Terms of Service as a Security Threat

After the Instagram debacle, where it changed its terms of service to give itself greater rights over user photos and reversed itself after a user backlash, it's worth thinking about the security threat stemming from terms of service in general.

As cloud computing becomes the norm, as Internet security becomes more feudal, these terms of service agreements define what our service providers can do, both with the data we post and with the information they gather about how we use their service. The agreements are very one-sided -- most of the time, we're not even paying customers of these providers -- and can change without warning. And, of course, none of us ever read them.

Here's one example. Prezi is a really cool presentation system. While you can run presentations locally, it's basically cloud-based. Earlier this year, I was at a CISO Summit in Prague, and one of the roundtable discussions centered around services like Prezi. CISOs were worried that sensitive company information was leaking out of the company and being stored insecurely in the cloud. My guess is that they would have been much more worried if they read Prezi's terms of use:

With respect to Public User Content, you hereby do and shall grant to Prezi (and its successors, assigns, and third party service providers) a worldwide, non-exclusive, perpetual, irrevocable, royalty-free, fully paid, sublicensable, and transferable license to use, reproduce, modify, create derivative works from, distribute, publicly display, publicly perform, and otherwise exploit the content on and in connection with the manufacture, sale, promotion, marketing and distribution of products sold on, or in association with, the Service, or for purposes of providing you with the Service and promoting the same, in any medium and by any means currently existing or yet to be devised.

With respect to Private User Content, you hereby do and shall grant to Prezi (and its successors, assigns, and third party service providers) a worldwide, non-exclusive, perpetual, irrevocable, royalty-free, fully paid, sublicensable, and transferable license to use, reproduce, modify, create derivative works from, distribute, publicly display, publicly perform, and otherwise exploit the content solely for purposes of providing you with the Service.

Those paragraphs sure sound like Prezi can do anything it wants, including start a competing business, with any presentation I post to its site. (Note that Prezi's human readable -- but not legally correct -- terms of use document makes no mention of this.) Yes, I know Prezi doesn't currently intend to do that, but things change, companies fail, assets get bought, and what matters in the end is what the agreement says.

I don't mean to pick on Prezi; it's just an example. How many other of these Trojan horses are hiding in commonly used cloud provider agreements: both from providers that companies decide to use as a matter of policy, and providers that company employees use in violation of policy, for reasons of convenience?

Posted on December 31, 2012 at 6:44 AM • 47 Comments

Comments

J.D. • December 31, 2012 7:21 AM

As B points out, the 'Private user content' cannot be used for any old purpose, but rather only for the purposes of 'providing you with the service'. As to whether that phrase contains Trojan horse ambiguities, keep in mind that Courts generally interpret contract language in the favor of the non-drafter, especially in the case of dense, boilerplate legalese that 'nobody ever reads'.

The trickier thing is the default options -- depending on the type of user you are, by default all your presentations are classified as 'public user content', and you have to actively change the designation to 'private user content'.

gregorylent • December 31, 2012 7:30 AM

when apple does it, it's a service, "in the cloud"

when NSA does it, it's "the surveillance state" ..

not much difference, apart from the marketing ...

NSA could rebrand >> "saving the things you might forget"

Victor Engmark • December 31, 2012 7:35 AM

ToS terms like these can also be a get-out-of-jail-for-free card: When they get bought up by someone who in turn goes bananas with the data, the original owners can throw up their arms and honestly say "It wasn't us!"

Rms • December 31, 2012 8:16 AM

Yet another reason to only use GNU/BSD-licensed free software instead of giving predatory data-stealing corporations money. Soon TOS will be so huge nobody but teams of lawyers will be able to decipher them.

Anna Ronkainen • December 31, 2012 8:29 AM

Well, considering that basically anything you do with a file (say, backing up an entire server) is potentially considered copying in the sense protected by copyright at least somewhere in the world, it is no surprise a service provider would at least by default want as broad a licence grant as possible just to be safe. By insta^H^H^Hdustry standards the "solely for purposes..." part is about as good as you'd expect, unless you are in a position to negotiate the terms on an individual basis. (Of course the whole copyright system is in desperate need of an overhaul, but that's a much larger problem.)

J.D. • December 31, 2012 8:37 AM

Rms -- the longer and more opaque contracts get, and the more carefully the egregious terms are hidden in dense legal boilerplate, the more Courts are willing to hold those terms void and unenforceable. Especially where the non-drafter is the lay individual and not some 'sophisticated' party who has the resources to hire a team of contract lawyers for every piece of paper they sign.

The greater danger is laziness and defaults. If you are sufficiently clever, you put the egregious terms in clear, bolded, unambiguous language, and give the user the ability to opt out... but the default is to opt in, and the snail-mail opt-out forms are long, complicated, and stuck somewhere in the bottom of a locked filing cabinet, in a disused lavatory, with a sign on the door saying 'beware of the leopard'.

Michael Johnston • December 31, 2012 8:44 AM

This ToS nonsense pretty much reached its apex when Dominos Pizza began requiring those placing online orders to agree to their terms when ordering a pizza - a pizza!

Putting aside my evident poor taste, does it not strike anyone as patently ridiculous that I have to agree to accept a legal contract prior to acceptance of my order for - let me repeat - a pizza?

If I were a walk-in customer of Dominos or someone placing an order over the phone, they wouldn't dare try to impede the order flow with a business-killing requirement such as this, for who would sign such a thing or even read it? It is the click-here-and-agree-with-all-that-we-demand process that is at fault.

In popular culture, the most humorous take on this phenomenon might have been on South Park, where Kyle, blindly agreeing to the latest iTunes ToS update, finds himself at the whim of Apple, who decide that he and three others will be sewn together, mouth to anus, as Apple's newest product: The Humancentipad.

AlanS • December 31, 2012 9:03 AM

@Simon Phipps

In practice this seems very unlikely. The only example I see cited is Wikileaks, a situation where the CSPs made a choice between seriously aggravating Julian Assange and friends or the feds. CSPs that start damaging paying business customers put their reputations at risk and invite lawsuits. And business users have SLAs.

fineonymous • December 31, 2012 9:12 AM

> "Soon TOS will be so huge nobody but teams of lawyers will be able to decipher them"

According to law professor Evan McKenzie, that's a feature, not a bug ("The Fine Print Society", a short blog post).

...We are conclusively presumed to have read, understood, and agreed to every lawyer-drafted word, and yet everybody knows that none of us reads this. Not even Ron Paul -- so don't start with me. And the more of these contracts we get, the less likely it is that we will read any of them. So corporations have an incentive to send more of them and make them longer and more verbose. This is a collective decision on their part, and it is working, and they know it.

Nearly all of this stuff is enforceable, as many an HOA or condo unit owner has discovered, and it makes citizens relatively powerless. The private logic of contract law structures the relationship as individual consumer vs. big corporation with government as the enforcer of the contract, instead of citizens vs. powerful private organizations, with government as policy maker holding jurisdiction over the relationship...

There is even a new book about this, "The Fine Print: How Big Companies Use 'Plain English' to Rob You Blind" by David Cay Johnston.

Release Date: September 18, 2012

“No other modern country gives corporations the unfettered power found in America to gouge cus­tomers, shortchange workers, and erect barriers to fair play. A big reason is that so little of the news . . . addresses the private, government-approved mechanisms by which price gouging is employed to redistribute income upward.”

You are being systematically exploited by powerful corporations every day. These companies squeeze their trusting customers for every last cent, risk their retirement funds, and endanger their lives. And they do it all legally. How? It’s all in the fine print.

It's almost funny how a certain ideological faction that blames lawyers for the ills of society (when those lawyers represent individuals) wants us to live in a "lawyerocracy" (they don't call it that) dictated by corporate lawyers.

Harald • December 31, 2012 9:17 AM

Just a small nit - those terms are actually required by existing copyright law. They cannot legally provide you a cloud-based service that manipulates your content unless you license your content to them.

The "perpetual, royalty free, transferable" etc. stuff is to prevent various legal log jams for the business (e.g. M&A activity).

tobias d. robison • December 31, 2012 9:53 AM

Our courts should recognize that a ToS that gives the provider the right to change the terms unilaterally is an unenforceable contract. Where else is it legal to make a contract that one side is allowed to change at any time? E.g., I agree to pay you $100/hr to do the work, but I reserve the right to change this contract in any way, including changing your rate to $0.
- tobias d. robison

Mahesh Paolini-Subramanya • December 31, 2012 10:32 AM

Harald has the right of it - if there is anybody/anything to blame here, it is our copyright laws.
The bottom line is that if you are using pretty much any online service (and I include Dropbox, Facebook, AWS, Instagram, whatever) and you didn't assign them a whole passel of rights, *they* are almost certainly violating copyright law.
(More detail on this at http://bit.ly/IyFIFV)

This comes up pretty much any time a tech writer (or anyone with a modicum of influence) reads a ToS and/or decides to troll a bit; there is nothing particularly unusual about it.

Note, I'm not saying it's good, I'm just pointing out that this particular Catch-22 is brought to you courtesy of our copyright law...

Andrew Burday • December 31, 2012 10:37 AM

Like other commenters, I think "solely for purposes of providing you..." is reasonably clear. Also like other commenters, I'd be more worried about what happens when Prezi changes hands, and about whether users understand their privacy settings. There was an amusing incident recently in which Zuckerberg's sister apparently got confused about her Facebook privacy settings and distributed a family photo more widely than she intended.

But generally, won't reputational concerns be fairly effective in limiting what Prezi itself does? I can't prove this, but what they stand to lose in a scandal seems to me to outweigh what they could gain by using private info illicitly. They aren't making a huge amount of money on each transaction. Bruce hints at the problem that would concern me most when he points out that individuals may use Prezi even if their companies have a policy against it. I would be more worried about a disgruntled or greedy Prezi employee misusing my data than about Prezi itself. But of course there's nothing we can do about that. We can at least read TOS and be on the lookout for Instagrams.

Dirk Praet • December 31, 2012 10:42 AM

@ Harald

> They cannot legally provide you a cloud-based service that manipulates your content unless you license your content to them.

Really? From where I'm sitting, that effectively invalidates any and all cloud-based service as a secure business platform or the laws governing it as a fair arbiter. I can't wait for the same schmucks who drafted and accepted it to start regulating food sales.

Hawke • December 31, 2012 12:22 PM

@A, JD

What if the "Purpose of the Service" becomes "use your IP for our gain" overnight?

Remember, these are subject to change anytime $PROVIDER chooses.

vasiliy pupkin • December 31, 2012 1:11 PM

@fineonymous.
Thank you for your post. Each word resonates with my thoughts.
The most important thing is that those long legalese-infested contracts are for the average person to sign, not a corporation with the same resources (corporate lawyers).
Government regulation should require a different level of contract text understanding depending on the addressee:
average person: no legalese, plain English at a level of understanding of high school graduates, versus business (e.g. banking account agreement for a private person versus banking account for a business/corporation, privacy statement/policy).
Corporations often include a mandatory arbitration provision and a no class action provision. That is the 'feudal' approach.
In a law-guided (not lawyer-guided) state, access to the court for protection and dispute resolution is an essential remedy against violation of any right.

Brian Christensen • December 31, 2012 1:17 PM

Mahesh, I read that page but don't find it very convincing. I don't think a cloud provider needs copyright permissions to make backups, etc., on behalf of the user. Often, users upload stuff (legally) for which they lack authority to assign these rights anyway. And it's obvious that a user inherently grants permission for the provider to distribute content when the user uploads it to a publicly viewable page.

Has a provider ever been successfully sued for something like this (which common sense suggests should be obviously legal)? It wouldn't surprise me to see frivolous suits, but people will file those regardless of the ToS.

J.D. • December 31, 2012 2:23 PM

Hawke,

Only terminable at will contracts can be unilaterally modified. The classic example is credit card contracts -- the CC company can (or could up until recently) change the interest rate (and other terms) at any time without your explicit consent, and because you always (at least theoretically) have the option to cancel the line of credit, by continuing to use the credit line Courts will see that as tacit acceptance of the changes. Of course, this example is also classic because of the abusive loophole it permits -- if you are unable to pay off the entire outstanding balance then you have no choice but to 'accept' the term changes.

The Prezi contract (at least the for-pay subscription part) is a terminable at will contract -- in exchange for them hosting your presentations 'in the Cloud' (ooh! Magic!), you give them money and grant them licenses to use your IP "for the purpose of providing you with the service" for the duration of that service. If they don't want to continue providing the hosting service they can always stop doing so, so long as they also stop accepting your payments. Similarly, you always have the option to cancel the subscription and your licenses and delete your content. So, since it is at will, they can change the terms of the contract at will, with one limitation -- they cannot change it to such an extent that it is no longer an at will contract.

At will contracts generally have a 'continuing' nature -- e.g. the credit card company will continue to provide a line of credit so long as you continue to make regular payments; the Cloud hosting service will continue to host your content so long as you continue to make the subscription payments; etc. Contracts that are not at will lack that continuing nature, and involve an irrevocable exchange of some sort (they are also not unilaterally modifiable). Note that the Prezi free subscription is not a terminable at will contract -- if you sign up for the free account then in exchange for hosting your content you give them a permanent license to use your content in the specified ways. That permanent transfer lacks a continuing nature, and as such is not an at will contract.

If Prezi unilaterally modifies the paid-subscription contract such that even paid users permanently give them their IP to use in whatever fashion they like, then they would have altered the essential nature of the contract -- turning it from one with a continuing nature to one that involves a permanent exchange. This you cannot do; or at least, it is quite unlikely if the issue ever came to litigation that a Court would find such a modification enforceable.

Scam • December 31, 2012 3:28 PM

You guys may have courts in your country that help the end user, but not where I live. Here they always rule for business because we are just pawns. You need at least 100k disposable income to launch any kind of lawsuit as well, which will be purposely delayed until you run out of money.

These cloud businesses make the majority of their money from the Facebook/Google model, which is to own all uploaded content and sell off data marketing analytics to the highest spamming bidder.

Figureitout • December 31, 2012 3:37 PM

Treating the ToS as the security threat is like calling a knife sitting on a table one. It's the writer or operator of the tool, they are the threats that have the gall to classify a dog or corporation as a person, change the terms without giving me notice and expect me to abide by terms that have been changed, and like @Michael Johnston said require a legal contract to order a goddamn pizza.

Makes me want to pull out my legal mandates; and their silence is taken as an acceptance of my terms.

jack burton • December 31, 2012 3:58 PM

@figureitout

Dwolla tried to ninja edit their TOS to alter their policy on chargebacks and are being sued because of it. That was a year ago; haven't heard any new developments as lawyers are still doing the stalling game. It already ruined one company because of it, so I guess this is a real threat.

MingoV • December 31, 2012 4:21 PM

Verizon's legal language for using its "free" web site creation service was worse than Prezi's: Besides owning your content, Verizon could place any ads it desired on your site.

Clive Robinson • December 31, 2012 4:57 PM

It has been said so often it should be engraved on the inside of our eyelids,

There is no such thing as a free lunch

However you also need to remember that other bit of advice that follows it but is seldom said,

When invited for lunch, it is best to check if you are there to eat or be eaten

In essence a company is usually not a charity and is in the main a predatory self-interested entity that wishes to grow by whatever means it can, just like any other predator.

If you are not paying for a service with money then you are not a consumer. However almost certainly you are paying for it some other way. That is, your free lunch invite fails to mention that as you are not a consumer you are in fact an ingredient to be consumed by others...

The thing about contracts is in many places you legally need an equanimity of "offer" to "gain" such that not only can damages be calculated on breach by any party but the terms must be fair for the contract to stand. It has been suggested that as many of these service suppliers do not charge for the services they provide to end users, nor do they provide an indication of the service worth in the contract, the service supplier must therefore be limited to an equitable return of exchange to the same value (i.e. zero). It is why in places such as the UK where a "voucher" or "stamp" is used by which the recipient can redeem it for goods or services it usually has in the small print an equivalent value of 0.001 pence.

Further, other people have suggested that the provision of such a service is in fact, like any other "gift" of a "good" or "service", something that is a "taxable benefit" on which a government may raise revenue.

Thus at some point somebody is going to take such service provision to a court and then the fun will really start in earnest.

Clive Robinson • December 31, 2012 5:21 PM

One of the reasons some companies are changing their TOS without notification is the significant backlash and potentially even litigation such announcements can cause.

As a current example the company Instagram (acquired by Facebook a little while ago) recently announced it was making changes to their TOS. You can read about the backlash from this,

http://news.techworld.com/personal-tech/3417675/...

Ravan Asteris • January 1, 2013 12:22 AM

Any idiot(s) who put private company or personal data in the "cloud" unencrypted are handing it over to their cloud provider and the rest of the world. Sure, they say *now* that it's yours, but tomorrow may change.

You want to keep your IP really *your* IP? Store it on *your* servers. Physical control of the hardware that your data is on is the only way to keep it secure and have a way to prosecute people who appropriate it. A cloud ToS isn't worth the paper it's printed on. (Even if you faithfully print it out.)

Only use public resources for public projects and data. Only use public source repos for open source projects. It's not hard to figure it out.

kashmarek • January 1, 2013 5:47 AM

It is interesting how a poorly translated phrase from a game, "all your base are belong to us", itself became translated into "all your data are belong to us", by an industry that translated itself from one of innovation to being a group of legal maggots. Apparently it is the easiest form of theft. Little did DARPA realize what would happen when they created the internet (or did they?). It seems that getting people to give away their property is easier than stealing it.

Simon Phipps • January 1, 2013 8:18 AM

@alans:

I agree that the cases to date are few and far between, but as the intellectual monopoly wars escalate I expect it to become increasingly common for companies to use ToU as a pressure release valve.

We've seen safe harbor structures become more common in laws around the world over the last year, and the pressure on service providers to treat customers as guilty until they prove themselves innocent is mounting. As such I think it's unwise to treat the scarcity of past cases as an indicator of the probability of future cases.

Wendy M. Grossman • January 1, 2013 3:53 PM

Interesting you should raise this point. Five or six years ago I wrote something about the switch to Gmail/Hotmail at universities, and one point that was made to me was that it was actually a security improvement to do this, because the universities were big enough to negotiate terms with Google/MS, but individual users are not - and what was happening was that individual users were forwarding their university email to their Gmail/Hotmail accounts to access at home and that therefore intellectual property was at risk under the standard ToS.

wg

Aribert Deckers • January 1, 2013 4:29 PM

We wrote about TOS already in 1998, in what was for many years (and perhaps still is today) the largest list of free email and free web-space providers:
http://ariplex.com/tina/twebspac.htm

Concentrating on TOS and related problems makes the list outstanding.

The known TANSTAAFL ("There ain't no such thing as a free lunch") is one of the most important, but most neglected, rules to have in mind. The networking BETWEEN different companies is

a) a severe breach of privacy and
b) coming into use at a horrendous pace.

The doers just sit on our monitors and grin at us. The screen is FULL with their tons of spam-dreck, errm, payload transported by OTHER companies. Disclaimers are worth zero.

And the governments do nothing to stop these crimes.

RonK • January 2, 2013 12:13 AM

@ Clive Robinson

> When invited for lunch, it is best to check if you are there to eat or be eaten

Classic. Is that an original quote by you?

Clive Robinson • January 2, 2013 5:10 AM

@ RonK,

> Classic. Is that an original quote by you?

I've used it for a few years off and on, usually as a rider to someone who says "Ain't no such thing as a free lunch", and I don't remember anyone else using it before me.

However I also used to use "Welcome to the world in a goldfish bowl" when talking about the "Surveillance State", which I thought was original to me, but Bryan Feir indicated on this blog it had been used in an Isaac Asimov story from a time before I was born, and on reading the description of the plot line I remembered that I'd read the story back in the 1960's ( http://www.schneier.com/blog/archives/2008/08/... )

So to answer your question, it is probably original in the exact wording I've used, but in all probability somebody will find the same sentiment slightly differently worded from times past. I gather from looking for quotes to put in chapter headings for a book I was writing, most quotes as attributed are not original thoughts, but those distilled step by step until some orator says a punchy version publicly that some journalist (in the original sense) pins in history ("follow the money" is one such quote).

But if my quip is original and you or others want to use it, feel free; who knows, it might end up in a film or TV show for a "Gordon Gekko" type (remember "lunch is for wimps"), and somebody will say "hey, didn't Schneier say that" :-)

OnTheWaterfront • January 2, 2013 6:16 AM

If it's free on the internet, then you're not the customer, you're the product.

Clive Robinson • January 2, 2013 6:32 AM

@ Wendy M. Grossman,

> Five-six years ago I wrote something about the switch to Gmail/Hotmail at universities...

I'm surprised you did not mention the much earlier CompuServe / AOL attempt to steal users' rights to their postings etc.

For those too young to remember, many moons ago access to the Internet (then called DARPAnet) was very restricted and online meant using a "dialup" "Walled Garden" service provided by the likes of CompuServe or AOL that was a glorified outgrowth of previous Bulletin Board Service (BBS) communities such as the Well etc.

This was well before the WWW as we now know it. These "walled gardens" were basically a combination of forums, marketing portals and user to user messaging, and were a commercial venture outside of the state controlled telecoms organisations' offerings (Anyone remember the British Telecom Prestel or Telecom Gold services? or their French or German equivalents?)

The value in these commercial ventures was initially the tied-in user base on a large monthly subscription over and above the call cost for a couple of hours connect time. However as the users posted to the forums etc it was realised that the "Content" could actually be worth more than the subscription income. So they tried changing the terms and conditions of service by saying they, not the user, had the copyright to what the users typed in. This created a bit of a stink at the time and it turned out that some people regarded the change as indicating that the services had gone from "common carrier" status to "Publisher" status and thus became liable for damages and criminal conduct caused by the content (If I remember correctly CompuServe were the first online service provider prosecuted for libel and child pornography).

It is interesting to note that many commercial organisations who have tried to claim copyright on user provided content have come a cropper, and likewise those trying to corral information behind paywalls (News International being one such organisation with a considerable history of expensive failure in these areas).

AC2 • January 3, 2013 2:12 AM

Snapfish (HP's online printing and photo storage site - FREE!) had some pretty strange TOS last time I checked.

Something to the effect that customers give them a license to use (including commercially) any photos uploaded. Can't access from work right now, will check later and post...

Anyway I've my own photo sharing site up. It's on shared hosting so still trying to figure out how to encrypt before uploading the images, but still serve them in a manner that is easy to access... (NB I don't care if the people I have given access to the images download and store them locally)...

Wendy M. Grossman • January 3, 2013 3:54 PM

Clive, yes, I remember that. (And yes, CompuServe higher-up Felix Somm was prosecuted in Germany over child porn allegations - not personally but holding him responsible for everything on the service.)

wg

Allen • January 13, 2013 10:21 PM

I have a hard time considering any of these "Agreements" to actually be agreements. Anything that says "...and the terms of this agreement can be unilaterally changed without notice or approval" is not an agreement.

Clive RobinsonJanuary 14, 2013 7:48 AM

@ Troy,

... for those who are talking about "If you're not paying then you're the product" are putting waaaaaay too much faith into services you're paying for

Yup and worse besides.

As any one who has been bullied when young and had things taken from them by school playground bullies knows,

If you don't control it you don't own it.

A quick look at how Facebook started shows the harsh reality of this. When at Harvard College Mark Zuckerberg took bullying online with Facemash, a network application which alowed people to vote on the attractiveness or not of fellow students. But where did the photos come from? It has been said that Zuckerberg had copied them without due permission of the person or the photo copyright holder, and further that this exploiting behaviour continued and still does with Facebook.

This is the important point, you might think you have a cast iron contract with a service provider, but the reality is that it does not cover third parties who assume that the service is an "all you can eat buffet".

Take this blog for instance I have copyright on my words and Bruce has copyright on his words and the look and format of the site. The copyright in most juresdictions is implicit, and you have to specificaly revoke it either in part or whole in the correct legal way for it tto be lifted.

But a question arises, do my words also fall in part under Bruce's copyright because it forms part of a combined work?

But what of other third parties? I've frequently found via search engines that my words have been reproduced on other sites that I have never heard of or used, and certainly without being contacted by the site for permission.

Can they justifiably claim that "fair use" alows them to take my words almost in their entirety provided it's only a small part of Bruce's overall work?

It is this skating on the edge of legality or salami slicing legalities that many use to justify their actions of exploitation that others would consider theft. But what about those who as Bruce has found out take his work in it's entirety and claim it as their own? And further what of those who copy this site in significant part or it's entirety?

Afterall did I say Google could copy all my words into their database? did they ask? what about the printed books they have scanned in, many still well within copyright did they ask the author or publisher? I think you know the answer to that. In many peoples view it's all exploitation or theft.

But the flip side it's only possible for third parties to steal my words because in effect I've alowed them to, because I've alowed my words to leave my direct control and become public in a way over which I have no control. I know this and thus practice self restraint over what I say. I have accepted that the words I post here are beyond my control, and all I realy ask is that people simply acknowledge my moral and legal right to be identified as the source when they either quote my words or use the information within them. Oh and if they find them of use that they buy either Bruce or myself a drink should they ever meet us. Most do acknowledge the source but some don't (I don't know about Bruce being bought a drink on my behalf he's never said one way or the other ;-)

Thus just one major problem with electronic information is that it's way too easy to copy with 100% fidelity. Another less obvious problem is the hidden information held within the format of files.

As we know from various disclosures, even intelligence agencies didn't know how to redact electronic documents properly. Likewise, politically minded individuals trying to fake documents didn't realise that things like the MAC address of the computer they used got embedded, invisibly to them, in the faux document they created.

I once worked on a short term contract in a major financial institution. The secretary of one of the senior people sent me an "electronic memo" by Email that whilst only a few lines long was a megabyte or so in size, which I thought was odd. On opening it up with a file editor it showed lots of very interesting and highly confidential information.

Basically the secretary was making a new memo by opening the last one she had sent out, deleting the visible text and then typing in the new memo, saving it and sending it. What she was not aware of was that the software she used had an "undelete" function that stored all the deleted information in the file... When I went and told her this she was at first disbelieving, then horrified when she realised just how much highly confidential information she had released; she was also scared she would lose her job. I showed her how to properly make a template and use it correctly: problem solved and a grateful friend made.

It's just one of a number of reasons I advise people,

Paper, paper, never data

With paper at least you can see what it is you are giving to another person, and so can a judge.

As I've noted a number of times in the past, the legal system runs on paper. It's what judges see; it's what in reality is the evidence, not the objects themselves but the reports about them, written and signed as sworn testimony by supposedly impartial experts. Paper is in reality what judges really understand; it is their world view.

One of the things I was repeatedly told when I was doing my basic training in science and engineering is,

If it's not written down at the time and logged, then it never happened.

Because of this, the importance of paper records and their preservation is of high importance to the legislature as well. Thus the level of forensics available for paper documents to detect tampering and originality is way beyond that of electronic documents. So establishing and maintaining control of paper documents is actually easier than for electronic data.

So one important rule for life to remember is,

If you don't control your data it could end up controlling you, either directly or indirectly.
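The memo story above is about residual content a file format keeps after the author thinks it is gone. The following is an added example, not code from the blog or from any commenter: it builds a constructed minimal Office Open XML (.docx-style) package in memory whose visible memo is one sentence while tracked changes still carry the deleted text of a previous memo, then scans the package for retained deletions and identifying core metadata. The sample XML, names, dates and the hypothetical helper names (build_sample_docx, scan_docx, residual_findings) are all assumptions of this example.

```python
"""Detect residual (non-visible) content in an Office Open XML document.

Added example: before a document leaves your control, enumerate what the
package actually contains, not just what a word processor renders.
Uses only the standard library so it runs offline.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DC_NS = "http://purl.org/dc/elements/1.1/"
CP_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"

# Constructed sample document part. The visible memo is one sentence; the
# <w:del> run is a tracked deletion whose text the format retains verbatim.
SAMPLE_DOCUMENT_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{W_NS}">
  <w:body>
    <w:p>
      <w:r><w:t>Agenda for Monday meeting.</w:t></w:r>
      <w:del w:author="secretary" w:date="2013-01-14T10:00:00Z">
        <w:r><w:delText>CONFIDENTIAL: merger offer of 42M approved.</w:delText></w:r>
      </w:del>
    </w:p>
  </w:body>
</w:document>
"""

# Constructed core-properties part: author identity and a revision counter
# that betrays the file was reused rather than created from a clean template.
SAMPLE_CORE_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{CP_NS}" xmlns:dc="{DC_NS}">
  <dc:creator>Jane Secretary</dc:creator>
  <cp:lastModifiedBy>Jane Secretary</cp:lastModifiedBy>
  <cp:revision>57</cp:revision>
</cp:coreProperties>
"""


def build_sample_docx() -> bytes:
    """Assemble the constructed parts into a zip package, as .docx is."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", SAMPLE_DOCUMENT_XML)
        zf.writestr("docProps/core.xml", SAMPLE_CORE_XML)
    return buf.getvalue()


def scan_docx(data: bytes) -> dict:
    """Return visible text, retained deleted text, and core metadata."""
    report = {"visible_text": "", "deleted_text": [], "metadata": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        doc = ET.fromstring(zf.read("word/document.xml"))
        # Rendered text lives in w:t; deleted-but-retained text in w:delText.
        report["visible_text"] = "".join(
            t.text or "" for t in doc.iter(f"{{{W_NS}}}t"))
        for d in doc.iter(f"{{{W_NS}}}del"):
            text = "".join(t.text or "" for t in d.iter(f"{{{W_NS}}}delText"))
            report["deleted_text"].append(
                {"author": d.get(f"{{{W_NS}}}author"), "text": text})
        if "docProps/core.xml" in zf.namelist():
            core = ET.fromstring(zf.read("docProps/core.xml"))
            for child in core:
                report["metadata"][child.tag.split("}")[1]] = child.text
    return report


def residual_findings(report: dict) -> list:
    """Summarise what would leak if this file were sent as-is."""
    findings = []
    if report["deleted_text"]:
        findings.append("tracked deletions retained")
    for key in ("creator", "lastModifiedBy"):
        if report["metadata"].get(key):
            findings.append(f"author identity in metadata ({key})")
    rev = report["metadata"].get("revision")
    if rev and int(rev) > 1:
        findings.append(f"revision count {rev} (reused document)")
    return findings


if __name__ == "__main__":
    r = scan_docx(build_sample_docx())
    print("visible :", r["visible_text"])
    for d in r["deleted_text"]:
        print("deleted :", d["text"], "(by", d["author"] + ")")
    for f in residual_findings(r):
        print("finding :", f)
```

The visible sentence is all a recipient would see on screen; the scan reports the deleted line, its author and the revision count. Real documents add further parts worth listing the same way (comments, embedded thumbnails, custom XML), and the remedy the commenter describes still applies: start from a clean template rather than editing the last file sent.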

John • January 14, 2013 6:00 PM

Bruce I'm very disappointed you're confused about this as you call yourself a "security guru." It's standard for any cloud-based service since anything you do is going to be "displayed" on their servers.

Actually, if you look at Prezi's 'humanly readable version' terms prezi, which you say has no mention of this (really, you linked it?), Prezi clearly talks about this. Did you even go through the prezi you linked (https://prezi.com/-xhkitvsivku/prezi-terms-of-use/)?

It clearly states:

"You will be editing, storing, sharing and showing your prezis through Prezi's servers. To be able to provide you with these services (and only for this reason), we need to secure certain licenses for you … we may copy your prezi, but only as needed to maintain our system and offer the Prezi service to you… we may modify… but only with your consent when providing you with user support. 'Distribute and publicly display' … Even when you show your prezi to a colleague on your own computer, you are actually showing it through Prezi's servers. This is why Prezi needs the license to "show your prezis publicly. Prezi will not make your content public, of course."

It is necessary in order NOT to break the law to include this in the terms.

I'm surprised you're confused by these standard cloud-based service terms. Are you just writing link bait, did an intern write this for you, or are you just losing your edge?

John • January 14, 2013 6:03 PM

I mean, you even end your quote from the terms in the article with:

"[Prezi can do this] solely for purposes of providing you with the Service."

WTFLOL?

Windom Earle • January 24, 2013 6:13 AM

@Troy: no. People who are saying "If you ARE paying then you're NOT the product" are putting too much faith into services they're paying for. But no-one is saying that.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.