Microsoft had an apparently unexpected hit on their hands with the unveiling of the “How Old Do I Look?” service at the Microsoft Build conference last week. By the weekend my Facebook feed was filling up with friends from all over the globe sharing the results of their own submissions to the service. For the three of you that haven’t come across this viral hit recently, “How Old Do I Look” allows a user to upload a photo and will attempt to correctly guess the age of the subject of the picture, with the results ranging from the spectacularly awful to the incredibly accurate.
From the “Materials Posted on this Website” section of the ToU (my own bolding):
“[…] by posting, uploading, inputting, providing, or submitting your Submission, you are granting Microsoft, its affiliated companies, and necessary sublicensees permission to use your Submission in connection with the operation of their Internet businesses (including, without limitation, all Microsoft services), including, without limitation, the license rights to: copy, distribute, transmit, publicly display, publicly perform, reproduce, edit, translate, and reformat your Submission; to publish your name in connection with your Submission; and to sublicense such rights to any supplier of the Website Services”
These are actually the standard ToU for Microsoft’s Azure cloud services, they are broadly similar to the ToU of many, many other online services. While I am not trying to insinuate that Microsoft have some sneaky photo-stealing agenda, these ToU do really serve to illustrate a couple of perennial problems in information security.
– The scale of customers’ unwillingness to inform themselves of what exactly they are agreeing to when making use of information technology.
These terms were not hidden away, they were clearly linked from the front page of the service, yet not one of the people I spoke to had bothered to click through. Perhaps we have been educated into apathy. Many companies are certainly guilty of producing reams and reams of agreements and terms that a customer could never reasonably be expected to digest (*cough*iTunes*cough*) but this was not an example of that. These Terms were relatively clear and concise and not overly long.
– The cult of overasking.
These kinds of clauses help no one. In most cases the motivation behind such a broad legal definition of rights is a technical one. The service provider needs to cover the processing, caching, and publishing of user submitted data. They need to legally define the normal operation of their service. However, the legal eagles, in attempting to define that service, grant themselves such a broad swathe of rights, going on to qualify them with phrases such as “without limitation” that the end result is Orwellian in scope.
When the rights reserved by the operators of “How Old” are pointed out to the users of the service they are clearly concerned, often to the extent that they wish they had never used the service. This isn’t fear-mongering, this is a natural and understandable reaction to the feeling that a faceless corporation is “taking liberties” with their data or duping them with a “bait and switch” scam. “We don’t keep the photo (but we can if we want to)”.
These things must end. It is our own responsibility to keep ourselves informed of the content of agreements that we make. Whether that’s a pen and ink signature on an agreement of a digital click of acquiescence. We need to reject terms with which we are uncomfortable and push back on overly greedy legal documents.
At the same time, the legal officers, particularly of the global mega-vendors have a duty to become more tech-savvy. To be able to better define the technical rights necessary for the operation of a service accurately, without the need for land-grabbing phrases such as “without limitation”