For Infosec professionals, Infosec for everyone


Privacy policies and practical jokes

Posted on: 11-Oct-2012
Author: cmk
OK, I am an information security and risk management consultant who advises companies on how to protect themselves and reduce risk. That does not mean I read every disclaimer and error message that is constantly thrown at me. I am as susceptible as the next person to clicking 'I agree' in exchange for free goodies from the Internet. Years of advising people do, however, make you wary sometimes. A popular website that I was trying to register on wanted my income details as a mandatory field. That made me want to check the site's privacy policy. Without any additions or deletions, here is a key paragraph of that policy (no kidding!). I have masked the company name, of course.

"Xxx will not sell or rent your personally identifiable information to anyone other than as specifically noted herein. Notwithstanding the foregoing, Xxx may sell and/or transfer your personally identifiable information to an affiliate and to any successor-in-interest as a result of a sale of any part of Xxx's business or upon the merger, reorganization or consolidation of Xxx with another entity on a basis that Xxx is not the surviving entity. For the purposes of this paragraph, "affiliate" means any person directly, or indirectly through one or more intermediaries, that controls, is controlled by or is under common control with Xxx. The term "control," as used in the immediately preceding sentence, shall mean with respect to any person, the possession, directly or indirectly, of the power, through the exercise of voting rights, contractual rights or otherwise, to direct or cause the direction of the management or policies of the controlled person. As used in this Privacy Policy, the term "person" includes any natural person, corporation, partnership, limited liability company, trust, unincorporated association or any other entity."

That is a lot of legalese. Clearly it was not meant to be read or understood by mere mortals.

Here is my translation into plain English. "We will not sell or rent your information. However, we may sell or rent it to an affiliate, or (in a very long-winded way) to whoever acquires us. An affiliate means (if you are not already convinced, or confused, by the acquisition bit) any person or organisation that controls us, that we directly or indirectly 'control', or that is under common control with us. Control means anyone who holds voting rights over us or with whom we have a contract (and, pray, how do you sell anything to anyone without a contract?)." In even simpler English: we can do whatever we want with your information, as long as we have a contract with whoever we want to sell it to. I did not register on the site, of course. Lesson for the day? Security consultants must learn to walk the talk!