Unfortunately, the policy falls down a bit at the end where it says they can change it with no notice of any kind (most policies of this sort have a 30-day notice period, so that if you don’t like the policy, you can remove your data before it comes into effect).

It would be good to see a notice period added to that. But in any case it’s very good to see such a big improvement to the policy, and kudos to Decho for responding to the criticisms.

Corporations have been adding their master keys to PKI used by their employees for awhile now. This is a corporate best practice to ensure corporate data is available after employees leave or for other emergency purposes.

Since Mozy is in the EMC family, with RSA, I’m positive the RSA guys were helpful on this particular part of the deployment.

Lacking a clear public statement to the contrary, anyone concerned about complete privacy of data recovery without their expressed consent should carefully consider this and alternate providers.

Good work

NICE ARTICLE

More than a half a year later, and at least one update of the privacy policy later (as it’ s currently dated Nov 17th, 2008), that third paragraph is still there.

That stops me in my tracks. A good friend of mine highly recommend Mozy as being really incredibly easy to use, unobtrusive, having a great stance on how much you can back up (he warned Mozy he had a *lot*, and the response was just “Bring it on”), etc. I was jazzed.

But sorry, no, you are not the arbiters of public safety. That’s the whole point of court orders. If someone is in imminent danger, the relevant court can have a subpoena in your hands in no time. And as for protecting your policies, well, that’s not a good enough reason to hand over my data to third parties. It’s not even a close call.

If Mozy ever want to revise that policy to be more like Carbonite’s, I’m in. Meanwhile, I guess I have to go deal with their stuff.
–
T.J. Crowder
tj / crowder software / com

http://backupanytime.com/blog/?p=138

I’m glad that you’ve chosen to comment a bit on the 3rd section of the clause, the one that really troubles me. While I’m sure that your intentions are most likely very good, the intention of a privacy policy as a binding document is to make sure that they are – and the one offered by Mozy simple doesn’t deliver. The two other examples Søren mention deliver much stronger language, and thus better protection, should the matter come before a court or law.

It is my hope that Mozy will take this discussion as a starting point to reviewing this clause of their privacy policy.

Søren, good point about the wording of that third clause. I’m assuming the lawyers required it just in case something ever happens where the world is in danger and some data on the company’s servers can prevent a major catastrophe (but that’s just me talking). But I would expect that the company would only retrieve information if it were ABSOLUTELY necessary. Accessing a user’s information without permission could harm the company’s reputation, and that would be quite a high price to pay. That fact, in-and-of itself would seem to be a pretty high motivation to keep everything secure. And for those individuals that are still hesitant, I repeat, use the private key.

I appreciate your suggestions though. Your newest post is even more helpful. I invite you to add other suggestions in the comments and I’ll pass along what I can. We’re always looking for ways to improve the product.

(And no Søren, I’m not in charge of PR or security, I’m just an employee that wants to clear up a little confusion.)