On 10/06/15 17:07, Christopher Carpenter wrote:
> In the event that we or certain of our assets are acquired, user
> information may be included among the transferred assets.

I don't think that's a problem /per se/, if any restrictions Mozilla has placed on how that data is to be used continue to be binding. And (certainly unless the company goes into liquidation) I would expect that to continue to be true.

The alternative is that user information _can't_ be transferred, which means that if Pocket is ever acquired, everyone's saved list of URLs is lost and they can no longer log in. Doesn't sound great to me.

> I'd rather not have some big investment bank get a hold of my personal
> information + URLs I've saved and be able to sell that to someone/do
> whatever with it. If I understand privacy policies properly (which is by
> no means guaranteed) this is a perfectly plausible scenario since the new
> company would not be bound by its terms.

I think it would; if company A buys company B, they are still bound by contracts signed by company B. That's why there's a lot of what's called "due diligence" before an acquisition, as the acquiring company checks that the target has not signed any dumb contracts that will cost them.

> Another thing I dislike about the policy, specifically because it appears
> that all the information is stored unencrypted on the servers, are these
> pretty standard lines:
>
> Although we strive to protect the personal information of our users,
> we will release personal information if required by law or in the
> good-faith belief that such action is necessary. We follow the law
> whenever we receive requests about you from a government or related to
> a lawsuit. We will notify you when we are asked to hand over your
> personally identifiable information in this way unless we are legally
> prohibited from doing so. When we receive requests like this, we will
> only release your personally identifiable information if we have a
> good faith belief that disclosure is necessary or appropriate under
> applicable law. Nothing in this policy is intended to limit any legal
> defenses or objections that you may have to a third party's request to
> disclose your information.

I agree these are fairly standard, although the notification of pending release is optional, and important. But I'm not sure what else it could say, given unencrypted storage. "We will defy the government until they shut us down?"

The question of whether Pocket should encrypt the data server-side is a different question. I know, from Mozilla's experiences with Sync, that this can complicate matters (particularly when adding new devices), and moreover it's now how Pocket works now.

It would be reasonable to say (and file a bug to the effect) that users need to be informed that their data is being stored in the clear on Pocket's servers under US jurisdiction.

Gerv