Reasonable Expectation of Privacy From Web Hosts?

Shafted writes "I'm in a bit of dilemma, and I'm wondering what fellow Slashdotters think regarding this subject. I've been hosting web sites for some clients for years using my own server. About a year and a half ago, I got a reseller account with a company that will remain nameless. They are, however, fairly large, and they did come highly recommended. Other than the usual slow tech support, occasional server overloading, and... well... typical support staff, it's been pretty good and has saved me from having to deal with problems like hardware and driving down to the colo at 4AM to figure out a routing problem. All-in-all, it was acceptable. Until yesterday, when I was asking for a relatively minor email-related fix, and by the tech support staff's response, they had accessed my MySQL database directly and looked at the contents; presumably, in order to tell me what I was doing wrong. Regardless of the fact that they missed the boat with regards to the support question, I found it surprising that they would access my database data without my consent. When I asked them why they were accessing the database without my permission, they've pretty much ignored me, despite repeated requests asking why they think this is acceptable. So, my question is this: Do I, as a customer who, according to the acceptable use policy, owns my data, have a reasonable expectation of privacy for the data which I own, despite it being hosted on a third-party's server? Or do web hosting companies have the right to poke around at everyone's data as they see fit?" Read below for the rest of the question. Shafted continues: "I did get a response from one of the higher-ups, who said it was ok - they were perfectly within their rights, and their privacy policy supports that. Problem is, I've read the privacy policy, terms of service and acceptable use policy, and nowhere does it make mention that they have the right to look at files or data. It does indicate that I am the one who owns the data (presumably to cover copyright infringement). Another fellow indicated he felt that, as site admin, he had the right to look at whatever he wanted on the site, whether it's his data or a customer's (he, from what I can tell, is not an employee). I can understand looking at data to determine whether it violates the AUP or TOS, provided that it's justified (i.e. a scanner or audit indicates that something fishy is going on). But since I haven't violated the AUP or TOS, do they have this right? Is this something all web hosting companies do? If it isn't expressly stated, either that they do or do not have the right, does that automatically give them the right? Is this an industry norm, or did someone make a mistake and they're simply unwilling to admit to it? I'd really like to hear what some of you have to say, knowing that many of you probably have sites hosted by third-parties, and some of you may work for web hosting companies. Since this is the first one I've ever dealt with, I'm unsure whether I should expect this anywhere else, and if so I may end up going back to self-hosting."

From home?

[corychristison]

I run a few servers here at home that are web-facing.

I have never found a provider that will accommodate me in any ways that I see fit, so the home solution has won me over every time I go looking.

I host my own work as well as customers. I'm running it all on a Business Class 7Mbit ADSL line... never any problems as most sites are pretty low on bandwidth.

I've recently got a new client (signed and sealed -- working on the project right now, actually). Their project is going to require their own server(s -- Yay redundancy!) for some power behind their project... if all goes well I'm going to lease some office space outside of my home and upgrade the connection to whatever the best is I can get.

The 'at home' solution offers total control. If you're making enough money off your clients, it's worth it in my opinion.

Re:Slippery Slope?

[Bogtha]

The problem here is that the hosting company was looking at something that was unrelated to their problem (so they assume).

Where does he say that? It's unusual to have mail configuration depend upon a database, but it's not unheard of. For example, the simplest way of setting up a web interface to SpamAssassin is to configure it to read rules from a database. The only thing the Ask Slashdotter says on the matter is:

they had accessed my MySQL database directly and looked at the contents; presumably, in order to tell me what I was doing wrong.

It sounds like he has put some mail-related configuration in his database and they looked at it because his mail wasn't working correctly and they suspected he had screwed it up somehow.

RTF Summary at least

[theshowmecanuck]

About a year and a half ago, I got a reseller account with a company that will remain nameless. They are, however, fairly large, and they did come highly recommended. Other than the usual slow tech support, occasional server overloading, and... well... typical support staff, it's been pretty good and has saved me from having to deal with problems like hardware and driving down to the colo at 4AM to figure out a routing problem.

He said he switched from colo to hosted to avoid having to take care of his own server.

sudo can help, but be careful

[straponego]

Others have mentioned sudo, and indeed it can be very useful, but it's not as secure as many think. For example, if you give some access to vim or other editors, or less/more, they can escape to a root shell. So you have to be very careful with what you allow. I think of sudo more as an tool for accountability and audit trail for non-malicious users. It can keep honest people from making mistakes, and sometimes help you figure out what happened when mistakes were made.

Sudo in combination with a script that would modify your network config might work in your case. You'd also want to allow shutdown and reboot.