WeTransfer faced significant backlash in July 2025 after updating its terms of service to include a “perpetual, sublicensable license” for user-uploaded files, which many interpreted as enabling AI training. The controversy led to threats of account deletions and a rapid policy reversal by the company. This incident highlights broader concerns about data ownership, opaque terms of service, and the security implications of cloud-based file-sharing platforms.
Summary for CISOs
The WeTransfer incident underscores the risks of ambiguous data-use clauses in SaaS platforms, particularly for organizations handling sensitive intellectual property. Key takeaways include:
- Policy Reversal: WeTransfer revised its terms within days to explicitly exclude AI training after user protests1.
- Industry Pattern: Similar controversies affected Dropbox in 2023, suggesting a trend of overreaching terms followed by backtracking4.
- Security Alternatives: Encrypted platforms like Proton Drive and Nextcloud gained traction as secure alternatives3.
- Regulatory Implications: The EU’s Digital Services Act may mandate clearer opt-outs for AI data use in future1.
The Technical and Legal Context
WeTransfer’s original July 2025 terms granted broad rights to “use, reproduce, modify, and create derivative works” from uploaded files1. While common in SaaS agreements, the inclusion of “derivative works” triggered alarms among creative professionals who frequently share unreleased work via the platform. Security researchers noted the terms could have enabled:
| Risk | Potential Impact |
|---|---|
| Data leakage to third-party AI models | Exposure of proprietary designs, source code, or confidential documents |
| Loss of control over intellectual property | Inability to enforce copyright if content was used in training datasets |
| Expanded attack surface | Additional data processing steps increasing potential for breaches |
Legal experts like Mona Schroedel of Freeths LLP observed that companies often use vague language about “service improvement” to justify expansive data collection1. This creates situations where users must either accept unfavorable terms or abandon essential services.
Security Implications for Enterprises
The backlash against WeTransfer revealed several operational security considerations:
“Digital sovereignty is a right, not a luxury.”
— Frank Zijlstra, The New Digital (Sendox developer)3
Organizations handling sensitive data should evaluate file-sharing platforms based on:
- Encryption standards: End-to-end encryption prevents service providers from accessing file contents
- Data jurisdiction: Geographic location of servers affects legal exposure
- Audit capabilities: Logging of file access and transfers
Technical issues like email verification failures in Outlook5 further eroded trust in WeTransfer’s infrastructure reliability during the controversy.
Recommended Mitigations
For organizations requiring secure file transfer:
- Encrypt before uploading: Use AES-256 encrypted ZIPs with strong passwords
- Adopt zero-trust alternatives: Platforms like Sendox or self-hosted Nextcloud instances
- Monitor terms updates: Automate tracking of SaaS policy changes with tools like TermScout
- Implement DLP controls: Block unauthorized uploads to consumer-grade file-sharing services
Conclusion
The WeTransfer incident serves as a case study in how opaque data policies can rapidly damage trust in cloud services. While the company clarified it doesn’t use files for AI training2, the controversy accelerated migration to more secure alternatives and highlighted the need for transparent data handling practices. Organizations should treat consumer-grade file-sharing services as potentially high-risk channels for sensitive data.
References
- “WeTransfer changes terms after AI training backlash”. BBC News, 15 July 2025.
- “WeTransfer says files not used to train AI after backlash”. AOL, 15 July 2025.
- “WeTransfer faces open-source competition after terms controversy”. TechCentral.ie, 18 July 2025.
- “Dropbox backtracks on AI training policy after user revolt”. The Register, 15 December 2023.
- “WeTransfer email verification issues”. JustAnswer, July 2025.
