Please fix your Mastodon instances' Privacy Policies
====================================================

An open letter to Mastodon instance administrators.

Dear Instance Admins,

I recently noticed that many of you managed to carefully craft your instances' community guidelines (or "code of conduct") -- I absolutely welcome the efforts you made on these particular documents. However, I also noticed that most of you haven't changed a thing in your Privacy Policy document and are still using Mastodon's default. And while I appreciate Gargamel's intention not to ship his software without such a document, if left untouched, your instances' privacy policies scare me to death.

The explanation is simple: many of us left Twitter and joined the Mastodon community because we were fed up with how Twitter handles our data and erodes our online privacy. Mastodon gave us the hope that we can again gain control over who we give our data to, and that we'll know what can and will happen to our data. With you using the default Privacy Policy, we are nowhere near that desired knowledge. Mastodon's default document is full of "may"s (and therefore also "may not"s): it is unable to provide a deeper understanding of how you'll handle our (your users') data, nor is it able to reassure us that our data is in good hands.

While many of us users converse daily with you, and even believe that you guys are on the right side of this matter, it is now time to prove it. Please fix your instances' Privacy Policies as soon as possible.

If you are more agile than that, here you go: "I, as a user, by reading the Privacy Policy of the instance, would like to know *exactly* what kind of data you collect about me and how *exactly* you are using that data."

To clarify my problem here, let's walk through the default document hand in hand. I'll indicate the most problematic pain points by _underlining them_, and explain my concerns afterwards.
I will not correct the problematic parts, as I strongly believe that each instance should craft its own document, since all of you operate your instances by your own measures. However, please feel free to contact me[0] if you need my contribution to creating your PPs.

That being said, here we go.

---

"What information do we collect?

We collect information from you when you register on our site and gather data when you participate in the forum by reading, writing, and evaluating the content shared here.

When registering on our site, _you may be asked to enter your name and e-mail address_. You may, however, visit our site without registering. Your e-mail address will be verified by an email containing a unique link. If that link is visited, we know that you control the e-mail address.

When registered and posting, we record the IP address that the post originated from. We also _may retain server logs_ which include the IP address of every request to our server."

---

As far as I understand, Mastodon's default Privacy Policy was derived from the same document of Discourse[1] (lines 3185 and onward); however, we never considered Mastodon to be a "forum" -- even Mastodon doesn't refer to itself as a "forum". It is, e.g., a microblogging service. The initial statement about the data collection should *clearly refer* to the service, which is definitely not a forum.

About entering your name upon registering: no, you may not be asked for such. There isn't even a form field for that. Users can derive their handles and/or email addresses from their names, but this is fully up to the user. By default, the admins are only aware of my real name if I, e.g., use the handle "adam.paszternak" or provide an email address like "adam.paszternak at whatever". If any of you actually modified the registration form to ask for the name of the user, state it without "may". Also, you *do* ask for an email address, so again: there is no need for a "may" here.
About retaining server logs: you either keep them, or you have a zero-logging policy on your instance. Please don't tell me you "may retain logs" -- do you actually retain them or not? If you do, what *exactly* do you log? I'd assume my IP address and the exact timestamp of my actions at the very least. Please investigate your logfiles and/or logging policy and reflect your findings as facts in your instance's Privacy Policy.

---

"What do we use your information for?

Any of the information we collect from you _may be used_ in _one of the following ways_:

* To personalize your experience — your information helps us to better respond to your individual needs.
* To improve our site — we continually strive to improve our site offerings based on the information and feedback we receive from you.
* To improve customer service — your information helps us to more effectively respond to your customer service requests and support needs.
* To send periodic emails — The email address you provide may be used to send you information, notifications that you request about changes to topics or in response to your user name, respond to inquiries, and/or other requests or questions."

---

Again, "may". Do you actually use my data to carry out any of the listed actions? If so, what data, to carry out which one, and how exactly? Also, you probably use my data for *more than one of those*, so instead of "one of", please state "any of", remove all points not applicable from the list, and add any additional ones that you use my data to carry out.

---

"How do we protect your information?

We implement a _variety of security measures_ to maintain the safety of your personal information when you enter, submit, or access your personal information."

---

This is nice, however my imagination is a bit... well, weird sometimes. I'd assume you spill the blood of a black rooster upon your servers once a week (which would be a perfectly valid countermeasure for instances like "witches.town"[2]).
If this is not the case, please name your "security measures", at least at a basic level, to reassure me that you are taking good care of my data. If you only use Mastodon's built-in security functions, state that as well.

---

"What is _your_ data retention policy?

We will make _a good faith effort_ to:

* Retain server logs containing the IP address of all requests to this server _no more than_ 90 days.
* Retain the IP addresses associated with registered users and their posts _no more than_ 5 years."

---

About *my* data retention policy: well, I don't have one. See the previous questions? Those refer to instance admins as "we" ("we use...", "we protect..."). And the document here switches to "FAQ mode", referring to the admins as "you" ("your... policy"). Don't do this. Stick to "we" ("What is *our* data retention policy?").

Also, when driving my Corolla, I make "a good faith effort" not to run over someone. I am mostly successful in this effort, but, you know, shit happens: a pedestrian can jump in front of me or something. This is called an accident. On the other hand, I haven't ever seen any logfiles jumping out of the way of your flush cron or whatever. So let's make this clear.

* Do you retain server logs?
* If so, do you flush them regularly?
* If so, how often does your flush job run?
* Do you use Mastodon's defaults (which are probably 90 days and 5-holy-shit-years for logs and IPs respectively)?

As you might keep other types of logs, don't forget to actually name the kinds of logs you keep and also state their flush intervals. And please don't give me the "good faith effort" BS. This is a Yoda thing: you're not trying here, you either do it, or you don't[3]. It's as simple as that.

---

"Do we use cookies?

Yes. Cookies are small files that a site or its service provider transfers to your computer's hard drive through your Web browser (if you allow).
These cookies enable the site to recognize your browser and, if you have a registered account, associate it with your registered account.

We use cookies to understand and save your preferences for future visits and compile aggregate data about site traffic and site interaction so that we can offer better site experiences and tools in the future. We _may contract with third-party service providers to assist us in better understanding our site visitors_. These service providers are not permitted to use the information collected on our behalf _except to help us conduct and improve our business_."

---

So, a straightforward question to start with: do you have any contract with any third-party service provider? If you do, name them and state *exactly* what kind of data associated with me or with my activity is handed over to this particular third-party service provider. If you don't have such a contract, remove this clause. Your Privacy Policy should reflect your *current* data handling policy, and there is -- again -- no place for "may"s and "we will probably have such a contract in the future"s.

Also, if/when you involve third-party providers, it would be nice to know what kind of data they use and what exactly is done with it to "conduct and improve your business". Remember, Twitter calls personalized ads a "feature" and an "improved user experience" -- if you involve, e.g., marketing agencies, please state that "improving your business" means, for example, "better targeted ads".

Furthermore: does your hosting provider (if you have one) have access to your logfiles, or are those encrypted by default, meaning that only you can access them? Because you actually have a contractual relationship with your hosting provider, and it is definitely a third-party entity. So either make sure that they have no access to your logs, or please do make at least a note about this.

---

"Do we disclose any information to outside parties?
We do not sell, trade, or otherwise transfer to outside parties your personally identifiable information. This does not include _trusted third parties who assist us in operating our site, conducting our business, or servicing you_, so long as those parties _agree to keep this information confidential_. We may also release your information when we believe release is appropriate to comply with the law, enforce our _site policies_, or protect ours or others rights, property, or safety. However, _non-personally identifiable visitor information may be provided to other parties for marketing, advertising, or other uses_."

---

Now, this is a heavy one. As discussed above, state whether you actually involve such third-party entities, and also whether you have a clause about data confidentiality in your contract. Assistance in "operating our site" covers the above-mentioned case about hosting providers. Check their Terms of Service and Privacy Policy regarding client data, and refer to them as part of your own Policy.

Check what kind of policies you actually have. Do you have "Community Guidelines" as well as "Terms of Service"? Refer to the one(s) you'll release my information (to whom?) to enforce. Also please describe the "non-personally identifiable visitor information" if such information is released for whatever uses (there is no such case as "other uses" -- what are those?).

---

"Third party links

Occasionally, _at our discretion, we may include or offer third party products or services_ on our site. These third party sites have separate and independent privacy policies. We therefore have no responsibility or liability for the content and activities of these linked sites. Nonetheless, we seek to protect the integrity of our site and welcome any feedback about these sites."

---

Fair enough. But do you actually offer that kind of third-party products and services? As discussed above: your Privacy Policy should reflect your *current* data handling policy. Don't "may" me here.
"Say »may« again. Say »may« again, I dare you, I double dare you $!%@, say »may« one more $!%@ time!"

---

"Children's Online Privacy Protection Act Compliance

Our site, products and services are all directed to people who are at least 13 years old. _If this server is in the USA_, and you are under the age of 13, per the requirements of COPPA (Children's Online Privacy Protection Act) do not use this site."

---

Ok, two possibilities here:

01. this server is located in the USA; or
02. this server is located outside of the USA.

If the former, COPPA is applicable -- simply remove the "if". If the latter, first check whether your country has a similar Act to protect the privacy of children. If so, refer to that Act instead of COPPA, and also double-check what is actually required for you to comply with that specific Act.

---

"Online Privacy Policy Only

This online privacy policy _applies only to information collected through our site and not to information collected offline_."

---

You don't say?! Yes, since this is the Privacy Policy document for your online microblogging site, I was quite aware of that. You can either remove this or leave it be, but it kind of states the obvious, since you haven't indicated at the beginning of the document that you also collect information offline. (If you actually happen to collect information offline, you'd need a section explaining what you collect, how, and why or for what reason. Also state that at the beginning of your Privacy Policy as part of the scope of your data collection practice.)

---

"Your Consent

By using our site, you consent to our web site privacy policy."

---

This is fine, but please declare this at the very beginning of the document. Something like "By using our site and/or our services, you consent to our privacy policy as below. Please read the following document carefully." would do it.

---

"Changes to our Privacy Policy

If we decide to change our privacy policy, _we will post those changes on this page_."
---

This is a "no". A big "no". A "NOOOOO-oooooo". Your users should be informed *beforehand*, before you modify your Privacy Policy. This can be done via your Mastodon administrator account as a toot, or via mass email (don't forget to include this scenario in your Privacy Policy, namely that you'll use users' email addresses to communicate upcoming changes in your ToS or PP). Best practice is to inform your users 30 or 15 days before you roll out the changes, declaring what is going to be changed and why, and what impact this is going to have on the user. A second, friendly reminder can be sent out 8 days before the change. Even better if you either post or provide the raw text of the new Terms or Policy (e.g. via Pastebin or in email) along with a brief explanation of why it is necessary.

You shouldn't assume that your users visit your Privacy Policy or Terms of Service pages on a regular basis. It is your responsibility to inform them about proposed changes.

You should never forget that your user base is your greatest asset when operating a Mastodon instance. Mastodon is all about user participation, and it was built upon the foundation of "giving back control to the users". Or, as the Mastodon README[4] puts it: "[t]he social focus of the project is a viable decentralized alternative to commercial social media silos that returns the control of the content distribution channels to the people." It is vital for the integrity of the Mastodon philosophy that you let your users know what is going on and how they are in control. Please always remember that.

Thank you in advance.

Adam Paszternak
Mastodon user "since before it was cool"

---

[0] https://paszternak.me/about
[1] https://github.com/discourse/discourse/blob/e90187cbf72168fb75d8701005de279bea4026a1/config/locales/server.en.yml
[2] https://witches.town/
[3] http://www.yodaquotes.net/try-not-do-or-do-not-there-is-no-try/
[4] https://github.com/tootsuite/mastodon/blob/master/README.md