[liberationtech] Request for review of considerations when using a third party service that hosts private data

Mark Seiden mis at seiden.com
Sat Jul 18 19:42:17 CEST 2020 

hi, david.

i have many experiences with vendor screwups.

my initial reaction is that this attempt to exhaustively enumerate privacy
risks in using vendors, who in turn use other vendors, turtles all the way
down, is a bit misplaced.

as a practical matter there's very little that can reasonably be done even
in full good faith, to prevent parties outside one's direct control from
misfeasing, especially rogue elements or compromised insiders.

but also, where's the money for this kind of indemnification to come from?
the customer wants assurances but would they pay for the costs?

good design helps.  transparency helps. log analysis helps. but doing it
yourself means you have nobody else to blame.



On Sat, Jul 18, 2020, 4:25 AM David Gessel <gessel at blackrosetech.com> wrote:

> Dear Libtech,
>
> One of the discussions I have frequently with people who are considering
> or are using a third party data hosting service is the presumption people
> tend to have that their data will be treated at least like clothes dropped
> off at a dry cleaners if not money left in the care of a bank.
>
> A cursory review of a variety of user agreements indicates that this is
> not remotely accurate.  Often I suggest to my incredulous interlocutor that
> they ask of the data service provider clear guidance as to the
> responsibility they take for the data in their care and what recourse the
> customer/user might have should the provider fail to exercise expected care.
>
> A recent email thread that touched on this topic inspired me to draft the
> below summary of concerns and questions I'd advise a potential user to ask
> of their potential data holder; I would appreciate any thoughts or
> extensions that might make such a list more helpful in getting potential
> users to think about their expectations of rights, privacy, and care.
>
>
> -----
>
> A first consideration is data protection and privacy:
>
> What liability does The Company, and employees of The Company
> individually, have should they sell or lose control of The Customer's
> data?   What compensation will The Customer receive if control of The
> Customer's data is lost?  Please clarify The Company's criminal and civil
> liability under the following scenarios:
>
> 1) A third party exfiltrates The Customer's data entrusted to The
> Company's care in an unauthorized manner.
>
> 2) A rogue employee of The Company willfully misuses The Customer's data
> entrusted to The Company in any way.
>
> 3) The Company disposes of equipment in a manner which makes The
> Customer's data entrusted to The Company accessible to third parties.
>
> 4) The company receives a National Security Letter (NSL) requesting
> information pertaining to The Customer or to others who have data about The
> Customer on The Company's service.
>
> 5) The company receives a warrant requesting information pertaining to The
> Customer or  to others who have data regarding The Customer on The
> Company's service.
>
> 6) The company receives a subpoena requesting information pertaining to
> The Customer or to others who have data regarding The Customer on The
> Company's service that is opened or has been in stored on their hardware
> for more than 180 days.
>
> 7) The company receives a civil discovery request for information
> pertaining to The Customer or to others who have data regarding The
> Customer on The Company's service.
>
> 8) The company sells or provides access to The Customer's data or meta
> information about The Customer or The Customer's use of The Company's
> system to a third party.
>
> 9) The Company changes their terms of service at some future date in a way
> that is inconsistent with the terms agreed to at the time of The Customer's
> engagement of the services of The Company.
>
> 10) The Company fails to inform The Customer of a breach of control of The
> Customer's data.
>
> 11) The Company fails to inform The Customer in a timely manner of a
> change in policy regarding third party access to The Customer's data.
>
> 12) The Company erroneously exposes The Customer's data to third party
> access due to negligence or incompetence.
>
>
> A second consideration is a serial dependency on the reliability of The
> Company's service to The Customer's activity:
>
> By relying on The Company's service, The Customer typically will rely on
> the performance of The Company's products.  If The Company product fails or
> fails to provide service as expected, The Customer may incur losses,
> including direct financial losses, loss of reputation, loss of convenience,
> or other harms.  What warranty does The Company make in the performance of
> their services?  What recourse does The Customer have for recovery of
> losses should The Company fail to perform?
>
> Please provide details on what compensation The Company will provide in
> the following scenarios:
>
> 1) The Company can no longer perform the agreed and expected services due
> to reasons beyond The Company's control.
>
> 2) The Company's service fails to meet expectations in way that causes a
> material loss to The Customer.
>
> 3) The Company suffers an extended outage or compromise of service that
> exceeds a reasonable or agreed maximum accepted duration.
>
>
> A third consideration is the alignment of interests between The Customer
> and The Company which may not be complete and may diverge in the future:
>
> Engagement of the services of The Company requires an investment of time
> and resources on the part of The Customer in excess of any fees The Company
> may charge to adopt The Company's products and services.  What compensation
> will be provided should The Company's products fail to meet  performance
> and utility expectations?  What compensation will be provided should
> expenditure of resources be required to compensate for The Company's
> failure to meet service expectations?
>
> Please provide details on what compensation The Company will provide in
> the following scenarios:
>
> 1) The Company elects to no longer perform the agreed and expected
> services due to business decisions made by The Company.
>
> 2) Ownership or control of The Company changes to an entity that is not
> aligned with the values of The Customer and which The Customer can not
> support, directly or indirectly.
>
> 3) Control of The Company passes to a third party e.g. through an
> acquisition or change of control of the board and which results in use of
> The Customer's data in a way that is unacceptable to The User.
>
> 4) The Company or employees of The Company are found to have engaged in
> behavior, speech, or conduct which is unacceptable to The Customer.
>
> 5) The Company's products or services are found to be unacceptable to The
> Customer for any reason not limited to security flaws, missing features,
> access failures, lack of performance, etc and The Company is not able to or
> is unwilling to meet The Customer's requirements in a timely manner.
>
>
> Any advice or improvements or discussion very much appreciated.
>
> -David
>
>
> --
> Liberationtech is public & archives are searchable from any major
> commercial search engine. Violations of list guidelines will get you
> moderated: https://lists.ghserv.net/mailman/listinfo/lt. Unsubscribe,
> change to digest mode, or change password by emailing
> lt-owner at lists.liberationtech.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ghserv.net/pipermail/lt/attachments/20200718/806c719a/attachment.html>

More information about the LT mailing list