[mythtv-users] SD privacy policy concerns

Peter Watkins peterw at tux.org
Sun Sep 9 05:56:41 UTC 2007


SD has just posted its official privacy policy. All customers are
required to log in within 7 days and accept it:

 http://www.schedulesdirect.org/privacypolicy
 
I guess I have three main suggestions:

1) On the legal/government side, alter the language so that SD is only 
allowed to share my PII when legally *required* to do so (vs. the current
document's language authorizing SD to do what it's *allowed* to do).

2) On the business/sharing side, alter the language to disallow information
sharing, except with "Supplier"/Tribune, and for auditing purposes. We've been
told SD exists to collect all the money that Tribune is demanding for their
data, but this policy seems designed to give SD freedom to try out 
other business models without getting customers' approval.

3) Tighten up the PII/Non-PII definitions, especially IP/cookie language.

I'm relieved that all SD really knows about me is where I live, what ATSC/HD
channels I can pick up, that I have standard cable, and that I don't want
program listings for the home shopping channels. Still, I'd like to see this
policy improved.

My qualms:

  "Non-Personally Identifiable Information"

SD considers IP addresses not to be personally identifiable. I expect
a fair number of us have true static IPs, and the vast majority of others
have "always-on" connections that mean DHCP addresses that very rarely
change. SD considers cookies not to be personally identifiable, but their
forums offer persistent automatic login cookies.

  Too much leeway with "Non-Personally Identifiable Information"

See 2.b.: "Because Non-PII does not personally identify You, Company 
may use such information for any purpose. In addition, Company reserves 
the right to share such Non-PII, which does not personally identify You, 
with third parties, for any purpose."

*Any* purpose??? 

  Big loopholes for Personally Identifiable Information

See 3.f "Company reserves the right to transfer any and all information 
that Company collects from the Site's users to a third party in the event 
of a reorganization, merger, sale, joint venture, assignment, transfer or 
other disposition of all or any portion of Company's business, assets or stock."

I could understand data transfer if SD were sold(??), but "joint ventures"?
Transfer of "any portion" of SD's assets? Here, buy this ethernet cable and 
SD can give you all the customer data you want.

  Another big loophole for Personally Identifiable Information

See 3.g. "Notwithstanding any other provision of this Policy to the contrary, 
Company reserves the right to disclose Your PII to other parties when Company 
reasonably believes such action (a) is appropriate under applicable law; 
(b) to comply with legal process; (c) to respond to governmental requests; 
(d) to enforce Company's Subscription Agreement or Terms of Use; (e) to 
protect Company's operations or Supplier's operations; (f) to protect the 
rights, privacy, safety or property of Company, Supplier, You or others; and 
(g) to permit Company to pursue available remedies or limit the damages that 
Company may sustain in the event of a dispute. For example, Company may, to 
the fullest extent permitted by the law, disclose Your PII to law enforcement 
agencies to assist such agencies in identifying individuals who have been or 
may be engaged in unlawful activities."

Some key phrases in there -- "appropriate" under applicable law rather than
something like "required" by appropriate law suggests "if we're allowed to"
rather than the "if we must" language that I'd expect. "governmental requests"
-- what is that intended to cover that (a) and (b) don't already encompass?
It looks like it would allow SD to hand over information to any old government
employee (city, county, state, federal; legislative, judicial, executive) that
contacted SD. By the time I hit (e) I'm cynical enough to think "operations"
is a broad term. (f) -- SD would release my personal information to protect
the privacy of SD, Tribune, or *me*? How does that work?

  User control that might do nothing

4.c. "Changing or Removing Your PII. If You would like to review, correct, 
update or remove PII that You have previously provided to Company via the Site,
You may do so by editing Your user account. However, You acknowledge and agree 
that (i) Company may retain certain of Your PII for recordkeeping purposes; 
(ii) residual Non-PII may be stored in Company's databases and in other 
recording and/or archiving mechanisms; and (iii) Company is not responsible 
for removing information from Supplier's database(s)."

I have the right to try and remove some PII, but SD isn't obligated to 
actually remove the information, even from their own systems.

Also note the Subscriber Agreement states that "You represent and warrant to 
Company that all Registration Information You provide in connection with Your 
User Account is, and shall remain throughout the term of this Agreement, true, 
accurate and complete." Presumably this means the PII removal clause in 4.c
only really applies to those no longer subscribing?

SD: please see if you can't make this policy better in the next few days so
I'll be more comfortable accepting it.

Thanks,

Peter


