UPDATE:
Terms of Service are now finalized and located at https://www.drupal.org/terms.
Privacy Policy is now finalized and located at https://www.drupal.org/privacy.


Almost half a year ago, with the help of the Drupal.org Content Working Group and lawyers, the Drupal Association started working on a Drupal.org Terms of Service (ToS) and Privacy Policy. After a number of drafts and rewrites, we are now ready to introduce both documents to Drupal.org users.

Why do we need a ToS?

Drupal.org has grown organically for many years. Currently the site has thousands of active users that generate lots of content every day. Our current Terms of Service are limited to a short line on the account creation form:

“Please note: All user accounts are for individuals. Accounts created for more than one user or those using anonymous mail services will be blocked when discovered.”

This line is an insufficient ToS for a website of our size. In fact, Drupal.org is probably the only website of this size that operates without a published Terms of Service. This situation is uncomfortable, and even dangerous, for both the Drupal community and the Drupal Association, which is legally responsible for Drupal.org and its contents.

In the absence of a ToS, a lot of rules—“do’s and don’ts”—regarding the website are just “common knowledge” of users who have a long memory and accounts created in the early days of Drupal.org. This might result in new users making mistakes and misbehaving only because they do not know what the unwritten rules are. Website moderators often lack guidance on how to react in specific situations, because those policies are not written anywhere. Some policies, such as the organization accounts policy or the account deletion policy, still need to be defined. Lastly, the absence of a clearly defined Terms of Service and Privacy Policy could lead to legal disputes regarding the site.

What’s next?

The new Drupal.org Terms of Service and Privacy Policy are now published for community review. We'll continue refining them based on community feedback and will announce the official implementation day separately. On that day all existing users will have to accept the ToS and Privacy Policy to continue using the website, and all new users from that day on will have to accept them upon account creation.

Click to review Drupal.org Terms of Service

Click to review Drupal.org Privacy Policy

In the future, we will make sure to keep ToS and Privacy Policy up-to-date and update them every time policies or functionality of the website changes. We will proactively notify users of all modifications to both documents.

Thanks

We’d like to thank the Drupal.org Content Working Group members and the community members who have already reviewed the proposed documents and provided us with their valuable feedback.


UPDATE: Edits to the original drafts were made on 21st of August, 2014, based on feedback in comments to this post.

UPDATE #2 (03.09.2014): We are postponing ToS/PP official launch and will come back with an updated draft shortly.

Comments

dstol:

Is there an issue queue where the community can comment on these documents?

tvn:

You can comment right here.

pwolanin:

I think this draft ToS is absurdly long and complex - it's about as friendly and accessible as a Microsoft EULA. The entire section F makes me a bit ill.

Overall, it needs to be cut to about 2 pages and kill the excessive legal boilerplate that comes across as user-hostile instead of community-enhancing.

Most of the bullets at the end of section B should go - condense them to about 3.

A ToS requirement to post in English seems misguided.

Minor, but this seems poorly worded and copy/pasted from someplace else:

The Website is operated by Drupal Association ("Company", "we" or "us")

should be more like:


The Website is operated by the Drupal Association ("Association", "we" or "us")

I would also suggest all references to "Company" be replaced by "Association"

---
Work: BioRAFT

catch:

Pretty sure I've posted in (bad) Japanese at least once on Drupal.org.

gdemet:

I agree that some of the legalese is pretty inaccessible, and one option that we discussed in the Content Working Group is having a plain language "translation" of some of the more complex sections. Is this something that would help mitigate some of your concerns?

pwolanin:

No, please make the actual policy concise and plain language. Who is this for? lawyers or our community?

---
Work: BioRAFT

lvthunder:

It's for the lawyers of course. They said in the post they were worried about legal action. Nowhere did it say the community was out of control.

Anonymous:

Plain language is inherently unclear.

HowTheMarketWorks:

I agree that the ToS is absurdly long and complex. However, I'm guessing it's all about protecting themselves. I am wondering if they actually care if anyone is reading/understanding it?

MARShot:

That is a good point. It seems ridiculous that you have to read the ToS and the ToCs but you know 90% of people don't understand what the heck it is saying.

tvn:

I would also suggest all references to "Company" be replaced by "Association"

Good point, thanks. Will replace.

dstol:

After a quick reading...

From the ToS:

General comments:

While I appreciate there was, at least, some effort to make it simpler, there are many places that make my native English, well-educated head spin with legalese. Imagine a non-native speaker reading this; it needs to be simplified and boiled down. See http://500px.com/terms for a great example of boiled down.

There are some things here that make me worried: binding 3rd party arbitration, no active notification of users of policy changes outside of a posted node. If you look at https://tosdr.org/classification.html, we are probably in the B-D range. It'd be nice if we were an A.

You will not impersonate or attempt to impersonate the Drupal Association or a Drupal Association employee, another user, or person or entity (including, without limitation, the use of email addresses or screen names associated with any of the foregoing);

  • The security team regularly impersonates "another user, or person or entity" but I would imagine there are other teams that do things as other users from time to time.

You may link to the Website, provided you do so in a way that is fair and legal and does not suggest any form of association, approval or endorsement on our part where none exists. The Website must not be framed on any other site. You agree to cooperate with us in causing any unauthorized framing or linking immediately to cease. We reserve the right to withdraw linking permission without notice.

  • Some folks are associated, core committers, infrastructure members, security team, etc. Does this mean I can't link to d.o as David Stoline, Drupal security team member?
  • "We reserve the right to withdraw linking permission without notice" is funny.

From the Privacy Policy:

General comments:
No mention of historical data being used, stored, and processed, say I change my name, company, or gender, etc.

Information from Other Sources. We may collect information about you from other third party or public sources, such as from public forums, social networks (i.e., Facebook, LinkedIn, Twitter, or others), blogs, other users, or our business partners.

  • Absolutely not. How do I opt out?

We cannot delete your personal information except by also deleting your account.

  • I understand that we might not be able to control what 3rd parties do, but say profile information or other items in our control should be removable.

catch:

Some folks are associated, core committers, infrastructure members, security team, etc. Does this mean I can't link to d.o as David Stoline, Drupal security team member?

Core committers don't have any formal association with the DA at all, so I'd assume not.

drupalshrek:

I think the http://500px.com/terms are a good way of keeping the lawyers happy and the 99% rest of us who just want the general idea.

drupalshrek

gdemet:

Yep, the 500px approach is exactly what we were thinking of.

Mile23:

Legalese is there for a reason. It's like coding standards. When you add a 'Basically...' column, you are making a second set of promises which are only tangentially related to the 'real' promises.

For instance if you look at 500px' 'User Conduct' section, it lists a bunch of things that a user shouldn't do. Then at the very bottom it says '500px reserves the right, but has no obligation, to monitor disputes between you and other users.' This is not mentioned in the 'basically...' synopsis, however. So which is wrong?

Is it better to leave that out of the synopsis? It'd be hard to add it, by saying something like, "We reserve the right to take sides with other users against you." That doesn't seem very nice. So it's omitted. Is that shady? You be the judge. :-)

tvn:

No active notification of users of policy changes outside of a posted node.

We were definitely planning to have active notification - an email to website users in addition to the blog post, Twitter, etc. Will clarify this in the ToS text. Thanks for the notice.

nerdcore:

Whenever a web site updates its ToS, it should be accompanied by active notification to its users (via email presumably) with a reasonable grace period. It's absolutely not fair to say "as of NOW, our ToS has changed" and then expect people to log in and continue using the service.

If there are material changes to the ToS, and if my use of the site constitutes acceptance (all too common), then I should be given notification with a chance to log in and delete my content before the updates are imposed. I would suggest at least 72 hours notification when material changes to the ToS are to take place.

nerdcore:

We may update or amend this Privacy Policy at any time. This Privacy Policy will reflect the date it was last updated or amended. If we make any material amendments, we will notify you by posting a notice of such amendments on this Website. All amendments will take effect immediately upon our posting of the updated Privacy Policy on this Website. Your continued use of this Website will indicate your acceptance of the changes to the Privacy Policy.

(emphasis mine)

so if I do not agree to the amendments, what recourse do I have to remove my account? Removal of my account would require accessing the Website, and thereby accepting the policy I disagree with. This makes no sense. How do I remove my account (and associated PII) without accepting the amended Policy?

tvn:

Thanks for your comments. I clarified the text around notifications. We will send an email to all user accounts in case of material changes to both ToS and Privacy policy. We will send it 72 hours prior to changes going into effect.

jpwarren00:

I think you've made a very important point about language. This TOS should definitely have a transitional project spun up to ensure everyone understands this explicit contract.

nerdcore:

The content you publish will not promote sexually explicit or pornographic material, violence, or discrimination based on race, sex, religion, nationality, disability, sexual orientation or age.

This is HILARIOUS. Clearly written by lawyers who do not understand the world wide web. If you do not notify me, I cannot be expected to remove a link, and AFAIK "linking permission" is not a thing. I'll link whatever I damned well please on my site. Full Stop.

tvn:

I removed the 'without notice' part. Of course, everyone can link to whatever site they want on the web. The specific use case we are covering here is, for example, if someone writes on their website "Drupal Association says we are the best Drupal hosting available" linking to us, we will ask them to remove the text and link.

tvn:

The security team regularly impersonates "another user, or person or entity" but I would imagine there are other teams that do things as other users from time to time.

Not really, that would mean changing someone's password and logging in to their user account, or creating a user account using someone else's name, bio, picture, etc. The security team and development teams are not doing that.

Some folks are associated, core committers, infrastructure members, security team, etc. Does this mean I can't link to d.o as David Stoline, Drupal security team member?

You can link, as long as you don't say there is association or endorsement which does not exist. E.g. if you link and say "I am a board member of this association" when you aren't. Or "Association says we are the best Drupal services company in the world", when we don't.

No mention of historical data being used, stored, and processed, say I change my name, company, or gender, etc.

I added the link to Privacy policy to say that we store all the data in our backups for 2 weeks. So if you removed something from your user profile, this data will be completely gone in 2 weeks.

Information from Other Sources.

Removed this paragraph.

but say profile information or other items in our control should be removable.

And they are removable by users themselves.

pwolanin:

The privacy policy is also so long as to be unparseable except by a legal team.

It's very wordy and has a lot of duplicate text. This should also be cut to about 1.5 pages if it's going to be meaningfully understood by any human.

---
Work: BioRAFT

hass:

...to protect data for real. Here we have much stronger protection of personal data than in the US, where the government grabs anything it can spy on. Also move the company home to DE to no longer be under Patriot Act force and to protect data. Everything else is useless, and you could also put all the data in public, as the NSA can request anything from you, including passwords.

aj045:

It's also extraordinarily costly to run a business in Germany (and Europe in general) when compared to the US. Even worse for non-profits. Not saying you're wrong about the issue of data privacy, but the decision on where to headquarter a business is a bit more complex.

lvthunder:

What data does drupal.org have that you are worried about the government getting a hold of? As far as I know everything except your password is public anyway.

Mile23:

Connection logs. Your IP. Your location. Your SSH key.

Anonymous:

They only have a public key, and even then you should really be using unique keypairs per application.

greggles:

Clarification: Your public ssh key.

hass:

Don't forget d.o SSL certificate private keys, email addresses, emails sent via the contact form, etc.

And maybe d.o collects other information in the future.

joshtaylor:

Considering that your public key is well... public ... does it really matter if it is out there?

Even github shows everyone's public keys publicly.
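As an added illustration of the "unique keypairs per application" advice in the sub-thread above (editorial example code, not anything from the post or from Drupal.org's infrastructure): one ed25519 key per service, pinned with IdentitiesOnly in ssh_config so a host is only ever offered the key meant for it. Without that setting, ssh offers every key loaded in the agent (and the default identity files) to whichever server you connect to, so each server learns all of your public keys and can correlate your accounts across services. The host names, key paths and scratch directory below are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the post or from Drupal.org: one SSH keypair per
# service, pinned with IdentitiesOnly so each host sees only its own public key.
# Host names, key paths and the scratch directory are assumptions for illustration.
set -eu

# Write an ssh_config fragment mapping each service to a dedicated key.
# $1 = path of the config file to write
write_ssh_config() {
  cat > "$1" <<'EOF'
# IdentitiesOnly stops ssh from offering every key in ~/.ssh and in the agent
# to whichever host you connect to; without it, each server learns all of your
# public keys and can correlate your accounts across services.
Host git.drupal.org
    User git
    IdentityFile ~/.ssh/id_ed25519_drupal
    IdentitiesOnly yes

Host github.com
    User git
    IdentityFile ~/.ssh/id_ed25519_github
    IdentitiesOnly yes
EOF
}

# Generate a dedicated ed25519 key for one service (needs ssh-keygen).
# $1 = private key path, $2 = comment stored in the public key
gen_service_key() {
  if ! command -v ssh-keygen >/dev/null 2>&1; then
    echo "ssh-keygen not installed; skipping $1" >&2
    return 1
  fi
  ssh-keygen -q -t ed25519 -N '' -C "$2" -f "$1"
  chmod 600 "$1"        # the private key stays on this machine
  chmod 644 "$1.pub"    # the .pub file is the only thing uploaded to the service
}

# Number of services that have their own IdentityFile in a config.
count_identities() {
  grep -c '^[[:space:]]*IdentityFile' "$1" || true
}

# Succeeds (exit 0) only if every Host stanza in the config sets IdentitiesOnly yes.
all_hosts_pinned() {
  hosts=$(grep -c '^Host ' "$1" || true)
  pinned=$(grep -c '^[[:space:]]*IdentitiesOnly[[:space:]]*yes' "$1" || true)
  [ "$hosts" -gt 0 ] && [ "$hosts" -eq "$pinned" ]
}

# Usage: build the config and, where ssh-keygen exists, the keys, in a scratch dir.
demo() {
  dir=$(mktemp -d)
  write_ssh_config "$dir/config"
  gen_service_key "$dir/id_ed25519_drupal" "drupal.org only" || true
  gen_service_key "$dir/id_ed25519_github" "github.com only" || true
  if all_hosts_pinned "$dir/config"; then
    echo "$(count_identities "$dir/config") services, each pinned to its own key (see $dir)"
  fi
}

demo
```

The generated config is what you would merge into ~/.ssh/config; only the .pub files are ever pasted into a service's SSH key settings. all_hosts_pinned is a quick lint you can run over an existing config to catch stanzas that name an IdentityFile but forgot IdentitiesOnly.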

greggles:

I suggest sorting items by relevance. For example, items A.6 and A.7 should be at the top while A.1 and A.2 can be at the bottom.

tvn:

Thanks, greggles, I moved the items you mentioned up.

dddave:

If there is no important legal reason, "Company" as a synonym for the DA has to go.
Wordings like this make this look very anti-user. Be aware that "binding arbitration" is seen by many (esp. consumer associations) as a very anti-user provision. I understand why it is there but for people who care about ToS it looks blergh (that said, I doubt most people will care).
Are these caps-lock segments really necessary?

Information from Other Sources. We may collect information about you from other third party or public sources, such as from public forums, social networks (i.e., Facebook, LinkedIn, Twitter, or others), blogs, other users, or our business partners.

I think this needs a bit more discussion. What? Why? Provide an opt-out.

The "Visiting the website from outside of the US"-segment made me smirk. Nice way to put it.

tvn:

Are these caps-lock segments really necessary?

Sadly yes :( I did ask specifically for them not being caps, seems we have to keep them.

jbrauer:

Sadly yes :( I did ask specifically for them not being caps, seems we have to keep them.

That being the case could we get an explanation of why that is? Normally this is done for no reason other than to make things look intimidating. Does it change the meaning of the words? Are these sections somehow more the terms of service than others? Can they possibly have special meaning if that special meaning isn't also explained in the document?

There are potentially both accessibility issues and issues for people who are not primarily English speakers with using this improperly formatted text. For example, the WCAG 2.0 draft contains the idea that "care in the use of all-capital letters where normal sentence case might increase comprehension".

From a quick read of a few sources like this it seems there are other means of accomplishing a requirement that certain clauses be conspicuous if that is the underlying reasoning.

--

tvn:

Making things look intimidating is definitely not our motivation. Indeed, having that specific text be conspicuous is the main reason. While I personally don't like CAPS, similar to our community, the legal community has its own standards or established ways of doing certain things. Sadly, CAPS is an established practice within the legal community for the conspicuous text requirement. Therefore, we really have to keep it. We did add a short line to explain why we have it. I hope it will look less intimidating now.

jbrauer:

I've thought a great deal about this and was going to just walk away but this particular point is indicative of much of what has gone awry in this process.

A few points:

  • Screen readers (I tested with VoiceOver) do not give the user any indication that text is "all caps" or in any other way designed to be 'conspicuous'. They can, however, note markup that is designed to make text conspicuous.
  • The text that was added incorrectly states that the lawyers made us do something. Lawyers can not make any organization do anything. Lawyers can give bad advice. They can give good advice. They can be wrong. They can be right. They cannot make anyone do anything. It is the duty of the recipient of the advice to make a choice about how to act on the advice. A more accurate statement would be that they recommended it and we, as a community, didn't do enough to make it right — that we considered that advice more important than our users, our community.
  • Lest it seem all this is just conjecture the 9th Circuit court (among many others) addressed this over a decade ago:
    “Lawyers who think their caps lock keys are instant "make conspicuous" buttons are deluded. [...] A sentence in capitals, buried deep within a long paragraph in capitals will probably not be deemed conspicuous. Formatting does matter, but conspicuousness ultimately turns on the likelihood that a reasonable person would actually see a term in an agreement. Thus, it is entirely possible for text to be conspicuous without being in capitals.”

The issue here is more than following advice that courts have already called deluded. It is indicative of this whole document, the process. I've read it several times and nowhere does it give me any impression of the Drupal community, or even the drupal.org websites being anything remotely like what I've experienced over more than a decade. Sections differentiate some members of our community for branding with a special sub-class requiring parental consent yet, COPPA, the apparent genesis of such language, explicitly does not apply to nonprofits.

For a document more than 6-months in the making to be sprung on the community and only very minor edits made in a four week period where the whole of the community is then told to take or leave it is very un-Drupal. These documents are alienating and exclusive. The Drupal community is collaborative and inclusive. A small group of well-meaning and great-hearted people working in seclusion with a cadre of lawyers cannot produce the same caliber of document as a community working together. For this community member the leap from the content working group's charter to drafting these documents is a pretty big leap. Further the group has posted no meeting minutes since April, notably in April 2014 minutes the group was discussing translating pages on the site, which would now be banned by this ToS.

Can an alienating and exclusionary ToS really be a good thing for Drupal? Where is the transparency in this process? Even with the many comments here such a tiny fraction of our community has been engaged on this discussion to make such a sweeping change. What should happen? The process should start with a community discussion aligning our goals, what is important for our ToS? What values must it include? How do we reflect the inclusive and collaborative theme of the Drupal Code of Conduct (in outline form) in a document guiding our central online "home". With this guidance in hand a small group should then work with legal counsel, association staff etc on setting forth a draft that reflects our community values.

--

tvn:

I updated both documents to replace all occurrences of 'Company' with 'Association'.

Information from Other Sources. We may collect information about you from other third party or public sources, such as from public forums, social networks (i.e., Facebook, LinkedIn, Twitter, or others), blogs, other users, or our business partners.

Since we don't actually collect or store any information about anyone, which can be found on other public sources, nor do we plan to, I removed this paragraph completely.

mpdonadio:

The ToS is missing information on how to contact someone for questions concerning the ToS, reporting ToS violations, etc.

tvn:

Good catch. Thank you!
We have contact information in Privacy policy doc only. Will copy to ToS.

tvn:

Added contact information to ToS.

Darren Oh:

I fail to see the point of much of section B.5. The point of a TOS is to define the conditions of legal use. If we try to specify illegal uses, there is no way to be sure we have provided a complete list. I suggest that we simply specify the legal jurisdiction we are operating under. Unlawful uses of a site are prohibited by definition. Even if we said an illegal use was allowed, it would still be prohibited.

Anonymous:

Hi,

Thanks for all the effort that has gone into this. The only thing that stands out to me is the procedure for changes - it says a notice will be displayed on the website and continued use of the website means acceptance of these changes. I think it should be changed to require acceptance of these changes via an 'I accept' button like most other places do. If this is going to be the case then it's not clear within the current documents.

I also agree the general tone of the documents is quite technical & terse, I understand of course the reasons for that and love the example shown from http://500px.com/terms

Steve

tvn:

Thanks, Steve. We'll clarify the wording around changes procedure.

tvn:

I clarified the wording around change notifications. We will send an email prior to any material changes taking place.

gisle:

[B.3] All code on Drupal.org is licensed under the GNU General Public License. See Licensing FAQs [https://drupal.org/licensing/faq] for more information on legal uses of Drupal.org content.

This overlaps with B.4 (which says that users need to comply with the Drupal Git Repository Usage policy), but as it currently stands, it is not even accurate. Not all code on Drupal.org is currently licensed under the GNU General Public License, see #2175005: [META] Changes are required before it will be safe to assume code from Drupal.org's git repo is really GPLv2+ or GPLv2 compatible.

The current reality is much more complex than "all code on Drupal.org is licensed under GPL". Even if we disregard the number of blatant violations of this policy that are deliberately ignored (e.g. jQuery update), we have an official whitelisting that permits non-GPL licenses that we consider compatible with GPL, so it should say: "All code on Drupal.org is licensed under the GNU General Public License or some license considered compatible with GPL".

However, there also exists non-code assets (mentioned in the Drupal Git Repository Usage policy but omitted from B.3), so to be complete, it should also mention non-code assets.

I think it will be very difficult to mirror all aspects of something as complex as Drupal Git Repository Usage policy in the ToS. Instead of presenting an inaccurate and incomplete version of it, we should just point to the Drupal Git Repository Usage policy.

In other words, I suggest that B.3 is deleted (since it is just an inaccurate version of B.4), and that the reference to the licensing FAQ is instead included in B.4. I think also B.4 can be made less oblique. In the ToS draft, it says:

[B.4] To be able to use the Drupal.org version control system you will have to accept Git access agreement and agree to Drupal Git Repository Usage policy.

While not false, this is rather oblique. What users want to do, is not "to be able to use the Drupal.org version control system", but to push to a git repo (i.e. a project or sandbox) hosted on Drupal.org. So why do we not say so. My suggestion for a revised B.4:

To upload materials to a Git repository hosted on Drupal.org, you must accept the Git access agreement and agree to the Drupal Git Repository Usage policy [https://www.drupal.org/node/1001544 ]. See the Licensing FAQs [https://drupal.org/licensing/faq ] for more information on legal uses of Drupal.org content.

- gisle
