This is going to be a long post today. It covers a topic that is in direct response to people like Carl Bass at Autodesk 2012 and Theresa Payton, the former White House CIO who was a speaker there. In thinking about this whole cloud thing and the amount of blatant deception that accompanies it, I can only say I am disgusted with how patronizing and duplicitous cloud purveyors have become towards the people who are their target markets. This post will quote from the Cadalyst articles on Autodesk 2012, and I respond accordingly. It will also quote from the Verizon Data Breach Investigations Reports.
These are lengthy reports but I will quote from two of them. These individual reports for 2011 and 2012 can be found at the link above.
Two quotes of interest. 2011, pg. 4: “We are often asked whether the cloud factors into many of the breaches we investigate. The answer is “No–not really.” It’s more about giving up control of our assets and data (and not controlling the associated risk) than any technology specific to the cloud.”
2012, pg. 33, top: “Web applications abound in many larger companies and remain a popular (54% of breaches) and successful (39% of records) attack vector.”
The common thread in all the problems in the above reports is reliance on the web. When Autodesk demands that you go to the web, it forces you to be subject to a myriad of things forever beyond your control. They know this and will leave you on your own when problems strike. Proof of this is found in their own words as you read on. One of the more disturbing aspects of the above studies, where CAD creation is concerned, is that they feel that many IP thefts are not detected and so are subsequently not reported. Unlike financial data, where a loss is generally quickly detected because of math discrepancies, IP theft may never be detected, as how do you police an idea incorporated into competing products? Maybe you find out when your competitor beats you to the patent office with your design. Maybe you find out when knockoff products, designed with your time and money and produced by the Chinese and their shopping carts, flood the world.
These first two segments go together because they concern Bass’s statements, Fusion 360, and deceptive promises of concern for customers’ security. From part 1:
“I think there are a huge number of obstacles to every organization, you know, adopting cloud technology, and I don’t think they’re insignificant,” Bass told the media. “The … one that jumps to everyone’s mind is the question of security — privacy, liability — something around levels of service in some ways and concern about confidential information. I think some of those will fall by the wayside; I think others will be there. … Do you expect to see dramatic breaches of privacy? Yeah, we’ve already seen them. … That will continue to happen. To the extent we [store data on the cloud] or anywhere else, there will be serious things to consider. I think that is not [a concern] that goes away easily.”
Another concern I hear frequently but that Bass didn’t address is the issue of data ownership. Rumors persist that any customer data stored on the Autodesk cloud becomes the property of Autodesk; however, that isn’t the case according to the Autodesk 360 Terms of Service (rev. 9/6/2011):
2. Proprietary Rights 2.1 Your Rights. As between You and Autodesk, and subject to Section 2.2 (License by You; Disclosure), You and Your licensors have and will own all right, title, and interest in and to Your Content.
From part 2
“When it comes to moving from desktop software solutions to cloud-based options, Discher said, companies today are most concerned with data security and how to make a successful transition to new cloud-based tools and workflows. Her advice: “Take the cloud tools that will improve the processes you have in place. Don’t reinvent processes.” Regarding security, she said, “Concerns are real and valid, so customers will have to make some moves they might not be 100% comfortable with in order to tap the tremendous benefits” of cloud-based tools.”
“Contrary to what is true for some popular cloud-based solutions today, Discher told me that users of Fusion 360 maintain ownership of data they created and stored there. This is true of all Autodesk 360-based services, she added, except for some parts of PLM 360. (See Autodesk 360 Terms of Service [rev. 9/6/2011]).”
So who exactly does own your data online? Contrary to Autodesk’s attempts at promising that you do, there are some exceptions to this. http://yro.slashdot.org/story/12/11/02/1737219/us-government-you-dont-own-your-cloud-data-so-we-can-access-it-at-any-time will take you to the Megaupload site problems, where many legitimate businesses to this day still do not have their data back. When a site is seized, it is the position of the US government that if you put your data there, it does not belong to you, regardless of empty promises made by those who sold you a service. Clouds work off of server farms, right? Is there a single server farm in this world that is totally squeaky clean and not subject to this? Is it impossible now to see the Chinese, who are expert at IP theft, declaring the same and seizing server farms to go grocery shopping? The right the US government gave itself, after all, has been established and can now be used worldwide by any country. I would also mention the Patriot Act here. This gives sweeping powers to the US government to seize or view things and never notify those who are affected. I think we have entered a period of Chicago-style pervasive corruption in Washington, with the fox now guarding the hen house. This is also happening around the world with other countries and is endemic in places like China. I can easily see a government deciding to gain advantage, for whatever reason, for a variety of special interest groups by selling or leaking your data to them.
This server-farm-based cloud thing opens up, in new ways, the can of worms you could suffer from legally. Is it unreasonable to consider the numerous legal problems the lifeblood of your company could be subject to? How about bankruptcy with the server farm, and everything is tied up until it is resolved? How about an equipment provider suing a server farm for nonpayment, or say a record company suing for piracy, and now it is all locked down? We know for sure with the piracy aspect that it has happened and could happen again. You readers are smart enough to extrapolate the ways this could happen, so I won’t go on.
This, however, brings us to the crux of the situation where Autodesk is concerned, so let us go to the Terms of Service for Fusion 360 as referenced by the link above.
4.3 Service Providers; No Sensitive Personal Data. You acknowledge that Autodesk may use third-party service providers in connection with the Services, including without limitation the use of cloud computing service providers which may transmit, maintain and store Your data using third-party computers and equipment in locations around the globe. You acknowledge that any data storage functionality associated with the Services is not intended for the storage of Social Security numbers, credit or debit card numbers, financial account numbers, driver’s license numbers, medical information, health insurance information, sensitive data about personal characteristics such as race, religion, or sexual orientation, or other personal data that may pose a risk of harm to the individual if improperly disclosed (collectively, “Sensitive Personal Data”). You agree not to upload or otherwise submit any Sensitive Personal Data in connection with the Service and further agree that Autodesk Parties will have no responsibility or liability with respect to any such Sensitive Personal Data that is processed, transmitted, disclosed, or stored in connection with the Service.
Is the definition of sensitive just this, or do these things include your invention and the data used to create it? Who is “your”? Is it unreasonable to think lawyers for Autodesk would construe this to mean “your company” too? Now also think about what they are saying here. Your data is not secure with third party vendors.
5. Indemnification. You shall, at Your sole expense and to the fullest extent permitted by law, indemnify, defend (at Autodesk’s request), and hold harmless Autodesk Parties against any and all losses, liabilities, expenses (including reasonable attorneys’ fees) suffered or incurred by Autodesk Parties by reason of any claim, suit or proceeding (“Claim”) arising out of or in connection with: (a) Your Content or use of Your Content, including, without limitation, any assertion that Your Content or the use thereof may infringe any copyright, trademark, or other intellectual property or other rights of any individual or entity, or are a misappropriation of any individual or entity’s trade secret, or contain any libelous, defamatory, disparaging, pornographic, or obscene materials or use thereof caused death or bodily injury or damage to the real or tangible property of any third party; (b) any breach of or failure by You to comply with these Terms (including, without limitation, any Policies and Additional Agreements); or (c) use of the Service Offering by You (or anyone who accesses the Service through You pursuant to Section 1.3). If requested by Autodesk to defend a Claim, You will not agree to any settlement without the prior written consent of Autodesk, and Autodesk shall have the right to participate, at its own expense, in the defense of any Claim with counsel of its own choosing.
Does the above sound like Autodesk is confident of the security on the cloud and on server farms beyond their and your control?
6.2 Warranty Disclaimer. NOTWITHSTANDING ANY WARRANTY APPLICABLE TO THE SOFTWARE IN THE LICENSE AGREEMENT, THE SERVICE OFFERING IS PROVIDED “AS IS” AND “AS AVAILABLE.” AUTODESK PARTIES MAKE NO, AND HEREBY DISCLAIM ALL, REPRESENTATIONS, WARRANTIES, OR CONDITIONS OF ANY KIND, WHETHER EXPRESS, IMPLIED (EITHER IN FACT OR BY OPERATION OF LAW), OR STATUTORY, WITH RESPECT TO THE SERVICE OFFERING, INCLUDING, WITHOUT LIMITATION, ALL WARRANTIES OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT, AND ALL WARRANTIES THAT MAY ARISE FROM COURSE OF DEALING, COURSE OF PERFORMANCE, OR USAGE OF TRADE. YOUR USE OF THE SERVICE OFFERING IS AT YOUR OWN DISCRETION AND RISK. AUTODESK PARTIES DO NOT WARRANT THAT ANY USE OF OR ACCESS TO THE SERVICE OFFERING WILL BE ERROR-FREE, COMPLETE, SECURE OR MEET YOUR REQUIREMENTS OR EXPECTATIONS; THAT OPERATION OR AVAILABILITY WILL BE UNINTERRUPTED; OR THAT ERRORS OR FAILURES WILL BE CORRECTED OR REMEDIED; AND AUTODESK PARTIES HEREBY DISCLAIM ANY AND ALL LIABILITY IN CONNECTION THEREWITH. AUTODESK PARTIES DO NOT WARRANT THAT THE SERVICE OFFERING WILL PERFORM IN ANY PARTICULAR MANNER AND HEREBY DISCLAIM LIABILITY FOR NEGLIGENCE AND GROSS NEGLIGENCE. WITHOUT LIMITATION OF THE GENERALITY OF THE FOREGOING, YOU ACKNOWLEDGE AND AGREE THAT YOU ARE SOLELY RESPONSIBLE FOR (AND AUTODESK PARTIES ASSUME NO RESPONSIBILITY AND WILL HAVE NO LIABILITY OF ANY KIND FOR) (i) THE DECISIONS THAT YOU MAY MAKE REGARDING THE SERVICE OFFERING, (ii) USE OF THE SERVICE OFFERING INCLUDING ANY CONTENT, DATA, INFORMATION, OR OTHER MATERIAL ACCESSED BY YOU IN CONNECTION WITH THE SERVICE OFFERING, OR (iii) ANY EFFECTS ON YOUR BUSINESS THAT MAY RESULT FROM SUCH USE. AUTODESK PARTIES MAKE NO WARRANTIES TO ANY THIRD PARTY. 
YOU ARE SOLELY RESPONSIBLE FOR ANY DAMAGE IN CONNECTION WITH THE SERVICE OFFERING INCLUDING ANY CONTENT, DATA, INFORMATION, OR OTHER MATERIAL ACCESSED BY YOU IN CONNECTION WITH THE SERVICE OFFERING, INCLUDING, WITHOUT LIMITATION, TO YOUR COMPUTER SYSTEM OR LOSS OF DATA. AUTODESK PARTIES DO NOT REPRESENT OR WARRANT THAT THE SERVICE OFFERING IS OR WILL BE APPROPRIATE OR AVAILABLE FOR USE IN ANY PARTICULAR JURISDICTION AND YOU ACKNOWLEDGE AND AGREE THAT AUTODESK MAY LIMIT A SERVICE OFFERING’S AVAILABILITY, IN WHOLE OR IN PART, TO ANY GEOGRAPHIC AREA, JURISDICTION OR LANGUAGE THAT AUTODESK CHOOSES, AT ANY TIME, IN AUTODESK’S SOLE DISCRETION. This Section 6.2 will be enforceable to the maximum extent allowed by applicable law. No information or advice (whether written, oral or otherwise) provided by Autodesk Parties or their representatives will create any warranty or in any way affect the disclaimers of warranty or limitations of liability expressly provided in these Terms.
Basically I read this as: yes, our leader may stand behind the lectern at Autodesk world 2012 and make statements about security and reliability, but we here at the legal department responsible for CYA tell you we make no service or security promises and you are on your own. So you have those pesky NDAs with your customers as a condition of doing business with them? Don’t look to Autodesk for help when what we make you use violates these.
6.3 Functionality Limitations. THE SERVICE OFFERING IS NOT A SUBSTITUTE FOR YOUR OWN JUDGMENT (INCLUDING PROFESSIONAL JUDGMENT) OR INDEPENDENT TESTING, DESIGN, ESTIMATION OR ANALYSIS, AS APPLICABLE. DUE TO THE LARGE VARIETY OF POTENTIAL APPLICATIONS FOR THE SERVICE OFFERING, THE SERVICE OFFERING HAS NOT BEEN TESTED IN ALL SITUATIONS UNDER WHICH IT MAY BE USED AND MAY NOT ACHIEVE THE RESULTS YOU DESIRE. WITHOUT LIMITATION OF SECTION 3.2 (RESPONSIBILITY FOR YOUR CONTENT) OR 6.2 (DISCLAIMERS), AUTODESK PARTIES SHALL NOT BE LIABLE IN ANY MANNER WHATSOEVER FOR ANY RESULTS OR OUTPUT OBTAINED OR OTHERWISE VIEWED THROUGH THE SERVICE OFFERING OR ANY MATERIALS DEVELOPED BY YOU IN CONNECTION WITH THE SERVICE OFFERING. YOU ARE RESPONSIBLE FOR THE SUPERVISION, MANAGEMENT AND CONTROL OF THE SERVICE OFFERING. THIS RESPONSIBILITY INCLUDES, BUT IS NOT LIMITED TO, THE DETERMINATION OF APPROPRIATE USES FOR THE SERVICE OFFERING AND THE SELECTION OF THE SERVICE OFFERING AND OTHER PROGRAMS TO ACHIEVE YOUR INTENDED RESULTS. YOU ARE ALSO RESPONSIBLE FOR ESTABLISHING THE ADEQUACY OF INDEPENDENT PROCEDURES FOR TESTING THE RELIABILITY, ACCURACY AND COMPLETENESS OF SERVICE RESULTS, OUTPUT OR MATERIALS DEVELOPED BY YOU IN CONNECTION WITH THE SERVICE OFFERING (IF ANY), INCLUDING ALL ITEMS VIEWED OR DESIGNED USING THE SERVICE OFFERING.
We make a lot of implied promises when we talk about our pay-for-play strategy and our desire to try to end piracy by making you check in and work off of remote servers. However, we know the infrastructure you must work off of stinks and too bad, so sad that we have just thrown a huge monkey wrench into your ability to streamline your data creation. Oh, and by the way, single-threaded applications still are so at our end too, even though we have 10,000 server cores you can rent. And by the way, we are not responsible for all the new fees you will have to pay your ISP plus the third party server dudes for data storage. Pretty much they are telling you: if you were silly enough to believe anything we say about clouds saving you cash and being more capable than what you could do for yourself, you get what you deserve.
7. Limitation of Liability. TO THE MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW AND NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY OR LIMITATION OF LIABILITY, (A) IN NO EVENT WILL AUTODESK PARTIES BE LIABLE HEREUNDER FOR SPECIAL, INDIRECT, CONSEQUENTIAL, OR ANY OTHER DAMAGES WHATSOEVER (HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY, WHETHER DERIVED FROM CONTRACT, TORT (INCLUDING WITHOUT LIMITATION NEGLIGENCE) OR OTHERWISE), INCLUDING WITHOUT LIMITATION LOSS OF PROFITS, LOSS OF REVENUE, LOSS OF USE, LOSS OF DATA, BUSINESS INTERRUPTION, COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES OR OTHER COVER, OR ANY OTHER COMMERCIAL OR ECONOMIC LOSS OF ANY KIND, EVEN IF ADVISED OF THE POSSIBILITY THEREOF, NOR WILL ANY OF THE FOREGOING PARTIES BE LIABLE FOR ANY DAMAGES WHATSOEVER RESULTING FROM A FORCE MAJEURE OR AN ACT OF A THIRD PARTY OR OF NO FAULT ON ITS BEHALF, AND (B) THE TOTAL CUMULATIVE COLLECTIVE LIABILITY OF AUTODESK PARTIES FOR ALL COSTS, LOSSES OR DAMAGES FROM ALL CLAIMS, ACTIONS OR SUITS HOWEVER CAUSED OR ARISING FROM OR IN RELATION TO YOUR USE OF THE SERVICE OFFERING SHALL NOT EXCEED THE LESSER OF ALL AMOUNTS PAID BY YOU FOR THE SERVICE OFFERING GIVING RISE TO THE CLAIM IN THE TWELVE MONTHS IMMEDIATELY PRECEDING THE CLAIM OR ONE HUNDRED DOLLARS ($100).
Icing on the cake for all of us Autodesk corporate types. We don’t care what happens to you when/if we force you to the cloud and you run into trouble there. We appreciated your loyalty and your business but now because you have run into trouble using our stuff it is time for you to go away and shut up.
Last but not least we come to the culmination of Autodesk corporate babblespeak, deception and legal CYA nonsense. http://www.cadalyst.com/cad/product-design/autodesk-and-cloud-part-2-fusion-360-will-deliver-professional-level-cad-cloud-15
“You have a right to be concerned about security of your intellectual property on the cloud,” she said. Data security should always be your first priority, whether it’s stored on the cloud or in your own systems. “You need a prenup with your cloud vendor,” she advised. If the company goes out of business or if you move off the platform in the future, what happens?
“I believe with the right best practices and the right conversations with your vendor, you can actually be safer in the cloud,” Payton concluded. “Pick your partners wisely. Everyone is penetrable. The key is figuring out what guidelines to follow when your digital assets are gone, and figuring out how to handle the incident and how to let your customers know.
“You cannot protect that which you do not have in your line of sight. And that is what makes you nervous about the cloud. But, in some regards, you’d be better off going to the cloud because you can hold that provider contractually liable and ensure that your data is secure.”
This is from a former White House CIO. Remember, this person was hired by Autodesk to speak as an authority on data security, so they must think she is. So now we have the whole security liability protection plan for users and the reason to go to the Autodesk cloud. You can put your data on a third party server farm, and since they know you can sue them, THEY will make your data secure. Unless, of course, you had to sign an agreement with them like you had to sign with Autodesk. Oh, and by the way, Autodesk, about that prenup thing your guest speaker mentions. I think a snowball in you know where has a better chance of surviving than one of your customers getting one of these prenups from you. And while we are at it, here are some other questions for you to address that apply to you as well as Dassault, and no, I won’t hold my breath waiting for honest answers.
Any of you who adopt these Autodesk cloud services under these conditions truly deserve every bad thing that may happen to you. The company that wants you to stand loyally behind them with your continued financial support does not intend reciprocity.
Oh, before I forget I am sure Autodesk wishes you all a happy and prosperous 2013!