On Terms of Service, and a Global Code

Sunday, November 25, 2012

Ben Kepes


A little while ago Klint Finley wrote a post in which he profiled TOS;DR, a site that aims to give end users visibility over the terms of service of different applications. TOS;DR aims, in their own words, to:

"[create] a transparent and peer-reviewed process to rate and analyse Terms of Service and Privacy Policies in order to create a rating from Class A to Class E."

As Finley suggests, TOS;DR aims to help with what is possibly the biggest lie on the internet: the one users tell when they click that they have read, understood and accepted their provider's terms of service. The fact is that no one reads them; users simply hope for the best.

This is a topic I spent time discussing with open source proponent Dave Lane at the recent privacy summit at which we both spoke (previous coverage here). While the summit was ostensibly focused on exploring the role of privacy in the age of big data, in a panel that Lane and I took part in we discussed the impact of terms of service on the privacy and security of individuals.

I was reminded of this issue once more when I received an email from an acquaintance aghast at the terms of service that CulturedCode, creator of ThingsMac and ThingsiPhone, has users accept:

"you grant Cultured Code (and those we work with) a worldwide, non-exclusive license to use, host, store, reproduce, modify, create derivative works, communicate, publish, publicly perform, publicly display and distribute such Content, without any compensation or obligation to you. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Service, and to develop new ones."

My correspondent was uneasy, given that he uses these products for task lists, about the potential for his data to be made public. (Update: they have changed the terms as a result of customer complaints. A post in this user forum thread a few minutes ago by Werner explains the thinking both behind the original terms and the climb-down. Well done, but the broader issue still exists.)

So in light of that, one would assume that a service like TOS;DR is a good solution? Not really. It seems to me very much a case of putting the ambulance at the bottom of the cliff, dealing with the symptoms rather than the cause, or any number of other applicable metaphors.

What we really need is a groundswell towards a common code for End User License Agreements (EULAs) and Terms of Service (ToS). Ideally all of these would be written in consistent language or, even better, would use some kind of Creative Commons-like generic classification system in which different icons indicate different privacy and licensing arrangements.

Of course the other solution to these sorts of problems is an industry code of practice, something that is depressingly non-existent in most countries. Down here in New Zealand we do have a code, which I have been involved in creating. It takes a broad but valuable approach towards some of the ownership issues around ToS, and the section focusing on that issue gives users of products certified to the Code of Practice (CoP) a degree of certainty over their data:

5.3 Ownership of Information

The ownership of data and information supplied by the client to the service provider needs to be clearly disclosed, to ensure the rights to use the information are clearly understood. This section helps identify who owns client data, and data generated by the service provision.

• We do / do not claim ownership of any data or information uploaded to our service
• Your data and information may traverse or be stored on our upstream provider’s networks or systems. In these instances that provider considers the data and information that you use or transmit via our service as owned by client / service provider / upstream provider
• Meta data and other statistical information, such as anonymised data generated as a result of the use of our service, is owned by client / service provider / other and is / may be used for the purposes of …………………………………….

Clearly we are all signing up to more and more web services and entrusting our data to them. Any initiative that gives us clarity over the ownership and sharing of that data is positive, and this is a discussion that needs more exposure.

Cross-posted from Diversity
