twofas / 2fas-ios

Source code for 2FAS iOS app
GNU General Public License v3.0

The ToS seems overly broad #39

Open mortie opened 12 months ago

mortie commented 12 months ago

This isn't app-specific, but I'm reporting here since there's no repo for the website and the iOS app is where I was asked to accept the ToS (or at least linked to the ToS... there was no requirement to accept it?). This is about the ToS at https://2fas.com/terms-of-service/ as of 2023-09-11.


Clause 11.2 reads:

You represent and warrant that you will not modify, prepare derivative works of, or reverse engineer any of 2FAS’s Services.

Where the phrase "2FAS Services" is defined to mean "all products and services that 2FAS currently provides or may provide in the future", including the apps and the browser extension (but apparently not the server side? But I digress).

2FAS is an open source project, the apps are open source and licensed under the GPL. Is it really the intention of 2FAS to prohibit people from modifying the source code? Is it the intention of 2FAS to prohibit people from forking the repos (i.e. to "prepare derivative works" of them)?

What does 2FAS consider "reverse engineering"? Everything is in the open. Is reading the source code "reverse engineering"? How about adding debug logs to trace API calls? Prohibiting "reverse engineering" in an open source project which encourages community contributions seems inappropriate, but if you do want to prohibit it, it needs a lot of clarification.


Clause 25.1 reads:

You agree to defend, indemnify, and hold harmless 2FAS, our future affiliates and their respective members, managers, shareholders, officers, directors, employees, agents, vendors, customers, indemnitees, representatives, successors, licensees and assigns, and each of them, from and against any and all claims, actions, demands, damages, losses, costs and expenses, including reasonable attorney’s fees and disbursements, charges, penalties, judgments, and interest sustained or which any of them may sustain arising out of, resulting from or relating to any material breach or alleged breach of any representation, warranty, obligation, or agreement made by you in this Agreement including, without limitation, any breach or alleged breach by you with respect to third party intellectual property, third party privacy, interference with third party or other User data, and non-permitted uses.

This seems impossible to interpret. I have tried to add parentheses around the various comma-separated lists in the sentence, but I'm unable to find a way to parenthesize it which results in a sentence which makes sense. I also find it weird that it requires me to defend and indemnify all the customers of any future affiliates of 2FAS.


Clause 11.1 reads, in part:

You represent and warrant that your use of the Services will not be for any illegal activities

I take tremendous moral issue with this. Illegal does not mean immoral or harmful. Worse, the ToS does not specify which jurisdiction it talks about; is it the one the user is registered in? The one the user currently resides in? The one 2FAS is registered in (Delaware)?

To illustrate the moral issue with this clause: Assuming the applicable jurisdiction is that in which the user lives: Should a user from a US state which has outlawed abortion be considered in breach of the ToS and risk 2FAS closing their account if they use 2FAS to authenticate with a service which lets them have an abortion?

2fas-com commented 12 months ago

Thanks for this submission. You're right, of course, and we're already working on improving the ToS. It's a time-consuming process because of all the legal issues, and we know we're a bit late. But once we release the updated ToS, your feedback will be included!

mortie commented 12 months ago

Oh, I wasn't aware that you're already working on an updated ToS, that's awesome! I totally understand that these things take time.