Cloud Server Host Vultr Rips User Data Ownership Clause From ToS After Web Outage

Tobias Mann reports via The Register: Cloud server provider Vultr has rapidly revised its terms-of-service after netizens raised the alarm over broad clauses that demanded the "perpetual, irrevocable, royalty-free" rights to customer "content." The red tape was updated in January, as captured by the Internet Archive, and this month users were asked to agree to the changes by a pop-up that appeared when using their web-based Vultr control panel. That prompted folks to look through the terms, and there they found clauses granting the US outfit a "worldwide license ... to use, reproduce, process, adapt ... modify, prepare derivative works, publish, transmit, and distribute" user content.

It turned out these demands have been in place since before the January update; customers have only just noticed them now. Given Vultr hosts servers and storage in the cloud for its subscribers, some feared the biz was giving itself way too much ownership over their stuff, all in this age of AI training data being put up for sale by platforms. In response to online outcry, largely stemming from Reddit, Vultr in the past few hours rewrote its ToS to delete those asserted content rights. CEO J.J. Kardwell told The Register earlier today it's a case of standard legal boilerplate being taken out of context. The clauses were supposed to apply to customer forum posts, rather than private server content, and while, yes, the terms make more sense with that in mind, one might argue the legalese was overly broad in any case.

"We do not use user data," Kardwell stressed to us. "We never have, and we never will. We take privacy and security very seriously. It's at the core of what we do globally." [...] According to Kardwell, the content clauses are entirely separate to user data deployed in its cloud, and are more aimed at one's use of the Vultr website, emphasizing the last line of the relevant fine print: "... for purposes of providing the services to you." He also pointed out that the wording has been that way for some time, and added the prompt asking users to agree to an updated ToS was actually spurred by unrelated Microsoft licensing changes. In light of the controversy, Vultr vowed to remove the above section to "simplify and further clarify" its ToS, and has indeed done so. In a separate statement, the biz told The Register the removal will be followed by a full review and update to its terms of service. "It's clearly causing confusion for some portion of users. We recognize that the average user doesn't have a law degree," Kardwell added. "We're very focused on being responsive to the community and the concerns people have and we believe the strongest thing we can do to demonstrate that there is no bad intent here is to remove it."

Wow

[TwistedGreen]

Never heard of this service, but come on... You don't need a law degree to see that this is bullshit. What else could they have intended by such a clause? Glad someone noticed.

Re:Wow

[thegarbz]

What else could they have intended by such a clause?

Most companies other than ones specifically harvesting your data don't intend anything. The biggest problem today is not only do users not read the ToS, but the companies which put them up don't either. They just pay some legal consultant who copies and pastes it without ever thinking of the repercussions and shit it out in an agree-or-go-away dialogue.

Re:

[TwistedGreen]

That's true, as far as we know the entire TOS was generated by ChatGPT and nobody read it on either side.

Really makes you wonder how these TOS documents are even enforceable. Contract law is due for an overhaul.

Re:

[Anonymous Coward]

Never heard of this service, but come on... You don't need a law degree to see that this is bullshit. What else could they have intended by such a clause? Glad someone noticed.

I'm not speaking for this instance, I'm speaking generally here.

Legal documents such as TOS are almost always written by lawyers, not written by the chief officers.
Whomever at the company that is responsible for this instructs a legal team what their intent is, and the lawyers are to convert this into legalese.

You don't need a law degree to see just how many points of failure along that path exist.

The company officer may have communicated their intent poorly, or even not at all. The lawyers could have misi

Re:

[TwistedGreen]

Thanks, good interpretation.

Probably illegal in Europe

[gweihir]

I would guess these ToS are immoral and hence invalid.

No poison pill clauses? Empty promise.

[khchung]

"We do not use user data," Kardwell stressed to us. "We never have, and we never will.

Did Vultr have poison pill clauses in the ToS, such as, Vultr losing all rights to user data if they were bought by another company, or management changes, or going bankrupt, etc? Otherwise, how could anyone keep such promise that a company would not do something in the future?

Re:

[postbigbang]

It's a very serious insult to their clientele to write the ToS, and still worse to play them for fools when they have to claw it back. Someone needs better crisis management and better still, better legal counsel. Will they do THAT? Somehow, I doubt it.

Seems like an other CEO, baffled that his BS was found out. Lots of that going around....

Re:

[ctilsie242]

If a cloud provider goes bankrupt, all the data stored on it is a free-for-all. Trade secrets, PII, or other data? The new owner of the servers could throw that stuff into pastebin or a torrent, and there would be zero legal action that can be taken. Since after a bankruptcy, the contracts are null and void, even if a cloud provider promises to get rid of the data, they really don't have to, and the new buyer can take all data on the servers and use it for whatever they feel like, be it LLM training, sel

most contracts and policies are cut and pasted

[rta]

In my experience, most Terms of Service, Employee Handbooks and the like are not read, understood or thought about much by people in the company. Some contractor , lawyer, accountant , HR person (depending on the document), put it together as "best practices" and most of it wasn't closely considered by stakeholders.

Only exception is if you have some persnickety nerds in charge of those areas for some reason, which is the exception rather than the rule at small and medium companies or to specific clauses that let them do something or get out of some liability. Otherwise they're given as much attention by the people publishing the docs as the people who supposedly are reading them (but actually just clicking "agree" ... if there is even something to click on )

Re:

[iAmWaySmarterThanYou]

This.

Re:

[Bongo]

Yep. One of the many ways otherwise productive reasonable smart people are made by the system to waste time in mindless drivel and be paid to do so. Meanwhile people who do produce actual survival value get run into the ground.

Re:

[leonbev]

It makes you think, though. If their legal and compliance team produced those terms of service that were completely bogus, it makes you wonder if things like their SOC 2 and HI-TRUST compliance statements are believable as well.

If I was in a highly regulated industry, this wouldn't be a place where I would want to stick my data.

Re:

[rta]

SOC 2 and HI-TRUST specifically, compared to some others like the lower levels of PCI, require you to have a have 3rd party auditor check you out. They demand "evidence" of various things and then do "fieldwork" where they poke around to spot check things ("show me X", "show me the config for Y"). So they have some significant correspondence to reality.

You can count on the fact that they at least have VPNs , encryption, RBAC, firewalls ... and some documentation of who accesses what / who can change wha

copy-paste stupidity

[Local ID10T]

This is a common clause included in social-media(Facebook) and video sharing (YouTube) type sites, where it was written to protect the company from lawsuits for sharing user creations... which is the purpose of the site.

There is no reason this company needed such a clause.

They likely just copied their entire TOS from another site and thought "Well it works for them, so it should be good enough for us!".

Re:

[evanh]

I don't buy the standard boilerplate reason either. By claiming ownership it also claims the liability. A standard boilerplate disclaimer should be distancing the company from any user posts.

Re: copy-paste stupidity

[Ronin Developer]

This belongs entirely on the legal department at VULTR. Somebody authorized the release of the original TOS? Who gave that authorization?

  Do they actually employ licensed lawyers reviewing legal documents or is this the result of someone believing reading. "Dummy's Guide to Contract Law" is good enough?

Re:

[LegionX]

Do they actually employ licensed lawyers reviewing legal documents or is this the result of someone believing reading. "Dummy's Guide to Contract Law" is good enough?

They're a 51-200 employee company with over 30 global data center locations. My bet is that their employees are spread very thin, and their legal department is one person and a couple of unpaid interns, if it's even in-house.

FUCK THE CLOUD

[Anonymous Coward]

Fuck all of it and all this bullshit.

Re:

[Canberra1]

Ditch Them. As they had no-one check the lawyers pitch, they deserve all that's coming. OTOH, I believe Windows 11 has the same user data theft provisions. Europe and their GDPR has not made appropriate noises. In the meantime, double digit cloud price increases, mean one should think about inhouse again.

Wait what?

[Torodung]

Their name is literally Vultr?

Wow, I would complain about them being freaking vultures, but it's already in the ToS.

You're missing the good part

[Redsnerts]

All the comments I see so far are ripping on the provider. Don't you see the good part? They didn't waffle. They didn't fauxpologize. They changed it. Instantly. To me this looks like an honest mistake that was corrected as soon as they realized it was a mistake.

Re:You're missing the good part

[echo123]

As a customer of several years using VULTR I agree with your read of the situation. VULTR is a solid cloud host with a competitive price, solid services, and good support. They're not the only cloud service I use, and I recommend them. As a developer, I see no difference between VULTR, Digital Ocean, and Linode -- they're all good and about the same price. Nothing bad I can say about VULTR, even after reading TFA.

Re:You're missing the good part

[thegarbz]

To me this looks like an honest mistake

Mistake is when you do something and make an error. Asking users to agree to terms you claim to have written without any thought as to your own business is outright incompetence.

We need to end the scourge of ToS. Not only do users not read them, the damn companies don't either.

Motivation

[coopertempleclause]

Most commentators I saw discussing this reasoned that the company was trying to allow itself to sell content to AI LLM providers on the side. I don't think they were actually planning to be like "We see your store is making money.... it's ours now." but they certainly gave themselves permission to do that.

WTF does "separate to" mean?

[rpresser]

It's always been "separate from" where I learned English.
https://www.myenglishteacher.e... [myenglishteacher.eu]