[arch-dev-public] AUR ToS: Brainstorming
Hi,

As discussed previously [1], it is high time to look into terms and conditions for the AUR. Optimally, these terms should be as short as possible with everything relevant covered. I would like to collect things we should include. A sketch of what came into my mind is given below, please complement if anything is missing. For convenience, I split the terms into ToS and a Privacy Statement.

Let us start with the ToS:

* Introduction saying that using the service means accepting the terms.
* Liability clause, say that users are responsible for uploaded content.
* Forbid to upload unlawful, harmful or copyrighted content.
* Explicitly forbid illegal software copies and malware.
* Licensing of things uploaded to the AUR.
* Notes on what happens when the ToS are changed.
* Notes on what happens when the AUR is shut down.

Things that should be covered in the Privacy Statement:

* What kind of personal information we collect and where it is stored.
* How the information is used.
* Notes on what happens when there are changes to the Privacy Statement.

More explicitly, we should explain what is stored as part of the web server logs, that we store the personal information provided voluntarily upon account registration and that we store the time stamp and the public IP address of the last login in the database. Maybe also add some note on cookies.

We should explain that content transmitted with a registered account is public (including, but not limited to, user names, the full Git history of packages, the content of comments and the content of package requests). Additional personal information provided voluntarily upon registration, such as the real name, is visible to all registered users. This also applies to email addresses, unless one explicitly makes use of the option to hide it in the account settings. We should also mention that the email address is always visible to the staff, including Trusted Users and developers, even if this option is enabled.

Then, some paragraph that we will not disclose any other personal information that is collected apart from the usual exceptions.

Am I missing anything?

It would be awesome to have some volunteer writing a first draft of these two documents. Preferably somebody who is a native speaker and has *some* experience with this kind of legal stuff. If nobody else steps up, I will give it a try myself even though I have neither of these two requirements/skills.

It might also be helpful to look for some (public domain) templates of sentences we might reuse.

As mentioned in the other thread, we should also agree on whether we want the final terms be checked by a lawyer.

Regards,
Lukas

[1] https://lists.archlinux.org/pipermail/arch-dev-public/2017-March/028726.html
[IANAL, the following is not legal advice]

On Fri, Mar 24, 2017 at 9:03 PM, Lukas Fleischer <lfleischer@archlinux.org> wrote:
> Let us start with the ToS:
>
> * Introduction saying that using the service means accepting the terms.
> * Liability clause, say that users are responsible for uploaded content.
> * Forbid to upload unlawful, harmful or copyrighted content.
> * Explicitly forbid illegal software copies and malware.
> * Licensing of things uploaded to the AUR.
> * Notes on what happens when the ToS are changed.
> * Notes on what happens when the AUR is shut down.
>
> Things that should be covered in the Privacy Statement:
>
> * What kind of personal information we collect and where it is stored.
> * How the information is used.
> * Notes on what happens when there are changes to the Privacy Statement.

A privacy policy and terms of service should definitely be separate. The privacy policy should be an informational document for users and visitors, which details just like you said what personal information is collected, what tracking information is collected, IP addresses, server logs, etc; how long that information is retained, whether it's shared with anyone (directly or indirectly as part of some third party web service usage...), and so on.

The privacy policy is not a document users generally need to *agree to* as it's informational only, but it is safe to have a clause in the TOS requiring users to say they have read and understood the privacy policy.

To add to the terms of service:

1. A DMCA policy. It's already policy afaik that copyrighted assets cannot be distributed on the AUR. I invite you to set up dmca@archlinux.org and enact a policy similar to this one: https://github.com/HearthSim/legal/blob/master/TERMS.md#9-digital-millennium... It doesn't *have* to be part of the terms of service (users don't need to agree to it), it can be a separate document, but it often is and I highly recommend taking care of that at the same time regardless while you're taking care of legal documents, as it's bound to come up at some point.

2. Ensure that any user input (including comments, package metadata etc) is covered under the TOS. TOS documents generally have very broad wording which covers essentially everything the user can put into a site, so that you don't have to change the terms every time a new feature is added to the AUR.

3. Ensure that there are usage limits for the API, crawling the site, etc. Clearly state that users can be banned if they are found to be acting maliciously or abusively.

4. Ensure volunteer staff, trusted users etc are not liable for the actions of users. The TOS should protect Arch Linux and all its volunteers and/or paid staff.

> Am I missing anything?
>
> It would be awesome to have some volunteer writing a first draft of these two documents. Preferably somebody who is a native speaker and has *some* experience with this kind of legal stuff. If nobody else steps up, I will give it a try myself even though I have neither of these two requirements/skills.
>
> It might also be helpful to look for some (public domain) templates of sentences we might reuse.

I can't afford the time to write one, but I can volunteer some to review drafts. Starting from an existing document is a good idea - I highly recommend the Automattic Terms of Service: https://en.wordpress.com/tos/

They are CC-BY-SA, very reasonable and apply quite nicely to Arch. Strike the sections that don't apply, rewrite the ones that do.

Additionally, I HIGHLY recommend this to be a general document that applies not just to the AUR but to the Arch Linux web properties. You can have users only agree to it when using the AUR if you wish, but it's very useful to have a single policy and not deal with a dozen different ones. I would recommend enacting them for the arch forums as well, FWIW.

> As mentioned in the other thread, we should also agree on whether we want the final terms be checked by a lawyer.

YES. Get the document reviewed by a lawyer, 100%. This is a document that should/will legally protect Arch and the people involved in Arch. Make sure it's good.

> Regards,
> Lukas
>
> [1] https://lists.archlinux.org/pipermail/arch-dev-public/2017-March/028726.html

J. Leclanche

Participants (2): Jerome Leclanche, Lukas Fleischer