Hey, thanks for jumping in. I personally don't see anything wrong with cloning and open sourcing projects for educational purposes. However, one thing that is concerning for me is this:

> The employee used his access at Vercel to find his personal email, location, and the list of his projects.

(from https://twitter.com/nico_jeannen/status/1713139186474406206)

I'm unsure if this tweet is 100% truth, and I certainly don't believe it's "normal" as the tweet implies at the end - but it would be nice to get some sort of feedback on this, ideally. (e.g. "the employee was let go" + "we've reiterated internally that this is absolutely not something anyone at Vercel should do").

Last piece of thought - maybe the ToS need some clarifications to see if you could make it less permissive w.r.t. data and content? I understand you need to distribute it etc but would it be an option to e.g. rephrase "you hereby grant right to distribute data and content [...] only to provide you the customer with Service".

Note that I'm typing all this in good faith and I appreciate the work you folks do at Vercel.

Three quick reactions:
- The employee did not find location information on our platform. Our security team is certain of this and that the system worked as intended, but the employee misused it.
- Everyone at the company takes PII and protecting customer data extremely seriously. We have and we will continue to reinforce this in light of this situation.
- Our ToS are specifically designed to protect our customers. Note that in the terms folks are discussing we mention “only in connection to providing our services”. That said, I’ll be following up internally to see if more clarifications can be made (I’ve seen companies provide high-level summaries in the past to help with the legalese interpretation).