Who Owns The Data/Apps?

A reader writes: "There's an interesting Dan Gillmor column about the whole ASP/online storage thing. What happens when these places go away? What happens when they change? "

YNAL (You need a lawyer)

[sphealey]

If you are getting involved with outsourced storage or apps, you absolutely need the assistance of a lawyer who has worked with this type of contract before. Contrary to current hype, neither the ASP model nor outsourced storage is new, so there should be good examples around (can you say "service bureau"? If not, that tells me how young you are).

At a _minimum_, your contract must absolutely specify that the applications, data, and backups belong to you and only you, that you can recover them at any time, that such rights survive change of control and bankruptcy, that you will receive a copy of your backup tapes at a meaningful interval (daily, weekly, hourly?), and that the vendor will sign the necessary contracts with insurance companies and bonding agencies to ensure that these things happen.

That's a MINIMUM from a non-lawyer. Before you take chances with your company's future, you absolutely must get good legal advice and assistance. Otherwise you might be finding out what happens to a person with "C" in their title when your employer makes a claim against their D&O insurance.

sPh

Re:It's theirs

[Detritus]

They own the disk drives, not the data stored on those drives. If I park my car in a free parking lot, the owner of the lot does not have the right to sell or scrap my car.

Where will YOU go when SourceForge dies?

[Bowie+J.+Poag]

Perhaps a more poigniant question:

VA continues to slip steadilly towards bankruptcy. Most analysts give the company a TTL of ~6 months. That means, if your project is housed on SourceForge, you and your project are going to have to find a new placew to live within the next 6 months. The pipe that VA leases (yes, they pay money for it. No pay, no play.) will dry up leaving you without access and more than likely without adequate warning as well. Thats been the cast with most of the .com's... That doesn't bode well for people who have invested alot of time in centralizing resources.

Maybe now you see my point for all the yelling and screaming I did about how it was a mistake to centralize development at one location--Youre assuming that location is going to survive, when the evidence says it won't.

Lets further examine our mess for a moment--The resources that VA owns that you visit frequently, ala Slashdot, Freshmeat, and others--What's going to happen to them? Is there a plan in place that describes what to do when your parent company hits the skids? If Themes.org can be taken down for several weeks over something as simple as a security breach, it tells me they're largely unprepared for these sorts of events. Everyones got too much sunshine going up their ass to sit down and think about what to do when the party's over.

Don't go tell me "Oh, VA's a good company, they'll find a way to rescue us!" because thats total horseshit. You and I both know that business doesn't work that way. Rob and Jeff can't exactly go back to their dorms..So where's our beloved Slashdot going to move to? If they cant remain profitable on their own, or under the management of a parent company, who's to suggest they can be profitable at all?

Cheers,

Re:ASP's are like banks circa 1800

[WNight]

If you don't have any cash on you, you're hooped when the ATMs are down. Very few people I know rely completely on the banks.

In the ASP world, this is like saying that everyone keeps local copies of current projects, but uses the ASP for non-critical data, backups of old projects, etc.

I doubt that this will be widely used though, security is too hard to get perfect which for most businesses, is a requirement.

Think of the banking analogy, if someone transfers $100,000 out of your account (if either of us had that to begin with...) it'll leave an audit trail. It's pretty easy to prove that you didn't do that and get your money back.

The thief might have gotten the $100k, but it's a generic $100k...

Now imagine that your data was stolen and deleted. Even if the ASP has decent backups and can restore it, your non-generic data is out there, in the hands of your competitors perhaps.

On a related note, ATM transactions only require a second or so of network time, can you imagine the problems of having to be connected the whole time you're using MS Word (for instance) in order to save your document?

I can see the ASP model offering some benefits, when used with standard systems, but in the diskless workstations that people predict...

I think it says something that many bank employees (higher-level security types) (two of my friends) do keep their money in their matress, or rather, do keep enough cash on hand to deal with a week-long bank outage. It's good enough to rely on for the little things, but you want to be able to buy food when it inevitably dies.

I work in the ASP industry

[RebornData]

This may be an issue for free / cheap consumer services, but I've seen the contracts the corporations sign with ASPs, and data ownership (including what happens to the data in the circumstance of contract or service termination) is ALWAYS in there and favorable to the corporation.

A key difference of using an ASP (compared to internal IT) is that contract. It spells out expectations and committments explicitly, and if they are not met, penalties. In my experience, corporate lawyers have a full understanding of the implications of that, and the contracts are long and detailed, covering everything from traditional IT SLAs to intellectual property, business continuity, and privacy / confidentiality.

In some ways, a corporation can have *more* "business" control over data and such with an ASP because the contract puts it all on the table.

Again, this does not apply to the bogus unnegotiated click-through agreements on consumer services, but you get what you pay for.

Re:I let someone who runs a free site keep my data

[Brento]

Anyone who cries when a free website is changed and they are not notified is an idiot

Well, on one hand, I think it's only fair to try to maintain a good relationship with the community, even when you're going out of business. If you know your customers will be screwed by your deletion of data, you have the responsibility to your customers (as well as your advertisers and investors) to at least notify the community 72 hours beforehand. If I was one of their advertisers, and the service just died, I'd be pissed because my name was associated with such poor service.

On the other hand, if I ran a free data storage, and I knew that notifying the public would result in massive bandwidth use (suddenly everyone logs on to get their stuff), then I might not tell them after all. That would be low and underhanded, but sometimes that's how you get through business.

Easy to sharpshoot, but look at the biz side

[Infonaut]

Sure, it's easy to say "what a bunch of dumbasses! They shouldn't have let someone else store their data," etc., etc.

But think of this from the business point of view. Many companies have a very hard time attracting and maintaining competent technical staff. Like any service, ASPs were really offering their expertise more than anything.

Sure, I could buy a few RAID drives down at Fry's and hook them up to my LAN, but if I were the average "computer guy" that most companies have, I wouldn't really know what I was doing.

People in some businesses were willing to put their bets on ASPs because they finally found someone who seemed to know what they were doing.

Of course, the ASP industry is just like most tech industries - there are a few geniuses, a good number of smart people, and then the lumpen proletariat who are just along for the ride.

As for free website services, you're right. You do get what you pay for. But before you hammer people for believing the hype, remember these "next great things" some of us believed in:

- Linux for the desktop will topple M$!

- Java applets will topple M$!

- The Web will overthrow big, bloated corporations!

- ICANN!

Businesspeople may not be technically savvy most of the time, and they may make stupid decisions, but that doesn't mean that they're all idiots. And they're certainly not alone in wanting to believe things that are too good to be true.

ASPs -- love/hate

[connorbd]

For the most part, I don't think ASPs are worth the risk. I was offered equity but no pay in an ASP company a while back for doing some Palm development for them; it would have looked good on my resume, but as I told the guy making the offer, "I can't eat equity."

ASPs have a certain attraction for business managers because they cut costs, but I still don't see how the risk is worthwile when critical data is on the line. I had a discussion with someone who was talking about "minimizing risk" -- seems to me that outsourcing things like desktop application isn't doing that.

/Brian

ASP's are like banks circa 1800

[gentlewizard]

Back in the olden days, people thought that giving your money to someone else to hold was risky. And sure enough, many banks did fail and took their depositor's funds with them. But over time, controls and standards were put in place. Now it's the people who keep their money at home in a mattress are the ones considered crazy.

Is data any different than money? Right now, keeping your data at an ASP is risky and everyone says that in-house hosting is the only way to go. I think it's just because the ASP industry is like the banking industry before a lot of standards were developed. In 10 years, will we look at people who keep their own servers and infrastructure as the crazy ones? Why are they taking the risk of uptime, backup/recovery, non-redundant net connection, power failure, correct server configuration/patches upon themselves?

Current problems, like being involuntarily upgraded, will find solutions even as the banks found solutions to the problems of bank robbers and (later) interstate branch banking. Let's not throw the baby out with the bathwater.