The Sneaky Ts and Cs Buried In Cloud User Agreements

The revelation that Microsoft read emails from a user’s private account underlines the importance of understanding terms and conditions

Last week, technology giant Microsoft was caught up in a privacy storm after admitting that it read the Hotmail inbox of blogger and ex-Microsoft employee Alex Kibalko while pursuing an investigation into leaked information about Windows 8 before the operating system was released.

Microsoft has since claimed that it took "extraordinary actions in this case", but on closer inspection there’s certainly scope for other technology companies to act in such a manner. Most cloud services have well-intentioned terms and conditions meant to protect both the company and its users. However, some companies overreach by including clauses granting them ownership of user data or the ability to make private data public in order to drive ad revenue. The problem is that this is technically legal activity that we all agree to when we sign up to certain cloud services – whether knowingly or not.

When signing up for cloud services or applications, very few people actually read the terms and conditions before accepting them. Most will skim the Ts and Cs and quickly click “I agree” to move on. This is not surprising given the 36,275 words of PayPal’s terms and conditions, which exceed the entire length of Shakespeare’s Hamlet.

Sneaky terms can be serious business

Apple’s iTunes disclaimer that customers can’t use its app to build nuclear weapons is unlikely to cause an issue for most people, but Facebook’s Ts and Cs mean a user’s name and likeness can appear in its ads, a much bigger concern for the general population. Fortunately, there are areas to look out for. Here are some of the sneakiest terms and conditions that crop up again and again:

  • Jurisdictional location – If legal action must be taken, what jurisdiction will apply?
  • Data ownership – Some companies claim ownership of user data uploaded to their service and the right to republish it or resell it to third parties.
  • Data privacy – Services with an expectation of keeping data private should enumerate under what circumstances data can be made public.
  • Responsibility for data loss – What happens when important data is deleted, lost or stolen?
  • Data retention after account termination – The omission of this clause in the user agreement is reason to worry.

Reducing the risk of sneaky T&Cs

Unfortunately, understanding the Ts and Cs of preferred cloud services is not a silver-bullet solution. It is important to keep in mind that terms and conditions can change at any time at the whim of the vendor. Trackers like Docracy can be a massive help in this regard, allowing users to keep up to date on periodic changes without the need to scroll through a ten-thousand-word document.

Leveraging third-party services such as a CloudRegistry will also help cloud users to understand the risks of these terms and conditions. The registry will read the Ts and Cs for every service used, produce an objective risk rating that incorporates a detailed legal risk assessment based on those terms, and continually monitor the cloud services for any changes that may affect the risk to the business.

Taking this measure might prevent users from unwittingly agreeing to release their content, allowing their names and likenesses to be used in ads, or agreeing to cover the vendor’s legal fees if an issue arises.

If users are not educated about the need to know what they are signing up for, they will continue to get stung by these Ts and Cs – and there’s nobody to blame but themselves. If users can’t commit to reading full legal documents, at the very least they need to take the time to understand the conditions to which they are agreeing, particularly given how easy and quick it can be to download cloud applications for personal or business use. Cloud users should also leverage any solutions that provide greater visibility into their current cloud applications, so that any potential problems relating to T&Cs are made immediately apparent.

The Microsoft story is not the first of its kind, nor will it be the last, so make sure you’re not a part of the next one, putting yourself and your company at risk.


Charlie Howe is EMEA director of Skyhigh Networks, a company that helps customers retain security and compliance in the cloud