Reasonable Expectation of Privacy From Web Hosts?
Shafted writes "I'm in a bit of a dilemma, and I'm wondering what fellow Slashdotters think regarding this subject. I've been hosting web sites for some clients for years using my own server. About a year and a half ago, I got a reseller account with a company that will remain nameless. They are, however, fairly large, and they did come highly recommended. Other than the usual slow tech support, occasional server overloading, and... well... typical support staff, it's been pretty good and has saved me from having to deal with problems like hardware and driving down to the colo at 4AM to figure out a routing problem. All-in-all, it was acceptable. Until yesterday, when I was asking for a relatively minor email-related fix, and by the tech support staff's response, they had accessed my MySQL database directly and looked at the contents; presumably, in order to tell me what I was doing wrong. Regardless of the fact that they missed the boat with regards to the support question, I found it surprising that they would access my database data without my consent. When I asked them why they were accessing the database without my permission, they've pretty much ignored me, despite repeated requests asking why they think this is acceptable. So, my question is this: Do I, as a customer who, according to the acceptable use policy, owns my data, have a reasonable expectation of privacy for the data which I own, despite it being hosted on a third-party's server? Or do web hosting companies have the right to poke around at everyone's data as they see fit?"
Shafted continues: "I did get a response from one of the higher-ups, who said it was ok - they were perfectly within their rights, and their privacy policy supports that. Problem is, I've read the privacy policy, terms of service and acceptable use policy, and nowhere does it make mention that they have the right to look at files or data. It does indicate that I am the one who owns the data (presumably to cover copyright infringement). Another fellow indicated he felt that, as site admin, he had the right to look at whatever he wanted on the site, whether it's his data or a customer's (he, from what I can tell, is not an employee). I can understand looking at data to determine whether it violates the AUP or TOS, provided that it's justified (i.e. a scanner or audit indicates that something fishy is going on). But since I haven't violated the AUP or TOS, do they have this right? Is this something all web hosting companies do? If it isn't expressly stated, either that they do or do not have the right, does that automatically give them the right? Is this an industry norm, or did someone make a mistake and they're simply unwilling to admit to it? I'd really like to hear what some of you have to say, knowing that many of you probably have sites hosted by third-parties, and some of you may work for web hosting companies. Since this is the first one I've ever dealt with, I'm unsure whether I should expect this anywhere else, and if so I may end up going back to self-hosting."
From home? (Score:4, Informative)
I run a few servers here at home that are web-facing.
I have never found a provider that will accommodate me in any ways that I see fit, so the home solution has won me over every time I go looking.
I host my own work as well as customers. I'm running it all on a Business Class 7Mbit ADSL line... never any problems as most sites are pretty low on bandwidth.
I've recently got a new client (signed and sealed -- working on the project right now, actually). Their project is going to require their own server(s -- Yay redundancy!) for some power behind their project... if all goes well I'm going to lease some office space outside of my home and upgrade the connection to whatever the best is I can get.
The 'at home' solution offers total control. If you're making enough money off your clients, it's worth it in my opinion.
Re:Lemme guess, Dreamhost? (Score:1, Informative)
They even modified my databases more than once. Mainly adding indexes
Ah yes, suddenly my memories of ISP server maintenance come flooding back...dozens of clients suddenly complaining that their shared server has slowed to nag speed. The usual culprit was almost invariably a developer who hadn't yet got to the chapter on indexes and query performance. Personally I just flipped the switch on the entire domain, rather than 'fix' a client's database (considering that I'd probably have to be back there every couple of days while he 'developed' on the live server...just like they seem to have been for ol' Bob here). Sounds like Dreamhost puts way more futile work into their client support than is prudent or productive.
Be careful what you admit to, Bob.
Re:Slippery Slope? (Score:4, Informative)
Where does he say that? It's unusual to have mail configuration depend upon a database, but it's not unheard of. For example, the simplest way of setting up a web interface to SpamAssassin is to configure it to read rules from a database. The only thing the Ask Slashdotter says on the matter is:
It sounds like he has put some mail-related configuration in his database and they looked at it because his mail wasn't working correctly and they suspected he had screwed it up somehow.
Expectation of privacy? (Score:3, Informative)
You're hosting on their servers. I don't think you have much expectation of privacy, frankly. I'm all for privacy, and if you own the box, then nobody should be allowed to look at it, but if you're renting the box, just like a landlord, they should have a right to inspect it for whatever reasons. They are, to some degree, responsible for what that box contains.
On a slightly different topic, you say they're pretty good except for... And then you have a list of issues with them. I don't know who your host is, but I'd recommend CrystalTech [crystaltech.com]. I have no affiliation with them other than having hosted some sites with them over the past decade or so. Other than the occasional technical problem, for example an upgrade several years ago that broke one of my apps, or one of the two times in the past 10 years when my e-mail went down, they've been solid as rock. Additionally, when I've needed help, both their online tech support as well as their phone tech support were amazing and responsive. I'll never host with anyone else as long as they continue the way they are.
Re:Expectation of privacy? (Score:3, Informative)
"...just like a landlord, they should have a right to inspect it for whatever reasons."
As someone who's lived in rental properties a good bit, in Philly, Austin and Chicago, let me tell you, this is *BULLSHIT*. Every city ->mandates- that a landlord can *not* come in whenever they want, that they are *required* to give you at least a day's notice.
This prevents large abuses (like walking into your apt when you're female and taking a shower), and small (like the freakin' little old lady, when I was a lot younger, who'd come into our apt while we were at work, and put the ground beef that we'd explicitly left out to defrost back into the fridge, with no warning....)
mark
Re:Lemme guess, Dreamhost? (Score:2, Informative)
They probably added indexes because your DB was bringing the server to its knees. The only reason to add an index is to improve query performance. They may have changed the column for a technical reason, or it could have been another naive type choice on your part.
They should have contacted you about the problem first, suggested a solution, and allowed you to take action. If you chose not to take action (on the index), they may likely do it on your behalf if it's a quality of service issue.
Webhosts look at server resources and quality of service for every customer on that server. If one customer is impacting the quality of service for others, they will take action. No one customer is allowed to monopolize the resources of a server, unless that's what they paid for. Some hosts have more elegant solutions for this problem, while others use a more brute force approach.
How does it look from their end? (Score:3, Informative)
If you brought your computer in to Best Buy and said you couldn't play videos- and the techs there saw your naughty pictures in "Your Documents" you took with your wife (or husband), you'd be feeling similarly embarrassed.
You could probably expect that the Geek Squad would not upload your pictures to 4chan. You should also be able to count on your hosting provider to show a similar level of discretion.
However you can't say the Best Buy was violating your privacy- not intentionally, not clearly. It seems what happened with your mysql was likely an accident- I see no reason to believe otherwise, and you don't seem to either- you're just grasping around their privacy policy like it somehow matters.
RTF Summary at least (Score:4, Informative)
He said he switched from colo to hosted to avoid having to take care of his own server.
sudo can help, but be careful (Score:4, Informative)
Sudo in combination with a script that would modify your network config might work in your case. You'd also want to allow shutdown and reboot.
No time to read your stuff - Sorry to disappoint! (Score:2, Informative)
Re:Slippery Slope? (Score:3, Informative)
I used to do Tier II support for a major ISP. Much of my day was devoted to taking calls after a junior tech had failed. I'd say that in at least a third of the cases, that tech had gone haring off in the wrong direction and wasted time playing with things that had nothing to do with the issue. It wasn't at all uncommon for me to look at the case notes and see that the first tech had spent the entire call playing with the network settings when the caller's modem didn't sync. Not knowing anything about the issue except for what's in the article, I'd give 4:3 odds that the contents of the database had nothing to do with the issue.
Re:Expectation of privacy? (Score:1, Informative)
just like a landlord, they should have a right to inspect it for whatever reasons
Landlords don't have a right to inspect your apartment for whatever reason. By law, they need to give 24 hours notice and have a good reason to enter.