Security and Privacy Concern about Logos4 Phonning Home

You will either have to go online or freeze your library size and seriously cripple the program.

And when this happens, I will be canceling all of my prepubs, and right now I have over $3,000 worth of prepubs orders.

The definitive information about Logos internet access.

I have tested Logos with Internet=OFF, and confirm that with this setting:

• Manually running the command "Update Now" does connect to the internet.
• Manually running the command "Sync Now" does connect to the internet.
• Going to the home page or changing your preferred Bible does not connect to the internet.

I've been running Logos for quite a while with the internet setting turned off, and monitoring what it does. Apart from me issuing those manual commands, it did not attempt to connect to the internet at all. I see this as perfectly acceptable - indeed, it is good that I can switch the internet connection off then manually over-ride the setting as a one-off with a command.

I'm not sure what all the fuss is about.

PS: I ran the tests with 4.0c beta 4.

This thread kind of reminds me of someone picking up the telephone, dialing a number and then showing utter shock at someone on the other end answering and saying "Hello?" If the initiator of this thread doesn't want to make a telephone call, then I suggest don't pick up the receiver and dial. Simple as that!

1. That the software doesn't really provide any way to work offline completely. We would like to see a way for this to be possible.

Start Logos with the Ctrl key held down. You are then taken to the login screen and can choose "Work Offline." This, in conjunction with "Use Internet = NO" should completely prevent Logos from "phoning home."

IMHO, both of these are important,worth considering, and very little (if no) trouble from a technical support perspective.

If you make it possible for users to disable some key feature of the product, some of them will do it, and a certain percentage of those will not read the fine print and will not understand what is really being disabled. Then they'll come crying to Logos if their computer crashes and they lose all their Notes. And it will be a support cost for Logos to give those people (even if it's just a small fraction of the users) some cold comfort over the phone when they are distraught over their years of sermon notes being blown away in one moment. And a certain number of those users will be upset at Logos for NOT backing up their data like it was supposed to, even though they disabled it themselves. And some of those ones will demand their money back. And it's yet another complexifying of the code, so an opportunity for subtle bugs to creep in, thus causing more potential user support calls. So none of this is easy for Logos to handle.

I'm not saying they shouldn't do it, if enough people want it. I'm just saying don't be so quick to assume it would be "very little (if no) trouble" for them. I'm sure there are costs associated with this suggestion, beyond the development time to implement it.

[quote]If you make it possible for users to disable some key feature of the
product, some of them will do it, and a certain percentage of those will
not read the fine print and will not understand what is really being
disabled. Then they'll come crying to Logos if their computer crashes
and they lose all their Notes. And it will be a support cost for Logos
to give those people (even if it's just a small fraction of the users)
some cold comfort over the phone when they are distraught over their
years of sermon notes being blown away in one moment. And a certain
number of those users will be upset at Logos for NOT backing up their
data like it was supposed to, even though they disabled it themselves.
And some of those ones will demand their money back. And it's yet
another complexifying of the code, so an opportunity for subtle bugs to
creep in, thus causing more potential user support calls. So none of
this is easy for Logos to handle.

Four points to consider:

1. Are you saying that people should be responsible enough to read the fine print on the acceptable use agreements, and realize they should not put personal data in the software, but they shouldn't be responsible enough to know what they're doing when they turn off synchronization of some specific pieces of that same personal data? it's a long stretch to say, "my users aren't responsible enough to
understand what they're doing when they turn off the synchronization of
specific pieces of personal data, but they're responsible enough to know
what sorts of personal data should, and should not, be placed into my
software." The argument on personal responsibility cuts both ways, so
it's a wash in either direction.

2. If someone reads the fine print on the acceptable use agreements, and comes to the conclusion that they cannot store personal data in Logos in good conscious, how does that change the situation in regards to their personal data being lost, specifically? Are they less likely to lose their personal data because they are forced to store that information in a different piece of software? The underlying logic is, "I'll protect the data you put into my software, but if you put something in there I don't think you should have, I'm not responsible, and if you put something in another piece of software and lose it, I'm not responsible." It's a bit contorted, to say the least.

3. How do the other pieces of software already on your computer deal with this situation? Does Microsoft require that you back your Word, Excel, or Powerpoint documents up to their server to keep you from losing them? In fact, I have several pieces of software that pop a dialog box when I exit that asks me, specifically, if I want to save backups of my work every X number of days (Embird, for instance). The point is no-one else forces me to lose privacy to save my data to cut their support costs; there are other reasonable solutions that have been found to this problem in the past, and any number of them could be successfully applied here, as well.

4. Will it be cheaper for Logos to deal with a few users who lose their personal data, or with a single court cases when data is unintentionally exposed? It seems to me it's a foolish bet to advertise, "your personal data is synchronized so you won't ever lose it," and then expect a "fine print waiver" stating you shouldn't put "really personal stuff," in the software in the first place. IMHO, the "fine print" is a legal fiction, and Logos would lose this one in court. Other companies have, in fact, lost on this line of argument (which is why there are many warning stickers on ladders, not just one).

I'm sorry, but this line of argument simply doesn't hold up. I completely understand the issue of keeping the software up to date--again, whether or not I agree with it is immaterial, really, when dealing specifically with personal data. But there is no argument for synchronizing personal data that doesn't cut both ways. In legal terms, I think Logos is setting itself up to be sued. Ethically, I think the idea of forcing users to synchronize their personal data, and then putting a "loophole" in place to try and protect yourself legally from the consequences of that synchronization, is questionable, at best.

:-)

Russ

==

Added:

You're also expecting people to understand the importance and implications of metadata in the data they do decide to store on Logos' servers when you say they should "know" they can't store "really personal stuff" in the software. Is this a reasonable expectation? In my experience, no. And it again runs counter to the claim that Logos is just covering for people who aren't responsible by backing their data up for them.

Finally, it's a defensible position for Logos to say, "we gave people the option, and this specific user decided to place this data on our server, contrary to our terms of use." It's not very defensible to say, "the terms of use say not to store this sort of data on the server. If the user didn't like those terms of service, their other option was simply not to use the software." I don't know of a single court case where the court has held in favor of the argument, "well, the user could have simply not used my product in the first place." You took the money for the software, you're responsible, end of story.

Does Microsoft require that you back your Word, Excel, or Powerpoint documents up to their server to keep you from losing them?

It is my understanding that MS Office 2010 will be making use of the cloud to store files - so they become accessible from any hotspot.  I do not know how much control they will give to the user to decide what goes into the cloud and what does not.

Does Microsoft require that you back your Word, Excel, or Powerpoint documents up to their server to keep you from losing them?

It is my understanding that MS Office 2010 will be making use of the cloud to store files - so they become accessible from any hotspot.  I do not know how much control they will give to the user to decide what goes into the cloud and what does not.

In which case Microsoft will lose every corporate, military, and government client it has.

Okay, I have a challenge for those on this thread who think it's perfectly fine for Logos to require you to synchronize personal data (such as notes and prayer lists):

1. What possible cost savings could there be to Logos to force this issue beyond the cost of coding the feature itself? The cost of people losing their private data is a nonsense claim, so don't bother with that one. Find a real reason creating such a feature would cost Logos money, explain it, and given an example.

2. What is your objection to such a feature? Is it that you are afraid of losing your data if Logos created such a feature?

IMHO, this is such a simple request, with absolutely no downside, with a strong moral and legal force behind it, that I really cannot understand why people are against providing such a feature. What is your motivation for arguing against a feature that allows you to choose which private data to store on the Logos server? I've given my reasons such a feature should exist, but they've been generally "poo-poo'd," treated as if they have no basis in fact. Now, what are your reasons? Let's see why you think Logos should force users to synchronize notes files, prayer lists, etc, onto their servers--other than the claim that it will "save people from themselves."

Russ

P.S. It frightens me that a group of people should be so unaware of the privacy and security implications of their actions, and even actively support losing their privacy.

It's still the same problem in a sense. Even *IF* Microsoft allows what is sent to/from the cloud they still need to secure its transport AND its storage. I still have no clue how Logos is doing EITHER. If I'm really enterprising I could fire up Wireshark and see what's going on but it doesn't appear that there is any information as to what the program is doing by way of securing transportation of data and then storage.

Russ is correct, Microsoft can't force the storage of data into the cloud. There's too much sensitive data out there. Even if Microsoft put up in BOLD letters everytime you hit save not to send it into the cloud that doesn't prevent lawsuits. Its a matter of who has more lawyers and can afford the attrition of the legal system and last time I check...that would be the government and military .

Finally, as Russ said I'm baffled as to the resistance of people in this scenario...but just as the people arguing for it isn't willing to back away from the discussion the only people I really care to hear from is Logos as to what they're going to do about it. If their answer is they're not concerned and there's nothing they're going to do about it then I need to know and act accordingly. If they are planning to "fix" it then I want to know too.

The part that is absolutely annoying is the silence from Logos other than the prior posting which clearly wasn't addressing the main issues.

Microsoft can't force the storage of data into the cloud. There's too much sensitive data out there. Even if Microsoft put up in BOLD letters everytime you hit save not to send it into the cloud that doesn't prevent lawsuits.

Give me the last three cases Microsoft was held liable for security breaches across their product line.How much were the damages awarded?  [:D] Even God gets sued in the United States. (Really. Check the record.) The judge dismissed the case because 1) God wasn't properly served papers & 2) the court's jurisdiction did not include wherever God resides.

If ye are the light of the world, why do you want to hide under a bushel? Martha is right. There are plenty of real life issues to deal with. I don't care if the world finds out I use Logos. And the only thing Logos sees is; I spend too much time on their product pages coveting more stuff.

It really doesn't matter what I think about the matter because I have agreed to the EULA with a click of a button. What matters is what has been agreed to by the parties. That is the EULA. In my book,  that settles the matter legally.  I will let others debate the question of morals and ethics. I am satisfied that Logos 4 has met its obligation in advising me about the product's usage . But I don't expect moral arguments to be compelling to a court of law (nor should you) where the rights and duties of the parties are specifically spelled out in the EULA and have been agreed to. Nor do I feel I can blame Logos for not being more protective of my privacy rights when I have the opportunity to turn off Internet access, work offline, etc., etc. 

So if LOGOS has a security hole and a third party gets a hold of your confidential prayer requests or other notes, LOGOS is not responsible.  But that does not keep you from being sued by a parishioner or his or her non-believing spouse.  Of course, you have the opportunity to turn off Internet access, work offline, etc., etc.  But then how many of us have really done this?

I am not terribly concerned - I have not turned Internet access off.  But I would like to know how our information is being stored on LOGOS' servers.

Bob's "reply" doesn't address any of my questions and the disclosure of any of that information isn't/shouldn't be a threat. They explain EXACTLY how their webpage is secured. I'm looking for the same information for their program.

No I haven't changed my questions, I'm simplifying it for them since it seems that people are confusing a number of topics. When they tell me those answers it'll tell me what I need to do.

ETA: I just opened a ticket with them with my specific questions as this thread really isn't yielding any answers for me.

Exactly. I want to know for my DATA, but everyone says Logos has answered this question and they clearly haven't. The OP seemed to indicate you don't share this type of information which isn't true. I'm pointing out there's nothing secret about this or shouldn't be. They shared the information with their webpage which is protect Credit Card information. I want the SAME information for my data from the Logos 4 program.

I want to know HOW they send it to their server and what type of encryption if any. Depending on how they answer the basic questions determines how I respond.

ie, What transport are they using?

What security algorithm?

I'm not even concerned about their server protection yet, I'm not convinced they're protecting my data on the WAY there. If they're not even protecting the data on its way there then I clearly can't trust them to protect it on the server.