24 comments

[ 4.7 ms ] story [ 64.6 ms ] thread
If only there were technology available to let us see the difference, let's call that the "diff", of various versions of text, knowing what changed would be a lot easier.

But I don't see where it's particularly egregious. It shares some data with advertisers (surprise) and only to the extent required for ads and promotions. And it says you can opt out, though it's via email.

Google makes diffs available for all Privacy Policy changes. I wish more companies would follow suit.

e.g. https://www.google.com/policies/privacy/archive/20160325-201...

So does DigitalOcean:

https://github.com/digitalocean/tos/commit/782ce59ec49a75fe2...

I'm not seeing anything there that substantially differs from the previous version, but IANAL.

(comment deleted)
My attempt to extract the key changes:

- Now collects IPs as "Personal Information" in addition to the previously-listed types

- No longer claims that cookies do not contain Personal Information, and no longer claims that cookies are not tied to any form of Personal Information in their database (I'm guessing due to the first change, but not positive and not disclosed)

- Adds language limiting the length of time they may hold Personal Information from previous "indefinitely" to current "as long as necessary according to applicable law"

- Adds language limiting the terms of a user's "explicit consent" to collection of Personal Information - previously, usage was the entirety of consent, now consent is conditional upon DigitalOcean adhering "to the applicable law".

- Hardens their commitment to not selling personal information from "will never intentionally" sell to "will not" sell

- Adds relevant language throughout to adhere with EU-US Privacy Shield Principles, including a new section on the same.

- Clarifies account deletion - even post-deletion they will retain email addresses and network logs, and possibly other Personal Information in cases where fraud or illegal activity has been determined by DigitalOcean or law enforcement.

- Clarifies how to object to collection and disclosure of Personal Information; clarifies that such an objection will not affect service-level, transactional or legal communications.

IANAL either, but hey.

DigitalOcean is an infrastructure company that charges for its services.

Do you expect your doctor to similarly "share your data" for "ads and promotions"? No, because he's getting paid for services rendered.

I think you make an important point.

Its one thing if you are partaking in free service such FB or Google et al but when you are exchanging money for good or services I think this crosses the line. Recent examples of this I have seen are AT&T who sent out notice about Customer Proprietary Network Information, basically selling your data even though in the US you are likely paying AT&T > $100 a month. This blogs has the actual notification:

http://ivebeenmugged.typepad.com/my_weblog/2016/03/att-cpni....

Ditto for Verizon with their supercookies. In Verizon/AT&Ts case their position seems to be "well Google and FB are doing it." and we need to compete.

Another recent example was was ING now Voya Financial Services that manages a 401K retirement accounts sent out a notification to customers explaining that they would be sharing your data with third parties.

This is really a disturbing trend. If the service is free then I think your infomration is fair game but when I am paying for something it needs to be opt in.

And almost without waver the reason these companies give for such actions is "so we can provide yo with better service"

Hell, in today's day and age, if we didn't have HIPAA, I absolutely would expect doctors to offer discounts in exchange for sharing my health data with researchers and drug makers.

It's sad, and I don't advocate it, but it's true.

While I'm not a fan of this and some parts of the privacy policy, I don't think think the title is fair. What seems to have changed is that DO implemented the Privacy Shield Framework, https://www.privacyshield.gov/welcome. This gives them the right to transfer data of EU-customers into the US, given that some customer rights are preserved, without having to respect every single law in every single EU-country.

However, they do reserve the right to use collected data to pass sales leads to one of our distribution partners, and that is something that sounds very broad. This is one of those things that do not seem to be explicitly forbidden by privacy shield, but totally collide with german law. I do not see how then privacy shield can be legal in Germany, even if the EU commission did enact that framework. I would expect that the german juridical system will block this later on, but well, I'm an optimist – and I might be wrong here.

Still, for the submission title to stay like this, OP should point out what exactly did change that warrants it.

The "passing sales lead" bit isn't about selling you information to the highest bidder. It's for when "it is necessary to fulfill your request". One example would be ordering a domain name from them – where they have to pass the information on to the registry.
While you might be right, that does not follow from the structure of the sentence:

DigitalOcean may share your information with contracted service providers if sharing your information is necessary to provide a Service you have requested, as part of a joint sales promotion or to pass sales leads to one of our distribution partners, or to keep you up-to-date on product announcements, software updates, special offers or other information.

Note the comma after the Service you have requested, and the leading or. I assume your interpretation is probably what they want to say, but it is not what they do say, if I understand correctly what sale leads can be here.

Also note that https://www.privacyshield.gov/article?id=My-Rights-under-Pri... makes no statement in that regard, that sharing with third parties is forbidden. Only that you can ask to be informed (how nice!). Mixing issues here, the privacy shield seems to be a horrible framework for EU-customers, while the DO privacy policy is probably alright. Besides, it is not like DO has much information they could share.

We updated the title from “DigitalOcean now has the right to give your private information to third parties”, which breaks the guidelines by editorialized. Titles belong to the content, not to the submitter, so that HN readers can decide what they'd like to read and form their own opinions.
And the government just takes all your private information without any terms of service.
Of course there's a terms of service. It's "do what we say or you'll go to prison".
Sorry DigitalOcean. Unsubscribe.
Since you clearly read the policy, I'm curious which parts specifically caused you to unsubscribe and then narrate your actions for us.
Collecting IP addresses maybe?
Maybe if they get enough email from their customer base they will add a self-service opt-out feature.
Is this different from other cloud providers?
(comment deleted)
Dear Digital Ocean,

Thank you for your transparency in this change. I received an email notifying me of it. The policy itself is in a public repository - allowing me to see exactly what changed. (Though to be honest, a link to the diff would be a nice-to-have next time.)

I appreciate your forthrightness. After evaluating the changes further, I will be making my decision about whether to continue making use of your services - as I'm sure you would expect.

Sincerely,

A Customer

----

Agree or disagree with the change, they were very up front with their customers that it happened.

Edit: forgt sme lttrs. Also, too many words so I some.

Are they? I've received e-mail containing just "we've changed privacy policy. Full text here". And they are required to do that, so it's not their choice. So I tried to find diff or short blog post about it. I coudn't. I've found this tread and HN user posted link to DO's github repository (https://github.com/digitalocean/tos/commit/782ce59ec49a75fe2...)

Is it really transparent? Is it really worth the praise?