While attempting to protect against viruses, organisations of all kinds are
unwittingly leaking confidential documents into the public domain.
[...]
“By uploading or submitting the submitted content, excluding personal data for which you are responsible, to [provider], you grant [Provider] a non-exclusive, worldwide, royalty-free, irrevocable, fully paid up, transferable, sublicensable license to use, edit, host, store, reproduce, modify, create derivative works, communicate, publish, publicly perform, publicly display and distribute the Submitted Content, including but not limited to, free or paid offerings such as Malware databases.”

The exclusion of “personal data for which you are responsible” might at first sight suggest that personal data would be expunged by the service provider before performing any of the listed public acts. However, that would apparently not be a safe assumption, as the T&Cs go on to state:

“If you submit the Submitted Content to the service without checking the box that states ‘do not share my sample with the community’ the entirety of the Submitted Content, including but not limited to all files, URLs, comments, queries, YARA rules, and/or other content, will be available for download by others, subject to these Terms. Regardless of whether you select ‘do not share my sample with the community’ screenshots and associated metadata data, which may incidentally reveal file contents, will still be shared with the community.” (My redactions and emphasis.)

And of course, personal data is not the only kind of confidential information we should worry about, nor necessarily the most significant source of harm in the wrong hands. The worst aspect of such data leaks is that the responsible organisations are completely unaware they’re happening. But the $64k question is how this could come about. Such T&Cs are typical, so evidently lots of folks didn’t read them with due attention before signing up their businesses to the services.
This implies a lack of corporate information governance that’s quite mind-boggling, but it’s becoming commonplace in the context of online business services — a cultural tendency for which I long ago coined the term ‘Fire and Forget Outsourcing’. It’s extremely common but very dangerous to take on trust that a service provider will automatically and entirely serve your best interests. So before considering any third-party service (and most particularly any apparently free-of-charge online service), ensure you’re equipped to do for yourself everything that’s not expressly offered as part of the service, and make yourself fully aware of the implications of any caveats or exclusions of liability on the part of the provider. Then, rather than taking assurances on trust, establish by active enquiry how much oversight you can exercise over the service if engaged. Only if all these enquiries pass muster should the service be used for sensitive business purposes — and what business purposes aren’t sensitive in this highly competitive world?
Mike Barwise
Director, BiR
21/08/2019