Interesting People mailing list archives

response from PGP -- PGP EULA and Business Realities


From: Dave Farber <dave () farber net>
Date: Mon, 24 Feb 2003 06:31:10 -0500


------ Forwarded Message
From: Jon Callas <jon () pgp com>
Date: Sun, 23 Feb 2003 23:20:46 -0800
To: dave () farber net
Subject: PGP EULA and Business Realities

Dave,

I'd like to respond to Tim O'Connor's concerns about our EULA.

As part of being a business, we must process personal information. Perhaps
most sensitively, your credit card number. Along with that, we may end up
with a postal address (because credit card companies like that), an email
address, and other bits of information about customers.

It feels almost flippant to say this, but we have to send those credit card
numbers and any necessary additional authentication information to a bank so
that the transaction takes place.

Beyond direct sales, PGP Corporation sells through distributors and
resellers worldwide. In order for this system to work, personal information
must flow among the multiple parties involved in the transaction, ourselves
included, and often across national borders.

As Matthew Blackmon points out, we go out of our way to inform our customers
of this fact; this is part of our corporate culture. We feel we have a duty
to inform our customers as accurately as we can about what will happen with
the information they provide to us.

To provide a quick comment on the business transfer clause, we agree with
Matthew Blackmon. Experience in the business world has shown that if we said
anything more, we'd be at best optimistic and at worst negligent. We're not
going to promise something we think we couldn't deliver on.

If any readers have concrete ideas on how to make the EULA accurate,
informative, and less ominous, please send them to me. We have made
corrections in the past to it.

In plain English, the EULA says: As part of buying stuff from us, we may
bill you, ship stuff to you, email you, and so on. As part of that process,
we'll learn personal things about you. We must give your credit card number
to your bank. They may require your billing address. If we ship something,
we must give your shipping address to the shipping company.

We won't give out superfluous information. For example, we won't send your
bank information to the shipping company.

Would it help at all if we put in a couple of sentences as an example? I
have thought of putting in one that says something like (FOR EXAMPLE, WE MAY
GIVE YOUR SHIPPING ADDRESS TO OUR SHIPPER) but to my mind, that is almost
like getting a pizza in a box that says, "Warning, contents may be hot." A
reasonable person would read each of these and reply, "What do you mean
*may*? You'd better!" More information is better, but I would rather not be
the subject of someone else grousing about creeping lawyerese.

We are doing our utmost to protect our customers. We also feel compelled to
let you know what we might do, without having to enumerate every possible
case. I would love to find ways that allow us to be more accurate about
describing our business realities, but without becoming excessively
detailed, rendering such a license even more soporific or unintentionally
funny.

    Jon

-- 
Jon Callas         
CTO, CSO           
PGP Corporation         Tel: +1 (650) 319-9016
3460 West Bayshore      Fax: +1 (650) 319-9001
Palo Alto, CA 94303     PGP: ed15 5bdf cd41 adfc 00f3
USA                          28b6 52bf 5a46 bc98 e63d


------ End of Forwarded Message
