I'd be very careful counting the requirements for cookies as a bad thing (as seen in the github section):
First-party session cookies are a totally valid use of cookies and actually help improve security, in that a session ID in a cookie will never be copied & pasted by accident (it happens to URL-based session IDs at times), and cookies can be marked as both httponly and secure, making it more difficult to impossible (depending on browser) to XSS the session ID away.
As such I would actually go as far as to prefer a site that requires (first-party session) cookies to one that doesn't.
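An added example (not code from the original thread) that checks the point made above from the defender's side: it audits `Set-Cookie` headers so a session cookie missing `HttpOnly` or `Secure` is flagged, builds a hardened header, and spots session IDs that have leaked into query strings. The session cookie names and the sample headers are constructed assumptions.

```python
"""Audit session-cookie hardening and URL-carried session IDs (constructed example)."""
from http.cookies import SimpleCookie
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Assumed names a site uses for its session cookie; adjust for the site being audited.
SESSION_COOKIE_NAMES = {"sessionid", "PHPSESSID", "JSESSIONID"}


def audit_set_cookie(header_value: str) -> Dict[str, List[str]]:
    """Return {cookie_name: [missing attributes]} for session cookies in one Set-Cookie value.

    Only cookies whose name is in SESSION_COOKIE_NAMES are reported; other cookies
    (themes, consent banners) are ignored so the report stays focused on the session.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    findings: Dict[str, List[str]] = {}
    for name, morsel in jar.items():
        if name not in SESSION_COOKIE_NAMES:
            continue
        missing = []
        if not morsel["httponly"]:   # script (XSS) can read the cookie via document.cookie
            missing.append("HttpOnly")
        if not morsel["secure"]:     # cookie would also be sent over plain HTTP
            missing.append("Secure")
        findings[name] = missing
    return findings


def hardened_session_cookie(name: str, value: str) -> str:
    """Build the Set-Cookie value the comment recommends: HttpOnly + Secure (plus SameSite)."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    jar[name]["samesite"] = "Strict"
    jar[name]["path"] = "/"
    return jar[name].OutputString()


def session_ids_in_url(url: str) -> List[str]:
    """Return the query parameters that carry a session ID, i.e. the copy-and-paste hazard."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return [p for p in params if p in SESSION_COOKIE_NAMES]


if __name__ == "__main__":
    # Constructed sample headers, not captured from any real site.
    print(audit_set_cookie("sessionid=abc123; Path=/"))
    print(hardened_session_cookie("sessionid", "abc123"))
    print(session_ids_in_url("https://example.test/mods?PHPSESSID=deadbeef&page=2"))
```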
URL-based session IDs led to me finding a quite substantial security hole in a popular games mod website that allowed me to modify and delete my mods without being logged in. I was also able to view my own download history, potentially very embarrassing for some people.
So yes, I can testify that in this website's case their use of session IDs in the URL during a website renovation (where people were posting their URLs on the forums to help fix bugs) led to a lot of people being made vulnerable.
I just wish they'd at least thanked me for informing them of the vulnerability...
A suggestion - rather than rating "A" through "E" why not change to the more recognizable (for US audience at least) scale of "A through F" (A/B/C/D/F) which we're all mercilessly trained to recognize through years of school grades?
"E" as your worst rating confused me at first glance - could be interpreted as "Excellent"
Yep. Especially since A/B/C/D/F is confusing to non-Americans. Here in Britain there's the Scottish and English systems, with different A-F or A-G scales.
Wait the US doesn't have an 'E'? (Is 'F' short for Fail? I thought it was just the continuation of the sequence). Regardless, at least A is best, B is worse than that, etc. which makes sense.
> Wait the US doesn't have an 'E'? (Is 'F' short for Fail? I thought it was just the continuation of the sequence)
Well, apparently it's more complicated than that. I always assumed that the lack of E was so that there would be no confusion with the ESNU system (which a number of students used to have in elementary school, but then they switch over to the A-F system in middle school). Also, many countries outside the U.S., including non-English speaking ones, use the A-F system. Still researching the origin.
I had previously believed that the A-F system was universal across the US college system, though apparently University of Arizona has the 'E' grade.
Well, I think "it depends." At my school we had E's; both E's and F's were failing, but the difference was that with E's you could make up the class in summer school, with F's you had to repeat the class the next year, and multiple F's would mean you had to repeat the grade.
In Poland, high schools have 1-6 grade scale (6 is the best), but universities have 2-5 scale (5 is the best, 2 is a failing grade). Decades ago, high schools also had 2-5 (or maybe 2-6) scale. I have no idea why the 1 grade is nonexistent.
An API and chrome addon would be very nice. I wouldn't check the site, but I would like warnings when I accessed the registration page of a bad website.
Agreed. This seems like something Mozilla should also get behind. I'd love to see this sort of information as part of the site identity dialog, which now only has SSL certificate details.
Yes. I have been in touch with the author and invited to cooperate. But... where is the code? how does it work exactly? How can it interoperate with other projects trying to back up archives of terms? etc. etc.
Suggestion: Include an "Under EU Data Protection law: all/some/none" category.
Companies in the EU are required to do various things under EU data protection law. E.g. they are legally required to protect your personal data, they can only use the personal data for things you agreed to, they must tell you what data they keep on you if you ask, if they are wrong and you tell them, they are legally required to update the data, there is a national body that is legally empowered to tell a company to stop doing a thing/delete data if they are in breach of data protection law, if they suffer a data breach they are legally required to inform users, etc. All of these things are good for users.
Some companies (e.g. those entirely in the USA) are not bound by these. Some companies (e.g. those entirely in the EU) are bound by this. Some companies (e.g. Facebook) say "If you're in the US or Canada, you're under US law, if you're anyone else, you're under EU law".
Yes. Differences between legislations is one thing that's making the task harder. I think it's better to focus on what the terms actually state. But I always keep in mind the jurisdiction under which the company operates as it can influence the meaning of the terms.
However I'd fear to get to the other extreme and to end up making a rating system saying which legislation is better than the other. It's not the scope.
One other thing: we think the terms should be self-explanatory. I don't think services should expect their users to know the EU data protection law. So it would seem smart to me that the services make a statement about them in their terms (just like they state details about their security practices, for instance).
Shouldn't "Defending your privacy in US Congress" be out of scope as well, then? It certainly isn't part of a website's terms and conditions. Plus, it's hard to judge how well those activities are going, and how committed the company is in pursuing those activities in the future.
I can see why you don't want to have dozens of different "In jurisdiction X" and then rank them, but I suggest including EU law, since it includes a large amount of pro-user stuff, and would be an easy way to know what you can do.
You're already including references to the US Congress, why not let us EU citizens have something too?
Seems a bit biased in places. One of the example sites has a big scary red X next to "Deleted images are not really deleted", despite that being an important feature for any site that lets users delete their own content.
It's one of those tradeoffs you make where you trade a tiny fraction of risk (e.g., that somebody might break into your system and steal the exact cat photo that one high profile blogger was embarrassed to have uploaded) so that you can have an easy fix for the dozens of emails you get each month from people who accidentally deleted the wrong photo and can't believe you deleted it even though I told you to and I'll sue you because that's ILLEGAL!
Definitely not worthy of a big red X against your site, since it's the only sensible choice.
They could let you delete deleted items permanently, like Dropbox does. Storing data you uploaded with no way to delete it does have privacy implications, since it may be looked at by people working there and could be a lot more sensitive than a cat photo.
I'd say a term that is more unfairly given a thumbs down is giving them a license to user content, since it's impractical to operate a user-generated content site without this.
I agree. But sometimes the copyright license conceded by the user goes way beyond what's needed for the service. Why do you give rights to sublicense and to transfer to Facebook or Twitter?
Partially necessary. And I completely agree with you. The licenses they demand are far broader than what they need, but that goes to the imbalance inherent in the relationship: big company with lots of money for lawyers versus some person just wanting to tell his friends what he had for lunch.
Since all Twitpic does is host public pictures for Tweets, I would assume as a user that if I click "Delete" then the pictures would be… well. Deleted. Having a short period to rescue the picture from a backup would be acceptable.
I don't understand your example with the "high profile blogger".
That's a common outlook to have if you've never run a site where users upload content.
In practice, if you give your users a way to damage or delete their own account, they'll do it without giving it any thought. Then they'll think about it. And they'll want to undo it.
When they don't find an "undelete" button, they'll write you an email. And if you don't have an easy switch you can flip to magically fix the problem they caused for themselves, they'll get mad at you.
So you quickly learn to just set an IsActive bit to false instead of actually deleting things. And it's not in any way a big deal for a "twitpic" style site where people are uploading things to the internet with the intention of sharing them.
My privacy policy that explains this makes a point of telling you that "If you don't want the things you upload to be on the Internet, please don't upload them to the Internet". I still field plenty of "undelete my stuff" mails, and it's nice to know that it's a 30-second fix. (And I've never once gotten a mail from an angry user because I didn't actually delete the bits from the hard drive when he hit the delete button.)
Oh please, do condescend to me about what sites I have run and which I have not, much less ones I have or have not written myself.
Look, I (and likely many others here) know what you're talking about, and it's not necessary. You can deactivate things, sure, but you can also say "This cannot be undone," and people will know what that means. Software has commonly operated this way for almost the entire GUI era (at least). These things aren't cut and dried nor required, and they are entirely the product of business rules and policies, which in your case sounds like a little bit of "blame the victim" ("well then you shouldn't have uploaded it"). Users know what a warning means in this context, though.
No condescension intended. Sorry if it came across that way.
I can only throw in my experience, which is that users of the sites I run have a history of not understanding what it means when they hit the delete button, regardless of how many warnings you give them.
As I said, it's a trade-off. The upside for the site owner is less headache and fewer angry users. The downside, at least in my experience, is nothing (apart from a red X on this website we're discussing today).
I basically agree with you that supporting undelete is a lot friendlier to 95% or more of the population. But you can get the best of both worlds by simply keeping it around for a fixed time (and letting the user know how long after they hit delete) and then hard deleting. You can even offer them a "if you didn't mean to do that, click here; if you would like to permanently delete this now, click here"
I don't think you are morally correct just because you haven't gotten any complaints.
In fact, until you make it possible for people to permanently delete things, you are not. The reason you haven't gotten any complaints is that the people who deleted things on purpose don't send you an email and don't know it can be undone.
Is it not as simple as to add a "Trash" function? It's been around on operating systems for years, everyone understands how it works and that you can restore something from the trash, but you lose it forever if you empty the trash.
Since this is something that's trivial to implement and is a UI principle that's extremely common, there is absolutely no excuse for keeping images around where the user wants to delete them. If you're annoyed at a dozen emails a month, you implement that and then you can easily respond "Wait, you sent it to trash bin, then deleted it, and NOW you change your mind?", in more polite terms.
(Edit: sorry, late for the party, I was linked here from another post on the same subject)
The only sensible choice would be to mark items as deleted for a while, say a week or two and then delete them for real. The site may even notify the user before the permanent deletion, so he/she can think twice about what to get rid of or not.
Also, this is not about whether someone steals your content but about it being your content. You should be able to do whatever you want to your content and that includes deletion.
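The "trash" model described in the two comments above (keep a soft-deleted item for a fixed window, let the user restore or hard-delete it now, then purge for real), as an added example that is not code from any site in this thread. The 14-day window, the `Upload` fields and the store API are assumptions for illustration.

```python
"""Soft delete with a retention window and a real purge (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

RETENTION = timedelta(days=14)  # assumed window; the comment suggests "a week or two"


@dataclass
class Upload:
    item_id: str
    owner: str
    blob: bytes
    deleted_at: Optional[datetime] = None  # None means active (the "IsActive" bit is set)


class UploadStore:
    """In-memory stand-in for the site's upload table; the point is the lifecycle, not storage."""

    def __init__(self, retention: timedelta = RETENTION) -> None:
        self.retention = retention
        self._items: Dict[str, Upload] = {}
        self.purged: List[str] = []  # audit trail of hard deletes

    def add(self, item_id: str, owner: str, blob: bytes) -> None:
        self._items[item_id] = Upload(item_id, owner, blob)

    def delete(self, item_id: str, now: datetime) -> datetime:
        """Soft delete: flip the item to inactive and return when it will be purged (tell the user)."""
        self._items[item_id].deleted_at = now
        return now + self.retention

    def restore(self, item_id: str, now: datetime) -> bool:
        """The 'if you didn't mean to do that' button; only works while the window is open."""
        item = self._items.get(item_id)
        if item is None or item.deleted_at is None:
            return False
        if now - item.deleted_at >= self.retention:
            return False  # window closed: treat as gone even if the purge job has not run yet
        item.deleted_at = None
        return True

    def delete_permanently(self, item_id: str) -> bool:
        """The 'permanently delete this now' button: hard delete regardless of the window."""
        if self._items.pop(item_id, None) is None:
            return False
        self.purged.append(item_id)
        return True

    def purge_expired(self, now: datetime) -> List[str]:
        """Periodic job: hard delete everything whose retention window has closed."""
        expired = [i.item_id for i in self._items.values()
                   if i.deleted_at is not None and now - i.deleted_at >= self.retention]
        for item_id in expired:
            self.delete_permanently(item_id)
        return expired

    def visible(self, owner: str) -> List[str]:
        """What the owner (and everyone else) sees: active items only."""
        return [i.item_id for i in self._items.values() if i.owner == owner and i.deleted_at is None]

    def in_trash(self, owner: str) -> List[str]:
        return [i.item_id for i in self._items.values() if i.owner == owner and i.deleted_at is not None]
```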
Some of these are a bit too terse. e.g. 500px says "Ownership". What does that mean? And why is it less worrying than twitpic's "Takes credit for your content"? (And how does that make sense? Twitpic puts the username of the uploader on each page, no?)
If you click on "Read the Details", you will see a bit of text under each point.
Ownership: The copyright license you grant to 500px is transferable and sublicensable. The copyright license is limited for use “in connection with the Services” which includes promotional uses and redistribution “to other parties, web-sites, applications, and other entities” if you are credited properly. The license on your content terminates when you remove such content.
Make each of the line items clickable to reveal the detailed info. And perhaps move the current button to the top right of the block and rename it to something like "Expand All".
It seems idealistic, but a service like this would be incredibly insightful. I only "read" (read: skim) the TOS of a select few companies (Apple, for one), so the high-level summaries shown on this landing page are immensely valuable (though the scoring system seems obtuse). Of course, now one has to worry about the objectivity of the summarizers.
Yes, trust is one problem. I think we're being objective (at least we are trying, with building a scoring system that's automatic). But for sure, we are not being neutral. We do think that tracking should always be opt-in, not opt-out.
At least, we're working in total transparency and it's an open process. I hope that helps.
Re: neutrality, I'm delighted to see that your perspectives align with mine. Dubious legal terms deserve to be called out. And the transparency is nice, but... well, if I'm too lazy to read a 50-page legal document, I hope I don't have to sift through a 50-page mailing list thread just to establish confidence in the summary of the document itself. :)
This seems like a VERY good idea! Even when I take the time to read the TOS on sites (granted, it is rare), I come away unsure that I really understand it.
This seems like an excellent way to deal with this issue too!
Fantastic to have. It is really hard for companies to offer simple legal terms, since any simplification starts to undermine the actual detailed terms. Awesome to have this from a third party.
I imagine this would be particularly valuable as a browser extension.
Given the purpose of the site and its broad potential reach (and the fact that it's not a domain that requires pushing the envelope in terms of rich user experience), I was pretty surprised to see that the entire 'Rated Services' section was a giant white block in Internet Explorer 9.
I could understand lack of support for IE7 (or perhaps crappy formatting), would raise an eyebrow at lack of support for IE8 (given the nature of the domain and that there's no compelling reason for a lack of graceful fallback in this case), but lack of IE9 support is a bit... surprising.
I certainly hope the team plans on addressing this, otherwise you're cutting a large chunk of browser users out of the picture for (from what I can see) no compelling reason related to the technical requirements of the kind of content you are delivering.
When I first loaded the page, I was unsure about whether they have no sites, i.e., whether they're just showing a proof of concept. The text said they were planning to review ToS of major sites by the middle of July, so that prompted me to fire up Opera.
If somebody wonders why I want to use IE9: easily configurable and non-obtrusive, BUILT-IN plugin blockers and ad blockers [+ do-not-track lists].
I understand that the project welcomes contributions, but who has the final say on the rating of a website? Are there any gate-keepers, and who are they?
If this site gets big, its neutrality will be questioned, and you've got to be ready with answers. I don't want to see good efforts like these go to waste.
To be fair, neither is exactly terminology familiar with the average user, who I think they're trying to reach out to here. Both are clever, but known mostly by avid Internet users or nerds.
I think ToS;DR is less nerdy. "Grok" makes me visualize gray-bearded Unix programmers, but young internet-savvy people of all stripes know what TL;DR means. Didn't 4chan popularize that abbreviation?
For those who have decent experience in machine learning (and NLP) and its theoretical foundations...isn't there enough examples of TOS and conventions of the "art" that a classifier could be built to determine restrictiveness and such? Not completely accurate, but even something that's 60% right would be a huge help to services like the OP's
I haven't read through all the comments but standardized and unbiased copy writing would really benefit the site. "Promise to inform about data requests" gets a plus while "No transparency on law enforcement requests" get a minus.
Both labels could be changed to "Notification of data requests", and a user would have the benefit of knowing you were comparing the same thing across multiple sites.
As it stands it's hard to compare a site's rating.
Another (possibly more prominent) example: Github has "You don't grant any copyright license to github", right below that SoundCloud has "You stay in control of your copyright", and below that 500px simply has "Ownership".
Assuming those all refer to the same thing (owning your data/copyright), a simple, "Copyright ownership" would be much clearer and unbiased copy.
Random gripe: if you use a different email on Gravatar than on GitHub, your Gravatar won't show up on GitHub.
It's becoming pretty standard, especially among techies, to have a unique email per site, so you can easily tell if a site is selling your address (or is a victim of a hack, like Dropbox was).
Great initiative. Can the mere length of a TOS and its complexity be a factor in the rating too? The crowd here may be able to somewhat grasp the legalese in a TOS. It's not fair to expect that from any normal visitor.
This is a very convenient service for the users, but it might raise some issues if any of these terms are ever argued in court. Defending that you read the ToS;DR and not the terms of service might not hold much water.
I think the main value here is not in court, it's giving people a better "bird's eye view" of how a service treats you and your data. From this point, you might decide:
- To cancel the service
- To not join in the first place
- To raise a collective stink about something onerous in the terms
Any of these things, in high numbers, could force a service provider to update their TOS to be more friendly. That's a pretty good outcome even if saying "but the ToS;DR said!!!" would never hold up in court or anywhere else.
This has the potential to be a great educational tool and hopefully in time will reach a wide audience.
If enough people are aware of the terms it will exert pressure on providers to be more open and reasonable with their terms.
Of course whilst many free services might argue they have more leeway in imposing stricter terms, this still doesn't justify certain treatment of users.
Providing a summary of terms in a standardised manner will also make it much clearer where one particular service deviates in an unreasonable fashion.
In particular, user data and usage of third party cookies would be two categories where it would be good to get visibility.
Given how open source projects are increasingly using GitHub as the canonical repository, I'm a bit disappointed that they can refuse you service for any reason at all. I want to believe that the GH guys are good people and were just lazy here.
So, +1 for tos-dr for letting me know, and a potential extra +1 if they help us get GH to change this policy. I'm going to let them know this matters to me, I hope others here will as well.
> I'm a bit disappointed that they can refuse you service for any reason at all.
This is actually a problem with the methodology (I think): most probably, none of the service providers pledge to provide service to you, so they can all refuse service for any reason. Github should probably get credit because at least they are honest about it.
That being said, use the same categories for each company, don't re-write the description based on how good/bad it is. It would be far more useful for creating a table (which would also be a great way to organize this information, businesses looking to improve the transparency of their ToS would need only look at top scored candidates to find inspiration).
The plan is to work with the EFF's tosback https://github.com/pde/tosback2 (they need contributors too BTW) and track changes over time so we can notify people when something wrong is going on (they'd be able to subscribe to a list of services' ToS;DR)
Yes, it's in JavaScript so not crawlable by TOSBack. The TOS is obfuscated to ... protect its privacy? So ironic coming from those who claim privacy is dead.
I have been thinking about doing something similar for quite some time now. Specifically I wanted to build a browser extension that highlights only the important parts of an agreement. And the important points will in turn be decided by the community of users, with the system keeping track of different versions of agreements and data of interest in them.
This is a great idea. The extension can be something like DIIGO does - highlight parts of the agreements that are deemed important or critical to consumer + provide snapshots of the TOS/Privacy policy whenever there are changes.
Great idea - similar to my website that got frontpaged a few weeks ago (www.tldrlegal.com). Very well done; I will definitely be using this in the future.