Hacker News new | ask | show | jobs
by breppp 452 days ago
OP mentioned training AI on customer data

GDPR, CCPA, HIPAA, etc, as Google has no way of knowing which data they will train on, add to that copyright and that's just off the top of my head

cloud contract obligations are also pretty clear about customer data.

furthermore it would be bad engineering and security if Wiz had actual direct access to customer data, versus having their code having access to said data. That would be a huge issue in due diligence for example
3 comments
diggan 452 days ago
Did you skim through Wiz's Privacy Policy? They're keeping a lot of stuff that isn't "direct access to customer data" and already permitted to be sent to 3rd parties, wouldn't surprise me if you could aggregate what features are most used on AWS by collating some other sources than having actual access to customers cloud.

Obviously, existing agreements would need to continue to be run properly, no question about that. But there is always plenty of other data that probably could be used by Google to gain some insights.

link
breppp 452 days ago
what you talked about is different and is aggregated metrics

that might be legal and interesting but i highly doubt it's 30+ billion dollar interesting

i imagine you can buy that data from data brokers without any legal exposure but that's only a guess

link
majestik 451 days ago
Read through the Wiz MSA [0] at section 6 which discusses “Customer Data” and among other things specifically asks Customer not to send HIPAA data (perhaps to sidestep the issue you just raised) and concludes with this:

Customer hereby grants to Wiz a non-exclusive, worldwide, royalty-free right to use Customer Data to provide the Services and perform its obligations under this Agreement.

Or if reading terse legal documents isn’t your thing, go ahead and just read through Wiz’s own blog post about how their scanner works, which confirms they have full, direct access to customer EBS volume snapshots in the default “full SaaS” deployment model. [1]

Your point that due diligence would have taken issue with this might not be grounded in Google’s reality.

0: https://wiz.pactsafe.io/legal#wiz-subscription-agreement

1: https://www.wiz.io/blog/the-wiz-approach-to-agentless-scanni...

link
zachr 450 days ago
> [access to use customer data...] *to provide the Services and perform its obligations under this Agreement.*

"Services" – which you'll note is capitalized... lawyers do that for a reason – has a very specific meaning that very obviously does not include "whatever the fuck Google wants to do with it", nor "training general purpose AI models" in particular.

Why are you intentionally and blatantly misinterpreting Wiz's policies? Or are you just that good at ignoring/missing details in order to weave the story you've already decided to believe?

link
zifpanachr23 451 days ago
I've been consistently surprised at how common bad engineering and security practices seem to be within the security vendor space though. So idk this just makes it sound more plausible to me cause this would be exactly the type of company to have a scandal like that.
link