[liberationtech] Request for review of considerations when using a third party service that hosts private data

David Gessel gessel at blackrosetech.com
Sun Jul 19 06:19:00 CEST 2020 

Mark,

Thank you for the input.  I hadn't considered 2nd level outsourcing, of course that significantly impacts all considerations, serial risk consequences geometrically.

The point isn't so much as a "how to properly negotiate with a 3rd party service" as I agree it isn't remotely practical nor would any rational third party service take any binding liability for the customer data they handle, rather to frame questions in manner that might help people understand the risks associated with outsourcing data services rather than in-sourcing them, for example self-hosting, particularly open source.

If your experience with vendor screwups includes some examples that aren't considered below, I'd love to hear, even if details are redacted to protect the guilty.

-David

-------- Original Message --------
Subject: Re: [liberationtech] Request for review of considerations when using a third party service that hosts private data
From: Mark Seiden <mis at seiden.com>
To: David Gessel <gessel at blackrosetech.com>
CC: lt at lists.liberationtech.org
Date: 2020-07-18 08:42+0300
> hi, david.
>
> i have many experiences with vendor screwups.
>
> my initial reaction is that this attempt to exhaustively enumerate privacy risks in using vendors, who in turn use other vendors, turtles all the way down, is a bit misplaced.
>
> as a practical matter there's very little that can reasonably be done even in full good faith, to prevent parties outside one's direct control from misfeasing, especially rogue elements or compromised insiders.
>
> but also, where's the money for this kind of indemnification to come from? the customer wants assurances but would they pay for the costs?
>
> good design helps.  transparency helps. log analysis helps. but doing it yourself means you have nobody else to blame.
>
>
>
> On Sat, Jul 18, 2020, 4:25 AM David Gessel <gessel at blackrosetech.com <mailto:gessel at blackrosetech.com>> wrote:
>
>     Dear Libtech,
>
>     One of the discussions I have frequently with people who are considering or are using a third party data hosting service is the presumption people tend to have that their data will be treated at least like clothes dropped off at a dry cleaners if not money left in the care of a bank.
>
>     A cursory review of a variety of user agreements indicates that this is not remotely accurate.  Often I suggest to my incredulous interlocutor that they ask of the data service provider clear guidance as to the responsibility they take for the data in their care and what recourse the customer/user might have should the provider fail to exercise expected care.
>
>     A recent email thread that touched on this topic inspired me to draft the below summary of concerns and questions I'd advise a potential user to ask of their potential data holder; I would appreciate any thoughts or extensions that might make such a list more helpful in getting potential users to think about their expectations of rights, privacy, and care.
>
>
>     -----
>
>     A first consideration is data protection and privacy:
>
>     What liability does The Company, and employees of The Company individually, have should they sell or lose control of The Customer's data?   What compensation will The Customer receive if control of The Customer's data is lost?  Please clarify The Company's criminal and civil liability under the following scenarios:
>
>     1) A third party exfiltrates The Customer's data entrusted to The Company's care in an unauthorized manner.
>
>     2) A rogue employee of The Company willfully misuses The Customer's data entrusted to The Company in any way.
>
>     3) The Company disposes of equipment in a manner which makes The Customer's data entrusted to The Company accessible to third parties.
>
>     4) The company receives a National Security Letter (NSL) requesting information pertaining to The Customer or to others who have data about The Customer on The Company's service.
>
>     5) The company receives a warrant requesting information pertaining to The Customer or  to others who have data regarding The Customer on The Company's service.
>
>     6) The company receives a subpoena requesting information pertaining to The Customer or to others who have data regarding The Customer on The Company's service that is opened or has been in stored on their hardware for more than 180 days.
>
>     7) The company receives a civil discovery request for information pertaining to The Customer or to others who have data regarding The Customer on The Company's service.
>
>     8) The company sells or provides access to The Customer's data or meta information about The Customer or The Customer's use of The Company's system to a third party.
>
>     9) The Company changes their terms of service at some future date in a way that is inconsistent with the terms agreed to at the time of The Customer's engagement of the services of The Company.
>
>     10) The Company fails to inform The Customer of a breach of control of The Customer's data.
>
>     11) The Company fails to inform The Customer in a timely manner of a change in policy regarding third party access to The Customer's data.
>
>     12) The Company erroneously exposes The Customer's data to third party access due to negligence or incompetence.
>
>
>     A second consideration is a serial dependency on the reliability of The Company's service to The Customer's activity:
>
>     By relying on The Company's service, The Customer typically will rely on the performance of The Company's products.  If The Company product fails or fails to provide service as expected, The Customer may incur losses, including direct financial losses, loss of reputation, loss of convenience, or other harms.  What warranty does The Company make in the performance of their services?  What recourse does The Customer have for recovery of losses should The Company fail to perform?
>
>     Please provide details on what compensation The Company will provide in the following scenarios:
>
>     1) The Company can no longer perform the agreed and expected services due to reasons beyond The Company's control.
>
>     2) The Company's service fails to meet expectations in way that causes a material loss to The Customer.
>
>     3) The Company suffers an extended outage or compromise of service that exceeds a reasonable or agreed maximum accepted duration.
>
>
>     A third consideration is the alignment of interests between The Customer and The Company which may not be complete and may diverge in the future:
>
>     Engagement of the services of The Company requires an investment of time and resources on the part of The Customer in excess of any fees The Company may charge to adopt The Company's products and services.  What compensation will be provided should The Company's products fail to meet performance and utility expectations?  What compensation will be provided should expenditure of resources be required to compensate for The Company's failure to meet service expectations?
>
>     Please provide details on what compensation The Company will provide in the following scenarios:
>
>     1) The Company elects to no longer perform the agreed and expected services due to business decisions made by The Company.
>
>     2) Ownership or control of The Company changes to an entity that is not aligned with the values of The Customer and which The Customer can not support, directly or indirectly.
>
>     3) Control of The Company passes to a third party e.g. through an acquisition or change of control of the board and which results in use of The Customer's data in a way that is unacceptable to The User.
>
>     4) The Company or employees of The Company are found to have engaged in behavior, speech, or conduct which is unacceptable to The Customer.
>
>     5) The Company's products or services are found to be unacceptable to The Customer for any reason not limited to security flaws, missing features, access failures, lack of performance, etc and The Company is not able to or is unwilling to meet The Customer's requirements in a timely manner.
>
>
>     Any advice or improvements or discussion very much appreciated.
>
>     -David
>
>
>     -- 
>     Liberationtech is public & archives are searchable from any major commercial search engine. Violations of list guidelines will get you moderated: https://lists.ghserv.net/mailman/listinfo/lt. Unsubscribe, change to digest mode, or change password by emailing lt-owner at lists.liberationtech.org <mailto:lt-owner at lists.liberationtech.org>.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ghserv.net/pipermail/lt/attachments/20200719/8d3892b5/attachment.html>

More information about the LT mailing list