As such I would actually go as far as to prefer a site that requires (first-party session) cookies to one that doesn't.
> 5 GitHub requires cookies
5: means it's a low score. So it's considered bad, but it doesn't influence very much the whole class of GitHub.
> GitHub requires cookies to work and misleads you to
> believe that you remain anonymous while cookies contain
> “unique identifiers”. However, only session cookies are
> used, not persistent cookies.
The whole discussion is here https://groups.google.com/d/topic/tosdr/gyMiAkV5ZG0/discussi...
Do you agree/disagree? We welcome contributions!
So yes, I can testify that in this website's case their use of session ids in the url during a website renovation (where people were posting their urls on the forums to help fix bugs) led to a lot of people being made vulnerable.
I just wish they'd at least thanked me for informing them of the vulnerability...
A suggestion - rather than rating "A" through "E" why not change to the more recognizable (for US audience at least) scale of "A through F" (A/B/C/D/F) which we're all mercilessly trained to recognize through years of school grades?
"E" as your worst rating confused me at first glance - could be interpreted as "Excellent"
A-E seems appropriate to me, as an English speaker. For others perhaps not.
A-E is logical I'd say.
Well, apparently it's more complicated than that. I always assumed that the lack of E was so that there would be no confusion with the ESNU system (which a number of students used to have in elementary school, but then they switch over to the A-F system in middle school). Also, many countries outside the U.S., including non-English speaking ones, use the A-F system. Still researching the origin.
I had previously believed that the A-F system was universal across the US college system, though apparently University of Arizona has the 'E' grade.
A* to E, and then an actual failure is a U, so as to not just be a continuation from E I assume.
Because most internet users aren't in the US.
Update: I guess this could be used as an API of sorts: https://raw.github.com/unhosted/ToS-DR/gh-pages/points.json
#tosdr irc channel on freenode: http://webchat.freenode.net/?channels=#tosdr
PS: hey Ben!
Let us know what you think!
Companies in the EU are required to do various things under EU data protection law. E.g. they are legally required to protect your personal data, they can only use the personal data for things you agreed to, they must tell you what data they keep on you if you ask, if they are wrong and you tell them, they are legally required to update the data, there is a national body that is legally empowered to tell a company to stop doing a thing/delete data if they are in breach of data protection law, if they suffer a data breach they are legally required to inform users, etc. All of these things are good for users.
Some companies (e.g. those entirely in the USA) are not bound by these. Some companies (e.g. those entirely in the EU) are bound by this. Some companies (e.g. Facebook) say "If you're in the US or Canada, you're under US law, if you're anyone else, you're under EU law".
However I'd fear to get to the other extreme and to end up making a rating system saying which legislation is better than the other. It's not the scope.
One other thing: we think the terms should be self-explanatory. I don't think services should expect their users to know the EU data protection law. So it would seem smart for me that the services make a statement about them in their terms (just like they state details about their security practices for instance).
You're already including references to the US Congress, why not let us EU citizens have something too?
It's one of those tradeoffs you make where you trade a tiny fraction of risk (e.g., that somebody might break into your system and steal the exact cat photo that one high profile blogger was embarrassed to have uploaded) so that you can have an easy fix for the dozens of emails you get each month from people who accidentally deleted the wrong photo and can't believe you deleted it even though I told you to and I'll sue you because that's ILLEGAL!
Definitely not worthy of a big red X against your site, since it's the only sensible choice.
I'd say a term that is more unfairly given a thumbs down is giving them a license to user content, since it's impractical to operate a user-generated content site without this.
Since all Twitpic does is hosting public pictures for Tweets, I would assume as a user that if I click "Delete" then the pictures would be… well. Deleted. Having a short period to rescue the picture from a backup would be acceptable.
I don't understand your example with the "high profile blogger".
Well...no. How is it important for a site that lets users delete their own content not delete it? Your statement is self-contradictory.
In practice, if you give your users a way to damage or delete their own account, they'll do it without giving it any thought. Then they'll think about it. And they'll want to undo it.
When they don't find an "undelete" button, they'll write you an email. And if you don't have an easy switch you can flip to magically fix the problem they caused for themselves, they'll get mad at you.
So you quickly learn to just set an IsActive bit to false instead of actually deleting things. And it's not in any way a big deal for a "twitpic" style site where people are uploading things to the internet with the intention of sharing them.
Look, I (and likely many others here) know what you're talking about, and it's not necessary. You can deactivate things, sure, but you can also say "This cannot be undone," and people will know what that means. Software has commonly operated this way for almost the entire GUI era (at least). These things aren't cut and dried nor required, and they are entirely the product of business rules and policies, which in your case sounds like a little bit of "blame the victim" ("well then you shouldn't have uploaded it"). Users know what a warning means in this context, though.
I can only throw in my experience, which is that users of the sites I run have a history of not understanding what it means when they hit the delete button, regardless of how many warnings you give them.
As I said, it's a trade off. The upside for the site owner is less headache and angry users. The downside, at least in my experience, is nothing (apart from a red X on this website we're discussing today).
You'll pay less for storage, too.
In fact, until you make it possible for people to permanently delete things, you are not. The reason you haven't gotten any complaints is that the people who deleted things on purpose don't send you an email and don't know it can be undone.
Since this is something that's trivial to implement and is a UI principle that's extremely common, there is absolutely no excuse for keeping images around where the user wants to delete them. If you're annoyed at a dozen emails a month, you implement that and then you can easily respond "Wait, you sent it to trash bin, then deleted it, and NOW you change your mind?", in more polite terms.
(Edit: sorry, late for the party, I was linked here from another post on the same subject)
Also, this is not about whether someone steals your content but about it being your content. You should be able to do whatever you want to your content and that includes deletion.
Ownership: The copyright license you grant to 500px is transferable and sublicensable. The copyright license is limited for use “in connection with the Services” which includes promotional uses and redistribution “to other parties, web-sites, applications, and other entities” if you are credited properly. The license on your content terminates when you remove such content.
At least, we're working in total transparency and it's an open process. I hope that helps.
This seems like an excellent way to deal with this issue too!
I imagine this would be particularly valuable as a browser extension.
I could understand lack of support for IE7 (or perhaps crappy formatting), would raise an eyebrow at lack of support for IE8 (given the nature of the domain and that there's no compelling reason for a lack of graceful fallback in this case), but lack of IE9 support is a bit... surprising.
I certainly hope the team plans on addressing this, otherwise you're cutting a large chunk of browser users out of the picture for (from what I can see) no compelling reason related to the technical requirements of the kind of content you are delivering.
If somebody wonders why I want to use IE9: easily configurable and non-obtrusive, BUILT-IN plugin blockers and ad blockers [+ do-not-track lists].
We would be happy to get the umbrella of a non profit org like Mozilla or the EFF.
Anyway, if you don't like our decision: you can get involved. Or you can fork it.
Edit: Take the domain and put it to good use, I no longer own it and it beats tos;dr!
Both labels could be changed to "Notification of data requests", and a user would have the benefit of knowing you were comparing the same thing across multiple sites.
As it stands it's hard to compare a site's rating.
Another (possibly more prominent) example: Github has "You don't grant any copyright license to github", right below that SoundCloud has "You stay in control of your copyright", and below that 500px simply has "Ownership".
Assuming those all refer to the same thing (owning your data/copyright), a simple, "Copyright ownership" would be much clearer and unbiased copy.
It's becoming pretty standard, especially among techies, to have a unique email per site, so you can easily tell if a site is selling your address (or is a victim of a hack, like Dropbox was).
I emailed them about it -- too bad!
- To cancel the service
- To not join in the first place
- To raise a collective stink about something onerous in the terms
Any of these things, in high numbers, could force a service provider to update their TOS to be more friendly. That's a pretty good outcome even if saying "but the ToS;DR said!!!" would never hold up in court or anywhere else.
If enough people are aware of the terms it will exert pressure on providers to be more open and reasonable with their terms.
Of course whilst many free services might argue they have more leeway in imposing stricter terms, this still doesn't justify certain treatment of users.
Providing a summary of terms in a standardised manner will also make it much clearer where one particular service deviates in an unreasonable fashion.
In particular, user data and usage of third party cookies would be two categories where it would be good to get visibility.
So, +1 for tos-dr for letting me know, and a potential extra +1 if they help us get GH to change this policy. I'm going to let them know this matters to me, I hope others here will as well.
This is actually a problem with the methodology (I think): most probably, none of the service providers pledge to provide service to you, so they can all refuse service for any reason. Github should probably get credit because at least they are honest about it.
I'll be happy to reply over there :)
(if we spread the discussion too much, it will be lost)
That being said, use the same categories for each company, don't re-write the description based on how good/bad it is. It would be far more useful for creating a table (which would also be a great way to organize this information, businesses looking to improve the transparency of their ToS would need only look at top scored candidates to find inspiration).
What's the plan as terms of service change over time? Some greens might become redundant.
Yes, the facebook TOS are difficult to archive: http://wayback.archive.org/web/*/http://www.facebook.com/leg...
issue on GH if you have a solution: https://github.com/pde/tosback2-data/issues/1
Does anyone else think TL;DR is a terrible replacement for "Abridged:" or "Summary:"?