Reasonable Expectation of Privacy From Web Hosts?

Shafted writes "I'm in a bit of dilemma, and I'm wondering what fellow Slashdotters think regarding this subject. I've been hosting web sites for some clients for years using my own server. About a year and a half ago, I got a reseller account with a company that will remain nameless. They are, however, fairly large, and they did come highly recommended. Other than the usual slow tech support, occasional server overloading, and... well... typical support staff, it's been pretty good and has saved me from having to deal with problems like hardware and driving down to the colo at 4AM to figure out a routing problem. All-in-all, it was acceptable. Until yesterday, when I was asking for a relatively minor email-related fix, and by the tech support staff's response, they had accessed my MySQL database directly and looked at the contents; presumably, in order to tell me what I was doing wrong. Regardless of the fact that they missed the boat with regards to the support question, I found it surprising that they would access my database data without my consent. When I asked them why they were accessing the database without my permission, they've pretty much ignored me, despite repeated requests asking why they think this is acceptable. So, my question is this: Do I, as a customer who, according to the acceptable use policy, owns my data, have a reasonable expectation of privacy for the data which I own, despite it being hosted on a third-party's server? Or do web hosting companies have the right to poke around at everyone's data as they see fit?" Read below for the rest of the question.

Shafted continues: "I did get a response from one of the higher-ups, who said it was ok - they were perfectly within their rights, and their privacy policy supports that. Problem is, I've read the privacy policy, terms of service and acceptable use policy, and nowhere does it make mention that they have the right to look at files or data. It does indicate that I am the one who owns the data (presumably to cover copyright infringement). Another fellow indicated he felt that, as site admin, he had the right to look at whatever he wanted on the site, whether it's his data or a customer's (he, from what I can tell, is not an employee). I can understand looking at data to determine whether it violates the AUP or TOS, provided that it's justified (i.e. a scanner or audit indicates that something fishy is going on). But since I haven't violated the AUP or TOS, do they have this right? Is this something all web hosting companies do? If it isn't expressly stated, either that they do or do not have the right, does that automatically give them the right? Is this an industry norm, or did someone make a mistake and they're simply unwilling to admit to it? I'd really like to hear what some of you have to say, knowing that many of you probably have sites hosted by third-parties, and some of you may work for web hosting companies. Since this is the first one I've ever dealt with, I'm unsure whether I should expect this anywhere else, and if so I may end up going back to self-hosting."

encrypt your data or dont co-lo

[NynexNinja]

there isn't much you can do. if you choose to co-locate your server at another location, be prepared to have other people looking at your stuff all day. If you have issues with that, either encrypt your private data, or dont co-locate your data at some hosting provider.

And the moral of the story is

[fishthegeek]

that no matter what, when you sacrifice control for convenience there is always going to be a chance that someone is going to poke around your stuff. It's a risk of the business.

Slippery Slope?

[Kneo24]

Hmm... I can see your point. Nothing anywhere in their policies that you agreed state they have that right. And you also seem ok with it IF they suspect or even have proof that someone broke the agreement that both parties made.

Often times people will put private stuff on a server they rent/own and make the files/folder private so that they and a select few can only view the files. So what right does hosting company have to look at information that's private without my consent?

I think this goes beyond the "well I own it!". Guess what? When you rent out a house to other people, you don't have the right to snoop on your renter's. You can't just access their house whenever you please. There's an expectation of privacy and I think the same applies here.

My suggestion? Kindly tell them to fuck off and find another hosting company. I would suggest you make it public who this company is and what their practices are so the rest of us can avoid them too.

Unusual

[Bogtha]

I've never had this happen as far as I know (obviously hosts can snoop without telling you). I'd say that this was quite unusual, if for no other reason that hosting companies rarely help you diagnose problems that are likely of your own making. They'll usually just tell you to revert to a supported configuration.

It seems quite odd that they'd be poking around in your database to debug a mail configuration unless you are doing something unusual. But if it is indeed technically related, I doubt you could support the argument that they shouldn't be inspecting your configuration when you ask them to help you debug something. If the database can cause your problem, then how do you expect them to help you without giving them access to it?

Encrypt It

[joutlaw0870]

I don't mean to be critical here but why don't you encrpyt the sensitive data prior to storing it? Yes it is going to cost you some development and testing time but it will provide with piece of mind that 3rd parties who peak at your data whether legitmattly or illegitmatlly wont be able to use it for the own purposes easily.

Re:Take your business and go somewhere else

[retchdog]

And all of your examples are due to the evils of government regulation.

Even the ISPs reading email, except you added a "don't" for some strange reason.

Re: People looking

[TaoPhoenix]

Isn't this the great flaw of Cloud Computing?

Playing in the clouds is convenient, but should probably be focused that way. Do serious stuff locally and transmit it as needed.

Colo versus Managed or Shared hosting

[DigitalSorceress]

I'd say that any instance where you don't fully own/control the hardware (managed servers or shared hosting), that the contract can SAY whatever it wants, but if they want to see your data, they can.

Now, I'm sure most tech support folks have better things to do than to nose through your data or read your email. There is a certain level of trust that you have to give your hosting service, or else it's just not going to work.

It's been my experience that if you want more change / access control in place, you can get it, but it's not going to be cheap. The hosting facility my previous employer used had tech support folks who always asked permission and told us what they were going to do and/or what they did, but that was a $50,000/month hosting contract.

Anyhow, You're going to have to choose... is your privacy more important than having to buy/handle your hardware? if so, then go back to a colo and be prepared for those occasional 4:00am calls. If the support is what's more important, then find a hosting provider where you have some faith in the folks involved. I maintain a very good working relationship with the main support guy where my own server is hosted. I have a lot of faith in him, and I never get redirected to the "Bangalore Bargain Bin" cuz they're not doing that outsourced support thing. To me, this is a comfortable arrangement.

In the end, security versus convenience is always going to be a give-and-take arrangement.

Web hosting?

[TheRaven64]

If you are buying 'web hosting' then you are essentially buying a managed server - someone else is the administrator, you are a user. You have no control over it and should have no expectation of control. If you want an expectation of privacy then you should get a dedicated server. If you are a reseller then you could probably do this quite easily - get your own co-located dedicated server somewhere and sell vhosts to your clients. If the hosting company wants the root password for your machine, run away.

Shifting Laws in Troubled Times

[b4upoo]

Your question should be taken up with a good lawyer. These days things are quite unclear as to what snooping is reasonable.
        I am not a lawyer and my opinion is that anyone looking at your files acquires certain legal liability if anything at all is going on through your servers that breaks civil or criminal law. Not looking at files by you or anyone else leaves you with a great deal of legal protection.
        Recently I learned that a vague acquaintance was arrested for possession of child pornography as a popular music- file sharing site runs search
programs looking for copyrighted materials and they happened to key in on certain words or images within those porn files.
        He may have had some expectation of privacy. I really don't know. But what I do know is that famous site now has a problem if other porn passes through their site and they fail to catch it. Not doing a good enough job carries legal penalties whereas not doing any job at all relieves them of responsibility. Color that spying can be foolish, expensive and dangerous.

Even for dedicated servers, it's hard

[Animats]

It's a difficult issue. I have a dedicated server at APlus in Phoenix, and for the first six months, they didn't have any of the passwords for the box. Then they had a big outage and had to move the servers to another data center, and asked the users to tell them the root password so the could shut down the server, move it, and reconfigure the networking. So now they have the root password, and they did use it once without asking me first when I called in with a later problem.

It's not a big issue for this particular application, because it doesn't have any proprietary or personal data and it doesn't do credit card transactions. But for anyone selling something, it could be a very big deal.

This is to some extent a lack of Linux system administration capability. There's no standard way to give out a permission that allows only the operations a co-location facility might need to perform - startup, shutdown, IP address change, and maybe encrypted backup. APlus uses the Plesk control panel, which can do most of those things, but its security isn't designed to give the co-location operator a limited login.

Some Customers. . .

[mosb1000]

Some customers will get upset with you if you wait to fix the problem, others will get mad if you don't wait and ask them first. It is a no-win situation.

Re:I've had worse.

[Splab]

Wouw... Just wouw, he runs some code without knowing what it is supposed to do on a live server?

In a company I used to work we had an object with the function "destroyDatabase" which did exactly what it said (well cleaned up data for testing purposes). For some reason someone allowed this to get on to the live servers.

Several generations of coders later some smart guy decides to run this function on the live server, because he was wondering what the function did...

Re:Slippery Slope?

[ScrewMaster]

You can't just access their house whenever you please.

Well, in my State landlords have the right of "reasonable access". Maybe they can't just snoop as they please, but they do have the right (upon 24 hours notice, I believe) to enter their premises.

Re:Lemme guess, Dreamhost?

[Anonymous Coward]

You can argue the legality and ethics of a provider looking at users data, but to actually change a database schema is abominable.

Re:Slippery Slope?

[Kneo24]

The problem here is that the hosting company was looking at something that was unrelated to their problem (so they assume). You can ask your landlord to fix your sink, and whatever is under it is your problem if you don't want them seeing it, but that doesn't give them the right to go into your bedroom and rifle through your underwear drawer.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Even for dedicated servers, it's hard

[TheRaven64]

There's no standard way to give out a permission that allows only the operations a co-location facility might need to perform - startup, shutdown, IP address change, and maybe encrypted backup

Actually, there is. First thing to note is that 'root' is just a name. It is UID 0 that is powerful, not the user named 'root'. You can create an account called root which has a different UID and it is just another user - give this account / password to the colo company and they will only find out that it's not root if they try to do something evil. Then, just give them permissions to modify the network config files and run shutdown / reboot as root and you're set.

Alternatively, you can create a 'colo' user which has write access to the network config files and has sudo access to the shutdown command, which might be cleaner, and if they complain about this limited access then move hosts.

It's all in the style

[hyades1]

This strikes me as one of those situations where what actually happened is less important than the company's reaction to your questions. The initial silence, followed by a response from a company official that is not in harmony with their published policy, screams "guilty conscience". They got caught with their hand in the cookie jar (yours, in this case), and they're just hoping you'll shut up and go away. I find myself wondering whether they routinely snoop databases hoping to find information that might be of use to them.

Three recommendations: Encrypt everything that matters if you decide to stay with this company; publish their name, along with a factual account of their actions and links to your documentation; if there is a relevant regulatory body or professional association, send your story to them and ask whether the company's actions and response are reasonable under the circumstances.

Use a smaller hosting company, get better service

[np_bernstein]

So, a while back - 2001 according to whois, I registered my personal domain at a small webhost. It was my personal domain, and, as such, not something I was to concerned, where reliability was concerned. Anyway, I picked this place off an ad on kuro5hin (heh, remember them?) and did so based *only* on price. It turned out it was running by one guy. Over the years we exchanged a number of emails and got to know each other by name. Now, I address my support emails directly to him, and I know they're not going to screw with my stuff.

So my advice is this: If you're going to use a webhost, use somewhere small, and take the time to get to know the admins. They'll value you a lot more than some huge conglomerate.

As for legality, look to the terms of use. If they offered you virtual private hosting, well, there's an assumption of privacy. Otherwise, look at that "terms of service" document you most likely clicked right though.

And to give the a quick plug (I neither work there, nor have a financial relationship outside of paying) http://ion-web.com/ [ion-web.com] is pretty good. Feel free to tell them Nick Bernstein recommended them, maybe they give me an even better deal.

Re:Slippery Slope?

[Anonymous Coward]

Read the sentence following that:
Regardless of the fact that they missed the boat with regards to the support question

Re:From home?

[Bogtha]

The 'at home' solution offers total control. If you're making enough money off your clients, it's worth it in my opinion.

So long as "enough money" is enough to employ multiple competent administrators. If a server goes down, somebody needs to bring it back up in a reasonable timeframe. Being on call 24/7 is not fun. What if you are sick or injured? What if you want to go on holiday? As you said, "Yay redundancy!" It's not just hardware that needs redundancy to be reliable, wetware needs it too.

Re:encrypt your data or dont co-lo

[blane.bramble]

Not sure what the situation is in the US, but here in the UK if it's co-location (i.e. you own the box) the ISP has no right to log into your box without your permission.

Re:I've had worse.

[HereIAmJH]

I can understand that 'scrapeX.php' might sound a little dubious, so I bet this guy thought he was doing his company a service by running it...

Not really. If he suspects a script, he shouldn't run it until fully understanding what it does. If the script does something bad, he has now executed it rather than preventing it. On top of that, he's most likely doing so from a privileged account.

Re:Slippery Slope?

[topham]

Keep reading the legal requirements and you'll find out that 24hr access also requires a legitimate reason, not just any reason. Generally this means they need to justify it, even if it is afte the fact. They have the right the deal with emergency situations immediately, even without 24hr notice. This would include such things as smoke/fire as well as visible signs of a water leak. Still wouldn't give them the right to go through your dresser.

It is entirely unacceptable to access a customers database without explicit permission. Period.
Maybe they were trying to be helpful, that unfortunately isn't the point in this case. They have no business accessing it now without some more direct permission. I usually handle such things by talking with the appropriate customer on the phone and telling them what I am going to do. I let them ride along to the extent possible (shared screens, whatever) so they can see what I am doing. If that level of their involvement isn't possible I still ask for permission and do what's required then.

If they refuse then they are left with the possibility of losing access to the server, or its data, etc, as required to protect my servers and my business. That still doesn't give me the right to access their data because I feel like it. Even if they asked for help.

note: I will say that I've had understanding with specific customers in the past that let me do what was necessary whenever it was necessary. This is followed up by a report of what was done, giving them an opportunity to complain about it if they so choose. If they were to complain I accessed their data without permission then they would receive an apology, I would refer to the previous understanding, and confirm that it would not happen again without their explicit permission. Period. Anything else is unprofessional.

The problem here is the tendency of admins to feel like they OWN a server, instead of them having certain, specific responsibilities for that server. It's an industry wide problem, and is somewhat exhibited by the recent issue in San Francisco. (Of which I believe both parties are significantly in the wrong. It's a pissing match and the system admin is not entirely right. Without explicit cause (imagination isn't cause) you do NOT configure a device without storing it's configuration in Flash. If you do that on a number of routers and there is a power failure it would take far to long to get everything back up and running.)

If, by nature of trying to track down an unknown problem an admin sees data that is otherwise not theirs to see I expect them to keep it to themselves. Not to discuss or disclose the contents. Depending on the nature of the data I would, however, expect them to disclose that such an incident occurred. I don't want them hiding the fact they saw 100 credit card numbers while packet sniffing for a specific problem. However, actual disclosure of those credit card numbers make them subject to termination.

You own the box, not it's data. You are responsible for keeping it running to the best possible, if that means deactivating a clients access, or applications then so be it. It doesn't mean you can go digging through their files.

I don't get why people don't understand this.

Re:From home?

[Bogtha]

Apparently you didn't even read my post, just picked parts out so you can criticize.

Yes, because I can't possibly have read your post and disagreed with it too, right? Get over yourself.

Only issue I've ever had was a power outage that lasted a good couple hours

Lucky you. Just because the gamble paid off for you, it doesn't automatically mean that it's a good idea to do it.

When you take on the burden of hosting, that involves making sure somebody is around to fix any problems that arise. Sure, you can cut corners and gamble that nothing is going to go wrong, but that's a big risk, and it can result in a lot of stress and downtime.

It is irrelevant, and you are overreacting

[mckyj57]

You are way overreacting here.

As an ISP, I look at anything and everything that I think may be related to the problem. Absolutely I look at databases.

The expectation of privacy is that I won't repeat this information to anyone else. If you have a doctor, it is the same thing. You have no privacy as to the contents of an X-ray, or as to your medical condition. You have expectations of privacy as to disclosure. And if you were damaged, even due to negligence like en clair data streams used by the ISP for their inspection, then you would have a basis for court action.

If you want privacy from the vendor, seek encryption and take all the upside and downside that it entails. Don't expect support that requires your constant attendance to grant permission. "May I look at this file? At this one? And how about this one?" If you hosted with me and wanted calls like this every ten minutes, I would charge you $200.00 per hour from the moment my hand reached for the phone dial (or IM key, or whatever.)

Re:encrypt your data or dont co-lo

[wtfispcloadletter]

Every colo I've seen in the US has a similar policy. In a colo situation it's your hardware in their facility. Some places have it setup so if a drive (or some other piece of hardware, RAM, power supply, etc) they can replace it for you, if you have a spare and you pay for that service. But other than that, they don't and can't (well not suppose to) touch your server.

This guy was in a colo, but decided to move to a webhost. It's no longer his hardware, just his data. Even if he has a "dedicated server" plan it's still their hardware. If your site is causing performance problems on their network, they can and do look into things without ever asking for your permission. They probably won't even inform you unless they determine it is your site causing problems. Then most hosts will shut you down or disable the script/database causing the problem, THEN inform you of the problem.

Re:Not necessarily unethical

[Vellmont]

It depends on the motive. From the text it seems as if they looked at the database to determine whether the data in it was causing the problem. I would say that it is reasonable for any sysadmin to look at data when it pertains to the smooth running of their system

I don't agree. I don't think it's ever ethical to look at private data without permission, even if you're trying to "fix" the customers problem. If the customers website is interfering with the smooth operation of the hosting business, disable the website and get your customer to fix it. If they don't know how/can't, then ask permission to fix it.

unless there was some explicit agreement that under no circumstances whatsoever were they to look at data.

That should be the norm, not the other way around. It's their hardware, and their system, but it's your data. It may not be legally defined like this but I'd never use a provider that didn't have this as part of the explicit agreement. It's rather sad that the attitude around here seems to be that admins can and should do whatever they please because "it's our hardware".

Re:You're a dumbshit.

[PunkOfLinux]

Unfortunately for you, since acceptable use for both parties was laid out *in a contract* your point is moot. If the contract says "we will not do x" and they then proceed to do x, they have just broken a legally binding contract.

here's a good analogy for you:
If I go to stay in a hotel, does that mean that when I go to the front desk to ask where the pool is they're allowed to search my room? No? Then the "it's their property" thing is null. In fact, since you are PAYING for this service...

Anyway, it's *his* data. Just because it's on their machines does *not* give them a right to the data, especially since he is paying them for the privelege. He's not paying them to search through his DB, he's paying them to provide hardware and support.

Re:Slippery Slope?

[Anonymous Coward]

That's not the same. Imagine that you call your landlord because, I don't know, a window's broken. He comes in while you're at work and fixes it (which is fine), but then you find out that he also went to your bedroom and read your diary.

This is exactly the same situation. Your landlord doesn't need to read your diary to replace the window, and despite the fact that he owns the property and despite the fact that he's there with your knowledge and consent, he doesn't have the right to read it, either.

The same goes for the webhoster.

Re:encrypt your data or dont co-lo

[hedwards]

Whether or not the co-location could access it or not, I doubt they would do so. Every time you're logging into a box in that situation you're opening yourself up for liability if something goes wrong later or just because.

If the policy is to not touch the boxes without written authorization the facility can push responsibility for those sorts of issues to the box's owner or employees should they get sued.

It's a lot easier to just focus on keeping the facilities in proper order and billing than to worry about the possibility of being held liable for errors that probably aren't your fault anyways.

Another way to look at it

[Venik]

The agreement with hosting provider would not specifically prohibit them from accessing your data. On the contrary, you should expect them to access your data for the purposes of backups and troubleshooting. In the question above, the support staff accessed the dude's MySQL database in response to his support query. Unless the contract specifically bars them from accessing customer data (which is highly unlikely), they are perfectly within their rights. The situation is the same when you own your own servers and hire a sysadmin to support them. You know he will have full access to your unencrypted data, which means you trust him.

Re:encrypt your data or dont co-lo

[Anonymous Coward]

Obviously, you have no clue how to admin a server. Or just a dumbass, I dunno.

You can fix a database without gleaning the data inside. The question isn't that the support person looks at his APPLICATIONS, it is that he looked at his DATA.

Re:bad database

[NitroWolf]

I don't buy that 'compromise other users' argument. It might be a shared database SERVER, but every customer should be at least one distinct database user and should get their own database on that server(*)(**). Nobody should be able to see anybody else. If the database server can't handle it, find one that does. If the hosting company doesn't bother giving everyone their own database user accounts, find one that does.

The only reason the hosting company should ever look at the contents of a customer's database is 1) court order or 2) to do transparent optimization to eliminate real performance hits on other users, as permitted by hosting contract. This would cover the case somebody else mentioned where the hosting company added indexes to his database. The hosting company should have kept him informed, though.

(*) you want multiple users so that the owner of the database tables is different from the web app. You might still get hit by SQL injection if you aren't careful, but you won't have some bozo altering your tables.

(**) the exception is if the host provides certain tools to all users, e.g., an interface to a credit card processing engine. In this case the app might have a common backend database, but should still be designed so that one user can't see any other user's data.

So are you under the mistaken impression that because each user has a separate and distinct database and/or database user that that separate and distinct user can't bring down the entire server with crazy tables or poor SQL statements?

I've seen exactly that many times, and often times you have to dig into the separate and distinct database and find out which table if fucking it up for everyone. On a shared server, such as the one in question, with neophytes creating applications, tables and queries, you are going to run into crazy stuff all the time.

Before you say "Just disable that users account/application." Yes, that's all well and good, but then you have other problems to deal with. Either way you are going to be dealing with problems. Some people choose to fix the problem, some people choose to disable the problem. Whatever you personally would choose doesn't matter - this particular company and many like it choose to potentially fix the problem (or think they are fixing the problem), and as such they find it acceptable to access user data. Since it's a legitimate way to go about solving the problem, complaining about it is ridiculous.

If he doesn't like the policy, get a co-lo server and secure the data. Then when something fucks up, you know it's your own fault.

Re:Another way to look at it

[Anonymous Coward]

Accessing and rummaging through it are different animals; For example, if I have a for-sale ebook up on my site, and my hosting company makes a backup, that is fine; however, if an employee decides to READ the document, that is not fine.

Why is it not fine if somebody reads your ebook? It doesn't hurt you if they read it. What if you get your book published on paper, and a bookstore employee reads it while they're on the toilet? Would that be just as bad? What if your book is published on paper, somebody puts a copy in the library, and millions of people read it? Would that be a disaster?

Re:Another way to look at it

[Venik]

I doubt the contract will contain a definition of "rummaging". If you submit a service request to your hosting provider saying that your customers are unable to read the ebook, I think the support analyst will have every right to open the file and view the contents. It is possible, afterall, the file is corrupt or has an unsupported format. The bottom line is: if you don't want admins "rummaging" through your data, either don't ask them to fix your problems or - even better - encrypt any sensitive data you put on a server over which you have no control. If, for example, some of your customers' confidential information leaks out because of a nosy sysadmin, your customers will have an issue with you and not with your hosting provider. It's important to keep this in mind when you decide on your hosting options. If you choose to entrust your data to a hosting company you have no reason to trust, then you have only yourself to blame for any security leaks.

Re:And the moral of the story is

[mpe]

Agreed, 100%. What I'd recommend is compiling a list of questions to start asking before paying and moving to another provider.

Such an interview can only give you a snapshot of what the situation is now. (Subject to the honesty of the company.) So called "privacy policies" can be changed (and changed back) at the drop of a hat as well as often being written in such a way that they do not for any kind of contractual obligation.

There are some exceptions - like when the government comes and tells you that you can't tell them but, well, look for a company that provides the courtesy of asking first.

Unless it's the "law of the land" (good luck finding a part of the US where that is actually the case) or you have an actual contract stating that then it would only ever be a "courtesy".

Re:Slippery Slope?

[mgblst]

It is more like he read your diary, notice you have been having some problems with your girlfriend, and rang up to offer some advice later that day.

Re:It is irrelevant, and you are overreacting

[mgblst]

If you have a doctor, it is the same thing.

Please tell us where you work so we can all avoid it like the plague. This is nothing like a doctor, a doctor is limited by laws put on him, and Hippocratic oath. There is nothing like that for IT, so you shouldn't be looking at the data.

If it is a shared database, that is one thing. If it is a separate database, then it is off limits.