[jarek]

> I don't even understand what this comment is trying to say. If you use HTTP to communicate between services, and those services are not publicly accessible, the use of HTTP makes it no longer a private interface?

Yes - if you make a HTTP call from an app, it can be trivially sniffed. Sniffing HTTP is the first thing a third party trying to discover that undocumented API would do, and you don't need source code for that at all. (This is also why you must always sanitize data coming in from a user's device, even if it's from your own app.)

You can make the argument that there would be a time cost cleaning up the internal calls that will no longer work once the servers are turned off. Sure, but: 1) there are no secrets that would give competitors a new advantage, and 2) if you don't have that time, just chuck the code over the fence and see what happens - worst is that no one uses it, which will be the case with closed code anyway.

[jessedhillon]

The is just so unimaginative that I can't believe you've ever seen the inside of a large operation. How are you going to sniff traffic that's communicating on a private network? And how does trivial sniffability not extend to all unencrypted traffic, ergo nearly everything is public? That's a totally useless definition and misses the point entirely.

Your point #1 is totally unjustified: you don't know what you could learn by e.g. looking at a data structure used internally. #2 shows that you are unable to answer the question of which of Dropbox's incentives are satisfied by doing this.