Criticism of Dropbox

Last updated

Logo of Dropbox Dropbox logo 2017.svg
Logo of Dropbox

The American cloud storage and file synchronization company Dropbox Inc. had several security and privacy controversies. Issues include a June 2011 authentication problem that let accounts be accessed for several hours without passwords; a July 2011 privacy policy update with language suggesting Dropbox had ownership of users' data; concerns about Dropbox employee access to users' information; July 2012 email spam with reoccurrence in February 2013; leaked government documents in June 2013 with information that Dropbox was being considered for inclusion in the National Security Agency's PRISM surveillance program; a July 2014 comment from NSA whistleblower Edward Snowden criticizing Dropbox's encryption; the leak of 68 million account passwords on the Internet in August 2016; and a January 2017 accidental data restoration incident where years-old supposedly deleted files reappeared in users' accounts.

Contents

April 2011 user authentication file information

Dropbox has been criticized by the independent security researcher Derek Newton, who wrote in April 2011 that Dropbox stored user authentication information in a file on the computer that was "completely portable and is not tied to the system in any way". In explaining the issue, Newton wrote: "This means that if you gain access to a person's config.db file (or just the host_id), you gain complete access to the person's Dropbox until such time that the person removes the host from the list of linked devices via the Dropbox web interface." He updated his post in October 2011 to write that "Dropbox has release version 1.2.48 that utilizes an encrypted local database and reportedly puts in place security enhancements to prevent theft of the machine credentials." [1] A report from The Next Web featured a comment from Dropbox, in which they disagreed with Newton that the topic was a security flaw, explaining that "The researcher is claiming that an attacker would be able to gain access to a user's Dropbox account if they are able to get physical access to the user's computer. In reality, at the point an attacker has physical access to a computer, the security battle is already lost. [...] this 'flaw' exists with any service that uses cookies for authentication (practically every web service)." [2]

May 2011 data deduplication and employee access

In May 2011, a complaint was filed with the U.S. Federal Trade Commission alleging Dropbox misled users about the privacy and security of their files. At the heart of the complaint was the policy of data deduplication, where the system checks if a file has been uploaded before by any other user, and links to the existing copy if so; and the policy of using a single AES-256 key for every file on the system so Dropbox can (and does, for deduplication) look at encrypted files stored on the system, with the consequence that any intruder who gets the key (as well as potential Dropbox employees) could decrypt any file if they had access to Dropbox's backend storage infrastructure. [3] In a response on its blog, Dropbox wrote that "Like most major online services, we have a small number of employees who must be able to access user data when legally required to do so. But that's the exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access." [4] In response to the FTC complaint, Dropbox spokeswoman Julie Supan told InformationWeek that "We believe this complaint is without merit, and raises issues that were addressed in our blog post on April 21." [3]

June 2011 account access without password

On June 20, 2011, TechCrunch reported that all Dropbox accounts could be accessed without password for four hours. [5] In a blog post, co-founder Arash Ferdowsi wrote that "Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions." He wrote that a "thorough investigation" was being conducted, and that "This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again." [6] Julianne Pepitone, writing for CNNMoney, wrote that "It's the security nightmare scenario: A website stuffed with sensitive documents leaves all of its customer data unprotected and exposed", and featured a comment from Dave Aitel, president and CEO of security firm Immunity Inc., saying "Any trust in the cloud is too much trust in the cloud -- it's as simple as that. [...] It's pretty much the standard among security professionals that you should put on the cloud only what you would be willing to give away." [7]

July 2011 Privacy Policy update

In July 2011, Dropbox updated its Terms of Service, Privacy Policy, and Security Overview agreements. The new Privacy Policy sparked criticism, as noted by Christopher White in a Neowin post, in which he wrote that "They attempted to reduce some of the tedious legalese in order to make it easier for normal people to understand. It appears that they have succeeded in that mission and in the process have taken ownership of every file that uses their service". Citing a paragraph in the updated Privacy Policy that Dropbox needed user permission to "use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display" user's data, White wrote that "This broad terminology is frightening for end users because it clearly lets Dropbox take a person’s work, whether it is photographs, works of fiction, or scientific research, and gives the company the right to do whatever they want with no recourse from the original owner". After users expressed concerns about the change, Dropbox once again updated its policy, adding "This license is solely to enable us to technically administer, display, and operate the Services." White concluded by writing that "While this is a step in the right direction, it still makes no sense as to why a product that is used to move files from one computer to another needs the ability to "prepare derivative works of" anyone's files." [8] [9]

July 2012 email spam and February 2013 reoccurrence

In July 2012, Dropbox hired "outside experts" to figure out why some users were receiving e-mail spam from Dropbox. [10] In a post on its blog, Dropbox employee Aditya Agarwal wrote that "usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We've contacted these users and have helped them protect their accounts." However, Agarwal also noted that "A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We're sorry about this, and have put additional controls in place to help make sure it doesn't happen again." One of the additional controls implemented was the introduction of two-factor authentication. [11] [12] In February 2013, users reported additional spam, with the company stating that "At this time, we have not seen anything to suggest this is a new issue", and blamed the earlier e-mail spam issue from the past July. [13]

June 2013 PRISM program

In June 2013, The Guardian and The Washington Post publicized confidential documents suggesting Dropbox was being considered for inclusion in the National Security Agency's classified PRISM program of Internet surveillance. [14] [15]

January 2014 outage

On January 11, 2014, Dropbox experienced an outage. A hacker group called The 1775 Sec posted on Twitter that it had compromised Dropbox's site "in honor of Internet activist and computer programmer Aaron Swartz, who committed suicide a year ago". However, Dropbox itself posted on Twitter that "Dropbox site is back up! Claims of leaked user info are a hoax. The outage was caused during internal maintenance. Thanks for your patience!" [16] [17] [18] In a blog post detailing the issue, Dropbox's Akhil Gupta wrote that "On Friday at 5:30 PM PT, we had a planned maintenance scheduled to upgrade the OS on some of our machines. During this process, the upgrade script checks to make sure there is no active data on the machine before installing the new OS. A subtle bug in the script caused the command to reinstall a small number of active machines. Unfortunately, some master-replica pairs were impacted which resulted in the site going down." Gupta also noted that "Your files were never at risk during the outage". [19]

April 2014 Condoleezza Rice appointment to board of directors

In April 2014, Dropbox announced that Condoleezza Rice would be joining their board of directors, [20] prompting criticism from some users who were concerned about her appointment due to her history as United States Secretary of State and revelations of "widespread wiretapping on US citizens during her time in office". [21] RiceHadleyGates, a consultancy firm consisting of Rice, former US national security adviser Stephen Hadley, and former US Secretary of Defense Robert Gates, had previously advised Dropbox. [22]

In May 2014, Dropbox temporarily disabled shared links. In a blog post, the company detailed a web vulnerability scenario where sharing documents containing hyperlinks would cause the original shared Dropbox link to become accessible to the website owner if a user clicked on the hyperlink found in the document. Some types of shared links remained disabled over the next few weeks until Dropbox eventually made changes to the functionality. [23] [24]

July 2014 Snowden comment

In a July 2014 interview, former NSA contractor Edward Snowden called Dropbox "hostile to privacy" because its encryption model enables the company to surrender user data to government agencies, and recommended using the competing service SpiderOak instead. In response, a Dropbox spokeswoman stated that "Safeguarding our users' information is a top priority at Dropbox. We've made a commitment in our privacy policy to resist broad government requests, and are fighting to change laws so that fundamental privacy protections are in place for users around the world". [25]

October 2014 account compromise hoax

In October 2014, an anonymous user on Pastebin claimed to have compromised "almost seven million" Dropbox usernames and passwords, gradually posting the info. However, in a blog post, Dropbox stated "Recent news articles claiming that Dropbox was hacked aren't true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. [...] A subsequent list of usernames and passwords has been posted online. We've checked and these are not associated with Dropbox accounts." [26] [27] [28]

A long discussion on Dropbox's support forum, entitled "Can we have plans that are smaller than 1 TB?" began in December 2014, when Dropbox introduced one terabyte paid storage plans. [29] Dropbox users voice concern that they are not able to grow their plan from the two gigabyte free plan by smaller increments than one terabyte. By 2020 the minimum paid data storage plan increased to two terabytes, making the incremental increase from the free account to the minimum paid plan out of reach for many users.

August 2016 password leak

In August 2016, email addresses and passwords for 68 million Dropbox accounts were published online, with the information originating from the 2012 email spam issue. [30] [31] [32] Independent security researcher Troy Hunt checked the database against his data leak website, and verified the data by discovering that both the accounts belonging to him and his wife had been disclosed. Hunt commented that "There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords, you simply can't fabricate this sort of thing". [33] In a blog post, Dropbox stated: "The list of email addresses with hashed and salted passwords is real, however we have no indication that Dropbox user accounts have been improperly accessed. We're very sorry this happened and would like to clear up what's going on." The company outlined details that the information was "likely obtained in 2012", with the company first hearing about the list two weeks earlier, at which time they immediately started an investigation. "We then emailed all users we believed were affected and completed a password reset for anyone who hadn't updated their password since mid-2012. This reset ensures that even if these passwords are cracked, they can't be used to access Dropbox accounts." [34]

January 2017 accidental data restoration

In January 2017, Dropbox restored years-old supposedly deleted files and folders in user accounts. In one example, a user reported that folders from 2011 and 2012 returned. In explaining the issue, a Dropbox employee wrote on its forum that "A bug was preventing some files and folders from being fully deleted off our servers, even after users had deleted them from their Dropbox accounts. While fixing the bug, we inadvertently restored the impacted files and folders to those users' accounts. This was our mistake; it wasn't due to a third party and you weren't hacked. Typically, we permanently remove files and folders from our servers within 60 days of a user deleting them. However, the deleted files and folders impacted by this bug had metadata inconsistencies. So we quarantined and excluded them from the permanent deletion process until the metadata could be fixed". [35] [36]

July 2018 anonymized data analysis

In July 2018, researchers at Northwestern University published an article [37] in Harvard Business Review on the analysis of the habits of tens of thousands of scientists using anonymized data provided by Dropbox. The data used was over the period from May 2015 to May 2017 from all scientists using the platform across 1000 universities. [38] Personal names attached to the data was removed by Dropbox, but according to Casey Fiesler, researcher at Colorado University, the folder titles and file structures that were provided could be used to identify individuals. Dropbox, later in a blog post, [39] said that the reverse identification of the data was impossible. The data was provided without the express consent of the 16 thousand people whose information was accessed.

February 2021 allegations by former employees of gender discrimination

In February 2020, a document containing interviews with 16 current and former Dropbox employees claimed to be victims of gender discrimination was obtained by VentureBeat. The subjects of the report alleged discrimination point to examples such as "changing standards for promotions, unequal compensation, being set back in their careers after maternity leave, and experiencing retribution when they take their cases to HR". The report also detailed instances of alleged harassment and demotion after employees filed a complaint with Dropbox HR or returned to work following maternity leave. [40]

Related Research Articles

<span class="mw-page-title-main">Password</span> Text used for user authentication to prove identity

A password, sometimes called a passcode, is secret data, typically a string of characters, usually used to confirm a user's identity. Traditionally, passwords were expected to be memorized, but the large number of password-protected services that a typical individual accesses can make memorization of unique passwords for each service impractical. Using the terminology of the NIST Digital Identity Guidelines, the secret is held by a party called the claimant while the party verifying the identity of the claimant is called the verifier. When the claimant successfully demonstrates knowledge of the password to the verifier through an established authentication protocol, the verifier is able to infer the claimant's identity.

<span class="mw-page-title-main">Gmail</span> Email service provided by Google

Gmail is the email service provided by Google. As of 2019, it had 1.5 billion active users worldwide, making it the largest email service in the world. It also provides a webmail interface, accessible through a web browser, and is also accessible through the official mobile application. Google also supports the use of third-party email clients via the POP and IMAP protocols.

<span class="mw-page-title-main">Yahoo Mail</span> American email service

Yahoo! Mail is an email service offered by the American company Yahoo, Inc. The service is free for personal use, with an optional monthly fee for additional features. Business email was previously available with the Yahoo! Small Business brand, before it transitioned to Verizon Small Business Essentials in early 2022. Launched on October 8, 1997, as of January 2020, Yahoo! Mail has 225 million users.

A file-hosting service, also known as cloud-storage service, online file-storage provider, or cyberlocker, is an internet hosting service specifically designed to host user files. These services allow users to upload files that can be accessed over the internet after providing a username and password or other authentication. Typically, file hosting services allow HTTP access, and in some cases, FTP access. Other related services include content-displaying hosting services, virtual storage, and remote backup solutions.

Evernote is a note-taking and task-management application developed by the Evernote Corporation. It is intended for archiving and creating notes with embedded photos, audio, and saved web content. Notes are stored in virtual "notebooks" and can be tagged, annotated, edited, searched, and exported.

A Google Account is a user account that is required for access, authentication and authorization to certain online Google services. It is also often used as single sign-on for third party services.

<span class="mw-page-title-main">Outlook.com</span> Microsoft webmail service

Outlook.com, formerly Hotmail, is a free personal email service offered by Microsoft. This includes a webmail interface featuring mail, calendaring, contacts, and tasks services. Outlook can also be accessed via email clients using the IMAP or POP protocols.

This is a comparison of online backup services.

Dropbox is a file hosting service operated by the American company Dropbox, Inc., headquartered in San Francisco, California, U.S. that offers cloud storage, file synchronization, personal cloud, and client software. Dropbox was founded in 2007 by MIT students Drew Houston and Arash Ferdowsi as a startup company, with initial funding from seed accelerator Y Combinator.

LastPass is a password manager application. The standard version of LastPass comes with a web interface, but also includes plugins for various web browsers and apps for many smartphones. It also includes support for bookmarklets.

A recent extension to the cultural relationship with death is the increasing number of people who die having created a large amount of digital content, such as social media profiles, that will remain after death. This may result in concern and confusion, because of automated features of dormant accounts, uncertainty of the deceased's preferences that profiles be deleted or left as a memorial, and whether information that may violate the deceased's privacy should be made accessible to family.

Disqus is an American blog comment hosting service for websites and online communities that use a networked platform. The company's platform includes various features, such as social integration, social networking, user profiles, spam and moderation tools, analytics, email notifications, and mobile commenting. It was founded in 2007 by Daniel Ha and Jason Yan as a Y Combinator startup.

The 2011 PlayStation Network outage was the result of an "external intrusion" on Sony's PlayStation Network and Qriocity services, in which personal details from approximately 77 million accounts were compromised and prevented users of PlayStation 3 and PlayStation Portable consoles from accessing the service. The attack occurred between April 17 and April 19, 2011, forcing Sony to deactivate the PlayStation Network servers on April 20. The outage lasted 23 days.

Google Drive is a file-hosting service and synchronization service developed by Google. Launched on April 24, 2012, Google Drive allows users to store files in the cloud, synchronize files across devices, and share files. In addition to a web interface, Google Drive offers apps with offline capabilities for Windows and macOS computers, and Android and iOS smartphones and tablets. Google Drive encompasses Google Docs, Google Sheets, and Google Slides, which are a part of the Google Docs Editors office suite that allows collaborative editing of documents, spreadsheets, presentations, drawings, forms, and more. Files created and edited through the Google Docs suite are saved in Google Drive.

The 2012 LinkedIn hack refers to the computer hacking of LinkedIn on June 5, 2012. Passwords for nearly 6.5 million user accounts were stolen. Yevgeniy Nikulin was convicted of the crime and sentenced to 88 months in prison.

In July 2015, an unknown person or group calling itself "The Impact Team" announced they had stolen the user data of Ashley Madison, a commercial website billed as enabling extramarital affairs. The hacker(s) copied personal information about the site's user base and threatened to release users' names and personal identifying information if Ashley Madison would not immediately shut down. As evidence of the seriousness of the threat, the personal information of more than 2,500 users was initially released. The company initially denied that its records were insecure, but it continued to operate.

Credential stuffing is a type of cyberattack in which the attacker collects stolen account credentials, typically consisting of lists of usernames or email addresses and the corresponding passwords, and then uses the credentials to gain unauthorized access to user accounts on other systems through large-scale automated login requests directed against a web application. Unlike credential cracking, credential stuffing attacks do not attempt to use brute force or guess any passwords – the attacker simply automates the logins for a large number of previously discovered credential pairs using standard web automation tools such as Selenium, cURL, PhantomJS or tools designed specifically for these types of attacks, such as Sentry MBA, SNIPR, STORM, Blackbullet and Openbullet.

In cybersecurity, cyber self-defense refers to self-defense against cyberattack. While it generally emphasizes active cybersecurity measures by computer users themselves, cyber self-defense is sometimes used to refer to the self-defense of organizations as a whole, such as corporate entities or entire nations. Surveillance self-defense is a variant of cyber self-defense and largely overlaps with it. Active and passive cybersecurity measures provide defenders with higher levels of cybersecurity, intrusion detection, incident handling and remediation capabilities. Various sectors and organizations are legally obligated to adhere to cyber security standards.

NordLocker is a file encryption software integrated with end-to-end encrypted cloud storage. It is available on Windows and macOS. NordLocker is developed by Nord Security, the Lithuania-based company behind the NordVPN virtual private network.

References

  1. Newton, Derek (April 7, 2011). "Dropbox authentication: insecure by design". Derek Newton. Retrieved February 17, 2017.
  2. Brian, Matt (April 8, 2011). "Dropbox security hole could let others access your files [Updated]". The Next Web. Retrieved February 17, 2017.
  3. 1 2 Schwartz, Mathew (May 16, 2011). "Dropbox Accused Of Misleading Customers On Security". InformationWeek . UBM plc. Archived from the original on October 20, 2012. Retrieved February 17, 2017.
  4. Houston, Drew; Ferdowsi, Arash (April 21, 2011). "Privacy, Security & Your Dropbox (Updated)". Dropbox Blog. Dropbox. Retrieved February 17, 2017.
  5. Kincaid, Jason (June 20, 2011). "Dropbox Security Bug Made Passwords Optional For Four Hours". TechCrunch . AOL . Retrieved February 17, 2017.
  6. Ferdowsi, Arash (June 20, 2011). "Yesterday's Authentication Bug". Dropbox Blog. Dropbox. Retrieved February 17, 2017.
  7. Pepitone, Julianne (June 22, 2011). "Dropbox's password nightmare highlights cloud risks". CNNMoney . Time Warner . Retrieved February 17, 2017.
  8. White, Christopher (July 2, 2011). "Dropbox can legally sell all of your files [Update]". Neowin . Retrieved February 17, 2017.
  9. Houston, Drew; Ferdowsi, Arash (July 1, 2011). "Changes to our policies (updated)". Dropbox Blog. Dropbox. Retrieved February 17, 2017.
  10. Brodkin, Jon (July 18, 2012). "Dropbox hires "outside experts" to investigate possible e-mail breach". Ars Technica . Condé Nast . Retrieved February 17, 2017.
  11. Agarwal, Aditya (July 31, 2012). "Security update and new features". Dropbox Blog. Dropbox. Retrieved February 17, 2017.
  12. Brodkin, Jon (August 1, 2012). "Dropbox confirms it got hacked, will offer two-factor authentication". Ars Technica . Condé Nast . Retrieved February 17, 2017.
  13. Robertson, Adi (February 28, 2013). "Dropbox users claim email addresses leaked to spammers, company blames 2012 security breach". The Verge . Vox Media . Retrieved February 17, 2017.
  14. Greenwald, Glenn; MacAskill, Ewen (June 7, 2013). "NSA Prism program taps in to user data of Apple, Google and others". The Guardian . Retrieved February 17, 2017.
  15. Gellman, Barton; Poitras, Laura (June 7, 2013). "U.S., British intelligence mining data from nine U.S. Internet companies in broad secret program". The Washington Post . Retrieved February 17, 2013.
  16. "Dropbox site is back up! Claims of leaked user info are a hoax. The outage was caused during internal maintenance. Thanks for your patience!". Twitter. January 11, 2014. Retrieved February 17, 2017.
  17. Swartz, Jon (January 11, 2014). "Dropbox says outage arose from routine maintenance". USA Today . Gannett Company . Retrieved February 17, 2017.
  18. "Dropbox hit by outage on Friday, denies that it was hacked". PC World . International Data Group. January 10, 2014. Retrieved February 17, 2017.
  19. Gupta, Akhil (January 12, 2014). "Outage post-mortem". Dropbox Blog. Dropbox. Retrieved February 17, 2017.
  20. Houston, Drew (April 9, 2014). "Growing our leadership team". Dropbox Blog. Dropbox. Retrieved February 8, 2017.
  21. "Controversy flares as Condoleezza Rice joins Dropbox board". BBC News . April 11, 2014. Retrieved February 8, 2017.
  22. Stone, Brad; Levy, Ari (April 11, 2014). "Dropbox's Next Chapter: Corporate Customers, IPO, Condi Rice, and Eddie Vedder". Bloomberg L.P. Retrieved February 8, 2017.
  23. Agarwal, Aditya (May 5, 2014). "Web vulnerability affecting shared links". Dropbox Blog. Dropbox. Retrieved February 17, 2017.
  24. Lee, Dave (May 6, 2014). "Warning over unintentional file leak from storage sites". BBC News . Retrieved February 17, 2017.
  25. Yadron, Danny; MacMillan, Douglas (July 17, 2014). "Snowden Says Drop Dropbox, Use SpiderOak". The Wall Street Journal . News Corp . Retrieved February 17, 2017.(subscription required)
  26. Mityagin, Anton (October 13, 2014). "Dropbox wasn't hacked". Dropbox Blog. Dropbox. Retrieved February 17, 2017.
  27. Lomas, Natasha (October 14, 2014). "Dropbox Confirms Compromised Account Details But Says Its Servers Weren't Hacked". TechCrunch . AOL . Retrieved February 17, 2017.
  28. Lewis, Dave (October 14, 2014). "Was Dropbox Hacked? Not So Fast". Forbes . Retrieved February 17, 2017.
  29. "Can we have plans that are smaller than 1 TB". www.dropboxforum.com. Retrieved 4 December 2023.
  30. Mendelsohn, Tom (August 31, 2016). "Dropbox hackers stole e-mail addresses, hashed passwords from 68M accounts". Ars Technica . Condé Nast . Retrieved February 17, 2017.
  31. Brandom, Russell (August 31, 2016). "Dropbox's 2012 breach was worse than the company first announced". The Verge . Vox Media . Retrieved February 17, 2017.
  32. McGoogan, Cara (August 31, 2016). "Dropbox hackers stole 68 million passwords - check if you're affected and how to protect yourself". The Daily Telegraph . Retrieved February 17, 2017.
  33. Gibbs, Samuel (August 31, 2016). "Dropbox hack leads to leaking of 68m user passwords on the internet". The Guardian . Retrieved February 17, 2017.
  34. Heim, Patrick (August 25, 2016). "Resetting passwords to keep your files safe". Dropbox Blog. Dropbox. Retrieved February 17, 2017.
  35. Tung, Liam (January 25, 2017). "Dropbox bug kept users' deleted files on its servers for six years". ZDNet . CBS Interactive . Retrieved February 18, 2017.
  36. Hackett, Robert (January 25, 2017). "Dropbox Didn't Actually Delete Your 'Deleted' Files". Fortune . Time Inc. Retrieved February 18, 2017.
  37. "A Study of Thousands of Dropbox Projects Reveals How Successful Teams Collaborate". Harvard Business Review. 2018-07-20. ISSN   0017-8012 . Retrieved 2020-12-16.
  38. "Was It Ethical for Dropbox to Share Customer Data with Scientists?". Wired. ISSN   1059-1028 . Retrieved 2020-12-16.
  39. "5 traits that distinguish high-performing teams". blog.dropbox.com. Retrieved 2020-12-16.
  40. "Dozens of current and former Dropbox employees allege gender discrimination". Venture Beat. 5 February 2021. Retrieved 2021-02-15.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.