<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Mark,</p>
<p>Thank you for the input. I hadn't considered 2nd level
outsourcing, of course that significantly impacts all
considerations, serial risk consequences geometrically.</p>
<p>The point isn't so much as a "how to properly negotiate with a
3rd party service" as I agree it isn't remotely practical nor
would any rational third party service take any binding liability
for the customer data they handle, rather to frame questions in
manner that might help people understand the risks associated with
outsourcing data services rather than in-sourcing them, for
example self-hosting, particularly open source.</p>
<p>If your experience with vendor screwups includes some examples
that aren't considered below, I'd love to hear, even if details
are redacted to protect the guilty.</p>
<p>-David<br>
</p>
<div class="moz-cite-prefix">-------- Original Message --------<br>
Subject: Re: [liberationtech] Request for review of considerations
when using a third party service that hosts private data<br>
From: Mark Seiden <a class="moz-txt-link-rfc2396E" href="mailto:mis@seiden.com"><mis@seiden.com></a><br>
To: David Gessel <a class="moz-txt-link-rfc2396E" href="mailto:gessel@blackrosetech.com"><gessel@blackrosetech.com></a><br>
CC: <a class="moz-txt-link-abbreviated" href="mailto:lt@lists.liberationtech.org">lt@lists.liberationtech.org</a><br>
Date: 2020-07-18 08:42+0300<br>
</div>
<blockquote type="cite"
cite="mid:CAKkLfLHp-WXn-qu6udhgtWfxWJ2Em4DKayftW-jOY7qku_hhyw@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="auto">hi, david.
<div dir="auto"><br>
</div>
<div dir="auto">i have many experiences with vendor screwups.<br>
<div dir="auto"><br>
</div>
<div dir="auto">my initial reaction is that this attempt to
exhaustively enumerate privacy risks in using vendors, who
in turn use other vendors, turtles all the way down, is a
bit misplaced.</div>
<div dir="auto"><br>
</div>
<div dir="auto">as a practical matter there's very little that
can reasonably be done even in full good faith, to prevent
parties outside one's direct control from misfeasing,
especially rogue elements or compromised insiders.</div>
<div dir="auto"><br>
</div>
<div dir="auto">but also, where's the money for this kind of
indemnification to come from? the customer wants assurances
but would they pay for the costs?</div>
<div dir="auto"><br>
</div>
<div dir="auto">good design helps. transparency helps. log
analysis helps. but doing it yourself means you have nobody
else to blame.</div>
<div dir="auto"><br>
</div>
<div dir="auto"><br>
</div>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Sat, Jul 18, 2020, 4:25 AM
David Gessel <<a href="mailto:gessel@blackrosetech.com"
moz-do-not-send="true">gessel@blackrosetech.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">Dear
Libtech,<br>
<br>
One of the discussions I have frequently with people who are
considering or are using a third party data hosting service is
the presumption people tend to have that their data will be
treated at least like clothes dropped off at a dry cleaners if
not money left in the care of a bank.<br>
<br>
A cursory review of a variety of user agreements indicates
that this is not remotely accurate. Often I suggest to my
incredulous interlocutor that they ask of the data service
provider clear guidance as to the responsibility they take for
the data in their care and what recourse the customer/user
might have should the provider fail to exercise expected care.<br>
<br>
A recent email thread that touched on this topic inspired me
to draft the below summary of concerns and questions I'd
advise a potential user to ask of their potential data holder;
I would appreciate any thoughts or extensions that might make
such a list more helpful in getting potential users to think
about their expectations of rights, privacy, and care.<br>
<br>
<br>
-----<br>
<br>
A first consideration is data protection and privacy:<br>
<br>
What liability does The Company, and employees of The Company
individually, have should they sell or lose control of The
Customer's data? What compensation will The Customer receive
if control of The Customer's data is lost? Please clarify The
Company's criminal and civil liability under the following
scenarios:<br>
<br>
1) A third party exfiltrates The Customer's data entrusted to
The Company's care in an unauthorized manner.<br>
<br>
2) A rogue employee of The Company willfully misuses The
Customer's data entrusted to The Company in any way.<br>
<br>
3) The Company disposes of equipment in a manner which makes
The Customer's data entrusted to The Company accessible to
third parties.<br>
<br>
4) The company receives a National Security Letter (NSL)
requesting information pertaining to The Customer or to others
who have data about The Customer on The Company's service.<br>
<br>
5) The company receives a warrant requesting information
pertaining to The Customer or to others who have data
regarding The Customer on The Company's service.<br>
<br>
6) The company receives a subpoena requesting information
pertaining to The Customer or to others who have data
regarding The Customer on The Company's service that is opened
or has been in stored on their hardware for more than 180
days.<br>
<br>
7) The company receives a civil discovery request for
information pertaining to The Customer or to others who have
data regarding The Customer on The Company's service.<br>
<br>
8) The company sells or provides access to The Customer's data
or meta information about The Customer or The Customer's use
of The Company's system to a third party.<br>
<br>
9) The Company changes their terms of service at some future
date in a way that is inconsistent with the terms agreed to at
the time of The Customer's engagement of the services of The
Company.<br>
<br>
10) The Company fails to inform The Customer of a breach of
control of The Customer's data.<br>
<br>
11) The Company fails to inform The Customer in a timely
manner of a change in policy regarding third party access to
The Customer's data.<br>
<br>
12) The Company erroneously exposes The Customer's data to
third party access due to negligence or incompetence.<br>
<br>
<br>
A second consideration is a serial dependency on the
reliability of The Company's service to The Customer's
activity:<br>
<br>
By relying on The Company's service, The Customer typically
will rely on the performance of The Company's products. If
The Company product fails or fails to provide service as
expected, The Customer may incur losses, including direct
financial losses, loss of reputation, loss of convenience, or
other harms. What warranty does The Company make in the
performance of their services? What recourse does The
Customer have for recovery of losses should The Company fail
to perform?<br>
<br>
Please provide details on what compensation The Company will
provide in the following scenarios:<br>
<br>
1) The Company can no longer perform the agreed and expected
services due to reasons beyond The Company's control.<br>
<br>
2) The Company's service fails to meet expectations in way
that causes a material loss to The Customer.<br>
<br>
3) The Company suffers an extended outage or compromise of
service that exceeds a reasonable or agreed maximum accepted
duration.<br>
<br>
<br>
A third consideration is the alignment of interests between
The Customer and The Company which may not be complete and may
diverge in the future:<br>
<br>
Engagement of the services of The Company requires an
investment of time and resources on the part of The Customer
in excess of any fees The Company may charge to adopt The
Company's products and services. What compensation will be
provided should The Company's products fail to meet
performance and utility expectations? What compensation will
be provided should expenditure of resources be required to
compensate for The Company's failure to meet service
expectations?<br>
<br>
Please provide details on what compensation The Company will
provide in the following scenarios:<br>
<br>
1) The Company elects to no longer perform the agreed and
expected services due to business decisions made by The
Company.<br>
<br>
2) Ownership or control of The Company changes to an entity
that is not aligned with the values of The Customer and which
The Customer can not support, directly or indirectly.<br>
<br>
3) Control of The Company passes to a third party e.g. through
an acquisition or change of control of the board and which
results in use of The Customer's data in a way that is
unacceptable to The User.<br>
<br>
4) The Company or employees of The Company are found to have
engaged in behavior, speech, or conduct which is unacceptable
to The Customer.<br>
<br>
5) The Company's products or services are found to be
unacceptable to The Customer for any reason not limited to
security flaws, missing features, access failures, lack of
performance, etc and The Company is not able to or is
unwilling to meet The Customer's requirements in a timely
manner.<br>
<br>
<br>
Any advice or improvements or discussion very much
appreciated.<br>
<br>
-David<br>
<br>
<br>
-- <br>
Liberationtech is public & archives are searchable from
any major commercial search engine. Violations of list
guidelines will get you moderated: <a
href="https://lists.ghserv.net/mailman/listinfo/lt"
rel="noreferrer noreferrer" target="_blank"
moz-do-not-send="true">https://lists.ghserv.net/mailman/listinfo/lt</a>.
Unsubscribe, change to digest mode, or change password by
emailing <a href="mailto:lt-owner@lists.liberationtech.org"
target="_blank" rel="noreferrer" moz-do-not-send="true">lt-owner@lists.liberationtech.org</a>.</blockquote>
</div>
</blockquote>
</body>
</html>