ToS;DR — TL;DR for Terms of Service and Privacy Policy (tos-dr.info)
629 points by hugoroy on Aug 7, 2012 | 128 comments

I'd be very careful counting the requirements for cookies as a bad thing (as seen in the github section):

First-party session cookies are a totally valid use of cookies and actually help improve security, in that a session id in a cookie will never be copied & pasted by accident (it happens to URL-based session ids at times), and cookies can be marked as both httponly and secure, making it more difficult to impossible (depending on browser) to XSS the session id away.

As such I would actually go as far as to prefer a site that requires (first-party session) cookies to one that doesn't.

Thanks for your feedback. The whole explanation about cookies can be found here. Tell us what you think!

> 5 GitHub requires cookies

5 means it's a low score. So it's considered bad, but it doesn't influence the whole class of GitHub very much.

> GitHub requires cookies to work and misleads you to believe that you remain anonymous while cookies contain “unique identifiers”. However, only session cookies are used, not persistant cookies.

The whole discussion is here https://groups.google.com/d/topic/tosdr/gyMiAkV5ZG0/discussi...

Do you agree/disagree? We welcome contributions!

Not to be a stickler, just trying to help, but persistant is misspelled (persistent).

Not at all ;) thanks (not a native English speaker)

URL-based session ids led me to find a quite substantial security hole in a popular games mod website that allowed me to modify and delete my mods without being logged in. I was also able to view my own download history, potentially very embarrassing for some people.

So yes, I can testify that in this website's case their use of session ids in the URL during a website renovation (where people were posting their URLs on the forums to help fix bugs) led to a lot of people being made vulnerable.

I just wish they'd at least thanked me for informing them of the vulnerability...
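A defender-side check for the two session-id transports discussed in this comment and the earlier cookie comment, added here as an example and not part of the original thread or the ToS;DR project: audit a Set-Cookie header for the httponly and secure attributes (SameSite is included as an extra, beyond what the comment mentions), and flag access-log lines where a session id travels in a request URL or Referer. The log format, the parameter names and the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed list of parameter names commonly used for session ids.
SESSION_PARAM_NAMES = {"sid", "sessionid", "phpsessid", "jsessionid", "session"}

# Request line and Referer field of a combined-style log (constructed format).
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" \d{3} \d+ "(?P<referer>[^"]*)"'
)


def session_cookie_header(name, value):
    """Build the Set-Cookie value the comment recommends: a first-party session
    cookie (no Expires/Max-Age), HttpOnly so script cannot read it, Secure so it
    only travels over TLS. SameSite=Lax is an extra beyond the comment."""
    return f"{name}={value}; Path=/; HttpOnly; Secure; SameSite=Lax"


def audit_set_cookie(header, required=("HttpOnly", "Secure"), recommended=("SameSite",)):
    """Parse one Set-Cookie value and return (cookie_name, missing_required,
    missing_recommended). Attribute names are matched case-insensitively."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    missing_required = [a for a in required if a.lower() not in attrs]
    missing_recommended = [a for a in recommended if a.lower() not in attrs]
    return name, missing_required, missing_recommended


def find_url_session_ids(log_lines):
    """Return [(line_no, field, param)] for every request target or Referer whose
    query string carries a session-id parameter. A hit on 'target' means the site
    is handing out URL-based sessions; a hit on 'referer' shows such a URL being
    replayed in the Referer header, the same path by which it reaches other
    sites' logs when the page links out."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        match = LOG_RE.search(line)
        if not match:
            continue
        for field in ("target", "referer"):
            query = urlsplit(match.group(field)).query
            for param in parse_qs(query):
                if param.lower() in SESSION_PARAM_NAMES:
                    hits.append((line_no, field, param))
    return hits


# Constructed log lines modelled on the "session id in the URL" story above.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Aug/2012:10:00:01 +0000] "GET /mods/42 HTTP/1.1" 200 512 "-"',
    '203.0.113.5 - - [07/Aug/2012:10:00:09 +0000] "GET /mods/42/edit?sid=deadbeef1234 HTTP/1.1" 200 2048 "-"',
    '203.0.113.5 - - [07/Aug/2012:10:02:30 +0000] "GET /mods/42 HTTP/1.1" 200 512 "http://mods.example/mods/42/edit?sid=deadbeef1234"',
]

if __name__ == "__main__":
    print(audit_set_cookie(session_cookie_header("sid", "abc123")))
    print(audit_set_cookie("sid=abc123; Path=/"))
    for hit in find_url_session_ids(SAMPLE_LOG):
        print("session id in URL:", hit)
```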

Great concept and smart execution.

A suggestion - rather than rating "A" through "E" why not change to the more recognizable (for US audience at least) scale of "A through F" (A/B/C/D/F) which we're all mercilessly trained to recognize through years of school grades?

"E" as your worst rating confused me at first glance - could be interpreted as "Excellent"

I vouch for a more international 5-star system.

Yep. Especially since A/B/C/D/F is confusing to non-Americans. Here in Britain there's the Scottish and English systems, with different A-F or A-G scales.

Actually the original inspiration was https://en.wikipedia.org/wiki/European_Union_energy_label

If stars, then with the lowest grade as zero.

A-E seems appropriate to me, as an English speaker. For others perhaps not.

The stars are crucial: if we used numbers instead it would fail (some countries use 1 for best, some 5 for best).

I went to high school in Virginia where a failing grade was an E.

I'm not from the US, but doesn't F have a different meaning than A-D? I.e. it means you failed and have to do the test/project/whatever again?

A-E is logical I'd say.

Yes, Fail is right. Seems appropriate here too. I agree with the OP, A-F would work better.

Though, in colleges (at least in Minnesota), D is also usually a failing grade.

Wait the US doesn't have an 'E'? (Is 'F' short for Fail? I thought it was just the continuation of the sequence). Regardless, at least A is best, B is worse than that, etc. which makes sense.

> Wait the US doesn't have an 'E'? (Is 'F' short for Fail? I thought it was just the continuation of the sequence)

Well, apparently it's more complicated than that. I always assumed that the lack of E was so that there would be no confusion with the ESNU system (which a number of students used to have in elementary school, but then they switch over to the A-F system in middle school). Also, many countries outside the U.S., including non-English speaking ones, use the A-F system. Still researching the origin.

I had previously believed that the A-F system was universal across the US college system, though apparently University of Arizona has the 'E' grade.

At the University of Utah, we have the 'E' grade also.

Dartmouth has E as well.

Well, I think "it depends." At my school we had E's; both E's and F's were failing, but the difference was that with E's you could make up the class in summer school, with F's you had to repeat the class the next year, and multiple F's would mean you had to repeat the grade.

If what you are saying is correct then it seems like the British A-level system is almost exactly the same in terms of grades.

A* to E, and then an actual failure is a U, so as to not just be a continuation from E I assume.

In Poland, high schools have 1-6 grade scale (6 is the best), but universities have 2-5 scale (5 is the best, 2 is a failing grade). Decades ago, high schools also had 2-5 (or maybe 2-6) scale. I have no idea why the 1 grade is nonexistent.

> why not change to the more recognizable (for US audience at least)

Because most internet users aren't in the US.

An API and chrome addon would be very nice. I wouldn't check the site, but I would like warnings when I accessed the registration page of a bad website.

Agreed. This seems like something Mozilla should also get behind. I'd love to see this sort of information as part of the site identity dialog, which now only has SSL certificate details.

Update: I guess this could be used as an API of sorts: https://raw.github.com/unhosted/ToS-DR/gh-pages/points.json

I noticed that it's under the AGPL. That might be an issue for developing a Chrome plugin.

AGPL is our JS+HTML+CSS code. The data itself (JSON) is CC-BY-SA.

Would it be possible to add ixquick and webchat.freenode, as you suggest?

What do you mean?

To have ixquick privacy policies reviewed next to duckduck, and contact us via IRC (the #tosdr irc channel on freenode): http://webchat.freenode.net/?channels=#tosdr

Aaand a first version of the Chrome plugin is done. Install and try it out: https://github.com/unhosted/ToS-DR/issues/11#issuecomment-76...

PS: hey Ben!

tossos.com was built about 6 months ago. Trying to do similar things as this. It has a Chrome Plugin... check it out.

Yes. I have been in touch with the author and invited to cooperate. But... where is the code? how does it work exactly? How can it interoperate with other projects trying to back up archives of terms? etc. etc.

We now also have a first version of the Chrome extension ready to try out: https://github.com/unhosted/ToS-DR/issues/11#issuecomment-76...

Let us know what you think!

Suggestion: Include a "Under EU Data Protection law: all/some/none" category.

Companies in the EU are required to do various things under EU data protection law. E.g. they are legally required to protect your personal data; they can only use the personal data for things you agreed to; they must tell you what data they keep on you if you ask; if the data are wrong and you tell them, they are legally required to update the data; there is a national body that is legally empowered to tell a company to stop doing a thing/delete data if they are in breach of data protection law; if they suffer a data breach they are legally required to inform users; etc. All of these things are good for users.

Some companies (e.g. those entirely in the USA) are not bound by these. Some companies (e.g. those entirely in the EU) are bound by this. Some companies (e.g. Facebook) say "If you're in the US or Canada, you're under US law, if you're anyone else, you're under EU law".

Yes. Differences between legislations are one thing that's making the task harder. I think it's better to focus on what the terms actually state. But I always keep in mind the jurisdiction under which the company operates, as it can influence the meaning of the terms.

However I'd fear to get to the other extreme and to end up making a rating system saying which legislation is better than the other. It's not the scope.

One other thing: we think the terms should be self-explanatory. I don't think services should expect their users to know the EU data protection law. So it would seem smart to me for services to make a statement about it in their terms (just like they state details about their security practices, for instance).

Shouldn't "Defending your privacy in US Congress" be out of scope as well, then? It certainly isn't part of a website's terms and conditions. Plus, it's hard to judge how well those activities are going, and how committed the company is in pursuing those activities in the future.

You're right. I was actually unsure at the time. The data comes from the EFF.

I can see why you don't want to have dozens of different "In jurisdiction X" and then rank them, but I suggest including EU law, since it includes a large amount of pro-user stuff, and would be an easy way to know what you can do.

You're already including references to the US Congress, why not let us EU citizens have something too?

Seems a bit biased in places. One of the example sites has a big scary red X next to "Deleted images are not really deleted", despite that being an important feature for any site that lets users delete their own content.

It's one of those tradeoffs you make where you trade a tiny fraction of risk (e.g., that somebody might break into your system and steal the exact cat photo that one high profile blogger was embarrassed to have uploaded) so that you can have an easy fix for the dozens of emails you get each month from people who accidentally deleted the wrong photo and can't believe you deleted it even though I told you to and I'll sue you because that's ILLEGAL!

Definitely not worthy of a big red X against your site, since it's the only sensible choice.

They could let you delete deleted items permanently, like Dropbox does. Storing data you uploaded with no way to delete it does have privacy implications, since it may be looked at by people working there and could be a lot more sensitive than a cat photo.

I'd say a term that is more unfairly given a thumbs down is giving them a license to user content, since it's impractical to operate a user-generated content site without this.

I agree. But sometimes the copyright license conceded by the user goes way beyond what's needed for the service. Why do you give rights to sublicense and to transfer to Facebook or Twitter?

Details: http://tos-dr.info/topics.html#copyright-scope

So the developers who built apps that read your FB/Twitter stream are also licensed to show the content.

Not necessary (see SoundCloud for instance). The whole problem is that the copyright license is just overbroad and not limited at all.

Partially necessary. And I completely agree with you. The licenses they demand are far broader than what they need, but that goes to the imbalance inherent in the relationship: big company with lots of money for lawyers versus some person just wanting to tell his friends what he had for lunch.

You're welcome to discuss this specific point at https://groups.google.com/d/topic/tosdr/b6ryqY9NdMw/discussi...

Since all Twitpic does is hosting public pictures for Tweets, I would assume as a user that if I click "Delete" then the pictures would be… well. Deleted. Having a short period to rescue the picture from a back up would be acceptable.

I don't understand your example with the "high profile blogger".

> despite that being an important feature for any site that lets users delete their own content.

Well...no. How is it important for a site that lets users delete their own content not delete it? Your statement is self-contradictory.

That's a common outlook to have if you've never run a site where users upload content.

In practice, if you give your users a way to damage or delete their own account, they'll do it without giving it any thought. Then they'll think about it. And they'll want to undo it.

When they don't find an "undelete" button, they'll write you an email. And if you don't have an easy switch you can flip to magically fix the problem they caused for themselves, they'll get mad at you.

So you quickly learn to just set an IsActive bit to false instead of actually deleting things. And it's not in any way a big deal for a "twitpic" style site where people are uploading things to the internet with the intention of sharing them.

My privacy policy that explains this makes a point of telling you that "If you don't want the things you upload to be on the Internet, please don't upload them to the Internet". I still field plenty of "undelete my stuff" mails, and it's nice to know that it's a 30 second fix to fix it. (And I've never once gotten a mail from an angry user because I didn't actually delete the bits from the hard drive when he hit the delete button)

Oh please, do condescend to me about what sites I have run and which I have not, much less ones I have or have not written myself.

Look, I (and likely many others here) know what you're talking about, and it's not necessary. You can deactivate things, sure, but you can also say "This cannot be undone," and people will know what that means. Software has commonly operated this way for almost the entire GUI era (at least). These things aren't cut and dried nor required, and they are entirely the product of business rules and policies, which in your case sounds like a little bit of "blame the victim" ("well then you shouldn't have uploaded it"). Users know what a warning means in this context, though.

No condescension intended. Sorry if it came across that way.

I can only throw in my experience, which is that users of the sites I run have a history of not understanding what it means when they hit the delete button, regardless of how many warnings you give them.

As I said, it's a trade off. The upside for the site owner is less headache and angry users. The downside, at least in my experience, is nothing (apart from a red X on this website we're discussing today).

I basically agree with you that supporting undelete is a lot friendlier to 95% or more of the population. But you can get the best of both worlds by simply keeping it around for a fixed time (and letting the user know how long after they hit delete) and then hard deleting. You can even offer them a "if you didn't mean to do that, click here; if you would like to permanently delete this now, click here"

You'll pay less for storage, too.

I don't think you are morally correct just because you haven't gotten any complaints.

In fact, until you make it possible for people to permanently delete things, you are not. The reason you haven't gotten any complaints is that the people who deleted things on purpose don't send you an email and don't know it can be undone.

You could also delete it definitively after a certain time (say 5 days). You would get the best of both worlds.

Is it not as simple as to add a "Trash" function? It's been around on operating systems for years, everyone understands how it works and that you can restore something from the trash, but you lose it forever if you empty the trash.

Since this is something that's trivial to implement and is a UI principle that's extremely common, there is absolutely no excuse for keeping images around where the user wants to delete them. If you're annoyed at a dozen emails a month, you implement that and then you can easily respond "Wait, you sent it to trash bin, then deleted it, and NOW you change your mind?", in more polite terms.

(Edit: sorry, late for the party, I was linked here from another post on the same subject)

The only sensible choice would be to mark items as deleted for a while, say a week or two and then delete them for real. The site may even notify the user before the permanent deletion, so he/she can think twice about what to get rid of or not.

Also, this is not about whether someone steals your content but about it being your content. You should be able to do whatever you want to your content and that includes deletion.
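The retention-window design several comments above propose (mark as deleted, let the user restore within a fixed and announced window, then hard-delete, with an immediate permanent-delete option as well), as an added example that is not part of the original thread or the ToS;DR project. The seven-day window, the store shape and the sample data are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed retention window ("a week or two" in the thread).
RETENTION = timedelta(days=7)
# Constructed reference instant used by the demo below.
T0 = datetime(2012, 8, 7, tzinfo=timezone.utc)


def days(n: int) -> timedelta:
    return timedelta(days=n)


@dataclass
class Item:
    owner: str
    blob: bytes
    deleted_at: Optional[datetime] = None  # None = live; set = in the trash


class ImageStore:
    """Trash-style deletion: delete() hides an item and starts the clock,
    restore() undoes it within the window, purge() hard-deletes anything past
    it, and delete_permanently() skips the window when the user asks."""

    def __init__(self, retention: timedelta = RETENTION):
        self.retention = retention
        self._items: Dict[int, Item] = {}
        self._next_id = 1

    def upload(self, owner: str, blob: bytes) -> int:
        item_id = self._next_id
        self._next_id += 1
        self._items[item_id] = Item(owner, blob)
        return item_id

    def get(self, item_id: int) -> Optional[bytes]:
        """Public read path: a trashed item is indistinguishable from a deleted one."""
        item = self._items.get(item_id)
        if item is None or item.deleted_at is not None:
            return None
        return item.blob

    def delete(self, item_id: int, owner: str, now: datetime) -> datetime:
        """Soft-delete and return the instant after which it is gone for good,
        so the UI can tell the user how long they have to change their mind."""
        item = self._items[item_id]
        if item.owner != owner:
            raise PermissionError("not the owner")
        item.deleted_at = now
        return now + self.retention

    def restore(self, item_id: int, owner: str, now: datetime) -> bool:
        """Undelete; refused once the window has passed even if purge() has not
        run yet, so the promised deadline holds regardless of job timing."""
        item = self._items.get(item_id)
        if item is None or item.owner != owner or item.deleted_at is None:
            return False
        if now - item.deleted_at > self.retention:
            return False
        item.deleted_at = None
        return True

    def delete_permanently(self, item_id: int, owner: str) -> bool:
        """Immediate hard delete at the user's explicit request."""
        item = self._items.get(item_id)
        if item is None or item.owner != owner:
            return False
        del self._items[item_id]  # a real store would also unlink the blob and backups
        return True

    def purge(self, now: datetime) -> int:
        """Scheduled job: hard-delete everything whose window has expired."""
        expired = [i for i, it in self._items.items()
                   if it.deleted_at is not None and now - it.deleted_at > self.retention]
        for item_id in expired:
            del self._items[item_id]
        return len(expired)

    def trash(self, owner: str, now: datetime) -> List[Tuple[int, timedelta]]:
        """What the user sees in their trash: (id, time left before hard deletion)."""
        return [(i, it.deleted_at + self.retention - now)
                for i, it in self._items.items()
                if it.owner == owner and it.deleted_at is not None
                and now - it.deleted_at <= self.retention]


if __name__ == "__main__":
    store = ImageStore()
    pic = store.upload("alice", b"\x89PNG constructed")
    print("hard-delete after", store.delete(pic, "alice", T0))
    print("trash:", store.trash("alice", T0 + days(2)))
    print("purged:", store.purge(T0 + days(8)))
```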

Some of these are a bit too terse. e.g. 500px says "Ownership". What does that mean? And why is it less worrying than twitpic's "Takes credit for your content"? (And how does that make sense? Twitpic puts the username of the uploader on each page, no?)

If you click on "Read the Details", you will see a bit of text under each point.

Ownership: The copyright license you grant to 500px is transferable and sublicensable. The copyright license is limited for use “in connection with the Services” which includes promotional uses and redistribution “to other parties, web-sites, applications, and other entities” if you are credited properly. The license on your content terminates when you remove such content.

Oh, I just assumed "Read the Details" would send me to the ToS! Maybe that should be renamed too :)

I also think it's a poor choice. What do you suggest?

Make each of the line items clickable to reveal the detailed info. And perhaps move the current button to the top right of the block and rename it to something like "Expand All".

"Tell me more"?

Maybe "more details" or "expand" or just "More"?

maybe "Rationale", but that sounds complicated as well.

Yeah "Ownership" is meant as a category rather than a title. I guess I forgot to give this one a proper title. Will fix this soon.

Alright, I just think it's important not to call a copyright license "ownership".

It seems idealistic, but a service like this would be incredibly insightful. I only "read" (read: skim) the TOS of a select few companies (Apple, for one), so the high-level summaries shown on this landing page are immensely valuable (though the scoring system seems obtuse). Of course, now one has to worry about the objectivity of the summarizers.

Yes, trust is one problem. I think we're being objective (at least we are trying, with building a scoring system that's automatic). But for sure, we are not being neutral. We do think that tracking should always be opt-in, not opt-out.

At least, we're working in total transparency and it's an open process. I hope that helps.

Re: neutrality, I'm delighted to see that your perspectives align with mine. Dubious legal terms deserve to be called out. And the transparency is nice, but... well, if I'm too lazy to read a 50-page legal document, I hope I don't have to sift through a 50-page mailing list thread just to establish confidence in the summary of the document itself. :)

Shouldn't be much of a problem if the summaries quote relevant passages. You can just Ctrl-F and see if your intuition agrees with theirs.

Thank you so much for offering this service! I think the transparency is extremely important, and I am impressed with your execution so far.

How about a TOS Wiki?

This seems like a VERY good idea! Even when I take the time to read the TOS on sites (granted, it is rare), I come away unsure that I really understand it.

This seems like an excellent way to deal with this issue too!

Thanks ToS;DR!

Brilliant idea!

Fantastic to have. It is really hard for companies to offer simple legal terms, since any simplification starts to undermine the actual detailed terms. Awesome to have this from a third party.

I imagine this would be particularly valuable as a browser extension.

Good news: a first version of the Chrome/Chromium extension works! If you’d like to try it out you have to install it yourself at the moment, it’s pretty easy though: https://github.com/unhosted/ToS-DR/issues/11#issuecomment-76...

Given the purpose of the site and its broad potential reach (and the fact that it's not a domain that requires pushing the envelope in terms of rich user experience), I was pretty surprised to see that the entire 'Rated Services' section was a giant white block in Internet Explorer 9.

I could understand lack of support for IE7 (or perhaps crappy formatting), would raise an eyebrow at lack of support for IE8 (given the nature of the domain and that there's no compelling reason for a lack of graceful fallback in this case), but lack of IE9 support is a bit... surprising.

I certainly hope the team plans on addressing this, otherwise you're cutting a large chunk of browser users out of the picture for (from what I can see) no compelling reason related to the technical requirements of the kind of content you are delivering.

When I first loaded the page, I was unsure about whether they have no sites, i.e., whether they're just showing a proof of concept. The text said they were planning to review ToS of major sites by the middle of July, so that prompted me to fire up Opera.

If somebody wonders why I want to use IE9: easily configurable and non-obtrusive, BUILT-IN plugin blockers and ad blockers [+ do-not-track lists].

Thank you very much for reporting this. As we're all working on non-Windows systems, we would not have found out by ourselves!

That's my fault, and was definitely not intended, sorry. Thanks for reporting it, I'll make sure it gets fixed somehow.

It should be fixed now, hopefully.

I understand that the project welcomes contributions, but who has the final say on the rating of a website? Are there any gate-keepers, and who are they?

For the moment: anyone who can push to the 5apps.com git master branch. That is, people at http://unhosted.org

We would be happy to get the umbrella of a non-profit org like Mozilla or the EFF.

Anyway, if you don't like our decision: you can get involved. Or you can fork it.

If this site gets big, its neutrality will be questioned, and you've got to be ready with answers. I don't want to see good efforts like these go to waste.

I attempted a similar feat in 2010 with the now defunct tosgrok.com. This is a very needed service!

Edit: Take the domain and put it to good use, I no longer own it and it beats tos;dr!

To be fair, neither is exactly terminology familiar to the average user, who I think they're trying to reach out to here. Both are clever, but known mostly by avid Internet users or nerds.

I think ToS;DR is less nerdy. "Grok" makes me visualize gray-bearded Unix programmers, but young internet-savvy people of all stripes know what TL;DR means. Didn't 4chan popularize that abbreviation?

Certainly. But I think people who care what provisions the TOS of a service contain are the exception and not the average person.

I think one of the goals with providing brief, easy to read summaries can (and should) be expanding the number of people who care what is in the TOS.

For those who have decent experience in machine learning (and NLP) and its theoretical foundations... aren't there enough examples of TOS and conventions of the "art" that a classifier could be built to determine restrictiveness and such? Not completely accurate, but even something that's 60% right would be a huge help to services like the OP's.

Check out commonterms.net ;)

I haven't read through all the comments but standardized and unbiased copy writing would really benefit the site. "Promise to inform about data requests" gets a plus while "No transparency on law enforcement requests" get a minus.

Both labels could be changed to "Notification of data requests", and a user would have the benefit of knowing you were comparing the same thing across multiple sites.

As it stands it's hard to compare a site's rating.

Another (possibly more prominent) example: Github has "You don't grant any copyright license to github", right below that SoundCloud has "You stay in control of your copyright", and below that 500px simply has "Ownership".

Assuming those all refer to the same thing (owning your data/copyright), a simple, "Copyright ownership" would be much clearer and unbiased copy.

Gravatar: No Right to leave the service. Really?

Yes. Which is a bit silly, I haven't really understood their justification for it. But if they want to clear that up, it would be a good idea.

Random gripe: if you use a different email on gravatar than on github, your gravatar won't show up on github.

It's becoming pretty standard, especially among techies, to have a unique email per site, so you can easily tell if a site is selling your address (or is a victim of a hack, like Dropbox was).

I emailed them about it -- too bad!

You could register your different email again with Gravatar.

Great initiative. Can the mere length of a TOS and its complexity be a factor in the rating too? The crowd here may be able to somewhat grasp the legalese in a TOS. It's not fair to expect that from any normal visitor.

This is a very convenient service for the users, but it might raise some issues if any of these terms are ever argued in court. Defending that you read the ToS;DR and not the terms of service might not hold much water.

I think the main value here is not in court, it's giving people a better "bird's eye view" of how a service treats you and your data. From this point, you might decide:

- To cancel the service

- To not join in the first place

- To raise a collective stink about something onerous in the terms

Any of these things, in high numbers, could force a service provider to update their TOS to be more friendly. That's a pretty good outcome even if saying "but the ToS;DR said!!!" would never hold up in court or anywhere else.

This has the potential to be a great educational tool and hopefully in time will reach a wide audience.

If enough people are aware of the terms it will exert pressure on providers to be more open and reasonable with their terms.

Of course whilst many free services might argue they have more leeway in imposing stricter terms, this still doesn't justify certain treatment of users.

Providing a summary of terms in a standardised manner will also make it much clearer where one particular service deviates in an unreasonable fashion.

In particular, user data and usage of third party cookies would be two categories where it would be good to get visibility.

Given how open source projects are increasingly using GitHub as the canonical repository, I'm a bit disappointed that they can refuse you service for any reason at all. I want to believe that the GH guys are good people and were just lazy here.

So, +1 for tos-dr for letting me know, and a potential extra +1 if they help us get GH to change this policy. I'm going to let them know this matters to me, I hope others here will as well.

> I'm a bit disappointed that they can refuse you service for any reason at all.

This is actually a problem with the methodology (I think): most probably, none of the service providers pledge to provide service to you, so they can all refuse service for any reason. Github should probably get credit because at least they are honest about it.

That's a fair point. You can discuss this at https://groups.google.com/d/topic/tosdr/hI5Too_uDVk/discussi...

I'll be happy to reply over there :) (if we spread the discussion too much, it will be lost)

I like the idea and the layout is nice.

That being said, use the same categories for each company, don't re-write the description based on how good/bad it is. It would be far more useful for creating a table (which would also be a great way to organize this information, businesses looking to improve the transparency of their ToS would need only look at top scored candidates to find inspiration).

I love the color coding, makes it easy to see at a glance.

What's the plan as terms of service change over time? Some greens might become redundant.

The plan is to work with the EFF's tosback https://github.com/pde/tosback2 (they need contributors too BTW) and track changes over time so we can notify people when something wrong is going on (they'd be able to subscribe to a list of services' ToS;DR)

They should use V8 to fetch TOS so that Facebook doesn't get away with its latest TOS change.

Yes, it's in Javascript so not crawlable by TOSBack. The TOS is obfuscated to... protect its privacy? So ironic coming from those who claim privacy is dead.

tosback.org is no longer updated.

Yes, the Facebook TOS are difficult to archive: http://wayback.archive.org/web/*/http://www.facebook.com/leg... Open an issue on GH if you have a solution: https://github.com/pde/tosback2-data/issues/1

This is awesome! It would be cool if this could be turned into a browser plugin so you could see what class site you're visiting.

A first version of the Chrome extension is ready to try out. Feel free to install it and let us know what you think! :) https://github.com/unhosted/ToS-DR/issues/11#issuecomment-76...

I have been thinking about doing something similar for quite some time now. Specifically I wanted to build a browser extension that highlights only the important parts of an agreement. And the important points will in turn be decided by the community of users, with the system keeping track of different versions of agreements and data of interest in them.

We now have a first version of the Chrome/Chromium extension working! Feel free to install it and let us know what you think: https://github.com/unhosted/ToS-DR/issues/11#issuecomment-76...

This is a great idea. The extension can be something like DIIGO does - highlight parts of the agreements that are deemed important or critical to consumer + provide snapshots of the TOS/Privacy policy whenever there are changes.

Heads up – we have a first version of the Chrome extension ready to try out: https://github.com/unhosted/ToS-DR/issues/11#issuecomment-76...

Great idea - similar to my website that got frontpaged a few weeks ago (www.tldrlegal.com). Very well done; I will definitely be using this in the future.

You have a good site; shame this one came out too (for you!)

This is a related side topic (so sorry for the threadjack!):

Does anyone else think TL;DR is a terrible replacement for "Abridged:" or "Summary:"?

While checking this out I wondered whether there exists a service for generating ToS. Does that exist?

Yay! This I have been waiting for.

Would love an extension that showed a summary of a site's ToS on the sign-up page.

This is awesome.

Too long introduction; didn't Read

My preferred ToS:

Be nice.

Still don't want to read it.
