As Dropbox develops and expands, decisions they have made early on are tying them, and their users, in knots. The biggest problem they have is that they keep shifting their mental models of how their service works and it has broken Dropbox and exposed many Dropbox Teams users to real privacy problems.

It’s A Server, Oh No It Isn’t!

Most new Dropbox users, using it on a desktop machine, immediately think it is like a shared server. That’s the mental model many people have from either working in development teams or simply working in corporate environments or sharing files across a network. In that model, the server content is the master. Drag a file from the server to your own folders and a local copy is made. As many people found out the hard way, this is not how Dropbox works.

It’s A Shared Folder, Locally Stored and Synced. Or Is It?

Dropbox does not work like a server, but as a folder synced from the cloud version locally with your machine. Move something out of Dropbox, and it’s not synced anymore. Most people get this straight away, but tend to make the not-a-server mistake above when they first share folders with people.

The fact that changes you make on your local machine change files and folders on someone else’s local machine an odd mental model to get your head around. Once you have understood it, you understand the model that sharing happens at the folder level. You can invite people to join a folder and you can also kick them off the folder or they can leave of their own accord (and choose to keep their copy of the folder’s data).

To add to the complication, Dropbox users used to have a folder called Public, where they put files they wanted to share, but no longer. Now you can share links to individual files from any folder, so it’s redundant. And, of course, you can invite anyone to share any folder.

Weirdly, though, Dropbox have to break this mental model in order to keep some sanity in the world. Once shared, individual users can move or rename shared folders without it affecting the other people’s folders who are sharing it. This makes sense on one level, because if you decide to put our shared folder “OurProject” inside your own Projects folder and rename it to. “Project With Andy Folder” I don’t want to suddenly find it has moved and renamed on my machine.

So, the mental model is that it is like a shared folder, locally synced, except for its name and location. Kind of like an alias/shortcut (except Dropbox doesn’t really handle aliae properly on non-desktop devices).

Okay, that’s rather idiosyncratic, but I can get my head around it until someone starts asking me where they should find a file we are both working on on their Dropbox. The conversation usually goes something like this:

“Where is that file we are working on?”
“It’s in the OurProject folder.”
“Where is that?”
“You know, the one I shared with you.”
“I think I put it inside another shared folder, but one that is not shared with you.”
“That’s okay, the OurProject folder is still shared with me. But now you have shared it with everyone else who has access to your shared folder you put your version of OurProject folder into.”
“I renamed it too. I already had an OurProject folder in that other folder.”
“Then I have no idea where it is on your machine, nor whether you are syncing to the same version that I am anymore.”
“Wait, there’s another folder in my Dropbox called OurProject(2). What’s the (2) for?”

So, folders are like shared, synced folders, but not really in these special use cases.

Shared Folders Are Twice As Big As You Think

Still with me? Good, but we haven’t even begun to talk about the oddity of shared storage quotas in which the files you put in the shared folder from your Dropbox also counts against mine. That means the 100MB file we are sharing takes 100MB off my storage quota and 100MB off of yours, effectively meaning that it counts as 200MB in total, but only if you are still stuck in that previous mental model of Dropbox being like a server.

If you have a Pro account and someone else has a free account, you can completely shaft the other person by dumping a load of files in a shared folder that eat up all their storage quota. Okay, lets live with that oddity for the moment - it kind of still makes sense in the Dropbox-is-a-shared-space-at-the-folder-level model.

Did I mention Dropbox’s tag line is “Simplify Your Life”?

Dropbox Pro gives Me More Space

Apart from all the extra space you get for referrals (a process that soon starts to get saturated as everyone else you know already has Dropbox), you can add extra storage quota by paying for it, like I did - $99 for a total of 100GB plus my referral quota.

Great! Now we’re really rocking along with this Dropbox thing as the centre of our digital lives and put almost all our files in it. I know how to share folders, my workmates share folders with me and all is good in the world of multi-device cloud-joy access. Work machine? No problem, Dropbox lets me access my home files too. Smartphone or tablet? Sorted. I can whip out my iPhone, download the PDF I made last night and mail it to you.

Most of all, I understand the model that, if I pay more, I get more space for me personally. That works, but we’re such Dropbox hipsters, we should sign up for Dropbox Teams and get a whopping 1TB of storage between us and save us from having to cobble together all our personal accounts.

Dropbox Teams Shares at the Account Level

This is where the mental model changes again, and breaks. One of our team signs up our organisation to Dropbox Teams. You can’t have two instances/accounts of Dropbox on a machine, by (foolhardy) design, unless you use a hack. Of course, none of us want to lose our private accounts and screw up all the dependencies we have on it for our cloud-syncing happiness, so we link our personal accounts to the Dropbox Teams account.

The first oddity is that, suddenly, sharing has now moved from the folder level as a mental model to the account level. The remaining pro-rata credit left on my Dropbox Pro account is credited back, not to me who paid for it, but to our Team Account. Huh? I’ve just paid my employer to use something I am required to use as an employee.

I mail support and get a perfectly nice mail apologising for the confusion, but explaining that they can’t credit my credit card back. Instead they can give me “Dropbox dollars” (didn’t know they had their own currency) on my account that I can use should I leave the team and want to re-upgrade my account to a Pro account. Okay, a kludge, but I can live with that because I had already committed that money to Dropbox in the first place.

But the mental model has changed again. I thought accounts were individual, because I can only have one on any given machine and if I want to share, I share at the folder level. Dropbox Teams changes that, by merging all our personal accounts together as users under one big Team account. Sharing in Dropbox Teams is at the account level.

That’s weird, but the main thing is, my personal data already in my Dropbox remains personal and I join Team folder shares as necessary (after we had to unshare and reshare them when we went from personal accounts to Teams), right? Wrong.

Dropbox Is The Stasi

Then, a few days ago, Dropbox Teams casually send out an email notifying Teams users that Dropbox are updating their privacy policy to reflect the fact that Teams administrators may have access to all a Teams user’s folders.

Wait a minute! You mean whoever happens to admin our Teams account can now see all my personal documents, many of which I would be very unhappy for my employer’s employer to be able to snoop on? Yes, despite Dropbox’s Help Center still promising this is not the case.

So now the mental model has moved from a private cloud space that I selectively invite people to share parts of to a totally exposed space that has mixed up the privacy of work and personal life that I had kept separate deliberately. Wow. Now we’re in Stasi territory.

At this point, many panicked emails are being sent around asking who the admin of our Teams account is. The administrative assistant of our research group (the Dropbox Team I am part of) is a lovely person and I’m sure she is to be trusted and has little desire to snoop through my personal files. But I don’t know who else might have access, nor do I have any control over who gets hold of or hacks that admin account’s credentials. This is the new Teams part of the privacy policy:

6. Dropbox for Teams Users
If you have a Dropbox for Teams account, your Administrator may be able to:

  • access information in and about your Teams account;
  • disclose, restrict, or access information that you have provided or that is made available to you when using the Teams account; and
  • control how your Teams account may be accessed or deleted. Please refer to your Team’s policies if you have questions about your Administrator’s rights.

The first point enables the snooping, but the second point means that, potentially, a Teams admin could lock you out of your own, personal files. The last point means that an admin could simply delete your account, which would mean you would be locked out of Dropbox and lose all your files. I make sure I keep my Dropbox password private for a reason. Why should I suddenly give it to someone else?

There is a lot of dissatisfaction out there about the decision and Dropbox has done a poor job of opening up channels of communication for Dropbox Teams. Remember, companies or teams are spending anything from $750 to several thousand on a Teams account. The best they have is the comments of a thread about verification where they reveal the privacy policy change almost in passing. Most people are understandably angered by the situation, while a few can’t see the problem.

Those dissatisfied point out, as I do, that it doesn’t have to be highly sensitive information stored in personal Dropbox (or even other Teams) folders, but just things an admin person should ideally not see. For Dropbox to be useful, you need to be able to store some context-sensitive information on it, otherwise you’re always having to juggle files. You might want to be able write, say, a draft resignation letter on your iPad on the train and then decide against it, safe in the knowledge that it’s not going to be seen by your employer, yet. There are countless other situations that don’t warrant encryption-level security, but leave an uncomfortable feeling knowing someone could view the files. It’s like trusting corporate I.T. guys not to snoop your email. They shouldn’t and probably don’t, but you don’t know. (I take care to always insist on administering my own machine, but many can’t or don’t.)

Those that don’t see the problem - including Dropbox, it seems - have two arguments. The first is, “what are you don’t having personal files on an account/machine your employer is paying for anyway?” The answer is, of course, because the whole point of using Dropbox in the first place is to not have the hassle of files left behind on the wrong machine, especially if you have a work and a home machine. All of my colleagues and most people I know have a laptop in order not to have two computers.

The reality is that our work and personal lives are mingled. Dropbox used to help us keep them together, but separate. As Frank Jorgensen points out in that comment thread “its called ‘dropbox for teams’, not ‘dropbox for companies’”. There are plenty of situations where people might decide to work together with a Teams account and it’s not a clear case of corporate versus private life.

The other argument is to use two different accounts, one for work, one for personal. But again, the whole point of Dropbox is to have all your stuff in one place and you can’t have two accounts on one machine.

Dropbox Is Broken

The upshot is that you have to choose one to be either accessed via another user account on the machine or use the Dropbox web interface to manage the second account. This completely breaks Dropbox for many people who use a lot of Dropbox synced services an apps like 1Password, nvALT, If This Then That, or local scripts to automate things in the Dropbox, like archiving Tweets or automatically pulling in photos from a device to a Dropbox gallery.

If you opt for the Teams account to be the web-based account then most of the usefulness of Dropbox is made redundant. We moved off of Basecamp precisely because of the tedium of getting an email with an icon of a file that was actually a link to a website that you had to log onto in order to download the file. You might as well use Facebook as a document repository if you want that kind of hassle or any other awful Microsoft Sitepoint crap.

The whole thing is compounded by the fact that I can’t disassociate my (previously personal and personally paid for) Dropbox account from my Dropbox Teams account. The Stasiesque approach of Dropbox Teams means that I have surrendered all control to The Team. The Teams administrator will, presumably, have to kick me off the team and I hope I get my personal account back, but Dropbox support haven’t confirmed whether this is the case yet, but it’s not looking good [Update - 7.11.2012: Dropbox support did disassociate my account, but they have to do it. If the Team Admin removes your account from the team, you will be locked out of your Dropbox account]. I’ll have to make another work account and then rejoin the team 1. Whether all those files need to be re-up- or downloaded remains to be seen.

It’s A Service, Not A Product

One of the worst situations you can have with an interface is to present users with a mental model of how the system works that is different from how it actually works. If you’ve ever used a stove where you’ve had to turn on all the knobs that are arranged in a row at the front in order to work out which one operates the burner you want out of the four that are arranged in a square on the stove, you have experienced such a mismatch.

Worse, though, is to keep changing the mental model, which is why Apple’s half-baked and then half-reversed changes to the venerable Save As… command caused such consternation. It takes people a while to learn a mental model and, when they make it part of their daily workflow or life, it’s a big deal to change it. It’s like turning on the tap for a glass of water and suddenly discovering that gas is coming out of it instead.

With a cloud service or any other API (Twitter, I’m looking at you), to keep changing it, for the worse, due to ill thought-through decisions either from product management, engineering or, worse, marketing, is a death knell for services that you are encouraging users to make central to their digital lives and workflows. Dropbox is a service, not a product, and services are about ongoing relationships, not sell and forget. Relationships require trust and you don’t get to destroy trust more than once. And Dropbox have already demonstrated they don’t rate privacy very highly at all.

If Dropbox see the need for Teams admins to access a team member’s files, to sort out a sharing issue, for example, then they need to do it in a way that recognises you are essentially allowing someone access to your machine, just like any other remote access situations. It should be off by default and require explicit permission from the team member to allow access, which they can then revoke at any time.

My mental model of Dropbox as a company is now of a design and engineering team who have painted themselves into a corner and can’t be trusted not to screw things up trying to get out of it.

  1. I opted for the two-accounts-on-one-machine hack, which is an unsatisfactory kludge, but works. For now. It’s not something you would want to rely on as a solution for a larger company or team. ↩︎

Written by