Security and Privacy Concern about Logos4 Phonning Home

Page 6 of 15 (285 items) « First ... < Previous 4 5 6 7 8 Next > ... Last »
This post has 284 Replies | 8 Followers

Posts 30907
Forum MVP
MJ. Smith | Forum Activity | Replied: Fri, Apr 23 2010 11:19 PM

Russ White:
That the software doesn't allow the user to determine which personal data will and won't be synch'd. I would like to see some way to choose which personal data I put on your servers.

I basically agree with Rosie that making such a basic design feature optional is fraught with problems. I also agree that there is a possible legal liability with regards to truly personal information. I suggest that Logos make it possible to flag individual prayer files to be marked as excluded from backup and syncing.

Orthodox Bishop Hilarion Alfeyev: "To be a theologian means to have experience of a personal encounter with God through prayer and worship."

Posts 521
Russ White | Forum Activity | Replied: Sat, Apr 24 2010 4:30 AM

If you make it possible for users to disable some key feature of the product, some of them will do it, and a certain percentage of those will not read the fine print and will not understand what is really being disabled. Then they'll come crying to Logos if their computer crashes and they lose all their Notes. And it will be a support cost for Logos to give those people (even if it's just a small fraction of the users) some cold comfort over the phone when they are distraught over their years of sermon notes being blown away in one moment. And a certain number of those users will be upset at Logos for NOT backing up their data like it was supposed to, even though they disabled it themselves. And some of those ones will demand their money back. And it's yet another complexifying of the code, so an opportunity for subtle bugs to creep in, thus causing more potential user support calls. So none of this is easy for Logos to handle.

Four points to consider:

1. Are you saying that people should be responsible enough to read the fine print on the acceptable use agreements, and realize they should not put personal data in the software, but they shouldn't be responsible enough to know what they're doing when they turn off synchronization of some specific pieces of that same personal data? it's a long stretch to say, "my users aren't responsible enough to understand what they're doing when they turn off the synchronization of specific pieces of personal data, but they're responsible enough to know what sorts of personal data should, and should not, be placed into my software." The argument on personal responsibility cuts both ways, so it's a wash in either direction.

2. If someone reads the fine print on the acceptable use agreements, and comes to the conclusion that they cannot store personal data in Logos in good conscious, how does that change the situation in regards to their personal data being lost, specifically? Are they less likely to lose their personal data because they are forced to store that information in a different piece of software? The underlying logic is, "I'll protect the data you put into my software, but if you put something in there I don't think you should have, I'm not responsible, and if you put something in another piece of software and lose it, I'm not responsible." It's a bit contorted, to say the least.

3. How do the other pieces of software already on your computer deal with this situation? Does Microsoft require that you back your Word, Excel, or Powerpoint documents up to their server to keep you from losing them? In fact, I have several pieces of software that pop a dialog box when I exit that asks me, specifically, if I want to save backups of my work every X number of days (Embird, for instance). The point is no-one else forces me to lose privacy to save my data to cut their support costs; there are other reasonable solutions that have been found to this problem in the past, and any number of them could be successfully applied here, as well.

4. Will it be cheaper for Logos to deal with a few users who lose their personal data, or with a single court cases when data is unintentionally exposed? It seems to me it's a foolish bet to advertise, "your personal data is synchronized so you won't ever lose it," and then expect a "fine print waiver" stating you shouldn't put "really personal stuff," in the software in the first place. IMHO, the "fine print" is a legal fiction, and Logos would lose this one in court. Other companies have, in fact, lost on this line of argument (which is why there are many warning stickers on ladders, not just one).

I'm sorry, but this line of argument simply doesn't hold up. I completely understand the issue of keeping the software up to date--again, whether or not I agree with it is immaterial, really, when dealing specifically with personal data. But there is no argument for synchronizing personal data that doesn't cut both ways. In legal terms, I think Logos is setting itself up to be sued. Ethically, I think the idea of forcing users to synchronize their personal data, and then putting a "loophole" in place to try and protect yourself legally from the consequences of that synchronization, is questionable, at best.

:-)

Russ

==

Added:

You're also expecting people to understand the importance and implications of metadata in the data they do decide to store on Logos' servers when you say they should "know" they can't store "really personal stuff" in the software. Is this a reasonable expectation? In my experience, no. And it again runs counter to the claim that Logos is just covering for people who aren't responsible by backing their data up for them.

Finally, it's a defensible position for Logos to say, "we gave people the option, and this specific user decided to place this data on our server, contrary to our terms of use." It's not very defensible to say, "the terms of use say not to store this sort of data on the server. If the user didn't like those terms of service, their other option was simply not to use the software." I don't know of a single court case where the court has held in favor of the argument, "well, the user could have simply not used my product in the first place." You took the money for the software, you're responsible, end of story.

Posts 81
Ray Timmermans | Forum Activity | Replied: Sat, Apr 24 2010 7:55 AM

Russ White:

Finally, it's a defensible position for Logos to say, "we gave people the option, and this specific user decided to place this data on our server, contrary to our terms of use." It's not very defensible to say, "the terms of use say not to store this sort of data on the server. If the user didn't like those terms of service, their other option was simply not to use the software." I don't know of a single court case where the court has held in favor of the argument, "well, the user could have simply not used my product in the first place." You took the money for the software, you're responsible, end of story.

Russ,

On the contrary, Logos' position would be and is entirely defensible; particularly since, as has been noted above, there is more than one option than simply not using the product--namely, to use the "work offline" method of usage. Logos would have the additional argument that "We not only gave the user the EULA warning, we also provided them with two different options, to work offline and to turn Internet access off. If they choose a specific function that demands Internet access, and, in so doing they are taking that risk knowingly" the consequences are theirs and theirs alone to bear.  To expect otherwise places an undue burden on Logos' development team to have to anticipate every user's quirk in usage. The EULA is a contract and the "four corners" rule would apply. There is nothing wrong with "adhesion" contracts--which is what this is. They are standard in software licensing agreements. The EULA is there, the user is presumed to have read it and made an informed decision, end of story.

When a user makes a choice about the EULA, s/he should be willing to abide by it. Having made that choice, and having been informed in advance not to store private data, and having rejected that advice, they would have the weaker legal argument. 

Also, by defined the issues in terms of a contract by a EULA which the user has agreed to, the potential remedies any suing party has have been reduced. Tort remedies on "privacy" issues are eliminated--even further strengthening Logos' position.

Posts 3729
Floyd Johnson | Forum Activity | Replied: Sat, Apr 24 2010 9:33 AM

Russ White:
Does Microsoft require that you back your Word, Excel, or Powerpoint documents up to their server to keep you from losing them?

It is my understanding that MS Office 2010 will be making use of the cloud to store files - so they become accessible from any hotspot.  I do not know how much control they will give to the user to decide what goes into the cloud and what does not.

Blessings,
Floyd

Pastor-Patrick.blogspot.com

Posts 521
Russ White | Forum Activity | Replied: Sat, Apr 24 2010 1:57 PM

Ray Timmermans:

Russ White:

Finally, it's a defensible position for Logos to say, "we gave people the option, and this specific user decided to place this data on our server, contrary to our terms of use." It's not very defensible to say, "the terms of use say not to store this sort of data on the server. If the user didn't like those terms of service, their other option was simply not to use the software." I don't know of a single court case where the court has held in favor of the argument, "well, the user could have simply not used my product in the first place." You took the money for the software, you're responsible, end of story.

The EULA is there, the user is presumed to have read it and made an informed decision, end of story.

I'm sorry, but I've seen court cases where the prior existing warnings were not enough, especially when the company in question sold the product on specific advertising claims. In this case, Logos is making a specific advertising claim. I happen to know of companies caught in this specific trap, and the EULA didn't save them.

When a user makes a choice about the EULA, s/he should be willing to abide by it. Having made that choice, and having been informed in advance not to store private data, and having rejected that advice, they would have the weaker legal argument.  Also, by defined the issues in terms of a contract by a EULA which the user has agreed to, the potential remedies any suing party has have been reduced. Tort remedies on "privacy" issues are eliminated--even further strengthening Logos' position.

In other words, you think there's absolutely no moral or legal reason for Logos to allow users to determine what personal information is stored on their servers, short of simply not using the software at all? Again, if your argument is, "well, the user should be smart enough not to store data there in the first place," then why does Logos offer to synchronize the data, and advertise the software with this as a feature, specifically for personally entered data?

Russ

Posts 521
Russ White | Forum Activity | Replied: Sat, Apr 24 2010 2:07 PM

Floyd Johnson:

Russ White:
Does Microsoft require that you back your Word, Excel, or Powerpoint documents up to their server to keep you from losing them?

It is my understanding that MS Office 2010 will be making use of the cloud to store files - so they become accessible from any hotspot.  I do not know how much control they will give to the user to decide what goes into the cloud and what does not.

In which case Microsoft will lose every corporate, military, and government client it has.

Okay, I have a challenge for those on this thread who think it's perfectly fine for Logos to require you to synchronize personal data (such as notes and prayer lists):

1. What possible cost savings could there be to Logos to force this issue beyond the cost of coding the feature itself? The cost of people losing their private data is a nonsense claim, so don't bother with that one. Find a real reason creating such a feature would cost Logos money, explain it, and given an example.

2. What is your objection to such a feature? Is it that you are afraid of losing your data if Logos created such a feature?

IMHO, this is such a simple request, with absolutely no downside, with a strong moral and legal force behind it, that I really cannot understand why people are against providing such a feature. What is your motivation for arguing against a feature that allows you to choose which private data to store on the Logos server? I've given my reasons such a feature should exist, but they've been generally "poo-poo'd," treated as if they have no basis in fact. Now, what are your reasons? Let's see why you think Logos should force users to synchronize notes files, prayer lists, etc, onto their servers--other than the claim that it will "save people from themselves."

Russ

P.S. It frightens me that a group of people should be so unaware of the privacy and security implications of their actions, and even actively support losing their privacy.

Posts 13413
Mark Barnes | Forum Activity | Replied: Sat, Apr 24 2010 2:23 PM

Russ White:
IMHO, this is such a simple request, with absolutely no downside, a lot of moral and legal force behind it, that I really cannot understand why people are against providing such a feature

Although I personally have no need to switch it off, you are, of course right.

Having said that, as most of us we will be increasingly using multiple devices during the life of Logos 4, a more fine-grained approach would be better in the long term (i.e. the ability to mark some notes as private to this particular machine).

It would also be good for Logos to encrypt the data on their servers using a password of our choosing - not our Logos passwords. That way we could be even more confident that personal data wasn't going to be misused (and comply with government legislation in the UK for example).

Posts 30907
Forum MVP
MJ. Smith | Forum Activity | Replied: Sat, Apr 24 2010 2:31 PM

Russ White:
with absolutely no downside,

Every option built into a program is another potential source of problems and another branch for testing - there are several features that Logos has added on user request that I would have preferred that they had waited to see if it was a real need or simply a hangover from how I used to do it. This particular request is deep in the fundamental design of the product which makes me more leery.

Russ White:
It frightens me that a group of people should be so unaware of the privacy and security implications of their actions, and even actively support losing their privacy.

You sound just like my sister so I am very aware of your side of the issue. Personally, privacy is of far less concern to me than community. Privacy is also a rather late comer in the history of ideas - one I see as isolating individuals. Yes, there are things I keep private but I have no fear regarding being "exposed". And I certainly have more important things to worry about than privacy - people being fed, housed, employed, access to medical & dental care, education, Christian worship & faith formation ... Privacy seems to me to be of very secondary importance. I should hope that doesn't make me frightening to you.

Orthodox Bishop Hilarion Alfeyev: "To be a theologian means to have experience of a personal encounter with God through prayer and worship."

Posts 3729
Floyd Johnson | Forum Activity | Replied: Sat, Apr 24 2010 2:36 PM

Russ White:

Floyd Johnson:

Russ White:
Does Microsoft require that you back your Word, Excel, or Powerpoint documents up to their server to keep you from losing them?

It is my understanding that MS Office 2010 will be making use of the cloud to store files - so they become accessible from any hotspot.  I do not know how much control they will give to the user to decide what goes into the cloud and what does not.

In which case Microsoft will lose every corporate, military, and government client it has.

My first guess is that the user will have some control over what is stored and what is not stored on the cloud.  I would also guess that corporate management will be able to define its own cloud environment, rather than using a generic, publicly available storage location.  These are my guesses - not an experts opinion.  But it would also seem like the direction that Logos might consider going.

 

 

Blessings,
Floyd

Pastor-Patrick.blogspot.com

Posts 82
James Ng | Forum Activity | Replied: Sat, Apr 24 2010 3:10 PM

It's still the same problem in a sense. Even *IF* Microsoft allows what is sent to/from the cloud they still need to secure its transport AND its storage. I still have no clue how Logos is doing EITHER. If I'm really enterprising I could fire up Wireshark and see what's going on but it doesn't appear that there is any information as to what the program is doing by way of securing transportation of data and then storage.

Russ is correct, Microsoft can't force the storage of data into the cloud. There's too much sensitive data out there. Even if Microsoft put up in BOLD letters everytime you hit save not to send it into the cloud that doesn't prevent lawsuits. Its a matter of who has more lawyers and can afford the attrition of the legal system and last time I check...that would be the government and military :).

Finally, as Russ said I'm baffled as to the resistance of people in this scenario...but just as the people arguing for it isn't willing to back away from the discussion the only people I really care to hear from is Logos as to what they're going to do about it. If their answer is they're not concerned and there's nothing they're going to do about it then I need to know and act accordingly. If they are planning to "fix" it then I want to know too.

The part that is absolutely annoying is the silence from Logos other than the prior posting which clearly wasn't addressing the main issues.

Posts 81
Ray Timmermans | Forum Activity | Replied: Sat, Apr 24 2010 4:06 PM

Russ White:

In other words, you think there's absolutely no moral or legal reason for Logos to allow users to determine what personal information is stored on their servers, short of simply not using the software at all? Again, if your argument is, "well, the user should be smart enough not to store data there in the first place," then why does Logos offer to synchronize the data, and advertise the software with this as a feature, specifically for personally entered data?

Russ

It is kind of sad that we have to resort to having to restate the obvious, isn't it? Yes, I think a person should be smart enough to know, especially after having been warned not to, not  to store private or sensitive information there in the first place.

And lets not confuse things by injecting morals into legality: what is legal is not always what is moral and vice versa. I am making a legal (and common sense) judgment, not a moral one--because legal arguments are what flies in court. Courts could care less about a company's morals.

Your comment also seems to miss the point that usage is based on an Agreement--in essence, a contract. You and I and everyone else who uses Logos 4 has agreed to a contract. In order for there to be a contract there is an offer, acceptance and consideration. And the contracting parties not only agree as to what the software will do, but also what it is not supposed to be used for--in this case the EULA is quite specific. Anyone who expects the software to do something that it isn't supposed to do or who uses it in a way that it isn't designed for or who thinks that private information ought to be protected when the EULA specifically says not to, really ought to rethink using the product. I have no doubt, based on my experience with them, that Logos employees live with ethical standards higher than what is on the books statutorily. But what flies in court is not their morals or ethics but whether a user is using the program for its intended usage--namely, biblical and theological research.  

As I understand the synchronize data function,  it is designed to keep a person's research in place with the ability to return to it. If a independent third party--say a court for example--were looking at the function and purpose of the Logos 4 software, I suspect they would conclude that it is designed to do research--not store sensitive data. So to expect Logos to have liability for a duty that they don't have and haven't breached, again, I think unduly burdens the Logos development team when the issue is addressed in the EULA.

It really doesn't matter what I think about the matter because I have agreed to the EULA with a click of a button. What matters is what has been agreed to by the parties. That is the EULA. In my book,  that settles the matter legally.  I will let others debate the question of morals and ethics. I am satisfied that Logos 4 has met its obligation in advising me about the product's usage . But I don't expect moral arguments to be compelling to a court of law (nor should you) where the rights and duties of the parties are specifically spelled out in the EULA and have been agreed to. Nor do I feel I can blame Logos for not being more protective of my privacy rights when I have the opportunity to turn off Internet access, work offline, etc., etc. 

Posts 8967
RIP
Matthew C Jones | Forum Activity | Replied: Sat, Apr 24 2010 4:40 PM

James Ng:
Microsoft can't force the storage of data into the cloud. There's too much sensitive data out there. Even if Microsoft put up in BOLD letters everytime you hit save not to send it into the cloud that doesn't prevent lawsuits.

Give me the last three cases Microsoft was held liable for security breaches across their product line.How much were the damages awarded?  Big Smile Even God gets sued in the United States. (Really. Check the record.) The judge dismissed the case because 1) God wasn't properly served papers & 2) the court's jurisdiction did not include wherever God resides.

If ye are the light of the world, why do you want to hide under a bushel? Martha is right. There are plenty of real life issues to deal with. I don't care if the world finds out I use Logos. And the only thing Logos sees is; I spend too much time on their product pages coveting more stuff.

Logos 7 Collectors Edition

Posts 30907
Forum MVP
MJ. Smith | Forum Activity | Replied: Sat, Apr 24 2010 5:34 PM

James Ng:
The part that is absolutely annoying is the silence from Logos other than the prior posting which clearly wasn't addressing the main issues.

I suspect that Logos believes that it has answered the question and that repeating the answer (rather than referring us back to it) would not be productive.

Orthodox Bishop Hilarion Alfeyev: "To be a theologian means to have experience of a personal encounter with God through prayer and worship."

Posts 3729
Floyd Johnson | Forum Activity | Replied: Sat, Apr 24 2010 5:37 PM

Ray Timmermans:
It really doesn't matter what I think about the matter because I have agreed to the EULA with a click of a button. What matters is what has been agreed to by the parties. That is the EULA. In my book,  that settles the matter legally.  I will let others debate the question of morals and ethics. I am satisfied that Logos 4 has met its obligation in advising me about the product's usage . But I don't expect moral arguments to be compelling to a court of law (nor should you) where the rights and duties of the parties are specifically spelled out in the EULA and have been agreed to. Nor do I feel I can blame Logos for not being more protective of my privacy rights when I have the opportunity to turn off Internet access, work offline, etc., etc. 

So if LOGOS has a security hole and a third party gets a hold of your confidential prayer requests or other notes, LOGOS is not responsible.  But that does not keep you from being sued by a parishioner or his or her non-believing spouse.  Of course, you have the opportunity to turn off Internet access, work offline, etc., etc.  But then how many of us have really done this?

I am not terribly concerned - I have not turned Internet access off.  But I would like to know how our information is being stored on LOGOS' servers.

Blessings,
Floyd

Pastor-Patrick.blogspot.com

Posts 82
James Ng | Forum Activity | Replied: Sat, Apr 24 2010 6:26 PM

MJ. Smith:

James Ng:
The part that is absolutely annoying is the silence from Logos other than the prior posting which clearly wasn't addressing the main issues.

I suspect that Logos believes that it has answered the question and that repeating the answer (rather than referring us back to it) would not be productive.

Except they haven't in my opinion. Someone pointed me to their website security which is completely different. It's 3 simple questions to me.

What transport is the Logos 4 application using when it communicates with their server? (IP? IPsec? SSLVPN? Something else?)

Is the data encrypted before or during transmission? (Yes/No?)

If it is encrypted, what algorithm is it using? (3DES? AES? Something else?)

I'll play the fool since I clearly haven't found it. Feel free for anyone to point me to ANY thread or website from Logos with this information instead of just saying I don't need to worry about it.

Posts 30907
Forum MVP
MJ. Smith | Forum Activity | Replied: Sat, Apr 24 2010 7:19 PM

James Ng:
If it is encrypted, what algorithm is it using? (3DES? AES? Something else?)

Tell you and ruin all the fun for hackers?Big Smile

James Ng:
the only people I really care to hear from is Logos as to what they're going to do about it.

But it seems to me that you've changed what you want Logos to tell you. I can tell you from vast personal experience - people answer (or don't answer) the question I asked, not the question I now realize I should have asked.

Orthodox Bishop Hilarion Alfeyev: "To be a theologian means to have experience of a personal encounter with God through prayer and worship."

Posts 8967
RIP
Matthew C Jones | Forum Activity | Replied: Sat, Apr 24 2010 7:37 PM

James Ng:
Except they haven't in my opinion. Someone pointed me to their website security which is completely different.

Maybe you missed Bob Pritchett's post. Bob is the CEO of Logos and has addressed this issue already. http://community.logos.com/forums/p/7813/62089.aspx#62089

It wouldn't be wise for Logos to tell you:
-how many locked doors you have to breach to get to their mainframe or where the physical plant is,
-whose finger you need to cut off or which retina you will need to clear biometric scanners,
-which downloadable decoy file will destroy your hard drive,
-how many warrants the government has served on their databases.

Ronald Reagan's Secret Service details were not broadcast. It is just plain prudent not to discuss the details. Just don't upload private details if it endangers lives, careers, or freedoms.

James Ng:
saying I don't need to worry about it.

   OH, But you do need to worry about it! Devil

Logos 7 Collectors Edition

Posts 82
James Ng | Forum Activity | Replied: Sat, Apr 24 2010 8:22 PM

Bob's "reply" doesn't address any of my questions and the disclosure of any of that information isn't/shouldn't be a threat. They explain EXACTLY how their webpage is secured. I'm looking for the same information for their program.

No I haven't changed my questions, I'm simplifying it for them since it seems that people are confusing a number of topics. When they tell me those answers it'll tell me what I need to do.

ETA: I just opened a ticket with them with my specific questions as this thread really isn't yielding any answers for me.

Posts 3729
Floyd Johnson | Forum Activity | Replied: Sat, Apr 24 2010 8:31 PM

James Ng:
I'm looking for the same information for their program.

I am missing something - do you mean you want the same information for your data?  I really do not care about how their webpage is secured or how their program is secured.  I should care about how my data is secured.  Again, I have done nothing to turn Internet access off - but I also have not started using notes or prayer requests within LOGOS.   

Blessings,
Floyd

Pastor-Patrick.blogspot.com

Posts 82
James Ng | Forum Activity | Replied: Sat, Apr 24 2010 9:07 PM

Exactly. I want to know for my DATA, but everyone says Logos has answered this question and they clearly haven't. The OP seemed to indicate you don't share this type of information which isn't true. I'm pointing out there's nothing secret about this or shouldn't be. They shared the information with their webpage which is protect Credit Card information. I want the SAME information for my data from the Logos 4 program.

I want to know HOW they send it to their server and what type of encryption if any. Depending on how they answer the basic questions determines how I respond.

ie, What transport are they using?

What security algorithm?

I'm not even concerned about their server protection yet, I'm not convinced they're protecting my data on the WAY there. If they're not even protecting the data on its way there then I clearly can't trust them to protect it on the server.

Page 6 of 15 (285 items) « First ... < Previous 4 5 6 7 8 Next > ... Last » | RSS