Can your cloud provider do *anything* they want with your data?
If you read the terms of service for one particular provider, it looks like the answer is yes.
4.3 Public User Content and Private User Content
With respect to Public User Content, you hereby do and shall grant to Prezi (and its successors, assigns, and third party service providers) a worldwide, non-exclusive, perpetual, irrevocable, royalty-free, fully paid, sublicensable, and transferable license to use, reproduce, modify, create derivative works from, distribute, publicly display, publicly perform, and otherwise exploit the content on and in connection with the manufacture, sale, promotion, marketing and distribution of products sold on, or in association with, the Service, or for purposes of providing you with the Service and promoting the same, in any medium and by any means currently existing or yet to be devised.
With respect to Private User Content, you hereby do and shall grant to Prezi (and its successors, assigns, and third party service providers) a worldwide, non-exclusive, perpetual, irrevocable, royalty-free, fully paid, sublicensable, and transferable license to use, reproduce, modify, create derivative works from, distribute, publicly display, publicly perform, and otherwise exploit the content solely for purposes of providing you with the Service.
On one hand, Bruce Schneier points out in his post, Terms of Service as a Security Threat:
As cloud computing becomes the norm, as Internet security becomes more feudal, these terms of service agreements define what our service providers can do, both with the data we post and with the information they gather about how we use their service. The agreements are very one-sided — most of the time, we’re not even paying customers of these providers — and can change without warning. And, of course, none of us ever read them.
How does he read those terms of service?
Those paragraphs sure sound like Prezi can do anything it wants, including start a competing business, with any presentation I post to its site. …Yes, I know Prezi doesn’t currently intend to do that, but things change, companies fail, assets get bought, and what matters in the end is what the agreement says.
Looks to me like they claim the right to do anything they want with your data.
On the other hand, look at this phrase again:
… otherwise exploit the content solely for purposes of providing you with the Service.
That suggests that what they do with your data is limited to what is necessary to provide you with their service. That means they can’t sell off your data wholesale, or create marketable presentations on their own, or cherry pick your trade secrets and sell them to your competitors.
Yet on the other hand again, the definition of what it takes to make their service available to you is flexible and up to them to decide.
So maybe they can’t do anything they want with your data, but they have an irrevocable royalty-free right to do a whole bunch more than what you would like them to do with your proprietary information.
Here is how things get scary. Think beyond this specific company. Eventually, some cloud provider somewhere is going to fail. It would take an extended trial and lots of bills from your attorneys to define the boundary of what the buyer of a bankrupt company can do with your data. Until a judge issues a ruling, your data could be splattered all over the internet.
Mr. Schneier’s conclusion:
I don’t mean to pick on Prezi; it’s just an example. How many other of these Trojan horses are hiding in commonly used cloud provider agreements
Think carefully when you use cloud providers. Might actually be worth your while to read the TOS.