used it. I still rely on USB sticks

Phew boy. You really should try dropbox or a competing service.*

Picture this:

1. Double click a file
2. Type some words
3. Save the file

That's it. There is no step 4. Your file is now synced to all your other computers and to any colleagues who also need that file.

Seriously you shouldn't be using USB sticks these days. Also - I'm guessing you haven't started the transition to USB-C yet? USB sticks are going to get really painful when you do.

(* I use a competing service - more than one actually, but I have used dropbox in the past and it worked well. I just didn't like the direction the company was taking it. This story is yet another example of that)


> Seriously you shouldn't be using USB sticks these days.

Why not? You say that like there's a problem beyond not caring if there's a more convenient option.


> Also - I'm guessing you haven't started the transition to USB-C yet?

Shit, not more painful than nearly everything else. You're gonna need a USB-A/C hub anyway, unless you only use very new equipment and you've gone out of your way (and, not infrequently, spent more money) to make sure you get C instead of A versions of everything—lots of A devices still being sold.

If not for current-generation console video game controllers, I'd still have almost nothing in my house that natively uses C, aside from Macbooks and one newish iPad.

(However, I am, like you, a tad scandalized at the notion of favoring flash drives over network sync of some sort—I'm a luddite in a lot of ways, but god do I not miss losing flash drives, having them mysteriously fail in 6-24 months of light use [even the good brands! If anything, that part's worse now than it used to be], the "whoops, forgot to copy the file", not being able to have any of the stuff unless you physically have it with you, "let me just print this from my phone—oh, right, I don't have an adapter to plug a USB stick into it", etc. A bunch of extra stress and fiddling, to gain... ???)


We all know how it works. Some of us don't want the automatic syncing.


> I'm guessing you haven't started the transition to USB-C yet? USB sticks are going to get really painful when you do

Those USB sticks that are A on one end, C on the other are excellent. They are also great fidget toys.

https://www.rubbermonkey.co.nz/SanDisk-128GB-Ultra-Dual-Driv...


I have a Dropbox account, since eternity, but used it very rarely. Until I decided to remove my desktop computer from my life, and live with my Office PC and a laptop.

Suddenly I have ripped myself out of a lot of stationary storage space, and access to a lot of files in the process. Moreover, this change was also compounded by lifestyle changes, which reduced my computer time at evenings a lot.

Then, I realized that I used these files a lot, and I needed them where I am, regardless of the device I have with me. After that, I understood what Dropbox is about. I have all my files, everywhere I need, anytime I need.

Moreover, many of the bookstores and merchants deliver things I buy directly into my Dropbox. That's great. Even updates to these items arrive automatically.

I back up the whole thing weekly via rclone to a disk, and I'm happy.


I remember when Dropbox was new and it was possibly the only solution I could find to seamlessly sync files on multiple computers (or at least the only one I knew about).

There was this "Dropbox" folder in your home folder, and anything put in there would show up in the home folder on your other computer or operating system or eventually even your phone. I also knew about Apple File Sharing and it was basically that but much more intuitive and worked on separate networks and on Windows (maybe Dropbox was inspired by AFS and the write-only "Drop Box"). Drop Box just worked, and to less tech-savvy younger me that was the only thing that mattered.

Now we have 300+ other programs which can do the same thing, and I use Git/Github for syncing and woof/AirDrop for individual files, so no Dropbox for me. And probably not for most technical users either.

But the average non tech-savvy user still needs a cross-platform service which "just works". And I'm sure there are alternatives which also "just work", but Dropbox is popular, and they don't care about the telemetry.


I use git to sync code.

Do you use it for images, too? Maybe using a large file extension. Dropbox syncs around 2TB of random files successfully, and it seems like that is not something git is very good at (judging by game developers using Perforce or others to share files).

I am always open for recommendations to replace Dropbox. Even Gdrive (one of the most obvious alternatives) choked on performing the initial sync (of 2TB) last time I tried.


If, a big if, you don't need version control, rsync will do. It can handle any imaginable amount of data and it can work over ssh or for local file syncing. It is much, much faster than other solutions too.

It is my main tool to manage things that aren't code, and I give myself the ability to go back to older files or undelete things in a KISS manner by having multiple rsync destinations that are used in rotation.


Git LFS for large files. Or you may need to use a dedicated service designed for syncing so much data

I’m surprised dropbox handles those well. Unless things changed the free tier still has a <1TB storage limit. But it goes to show how much it “just works”


Thanks. I am talking about paid Dropbox and Gdrive plans.


Dropbox's specific popularity on HN may partially stem from its original backing by YC. It will have enjoyed additional exposure here thanks to that, and to be fair to Dropbox, it was a good product.

I say *was because I cannot speak for how it is now, I do not have any data to judge how it is now.

I stopped using it a long time ago – not because I disliked it, I just picked a different solution.


I’m still using it, but to me their service has become worse over time as more and more features were tacked on that I don’t want or need… and they are really not listening to their users who want a better experience instead of more junk. I’m also in the market for a better alternative, but haven’t found one so far that is as easy to use as Dropbox. I’d prefer to not have to manage my own servers.


I have heard good things about Syncthing but it depends on your use case.

https://syncthing.net/


> Maybe there will someday be telemetry in USB sticks. We'll see. Meanwhile...

I have had experiences where putting in a USB stick automatically installs malware on the computer.


That's only if your computer is configured to automatically run whatever autorun.ini specifies, which it really should not be.


Do you trust that the USB stick is just storage and not something additional?

Do you trust that the USB "power port" is just power and not a host?


Regarding rogue client devices: Suppose it's not just storage and instead is something additional, like a device for which the host will decide (without autorun.ini in this case) to install drivers, or interact in some other capacity along those lines. Can this automatically cause arbitrary code execution? I would not consider code supplied through official OS channels ("let windows search for a driver online" type of stuff) to be arbitrary, because those repositories ought to be trusted as not containing malware. Rather, by arbitrary I mean the USB device supplies the payload or supplies a URL that the OS requests, and then the OS automatically executes that. I've never heard of such a thing, but it's conceivable... source?

Regarding rogue host devices (not just a power port): I agree 100%, these are dangerous. Luckily a typical USB port on a Windows computer can only interact with client devices, not host devices, as far as I'm aware. The inverse of OTG doesn't seem like it would exist.


The most obvious rogue client device exploit is to pretend to be a mouse and/or keyboard, which on most devices will allow you to execute arbitrary code trivially, though not completely stealthily. "USB rubber ducky" is one such device available to consumers now. As for exploiting drivers: while the software might be 'trusted', I highly doubt that it is all actually secure. Emulating a USB device with a low-quality driver and then exploiting that driver by violating its assumptions about the hardware it's expected to be talking to is a rich field of potential exploits (even on linux, there's vast swaths of low-quality driver code which has nowhere near the hardening of the network stack).


> Can this automatically cause arbitrary code execution?

USB has capability to launch any arbitrary code that the user itself could without inputting any secret.

On anything that isn't the best protected Linux GUI (better protected than the configurations that everybody uses), this is enough to install a keylogger on your environment and sniff any secret that it's lacking (but root/administrator rights are overrated anyway).

There has been some work on restricting USB so that it can't initiate anything. But that brings extreme usability problems, so it's very rare for people to do it in practice.


> Do you trust that the USB stick is just storage and not something additional?

Yes, because it's my USB stick.

> Do you trust that the USB "power port" is just power and not a host?

Not if it's not my hardware. In that case, I use a data blocking dongle. Always practice safe Software EXchange.


This was a long time ago, probably windows XP, so don’t know if that is a fixed problem on newer operating systems. I learned to not put USB sticks in back then and eventually just never needed to.


Dropbox is in a rut because Microsoft used their monopoly power to move a lot of people to OneDrive. Which as a Microsoft product of course is all telemetry, no end to end encryption and a poor syncing experience. But the software comes with the OS and the subscription is included with Office 365.


Dropbox is popular because it's super-usable and works super-well. Approximately 0% of ordinary end users want to gaffer-tape something together by hand. (Happy Dropbox user here, but I've been tempted to do it by hand at times myself. If only rsync to s3 was easier ...)


USB sticks fail. Also the default file system is fat32 which doesn’t support journaling or file versioning.


I get that for some classes of "local-only" apps like compilers (famous from a recent discussion on the same topic), network communication can be surprising and therefore feel unnecessary. But for an app whose sole purpose is sending and receiving lots of sensitive private data to Dropbox servers, who has the energy to be outraged that there is also some other anonymous data sent such as program crash info?

I mean Dropbox has the contents of my files should I find it creepy or unnecessary that they know my RAM amount or what the last exception was?


I am on the fence as to whether I agree with you, but I'll embellish a certain aspect: these folks keep citing how the number of DNS lookups (what pihole reports/blocks) is extraordinary, exceeding all other vendors they use, which says pretty much nothing about the nature of the payload other than that Dropbox likely has very granular client uptime data. The client could cache the DNS response instead of doing so many lookups, and some amount of rage would disappear.
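To make the point about lookup counts concrete, here is an added example (not part of any comment in this thread and not Pi-hole's own code) that summarises a Pi-hole/dnsmasq query log per client and hostname. It assumes the standard dnsmasq log line layout; the log lines, client addresses and resolver address are constructed sample data, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in dnsmasq/Pi-hole log layout (not captured traffic).
SAMPLE_LOG = """\
Apr 27 09:00:00 dnsmasq[812]: query[A] telemetry.dropbox.com from 192.168.1.20
Apr 27 09:00:00 dnsmasq[812]: forwarded telemetry.dropbox.com to 192.0.2.53
Apr 27 09:00:00 dnsmasq[812]: reply telemetry.dropbox.com is 192.0.2.10
Apr 27 09:00:05 dnsmasq[812]: query[A] www.dropbox.com from 192.168.1.20
Apr 27 09:00:05 dnsmasq[812]: forwarded www.dropbox.com to 192.0.2.53
Apr 27 09:00:05 dnsmasq[812]: reply www.dropbox.com is 192.0.2.11
Apr 27 09:00:30 dnsmasq[812]: query[A] telemetry.dropbox.com from 192.168.1.20
Apr 27 09:00:30 dnsmasq[812]: cached telemetry.dropbox.com is 192.0.2.10
Apr 27 09:00:40 dnsmasq[812]: query[AAAA] example.org from 192.168.1.31
Apr 27 09:00:40 dnsmasq[812]: forwarded example.org to 192.0.2.53
Apr 27 09:01:00 dnsmasq[812]: query[A] telemetry.dropbox.com from 192.168.1.20
Apr 27 09:01:00 dnsmasq[812]: cached telemetry.dropbox.com is 192.0.2.10
Apr 27 09:01:30 dnsmasq[812]: query[A] telemetry.dropbox.com from 192.168.1.20
Apr 27 09:01:30 dnsmasq[812]: cached telemetry.dropbox.com is 192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) dnsmasq\[\d+\]: "
    r"(?P<kind>query\[\w+\]|forwarded|cached|gravity blocked) "
    r"(?P<name>\S+) (?:from|to|is) (?P<peer>\S+)"
)


def _in_scope(name, suffix):
    """True for the suffix itself and any hostname below it."""
    name = name.rstrip(".")
    return name == suffix or name.endswith("." + suffix)


def parse(log_text, year=2023):
    """Yield (timestamp, kind, hostname, peer) for recognised lines.

    dnsmasq timestamps carry no year, so the caller supplies one.
    """
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # reply lines and unrelated daemon output are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["kind"], m["name"].lower(), m["peer"]


def summarize_queries(log_text, suffix, year=2023):
    """Per (client, hostname): query count, time span, median gap in seconds."""
    times = defaultdict(list)
    for ts, kind, name, peer in parse(log_text, year):
        if kind.startswith("query[") and _in_scope(name, suffix):
            times[(peer, name)].append(ts)
    summary = {}
    for key, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        summary[key] = {
            "queries": len(stamps),
            "span_s": (stamps[-1] - stamps[0]).total_seconds(),
            "median_gap_s": median(gaps) if gaps else None,
        }
    return summary


def answer_sources(log_text, suffix, year=2023):
    """Per hostname: how the resolver answered (forwarded, cached, blocked)."""
    sources = defaultdict(Counter)
    for _ts, kind, name, _peer in parse(log_text, year):
        if not kind.startswith("query[") and _in_scope(name, suffix):
            sources[name][kind] += 1
    return {name: dict(counts) for name, counts in sources.items()}


if __name__ == "__main__":
    for (client, host), stats in summarize_queries(SAMPLE_LOG, "dropbox.com").items():
        print(client, host, stats)
    print(answer_sources(SAMPLE_LOG, "dropbox.com"))
```

A short median gap combined with mostly `cached` answers means the client keeps asking the resolver for a name it was just given, which is a client-side caching behaviour and says nothing about what was sent to that host. Matching on the parent domain rather than one hostname also shows which names under it a client actually looks up.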


For any local program, I can block its access to the network and still use it. For a program whose functionality requires internet access, I can either inspect every outgoing packet for exfiltrated data, or I can choose to trust some programs to be non-malicious based on their reputation. That trust is incredibly fragile, and unannounced spying/telemetry breaks it.


I'm wondering where the line is between acceptable and unacceptable logs. Obviously no one appreciates analytics used by marketing teams, but virtually every internet service has logs used by engineers (which seem to be what this post is about). A few factors that seem relevant:

- Is the service running locally?

- Do we trust/expect that the data is not used for marketing (i.e. would the user have complained if the domain was "error-reporting.dropbox.com")?

- Is the data anonymous (think twice, everyone who has IPs or user IDs in request logs)

- Did we agree to relevant ToS or privacy policies?

If we think carefully about this, I'd bet that most people here have used or even implemented some form of logging that has privacy problems.


It’s not that difficult to make anonymous (usually pseudonymous) usage stats. Of course you don’t store IPs, computer names, user names, emails, detailed geographical data etc. I think in the past this was a lot messier but these days with GDPR it’s quite easy to draw the line. Basically store nothing that is individual, nor enough data (entropy) associated with one pseudonymous user that they could be identified as individuals.


I’ve been using https://github.com/samschott/maestral instead of Dropbox’s client for the last year or so and it’s been rock-solid.


Works very well indeed. The only thing I miss is the ability to easily create public links from the GUI.

TIL it is possible from the command line, so perhaps I can make it work with Automator.


Anything like this for Google Drive? That client also used to be good but has become complete bloated trash in recent years.

It seems like all chat, conference, and collaboration software must devolve into bloated slow buggy trash over time.


https://rclone.org/ is only like maestral if you squint hard enough, but it does support Google Drive (and Dropbox).



This looks quite cool.


Is this still the case?

The first comment in thread is from 2020, the last - from 2021. Now where I live is 2023.

I don't have any relationship with Dropbox, but we should be precise that this information might be outdated.


I checked my pi-hole query log and couldn't find any reference to the named telemetry address.


I can imagine they “fixed” it by just sending the telemetry now to the TLD so nobody complains any longer.


Remember their dirty tricks in the past?

How Dropbox Hacks Your Mac (1037 points on Sept 9, 2016, 423 comments): https://news.ycombinator.com/item?id=12463338

Revealing Dropbox’s dirty little security hack: https://applehelpwriter.com/2016/07/28/revealing-dropboxs-di...

Dropbox Lied to Users About Data Security: https://www.wired.com/2011/05/dropbox-ftc/


The discussion is from 2020/2021. That would have been good to mention in the title on HN.


I actually enjoy Dropbox - for a flat fee of ~€10/month I get 2TB of cloud space plus the synchronization across unlimited devices. I don't mind the telemetry thing, at least not too much.

However, their approach to Android is absolutely ridiculous. There is no files or folders synchronization - at least not at the OS level, like in Windows or Linux. If I need to access my Dropbox files on an Android device, the only way is to do it via the Dropbox app, and it is clunky. The biggest pain point is that I cannot use 3rd party apps to open a folder in my Dropbox storage - I can open a single file, fine, but for example Obsidian is out of reach as it requires opening an entire folder, which is currently not possible.

(I can create an offline copy of the folder on the device and open that one but it defies the purpose of having a sophisticated synchronization software).

So I think at some point I will start investigating alternatives.


Stopped using Dropbox a long time ago. Their constant "marketing" emails were bordering on scammy "Your dropbox is almost full!" etc - I try not to deal with companies that play these games.


The other day I noticed that the Dropbox icon had a red notification dot. Uh oh, maybe I'm running out of space.

Nope, it was an ad for using Dropbox to scan my tax documents or some shit like that.

I contacted support to ask about disabling future fake notifications, and they tried to claim that malware could be responsible.

I suppose in a way, they're not wrong...


That's exactly why I quit using Dropbox. I have TWO pictures in my Dropbox, no way in hell it's almost full. You lie to me in your advertising, you don't get my money, period.


I stopped using dropbox after finding it quarantines files. You won't know about this until you try to migrate off Dropbox. It just gives me the creeps now.


For me it was watching my desktop folder. If I created a screenshot there would suddenly be a notification window asking me if I wanted to upload/share it via Dropbox. Contacted their support, you couldn't switch it off and they didn't understand why such notifications would annoy a user.


I stopped when I stopped being comfortable with them looking at my data. My sensibilities changed and software options had advanced to the point that the activation energy of switching to an E2EE solution had been surpassed. I use self-hosted nextcloud + wireguard + B2 encrypted backup. It's not perfect, it's more setup on each device (no longer a single auth away from the data), but it's well worth it to me.

There's a market here. Idk how big. Apple seems to think there's a market here too. If they offered larger sizes I might be tempted to go all in on Apple.


What does this mean in this context? I tried searching but couldn't find anything other than antivirus software sometimes quarantined files in their Dropbox folder which isn't really a Dropbox issue. Are Dropbox deleting files without notification?


I usually share telemetry with open source software that I am happy with. Log reports, crashes, usage, etc, in Linux and so on.

It’s a good way to give back, and improve software that is often free. It’s presumably anonymized and safe. I don’t think we should be adversarial.


I was a very early user of Dropbox but I’ve fallen out of love with the product over the years, and while I still have an account, I’ve avoided installing the clients for awhile now.

I’ve been migrating things over to Synology Drive hosted in my closet, and the UX for this is a lot like Dropbox (in a good way).

Combined with Tailscale, I get all of the convenience without the ick, and a hell of a lot more storage for that matter.


Use an open source Dropbox client such as https://maestral.app


...not for windows, though.


Wow, uninstall dropbox then.


It can be disabled with an uninstall.


If something is free, you're the product. But yeah this is bad


Dropbox isn’t free


It just costs you all your data!


My limited syncing requirements are met with Signal. Put something into "Notes to Self" and it then exists anywhere I have Signal, which is on everything.


I finally got off of Dropbox recently in favor of the iCloud with "Advanced Data Protection", i.e. end-to-end encryption.

People tend to think that "Tech Independence" [1] and "The Cloud" are at odds with each other. But, end-to-end encrypted services that sync via the cloud really are the best of both worlds - convenient and secure.

[1] https://sive.rs/ti


I run Boxcryptor (the unpaid version with local keys) on top of Dropbox. They have recently been acquired by Dropbox, so I’m hoping that Dropbox will be integrating E2EE as well.

(Of course that doesn’t solve the telemetry issue.)


E2EE telemetry ;)


Fuck all telemetry (sharing any information which is not just "you have no control over" but anything which is not logically necessary for the app to do its primary job). Just don't use any apps you can block from doing this. IMHO this (sending redundant and untransparent information from a user's machine) should be outlawed.


Typo fix: I meant "apps you can'T block from doing this" of course.

Addition:

I also hate apps and gadgets using "clouds" for jobs which can perfectly be done locally.

E.g. I want a vitals tracking device to record my heart and sleep data but I am not buying any because they send that data to their servers, I want them to only send it to my PC where I would do the data science myself (and/or to my smartphone to a purely local app). I would pay a lot (up to e.g. what a beefiest new MacBook costs) for such a device if it were purely local and well-made (wouldn't break soon).

I also want a vacuum robot which would build and use my apartment map without sending it to any cloud but there are no such models no matter how much I am willing to pay (I know a solution[1] for vacuum robots - some can be hacked to run the server part on themselves but I don't really have time for this). And there has recently been a leak of pictures made by vacuum robots which proves my paranoia is legitimate.

Some genius has even invented a WC which analyzes your pee and stores your hormonal changes log in their cloud which is a great gift to conservative maniacs (I don't mean all conservatives are maniacs, some are awesome, there are many flavours of conservatism) which have just banned abortions and can now subpoena the company to find out if you have secretly undergone an abortion in another state.

Surely insurance companies and banks will also find a way to get your data and make your insurance and loans prohibitively expensive as soon as they find some clues you might have health risks.

I am almost sure the problem of privacy negligence, every serious actor spying on people hoarding data, is going to become more and more serious up to a catastrophic point and hope it will get more and more attention soon.

I used to be called a paranoid loon by fellow students for covering my laptop camera a decade ago, now almost everybody does this and my new laptops (HP EliteBook and ProBook) even came with built-in curtains on the cams.

[1] https://github.com/Hypfer/Valetudo


Error reporting is far from being redundant though, it's literally 1 step away from being 'logically necessary'


This. It's hard to take app development that doesn't use any kind of crash reporting seriously, tbqh.

Like, there's a crash reported by a user. That's already rare in itself, and average report quality from non technical users varies from nearly useless to misleading. What are you gonna do, ask them where it happened and what they were doing, to guess where in your related code something went wrong?


I would gladly report all the bugs myself manually, with all the details, specifics and reproduction steps. The only problem is 85% of bugs I ever reported either got "won't fix" status (mostly in free software) or just been silently forgotten (mostly at work) or got a "pay first, then ask for fixes" response (when it was about shareware). So I lost enthusiasm. Free software bug reporting also often has a problem of requiring registration in a separate BugZilla for every project but this problem has mostly been resolved by the majority moving to GitHub.

By the way, although I don't want to participate in involuntary and non-transparent automatic error reporting, I find your response logically beautiful. "One step away" - a perfect and reasonable description for this.


You wouldn't though. Because a lot of different crashes (not to mention warnings) are handled automatically and are restarted before you even notice. If you have android, just connect it to pc, open logcat and filter for errors only. There are still messages every couple of seconds. You would get frustrated even if those were simply shown to you as a user, not to mention actively going out of your way to report them.


Why anyone would use a data storage and backup platform that openly does this and many other things for their most intimate personal or most private business data is utterly beyond me. There are many, many zero-knowledge solutions out there, and ones that at least don't openly spy on user data.


Do people still use Dropbox? I feel like I almost never hear recommendations for it.

I personally abandoned Dropbox when they introduced a limit on the amount of devices you could use for free plans, and the cheapest plan was like 120€/year for 2 TB.


Maybe I just have a different view of pricing, but I find €120 a year for 2TB with unlimited versions, ability to share files of any size, rock solid syncing on all my devices etc to be extremely cheap!


Oh they increased to 2TB? (Seems it was around 2019... wow I am not up to date! https://venturebeat.com/business/dropbox-increases-plus-plan... )

Back when I decided which cloud storage to use, all the big ones were at 1TB and Dropbox was the most expensive with the least features, while Microsoft's offer included office 365 for nearly half the price.

Right now it seems:

- MS 6$/mo for 1TB + Office (https://www.microsoft.com/en-ww/microsoft-365/onedrive/compa...)

- Dropbox 10$/mo for 2TB (https://www.dropbox.com/plans)

- Google 12$/mo for 2TB+some smaller things like calls (https://workspace.google.com/pricing.html?utm_source=drivefo...)

There obviously are smaller companies offering storage too, which seems to be around 4~5$/(mo and TB), eg https://www.pcloud.com/cloud-storage-pricing-plans.html?peri... https://icedrive.net/plans https://www.sync.com/pricing-individual/

Overall I'd say it's not a terrible offer after the increase to 2TB, but on the expensive side compared to competitors.


The main advantage for Dropbox is that file sync works flawlessly. I've had issues with Onedrive and Google Drive in the past. Maybe they fixed those, but I can't trust them anymore.


Agree. I am forced to use OneDrive when I do consultation work for one of my customers, still works like crap compared to Dropbox with slow syncing etc.


I know right. I tried to move to OneDrive and within a few hours had multiple “conflicted versions” or whatever.


That's been my experience with syncthing sadly


In my experience syncing with pCloud is at least as good as with Dropbox. Google Drive is still quite bad.


It's only cheap if you need those features!

Imagine if someone offered you gasoline for 50 cents a gallon, delivered directly to your car, but for personal use only and the minimum contract is 400 gallons a week.


My problem is that I don't need 2 TB. I had like 10 GB of files on Dropbox. And Google offers 100 GB of Drive storage for 20€/year.


Indeed the price is my problem. I like the functionality of Dropbox but I don’t need 2TB and I won’t pay 12€ for that. I wish they had lower tiers.

iDrive is the only alternative I found that more or less works the same. Maybe Google Drive too but I try to avoid them (maybe if there was an option bundled with Youtube Premium...)

When I tried MS OneDrive messed up the file dates, Amazon CloudDrive did the same (and also got shut down since). And Apple iCloud is just too barebones and not really meant for sharing if someone is not using a Mac.


I still like it. It's vendor agnostic. I find the scanning documents ability works well on iOS. Not really sure what else I could be using to be honest.


I haven’t found a better option for file sync (especially not delta sync)


> Do people still use Dropbox?

Yep but it's mostly because I have many things which integrate with it -- loads of IFTTT recipes, apps, and sites that automatically sync things for you. If iCloud had a public API that people could integrate with the same way, I'd probably drop Dropbox at some point.


I only use Dropbox because Brother Webconnect does not support iCloud Drive.

https://www.brother-usa.com/brother-web-connect

Very convenient that Brother MFC machines can automatically upload OCR’d scans to your Dropbox/onedrive/box/google drive account, but I would like to only use iCloud Drive. Wonder if Apple is dropping the ball on that functionality though.


> Wonder if Apple is dropping the ball on that functionality though.

They definitely are but I can understand why they don't want to be bothered supporting something like that. Plus I think the time to be starting that was about a decade ago...


iCloud does have a public API: https://developer.apple.com/icloud/icloud-drive/.


I don't think iOS / macOS SDKs count as a "public API". I mean, obviously, a HTTP API that anyone can auth against and perform file operations against - like the Dropbox API.


I use it to backup game saves from a Docker container. The binary is installed on the server but otherwise I just use the web interface to check on things.

It's pretty neat, but that's all I use it for these days. Still have my original 2GB account from when Dropbox was new.


I'd love to be able to get rid of it completely, but I don't know of a good solution for syncing files to an iOS device from a linux machine.

Recommendations very welcome!


You know what else has telemetry that cannot be disabled?

Microsoft Windows.

It is about time something is done about it.


Any analysis on what is being sent to their telemetry service? Doesn't seem to be in that thread.

I don't see why people are getting so irked about this, without knowing any details of what data Dropbox is receiving.


Syncthing telemetry can be disabled. In fact, it's disabled by default.


Can it? The article says disabling telemetry had no effect. Maybe this has changed.


Your parent is talking about Syncthing, an open-source P2P alternative, not Dropbox.


Alright, I've cleared some time on the weekend, time to switch to some alternative. I don't need much space, a few GBs are enough. What's the best paid option for Linux?


Dropbox seems to use up a lot of resources on my laptop. I keep it turned off until I need to suck down or upload some recent files. I turn it right off again after using it.


One can install and use nextcloud. You get similar client and similar experience. You need to care about your data and server though.


Taking care of data and servers is the big problem, even for people who are more into computers. There are many holes to fall into.


There are Nextcloud providers :-)

Here's a list in French: https://wiki.chatons.org/doku.php/services/nextcloud

BTW I'm learning from it that /e/ [1] partners with Murena [2] which offers accounts with 1 GB of free storage. Apparently, Murena is French.

[1] https://murena.io/

[2] https://e.foundation/


Also some of us here work at public companies and these systems are under scope since finance needs a way to share/edit financial documents with each other. These big firms have soc1s. Running our own infra would put that infra under scope which is a huge burden.


rsync.net seem to be spaffing a lot on advertising, anyone got any experience of them?

1TB bonus if you sign up, but how good is their product?


I really want to try their ZFS Send offering but minimum buy in at 4TB for $60 a month isn't worth it yet to me.


I'll be honest, I don't really see the complaint here.

The telemetry goes to telemetry.dropbox.com. You get this telemetry because you have installed the Dropbox desktop app, which means Dropbox already has lots of access to your machine. If this telemetry just went back mixed with normal Dropbox communications (like most apps), would people even be aware of it?

There doesn't seem to be any discussion of what the telemetry actually is, just annoyance it exists.


> I'll be honest, I don't really see the complaint here.

There is no explicit consent.


Exactly, as a paying user having the option to disable telemetry is not unreasonable.

Too bad Dropbox does not see it that way.


I see a trend of software engineers that don't see users as someone who they are providing service to - they see them as just one element of a machine they're optimizing to make their software better. They feel that the engineering quest itself is the most important thing in the world, so they feel entitled to any and all data they are technically capable of collecting.

It's a shame. I wish more engineers would see things through Richard Stallman's eyes, and realize that software is supposed to serve its users, not its creators. But, as the saying goes: "It is difficult to get a man to understand something, when his salary depends on his not understanding it."


If you asked me which part of the company decided to shove telemetry in the product, my last guess would be the software engineers.


There is a reason it's popular: it's extremely useful for software development to a) have actual hard data on how your software is being used, and b) have a large selection of crash data for debugging rare issues. If it's not the software engineers who want it, it's the technical management who see the immense value in having it.


You're forgetting the monetary incentives. It allows companies to collect personal data of every user and sell it to "our partners" to build larger marketing profiles.


This depends on what kind of data they're collecting. The most common kinds of telemetry data are not actually particularly useful for that, and usage of it for selling advertising, especially to third parties, would be contradictory to most privacy policies (now how much you trust that they are actually following their own policy is another matter: and dropbox does call out that they may try to use this data to upsell you on their own products).

Nonetheless, the potential is there and GDPR does consider it personal data from the point of view of consent, so dropbox is almost certainly violating the rules here even if they do not sell the data for advertising (as unlike the actual data they store, it is not necessary for providing the service, merely useful to the company for improving their service). Such telemetry almost certainly requires an opt-out, and most likely should be an opt-in as far as GDPR is concerned.


I'm not sure.

There was an opt-out telemetry proposal in Go [0], which caused a huge backlash. The proposal authors were so focused on the benefits of the telemetry, that they did their best to invent all kinds of very convincing arguments why their telemetry is okay, useful, not intrusive, etc. etc. They completely ignored the ethics of the problem - that they are not entitled to users' data without consent.

It took a very dramatic reaction from the community to convince them that adding opt-out telemetry without users' explicit consent is a bad idea, no matter how "non-intrusive" and "helpful" it is.

[0] https://github.com/golang/go/discussions/58409


SWEs in those camps are mostly "just following orders" I've heard.


That depends what telemetry though. Assuming this telemetry is purely about app's performance and behavior and is truly anonymous (I know that's big assumption, for sake of the argument let's believe it is the case), taking away from devs information about whether or not the app is working well, is indeed quite unreasonable.


Indeed, as a paying user I would also want an option to disable them reading the files off my disk.

Too bad they just start scanning everything in ~/Dropbox.


But dropbox already has huge amounts of information about you, in particular the names, contents, and history of all of your files.


They have consent for that. It's not hard.

Also consent to store does not imply consent to read, process, make use of.


I keep searching xkcd, but all my efforts are frustrated, and this is as close as I get:

https://xkcd.com/908/

I distinctly recall a webcomic in the past few years lampooning cloud storage. There was a guy who said "hey, there's this guy down the street who lets me keep stuff on shelves in his garage." "What does he charge you?" "Nothing, he says it's just cool if I keep it there." and then the stuff is sold off or tampered with, the guy is irate, and the moral of the story is essentially "why did you trust a random guy with a garage to keep your stuff?"



THANK YOU, zamnos! No wonder I couldn't find it. It was a current-events piece about a change in Instagram's TOS. Explanation here: https://www.explainxkcd.com/wiki/index.php/1150:_Instagram


But also the comic as you remembered it has a different moral from the actual comic, and would be very insulting to apply to non-paying dropbox users.

It's okay for a free service to change how they operate with a take-it-or-leave-it offer. It is not okay for a free service to invade your privacy without permission.

Additionally, all users should be able to trust Dropbox just as much as the paying users.


It's polite to be transparent about telemetry, but it's not like there is a requirement in any regulation anywhere to ask for explicit consent (e.g. similar to how GDPR works when PII is involved)


There might not be a hard legal requirement, but it's still a valid complaint.

There's no legal requirement for someone to be polite to a cashier at a supermarket, yet complaining when somebody is an asshole is still a valid complaint.


You're mixing several things together here. Transparency is one of GDPR's cornerstones and very much not just nice to provide, but a deeply serious and non-negotiable hard requirement regardless of how you legitimise the data collection.


What I’m saying is that the GDPR is irrelevant unless there is data collected that counts as PII. Collecting non PII isn’t covered by the GDPR.

So yes there are two things: GDPR which is irrelevant here, and storage of non-PII which should be done transparently because it’s polite to be transparent, but not a regulatory requirement.


Well, to be fair, if there is no PII, the telemetry isn't relevant at all and nobody should be concerned by it. (Except for the people that are concerned they will A/B test their software into exhaustion and optimize it into an abomination; but that's not a loud crowd.)

All the complaints are about them collecting PII. Even if they say they don't, the concern is that they could be lying, or change easily, and nobody would know.


False, I will rephrase: it is a regulatory requirement under the GDPR to disclose the fact that you are collecting data, to provide a detailed and easily accessible specification of the information contents, a precise definition of how this data is processed and used, and your legal justification(s) for doing so, and to do so for each separate type or kind of collection involving individuals, regardless of whether this includes any PII or not.

The few exceptions that exist are only applicable in cases where there is no potentially identifiable data collected at all, which is obviously not the case here.

Here is a very accessible (although non-official) GDPR resource that I've come across: https://gdpr-info.eu/

Obligatory "I am not a lawyer" disclaimer :)


> it is a regulatory requirement to disclose the fact that you are collecting data

Not if the data isn't PII, no. Not in any way shape or form.

> The few exceptions that exist are only applicable in cases where there is no potentially identifiable data collected at all

The whole point of collecting "anonymous usage data" (which is what telemetry usually does) is that it shouldn't be possible to attribute to a physical person, and thus not be PII. As an extreme example, you could take the most typical form of telemetry: a feature usage count. When a feature is used, the telemetry collects a (+1) for that feature. The only long term stored data is the total count N for each feature across the entire user base. Of course there is no PII stored.

> which is obviously not the case here.

Why do you say that it's "obviously" not the case, when there is no indication about what data it is, other than the Dropbox representative saying precisely that there is no PII collected so the GDPR isn't relevant? There may be PII (in which case they are both at fault for not disclosing, and complete asshats for lying in the support forum). But it would be a pretty uninteresting discussion once one assumes that...

Obligatory "I'm not a lawyer either but I've implemented telemetry in software and had those implementations thoroughly analyzed by lawyers a couple of times"


Ah gotcha, yes, you're right, except that only holds when you are not collecting any other data from the "subject" at all.

The major differentiating factor here is that Dropbox does in fact process PII - convenient storage and distribution of their customers' digital life is their raison d'être, after all, it's precisely what those people expect of Dropbox and pay them their monthly fee for.

In this case, where telemetry is gathered by the same desktop application that is also a primary component of their legitimate and consented-to data processing activities no less, they would at minimum be required to specify what information goes where, how it is anonymised, and for what purpose they require it.

I'm not assuming ill intent or unsanctioned data mining activities or anything of the sort, but whatever it is that they are collecting and doing is not as clear as it should be.


In particular, consent may be a requirement by the GDPR.


It's obvious from the discussion that the GDPR isn't an issue here as there is no PII involved (as should be the case with all telemetry)


The GDPR lists IP addresses as PII, and not to be all "your IP address is leaking" but in order to send the telemetry, your computer's IP (or that of your VPN) is being sent to Dropbox, potentially to be logged.


AFAIK, it's only an issue if it's actually logged. Also, pretty much all services need to know the IP address during a session. It's fine if it's only used for the purpose of providing the service and not logged.


That’s not a GDPR issue other than if stored. And remember this is an app that already must send requests to the same place in order to function at all.


Yes but because your computer is sending its IP to Dropbox, you can't, a priori, make the claim that the GDPR isn't an issue.


Of course not. It might send your medical records too.

It will send the IP regardless of whether telemetry is enabled. But they do claim that no PII is stored for telemetry. Whenever the topic of Telemetry comes up I try to keep to the discussion about properly anonymous telemetry, simply because that’s where there is any discussion at all. If anyone transmits or stores anything they aren’t entitled to it’s obviously always wrong so that’s not an interesting discussion.

Dropbox of course already stores PII (your files) but that doesn’t mean they can do so for other info or other purposes.


Just because the DNS entry says telemetry in the name doesn't mean a thing. Just like if they'd called it medical-records-here.dropbox.com and were only sending telemetry to it.

Whenever the topic of telemetry comes up, I try and point out that just because someone says it's just telemetry, it doesn't mean a damn thing. If anyone thinks it's not interesting because they think things are obviously always wrong, I ask them: what does telemetry mean to you? What does it mean to the company?

Are you sure those two definitions are in 100% agreement?


If they were entirely transparent about what they transmitted yet didn’t stick to that, then that would be bad.

Similarly, they might have an opt out but not honor it (in the case of Dropbox it wouldn’t be noticeable)

So all those things aside, the interesting discussion is the discussion that assumes they are honest when they say they don’t store any PII in telemetry. That means, for example that the IP isn’t stored.

“Telemetry” as a term means nothing about what’s stored which is why I try to be specific and talk about “anonymous usage statistics and crash reports” or similar. Telemetry without PII tends to be exactly that.


We use Dropbox business, anyone recommend a good replacement?

Main features I want are version history and easy recovery.


I honestly recommend you just stay with Dropbox.. there are no fantastic alternatives


You could try Box. It has really good enterprise controls as well.


NextCloud is probably the closest thing.


Again self-regulation is not working


What are good Dropbox alternatives for teams?


Dropbox is still alive? wow


Don't use any of these proprietary shit apps in the first place. I find it silly to complain about things like that. Even if they have opt-out or even opt-in. They will eventually change it, they will abuse you. They will have "bugs" that leak data. You can only trust open source. And there are plenty of alternatives, that you can self host.


I don’t want to self host. I don’t even want to self-setup some cloud blob store to which my open source can sync. I want something that is free as in beer and zero setup for myself. Happy to take suggestions but Dropbox does seem to fit.


Can you list top-3 fully-featured Dropbox alternatives of the plenty?



