peterw at tux.org
Sun Sep 9 05:56:41 UTC 2007
required to log in within 7 days and accept it:
I guess I have three main suggestions:
1) On the legal/government side, alter the language so that SD is only
allowed to share my PII when legally *required* to do so (vs. the current
document's language authorizing SD to do what it's *allowed* to do).
2) On the business/sharing side, alter the language to disallow information
sharing, except with "Supplier"/Tribune, and for auditing purposes. We've been
told SD exists to collect all the money that Tribune is demanding for their
data, but this policy seems designed to give SD freedom to try out
other business models without getting customers' approval.
3) Tighten up the PII/Non-PII definitions, especially IP/cookie language.
I'm relieved that all SD really knows about me is where I live, what ATSC/HD
channels I can pick up, that I have standard cable, and that I don't want
program listings for the home shopping channels. Still, I'd like to see this

"Non-Personally Identifiable Information"

SD considers IP addresses not to be personally identifiable. I expect
a fair number of us have true static IPs, and the vast majority of others
have "always-on" connections that mean DHCP addresses that very rarely
change. SD considers cookies not to be personally identifiable, but their
forums offer persistent automatic login cookies.

Too much leeway with "Non-Personally Identifiable Information"

See 2.b.: "Because Non-PII does not personally identify You, Company
may use such information for any purpose. In addition, Company reserves
the right to share such Non-PII, which does not personally identify You,
with third parties, for any purpose."

Big loopholes for Personally Identifiable Information

See 3.f "Company reserves the right to transfer any and all information
that Company collects from the Site's users to a third party in the event
of a reorganization, merger, sale, joint venture, assignment, transfer or
other disposition of all or any portion of Company's business, assets or stock."
I could understand data transfer if SD were sold(??), but "joint ventures"?
Transfer of "any portion" of SD's assets? Here, buy this ethernet cable and
SD can give you all the customer data you want.

Another big loophole for Personally Identifiable Information

See 3.g. "Notwithstanding any other provision of this Policy to the contrary,
Company reserves the right to disclose Your PII to other parties when Company
reasonably believes such action (a) is appropriate under applicable law;
(b) to comply with legal process; (c) to respond to governmental requests;
protect Company's operations or Supplier's operations; (f) to protect the
rights, privacy, safety or property of Company, Supplier, You or others; and
(g) to permit Company to pursue available remedies or limit the damages that
Company may sustain in the event of a dispute. For example, Company may, to
the fullest extent permitted by the law, disclose Your PII to law enforcement
agencies to assist such agencies in identifying individuals who have been or
may be engaged in unlawful activities."
Some key phrases in there -- "appropriate" under applicable law rather than
something like "required" by appropriate law suggests "if we're allowed to"
rather than the "if we must" language that I'd expect. "governmental requests"
-- what is that intended to cover that (a) and (b) don't already encompass?
It looks like it would allow SD to hand over information to any old government
employee (city, county, state, federal; legislative, judicial, executive) that
contacted SD. By the time I hit (e) I'm cynical enough to think "operations"
is a broad term. (f) -- SD would release my personal information to protect
the privacy of SD, Tribune, or *me*? How does that work?

User control that might do nothing

4.c. "Changing or Removing Your PII. If You would like to review, correct,
update or remove PII that You have previously provided to Company via the Site,
You may do so by editing Your user account. However, You acknowledge and agree
that (i) Company may retain certain of Your PII for recordkeeping purposes;
(ii) residual Non-PII may be stored in Company's databases and in other
recording and/or archiving mechanisms; and (iii) Company is not responsible
for removing information from Supplier's database(s)."
I have the right to try and remove some PII, but SD isn't obligated to
actually remove the information, even from their own systems.
Also note the Subscriber Agreement states that "You represent and warrant to
Company that all Registration Information You provide in connection with Your
User Account is, and shall remain throughout the term of this Agreement, true,
accurate and complete." Presumably this means the PII removal clause in 4.c
only really applies to those no longer subscribing?
SD: please see if you can't make this policy better in the next few days so
I'll be more comfortable accepting it.