[besson3c]

Hello,

Do any of you have any experience in this area? I'm wondering if you'd be interested in helping me a little?

[reader50]

Very little help required. When a big company gives you a TOS, take a red pen and line out all the objectionable parts. The parts that take away your rights, and excuse them from any responsibility for not delivering their service. Usually everything beyond the first paragraph. Place your chop beside the lining-out.

You are welcome.

[besson3c]

Originally Posted by reader50 

Very little help required. When a big company gives you a TOS, take a red pen and line out all the objectionable parts. The parts that take away your rights, and excuse them from any responsibility for not delivering their service. Usually everything beyond the first paragraph. Place your chop beside the lining-out.

You are welcome.

Heh... It looks like a number of people rework existing agreements as to not plagiarize them, I was just wondering if anybody here had gone down that path or a path like it...

[angelmb]

David Pogue to the rescue !!

Secrets of the Software License Agreement - Computerworld

[besson3c]

angelmb: that doesn't really help me much, unfortunately.

What I'm looking for is advice whether basing a user agreement on that of a similar company would be a good idea (with appropriate rewordings to avoid accusations of plagiarism), and whether it is a good idea to summarize a user agreement to make users a little more comfortable with signing it. There would be nothing unusual in my agreement, I just hate having to provide one...

[subego]

You get what you pay for.

If you don't care about the user agreement, go for it. If you want it to actually protect you from something, know that someone who represents themselves has a fool for a client.

MURDER PILLS!

[besson3c]

Originally Posted by subego 

You get what you pay for.

If you don't care about the user agreement, go for it. If you want it to actually protect you from something, know that someone who represents themselves has a fool for a client.

MURDER PILLS!

It's mostly a matter of assessing risk and cost. I don't think I have ever heard of somebody combing through user agreements and looking for lawsuits, they often seem to be just a means to do some basic ass covering.

[subego]

No, it's the other way around. You jack one of your users and they come for blood, you counter with the contract which says you have the right to jack them.

The problem arises when the contract doesn't give you that right because it's not written properly.

To put it another way, an ass cover is useless if it doesn't actually cover the ass.

[besson3c]

Yeah, I hear you... I was thinking the same way, I'm just hoping for something this simple I wouldn't have to hire a lawyer. I just want it to say, basically "this is a cloud service, there are backups, proper security measures taken, but you know, the possibility for some data loss still exists, as well as the possible outage, app bugs, and see that thing that says 'beta'? Yeah, that too.

I was thinking that if this was broad enough I might be okay. It's not so much willfully jacking as much as it is acknowledging the computer gods and human error.

[reader50]

"We do not guarantee this service to work perfectly, or at all. Use at your own risk."

Not sure if it would please a lawyer, or your customers. But it does seem to cover everything ...

[subego]

Originally Posted by besson3c 

Yeah, I hear you... I was thinking the same way, I'm just hoping for something this simple I wouldn't have to hire a lawyer. I just want it to say, basically "this is a cloud service, there are backups, proper security measures taken, but you know, the possibility for some data loss still exists, as well as the possible outage, app bugs, and see that thing that says 'beta'? Yeah, that too.

I was thinking that if this was broad enough I might be okay. It's not so much willfully jacking as much as it is acknowledging the computer gods and human error.

You've forgotten lack of privacy, which is usually vital to a functioning cloud service.

That's not a joke. Read any cloud ToS.

[besson3c]

Oh I know, that was what I intended to imply with what I wrote about security, but yes... With my app anything that is marked as private will be private, everything public public - much like Amazon S3 or the like...

[subego]

So, crypto where you don't have the key?

Edit: unless it's that, then it's not private. You have to tell your users you have access to their data.

Edit 2: note I said cloud services need a lack of privacy. If you claim data is private, and it doesn't have crypto where you don't have the key, the only way you can maintain privacy is to never touch it.

Never touch it means no copies. No copies means you can't make backups, or move it to different hardware.

[besson3c]

Originally Posted by subego 

So, crypto where you don't have the key?

Edit: unless it's that, then it's not private. You have to tell your users you have access to their data.

Edit 2: note I said cloud services need a lack of privacy. If you claim data is private, and it doesn't have crypto where you don't have the key, the only way you can maintain privacy is to never touch it.

Never touch it means no copies. No copies means you can't make backups, or move it to different hardware.

Yes, in theory I would have access to their private data, but I think this would be handled the same way email providers handle the fact that most email is not stored in some sort of encrypted file format. This is a good point though, perhaps the TOS should include something about this.

[besson3c]

Thanks again subego, you've made some great points here. Unfortunately I can't really provide any useful utility to my users without being able to display their data on screen, which means I'd need their crypto key, and I think most users are going to want/need their stuff backed up (although my backups are encrypted), so stating that I'll have access to their data is definitely a good point to make in the user agreement.

The nature of my app doesn't really invite putting sensitive info into it anyway, so I don't think this is a big problem, but it's good to do my homework and cover my ass properly anyway, cause you never know...

I'm actually very close to releasing a beta version of this product, I'll be sure to post about this because your feedback will be most useful to me!

[Waragainstsleep]

I would think summarising one would be asking for trouble.

[besson3c]

Originally Posted by Waragainstsleep 

I would think summarising one would be asking for trouble.

My thinking here was just to provide something a little more friendly and human for the vast majority of people who don't bother to read user agreements. I want to come across as professional without being too homey or folksy/informal, or too cold and sterile. My idea was not necessarily to provide a legal summary, but just something courteous to those who just want to see the important stuff without reading all the legal mumbo jumbo.

[Waragainstsleep]

Originally Posted by besson3c 

My thinking here was just to provide something a little more friendly and human for the vast majority of people who don't bother to read user agreements. I want to come across as professional without being too homey or folksy/informal, or too cold and sterile. My idea was not necessarily to provide a legal summary, but just something courteous to those who just want to see the important stuff without reading all the legal mumbo jumbo.

I get your intention, and I want to applaud it. It wouldn't surprise me if over the next few years some of the epic ToS documents out there did exactly the same (Paypal I believe is the worst culprit at 50,000 words especially compared to Hamlet which is only 30,000 or so). They won't do it until they know they have iron clad protection when doing so though because the second anyone tries it, some **** will take them to court and say "I only read the summary and it didn't expressly forbid me from anally inserting my iPhone and expecting it to work therefore millions of dollars please." or something like that.

[reader50]

Originally Posted by besson3c 

Yes, in theory I would have access to their private data, but I think this would be handled the same way email providers handle the fact that most email is not stored in some sort of encrypted file format...

Originally Posted by besson3c 

... Unfortunately I can't really provide any useful utility to my users without being able to display their data on screen, which means I'd need their crypto key, and I think most users are going to want/need their stuff backed up (although my backups are encrypted)...

Only tangential to the TOS, but it seems the future of cloud services will require user-level encryption by default, with the users having the only keys. After the NSA scandals, it is likely European users and businesses will shun services that can access user data. Even USA businesses may follow, so as not to be at a competitive disadvantage.

MEGA uses browser-side encryption/decryption, so the raw data never reaches their service. But MEGA's TOS #8 more-or-less says they deduplicate files, which implies ways around individual keys. So it looks like even they are vulnerable to snooping. And if you receive a national security letter, you can't even tell your users their data was harvested.

Perhaps complete encryption will help your business, as well as simplify your TOS.

[subego]

My pre-NSA understanding was most companies have to balance their crypto with the stupidity of their customers. They don't want to deal with pissed-off clients who lost their key and are up the creek.

I know CrashPlan makes you jump through extra hoops, read warnings, and agree to what amounts to a ToS addendum before they're willing to erase your key and leave it up to you.