Open natv opened 8 years ago
pkirkovsky
commented
8 years ago This looks like generic legal boilerplate seen on a number of other sites. I agree that it's still very unsettling in the context of this service.
Does ciphertext fall under the category of "data or files"? Does cleartext (for those who uploaded private keys and use the site to encrypt)? How about your local keyring?
zQueal
commented
8 years ago you hereby grant to us a non-exclusive, worldwide, perpetual, irrevocable, royalty-free, transferable (in whole or in part), fully-paid and sublicensable right, subject to the Privacy Policy, to use, reproduce, modify, transmit, display and distribute Your Content in any media known now or developed in the future, in connection with our provision of the Service.
This sensitive information probably isn't contained on a single media, I would assume. If Keybase ever switches servers, do you expect them to poll for permission to transfer PPI? Right now the stage0 staging site with new features and the Go client are different media, or at the very least could be considered as such. I highly doubt Keybase wants to be sued for copying PPI from the main Keybase database to the new staging database (if they're actually different) or any other derivation therein because a user feels their privacy is being infringed upon as they didn't give permission.
When dealing with personal information, there's no such thing as a perfect closed system. Especially not with PGP. You're uploading sensitive PPI. There are gonna be risks to that. The only thing that keeps me using Keybases' service is that Keybase can't actually decrypt the information therein. It's still all private and encrypted with their FOSS encryption standard triplesec.
But other than that, I'll easily give you that the wording is a bit scary and should be revised. Just my honest opinion.
Muraad
commented
8 years ago "Generic legal boilerplate" is a bit down played i think. I have only 180 search results. Lots of them are about ebay (and other marketing/money company´s). An official response from keybase would be nice.
zQueal
commented
8 years ago @maxtaco @malgorithms
I wouldn't expect a reply too soon, everyone's pretty busy right now, but I would certainly love to see a reply.
malgorithms
commented
8 years ago We're going to have to update our ToC and privacy policy in the coming months, as we'll be launching a product that allows for actual file hosting. So it's good to get the feedback now that those sections are upsetting.
As @pkirkovsky said, that part was boilerplate and not written custom for us. (I assume law firms all have their own templates of these, hence your number of results.) Our files were modified in some small ways but that stuff pasted above was handed to us, and we've spent very little time on it.
The answer you probably won't want to hear is that in some variation, the main points of those 4 paragraphs will have to survive, as they're actually necessary for us to provide the service without getting sued. The broad-sweeping legalese sucks, but all of those paragraphs are saying something true, at least beneath the surface. For example, we really do need to "distribute Your Content ... in connection with our provision of the Service." as section 1 says. Evertyhing around it is trying to make sure you don't sue us when we do that.
In answer to these:
Does ciphertext fall under the category of "data or files"?
It's not needed for "provision of the service", so you're definitely not granting us a license to post that. If we did go around posting people's ciphertexts on purpose to "promote" the service, I assume you'd be able to sue us.
Does cleartext (for those who uploaded private keys and use the site to encrypt)?
Some clarification here: the site doesn't know your cleartext anywhere in this process, even for a moment. It also doesn't know your private key. If you host your private key, you first prove you know your password (not by sending it, but by stretching/hashing it client side), and then you download your private key, decrypt it, use it, and throw it away.
So, since this is never sent to us, so no, you've never provided it to the service, and this is our official stance on the meaning of that wording. Technically speaking, we would have to modify our software to send us your cleartext after decryption or before encryption. Uhh. That would be a bad idea no matter what. We won't do that, and nothing about our terms changes that.
But if this is in your threat considerations, you shouldn't use the website, since a website can serve targeted code per-user. In that case you should stick to just the open source clients. (New, better ones coming very soon!)
As for what the government can force us to do, there's absolutely no policy that can protect you from government coercion. Only your client software can. No matter what a service claims, a sufficiently advanced hacker could always get access to whatever you post on a service. You have to assume there's some risk of whatever you send to Keybase getting leaked. I'm not saying that that's argument against changing wording/policy, I'm just saying you shouldn't feel much better if we do. You have to use client software that doesn't give away secrets you don't want. And the whole goal of Keybase is to try to make clients that don't trust servers.
pkirkovsky
commented
8 years ago The broad-sweeping legalese sucks, but all of those paragraphs are saying something true, at least beneath the surface. For example, we really do need to "distribute Your Content ... in connection with our provision of the Service." as section 1 says. Evertyhing around it is trying to make sure you don't sue us when we do that.
Sure, some of these things are necessary for Keybase to operate, but there must be a better way to accomplish the same goals without resorting to vague and broad legalese that makes privacy-minded people nervous. Such legalese may work great for covering all of Keybase's bases (pardon the pun), but it's not in the best interest of users.
These portions of the ToS need to be tailored specifically for what Keybase does and spell out exactly what is meant by "Your Content", "provision of the Service", etc.
But if this is in your threat considerations, you shouldn't use the website, since a website can serve targeted code per-user.
Maybe the suggestions in #761 and #901 can also help assuage these concerns?
Muraad
commented
8 years ago @malgorithms thanks for your response! I´m more concerned about content than about privacy/key-management. It sounds a bit like when i upload something to keybase i hand over the ownership of my data to you, e.g. you can do what you want with it. With the upcoming features (file upload) I imagine someone is uploading company data (backup). I wonder what that would mean, e.g. what are the implications of
you hereby grant to us a non-exclusive, worldwide, perpetual, irrevocable, royalty-free, transferable (in whole or in part), fully-paid and sublicensable right, subject to the Privacy Policy, to use, reproduce, modify, transmit, display and distribute Your Content in any media known now or developed in the future, in connection with our provision of the Service.
But I also understand your concerns to get sued.
Greetings!
malgorithms
commented
8 years ago Ok, I'll explore alternative wordings of that with our lawyers, especially when we work on the file service. We really don't have an interest in owning your data.
taniki
commented
7 years ago Any update about this issue?
compumike08
commented
7 years ago @Muraad: Regarding your concern about giving ownership of your content to keybase, that is not what the section you referenced actually means:
you hereby grant to us a non-exclusive, worldwide, perpetual, irrevocable, royalty-free, transferable (in whole or in part), fully-paid and sublicensable right, subject to the Privacy Policy, to use, reproduce, modify, transmit, display and distribute Your Content in any media known now or developed in the future, in connection with our provision of the Service.
That section says you are giving keybase a "...right...to use...your content" (emphasis added). You're retaining ownership of your content, you're just giving Keybase the right to "use" your data to provide their service. It's like if you want a friend to take your car to the car wash for you. In order for them to do that, you obviously have to give your friend the right to use your car. You're not transferring ownership of the car to your friend, you're just giving them the right to use it in order for them to provide the service you asked them to provide. Of course, in the car example, the right to use your car is implied when you ask them to take it to the car wash for you, and your friend trusts you not to turn around and report your car as stolen as soon as you leave.
In the case of a business like Keybase, with countless users who Keybase doesn't know and has no reason to trust, they have to protect themselves against people who might use the service and then sue for copyright infringement and lie and say they didn't intend to grant Keybase the right to use their content (technical people would consider that very obvious, but people who have no clue about computers may not). There are plenty of people out there who would do something like that to get money from Keybase in a lawsuit. Having explicit Terms and Conditions like this protects Keybase from unscrupulous people who might try to take advantage.
The irony here is that the wording required by the law is often very confusing to people who don't have a legal background. Unfortunately, the text of Keybase's Terms and Conditions is pretty boilerplate, and there isn't really a lot of room for them to change it.
However, while simplifying the text of their terms and conditions may not be practical from a legal standpoint, Keybase should consider adding simplified, summary text next to each section explaining in plain English what each section means. I've seen some other sites do that, like Zapier (https://zapier.com/terms/). Of course, any plain English summary will need to be reviewed very carefully by Keybase's lawyers to avoid legal issues. But I think a lot of people would appreciate a plain English summary of their "legalize".
DISCLAIMERS:
@malgorithms
I think the concept of keybase is great, but I was a little horrified at your Terms of Service / Privacy Policy, especially section 5 of your TOS pasted below.
Keybase is targeted to security professionals (or at least security conscious people), I don't know how this is going to fly with with the user community. This is worst than Facebook's policies.
You represent and warrant that none of the following infringe any intellectual property, publicity or other proprietary rights: your provision of Your Content to us, your causing Your Content to be posted using the Service, and use of any such content (including of works derived from it) by us, other users of the Service, or others in contract with us that is done in connection with the Service and in compliance with these Terms.
You acknowledge and agree that we may access or disclose information about you or any other information or data collected, stored or processed on our servers, including Your Content, if required to do so by law or in the good-faith belief that such action is necessary to: (a) comply with any law, regulation, legal process or lawful governmental requests; (b) protect the rights or property of Keybase or our customers, including the enforcement of our agreements or policies governing your use of the Service; or (c) act on a good faith belief that such access or disclosure is necessary to protect the personal safety of Keybase employees, customers, or the public.
We retain the right to block or otherwise prevent delivery of any type of file, email or other communication to or from the Service as part of our efforts to protect the Service, protect our customers, or stop you from breaching these Terms.