One of our trusted CRM providers, 37signals.com, recently published some statistics on the usage of their service. In doing so they accidentally published the name of one of the files included in those supposedly anonymous statistics. That raised quite an uproar over their security/privacy policy. It is a good example of how a cloud company responds to such an uproar.
The interesting thing is that this was not a security breach or a hack: it was done by the company's own staff, as part of a disclosure cloaked in a bit of marketing on their blog. This is one of the places where security/privacy policies get breached in practice. It is a good example of how all the legalese can be swept away by the press of one button, or by the wrong word in one blog post.
500 pixels has an interesting approach to their privacy policy and terms of use. By summarizing the legalese in plain language, they make it easier to start parsing the complex agreements that are the bane of the software industry. No one reads them, and everyone knows that, including the vendors. Yet the content of these policies can decide whether or not you adopt a service.
Note that there is usually nothing in these terms that says how a cloud vendor may report usage statistics. It may be a loophole; we're not sure. What the terms should make clear is how anonymous usage statistics are used when marketing the product, and that the cloud collects all sorts of usage data beyond your IP address and the pages you visit. Actions such as uploading files and creating records, along with various other use cases, can be tracked, and most definitely are tracked to improve the systems. These statistics can be anonymized and reported, and certain data may also be used for marketing purposes: for example, to identify how many first-time users tried a particular feature and then upgraded to a paid plan. Where do you draw the line between what can be reported and what cannot? It looks like 37signals crossed that line for a bit and are now stepping back to clarify.
