
NDAs: What to Watch Out For

I finished off my masters program at UCI a few weeks ago, and like most other recent grads, I’ve started looking for a job. It’s not as bad out there as people would have you believe, but it’s just as hard as ever to find the right company. For me, that’s a company with a small team that’s working on an interesting product. Naturally, I’ve been eyeing a few startups. However, young startups tend not to have a lot of money to spend on the legal end of things, and it’s far too easy to pull down a seemingly standard legal document from the Internet, so as developers we need to be extra cautious about what we’re signing.

I was asked to sign a nondisclosure agreement (NDA) over the weekend that the CTO assured me was a standard NDA. All the investors and other employees signed it, so it must be OK. It looked normal to me, but I decided to play it safe and have my sister (a lawyer) give it a quick run-through. Turns out there were some bad bits that others might want to keep an eye out for.

  1. Typos: the “effective date” of the NDA was correct on the first page, but incorrect (a month prior) on the last page.
  2. Inconsistencies: one of the sections in the NDA referred to another section incorrectly. This is usually an indication that the company pulled down a “standard” NDA they found on the Internet and rearranged (and probably edited) things to their liking. I don’t see a professional lawyer making such an obvious mistake on a three-page document.
  3. Unusually long terms: from what I’ve been told, the standard term is 2 years, meaning the NDA remains in effect for 2 years after the “effective date” (the date you sign the NDA). The NDA I was asked to sign ran for 5 years—not a dealbreaker, but kind of long.
  4. No provision for counsel: an NDA should have a clause that allows you to share information with your lawyer. Something along the lines of:

    Therefore, the Receiving party covenants the following: Not to disclose or reveal Confidential Information received hereunder to any person except for Receiving Party’s employees, directors, counsel, agents and advisors (collectively, the “Representatives”) who are required to have such Confidential Information in order to perform their functions in connection with the Business Purpose;

  5. Clauses that don’t belong in an NDA: this one really irked me. Along with the typical NDA legalese, there was a “work for hire” clause thrown in there. It’s pretty standard in an employment contract—but has no place in an NDA.

I don’t think the company had bad intentions, and in the end, signing an NDA isn’t all that big of a deal. But as always, read before you sign or else you might just end up losing your soul.

BoxeeQ beta

Well, the winners of the Boxee/Twilio developer contest have been announced. Due to a mix-up, my entry never got considered :/ But that doesn’t mean you can’t have some fun with it. It’s called BoxeeQ and it’s a super-simple way to save movies and online videos to your Boxee/Netflix queue when you’re not at your computer.

You can read all about it here. Keep in mind this isn’t totally ready for the general public yet, so beware of exploding phones.

Working with the Netflix API in PHP


I spent part of last week working on an entry for the Boxee/Twilio developer contest. A few days before the deadline, I decided it’d be really slick if I added Netflix into the mix, so I started digging through the documentation. I think Twilio’s simple API and awesome debugging tools spoiled me because figuring out Netflix’s API was a pain. A lot of this had to do with there not being a really good PHP library to take care of authorization and making signed calls to the API. I went with OAuthSimple and ran into a lot of “invalid signature” errors and other little gotchas along the way. Hopefully, this write-up and sample code will save you guys some time.

Before You Begin

In order to get started, you’ll need to sign up for a Netflix developer account and apply for an API key. (This is separate from your normal Netflix account.) After you’ve been approved (as far as I can tell, approval is instant), you’ll receive a “key” and a “shared secret.” From here on out, we’ll call them the “consumer key” and “consumer secret.”

Screenshot of the Netflix API key management page.

Write both of those down, because we’ll be using them often. You’ll also want to get yourself a copy of the OAuthSimple library.

Getting Authorized

Netflix uses OAuth, so you’ll need to have users authorize your application before you can work with their data. In order to do this, we’ll create a link that takes them to the authorization page.

If all goes well and the user authorizes the application, Netflix will call the page you specified in the link above and pass it the user’s OAuth token. You can then exchange that temporary token for a permanent OAuth token, OAuth token secret, and user ID. You’ll want to save this information in your database (or however you’re storing data) since you’ll be using it to make calls to the Netflix API.

Making Calls to the API

Now that the user has authorized your application, you’re ready to actually start working with the API [1]. The API is REST-based, so it’s as simple as specifying a URL, passing in the proper parameters, and parsing the data returned.

For example, here’s how to get a list of the movies in the user’s Instant Watch queue:

Adding movies to a user’s queue is similar—just specify the URL ([netflix_user_id]/queues/instant/disc), pass in the proper parameters, and parse the data returned. Also, remember that when writing data, set cURL to POST the data (curl_setopt($curl, CURLOPT_POST, true) and curl_setopt($curl, CURLOPT_POSTFIELDS, [parameters to pass])) and set the action to POST in the OAuthSimple library ($oauth->setAction('POST')).
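The code for the authorization link and the signed queue calls is missing from this copy of the post, so here is an added example (my own, not the post’s code, not Netflix’s, and not the OAuthSimple library) that does the OAuth 1.0a HMAC-SHA1 signing by hand, which is also the quickest way to understand where “invalid signature” errors come from. The consumer key and secret are placeholders, and the endpoint paths, the callback URL, the login URL, the title_ref parameter and the sample title ID are assumptions, not values taken from the post; the three steps (request token and authorization link, token exchange, signed GET and POST against the user’s queue) follow the flow described above.

```php
<?php
// Added example: OAuth 1.0a (RFC 5849) HMAC-SHA1 signing in plain PHP.
// Not the post's code, not the OAuthSimple library, not Netflix's code.
// Endpoint paths, callback/login URLs, title_ref and all ids are ASSUMED placeholders.

const CONSUMER_KEY    = 'CONSUMER_KEY_PLACEHOLDER';
const CONSUMER_SECRET = 'CONSUMER_SECRET_PLACEHOLDER';
const API_BASE        = 'http://api.netflix.com';                   // assumed base URL
const LOGIN_URL       = 'https://api-user.netflix.com/oauth/login'; // assumed
const CALLBACK_URL    = 'http://example.com/netflix_callback.php';  // constructed

// OAuth needs RFC 3986 percent-encoding (rawurlencode); urlencode's '+' for spaces breaks signatures.
function oauth_encode($s) { return rawurlencode($s); }

// Signature base string: METHOD & encoded(URL without query) & encoded(sorted "k=v" pairs).
// Every query or form parameter actually sent must be in $params, or the server's base
// string differs from yours and the signature is rejected.
function oauth_base_string($method, $url, array $params) {
    $pairs = array();
    foreach ($params as $k => $v) { $pairs[] = array(oauth_encode($k), oauth_encode($v)); }
    usort($pairs, function ($a, $b) {
        return $a[0] === $b[0] ? strcmp($a[1], $b[1]) : strcmp($a[0], $b[0]);
    });
    $normalized = array();
    foreach ($pairs as $p) { $normalized[] = $p[0] . '=' . $p[1]; }
    return strtoupper($method) . '&' . oauth_encode($url) . '&' . oauth_encode(implode('&', $normalized));
}

// HMAC-SHA1 over the base string, keyed with "consumer_secret&token_secret".
// The '&' is required even before you have a token secret (request_token step).
function oauth_signature($method, $url, array $params, $tokenSecret = '') {
    $key = oauth_encode(CONSUMER_SECRET) . '&' . oauth_encode($tokenSecret);
    return base64_encode(hash_hmac('sha1', oauth_base_string($method, $url, $params), $key, true));
}

// Adds the oauth_* protocol parameters plus the signature to the caller's own parameters.
function oauth_signed_params($method, $url, array $extra, $token = '', $tokenSecret = '') {
    $params = array_merge($extra, array(
        'oauth_consumer_key'     => CONSUMER_KEY,
        'oauth_nonce'            => bin2hex(openssl_random_pseudo_bytes(8)),
        'oauth_signature_method' => 'HMAC-SHA1',
        'oauth_timestamp'        => (string) time(),   // server rejects stale timestamps
        'oauth_version'          => '1.0',
    ));
    if ($token !== '') { $params['oauth_token'] = $token; }
    $params['oauth_signature'] = oauth_signature($method, $url, $params, $tokenSecret);
    return $params;
}

// Sends a signed GET (query string) or POST (form body) with cURL and returns the response body.
function oauth_request($method, $url, array $params = array(), $token = '', $tokenSecret = '') {
    $query = http_build_query(oauth_signed_params($method, $url, $params, $token, $tokenSecret),
                              '', '&', PHP_QUERY_RFC3986);   // same encoding as the signature
    $curl = curl_init();
    if (strtoupper($method) === 'POST') {
        curl_setopt($curl, CURLOPT_URL, $url);
        curl_setopt($curl, CURLOPT_POST, true);
        curl_setopt($curl, CURLOPT_POSTFIELDS, $query);
    } else {
        curl_setopt($curl, CURLOPT_URL, $url . '?' . $query);
    }
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    $body = curl_exec($curl);
    curl_close($curl);
    return $body;
}

// Step 1: temporary request token, then the link the user clicks to authorize the app.
parse_str(oauth_request('GET', API_BASE . '/oauth/request_token'), $req);
$authLink = LOGIN_URL . '?' . http_build_query(array(
    'oauth_token'        => $req['oauth_token'],
    'oauth_consumer_key' => CONSUMER_KEY,
    'oauth_callback'     => CALLBACK_URL,   // where the user is sent back with oauth_token
), '', '&', PHP_QUERY_RFC3986);
// echo $authLink;  Keep $req['oauth_token_secret'] in the session until the callback fires.

// Step 2 (in the callback page): swap the temporary token for the permanent one.
// Shown inline for brevity; in a real app $req['oauth_token_secret'] comes from the session.
parse_str(oauth_request('GET', API_BASE . '/oauth/access_token', array(),
                        $_GET['oauth_token'], $req['oauth_token_secret']), $access);
// Persist $access['oauth_token'], $access['oauth_token_secret'] and $access['user_id'].

// Step 3: a signed read (the instant queue) and a signed write (add a title to it).
$userId = $access['user_id'];
$queue  = oauth_request('GET', API_BASE . "/users/$userId/queues/instant", array(),
                        $access['oauth_token'], $access['oauth_token_secret']);
$added  = oauth_request('POST', API_BASE . "/users/$userId/queues/instant",
                        array('title_ref' => API_BASE . '/catalog/titles/movies/TITLE_ID_PLACEHOLDER'),
                        $access['oauth_token'], $access['oauth_token_secret']);
```

The three things that produce “invalid signature” in practice are all visible here: encoding with urlencode instead of rawurlencode (the base string then contains `+` where the server expects `%20`), sending a query or POST parameter that was not included in the signed parameter set, and a clock that is off far enough for the server to reject oauth_timestamp. Keep the signing code in one place, as above, so the parameters you sign are exactly the parameters you send.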

Check out Netflix’s documentation for other examples of common tasks.


  1. You can work with some parts of the Netflix API without being authorized by the user, but nothing too interesting—just searching the Netflix catalog for movies/TV shows.