Ask HN: Why did Microsoft, Meta, and PayPal update their ToS today?
I received communications about updated privacy policies and terms of service from Microsoft, Meta, and PayPal today (in that order, chronologically.) Was there a triggering event that caused them all to update at the same time?
190 comments
[ 3.5 ms ] story [ 260 ms ] threadI also received the PayPal email notification, but when clicking through the link the only legal agreement change this month was a week ago and was related to how much of your user data is available to a user visiting your PayPal.me page. Highly unlikely this is a coordinated change with Meta and MSFT.
Anyone can hit my username at gmail or telegram
Docacracy did it a decade ago, but closed shop.
The problem isn’t the tech — it’s coming up with a business model that pays for the system and upkeep. As much as people give lip service about privacy, they sure don’t throw money at lobbying efforts that protect their rights in those areas.
The similarity between standard contracts does make it harder to demonstrate a copyright violation based on the text alone though.
That sounds absurd. What country is this?
No form of intellectual property applies to “in the history of the world” — all IPs expire their monopoly protections after a period of time.
And yes, contracts must be distinctly different from copyrighted contracts. [1] Just because computers and the internet allow copy-paste of content with no effort does not mean it is necessarily legal.
[1] https://www.upcounsel.com/are-contracts-copyrighted#using-so...
Heck, this is very easy to google:
https://www.quora.com/If-you-ask-a-lawyer-to-draft-a-contrac...
https://law.stackexchange.com/questions/24521/are-the-indivi...
https://www.upcounsel.com/are-contracts-copyrighted
Contracts are text and text is subject to copyright. You seem to be confused about the difference between copyright, patents and trademarks though. That copyright applies to contracts does not mean it's possible for two different lawyers to end up writing almost identical contracts. It instead means it's very difficult to demonstrate copyright infringement based on the text alone. But if you simply copy a contract verbatim that you demonstrably had access to and can't demonstrate how you arrived at the exact same wording (e.g. if you're a layperson and have never written a contract before), it's probably an easy case for the copyright holder to win.
This will apparently blow your mind but in some jurisdictions outside the US such as the EU, mere collections of facts ("databases") are also protected by copyright: https://en.wikipedia.org/wiki/Database_right
Note that this does not mean you can't collect the same facts, it just means you can't harvest them from an existing collection and reproduce them the same way. So you couldn't just publish your own knock-off white pages phone book but you could publish a phone book as long as it is not sourced from an existing one. Please remember: this does not apply in US copyright law.
You can replace "garage" with whatever you want. Basically, if I'm a contractor I can sue every other contractor for uncreative derivative works. If I'm installing garages, I can sue my competitors. If I'm selling software, I can sue my competitors. https://en.wikipedia.org/wiki/Derivative_work
Even if it doesn't succeed 100% of the time, there is a non-zero chance people will settle. There's a non-zero chance that I can prevent other people from creating businesses in my market by simply writing every potential variation of some common contract elements.
That's why this is absurd that contracts can be copyrighted. You can argue that you'd have to prove intent, but people do that every day with news stories and win (I have a reporter friend that has been sued multiple times for 'copying stories' that they themselves wrote -- they win most of the time. In one case, I was sitting right beside him on the train while he wrote the story from his interview notes. The 'plaintive' tends to create a verbatim story on the web and change the publish date to some date in the past, then 'proves' they wrote it first. They don't win, but they do cause stories to be 'redacted' until it can be proven one way or the other. By then though, the news is old news.)
If I understand your example correctly, you would take an existing SaaS's ToS (i.e. copy their copyrighted work), publish it as your own (i.e. lie) and then file a DMCA takedown request (i.e. commit perjury) to force them to remove their ToS? Yes, you could do that. But since you likely can't demonstrate that you're the original copyright holder (e.g. trivially their SaaS pre-dates your service and they probably have internal documents like e-mails surrounding the drafting of the ToS whereas you don't unless you forge those as well) and sending a DMCA takedown request for works you don't actually own is literally a felony crime, I don't think that's a winning strategy.
To be clear: yes, there are laws against abusing DMCA takedown requests, precisely because otherwise anyone could just send them out for fun. Specifically DMCA takedown requests include a statement under penalty of perjury from the copyright holder that they hold the copyright. So this isn't a special DMCA law but just a boring old felony crime involved in fraudulently filing illegitimate legal claims.
If you're wondering why you've never heard of this it's probably because you're thinking of sites like YouTube which don't actually receive DMCA takedown requests normally but instead provide an arbitration system to allow content owners to avoid messy legal back-and-forths over the back of Google and instead be trusted based on who they are (i.e. smaller creators will be stuck in appeals limbo trying to talk to a human whereas large corporations will usually be trusted by default). This does not however apply to e.g. GitHub, which is why there is a public collection of DMCA takedown requests hosted by them: https://github.com/github/dmca
To speed up this conversation: if you can think of another example where your conclusion is "but this is dumb" then it's likely because your example is, not the legal situation you're looking at. Also "but this is dumb" is not a counter-argument to "this is what the law is like". The law does not care if you think it is dumb and saying it is dumb is not a good defense if you end up in court.
So technically scraping and republishing old ToS'es would be a copyright violation. You might have a case for fair use but then it becomes difficult to monetize the service.
Or you can use a friendlier service like the one provided by Codeberg.
https://docs.codeberg.org/getting-started/what-is-codeberg/#...
The problem is having people available to do the work that is needed to keep the system useful and up-to-date, which includes writing code that will parse the ToS, maintaining it, and upgrading programming languages, packages ... and most probably lawyers.
So where those diffs are hosted is a tiny cost of what is needed to make it work.
All these require effort. And effort can be paid with one of two things: time and money. And for someone to have time to work full-time on this, they need to have ... money to sustain themselves.
Thus this kind of project needs money => that either can be a grant, donation from a big entity, or business model. Donations from users are not working for long-term sustainability in most cases of good projects for society. Or at least I don't know a successful project like this.
People are too eager to expect some other person to invest their own time and effort in an open source project without considering the consequences of such an expectation.
People generally prefer convenience over privacy
Anyone with some knowledge of history can see what horrible things might happen if we build a comprehensive surveillance machine, but nothing terrible has happened yet. It’s hard to convince people to give up convenience to prevent a danger that hasn’t yet come and cannot be clearly seen.
With climate change it will take years of records for extreme weather being blown away. For this it might take a developed nation falling into hard core fascism and the digital dragnet being turned directly against its citizenry.
China is perhaps a case with its social credit system and camps, but it might not be extreme enough and may be too far away. It may have to happen here, or much worse. Americans in particular think “it can’t happen here” even though it almost has several times.
=> https://news.ycombinator.com/item?id=37064152 TOS Notify
I wonder if they are serving different ToS in the EU (haven't received anything from Microsoft yet).
For a little while, (and I should resume this behavior) I would capture TOS and save them away to read at leisure.
Because what happens, especially with fiddly mobile apps, is that you're granted a single glimpse at the bona fide link to TOS/EULA, and never again will you find how you got there. (Sometimes the link fails right off the bat, giving you zero opportunity to read through the terms!)
So I would take advantage of that and save it, by any means necessary: screen scrape, copy-paste, print-as-PDF, take photo of screen with second device, whatever it took, because they could make it difficult!
But then I would usually end up with a copy of the contract that I could later call up and check on. So, your suggestion that analytics can determine my dwell time on the document when it's presented to me, that's not going to be indicative of how much time I really spent reading it after copying and saving it.
I've found that this is a good practice, and not for the reason you're thinking of. I've found that I'm extraordinarily bad at reading legal documents like this (including my lease, employment contract, benefits and insurance docs, you name it) because even if I think I understand, I didn't get it, and it's pointless anyway because negotiating the wording is not on the table.
But it's a good practice to save these, because of this: there are often instructions included about how to resolve disputes and claims against the company. These instructions usually follow a strict procedure and they have rules about what you can do. They also have contact info, and again, you will never ever find this contact info anywhere else ever again if you don't save the EULA at first opportunity. They will tell you what kind of arbitration or court proceedings are acceptable, they will tell you the complaints procedure from start to end, time frames, and what to expect at each point. This info is gold, and it's not going to be available when you come to have a dispute, and you're not even going to be aware of the procedure at that point, and so you will automatically be disqualified and lose any dispute because you didn't follow procedure. Have fun!
I run it to see changes to my competitors websites. Well that’s the idea - I don’t actually monitor it LOL. I just have it running in Docker.
https://github.com/OpenTermsArchive
Disclaimer, I work on Monitoro.
Meta ToS - https://www.meta.com/legal/supplemental-terms-of-service-upd... Meta Privacy Policy - https://www.meta.com/legal/privacy-policy-updated/
PayPal - https://www.paypal.com/us/legalhub/upcoming-policies-full
The common denominator in the communication copy seems to be related to accounts belonging to minors. Microsoft mentions "If you are a parent or guardian, you are responsible for your child’s or teenager’s use of Microsoft products and services, including purchases", Meta's highlights revolve around "Parent-managed accounts", and PayPal did not provide anything meaningful about changes in the email.
Right now Google is sending out emails about their new Gmail inactive account policy. A lot of people use my domain name as their email address for some reason. I've gotten 17 emails so far, the first one dated July 20th, the last one yesterday August 18th. Almost a MONTH, and all the destination email addresses are their own!
it may even be longer since they're all in my trash and it auto-deletes after a month.
https://ec.europa.eu/commission/presscorner/detail/en/ip_23_...
These two bodies tend to counter each other a lot, I would expect to have a court ruling in 2 years that cancels this decision.
Court: "US law is incompatible with ours"
Executive: "Yeah but I'm sure we can all get along <wink wink>..."
https://noyb.eu/en/23-years-illegal-data-transfers-due-inact...
[0] https://noyb.eu/en/23-years-illegal-data-transfers-due-inact...
If any lawyers from the future are reading this: It was impossible for me to see what I was agreeing to. Furthermore, I was not given a chance to not agree with these (unknown) changes.
Is this your solution?
What else is there for corporate email?
(But you should think twice whether working for a legal entity where no people know legal stuff is a good idea)
Ut more importantly, you have no right to Microsoft products, and it regularly blows my mind when people try to argue otherwise.
Besides, if your beliefs are so incompatible with society that they exclude you from holding down a job, that belief becomes a pathology, not a conviction. Understanding how to operate successfully in society is a critical part of being an adult.
Microsoft goes to great lengths to court primary education systems to instill themselves as the "taught software stack". You say no one has any right to Microsoft's products... Then does that not run into somewhat of a public contradiction when public education systems shove it down students throats?
In point of fact, it sounds like the publically taught option should be exclusively GPL or other FLOSS software offerings, because contrary to your assertion, every student does have an implicit right to those as a public good.
If you want to nationalize Microsoft, petition your congressperson to do so.
But it is interesting to note how we got here.
https://www.npr.org/2023/07/13/1187543648/terms-and-conditio...
To summarize the podcast episode, contracts used to be individually tailored, but businesses found that too onerous and just wrote boilerplate contracts for all customers to sign. Then they decided the signing part became too onerous for businesses so courts decided that using the product was enough to agree to terms. So now we’re at a point where not using the product is legitimately the only way not to agree to whatever terms the company decides.
after all, you can argue/haggle/negotiate with a myriad of software developer firms (who are happy to build and operate a bespoke service for you). you can also do the same with many service providers, all you need is a big enough order and they are eager to give discounts. big enough check and you can pick and choose T&C too.
free market or not, market forces, mostly supply-and-demand and barriers to entry and costs lead to very few choices.
however, it's likely that the accumulation of software technology and decreasing costs will make a lot more features available in service form.
It seems like society would be better off if the law were set up to where only when clear communication has happened that the lawyer would bring benefit to their employer.
The problem is contracts of adhesion are inherently unconscionable, as are contracts that require signing away rights without consideration (above and beyond the use of the service). If you’re doing something with the data beyond providing the service (in a GDPR sense) then there needs to be an actual consideration to the customer for the resulting profit above and beyond the use of the service.
People primarily buy on cost, they’ll buy whatever is $10 cheaper. And in a truly efficient market this would be passed along to the consumer and people would buy the one that’s cheaper with worse tos - just like people buy ad-loaded smart tvs instead of a premium one with no telemetry or smarts or a tos attached.
Regulation is the only thing that’s gonna get you there. Contracts of adhesion are not gonna go away on their own unless you outlaw them. The market isn’t efficient like that, even if it were the efficient scenario is likely there one favoring cheapness and contracts of adhesion over consumer friendly behavior, and the behavior is unconscionable anyway. Just outlaw it.
The libertarian take on regulation is wrong, there’s a reason the EU does its consumer regulation with regulations and not with labeling. And in this case it’s actually contract law that is being warped by anticompetitive participants so you’d really think even the libertarians would be on board. A contract without consideration is not a contract, literally. And “we’re not going to let you use the good/service that you already paid for” is not a consideration, it’s blackmail and strongarm robbery.
Annotations don't work with legal code because there is a real risk the interpreter might use the escaped comments unexpectedly as production code(!). Imagine your C and C++ comments could generate production errors. You probably wouldn't use them much.
There's an argument for giving people a sheet of hypothetical inputs and projected code outputs when we're talking contracts. Biz gives you the 'code' and then in a separate sheet say: hypothetically, a shady backwater adtech company asks for your mother's maiden name; are we allowed to sell it without further consent? And then they give the code output: "Yes, we can do whatever we want." And they go through a list of these hypothetical.
The counterargument is such a sheet could be even more mind-numbing and unwieldy than the original code if not written in an entirely new spirit.
And FWIW, my personal view is that these 70-page contracts of adhesion are a travesty, an evolutionary step, and a weak fiction at this point. The industry does not have a right to force 3 months of mandatory bedtime reading for their userbase every few months, the whole thing is broken and we're all just waiting for courts to coalesce around a better model.
Practically what this means is that it is useless to negotiate with big companies or really even read their terms (unless you have skills to spot errors) - the best one can do is support campaigns for expanded privacy laws, consumer rights etc.
c.f. the whole "video calls to train their AI at Zoom" (later: "unless you opt out", sorta) pullava ...
Iirc there was (is?) a site which gives a rating to the various license agreements of popular services and the like, so maybe it’s a solved problem?
[1] https://tosdr.org/
Cherenkov radiation for the masses I say.
If it’s some other piece of software, you can go to a package repository such as the AUR [1] or Chocolatey [2], and leave a comment for the package even if it’s non-free.
If it’s a pure SaaS, there’s little you can do though, apart from tweeting, word-of-mouth, or Google reviews.
[1]: https://aur.archlinux.org
[2]: https://community.chocolatey.org/packages
This there seems to be more video only, nonskippable training that make sure you spend an hour watching. For now, running them in a vm in the background works.
Basically you can't sneak gotchas into a ToS, you have to make sure users know they're violating a rule. Ironically this is unlike actual laws where ignorance is not an excuse even if the law is weird and unexpected.
> Ironically this is unlike actual laws where ignorance is not an excuse
I think it's similar to real laws.
Unacceptable rules: sneaking in terms such as that your firstborn child will belong to me is not enforceable: nobody could expect or would agree to that. In law, similarly, you can't just upend someone's life for a minor infraction, or indeed take a child in exchange for your use of an ordinary government service. If this were to pass, a court would strike it down based on human rights or constitution, so you'd have to change/disavow those also as a country.
Acceptable rules: sneaking in terms that are fair are enforceable. Your third party client ban is an example where the rule is acceptable, but the consequences deemed disproportionate and so a warning is in order before cutting one off. This is similar to many laws, for example mildly dangerous driving gets you a fine or few days/weeks of driving ban. It takes repeat offences to get banned outright. Failure to pay taxes doesn't result in them showing up to auction your TV off, but they send a nice letter first, even if they'll eventually show up with a writ and after you're been warned that this is the next step, because indeed, we don't expect everyone to know everything.
I'm not a lawyer and can't cite relevant cases or anything, but this is my impression of law as a lay person. It's rarely perfectly fair towards everyone in all situations, and I think we should pay even more heed to "but how was I supposed to know"s whenever a situation is legitimately complex and good intent was shown (to avoid that people avoid doing good things because they don't know what legal risk it puts them in, such as what good samaritan laws are aimed to avoid), but it does try to find balances between what people can reasonably know and follow, at least in northwestern Europe which I'm most familiar with.
Yeah, that's the theory. But what a judge will decide qualifies for "minor" may or may not align with what is sane or what most people believe, and this gets worse and worse if you go into higher courts with politically appointed judges.
On practice governments upend people lives all the time, even for presumed infractions that may not be there at all.
Edit: from a place like Germany as the person above was talking about, to be clear. If such things are trivial to find in the USA would not surprise me in the slightest
There is a lot to be learned in this regard from financial products online. Most of them have built in functionality to let users know what they are doing and the associated risk.
Note that this also requires the user to be informed about what they will have to pay before they click the button. No bullshit surprise charges or hidden fees, mostly.
This is very interesting. Thanks for sharing.
I would not do that.
I think the problem is with the consumer, not the producer.
https://www.paypal.com/us/legalhub/upcoming-policies-full
No yea probably just some US EU Data regulations thing.
Simple reason was the EU/US Privacy Shield program came back into effect (to comply with GDPR), but it required slight changes to privacy policies (renaming Privacy Shield to something slightly different).
Any company participating in privacy shield will need to update their privacy policy if they haven't already.