> Nevertheless, some courts have been willing to make browsewraps enforceable under certain circumstances. The more a site calls the user’s attention to the terms while browsing, the more likely a court will be to find it enforceable. On the other hand, if a service provider places the notice out of sight, such that a user must scroll down in order to see but not in order to use the service, courts will likely find such an arrangement does not show meaningful assent on the part of the user.
I believe they can only connect your searches if you are logged in while searching. Otherwise, of course they can collect data on anonymous searches but not ones that would be specific to you.
I can see from an clean request to google.com that they set two cookies on your browser that are set to expires 6 months from the last request to google.com.
So assuming you use google more than once every 6 months they can keep a running log of your searches, and as soon as you log in to any google service with that cookie they will associate it with your account (I'm guessing).
If you clear your cookies reguarly or use incogneto it's not an issue.
IP address seems incredibly unreliable in this regard. What exactly is to be gained by associating it with an IP? If a company uses one external IP, are all my searches altered/bubbled by what everybody else in the company is querying?
You know that the ToS ONLY makes sense if you are signing up for Google's account right? How else are they going to link your searches to your "profile"?
Your account can be suspended and your data deleted any time for any reason.
The addition:
...forfeiture and relinquishment of all Content in your Account
I'd like to think they go to suspension first and deletion as a very last resort well after you're notified of a reason. This rather draconian provision feels unnecessary when you could similarly go with just a "if you store illegal/liebelous/infringing stuff here, we'll delete it" clause.
They're not unique in this regard, but I'm curious as to why companies that genuinely care about the integrity of the data and the trust you place in them to store it will include such a statement in the first place.
That conflicts with the next one quite badly.
Transparent security practices
How is an opaque deletion policy considered transparent?
We don't consider their opaque deletion policy transparent. We only consider that they are transparent about some of their security (compared to most equivalents i'd say). See the whole thing (click "Expand"):
> + Transparent security practices Discussion
> GitHub gives a detailed overview of their own security practices and their service providers' practices and obligations.
I'm not sure about this site...it would be nice if someone like the EFF ran it and got actual lawyers to look at these. In this case:
> Google can share your personal information with other parties: Google will share your personal information with other parties. For sensitive information (medical, racial, ethnic, political, religious or sexuality) Google requires “opt-in”. Google can also share or publish aggregated data that does not identify a person
which quotes this part of google's privacy policy:
> We do not share personal information with companies, organizations and individuals outside of Google unless one of the following circumstances apply:
> With your consent: We will share personal information with companies, organizations or individuals outside of Google when we have your consent to do so. We require opt-in consent for the sharing of any sensitive personal information.
and then he proceeds to conclude that because google separates the notion of "personal information" and "sensitive personal information", and the latter is covered by the "opt-in consent" clause above, that must mean that the former (plain "personal information") must be sharable because consent is assumed.
Logically that doesn't follow at all, since the base assumption would be that they don't share personal information unless it falls under one of the listed exceptions, and just because one "consent" has "opt-in" in front of it, does not mean that any other "consent" means some kind of assumed consent. If the words "opt-in" had never appeared, there would be no reason to guess otherwise.
What's worse, that line appears to be the sole source of information for him (and no one else came in to discuss it), so that becomes the authoritative line, without a caveat about how he arrived at that conclusion (though, luckily, a link to the "discussion" of that line). The site also says Hugo Roy is an "Economic Law student" in Paris, but his reading of those terms doesn't sound legal in the EU even if that was the correct conclusion.
One great thing about this project is that it's something no old media company would have ever attempted, through worries about liabilities, or fear of offending corporate partners, or just a perceived lack of interest from their viewers. It will hopefully be a great way for the actual users of the internet to keep companies accountable. On the other hand, if somehow an old media company had written about this, many would have consulted an expert (and possibly google themselves) before making that kind of sweeping conclusion. The EFF would have too. Hopefully participation can increase in this project so it's not just one guy's reading of a bunch of ToSs. I can consult random HN comments for that sort of thing :)
> I'm not sure about this site...it would be nice if someone like the EFF ran it and got actual lawyers to look at these. In this case:
I agree with everything you said but isn't it pathetic that we require a trained lawyer to be able to interpret something that affects a staggering amount of people.
A ToS shouldn't have to require the above, I also kind of like the idea of a layman having a stab at it, I would love to have a site that lists ToSes and allows wiki style discussions on certain points (Think Github pull request commenting). If only to highlight how bloody stupid it is that no one can understand or can agree on them.
For reference, here's what we're showing on tosdr.org:
> Google can share your personal information with other parties
> Google will share your personal information with other parties. For sensitive information (medical, racial, ethnic, political, religious or sexuality) Google requires “opt-in”. Google can also share or publish aggregated data that does not identify a person
Now, what I am writing in the "discussion" forum is not on tosdr.org exactly because it is all difficult to interpret. My conclusion, is what is on tosdr.org -- if you think the current statement written there is wrong, please submit a patch :)
Now about what I wrote under "discussion" (which is as it suggests, all here to be discussed:) Yes, it does not sound legal in the EU. That's actually the whole problem and why Google is currently under scrutiny by European Data protection agencies. http://www.cnil.fr/english/news-and-events/news/article/goog...
"[thumb_down] Spotify doesn't guarantee data security"
I do not really agree on that being a "thumb down" - rather the opposite.
Also the "You cannot delete your account" is present under some sites, but not on facebook.
Last time I checked it wasn't possible to remove all data on facebook(?).
Is it a good thing that Spotify doesn't guarantee that they won't leak your data? So you're saying that it would be a good thing for them to make it easy for people to steal your payment information?
You can't be sure that they actually delete your data but you /can/ delete your account.
My point being that to guarantee that would obviously be irresponsible - since there is no such thing as 100% data security. It's way better, in my opinion: "you probably shouldn't put anything too sensitive here - we have been hacked and will get hacked again". Obviously they will try their best to secure their systems either way, this because the biggest cost is the "user reaction" (users leaving the service or alike) when getting hacked.
Alright! Over all I like your idea, it's indeed needed.
While I have you on the line - a suggestion: While I have you on the line - a suggestion: I think it would be really appreciated if it was possible to "click" each of the 'points'. When doing so the clicked point's section of the TOS shows up highlighted. I believe that this would give a increased level of trust and also help to better understand a 'point' if one were uncertain about its exact meaning.
We store search terms (and the cookie IDs associated with search terms) separately from any account information that directly identifies the user, such as name, e-mail address, or phone numbers. We have technological safeguards in place designed to prevent the unauthorized correlation of this data and we remove the entirety of the IP address after 6 months, cookies and other cross session identifiers, after 18 months.
It's better, but the problem is that unless they are very smart filtering the search strings, they can be de deanonymized. For example see the AOL case: https://en.wikipedia.org/wiki/AOL_search_data_leak
It's amazing how many people ware willing to let Google (or anyone for that matter) see and keep their most private information for ever. Your online searches and emails can truly show what's on your mind, there's no way I am going to let an advertising company connect them to my real name and address and /or catalog them forever.
Nope, not even if you show me what movie is playing when I pass near a theater. I'll manage to do without that or associated advertising that will almost certainly come.
Google with their search engine and Gmail and GDocs and all the other services they are offering, do provide a valuable service to users.
It's true that users are somewhat the product, the real customers being the advertisers in partnership with Google. However, at least right now, nothing forces you to use their products and leaving Google, even if you aren't a paying customer, is still like voting with your wallet, especially since one user can convince others to leave too.
I personally don't mind giving Google my data. Even though I'm fully aware of the implications, I consider it a fair trade, because really, the data that Google has on me is really not that valuable.
I do have sensitive pieces of data that I need to store online. And because I am aware of Google's practices, that's one reason for why I'm not using GDrive or Picassa. I'm also a user of the browser's incognito mode when searching for porn, a mode that is fair to remind was popularized by Google Chrome.
If I have a beef against Google, is for their awful customer support, even in cases where you are the paying customer. However, that's an unrelated issue and I personally was aware that Google tracked my searches to use for interest-based ads serving ever since they launched Adsense in 2003.
To me the backlash against such practices, are 10 years too late.
But for Google, anyone can perform a search without agreeing to any ToS at all. What are the legal groundings and implications with regards to this?