'Not training — today': lingering skepticism over Dropbox's AI data assurances

Since the 2023 OpenAI-toggle controversy, Dropbox has leaned on a consistent set of assurances about its AI features: that customer data shared with its AI partner is not used to train or fine-tune the partner's models, that such data is deleted within roughly 30 days, and that for Dash for Business it uses self-hosted AI by default so content stays within Dropbox's trust boundary. These statements are specific and, as far as can be verified, accurate as written.

The persistent skepticism is structural rather than an accusation of present wrongdoing. Security commentator Bruce Schneier summarized the concern in the title of his 2023 analysis — 'OpenAI Is Not Training on Your Dropbox Documents — Today' — making the point that policy commitments can change, that they are not the same as a technical guarantee, and that they sit atop Dropbox's existing server-side access to user files (Dropbox holds the keys and there is no end-to-end encryption for ordinary accounts). As Dash expands to index browser history and content across connected third-party apps, the volume and sensitivity of data covered by these revocable assurances grows, and so does the gap between 'we promise not to' and 'it is impossible for us to.' That gap — not any proven breach of the promises — is what keeps privacy-conscious users and regulators watchful.