Custom privacy policies / terms for each instance #721

Closed
StaticallyTypedRice opened this issue May 15, 2020 · 20 comments
Labels
area: docs Documentation fixes extra: help wanted Extra attention is needed

Comments

@StaticallyTypedRice
Contributor

StaticallyTypedRice commented May 15, 2020

To my knowledge, many jurisdictions (like the EU) require websites to have a comprehensive privacy policy, and in general having one is just a good idea. My suggestion would be to have a page that administrators can edit in order to describe their server’s privacy practices.

We could also provide a default one for all instances, but chances are that to stay accurate, each instance will have to edit it. This should also be made clear to instance administrators.



@dioraman
Contributor

dioraman commented May 21, 2020

I second this.
Mastodon adopts default terms of service + privacy policy for any instance. It is originally adapted from Discourse but I think the Mastodon basis can be improved.

@dessalines
Member

Does Mastodon / Pleroma have an editable privacy policy?

@dioraman
Contributor

dioraman commented May 21, 2020

I knew Mastodon and Pleroma instances with modified privacy policies.

Edit: Mastodon "[e]nd goal would be making them dynamically editable by the instance admin, but we need a sensible default". (reference)
I proposed a pull request for their project to be safe on the legal side. We may use the same paragraph as well.
If you do not feel confident about this adoption, we may ask, e.g., the Software Freedom Conservancy.

@nathgit

nathgit commented Jun 28, 2020

In general, I'm very hesitant to sign up to any site without reading their privacy policy first, & I would hope I'm not the only one so I hope one is coming. At least since this one doesn't require an email address, there's no worry of them being able to sell your email address to companies that will spam you. The downside to that is if you forget your password, there's no way to recover it. Email aliases and/or filters are good ways to fight spam too though. Reddit doesn't require an email address either from what I've heard but that doesn't mean there aren't still potential privacy issues. There's at least 2 sites that list all publicly available knowledge about any Reddit username you type in, all derived from info they've posted, comments they made, communities they follow, etc. The amount of info you can find is unbelievable.

@dessalines
Member

There's at least 2 sites that list all publicly available knowledge about any Reddit username you type in, all derived from info they've posted, comments they made, communities they follow, etc. The amount of info you can find is unbelievable.

There isn't a way to prevent that, unfortunately, for publicly available data; I'm sure there are tools to do this for fediverse users too. But when we add private communities, then that'll be a way to restrict your viewable content.

@nathgit

nathgit commented Jun 28, 2020

I know. I just meant that people put a lot of private data on social networks (which they shouldn't), so a privacy policy is needed.

@nathgit

nathgit commented Jun 29, 2020

Is there any sort of functioning privacy policy template? I'm considering signing up but generally don't sign up on sites without a privacy policy. Not that I don't trust it, just being careful especially since the account can't be deleted.

Is it at least possible to add an email later if I create an account without one?

@nathgit

nathgit commented Jul 13, 2020

@Nutomic
Member

Nutomic commented Jul 13, 2020

We are hosted in the EU so a privacy policy for the US won't help us.

@dessalines
Member

Ya. Anyone who wants to make this, I'd suggest starting with Mastodon's as a template that @dioraman linked.

@nathgit

nathgit commented Jul 19, 2020

To my knowledge, many jurisdictions (like the EU) require websites to have a comprehensive privacy policy, and in general having one is just a good idea.

California has calOPPA (which actually took effect in '04 but has been amended since). It requires any site operating in California (any site providing a service to people living in California, it doesn't refer to where the company is located) that collects user info to have a privacy policy explaining how they use that info & mandates certain things that must be included in the privacy policy, like an outline of exactly what info is collected.

@dessalines dessalines added the extra: help wanted Extra attention is needed label Jul 22, 2020
@nathgit

nathgit commented Jul 29, 2020

We are hosted in the EU so a privacy policy for the US won't help us.

EDITED:
Here's a couple sites specific to GDPR privacy policies. The first explains how to make one, the second is a generator.
GDPR privacy policy
Generator
The generator creates a privacy policy, a cookie policy, & several others compatible with GDPR, calOPPA, Google Analytics, etc. There's 7 different ones total.

Edit:
CCPA $29 (Required by California law)
GDPR $29
calOPPA $12 (Required by California law)
=$70

Without GDPR/CCPA/calOPPA wording the generator is free.

@Nutomic Nutomic changed the title from "We should write a privacy policy" to "Custom privacy policies / terms for each instance" Mar 15, 2022
@nicfab

nicfab commented May 17, 2022

I second this.
I was thinking of creating an ad hoc web page with my privacy policy reachable from my Lemmy instance.
It would be much more appreciable to have a default Lemmy space/box or page to fill with policy contents.

@nathgit

nathgit commented May 17, 2022

There should be some sort of privacy policy. I was admittedly a little confused by the seeming lack of interest when I listed the links I did above allowing you to easily generate a privacy policy. I take my privacy seriously & I read every site's privacy policy before signing up so I know what is being done with my data, so a site not having one is a red flag for me. At the very least I would use an email alias, which is a good idea anyway, in case of a site being hacked, or sold.

Nutomic added a commit that referenced this issue May 19, 2022
@Nutomic
Member

Nutomic commented May 19, 2022

I opened a pull request for this, please have a look.

#2273

Nutomic added a commit that referenced this issue May 19, 2022
@nicfab

nicfab commented May 19, 2022

@Nutomic Thank you very much.
I appreciate your commit.
From my perspective, the title "Legal information" is not wrong, but you can also think of shortening it to only "Legal."
I agree with you on the other considerations related to the content; each admin will fill the space with the appropriate content.
I would also highlight that the content should at least be terms and conditions and privacy policy.
For example, as I read, in the Mastodon "legalese" default document (from my Mastodon instance), there is a section related to data retention for IP addresses that they set, by default, in 90 days.
An admin can know that information only from developers.
In conclusion, besides the appreciable commit, the admin should also know some technical information from the developers. The admin will provide adequate information to the users to guarantee that nobody else apart from the sysadmin can access that information only for technical purposes.
The sysadmin, obviously, has to adopt any security measure on his server.

@Nutomic
Member

Nutomic commented May 20, 2022

About IP addresses, Lemmy doesn't store them at all. They are only stored in log files, but that also happens when you serve static HTML files from your server.

makotech222 pushed a commit to hexbear-collective/lemmy that referenced this issue Jun 3, 2022
@BanzooIO

I feel this is pretty important to the survival of Lemmy. I AM NOT A LAWYER, but I have created a template based on the Mastodon privacy policy if anyone wants a basic framework to start from:

https://github.com/BanzooIO/federated_policies_and_tos/blob/main/lemmy-privacy-policy.md

I am not overly experienced with instance management yet, but I have done my best to cover all aspects of how data is shared. Please contribute in correcting any errors.

I also feel it is important for admins to disclose the lack of SSL support in connecting to PostgreSQL and what the local admin has done to mitigate the risk.

@nicfab

nicfab commented Jun 22, 2023

If it can be helpful for you and the project, here is the privacy policy on my Lemmy instance: https://community.nicfab.it/legal
Furthermore, here is the privacy policy on my Mastodon instance: https://mastodon.nicfab.it/privacy-policy
Both are works in progress, and they might be modified anytime.

@BanzooIO

If it can be helpful for you and the project, here is the privacy policy on my Lemmy instance: https://community.nicfab.it/legal Furthermore, here is the privacy policy on my Mastodon instance: https://mastodon.nicfab.it/privacy-policy Both are works in progress, and they might be modified anytime.

Awesome, nice to see an admin actually on this. Thanks. Definitely open to all input on this, and as you've correctly deduced from the title, plan to expand into other platforms. How would you prefer to be attributed (or if you would prefer not).

As my current version is going to maybe be a bit unsettling for uninformed users, I have created an additional optional policy introduction: https://github.com/BanzooIO/federated_policies_and_tos/blob/main/optional-privacy-policy-intro.md


7 participants