Join the forum discussion on this post
CrystalTech Web Hosting Inc fails the most basic criteria for a responsible Privacy Policy, so much so that the Secure Surfing Organization advises individuals and businesses to exclude this company from any consideration. Stay away from this company unless and until it publishes a Privacy Policy that actually recognizes Privacy, as in your rights to restrictions on what they can do with your information, rather than about permissions to allow them to do what they want with your information.
First, a relative minor matter, CrystalTech chooses not to publish a standalone Privacy Policy so that customers can easily identify how their personal and confidential information will be treated. Instead various privacy issues are scattered throughout the company’s Terms of Service agreement.
The key factors in Failing CrystalTech are the use of unnecessarily expansive and absolutist language in requiring customers to sacrifice privacy rights.
Here is a relevant paragraph from the CrystalTech TOS, followed by an SSO What-It-Means Translation ™:
You hereby consent and agree that any information CrystalTech may collect from You and/or maintain with respect to You, including but not limited to Your account information, dates of service, billing CrystalTech, billing records, usage statistics, site statistics, services purchased, domain name purchases, correspondence to or from CrystalTech concerning You or Your account, or other information which in CrystalTech’s sole judgment is reasonable, CrystalTech may disclose such information to public or private third parties as applicable law may require or permit. The decision as to whether to disclose such information as may be required, permitted or otherwise reasonable shall be within the sole discretion of CrystalTech and may include but shall not be limited to (1) compliance with court order, subpoena or other request of any State or Federal government, (2) compliance with the Electronic Communications Decency Act, (3) compliance with the Digital Millennium Copyright Act.
Breaking it down you first find that one of the most fundamental principles of acceptable privacy practice is repudiated in the first sentence. That principle is that the information collected about people should be limited to that which is necessary to complete the intended purpose. Note that the “intended purpose” is the clearly understood intended purpose of the customer, not the information collector.
Note the phrase “including but not limited to” is frequently used in legal agreements to ensure what is called an “expansive interpretation.” For average customers the construction of such sentences can be understood as hoping what is noticed is the list of apparently reasonable things like “account information, dates of service,” and so on. But the list is basically irrelevant because they have prefaced it with the expansive “not limited to” language.
The entire phrase
You hereby consent and agree that any information CrystalTech may collect from You and/or maintain with respect to You, including but not limited to Your account information, dates of service, billing CrystalTech, billing records, usage statistics, site statistics, services purchased, domain name purchases, correspondence to or from CrystalTech concerning You or Your account,
can be translated into
“You hereby consent and agree that any information CrustalTech may collect from You and or maintain with respect to You”
The rest of it is window dressing.
CrystalTech not only asserts its rejection of limiting collection of information about people to that which is clearly necessary to render the services being purchased, it repeats its right to collect whatever it wants, “or other information,” which it alone decides is reasonable.
The policy then proceeds to eradicate the meaning of privacy protection by asserting that it may disclose your personal information, not merely as required by law, but as permitted by law. In plain language unless you can prove that what it is doing with your information is actually against the law, then it gets to do what it wants.
An acceptable privacy policy assures customers or users that they will only disclose personal information when required by law, or to prevent actual harm that can be reasonably foreseen. Those companies that insist on using the “or permitted by law” expansion should be avoided.
But CrystalTech wants to ensure that there is no mistaking how far it is going. So it underlines that it shall be the sole decider of what is “permitted or reasonable.”
So to finish our What-It-Means Translation, we can take everything that comes after our first citation and replace it with
“may be disclosed to anyone so long as it is not against the law.”
Hence the entire paragraph can be reduced to
“You hereby consent and agree that any information CrystalTech may collect from You and or maintain with respect to You may be disclosed to anyone so long as it is not actually a crime.”
So the Privacy Policy of CrystalTech boils down to a not-so-strong promise not to break any laws. In such circumstances there is literally no value in having privacy protection terms in the agreement at all, since you don’t need anyone to promise not to break the law. The government and law enforcement take care of that consideration.
This is a Privacy Policy that belongs on the junk heap with it’s fellow disingenuous manipulators of expansive, permissive policies when a Privacy Policy by definition is intended to be restrictive — restricting what can be done to you and your information.
Bif Fat FAILURE for CrystalTech.
