Red Hat, Inc. is a company that provides a Linux distribution and the services and support that accompany such a project in the enterprise market. One of the most used services provided by Red Hat is the Red Hat Network (RHN) service. This service provides a central administration point for keeping systems updated with the latest software and security fixes.
They have several legal pages linked on the site:
A general privacy policy at www.redhat.com/legal/privacy_statement.html
A policy about software patents at http://www.redhat.com/legal/patent_policy.html
Terms of Use for the website at http://www.redhat.com/legal/legal_statement.html
Red Hat Network legal and security statement at http://www.redhat.com/software/rhn/legal/
Red Hat Network Services Use and Subscription Agreement at http://www.redhat.com/licenses/rhn.html
The privacy policies provide mostly standard information. The company claims to be committed to privacy. They clearly identify what information they collect and how they plan to use it. They also state that they can change their plans at any time. The version I am using states it was last amended Aug 4, 2004.
The first of several interesting points in the general policy is in the section "Our Commitment to Privacy". In this section, Red Hat points out that, to make this policy easy to find, it is available on the "homepage and every location where personally-identifiable information may be requested". In fact, it is in the small print footer at the bottom of each page.
In the same section, Red Hat claims to have "self-certified" with a couple of authorities on privacy. At the moment that includes the European Union "Safe Harbor" Principles with the United States Department of Commerce and the European Union Data Protection Authorities. It seems that Red Hat seeks credibility for its privacy policy by using the beginnings of some international standards.
The final interesting item in the general privacy policy is the reminder to users that the public forums are public. Red Hat reserves the right to remove inappropriate postings (e.g., for vulgar language), but otherwise any information posted by an individual to a public forum is NOT protected by the Red Hat privacy policy.
The software patent policy page is new since the last time I looked at the Red Hat site, and I am not aware of any similar pages on other software/services sites that I have visited. If they exist, they are not as prominent as the small print footer of the homepage and most pages.
The page states the Red Hat opinion of software patents (that they generally impede innovation and are inconsistent with open source and free software) and the reality of living and working in a world with software patents. This includes the promise of respecting patents in general.
The general site terms of use cover trademarks and logos that are protected by copyright. They also point out that any warranty on software is given in accordance with the license agreement of that software; all other software is provided "AS IS". There are also general limits of liability and disclaimers.
One interesting piece of this document is that Red Hat has the "right, but not the obligation, to monitor the content of the website". This basically covers them against liability from improper use of forum posts, chat sites, and other public communication.
The other interesting section was the "Rules of Conduct", which states the standard "subject to all applicable local, state, national, and international laws" but also goes on to give examples of improper conduct, including postings containing "viruses, worms, time bombs, Trojan horses" and others. Also explicitly prohibited is harvesting information about website visitors.
The sections about Red Hat Network service are very similar to the general policies of Red Hat, Inc. They do expand on the specific details collected for user accounts and how that information will be used. They also point out that the security of the user password is the responsibility of the user and not of Red Hat, Inc.
Because this is a fee-based service, there are also sections pertaining to the payment obligations and renewal processes, as well as conditions for termination of agreements.
Clarity of Language:
Throughout the policies at Red Hat, Inc. I have found the language easy to read. For example, there are clear lists in the privacy policy particularly under "The Information we Collect" section and "Using your Personal Information" section. The lists are bulleted, simple, but complete.
Loopholes:
I did not feel that the policies have any unusual loopholes. There are, of course, plenty of ordinary loopholes. These include the "AS IS" warranty for some software and the right to change the policy at any time. There is also the reminder that public forums are not protected in the same manner and that account password security is the responsibility of the user. The privacy policy points out that links to other sites take a user to data outside the control of Red Hat and thus not the responsibility of Red Hat, Inc. And finally, the section of the legal statement stating that Red Hat is not obligated to monitor the content of the site for compliance with the terms of use leaves lots of room to wiggle out of difficult situations.
Information Security:
Red Hat specifically states that they are committed to data security and use Secure Sockets Layer (SSL) technology. In this same section, Red Hat states that they enter into confidentiality agreements with any partners that may have access to personal data. I believe that the commitments to the Children's Online Privacy Protection Act (COPPA) and the EU/US Safe Harbor Principles also strengthen Red Hat's data security and privacy commitment.
User control and responsibility:
Throughout the policies and terms of use there are several examples of privacy and security being placed back on the user, from the security of the account passwords to the choice of whether to receive email. The policy also spells out the use of browser cookies and public forum usage.
Only a minimal amount of information is needed for many parts of the site. While the Red Hat Network Agreement indicated that the yearly subscription is an automatic renewal, I was not required to save any credit card information. Some web-based information does not require any user account; other parts only require a username/password and a valid email address.
Some of the older pages should be rewritten for better format and clarity. For example, the Red Hat Network use and subscription page is not as clear as the general privacy policy. There are more legal phrases in the Red Hat Network agreements and more easy-to-read lists in plain English in the general privacy policy.
While there is information on how to contact Red Hat, Inc. and statements about self-certification, it is not clear how long Red Hat, Inc. will save personal information if the account is disabled or agreements are terminated or otherwise end. Also, how are the policies audited internally? Is it only self-auditing, or is there a security audit that is regularly performed, and are any results ever available to the public, such as those related to the financial policies required when companies trade on the stock market? While this is consistent with other companies, it would be interesting to know as a consumer.