09:24 PM
Becca Lipman
Becca Lipman
Connect Directly

5 Things to Look For Before Accepting Terms & Conditions

Is your corporate data at risk? Before uploading sensitive information to cloud services be sure to review these terms.

Those pesky terms and conditions, who bothers to read them? It was recently estimatedthat to read all the privacy policies the average person agrees to on a daily basis, it would take 250 hours per year. Easier just to skip ahead and accept.

If you did read the terms, you might be surprised to learn a lot of widely used cloud applications have agreements that do not favor end users. Far from benefiting the consumers, these companies want a privacy policy as permissive as possible. They are often designed to lessen the service provider's liability if a user's privacy is violated, and in some cases secure the right to sell user information and turn a profit.

The agreements are often long, in vague legal text that leaves even the most determined policy reader unsure of their rights. And unfortunately, while legal authorities recognize users rarely read the terms and agreement, it is done so at their own risk.

So to protect yourself and corporate data, the best approach to reading or skimming terms and conditions may to be narrow in on the sections most likely to impact corporate security.

To help protect your business from accidental security risk, Skyhigh Networkspulled together 5 essential user agreement terms to look out for when signing up for a cloud service.

[How Risky Are Your Cloud Service Apps? Each application comes with unique risks to the enterprise, says Rajiv Gupta, CEO of Skyhigh Networks.]

In an increasingly global economy users want to pay close attention to jurisdiction laws in case there are any disputes. Laws around data ownership are more defined in the US, and odds of recovering losses elsewhere are slim to none.

One of the most famous examples of jurisdiction disputes, one that continues today, pertains to Kim Dotcom and his file sharing site Megaupload. Five major movie studios recently filed a lawsuit against Dotcom, who is stuck in New Zealand under threat of extradition from the US. Despite the best efforts of the studio lawyers, New Zealand's protection makes it unlikely this case will come to a fruitful resolution.

"It can be long drawn out process if you have a dispute in countries where laws aren't favorable to protecting corporate identities," says Kamal Shah, VP of product at Skyhigh Networks.

[For more on terms and service complications, see Everyone's Doing It, But Is It Legal?.]

Due to the considerable security risks, one of the most important things to ask before accepting the terms is, when you use a service and upload data to it, who owns that information? The user or the provider?

In some cases the terms and conditions will state the data uploaded is licensed to the provider and they can do whatever they want to do with it.

[How Risky Are Your Cloud Service Apps? Each application comes with unique risks to the enterprise, says Rajiv Gupta, CEO of Skyhigh Networks.]

SourceForge is example of code sharing depository that says whatever you upload becomes their property, explains Shah. "They have a license to make it available to other users. If I am a developer at financial bank working on a proprietary trading algorithm I want to be careful of uploading to other sites, or it may no longer proprietary to me and available to everyone."

Another important question: Can the service access or share the information without due cause? Some privacy clauses gives firms the right to look at data because they have suspicion or volition without any legal requirements to do so.

"It's one thing to share information in response to a legal request from a government agency, that's the law," says Shah. "But it's another thing to take a look because the company feels like it on their own volition."

Microsoft recently updated their policy following public scrutiny for accessing a customer's email account in an information leak investigation. Taking the high road, Microsoft will now wait on law enforcement before accessing user information. Apple, Google and Yahoo still retain the right to search emails on their volition. Instagram also maintains the right to voluntarily access user information.

What happens when something is deleted, lost or stolen? Who takes responsibility?

"They are trying to minimize legal risk, but at the same time many are charging for a service," explains Shah. "I could be paying in the same price range for another service that takes accountability."

[For more on terms and service complications, see Everyone's Doing It, But Is It Legal?.]

WeTransfer, a file sharing service, takes no responsibility for data loss and is ranked by Skyhigh Networks as a high risk cloud service.

Data retention after an account is terminated can create serious issues from a consumer and enterprise standpoint.

Perhaps, upon realizing data stored in a cloud service is a liability to the firm, a user wants to delete the account and move on to an enterprise ready service provider. Be sure the service isn't maintaining a backup or can benefit from the data long after you've moved on.

[How Risky Are Your Cloud Service Apps? Each application comes with unique risks to the enterprise, says Rajiv Gupta, CEO of Skyhigh Networks.]

The median length of a privacy policy from the top 75 websites is 2,514 words. PayPal's user agreement is a hefty 36,275 words long. By comparison, Shakespeare's Hamlet is 30,066 words long.

Without fail the agreements are boring and written in "legalize." But every once in a while an agreement will contain a hidden gem.

Tumblr, the popular blogging site, hit headlines when it was found the updated terms of service, already considered light reading by lawyer standards, included beautifully snarky one-liners such as:

“Don’t post private photos of your ex’s junk (no matter how attractive).
“If you want to ridicule or parody a public figure (and who doesn’t?) don’t try to trick readers into think you are actually that public figure.”
You have to be at least 13 years old to use Tumblr. We're serious: it's a hard rule, based on U.S. federal and state legislation. “But I’m, like, 12.9 years old!” you plead. Nope, sorry. If you're younger than 13, don't use Tumblr. Ask your parents for a Playstation 4, or try books.

"There are some services trying to simplify the agreement," says Shah. "But despite best efforts the devil is in the details. Always."


Becca Lipman is Senior Editor for Wall Street & Technology. She writes in-depth news articles with a focus on big data and compliance in the capital markets. She regularly meets with information technology leaders and innovators and writes about cloud computing, datacenters, ... View Full Bio

Copyright © 2018 UBM Electronics, A UBM company, All rights reserved. Privacy Policy | Terms of Service