I'm not sure how to begin searching for this, so forgive me if it's been raised before.
I've written a perl application to interface to another organization's web application using XML. It's a no brainer. Send a request, get some data, apply an update here and there. It's all good. The users are thrilled.
The other organization requires a user id and password which was provided to me for the application. If you log into their website directly, you must accept a privacy disclaimer before continuing. Obviously, the XML interface also requires a user id and password, but there's no privacy disclaimer included in the interaction.
Today one of the users asked why it is that they can access the other organization's data without first agreeing to the privacy disclaimer and I'm at a loss as to how to answer.
Obviously, the XML interface was created to allow direct application to application communication and no disclaimer is involved in the transaction. I could add more code to my application to throw up a privacy disclaimer before users are allowed to use this functionality, but that will get tiresome quickly. Besides, the idea of copying another organization's disclaimer and enforcing it through my application doesn't seem any more black and white in my eyes.
I'd like to believe that by using the XML interface with the user id and password given, my application has already agreed to disclaimer and no further notice to the end user is required. Maybe this is naive.
I know I'm not the only one interfacing to password protected sites (XML interfaces or not). I guess the question is what (if any) are the accepted practices when faced with privacy disclaimers?
Re: Do you accept the terms of our agreement?
by tilly (Archbishop) on Nov 23, 2007 at 04:26 UTC
Find out what contract you have with the other organization then talk with a lawyer.
If that contract allows what you're doing, then you're fine. But there is an excellent chance that your contract does not. In which case you need to figure out what you need to do about that.
Remember, just because you can do something doesn't mean that you're allowed to do it. And when in doubt, talk with an expert on the distinction. (That would be a lawyer.)
Re: Do you accept the terms of our agreement?
by erroneousBollock (Curate) on Nov 23, 2007 at 03:59 UTC
Firstly, IANAL.
Authorised access to an interface is just that.
If your organisation has permission from the other organisation to use the XML interface (which neither enforces a disclaimer nor proffers one) then you've fulfilled your obligations as a developer (unless your organisation is located in a country with extremely strong privacy laws - I believe Germany and France are examples - where you may be required to make sure that your code is compliant with privacy statutes).
If your management feels that the disclaimer (from the non-XML interface) contains information that would be truly important (legally) to your users (and that isn't covered by in-house handbooks or guides), you might have your legal department draft a disclaimer for your own organisation which can be displayed by your application.
Displaying the other organisation's disclaimer does nothing to cover you nor your organisation.
-David
Re: Do you accept the terms of our agreement?
by jZed (Prior) on Nov 23, 2007 at 07:46 UTC
A similar issue to the one you bring up has recently gained attention as it applies to Facebook's tracking of user purchases -- privacy is guaranteed for their materials on the website, but apparently Facebook doesn't apply the same rules to XML feeds and other kinds of APIs, see this article for more.
Good! References to other cases. That's what I was hoping for.
From the article, I gather that other organizations (for a fee) are able to associate their customers with Facebook accounts without the customer's consent. To me this would also imply that Facebook has provided XML access to their Facebook user information which doesn't require authentication of the individual user. Or maybe I misunderstand? I don't see this as a violation by other organizations, but a lack of security and commitment to privacy on Facebook's part.
To put my own situation in similar context, the other organization would be the equivalent of Facebook, and our organization would be the equivalent of a house of family members sharing a single Facebook account using automated tools. The data the other organization holds is not private from us, it is in fact the data we've already given it and we are only privy to our own data.
Re: Do you accept the terms of our agreement?
by ruzam (Curate) on Nov 23, 2007 at 23:43 UTC
Just to add some closure, here is the (edited) response to my question from the other organization regarding this:
This is not how we had originally designed it. We wanted the
vendors to force the user to log in. To the best of my
knowledge all of the vendors have written the real-time transfer
as you have mentioned. If you are going to send the information
this way then the user id owner must realize that he/she is
taking the responsibility and if there is any breach of
security then the user id owner will be the person that
is contacted.
So in this case it would seem my assumptions are allowed (if not correct).
I plan to do one step better than the 'other vendors' by having my application require the user to enter the other organization user/password the first time it needs access, rather than defaulting it in the configuration. At the very least this will remind users that there is another system involved without unnecessarily inconveniencing them for the rest of their logged in time.
Re: Do you accept the terms of our agreement?
by ww (Archbishop) on Nov 23, 2007 at 12:44 UTC
I'd like to believe that by using the XML interface with the user id and password given, my application has already agreed to disclaimer and no further notice to the end user is required. Maybe this is naive.
Would you be comfortable if my application, without warning, disclaimed, on your behalf, your privacy?
No, I wouldn't.
But then I wouldn't create an XML interface to my application without first disclaiming acceptable use of the interface by other applications.
My wording could have been better. Maybe something more like:
"I'd like to believe that by using the XML interface with the user id and password given, my application has been granted permission for this use by the owner of the user id and no further notice to the end user is required."
The question of my naivety is still open to the floor :)
Your new phrasing is definitely helpful, so perhaps I can improve my comment too, and clarify that my remark was not accusatory, but rather, intended to highlight a consideration which may or may not -- in your judgment -- be relevant in your circumstances:
The lack of a disclaimer (popup or whatever) troubles me because if I understand you correctly, your description suggests that the app is -- effectively -- waiving the privacy rights of its user(s) without their knowledge.
Re: Do you accept the terms of our agreement?
by Gavin (Archbishop) on Nov 23, 2007 at 19:58 UTC
My take on this in the UK would be that by bypassing the “privacy disclaimer” and not accepting, as would be normal via the user id and password, your organisation is accepting responsibility for maintaining the privacy of the accessed site. Thus making your organisation responsible for any breaches of said privacy.
The consequences of this will of course depend on what damage is done by the disclosure of the information, but could be substantial. As already mentioned by tilly you need good legal advice in this specific area.