There are probably two different things I was trying to comment on also.

First, the policy content. My point was not that mimicking another privacy policy makes this one OK. It was more that these are common policies now found across most services; "we promise to try not getting broken into but if it happens we take no responsibility for your losses".. Microsoft has been software with that one for ever. You pretty much have to damn the entire industry if your going to damn this one company for it.

Second, the "Weak Link" question. This is very much a matter of implementation details. I'm not saying this service is or is not implemented securely; it's really more of a question. It is possible to implement a hosted service in a way that blocks even the service host from accessing user data; is this sharing service implemented in such a way or is it broken by intent/accident?

Lastpass and Spideroak where offered as examples of hosted services implemented properly to keep even the service provider out of the user's data. Services that would be discounted as "cloud" even though they do not share the design flaws that other hosted services choose to include. If you have found weak links in them though, that would be huge news.