Archive for May 2012

If you’re going to compare Terms of Service, kindly do so based on facts.

ObDisc: I used to work for Google. I still have lots of friends at Google. I have a bias towards trusting Google that’s largely based on knowing people who work there and trusting them personally. I pay money for many Google services – several Apps domains, for instance. I am also a paying customer of both Dropbox and iCloud.

I had thought that the nonsense about Google’s Terms of Service and their impact on Google Drive was dead with Nilay Patel‘s comprehensive summary of Dropbox, Skydrive, Google Drive, and iCloud Terms of Service, but then I saw this tweet and realised that the nonsense is continuing. The article linked (published on Trend Micro’s “Cloud Security” blog) to was written on the same day as Nilay’s piece, so it’s not new – but apparently this nonsense is still being spread.

Trend Micro also have a similar service, called Safe Sync. In the footnotes below, I’ve included (as well as the comparison from Nilay’s article) the equivalent sections from Safe Sync’s own EULA for you to compare.

All of these Terms are fairly standard. Amongst their many similarities, each of them has a “You retain ownership” clause[1], and a “You grant us the right to” clause[2]. [3]

Without exception, every bit of FUD I’ve seen has been predicated around comparing the “You retain ownership” clauses from the other services with Google’s “You grant us the right to” clause. Today’s bit of nonsense does exactly the same thing: it lists the “You retain ownership” clauses from Skydrive and Dropbox against the “You grant us rights” clause from Google. This one goes one step further though: it first argues that the “You retain ownership” clauses in the other Terms are vital for establishing a Reasonable Expectation of Privacy under US law; then makes the explicit claim that Google’s terms destroy any argument that content uploaded to your cloud storage service has a reasonable expectation of privacy – implying (although never actually stating) that Google’s Terms, unlike the others, lack the vital “You retain ownership” clause.

Utter nonsense.

It’s quite possible that not having a “You retain ownership” clause might have consequences on a Reasonable Expectation of Privacy; but as Google’s Terms are equivalent to the others, this would apply equally to the other services. I don’t see how this could arise from a genuinely mistaken reading of Google’s Terms, either: the “You retain ownership” clause is quite literally in the previous sentence to the one quoted in the Trend Micro article – I don’t see how any honest attempt at understanding the Terms could miss the clause. I don’t see how this can be anything other than a deliberate attempt to create FUD.

The Trend Micro ends with a plug for their own product. The penultimate sentence says:

Here’s hoping the EFF shames Google into at least being less evil.

Good news! Ars Technica got in touch with the EFF and asked them to read over Google’s policy.. Was the result the shaming that Trend Micro were hoping would be bestowed on their competitors?

When Ars spoke to the Electronic Frontier Foundation about Google Drive’s terms of service, the EFF found little about them that was more suspicious than in any other similar cloud service.

I’m sure that Google is indeed positively burning with shame.

Edited to add: Just to be clear, I’m not intending to imply that there is no reason to be concerned about putting your private data on any of these services. Any time you decided to use any of these services (or any cloud Webmail service, or an online photo sharing site, or a social network…) you need to carefully balance the utility you get from the service against the very real privacy and security issues associated with the service. However, these decisions need to be based on *facts*: what the relevant Terms and Policies actually say. Spreading FUD about the contents of the policies doesn’t help anyone make a decision about which services to use (or not to use).


[1]
Google Drive
Some of our Services allow you to submit content. You retain ownership of any intellectual property rights that you hold in that content. In short, what belongs to you stays yours.
Dropbox
By using our Services you provide us with information, files, and folders that you submit to Dropbox (together, “your stuff”). You retain full ownership to your stuff. We don’t claim any ownership to any of it.
Skydrive
Except for material that we license to you, we don’t claim ownership of the content you provide on the service. Your content remains your content
iCloud
Except for material we may license to you, Apple does not claim ownership of the materials and/or Content you submit or make available on the Service
SafeSync
You are the owner of your files and are solely responsible
for your conduct and content of your files, as well as any of the content contained in communications with other
users of the Trend Micro Products/Services.
<snip>
Trend Micro does not claim any ownership rights
in your files.

[2]

Google Drive
you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones.
Dropbox
We may need your permission to do things you ask us to do with your stuff, for example, hosting your files, or sharing them at your direction. This includes product features visible to you, for example, image thumbnails or document previews. It also includes design choices we make to technically administer our Services, for example, how we redundantly backup data to keep it safe. You give us the permissions we need to do those things solely to provide the Services.
Skydrive
You understand that Microsoft may need, and you hereby grant Microsoft the right, to use, modify, adapt, reproduce, distribute, and display content posted on the service solely to the extent necessary to provide the service.
iCloud
you grant Apple a worldwide, royalty-free, non-exclusive license to use, distribute, reproduce, modify, adapt, publish, translate, publicly perform and publicly display such Content on the Service solely for the purpose for which such Content was submitted or made available, without any compensation or obligation to you.
<snip>
You understand that in order to provide the Service and make your Content available thereon, Apple may transmit your Content across various public networks, in various media, and modify or change your Content to comply with technical requirements of connecting networks or devices or computers. You agree that the license herein permits Apple to take any such actions.
SafeSync
In order to make the Trend Micro Products/Services available to you, you agree to grant Trend Micro a limited, nonexclusive, perpetual, fully-paid and royalty-free, sub-licensable and worldwide license: (i) to use, copy, transmit, distribute, store and cache files that you choose to sync; and (ii) to copy, transmit, publish, and distribute to others the files as you designate

[3]All of the service have Privacy Policys which modify the Terms of Service in various ways. It’s interesting comparing these too.

  • Google’s Privacy Policy mostly limits what they can do with the rights you’ve granted them under the ToS. For instance, although the Terms of Service require that you grant Google the right to use your data for “the limited purpose of … promoting … our Services”, the Privacy Policy seems to restrict Google’s ability to actually do this – as far as I can tell, only data you have expressly chosen to make world-visible could ever be used in this way.
  • Dropbox’ Privacy Policy, by contrast, greatly *expands* the rights Dropbox have. For instance, the Terms say that “aside from the rare exceptions we identify in our Privacy Policy, no matter how the Services change, we won’t share your content with … law enforcement, for any purpose unless you direct us to”. On the surface, this seems much more restricted than Google’s equivalent terms – until you find this in the Privacy Policy: We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request. In short, despite the misleading wording in the Terms, Dropbox can and will share your data with law enforcement just as readily as any other corporation.

Precise Pangolin install hints

My desktop at work is a Dell Precision T5500 – a fairly standard desktop, you’d think. My video card is an NVIDIA Quadro FX 580.

I recently spent most of 3 days trying to upgrade from Lucid to Pangolin. I’m not going to bore you with the details, but here are some things I wish I’d known.

  • I have two monitors, one on each of the DisplayPort outputs. The LiveCD will not use either of them *unless you have a third monitor plugged in to the DVI port*. My monitors happen to be able to handle Picture-by-Picture, so I can actually make one of them track both the DisplayPort and DVI inputs, which comes in handy.
  • Although the installer can use the graphics card just fine, the system it installs by default is broken. At the very first part of the installer (a purple screen with a keyboard and a human – at least, I think that’s what those two fuzzy blobs are meant to be), press any key. You’ll be asked to choose a language, then you’ll get a menu with options like “Try Ubuntu without installing” and “Install Ubuntu”. Press F6, arrow-down to “nomodeset”, and press x to activate it. This makes no difference at all to the installer, but does result in it installing a system that can use your graphics card later.
  • This part of the installer uses the DVI input to your monitor. Take the time to set up Picture-by-Picture so you can track the install as it flips back and forth between DVI and DisplayPort throughout the rest of the process.
  • Now choose “Try Ubuntu without installing”. Despite the misleading name, this gives you a chance to set your system up before running the installer.
  • The installer may now switch from DVI to DisplayPort, but then again, sometimes it won’t. Be glad you set up PbP so you can catch it wherever it appears. If it’s on DisplayPort, you probably didn’t set nomodeset correctly. Don’t waste your time continuing with the installer, even though it seems to be working fine – just restart it.
  • The standard LiveCD does not support LVM, so will not handle the LVM partitions already on your desktop (you do use LVM, right?). You can switch to a terminal by pressing alt+F1, and then:
    • sudo apt-get install lvm2
    • sudo vgchange -ay

    You can then use alt+F7 to get back to the GUI and kick off the installer.

  • The installer doesn’t seem to be able to cope with existing swap partitions – at least, not when you have several swap partitions. It does amusing things like popping up modal dialogs to tell you that creating the swap space failed – and then doesn’t let you dismiss the dialog, so your only option is a hard power-down. Don’t waste your time, just tell the partitioner not to use any swap partitions at all.
  • If you choose to use encrypted homedirs, the process that creates the homedirs assumes you have at least one swap partition. Because you’ve had to choose not to use any swap partitions, this will fail – but it does so in a recoverable way. Just use alt+F1 again, “sudo swapon /dev/sdXY”, (assuming that /dev/sdXY is your swap partition), then switch back to the GUI and click “Try Again” on the installer.
  • When you’re setting up your partitions, you will be asked to choose a device for boot loader installation. Choose your hard drive, not your USB stick. Near the end of the installer, sometimes the installer will try to install grub on the USB stick anyway. This will fail, but you will get the chance to pick another partition to install GRUB to. Pick your actual hard drive again.
  • If you cancel the installer, it will think something went wrong and ask if you want to send a message with details to Ubuntu developers. If you cancel this, the window never dies. If you start the installer again, it will eventually reach a point where it’s blocked waiting for the original window to go away. Switch back to the console and use “kill $(ps auxwww | grep [a]pport)” to terminate the original process.
  • Even though you’ve manually installed lvm2 and are installing onto LVM, ubuntu won’t bother installing LVM into the system it creates. Make sure you follow step 7 of this guide before you reboot. If you forget, you can always boot up the LiveCD again and run through this step.

Edited to add: One more tip: Once you’re done, unplug the DVI cable. If you leave it plugged in, a reboot will see the system using the DVI output and ignoring the two DisplayPort outputs again. If I ever do a reboot and the screens go to sleep, I’m going to try plugging in the DVI cable again. The system really seems to love that DVI output.