Loomio
Mon 24 Sep 2012

Community Terms of Service and Privacy Policy

Sean Tilley Mon 24 Sep 2012

One of the more important issues that Diaspora's community members have been concerned about is the inclusion of Terms of Service and a Privacy Policy.

Many pods at the moment have no TOS at all, and some countries require that every site hosted in their country have something. Not having clear policies in place can be problematic; more so to the point that it can create legal barriers for those that just want to host their own pod.

Here's what I think: We need a generic TOS and PP. They are important for creating a form of legal protection for podmins and users, and they also help establish the guidelines of that specific pod's culture. Some pods, like Diasp.org, don't allow for pornographic content. Of course, users can still access it by federating with other pods, but general guidelines for memberships on a pod can set a certain standard for the type of audience that uses it.

For example, a school/work-appropriate pod could be encouraged to follow a set of guidelines for language and content that sets the standard for how people interact there, but other pods geared towards different communities could have much more relaxed restrictions, or in some cases, no restrictions at all.

Of course, the Terms should also address that a podmin is not responsible for the content and users of the site, so as to produce a Safe Harbor. For that matter, it ought to also be indicated that a podmin isn't responsible for content from other pods on the network.

Jonne Haß Mon 24 Sep 2012

Sorry Sean, this feels like a duplicate of http://loom.io/discussions/728 to me (except that this one has a better title).

Sean Tilley Mon 24 Sep 2012

What would also be extremely useful is to have a system in place for podmins to easily change the TOS. I think it'd be neat to keep the generic TOS/PP in a database table as a string, or failing that, part of the app config. Modifying the terms could work like so:

  1. Podmin updates terms to the site via some field in the admin panel.

  2. As soon as the TOS is updated, all users are flagged with a simple value of true or false for a "signed-tos" variable.

  3. Users that have the value "false" are presented with a popup modal presenting the new Terms of Service, with a checkbox for a user stating that they understand and agree to the terms. In the future, it'd be nice to allow for users that disagree to still be able to export their data and photos to move to a pod with terms that they DO agree with.

  4. As soon as a user signs it, their personal value is flipped to "True", and they don't have to worry about it until the terms are updated again.
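One way to model the update-and-re-sign flow from the post above, as an added Ruby example that is not part of the original post or of Diaspora's code. It goes slightly beyond the boolean "signed-tos" flag by recording a digest of the text each user accepted, so acceptance is tied to a specific revision; the `TermsRegistry` class and all of its method names are hypothetical.

```ruby
require "digest"

# Hypothetical in-memory model; a real pod would persist this in its database.
class TermsRegistry
  Acceptance = Struct.new(:digest, :accepted_at)

  attr_reader :text, :current_digest

  def initialize(text)
    @acceptances = {} # user id => Acceptance
    publish(text)
  end

  # Steps 1-2: the podmin saves new terms. A changed digest implicitly flips
  # every user to "signed-tos = false"; no per-user write is needed.
  def publish(text)
    @text = text
    @current_digest = Digest::SHA256.hexdigest(normalize(text))
  end

  # Step 3: true means the modal must be shown to this user.
  def pending?(user_id)
    rec = @acceptances[user_id]
    rec.nil? || rec.digest != @current_digest
  end

  # Step 4: record acceptance of the exact text the user was shown.
  # A stale digest (terms changed while the modal was open) is rejected.
  def accept(user_id, shown_digest, now: Time.now.utc)
    return false unless shown_digest == @current_digest
    @acceptances[user_id] = Acceptance.new(shown_digest, now)
    true
  end

  # Users who have not agreed may still export their data, but nothing else.
  def allowed?(user_id, action)
    !pending?(user_id) || action == :export
  end

  private

  # Whitespace-only edits should not force everyone to re-sign.
  def normalize(text)
    text.strip.gsub(/\s+/, " ")
  end
end
```

Keeping the accepted digest and timestamp per user also gives the podmin a record of which revision each account agreed to.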

Sean Tilley Mon 24 Sep 2012

@Jonne: Although this too points to the need for a TOS/PP, this applies more to a project-wide support of easily being able to update the Terms of Service / Privacy Policy on any Diaspora pod, rather than illustrating that joindiaspora.com itself needs them.

Jonne Haß Mon 24 Sep 2012

Well the discussion over there went to project wide stuff pretty fast, that's why I said the title is just better here :)

tortoise Mon 24 Sep 2012

While the original discussion began with the absence of TOS/PP on JD, the proposal there actually asks for what you are discussing here. Sometimes discussions are not algorithmic! :) (I suppose I will get a beautifully friendly comment from Jonne on that.)

@Sean, these are excellent ideas. I am grateful to see some serious consideration about this. Podmins should be free to modify any TOS/PP to reflect what they deem to be fair use and fair conduct they expect on their pod, but there should be something that is actually posted and easy to find.

The boilerplate in the install sounds good (if this is what you are describing). Also how users are pinged if there is a new revision.

Might it be possible that an "auto-survey" is done on the network that shows if a TOS/PP is posted at a pod? Could there be a way this is verified with some kind of ping? The results would be posted at a neutral site, such as DiasporaFoundation, or whatever.

If a pod has one posted, the link is downloaded and a thumbs up icon is displayed. If none, then a thumbs down.

People can decide where they want to go by surveying the different pods and the variety in their TOS/PP off of one page.

Perhaps even a grid that shows "features" like Porn OK? (check). Trolling not tolerated? (check). Animated avatars? (check). OK these are just illustrations.

This reporting chart also encourages a podmin to stay on top of it. It encourages trust. If people want to go to the dark side of the tracks they certainly are free to. But at least people are better informed before they sign on to a pod.

elf Pavlik Tue 25 Sep 2012

I encourage you to collaborate on ToS topic with friends from http://tos-dr.info (of http://unhosted.org fame)

goob Tue 25 Sep 2012

Sean, your ideas look good to me on first reading. I think it would be worth developing two things (which are really two instances of the same thing):

  1. a generic, default ToS/PP for Diaspora pods, which can be adapted by podmins to suit the kind of pod they run (for instance, you mention diasp.org not allowing pornographic images);

but within this,

  2. a minimum ToS/PP, to which any pod must subscribe in order to be able to connect to the Diaspora network. In this, what are the 'deal-breakers' - such as basic respect for user privacy; not to retain a copy of user data once an account has been closed or migrated; not to harvest or retain any user data from accounts on other pods, and so on. This gives users some security, knowing that any pod they sign up to will subscribe to these minimum terms, and any pod which doesn't come up to these standards will be kicked off the network (if that's possible).

Does that make sense?

Sean Tilley Tue 25 Sep 2012

Hey Goob,

I agree that a generic, minimalistic TOS is probably fine for shipping by default, but I'm not sure about forcing pods to have a TOS to be part of the network. It just strikes me as something that is not only difficult to enforce, but it could be viewed as a restriction against the Open Web ("Accept these conditions as a podmin, or you can't federate with us.").

I think if we're going to really be a decentralized network that federates with other platforms, those kinds of restrictions are problematic in principle.

As for working with TOS;DR, I'm all for it. Maybe if we talk to them, they could set up a section for Diaspora pods or, failing that, maybe PodUptime could link to each pod's TOS through the TOS;DR service?

Jason Robinson Tue 25 Sep 2012

Yeah I would strongly be opposed personally to forcing some kind of TOS on pods. Podmins should be able to set their ToS as they wish.

goob Tue 25 Sep 2012

OK, I'm trying to think of how to prevent dodgy types setting up pods in order to harvest the personal data of unsuspecting people who sign up to their pod. It's an issue that D* has yet to address. Perhaps TOS isn't the way to approach it, but it needs to be addressed otherwise D* could become notorious as a means for criminals to harvest people's data.

goob Tue 25 Sep 2012

Of course, if someone sets up a pod just for themselves and no one else, their TOS and PP can be whatever they want.

Jason Robinson Tue 25 Sep 2012

Only public posts and posts that people share to other pods will be federated. Public posts are public so even Google can index them if it happens to find one.

AFAIK it's a security problem if someone can hack other pods' non-public posts over the federation protocol.

Jason Robinson Tue 25 Sep 2012

And also some pods might be private and still want to federate. For example our company has a pod and the ToS if there was one would be quite different from a public pod. The ToS of course is mostly governed by company NDA since the pod is company property.

Sean Tilley Tue 25 Sep 2012

@Goob: perhaps the problem of user-data harvesters is one that could be addressed by adding a list of dodgy pods to PodUpti.me, which users could give feedback on?

tortoise Tue 25 Sep 2012

I hope it is clear that I am not advocating a TOS/PP that is one-size-fits-all. But just that there IS one.

This is completely different than saying everyone must have identical TOS/PP. And I have the sentiment that that is how people are responding to the original suggestion that one is mandated if you set up a pod, in the same spirit of using the trademark. If Diaspora encourages, and this is the culture, then it will create more trust.

What I'm not clear about is what the disagreement here is. Is there a philosophical disagreement about what constitutes privacy and how important that is to give users a notice in advance before using the system (even with regards to public posts), or that it's more important to "let podmins run their pods as they like."?

If it's the former, then I have to ask, why presume that everyone wants to adopt someone else's idea of what privacy is? If it's the latter, then why is encouraging a podmin to post a TOS/PP any different than posting the D logo? How does that stymie the activity of a podmin to run their pod as he or she wants to?

Please clarify that for me?

goob Tue 25 Sep 2012

Possibly, Sean. I'm not sure what the answer is, but it's something that needs some thought given to it before D* gets much bigger.

Apologies if I've muddied the waters by suggesting it on a TOS discussion, though.

Sean Tilley Fri 5 Oct 2012

David Morley over at Diasp.org adopted the Wordpress.org, which in all honesty might not be a bad option to consider. It's under a Creative Commons license, so we're free to add additional legal code if we want to.

You can see the standard Wordpress TOS here: http://en.wordpress.com/tos/

Some things to think about:

  1. How could a TOS account for the fact that some content comes from other pods, therefore being beyond the podmin's control?

  2. What do we do about copyrighted content? Should it even be addressed?

  3. What parts of the TOS need to be flexible to provide better options for customization?

  4. If we wanted to get TOS;DR to work with us on reporting different pods' Terms of Service, what would we need to do first? Could it be something that could be linked to from PodUptime?

Dennis Schubert Sat 6 Oct 2012

We wrote some German terms of service which are proofed by two lawyers. CC-BY. Just in case somebody needs that... https://github.com/geraspora/german-terms-of-service

Sean Tilley Fri 12 Oct 2012

Wanted to bump this. I have a link to a current working draft, based entirely off of David Morley's modifications of the Wordpress TOS.

Here's what I want to get everyone thinking about: phrasing and necessary cleanup aside, what kind of modifications should we make for a general-use TOS? Should we omit items? Should we add them?

goob Tue 16 Oct 2012

Hi Sean, this looks good to me. I haven't been through it with a fine-toothed comb yet, but will do. It looks like a good starting point, though.

I think it would be worth asking someone with legal expertise in this field to have a look at it - perhaps worth doing by a shout-out via the Diaspora HQ account? Probably worth getting them to give it the once-over before we do much alteration so they can alert us to any potential issues with the ToS as it stands, and then once when we've made all our changes to make sure that there are no pitfalls left in it.

I see Dennis and co have already done this for German pod-runners, which is brilliant. It may be that we can take much of that, but if it is specific to German law it might not apply to other pods.

  1. What established services are out there which pull in data from other services? Thinking like a blog or news accumulator or similar, ones which take data from other providers. Their TsoS might give us good clues as to how we might account for the fact that content comes from various sources not all under the podmin's control. We could find out that way if there are legal pitfalls in this.

  2. Copyrighted content is an issue that does need to be addressed at some point, as if/when Diaspora gets big enough, copyright holders will start to sit up and take notice. It's something we raised with the guys when they were creating Makrio, because that's almost exclusively about content appropriated from other sources. Perhaps you could ask how they've addressed this. One way of at least mitigating it might be to code it so that if media (image/audio/video file) are embedded in Diaspora, when you move the cursor over it a pop-up appears which contains the source, where this was taken from. If the media are embedded from other sources rather than uploaded to D*'s servers, this should be possible, I'd think. I expect a disclaimer in the ToS to the effect 'please make sure you have permission from copyright holders to upload whatever to D*'s servers before doing so' would help. Embedding things such as YouTube videos where an embed code is specifically provided by the source site can't carry any copyright problems from that site - and if the content on that site (eg YouTube) is there without permission from copyright holders, that must be YouTube's problem rather than ours. But good to get a law type to look at this.

3,4. Not sure about these yet. Might have further ideas once I've read the ToS more carefully, but might not be able to do that for a while.

I could strip out references to David/diasp.org and so on from the draft, if you'd like, to generalise it, but would it be best to discuss some of the potential issues first and decide how we're going to approach it? I don't know, just thinking aloud.

I'm afraid I honestly don't know much at all about the issues brought up by writing TsoS, but hope some of these thoughts are useful.