Please comment on the first draft of the privacy policy


It has come to my attention that does not have a written, publicly accessible privacy policy. Below, I have pasted a first draft. Please give me feedback. Note, I've been editing this draft in place... this is /not/ the final version, I'm just soliciting feedback. will not release private customer data except in the following cases:

1. In order to comply with ARIN requirements for new IP blocks, we will release
   the name or business name to ARIN. We will be executing the ARIN non-disclosure
   agreement, which requires that ARIN keep your names secret except in the case
   of a court order [1]

2. We will comply with any valid court orders issued by courts that have 

3. We use automated and manual processes to examine network traffic while looking for problems.

4. We will never examine your disk without permission. (We may ask you to let us examine your disk or to leave, but if you don't give us permission, we won't examine the disk without a court order.)

5. We may examine network traffic with both manual and automated processes. The results of this examination won't be shared without a court order.

6. We may log and examine your serial console while looking for system problems.

If this document needs to be amended, I will do my best to minimize the impact
on customers, and I will email the address on file with a notice.  If customers
wish to quit a long term contract because of an amendment to this document, any
early termination fees will be waived, and the customer will be given a prorated 
refund based on time used.  


Data retention is kind of a sticky thing. See, the longer I keep the data, the easier it is for me to spot trends and ongoing problems. But obviously, customers don't want me to keep shit around forever, and without a defined data retention policy, I think it's legally harder for me to tell law enforcement "we don't have that data" when they come knocking.

What if I had a clause that said "I give you access to all data I'm retaining about you at http://blah/customer" - it would be more work for me but it would allow me to have longer data retention (which is good for troubleshooting) without pissing off customers, especially if I add a 'delete this' button... but I don't know where that puts me legally.

Of course, that is technically more difficult... but I could release a tool that others could use. (I'd tie the login to the email.)
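To make the retention idea above concrete, here is an added example (not code from this post or from the hosting business it describes) of what a defined retention policy plus a customer self-service page looks like in code: each category of retained data gets a fixed window after which it is purged, the customer can see exactly what is still held about them, and a 'delete this' button removes the categories the operator decides are customer-deletable. The categories, the day counts, the `CUSTOMER_DELETABLE` set and the sample records are all constructed for the example; the post does not fix any of them.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical retention windows, in days, per data category. The categories
# and the numbers are constructed for this example; the post fixes none of them.
RETENTION_DAYS = {
    "console_log": 30,
    "traffic_capture": 7,
    "support_note": 365,
}

# Categories a customer may delete from the self-service page (assumption for
# the example; support notes are kept operator-only so the history survives).
CUSTOMER_DELETABLE = {"console_log", "traffic_capture"}


@dataclass(frozen=True)
class Record:
    customer: str        # login tied to the customer's email, as the post suggests
    category: str
    collected_at: datetime
    body: str


def is_expired(rec, now):
    """True when the record is older than its category's retention window."""
    limit = timedelta(days=RETENTION_DAYS[rec.category])
    return now - rec.collected_at > limit


def enforce_retention(records, now):
    """Return only the records that survive the retention policy at time `now`.

    Run this on a schedule; afterwards "we don't have that data" is literally
    true for anything older than the window, which is the point of the policy.
    """
    return [r for r in records if not is_expired(r, now)]


def customer_view(records, customer):
    """What the customer's data page shows: every retained record about them."""
    return sorted(
        (r.category, r.collected_at.isoformat(), r.body)
        for r in records if r.customer == customer
    )


def customer_delete(records, customer, category):
    """The 'delete this' button: drop a customer's records of a deletable category."""
    if category not in CUSTOMER_DELETABLE:
        raise PermissionError(f"{category} is not customer-deletable")
    return [r for r in records
            if not (r.customer == customer and r.category == category)]


# Constructed sample data (not real customers, consoles or captures).
NOW = datetime(2010, 6, 25, 17, 5, tzinfo=timezone.utc)
SAMPLE = [
    Record("alice", "console_log", NOW - timedelta(days=3), "kernel: eth0 link up"),
    Record("alice", "console_log", NOW - timedelta(days=45), "kernel: oom-killer invoked"),
    Record("alice", "traffic_capture", NOW - timedelta(days=2), "syn flood sample"),
    Record("bob", "traffic_capture", NOW - timedelta(days=10), "arp storm sample"),
    Record("bob", "support_note", NOW - timedelta(days=100), "asked for more RAM"),
]


def demo():
    """Apply the policy, then let alice press 'delete this' on her capture."""
    kept = enforce_retention(SAMPLE, NOW)
    after_delete = customer_delete(kept, "alice", "traffic_capture")
    return kept, after_delete


if __name__ == "__main__":
    kept, after_delete = demo()
    print(f"{len(SAMPLE)} records collected, {len(kept)} within retention")
    for row in customer_view(after_delete, "alice"):
        print("alice still has:", row)
```

The split between `enforce_retention` and `customer_delete` is deliberate: the first is the operator's obligation and runs unattended, the second is the customer's right and runs on request, so the policy document can promise each one separately.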


I need to add an escape clause for myself like the following:

3. I reserve the right to ask you to reveal your identity to another party OR to leave. In general, if your presence harms the network or business (even through no fault of your own) I reserve the right to ask you to leave.

The idea is that if you are the target of continued DDoS attacks that I can't deal with, or if hosting you creates an untenable legal situation for, I'm going to need to get rid of you. In some cases, if you reveal your identity to the complaining party (such as a DMCA takedown, if you reveal your identity through a counter notice) that makes it not my problem, and then you can stay.

But my intent here is to say "Either one of us can terminate the business relationship, but I can't reveal your identity or data without a court order or your permission."

Clause 2 is a given, i.e. you cannot, legally, do otherwise anyway. Also there, it's "jurisdiction".

I think your third clause mixes privacy issues with the general TOS / termination reasons. You should separate those two sentences.

While I'm very happy with the first two clauses, I cannot say the same with the third one. You mention DDoS attacks, which are a valid business termination reason but have nothing to do with privacy. What I'm concerned with, because I've seen that done to a friend recently, are seemingly-legal but baseless pressure attempts on a host to reveal the identity of a blogger (it was a personal vendetta by a legal counsel abusing his title and sending registered mail all over without ANY legal basis). With the way you've redacted clause 3, it means you can terminate a customer on a whim (or, say, fear) rather than for a clear reason or legal action. While clause 1 is clear, clause 2 is a given, clause 3 is way too vague in the reasons you might ask that.

Thanks for the feedback and corrections.

I'm leaving two in there for reasons of clarity. (should have spell checked that. Oops.)

From my perspective, a legal attack, even a baseless one, can be just as much of a DoS as a gigabit of 64-byte syn packets. In fact, I'm probably better equipped to deal with a network-based DoS than a well-funded and persistent legal attack.

The thing is, I don't have a big legal team; the truth of the matter is that it is possible, for anyone willing to spend the money on lawyers, to bankrupt me through baseless legal claims. I mean, really, this is true of almost all small companies, but I have fewer legal (and monetary) resources than most of my competition. If you need protection from a large, aggressive and well-funded legal team, really, the only thing that can save you is another large, aggressive and well-funded legal team. I don't have one of those.

Because the reality is that I am vulnerable to legal attacks, I want to make it clear that in the case that I feel that I need to cave to such attacks, instead of caving to the demands by silently handing out personal data, I will ask you to either make it not my problem by giving out the personal data, or to make it not my problem by leaving. (I should put something in there where I'll give you a prorated refund or something.)

I think this is a /much/ better option than leaving some question in the mind of a (legal) attacker that I might be intimidated into giving away personal information.

The problem with that position is that it makes it clear to a potential legal attacker that all they have to do to get rid of someone they don't like is send you a nasty letter if it is completely baseless. I think it makes far more sense to NOT have a published policy on that to not give people that sort of idea.

Instead, you can amend your ToS to say that you can terminate any account at your discretion as long as you provide a prorated refund - yes, that 'sounds' mean, but it actually offers more protection from legal bullying than saying "If I get a letter about your domain, you're toast." You can still kick someone off if you get what you feel is a credible legal threat, but it won't give sleazeball lawyers the idea to send out threats to takedown content they disapprove of.

Also, you should define "private customer data"; is this the contents of our VPS? our names? our billing info? I mean, it would probably be easier to define it as "anything other than content you have made explicitly public on your VPS", as that's what it is in my head, but...

A few comments:

- I understand Luke's position w.r.t. the lawyers, but I agree with the other readers that statement #3 should just not be included in a privacy policy. I believe there are many legal threats that could make prgmr suffer, and asking to reveal the identity of a customer is only one such threat. Amending the TOS seems a better option.

- Linode's privacy policy is a bit more complex than what Luke probably had in mind, but they do define customer data as "full name, company name (if applicable), billing address, credit card number and expiration date, email address, and source IP address". That sounds reasonable.

- One popular topic these days concerns the time the private information will be kept by a business entity. This should be mentioned in the policy (e.g., Linode says that the duration is at their discretion).

Ok, so #3 should be replaced with a bit in the ToS saying I can terminate accounts (with a prorated refund, and while providing a way for the customer to retrieve his or her data) at my discretion.

I think that seems good, as it's not really so much a privacy issue as a "what will i do if I'm faced with overwhelming pressure" issue.

There's another bit... I use automated and manual processes to look at network traffic to find problems; but I won't go through a customer's hard drive without permission. Is this assumed? Or should I put it in this document?

It couldn't hurt to mention it. Maybe something like "We will not intentionally view the files stored in your VPS without your permission, but we may use automated and manual monitoring tools to ensure the stability and security of your physical server and our facilities. Such tools may inadvertently expose personal information to us, but we will not retain or disclose this information"?

Yeah, something like that is good... though I want to be real clear about the network stuff, because there are clear lines we don't cross... we won't mount your disk and look around without getting explicit permission. Same goes for running processes in RAM. If we are trying to figure something out, we will look at your console, but we will go no further. (This is as much for us as for you; I don't want to go mucking about in apache configs. Any kernel or hardware related problem will spew to the console, so really, at the level of support I provide, there is no reason to go further.)

But we will hook up tcpdump when things look funny, and this will reveal some data that some people think is private. (considering the ease with which third parties can snoop packets, I think this is a mistake, but I still need to respect that viewpoint.)


About this Entry

This page contains a single entry by luke published on June 25, 2010 5:05 PM.
