Please fix your Mastodon instances' Privacy Policies
====================================================

An open letter to Mastodon instance administrators.

Dear Instance Admins,

I recently noticed that many of you managed to carefully craft your instances'
community guidelines (or "code of conduct") -- I absolutely welcome the
efforts you made on these particular documents. However, I also noticed that most
of you haven't changed a thing in your Privacy Policy document and are still
using Mastodon's default. And while I appreciate Gargamel's intention not to
ship his software without such a document, if left untouched your instances'
privacy policies scare me to death.

The explanation is simple: many of us left Twitter and joined the Mastodon
community because we were fed up with how Twitter handles our data and erodes
our online privacy. Mastodon gave us the hope that we can regain control over
whom we give our data to, and that we'll know what can and will happen to our
data. With you using the default Privacy Policy, we are nowhere near that
desired knowledge.

Mastodon's default document is full of "may-s" (and therefore also "may not-s"):
it is unable to provide a deeper understanding of how you'll handle our (your
users') data, nor is it able to reassure us that our data is in good hands.
Many of us users converse daily with you and even believe that you are on the
right side of this matter; it is now time to prove it.

Please fix your instances' Privacy Policies as soon as possible.

If you prefer the short version, here you go: "I, as a user, by reading the
Privacy Policy of the instance, would like to know *exactly* what kind of data
you collect about me and how *exactly* you are using that data".

To clarify my problem here, let's walk through the default document hand in
hand. I'll indicate the most problematic pain points by _underlining them_, and
explain my concerns afterwards. I will not correct the problematic parts, as I
strongly believe that each instance should craft its own document, since all of
you operate your instances by your own measures. However please feel free to
contact me[0] if you need my contribution for creating your PPs.

That being said, here we go.

---

"What information do we collect?

We collect information from you when you register on our site and gather
data when you participate in the forum by reading, writing, and evaluating the
content shared here.

When registering on our site, _you may be asked to enter your name and
e-mail address_. You may, however, visit our site without registering. Your
e-mail address will be verified by an email containing a unique link. If that
link is visited, we know that you control the e-mail address.

When registered and posting, we record the IP address that the post
originated from. We also _may retain server logs_ which include the IP address
of every request to our server."

---

As far as I understand, Mastodon's default Privacy Policy was derived from the
corresponding Discourse document[1] (lines 3185 and onward). However, we never
considered Mastodon to be a "forum" -- even Mastodon doesn't refer to itself as
a "forum"; it is a microblogging service. The initial statement about data
collection should *clearly refer* to the service, which is definitely not a
forum.

About entering your name upon registering: no, you may not be asked for that.
There isn't even a form field for it. Users can derive their handles and/or
email addresses from their names, but this is fully up to the user. By default,
the admins only become aware of my real name if I, e.g., use the handle
"adam.paszternak" or provide an email address like "adam.paszternak at
whatever". If any of you actually modified the registration form to ask for the
name of the user, state it without "may". Also, you *do* ask for an email
address, so again: there is no need for a "may" here.

About retaining server logs: you either keep them, or you have a zero-logging
policy on your instance. Please don't tell me you "may retain logs" -- do you
actually retain them or not? If you do, what *exactly* do you log? I'd assume my
IP address and the exact timestamp of my actions at the very least. Please
investigate your logfiles and/or logging policy and reflect your findings as
facts in your instance's Privacy Policy.

---

"What do we use your information for?

Any of the information we collect from you _may be used_ in _one of the
following ways_:

* To personalize your experience — your information helps us to better
respond to your individual needs.

* To improve our site — we continually strive to improve our site offerings
based on the information and feedback we receive from you.

* To improve customer service — your information helps us to more effectively
respond to your customer service requests and support needs.

* To send periodic emails — The email address you provide may be used to
send you information, notifications that you request about changes to topics or
in response to your user name, respond to inquiries, and/or other requests or
questions."

---

Again, "may". Do you actually use my data to carry out any of the listed
actions? If so, which data, to carry out which action, and how exactly? Also,
you probably use my data for *more than one of those*, so instead of "one of",
please state "any of". Remove all points that are not applicable from the list,
and add any additional purposes you actually use my data for.

---

"How do we protect your information?

We implement a _variety of security measures_ to maintain the safety of your
personal information when you enter, submit, or access your personal
information."

---

This is nice, however my imagination is a bit... well, weird sometimes. I'd
assume you spill the blood of a black rooster upon your servers once a week
(which would be a perfectly valid countermeasure for instances like
"witches.town[2]"). If this is not the case, please name your "security
measures" at least on a low level to reassure me that you are taking good care
of my data. If you only use Mastodon's built-in security functions, state that
as well.

---

"What is _your_ data retention policy?

We will make _a good faith effort_ to:

* Retain server logs containing the IP address of all requests to this
server _no more than_ 90 days.

* Retain the IP addresses associated with registered users and their posts _no
more than_ 5 years."

---

About *my* data retention policy: well, I don't have one. See the previous
questions? Those refer to instance admins as "we" ("we use...", "we
protect..."). Here the document switches to "FAQ mode", referring to the
admins as "you" ("your... policy"). Don't do this. Stick to "we" ("What is *our*
data retention policy?").

Also, when driving my Corolla, I make "a good faith effort" not to run over
someone. I am mostly successful in this effort, but, you know, shit happens: a
pedestrian can jump in front of me or something. This is called an accident. On
the other hand, I have never seen any logfiles jumping out of the way of your
flush cron or whatever. So let's make this clear.

* Do you retain server logs?

* If so, do you flush them regularly?

* If so, how often does your flush job run?

* Do you use Mastodon's defaults (which are probably 90 days and
5-holy-shit-years for logs and IPs respectively)?

As you might keep other types of logs, don't forget to actually name the kinds of
logs you keep and also state their flush intervals. And please don't give me the
"good faith effort" BS. This is a Yoda thing: you're not trying here, you either
do it or you don't[3]. It's as simple as that.
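One way to answer the questions above with facts rather than "good faith" is to check the disk against the number the policy states. The following POSIX shell audit is an added example and not part of this letter or of Mastodon; the log directory and the 90-day figure are assumptions taken from the default policy text, and the sample files it creates are constructed.

```shell
#!/bin/sh
# Added example: compare a stated retention period against what is on disk.
# The log directory and the 90-day figure are assumptions taken from the
# default policy text; the sample files below are constructed for the demo.

# Print, one per line, every file under DIR whose modification time is older
# than DAYS days. Prints nothing when the stated retention is being honoured.
# Note: find checks the file's mtime, not the dates written inside the lines.
logs_older_than() {
    dir=$1
    days=$2
    find "$dir" -type f -mtime +"$days" | sort
}

# Same check as a number, so it can be used in a yes/no policy verdict.
count_logs_older_than() {
    logs_older_than "$1" "$2" | wc -l | tr -d ' '
}

# Verdict: exit status 0 if no file exceeds DAYS, 1 otherwise. Suitable as a
# cron job that warns the admin when the policy and reality drift apart.
check_retention() {
    n=$(count_logs_older_than "$1" "$2")
    if [ "$n" -eq 0 ]; then
        echo "OK: nothing in $1 is older than the $2 days the policy states"
        return 0
    fi
    echo "MISMATCH: $n file(s) in $1 are older than the $2 days the policy states"
    return 1
}

# Constructed sample: one current access log and one rotated log whose
# mtime is forced back to 2017, i.e. far beyond a 90-day retention.
make_sample_logs() {
    dir=$(mktemp -d)
    printf '203.0.113.7 - - [01/Jan/2017:00:00:00 +0000] "GET / HTTP/1.1" 200\n' \
        > "$dir/access.log"
    printf '198.51.100.9 - - [02/Jan/2017:00:00:00 +0000] "GET /about HTTP/1.1" 200\n' \
        > "$dir/access.log.1"
    touch -t 201701010000 "$dir/access.log.1"   # stale rotated log
    printf '%s\n' "$dir"
}

# Stand-alone run: audit the constructed directory against a 90-day policy.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_logs)
    check_retention "$d" 90
    rm -r "$d"
fi
```

Run it with `--demo` to see the mismatch verdict on the constructed directory; point `check_retention` at your real log directory and your stated figure to audit an instance.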

---

"Do we use cookies?

Yes. Cookies are small files that a site or its service provider transfers
to your computer's hard drive through your Web browser (if you allow). These
cookies enable the site to recognize your browser and, if you have a registered
account, associate it with your registered account.

We use cookies to understand and save your preferences for future visits and
compile aggregate data about site traffic and site interaction so that we can
offer better site experiences and tools in the future. We _may contract with
third-party service providers to assist us in better understanding our site
visitors_. These service providers are not permitted to use the information
collected on our behalf _except to help us conduct and improve our business_."

---

So, a straightforward question to start with: do you have any contract with any
third-party service provider? If you do, name them and state *exactly* what kind
of data associated with me or with my activity is handed over to that particular
third-party service provider. If you don't have such a contract, remove this
clause. Your Privacy Policy should reflect your *current* data handling policy,
and there is -- again -- no place for "may-s" and "we will probably have such a
contract in the future-s".

Also, if/when you involve third-party providers, it would be nice to know what
kind of data they use and what exactly is done with it to "conduct and improve
your business". Remember, Twitter calls personalized ads a "feature" and an
"improved user experience" -- if you involve, e.g., marketing agencies, please
state that "improving your business" means for example "better targeted ads".

Furthermore: does your hosting provider (if you have one) have access to your
logfiles, or are those encrypted by default meaning that only you can access
them? Because you actually have a contractual relationship with your hosting
provider and it is definitely a third-party entity. So either make sure that
they have no access to your logs, or please do make at least a note about this.

---

"Do we disclose any information to outside parties?

We do not sell, trade, or otherwise transfer to outside parties your
personally identifiable information. This does not include _trusted third
parties who assist us in operating our site, conducting our business, or
servicing you_, so long as those parties _agree to keep this information
confidential_. We may also release your information when we believe release is
appropriate to comply with the law, enforce our _site policies_, or protect ours
or others rights, property, or safety. However, _non-personally identifiable
visitor information may be provided to other parties for marketing, advertising,
or other uses_."

---

Now, this is a heavy one. As discussed above, state whether you actually involve
such third-party entities. Also state whether you have a clause about data
confidentiality in your contract. Assistance in "operating our site" covers the
above-mentioned case of hosting providers. Check their Terms of Service and
Privacy Policy regarding client data, and refer to them as part of your own Policy.

Check what kinds of policies you actually have. Do you have "Community
Guidelines" as well as "Terms of Service"? Refer to the one(s) whose enforcement
may lead to my information being released (and to whom). Also please describe the
"non-personally identifiable visitor information" if such information is released
for whatever uses (there is no such thing as "other uses" -- what are those?).

---

"Third party links

Occasionally, _at our discretion, we may include or offer third party
products or services_ on our site. These third party sites have separate and
independent privacy policies. We therefore have no responsibility or liability
for the content and activities of these linked sites. Nonetheless, we seek to
protect the integrity of our site and welcome any feedback about these sites."

---

Fair enough. But do you actually offer that kind of third-party products and
services? As discussed above: your Privacy Policy should reflect your *current*
data handling policy.

Don't "may" me here.

"Say »may« again. Say »may« again, I dare you, I double dare you $!%@, say »may«
one more $!%@ time!"

---

"Children's Online Privacy Protection Act Compliance

Our site, products and services are all directed to people who are at least
13 years old. _If this server is in the USA_, and you are under the age of 13,
per the requirements of COPPA (Children's Online Privacy Protection Act) do not
use this site."

---

Ok, two possibilities here:

01. this server is located in the USA; or
02. this server is located outside of the USA.

If the former, COPPA is applicable -- simply remove the "if". If the latter, first
check whether your country has a similar Act to protect the privacy of children.
If so, refer to that act instead of COPPA and also double-check what is actually
required of you to comply with that specific Act.

---

"Online Privacy Policy Only

This online privacy policy _applies only to information collected through
our site and not to information collected offline_."

---

You don't say?! Yes, since this is the Privacy Policy document for your online
microblogging site, I was quite aware of that. You can either remove this or
leave it be, but it kind of states the obvious, since you haven't indicated at
the beginning of the document that you also collect information offline.

(If you actually happen to collect information offline, you'd need a section
explaining what you collect, how and why or for what reason. Also state that at
the beginning of your Privacy Policy as part of the scope of your data
collection practice.)

---

"Your Consent

By using our site, you consent to our web site privacy policy."

---

This is fine, but please declare this at the very beginning of the document.
Something like "By using our site and/or our services, you consent to our
privacy policy as below. Please read the following document carefully." would do
it.

---

"Changes to our Privacy Policy

If we decide to change our privacy policy, _we will post those changes on
this page_."

---

This is a "no". A big "no". A "NOOOOO-oooooo".

Your users should be informed *before* you modify your Privacy Policy. This
can be done via your Mastodon administrator account as a toot, or via mass email
(don't forget to include this scenario in your Privacy Policy, namely that
you'll use users' email addresses to communicate upcoming changes in your ToS or
PP). Best practice is to inform your users 30 or 15 days before you roll out the
changes, declaring what is going to be changed and why, and what impact this is
going to have on the user. A second, friendly reminder can be sent out 8 days
before the change.

It is even better if you either post or provide the raw text of the new Terms or
Policy (e.g. via Pastebin or in an email) along with a brief explanation of why
it is necessary.

You shouldn't assume that your users visit your Privacy Policy or Terms of
Service pages on a regular basis. It is your responsibility to inform them about
proposed changes.

You should never forget that your user base is your greatest asset when
operating a Mastodon instance. Mastodon is all about user participation and it
was built upon the foundation of "giving back control to the users". Or, as the
Mastodon README[4] puts it:

"[t]he social focus of the project is a viable decentralized alternative to
commercial social media silos that returns the control of the content
distribution channels to the people."

It is vital for the integrity of the Mastodon philosophy that you let your users
know what is going on and how they are in control. Please always remember that.

Thank you in advance.

Adam Paszternak
Mastodon user "since before it was cool"

---

[0] https://paszternak.me/about
[1] https://github.com/discourse/discourse/blob/e90187cbf72168fb75d8701005de279bea4026a1/config/locales/server.en.yml
[2] https://witches.town/
[3] http://www.yodaquotes.net/try-not-do-or-do-not-there-is-no-try/
[4] https://github.com/tootsuite/mastodon/blob/master/README.md