[conspire] OT?: Ridiculous licence terms

Rick Moen rick at linuxmafia.com
Fri Sep 24 17:38:22 PDT 2010


Quoting Luke S. Crawford (lsc at prgmr.com):

> I think we've all seen that.  The thing is, when you ask a lawyer for
> a contract, it seems that they see it as their job to protect you as
> much as possible... and as there seems to be no downside to ridiculous
> terms in most cases, this means asking for the moon.

Well, of course.

This almost certainly won't help your problem either, but it reminds me:
A few months ago, I read Twitter's terms of service, expecting to be
able to make derogatory comments about how they assert inappropriate
rights to what you post and attempt to hang absurd obligations onto
their customers -- and was, instead, blown away by how thoroughly
reasonable, brief, and comprehensible the service's terms are.

I still don't have an account, but I respect them quite a bit, for that.

Your fundamental problem is ARIN asking for inappropriately broad data,
i.e., your customer list.  One approach is to consent to their NDA
approach but negotiate a couple of extra clauses.

1.  ARIN formally acknowledge that your customer list is confidential
and valuable data and will safeguard its privacy, giving no access to
outsiders except as required by law.

2.  Your customer list will include no more than two invented 'seed'
entries that you will use to verify that data are used only for
agreed purposes:  ARIN agree it will use that data only to verify the
size and extent of your business needs, and delete all copies of that
data within six months.

('Seed' database entries are familiar in business.  E.g., all the
proprietary online street-mapping services famously include occasional
non-existent street locations, so that wholesale duplication of their
maps can be detected.  Making explicit reference to them in an NDA 
agreement means they are put on notice you're serious about data abuse,
you're not trying to deceive them with false customer data, and are
prepared and entitled to detect and punish abuse.)

> Well, I've told people that I wouldn't give out that info, so really
> the only reasonable thing to do is to write up a proper privacy policy
> that formalizes what data I will and won't keep, and the conditions
> under which I will release that data, include the ARIN situation, 
> and then email that to all my customers, so they know what's happening.

An explicit data retention policy is a good idea for many reasons.
E.g., if you have a written policy of deleting all of your company's
e-mail that's over six months old, and implement that policy, then you
cannot be forced by subpoena to dig for it.

> You know what I want?  I want a set of standard privacy policies 
> to be published by some group like the EFF.

It's not a bad idea.

The pity is, good examples doubtless exist in corporate land, but you'll
never get them out in public.




