Mark,

Thank you for the input.  I hadn't considered 2nd-level outsourcing; of course 
that significantly impacts all considerations, serial risk consequences 
geometrically.

The point isn't so much a "how to properly negotiate with a 3rd party 
service", as I agree it isn't remotely practical, nor would any rational third party 
service take any binding liability for the customer data they handle; rather, it is to frame 
questions in a manner that might help people understand the risks associated with 
outsourcing data services rather than in-sourcing them, for example self-hosting, 
particularly open source.

If your experience with vendor screwups includes some examples that aren't 
considered below, I'd love to hear, even if details are redacted to protect the 
guilty.

-David

-------- Original Message --------
Subject: Re: [liberationtech] Request for review of considerations when using a 
third party service that hosts private data
From: Mark Seiden <[email protected]>
To: David Gessel <[email protected]>
CC: [email protected]
Date: 2020-07-18 08:42+0300
hi, david.

i have many experiences with vendor screwups.

my initial reaction is that this attempt to exhaustively enumerate privacy 
risks in using vendors, who in turn use other vendors, turtles all the way 
down, is a bit misplaced.

as a practical matter there's very little that can reasonably be done even in 
full good faith, to prevent parties outside one's direct control from 
misfeasing, especially rogue elements or compromised insiders.

but also, where's the money for this kind of indemnification to come from? the 
customer wants assurances but would they pay for the costs?

good design helps.  transparency helps. log analysis helps. but doing it 
yourself means you have nobody else to blame.



On Sat, Jul 18, 2020, 4:25 AM David Gessel <[email protected]> wrote:

    Dear Libtech,

    One of the discussions I have frequently with people who are considering or 
are using a third party data hosting service is the presumption people tend to 
have that their data will be treated at least like clothes dropped off at a dry 
cleaners if not money left in the care of a bank.

    A cursory review of a variety of user agreements indicates that this is not 
remotely accurate.  Often I suggest to my incredulous interlocutor that they 
ask of the data service provider clear guidance as to the responsibility they 
take for the data in their care and what recourse the customer/user might have 
should the provider fail to exercise expected care.

    A recent email thread that touched on this topic inspired me to draft the 
below summary of concerns and questions I'd advise a potential user to ask of 
their potential data holder; I would appreciate any thoughts or extensions that 
might make such a list more helpful in getting potential users to think about 
their expectations of rights, privacy, and care.


    -----

    A first consideration is data protection and privacy:

    What liability does The Company, and employees of The Company individually, 
have should they sell or lose control of The Customer's data?   What 
compensation will The Customer receive if control of The Customer's data is 
lost?  Please clarify The Company's criminal and civil liability under the 
following scenarios:

    1) A third party exfiltrates The Customer's data entrusted to The Company's 
care in an unauthorized manner.

    2) A rogue employee of The Company willfully misuses The Customer's data 
entrusted to The Company in any way.

    3) The Company disposes of equipment in a manner which makes The Customer's 
data entrusted to The Company accessible to third parties.

    4) The Company receives a National Security Letter (NSL) requesting 
information pertaining to The Customer or to others who have data about The 
Customer on The Company's service.

    5) The Company receives a warrant requesting information pertaining to The 
Customer or to others who have data regarding The Customer on The Company's 
service.

    6) The Company receives a subpoena requesting information pertaining to The 
Customer or to others who have data regarding The Customer on The Company's 
service that is opened or has been stored on their hardware for more than 
180 days.

    7) The Company receives a civil discovery request for information 
pertaining to The Customer or to others who have data regarding The Customer on 
The Company's service.

    8) The Company sells or provides access to The Customer's data or meta 
information about The Customer or The Customer's use of The Company's system to 
a third party.

    9) The Company changes their terms of service at some future date in a way 
that is inconsistent with the terms agreed to at the time of The Customer's 
engagement of the services of The Company.

    10) The Company fails to inform The Customer of a breach of control of The 
Customer's data.

    11) The Company fails to inform The Customer in a timely manner of a change 
in policy regarding third party access to The Customer's data.

    12) The Company erroneously exposes The Customer's data to third party 
access due to negligence or incompetence.


    A second consideration is a serial dependency on the reliability of The 
Company's service to The Customer's activity:

    By relying on The Company's service, The Customer typically will rely on 
the performance of The Company's products.  If The Company product fails or 
fails to provide service as expected, The Customer may incur losses, including 
direct financial losses, loss of reputation, loss of convenience, or other 
harms.  What warranty does The Company make in the performance of their 
services?  What recourse does The Customer have for recovery of losses should 
The Company fail to perform?

    Please provide details on what compensation The Company will provide in the 
following scenarios:

    1) The Company can no longer perform the agreed and expected services due 
to reasons beyond The Company's control.

    2) The Company's service fails to meet expectations in a way that causes a 
material loss to The Customer.

    3) The Company suffers an extended outage or compromise of service that 
exceeds a reasonable or agreed maximum accepted duration.


    A third consideration is the alignment of interests between The Customer 
and The Company which may not be complete and may diverge in the future:

    Engagement of the services of The Company requires an investment of time 
and resources on the part of The Customer in excess of any fees The Company may 
charge to adopt The Company's products and services.  What compensation will be 
provided should The Company's products fail to meet performance and utility 
expectations?  What compensation will be provided should expenditure of 
resources be required to compensate for The Company's failure to meet service 
expectations?

    Please provide details on what compensation The Company will provide in the 
following scenarios:

    1) The Company elects to no longer perform the agreed and expected services 
due to business decisions made by The Company.

    2) Ownership or control of The Company changes to an entity that is not 
aligned with the values of The Customer and which The Customer cannot support, 
directly or indirectly.

    3) Control of The Company passes to a third party, e.g. through an 
acquisition or change of control of the board, which results in use of The 
Customer's data in a way that is unacceptable to The User.

    4) The Company or employees of The Company are found to have engaged in 
behavior, speech, or conduct which is unacceptable to The Customer.

    5) The Company's products or services are found to be unacceptable to The 
Customer for any reason, including but not limited to security flaws, missing features, access 
failures, lack of performance, etc., and The Company is not able or is 
unwilling to meet The Customer's requirements in a timely manner.


    Any advice or improvements or discussion very much appreciated.

    -David


-- Liberationtech is public & archives are searchable from any major commercial search engine. Violations of list guidelines will get you moderated: https://lists.ghserv.net/mailman/listinfo/lt. Unsubscribe, change to digest mode, or change password by emailing [email protected].
