TOS / EULA questions
0 views
Skip to first unread message
Steven Greenberg
Feb 11, 2009, 12:52:56 PM2/11/09
to dataportabi...@googlegroups.com
Our homework from the last meeting was to come up with the sorts of questions a person might want to answer when they consider joining a site. What should they know *before* they sign up?
Here are mine:
Steve
Here are mine:
- Do I need to create a new identity for this site, or can I use an existing one?
- Do I need to import information into this product, or can I have it refer to information that's stored someplace else?
- Can this site accept updates that I make on other sites?
- If I update information, is that information stored on this site or can I ask this service to store it elsewhere?
- Can I have other sites use the information that I've entered here?
- Can I download a copy of everything I've provided to this service?
- Can I download information that others have provided to the service?
- Will this site delete my account and all associated data upon my request?
Steve
Steve Repetti
Feb 11, 2009, 1:55:40 PM2/11/09
to DataPortability.General
Whoops, guess I posted mine in the wrong spot. Awesome thoughts Steve
G! Here's mine from the previous post:
The following is provided in response to a request from the Data
Portability EULA/TOS task force. The intent is to provide the basis
for conversation related to identifying and quantifying the specific
elements that might make up a user’s DP “Bill of Rights.”
[There is a great related discussion entitled "A Bill of Rights for
Users of the Social Web” (http://datasharingsummit.com/dsswiki/
index.php?title=Bill_of_Rights)
originated by Joseph Smarr, Robert Scoble, and Michael Arrington; and
signed by more than two dozen leading individuals]
More specifically, to me, when I go to a web site I should have a
reasonable expectation as to what I can and cannot due with the data
that I bring, create, or reference within the site. And, I should
also
have reasonable understanding as to what the site owners can and
cannot due with this collection of data related to me.
On the on hand, it doesn’t really matter what those boundaries are –
provided they are disclosed up front and upheld throughout my
relationship with the site. In this manner, I can make an informed
decision as to whether or not I choose to continue. On the other
hand, there must be disclosure, transparency, and accountability for
this to work.
Ideally, I would go to a web site and there would prominently sit a
Data Portability badge that identified the points of compliance in
these areas that I am most concerned about. Display of the badge
would provide the disclosure and transparency that I seek allowing me
to make an informed decision. Likewise, display of the badge would
also demonstrate accountability since the TOS identifying allowable
usage of the badge would require compliance.
Further, the badge would not likely simply state compliance or non-
compliance, rather “degrees” of participation. In a well structured
user bill of rights, it is not likely that every site I choose to
participate in will fully support every core tenant of Data
Portability. I should be able to quickly identify which of the core
elements that most interest me relevant to the site are in fact
supported by the site.
Some of the key elements in this matter are directly related to
privacy, usage, and control. From this we can then extrapolate a
series of compliance statements that hopefully begin to take the
shape
of a user’s “bill of rights.” Specifically:
Key concepts:
- Data I bring, I have the right to take away
- Data I create, I have the right to share
- I have the right to choose who can and cannot access my data
- I have the right to access my data internally and externally
Specific questions:
- User personal data is private (y/n)
- Private data is secured (y/n)
- Personal data is fully removed upon request (y/n)
- Personal data is not sold or reused without permission (y/n)
- User data is accessible outside of the website (y/n)
- User data is available using industry standard formats (which
ones)
Fringe thoughts:
- Public posts can be retracted (y/n)
- Public posts can be anonymous (y/n)
There is certainly more thought required in this area, both from me
and others. Love to get everyone else’s opinions on the matter.
-- Steve Repetti
(one of the other DP Steve's!)
On Feb 11, 12:52 pm, Steven Greenberg <green...@puzzlingevidence.net>
wrote:
> existing one?
> - Do I need to import information into this product, or can I have it
> - If I update information, is that information stored on this site or can
> - Can I download a copy of everything I've provided to this service?
> - Can I download information that others have provided to the service?
> - Will this site delete my account and all associated data upon my
> request?
>
> Steve
G! Here's mine from the previous post:
The following is provided in response to a request from the Data
Portability EULA/TOS task force. The intent is to provide the basis
for conversation related to identifying and quantifying the specific
elements that might make up a user’s DP “Bill of Rights.”
[There is a great related discussion entitled "A Bill of Rights for
Users of the Social Web” (http://datasharingsummit.com/dsswiki/
index.php?title=Bill_of_Rights)
originated by Joseph Smarr, Robert Scoble, and Michael Arrington; and
signed by more than two dozen leading individuals]
More specifically, to me, when I go to a web site I should have a
reasonable expectation as to what I can and cannot due with the data
that I bring, create, or reference within the site. And, I should
also
have reasonable understanding as to what the site owners can and
cannot due with this collection of data related to me.
On the on hand, it doesn’t really matter what those boundaries are –
provided they are disclosed up front and upheld throughout my
relationship with the site. In this manner, I can make an informed
decision as to whether or not I choose to continue. On the other
hand, there must be disclosure, transparency, and accountability for
this to work.
Ideally, I would go to a web site and there would prominently sit a
Data Portability badge that identified the points of compliance in
these areas that I am most concerned about. Display of the badge
would provide the disclosure and transparency that I seek allowing me
to make an informed decision. Likewise, display of the badge would
also demonstrate accountability since the TOS identifying allowable
usage of the badge would require compliance.
Further, the badge would not likely simply state compliance or non-
compliance, rather “degrees” of participation. In a well structured
user bill of rights, it is not likely that every site I choose to
participate in will fully support every core tenant of Data
Portability. I should be able to quickly identify which of the core
elements that most interest me relevant to the site are in fact
supported by the site.
Some of the key elements in this matter are directly related to
privacy, usage, and control. From this we can then extrapolate a
series of compliance statements that hopefully begin to take the
shape
of a user’s “bill of rights.” Specifically:
Key concepts:
- Data I bring, I have the right to take away
- Data I create, I have the right to share
- I have the right to choose who can and cannot access my data
- I have the right to access my data internally and externally
Specific questions:
- User personal data is private (y/n)
- Private data is secured (y/n)
- Personal data is fully removed upon request (y/n)
- Personal data is not sold or reused without permission (y/n)
- User data is accessible outside of the website (y/n)
- User data is available using industry standard formats (which
ones)
Fringe thoughts:
- Public posts can be retracted (y/n)
- Public posts can be anonymous (y/n)
There is certainly more thought required in this area, both from me
and others. Love to get everyone else’s opinions on the matter.
-- Steve Repetti
(one of the other DP Steve's!)
On Feb 11, 12:52 pm, Steven Greenberg <green...@puzzlingevidence.net>
wrote:
> Our homework from the last meeting was to come up with the sorts of
> questions a person might want to answer when they consider joining a site.
> What should they know *before* they sign up?
>
> Here are mine:
>
> - Do I need to create a new identity for this site, or can I use an
> questions a person might want to answer when they consider joining a site.
> What should they know *before* they sign up?
>
> Here are mine:
>
> existing one?
> - Do I need to import information into this product, or can I have it
> refer to information that's stored someplace else?
> - Can this site accept updates that I make on other sites?
> - If I update information, is that information stored on this site or can
> I ask this service to store it elsewhere?
> - Can I have other sites use the information that I've entered here?
> - Can I download a copy of everything I've provided to this service?
> - Can I download information that others have provided to the service?
> - Will this site delete my account and all associated data upon my
> request?
>
> Steve
Christian Scholz / Tao Takashi (SL)
Feb 11, 2009, 3:06:18 PM2/11/09
to dataportabi...@googlegroups.com
Hi!
--
Christian Scholz
http://mrtopf.de/blog
New Podcast: http://datawithoutborders.net
Here are my additions
Our homework from the last meeting was to come up with the sorts of questions a person might want to answer when they consider joining a site. What should they know *before* they sign up?
Here are mine:
- Do I need to create a new identity for this site, or can I use an existing one?
- Do I need to import information into this product, or can I have it refer to information that's stored someplace else?
- Can this site accept updates that I make on other sites?
- If I update information, is that information stored on this site or can I ask this service to store it elsewhere?
- Can I have other sites use the information that I've entered here?
And what control do I have about this on a detailed level. Otherwise it might be up to interpretation. So can I define controls for invidiual profile fields etc.?
- Can I download a copy of everything I've provided to this service?
And in which formats? Standards?
- Can I download information that others have provided to the service?
And how can I define what others are allowed to download from "my" data.
- Will this site delete my account and all associated data upon my request?
Another question might be what happens if data is transferred from one site to another, what sort of license can be attached to it or is it then free for all and they can export it elsewhere? How can I transmit e.g. certain controls (like only family is allowed to see it where family could be define by some URL and group protocol)?
So much for my quick thoughts.
-- Christian
Steve
--
Christian Scholz
http://mrtopf.de/blog
New Podcast: http://datawithoutborders.net
Elias Bizannes
Feb 11, 2009, 4:15:10 PM2/11/09
to dataportabi...@googlegroups.com
Draft minutes to the meeting (please review)
Attendees:
- Steve Greenberg
-Jessie Kanner
- Christian Scholz
- Phil Wolff
- Elias Bizannes
Other attendees
- Brett McDowell (via text chat)
- Recapped on last weeks agreement that we need report back in what we think are the freedoms users have
- Based discussion around Steve's submitted questions
- Elias mentioned http://opensocialweb.org/2007/09/05/bill-of-rights/ and http://bradfitz.com/social-graph-problem/
- Elias raised that what it all comes down to is the ability to use data in another system, nothing else.
- Discussion occured if deletion of data is a right
- Christian raised: http://www.raphkoster.com/gaming/playerrights.shtml
- it was clarified that the discussion is about questions people can say yes or not to, not rights. Should be as short as possible. The chair made comment that this is an optional thing for sites to support, and in no way are expected to have to adopt it - it is about a simple set of questions a person can ask when they sign up to a new service
- Jessie mentioned that the ability to delegate should be one of the expectations ie, a doctor being able to access your health data on your behalf
- Phil raised about data after your death, and whether it had scope
Output
- the following are the revised questions of the task force for consideration
- the action item is to review, tweak, consolidate, tighten and add to them by the next call
Questions
- Do I need to create a new identity for this site, or can I use an existing one?
- Do I need to import information into this product, or can I have it refer to information that's stored someplace else?
- Can this site accept updates that I make on other sites?
- If I update information, is that information stored on this site or can I ask this service to store it elsewhere?
- Can I have other sites use the information that I've entered here?
- Can I download a copy of everything I've provided to this service?
- Can I download information that others have provided to the service?
- Will this site delete my account and all associated data upon my request?
- If I am banned, can I still download my data?
- Can I delegate permissions to other agents or people?
- Can I restrict the flow of my data (ie, control only aspects of a data profile to flow to another system)
Elias Bizannes
http://liako.biz
Attendees:
- Steve Greenberg
-Jessie Kanner
- Christian Scholz
- Phil Wolff
- Elias Bizannes
Other attendees
- Brett McDowell (via text chat)
- Recapped on last weeks agreement that we need report back in what we think are the freedoms users have
- Based discussion around Steve's submitted questions
- Elias mentioned http://opensocialweb.org/2007/09/05/bill-of-rights/ and http://bradfitz.com/social-graph-problem/
- Elias raised that what it all comes down to is the ability to use data in another system, nothing else.
- Discussion occured if deletion of data is a right
- Christian raised: http://www.raphkoster.com/gaming/playerrights.shtml
- it was clarified that the discussion is about questions people can say yes or not to, not rights. Should be as short as possible. The chair made comment that this is an optional thing for sites to support, and in no way are expected to have to adopt it - it is about a simple set of questions a person can ask when they sign up to a new service
- Jessie mentioned that the ability to delegate should be one of the expectations ie, a doctor being able to access your health data on your behalf
- Phil raised about data after your death, and whether it had scope
Output
- the following are the revised questions of the task force for consideration
- the action item is to review, tweak, consolidate, tighten and add to them by the next call
Questions
- Do I need to create a new identity for this site, or can I use an existing one?
- Do I need to import information into this product, or can I have it refer to information that's stored someplace else?
- Can this site accept updates that I make on other sites?
- If I update information, is that information stored on this site or can I ask this service to store it elsewhere?
- Can I have other sites use the information that I've entered here?
- Can I download a copy of everything I've provided to this service?
- Can I download information that others have provided to the service?
- Will this site delete my account and all associated data upon my request?
- If I am banned, can I still download my data?
- Can I delegate permissions to other agents or people?
- Can I restrict the flow of my data (ie, control only aspects of a data profile to flow to another system)
Elias Bizannes
http://liako.biz
Christian Scholz / Tao Takashi (SL)
Feb 16, 2009, 4:10:36 PM2/16/09
to dataportabi...@googlegroups.com
Hi Elias, list!
just fyi: I copied your notes to the wiki.
And with the recent discussion of the Facebook TOS (I wrote about it here: http://mrtopf.de/blog/en/who-owns-your-data-facebook-does-of-course-and-now-forever/) I wonder if we not need an additional question:
Does the site own my data?
"own" of course is the human readable form of:
irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to (a) use, copy, publish, stream, store, retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame, translate, excerpt, adapt, create derivative works and distribute (through multiple tiers), any User Content you (i) Post on or in connection with the Service or the promotion thereof subject only to your privacy settings or (ii) enable a user to Post, including by offering a Share Link on your website and (b) to use your name, likeness and image for any purpose, including commercial or advertising, each of (a) and (b) on or in connection with the Facebook Service or the promotion thereof.
Which I only understand half (esp. regarding the privacy settings) anyway but at least as much as that FB has more rights to use my content than I'd like (same of course of youtube et al. except the passage where it says that this license also persists if I delete that content or leave the service completely. But the latter should be covered by a question we already have).
-- Christian
Elias Bizannes
Feb 16, 2009, 4:46:32 PM2/16/09
to dataportabi...@googlegroups.com
Thanks for raising that Christian. On a related note, I raised this with a Googler I know and apparently Google did a very similar thing for their products, but faced a massive backlash that has had them react. Google did it to protect themselves, as they potentially would get into trouble if other people used derivative work that Google had agreements promising to not redistribute.
So the reason Facebook is doing this is not because they want to own, but because they need to cover their arse's in the event of a lawsuit from either users or partners. The challenge, is trying to find a way to balance the two. The office of the general counsel will always be a step behind the developers and entrepreneurs creating new business models.
Something else relevant to our discussions
Elias Bizannes
http://liako.biz
Phil Wolff
Feb 17, 2009, 3:37:46 PM2/17/09
to DataPortability.General
Location Disclosure Questions:
In which country/countries (and states/provinces) is this site's owner
incorporated?
-- This tells me: Accessibility of legal remedies, laws governing the
company.
In which countries is my data stored?
-- A lesson from the cloud computing community: When your data leaves
your country, the country where your data is stored may define and
apply rights that don't exist in your own. For example, libel,
privacy, copyright, and free speech laws vary wildly even with the EU,
let alone the whole world. You may not want your medical records to be
arbitrarily stored outside your own country.
What options do I have for controlling where my data is stored?
- Can I choose to keep my data within my country?
- Can I choose among countries or adherents to specific treaties?
Which ones?
Are all countries receiving the same terms of service? If not, which
ones are
-- Some countries don't recognize any right of privacy from the
government.
-- e.g. China, Burma, etc.
Who owns the company?
-- This reveals: potential for bias and conflicts of interest
-- e.g. Privately held, Subsidiary of, Publicly traded
Phil
In which country/countries (and states/provinces) is this site's owner
incorporated?
-- This tells me: Accessibility of legal remedies, laws governing the
company.
In which countries is my data stored?
-- A lesson from the cloud computing community: When your data leaves
your country, the country where your data is stored may define and
apply rights that don't exist in your own. For example, libel,
privacy, copyright, and free speech laws vary wildly even with the EU,
let alone the whole world. You may not want your medical records to be
arbitrarily stored outside your own country.
What options do I have for controlling where my data is stored?
- Can I choose to keep my data within my country?
- Can I choose among countries or adherents to specific treaties?
Which ones?
Are all countries receiving the same terms of service? If not, which
ones are
-- Some countries don't recognize any right of privacy from the
government.
-- e.g. China, Burma, etc.
Who owns the company?
-- This reveals: potential for bias and conflicts of interest
-- e.g. Privately held, Subsidiary of, Publicly traded
Phil
Phil Wolff
Feb 17, 2009, 4:25:27 PM2/17/09
to DataPortability.General
Graceful Exit Questions (regarding eviction, survivor, and post-
closure rights)
EVICTION RIGHTS
What behavior would trigger your evicting me from this service?
Will you preserve my account and data if I am inactive?
What form does eviction take?
- Turn off the ability to add/modify data or correspond
- Block login to the account while preserving history
- Delete the user and their history from the space as if they never
existed
Once evicted, can an account and its history be restored?
Are evictions for a period of time or for the person's whole life?
What is the eviction process?
- What forms of notice do you give before eviction? email? phone call?
IM?
- How many warnings are given?
- How much notice is given?
- Does notice include details of an offense?
- Can corrective action change an eviction decision?
How can I appeal an eviction?
- What is the process once I've been warned?
- What is the process once I've been evicted?
- What arrangements do you have for third party mediation?
SURVIVOR RIGHTS
If I should die before your service closes:
What is the process for my estate to notify you?
What control of my data pass to my estate?
What rights to continue operating my account pass to my estate?
How can I pass my social capital to my family? My contacts, my
conversations and interactions with others, my public statements may
have sentimental, historic or economic value to my inheritors.
IN THE EVENT OF SITE CLOSURE OR OWNERSHIP TRANSFER
If your service closes before I die:
How much notice (days) will you give? What formats and channels will
you use to notify me?
In what formats will you make my data available?
With what agency will you make your archives available to members?
closure rights)
EVICTION RIGHTS
What behavior would trigger your evicting me from this service?
Will you preserve my account and data if I am inactive?
What form does eviction take?
- Turn off the ability to add/modify data or correspond
- Block login to the account while preserving history
- Delete the user and their history from the space as if they never
existed
Once evicted, can an account and its history be restored?
Are evictions for a period of time or for the person's whole life?
What is the eviction process?
- What forms of notice do you give before eviction? email? phone call?
IM?
- How many warnings are given?
- How much notice is given?
- Does notice include details of an offense?
- Can corrective action change an eviction decision?
How can I appeal an eviction?
- What is the process once I've been warned?
- What is the process once I've been evicted?
- What arrangements do you have for third party mediation?
SURVIVOR RIGHTS
If I should die before your service closes:
What is the process for my estate to notify you?
What control of my data pass to my estate?
What rights to continue operating my account pass to my estate?
How can I pass my social capital to my family? My contacts, my
conversations and interactions with others, my public statements may
have sentimental, historic or economic value to my inheritors.
IN THE EVENT OF SITE CLOSURE OR OWNERSHIP TRANSFER
If your service closes before I die:
How much notice (days) will you give? What formats and channels will
you use to notify me?
In what formats will you make my data available?
With what agency will you make your archives available to members?
Gordon Rae
Feb 18, 2009, 1:24:51 PM2/18/09
to dataportabi...@googlegroups.com
Mike Masnick posted an item on Techdirt yesterday proposing "a Creative
Commons-like standard setup for privacy policies". I think what he's talking
about is a small subset of what we're trying to accomplish.
http://techdirt.com/articles/20090216/1803373786.shtml
Gordon Rae
Commons-like standard setup for privacy policies". I think what he's talking
about is a small subset of what we're trying to accomplish.
http://techdirt.com/articles/20090216/1803373786.shtml
Gordon Rae
Reply all
Reply to author
Forward
0 new messages