Improving our Terms of Service

Introduction

As of 2017-09-14 the Terms of Service are set to the default text from Discourse.
This text not only does not match our situation, as we are in Europe, but it also does not match our expectations, as we’re willing to match a class A at ToS;DR: to treat you fairly, respect your rights and to not abuse your data.

This topic is:

  • to openly discuss upcoming changes in our ToS.
  • to ensure they match ToS;DR’s class A requirements.
  • to ensure they comply with European law.
  • to announce changes in the terms.

Changelog

This is where we’ll note the changes in our ToS.

  • 2018-05-25: GDPR enters into force. We have a wiki to improve our privacy policy.
  • 2017-09-23: changed jurisdiction of ToS from USA to Belgium.
  • 2017-09-14: start this topic.

Open Tasks

  1. IANAL, so a good start would be to find an interested lawyer, or an existing set of ‘class A’ terms of service.

  2. If you want to follow changes, you should “watch” the topic. Probably at some point we’ll just make a single Announcements topic that every user MUST watch in order for us to comply with the requirement to have you review the terms well before they come into effect.

  3. Section 18 states:

    this Agreement, any access to or use of the Website will be governed by the laws of the state of California, U.S.A.

    Yeah, of course not. This must be changed ASAP.

  4. Review all sections and discuss them.

1 Like

ToS;DR Criteria

ToS;DR is a grassroots initiative to analyze and classify the terms of service on the Web on behalf of the users. It’s a collaborative project that takes a lot of energy, so you’re welcome to help them. :slight_smile:

This post introduces the categories and topics used by ToS;DR to classify terms of service. We shall use these to help our process of improvement. You’re welcome to quote from here and comment. The categories and topics (questions) come straight from https://edit.tosdr.org/ and reflect the upcoming v2 of the system. They’re reproduced here for the purpose of improving our terms of service.

For each category I will go like this:

  1. check the existing terms and report
  2. write what we want to achieve
  3. incorporate comments

Anonymity and Tracking https://tosdr.org/topics.html#track

Are you being spied on?

Changes to the Terms https://tosdr.org/topics.html#changes

Notice of Changing Terms

Q: Are users notified when terms change?
A: Yes, that’s the purpose of this topic.

Q: Are they given enough time to find out what changed and discuss this with each other before deciding whether to continue to use the service under the new terms?
A: Yes, that’s the purpose of this topic.

User Involvement in Changing Terms

Q: Are changes proposed as a request for feedback, or imposed unilaterally as a take-it-or-leave-it deal?
A: We’re negotiating here in this very topic.

User Choice

Q: How much can YOU decide?
A: It mostly depends on YOUR engagement. We also have a formal non-profit association behind it.

User Information

Transparency and education

Equality of Right (not yet linked)

Is everyone treated the same?

Governance

Your relationship with the service and the community

Easy to read

Q: Are the terms easy to find and well written?
A: Well, not really :stuck_out_tongue:

Jurisdiction and Governing Laws

Q: Where can you sue, or be sued, for breaching of the rules?
A: In California, which is why we must change the terms, as we’re based in EU.

Law and Government Requests

How do services deal with government requests?

Law Enforcement and Due Process

Q: What are the law enforcement standards followed by the service?
A: First, we try to understand what’s going on, second we inform our users, and then we see what to do legally. There’s no ‘gag order’ in the EU, and if there were, we’d rather close the service and move away from Europe than comply to such fascist order.

‘Ownership’

What happens with the content you generate on the service?

Rights to Leave the Service

To avoid lock-in and stay in control

Suspension and Censorship

Can they end your use of the service at any time?

Third Parties

What 3rd parties are involved and how the service deals with them.

Uncategorized

Business Transfers

Is your data a business asset?

Cookies

and related technologies

Data Portability

Q: Can you get your data back?
A: Yes! You Own Your Own Words (YOYOW). Go to your profile page and click ‘Download All’.

Guarantee

Some services will guarantee you certain features, or explicitly reject any guarantee.

Logs

Q: How long do they keep them?
A: Too long. The server is in Germany… What can we do to minimize privacy issues for our users?

Personal Data

Can you control your privacy?

Scope of the Copyright License

Do you grant only the necessary rights?

Waving Your Rights

What kind of rights do you give up on?

Resources to Research Data Protection

Data Protection Authorities

From ec.europa.eu

Belgium (where :ps: is registered)

Commission de la protection de la vie privée
Rue de la Presse 35
1000 Bruxelles
Tel. +32 2 274 48 00
Fax +32 2 274 48 10
e-mail: commission@privacycommission.be
Website: http://www.privacycommission.be/

Germany (where this site is hosted)

Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Husarenstraße 30
53117 Bonn
Tel. +49 228 997799 0; +49 228 81995 0
Fax +49 228 997799 550; +49 228 81995 550
e-mail: poststelle@bfdi.bund.de
Website: http://www.bfdi.bund.de/

The competence for complaints is split among different data protection supervisory authorities in Germany.
Competent authorities can be identified according to the list provided under
https://www.bfdi.bund.de/bfdi_wiki/index.php/Aufsichtsbehörden_und_Landesdatenschutzbeauftragte

Art 29 WP Member: Ms Andrea VOSSHOFF, Federal Commissioner for Freedom of Information
Curriculum vitaepdf(170 kB)

Art 29 WP Alternate Member: Prof. Dr. Johannes CASPAR, representative of the federal states

ToS;DR September Meeting

I’m scheduled to participate in a Jitsi meeting circa September 22, 2017, where I will get acquainted with the current ‘reboot’ of the project, and point the team to this topic. If you want to join the meeting, check the framadate for ToSDR September meeting.


The meeting was attended by Michiel de Jong, founder of ToS;DR, and @pksl_, team member and fellow from the Source radio broadcast at Radio Campus.
Current work is about creating a Rails application to take care of tracking terms of service and making it easy to rate them and consume the information.
A lot of boring work needs to be done to process data entry in the database, and to kill the development backlog.
The team doesn’t seem to be interested in engaging with us at this point to create a class A ToS for Europe, especially as they consider that ToS are likely to be service-specific. We keep in touch anyway to advance that agenda while we keep working on this topic. It was nice to see Michiel!

Let’s get some inspiration by the EU itself.

Example: Disroot

Customer Commons

The idea is to turn terms of services upside down: instead of having to go to each company’s ToS and read them, which nobody will, create a common customers agreement that matches customer rights, and have companies agree to that.

A very interesting approach, especially as it is much less time-consuming to customers.

http://customercommons.org

1 Like

https://www.gdpr-expert.eu/#textesofficiels

@angus made a fantastic privacy policy for his sandbox. Have a look!

https://discourse.angusmcleod.com.au/privacy

I was about to use his custom wizard plugin to add a notice for consent, and found it updated for GDPR-compliance. Well done!

Here is a proposal to replace the default privacy policy, directly inspired from @angus’… Unless someone objects to it, it will replace the existing (inappropriate) default within 15 days. It’s in place!

Privacy Policy

This policy decribes how ps.zoethical.org – Petites Singularités or :ps: for short – collects and uses data about you.

Shortcuts

What is Petites Singularités?

:ps: is a non-profit association registered in Belgium and interested in collective practices and free software. You can read our statutes (in French). This site is a Discourse instance and our main online working tool.

How does :ps: collect data about me?

:ps: collects data about you when:

  • you browse this site
  • you create and use an account here
  • you post, send private messages, and otherwise participate in :ps:.

:ps: do not buy or otherwise receive data about you from data brokers or any other third parties.

What data does :ps: collect about me, and why?

Petites Singularités collect data about visits to forums.

When you visit this site, whether you have an account or not, the forum uses cookies, server logs, and other methods to collect data about what pages you visit and when.

:ps: use data about how you use the website to:

  • optimize the forum, so that it’s quick and easy to use
  • diagnose and debug technical errors
  • defend the forum from abuse and technical attacks
  • compile statistics on forum and topic popularity
  • compile statistics on the kinds of software and computers visitors use

:ps: usually stores access data for 2 weeks. These data do not contain your IP information, but if you are logged in, it contains your username. In special circumstances, like extended investigations about technical attacks, :ps: may preserve log data longer, for analysis.

Petites Singularités collect account data.

Many features of :ps: require a forum account. For example, to post and reply to topics.

To sign up for a forum account, :ps: requires a username and a valid email address. Your name is optional and may be a pseudonym, no questions asked.

:ps: use your account data to identify you on the forum, and to create pages specific to you, like your profile page. Some parts of :ps: are public, so some of your account data is published on the Internet.

:ps: use your email address to:

  • notify you about posts and other activity on the forum
  • reset your password and help keep your account secure
  • contact you in special circumstances related to your account
  • contact you about any legal requests that may occur.

You may provide additional data for your account, like a short biography, your location, or your birthday, on the profile settings page for your account. :ps: makes that data available to others who can access the forum. You don’t have to provide this additional information, and you can erase it at any time.

:ps: stores your account data as long as your account remains open.

Petites Singularités collect data about posts and other activity on the forum.

:ps: collect the content of your posts, plus data about bookmarks, likes, and links you follow in order to share that data with others, through the forum. :ps: publishes your activity.

:ps: also collects data about private messages that you send through the forum. :ps: makes private messages available to senders and their recipients, and also to forum administrators.

:ps: stores your posts and other activity as long as your account remains open.

How can I make choices about data collection?

You can make choices about how data about you is used on the settings page for your account. When a forum uses access restrictions that vary by category, you can choose who will see your post by choosing the appropriate category.

:ps: does not respond to the Do Not Track HTTP header.

Where does :ps: store data about me?

:ps: stores your data on Hetzner’s servers in Germany.

Does :ps: comply with the EU General Data Protection Regulation?

Yes! And we’re quite happy about this. :ps: respects privacy rights under Regulation (EU) 2016/679, the European Union’s General Data Protection Regulation (GDPR). Information that GDPR requires :ps: to give can be found throughout this privacy notice. So can information about specific rights, like access, rectification, erasure, data portability, and objection to automated decision-making.

Where can I access data about me?

You can see your account data at any time by visiting your account page on the forum. Your account page also lists your posts and other activity on the forum.

Your account activity page also includes a link to download all of your activity in standard comma-separated values format.

How can I change or erase data about me?

You can change your account data at any time by visiting the profile settings page for your account. The settings for a particular forum may also allow you to close your account, on the settings page for your account. Closing your account starts a process of erasing or anonymizing :ps: records of data you provided for your account. Forum administrators can also erase and anonymize accounts.

Depending on the settings for your particular forum, you may also be able to edit, anonymize, or erase your posts. When you edit posts, :ps: will keep all versions of your posts. Forum administrators can view old versions of posts, and optionally make them visible to other forum visitors.

Does :ps: make automated decisions based on data about me?

:ps: uses data about posts and activity to set trust levels automatically.

Depending on how administrators of your forum configure the forum, the forum may use data about your posts and activity to award you badges and calculate a trust level for your account. Your trust level may affect how you can participate in the forum, such as whether you can upload images, as well as give you access to moderation and management powers in the forum. Your trust level therefore reflects forum administrators’ confidence in you, and their willingness to delegate community management functions, like moderation.

If you think your trust level has been set incorrectly, contact an administrator of your forum. They can manually adjust the trust level of your account.

Does :ps: share data about me with others?

:ps: shares account data with others as mentioned in the section about account data.
:ps: shares data about your posts and other forum activity with others as mentioned in the section about forum activity data.

:ps: does not sell or give information about you to other companies or services. However, :ps: do use services from third parties: the companies behind those services may collect data about you on their own, for their own purposes. Some of these services may be used to collect information about your online activities across different websites.

Service Privacy Notice Description
Hetzner Online GMBH https://www.hetzner.com/rechtliches/datenschutz Hosts :ps: and stores backups.

Other individuals and companies may also reuse data about you that :ps: publishes, such as your posts to public forums.

You can send questions and complaints to:

“Petites Singularités” <privacy@zoethical.com>

We also discuss our Terms of Service, including this Privacy Policy, collectively on this platform.

For complaints under the GDPR, European Union users may lodge complaints with their local data protection supervisory authorities.

What if this privacy notice changes?

This version of :ps: privacy notice took effect on MONTH, DAY, YEAR.

:ps: maintains this privacy policy at Privacy - petites singularités.

We also discuss our Terms of Service, including this Privacy Policy, collectively on this platform, in an open and transparent process: all changes are announced there.

2 Likes

The new privacy policy is up, not 15 days after the call, but 6 months later :blush:

1 Like