The debut of Cisco’s Connect Cloud service this week has been marred by technical problems and some serious disconnects between user expectations of privacy and Cisco’s apparent eagerness to monitor user data.
The new Connect Cloud service is Cisco’s attempt to introduce a new way for home and small-business owners to manage their Internet routers. Past methods, such as a browser-based interface to a control server within the router itself or an installed application on a network-connected machine, have been local. Cisco’s new service will be based remotely, enabling users to manage their router’s settings in the cloud.
While interesting on paper, the actual launch has not gone well since rollout on June 26. Using the new service requires either a manual update to the firmware on Cisco’s E2700, E3500 or E4500 routers, or an automatic update to that firmware.
But because the Automatic Firmware Update setting is activated by default when these routers are shipped, a lot of customers have suddenly been stuck with a very new interface to their router controls – even without specifically choosing to update their systems. Worse, it wasn’t just a jarring new interface: To use Connect Cloud, users have to also register for a Cloud Service account.
To make matters worse, it appears that even users who wanted to manually update their firmware were having problems.
The Real Damage Is to Privacy
But the real damage from this product debut goes beyond the technology. Sharp-eyed users almost immediately noticed this controversial clause buried in the Connect Cloud privacy policy (cached):
“When you use the Service, we may keep track of certain information related to your use of the Service, including but not limited to the status and health of your network and networked products; which apps relating to the Service you are using; which features you are using within the Service infrastructure; network traffic (e.g., megabytes per hour); internet history; how frequently you encounter errors on the Service system and other related information (‘Other Information’)”
The notion that Cisco would be monitoring users’ traffic and usage patterns is hugely unsettling to Cisco customers, who have become very vocal in their disapproval.
Cisco has since removed the offending clause from the privacy policy, and Brett Wingo, General Manager of Cisco’s Home Networking Business unit, posted a mea culpa blog entry Friday that backed off the idea that Cisco would be doing active monitoring, as well as apologizing for the lack of clarity in the service’s opt-in/opt-out policies. Cisco has also posted instructions on how to rollback to the Classic EA series firmware.
Apologies Not Enough
Users are not yet assuaged by the changes, particularly since pointed questions still remain about additional language in the Cisco Connect Cloud Terms of Service.
“You agree not to use or permit the use of the Service: (i) to invade another’s privacy; (ii) for obscene, pornographic, or offensive purposes; (iii) to infringe another’s rights, including but not limited to any intellectual property rights; (iv) to upload, email or otherwise transmit or make available any unsolicited or unauthorized advertising, promotional materials, spam, junk mail or any other form of solicitation; (v) to transmit or otherwise make available any code or virus, or perform any activity, that could harm or interfere with any device, software, network or service (including this Service); or (vi) to violate, or encourage any conduct that would violate any applicable law or regulation or give rise to civil or criminal liability.”
Tellingly, those Terms still reserve Cisco’s right to terminate your account for violations, which could include “any related data, information, and files, and bar any further access to such data, information, and files through use of the Service. Such action may include, among other things, accessing your data and/or discontinuing your use of the Service and any and all rights granted to you in connection with the Service without refund or compensation.”
Many customers are looking at that clause and wondering why, if Cisco is really not going to monitor its users’ content, what is a clause like that doing in the Terms of Service? On the surface, this could appear to be a breach of privacy pretty much on par with the traffic-monitoring clause that was lopped off of the Privacy Policy.
Legal Escape Clause?
More likely, though, this is probably little more than a legal escape clause for Cisco. On the off chance that someone were to try to sue the network hardware vendor because such illicit activities were being enabled by Cisco’s Connect Cloud service, the company could try to defend itself by pointing to these terms in a court of law as proof that it told its users not to be naughty.
One big takeaway from this incident is another reminder not to ignore the terms of service and other legal documentation that comes with your software, hardware and services – especially cloud-based services. It may be tedious, but aggressive monitoring policies like the one Cisco may have tried to slip in makes it clear that this kind of diligence may be as necessary as regularly checking your systems for malware.
For Cisco, the incident is a black eye that demonstrates the difficulties a company can face when it transitions from selling hardware directly to large enterprises to selling services and equipment to consumers and small businesses.