On Jan 17, 11:17 am, hawkett <hawk...@gmail.com> wrote:
> Hi Marzai,
>
> Thanks for the detailed response. It would be great to get those
> clarifications included in the terms of service and/or privacy
> policy. I can see from my post rating that some people don't share my
> concern, but data privacy is probably the number one barrier to
> commercial cloud adoption at the moment.
To whomever marked the OP down: he's right. This *is* an incredibly
important consideration. However...
> Clear legal statements
BWAHAHAHA! It all depends on the meaning of the word "is."
Sorry, I couldn't resist. :-)
> are
> always better than implied trust, or clarifications made in forums. I
> don't doubt that the constraints you have outlined are correct, but I
> read the privacy policy and terms of service to say something
> significantly different. The privacy policy explicitly lists content
> (including code)
Actually, see section 5.1:
* The term Content shall specifically exclude the web application that
* you create using the Service and any source code written by you to
* be used with the Service (collectively, the "Application").
> and says this -
>
> 'We use this information internally to deliver the best possible
> service to you,
A lawyer probably *could* stretch this to include making your private
customer data public
> such as improving the Google App Engine user interface
> and maintaining a consistent and reliable user experience.'
Lots of disagreement among lawyer types about phrases like "such as."
Be careful of those.
> The terms of service say this (in section 8, which overrides any
> rights outlined in section 6) -
>
> 'By submitting, posting or displaying the Content on or through the
> Service you give Google a worldwide, royalty-free, and non-exclusive
> license to reproduce, adapt, modify, translate, publish, publicly
> perform, publicly display and distribute such Content
Note the term "Content" here. *Not* Application. Nothing about your
source code.
> for the sole
> purpose of enabling Google to provide you with the Service in
> accordance with its privacy policy.'
IANAL, but that whole "sole purpose" thing seems to actually make this
safer for us developers.
Then again, lawyers have completely up-ended those silly "Congress
shall not..." clauses in the Bill of Rights, so they could probably
use this to justify publicizing your medical records. :-/
> When you put these two statements together, Google is able to
> reproduce, adapt and modify developer contributed code
Again, IANAL. But can you take individual pieces of an agreement like
this out of context?
> to improve your
> UI, and explicitly *does not* require content
Just to re-emphasize (yet again, from the Department of Redundancy
Department): content seems [to me] to specifically be the user data.
*Not* the source code.
> owner's permission.
> Apparently that permission is given once the data is uploaded. I'm
> not trying to be difficult - that is actually what it says - and those
> documents are actually what business look at when making decisions.
And the details are extremely important. Especially when you have to
break down and actually talk to the suits.
> I realise that the terms of service and privacy policy are produced by
> the legal team and not the engineering team, and the legal guys have a
> responsibility to protect Google from liability and litigation.
> Perhaps the legal team isn't fully aware of the importance of data
> security to GAE adoption.
I suspect you aren't giving enough credit to the legal team.
It's their job to keep google from getting sued. When google does get
sued (which it will), it's their job to ensure that google wins.
This must balance against the marketing team's job to actually get
people/developers/us to use the product.
> It is probably the engineering team's
> responsibility to raise that awareness.
You could be right. In almost any other company, I'd agree with you.
I'm willing to bet that google's lawyers are at least hip-deep when it
comes to privacy concerns.
As I understand it, google's business model is to analyze data and use
that analysis to make a profit. This seems to be mostly through
selling ads. I'm sure there are other forms of revenue (like the
people who pay for premium service, enterprise search, etc).
If you store data on GAE, you should expect google to be crawling it
and making every penny they can out of it.
The biggest risk (that I can see) might be google focusing ads from
your competitors on your users.
A secondary risk seems to be google actually analyzing your data and
making it (and the analysis) public. I don't think the TOS allows
that, but (yet again) IANAL. It could all happen "to deliver the best
possible service to you."
But I doubt it's the engineering team's responsibility. Maybe someone
on that team should (I hate that word) step up to the plate and make
sure the legal team appreciates your/our concerns, but you'd really be
better off having your lawyers talk to their lawyers.
> It seems clear to me that Google's strategy is to market GAE
> applications to its Google Apps customers.
That would be an interesting approach to monetize the whole thing,
wouldn't it?
That seems a lot less paranoid than my delusions about google crawling
our data to squirrel out anything valuable we might have hidden in
there.
> Both offerings sustain
> each other, and the delivery of the reseller program is a hint that
> this ecosystem is well on its way to being opened up. If you want an
> abundance of vendor supplied, commercial quality applications in that
> ecosystem, then data security needs to be much more clearly respected
> in the legal documentation.
IMO, if you have critical data that you're really worried about anyone
else seeing, it should probably not be anywhere near the internet.
If you have valuable data that you're worried about competitors
stealing, you should host it on your own server(s).
GAE seems (to me) to be a platform for companies that really aren't
all that worried about privacy but need the ability to scale
explosively, and don't want to invest in a lot of infrastructure. I'm
sure others see it in a different light.
Their TOS seem unusually straight-forward and clean to me. Until
they've been sued over them a few times, I have a rough time imagining
a situation where google would go back to those high-priced lawyers to
demand a re-write.
Then again, maybe that's the wrong way to look at things. Maybe all
the technical concerns about putting your data on the cloud have all
been cleared up, and the only details left are wrangling it out with
the lawyers.
It's not like I know anything.
> Thanks,
> Colin
Shrug,
James
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Google App Engine" group.
To post to this group, send email to google-appengine@googlegroups.com
To unsubscribe from this group, send email to
google-appengine+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/google-appengine?hl=en
-~----------~----~----~----~------~----~------~--~---
