People who regularly read my blog will notice that I started removing accounts from pages and services whose ToS and PP I do not agree with. So I decided to also read the ToS and PP of services before I create an account there. And obviously, if I do not agree with them, do not create an account there.

And if I am already reading it, I decided I may as well make the best for the community and publicly post my thoughts about them and notify the company or person who wrote them. I feel this is the only way to make a change.

So, as the first ToS and PP that I will analyse publicly, I chose those of Cherokee Market. Cherokee Market is the brand new market of the small, fast and user friendly web server Cherokee. The idea behind it is to make it dead easy to install and set up web applications (e.g. Drupal, Wordpress, Trac, Nagios) with only a few clicks directly from your web server's web interface.

Please do take notice that this is not intended as a complete review of the Cherokee Market's ToS and PP, but just my comments while I read it. You are still advised to read it yourself, as you should read any other legal contract you sign!

In short, I think Cherokee Market's ToS and PP are OK, but I would rather see some changes I commented on below, before I agree to it.

Terms of Service (December 1, 2010)

All in all, personally I think Octality's ToS regarding Cherokee Market is not bad. There are a few places below that I would like to see explained or changed and in some cases very much so.

First thing you have to take into consideration though is that some additional web applications may include additional ToS. So you have to read those too, if you want to install such apps. Also worth noting is that when the universal Cherokee Market ToS and additional web application's ToS differ, the clauses in the additional ToS override the universal ones.

In article 2.2 I find the point (B) a bit odd:

2.2 You can accept the Terms by:

(A) clicking to accept or agree to the Terms, where this option is made available to you by Octality in the user interface for any Service; or

(B) by actually using the Services. In this case, you understand and agree that Octality will treat your use of the Services as acceptance of the Terms from that point onwards.

Also, as I have previously stated regarding web services I stopped using, I have an issue with ToS that discriminate against groups of people, by arbitrarily disallowing them use. Point (b) in article 2.3 sounds a bit like that:

2.3 You may not use the Services and may not accept the Terms if (a) you are not of legal age to form a binding contract with Octality, or (b) you are a person barred from receiving the Services under the laws of the United States or other countries including the country in which you are resident or from which you use the Services.

Frankly I would very much welcome an explanation as to why what seems like US embargo (and other countries') laws apply to a service that is located in Spain. A possible explanation would be that they are trying to cover themselves wherever their service may be hosted in the cloud, just in case there is a law that prohibits some people from accessing and using such services.

The ToS includes the so far (from the users' point of view sadly) standard clauses that the service provider may at its own discretion and any time without prior notice stop or limit some services to a user or users in general.

Again, we see in article 5.2 a clear hint that user data may be exported to the US and/or other countries (outside of the EU). I would want to see this clarified further.

The geek in me is not particularly happy with the 5.3 clause which forbids connecting (or even trying to!) and using the services any other way than via the web interface, and explicitly mentions scripts as one such forbidden method. Although the clause states you may specifically get granted such a right.

In article 9.1 this is a very funny clause (same in 9.4):

You acknowledge and agree that Octality (or Octality’s licensors) own all legal right, title and interest in and to the Services, including any intellectual property rights which subsist in the Services (whether those rights happen to be registered or not, and wherever in the world those rights may exist).

How in the world can anyone claim rights and in the same sentence explicitly say that they may not exist?!?

Otherwise the copyrights of the software and content that Octality offers you on Cherokee Market via sections 9 and 10 seem to be sanely handled, if we take into account the interpretation that GPL, AGPL and other Free Software licenses take precedence over universal ToS. If, by some odd chance Octality sees this or behaves otherwise, there could be license violation issues. But personally, I think this looks OK.

In section 11 you grant Octality "a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive licence to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services", while still keeping full copyright. This section also includes that Octality may forward your content to third parties for syndication or distribute it to public networks. It always bothers me that such clauses almost never explain what such content will or may consist of. I would very much like to see a more explicit explanation of this.

Section 12 states that Cherokee Market may update the software you installed from it and you agree to it. That is pretty useful.

For what reasons Octality may and how you can stop the relationship is explained in section 13. There is nothing particularly surprising here, to be honest. Although I wonder a bit about the clause that Octality may stop serving a certain user, if it decides that they're not commercially viable to them anymore. Also it bears noting that both parties keep all already acquired rights from the agreement. Which in my understanding means in practice that if you stop using Cherokee Market, your Cherokee server should still be allowed to flawlessly continue to run the services you installed by it. But it also means that Octality keeps the copyright license on the content you contributed. Also in Section 16 it says that its policy is that repetitive (alleged) copyright (and trade mark) infringements will cause Octality to terminate your account.

Liability waiver is located in sections 14 and 15 and seems pretty standard. Basically Octality limits all its warranty and liability to the minimum legally permitted level and offers its services "as is". Also any other information or promise you get from Octality regarding warranty should broaden this. Basically you have to depend on binding local law to see what claims you have in case anything goes wrong.

Some services may be supported by showing ads, as is explained in Section 17. Octality reserves the right to change the manner, mode and extent of advertising without any notice to you, which personally I would rather see notified, but I know I'm one of the very few that care. Don't worry though, this means only that these ads will be on Cherokee Market, not your website!

Since its services may change, Octality also reserves the right to change the ToS. I am extremely happy to see that they intend to version them and keep an accessible archive of previous versions. But section 19 does not mention anything about notifying its users about the changes and since they deem that if you continue to use the services you agree to the new ToS, I would very much like to be notified beforehand about such changes! This is mentioned later in article 20.3 but as an option that Octality may do so, but is not obliged to. Also, since they plan to have a versioned archive, it would be pretty novel and nice to see side-by-side comparison and differences between the previous and current version.

Also worth noting (although also pretty common) is the fact that all daughter companies and only them are third-party beneficiaries of these ToS (article 20.6). It's a reasonable clause, but if you haven't read any ToS before, it is something that you might find new.

Also something that most people skip, because it is a) boring and b) usually the last article in a long long document is the jurisdiction and applicable law clause. Article 20.7 states that you agree that the applicable law is the law of Comunidad de Madrid, Spain (which is in the EU, in case you did not know). As I am not familiar with Spanish law, I do not know what its conflict of laws provisions mean in practice. But I suppose it is worth reading, since you agree not to use it. Also the exclusive jurisdiction is granted to the courts located within the Comunidad de Madrid, Spain regarding any provisions of the ToS (including PP). This is pretty important! I wonder though about why Octality has reserved the right to apply for injunctive remedies (or an equivalent type of urgent legal relief) in any jurisdiction.

Privacy Policy (December 1, 2010)

With Cherokee Market’s PP in general I am content. There are some bits I nitpick below, but nothing too major. Well, except that ToS mentions US law in several places, while the PP does not seem to include provisions that would safeguard export of user data to third countries. Under EU law when exporting personal data outside the EU both the exporter and importer have to meet a few criteria and the users need to agree with it (there are a few exceptions though). I would very much like to see this situation clarified in the ToS and PP.

Again you have to take into account that for some additional web applications you have to read and follow the appropriate additional PP.

Information we collect and how we use it

I am not completely happy with this bit located already in the first paragraph:

We may combine the information you submit under your account with information from other Octality services or third parties in order to provide you with a better experience and to improve the quality of our services.

But they do let you opt out in certain cases, so I guess it could be worse. Personally I still find this a bit ambiguous.

The Cherokee Market PP also mentions cookies for ad services as well as unique identification of your browser and I think we all know those can be used for profiling. Well, at least these can be (to some extent) circumvented with a sane cookie policy, ad blocker and tweaking the browser ID (if you need it). An option to disable cookies is also mentioned in the PP itself, which is kinda nifty.

This bit I also find a bit iffy:

In some cases, we may process personal information on behalf of and according to the instructions of a third party.

I can guess this clause is meant to be used just in case, but at the very least, I'd like to know about these instructions.

Choices for personal information

Nothing too odd in this section.

It's pretty cool though that they mention you can disable cookies and not submit personal data if you don't care to use the services that require it.

Another plus in my book is that it is hosted in the EU, where (currently) the privacy laws are quite a bit stricter than in e.g. the USA.

Information sharing

This section thankfully narrows down my concern from the first section.

You have to opt in to let Octality share any of your sensitive personal data (under EU law this is currently a relatively broad category) with third parties.

Octality's subsidiaries, affiliated companies and other trusted businesses or persons for the purpose of processing personal information on Octality's behalf also may have access to your personal data, but have to legally and technically use rules as strict as Octality's.

Then there's also the obvious clause about sharing data when needed because of law, court orders, violations of ToS, checking against infringements, fraud, etc. – I've seen far worse already at my relatively young age.

And I particularly like this bit:

If Octality becomes involved in a merger, acquisition, or any form of sale of some or all of its assets, we will ensure the confidentiality of any personal information involved in such transactions and provide notice before personal information is transferred and becomes subject to a different privacy policy.

Information security

Another nice feature about services hosted in the EU is that they have to state not only how they secure your personal data legally but also technically. To be honest, if I was writing the PP, I would describe it more in detail. It may be that the statement they use is deemed by (Spanish) law enough, but I feel it lacks on the technical side.

But otherwise, nothing iffy here.

Data integrity

Again, nothing iffy, but I would warmly welcome more technical details on how this data integrity is achieved. E.g. is the data backed up regularly, if so what happens with the data in the backups when the user deletes that piece of data or their whole account etc.

Accessing and updating personal information

Again, sounds reasonable enough.

But since in this section it expressly states that they deem requests concerning information residing on backup tapes as so labour intensive that they might decline to process it, it would make even more sense to explain how your personal data in the backups is handled.

Enforcement

This states where you can submit your comments and concerns about privacy and that they plan to update the PP.

Changes to this Privacy Policy

It states that any changes to the PP will be versioned by date and all the older versions will be archived and accessible to the user. It is also refreshing to see that all changes will be notified to the users and if the changes are major by more prominent notices and/or e-mail. It is also great to see that the users' privacy rights will not be reduced without their explicit consent.

Update: Sadly, with commercial support from Octality gone, Cherokee Market is no more. It was a great idea and I hope the Cherokee community picks it up someday.

