Terms of Use and Privacy Policy

[Zwyx]

Hi guys,

I noticed that you've been chatting about license recently.

This is great for the source code of PrivateBin, but there is another legal aspect that might need to be considered: Terms of Use and Privacy Policies for websites hosting PrivateBin.

I haven't seen any of these at privatebin.info, privatebin.net, or other instances.

Simply hosting might mean collecting user's IP addresses, which might mean having to declare it.

Also, Terms of use including limitation of liability might be important. Something saying "we do our best to provide a secure service, but we don't guarantee anything". Basically the MIT license.

I'm not sure about any of that. But I'm also creating web apps that I put online, so I asked two questions to learn more about our obligations.

So far, the answers don't satisfy me. It shows there is a lack of simple terms and privacy policies that people could use when they put an open source work online.

For source code, we have plenty of choice.
But when it comes to hosting a running version of this source code, I can't find anything simple.

Do you guys think that having terms of use and a privacy policy on PrivateBin's websites is important?

[elrido]

IMHO (and IANAL) that is a legal question and entirely depends on your hosts jurisdiction - it may be required by (local) law. It is entirely possibly to modify the template of your instance to add or replace, for example the footer with a legal blurb. Or, if it is shorter, or maybe with a link to a longer version, set the notice in the configuration file that gets displayed above the input field:

PrivateBin/cfg/conf.sample.php

Lines 47 to 48 in 6eb5fdc

	; (optional) notice to display
	; notice = "Note: This is a test service: Data may be deleted anytime. Kittens will die if you abuse this service."

Note that out of the box, the PrivateBin does not use cookies (one called "lang" gets used if you enable the language selection menu) or local storage (yet), so a cookie-banner, for example, is not necessary under GDPR. On the other hand, IPs and other client meta data may (or must, like in CH) get logged. I've so far never considered adding a note reg. the access logs on any of my services, since it is best practice to do so in any networked service and the only question open to debate is for how long these get kept before rotated into nirvana (to me a week is enough, but CH authorities insist on 6 months).

[Zwyx]

Thank you for your reply. It is indeed a legal question (and we are both not lawyers 😄) but I think it doesn't not only depends on your hosts jurisdiction. I think it also depends on the jurisdiction of your users (so basically any jurisdiction on the planet): as you said, if we store cookies, we have to show a banner for our users coming from the EU.

Apart from the privacy policy, what also concerns me is liability. Let's take an example:

• a new version of PrivateBin is published, but it contains a bug that make it store plaintext data in the server,
• someone uses an instance hosting this new version,
• their sensitive data gets stolen, and that cause millions of losses for their company.

In this case, could the owner of the instance by liable?

We could maybe prevent that by adding a simple notice, as you suggested, containing a link to a file in the repo that say somethings like « Our website and service are provided "as is", and we make no guarantees that they always will be safe, secure, or error-free, that they will function without disruptions, delays, or imperfections or content will be accurate, current and complete. To the extent permitted by law, we also disclaim all warranties, whether express or implied, including the implied warranties of merchantability, fitness for a particular purpose, title and non-infringement in relation to the website, the services and their content. »

[elrido]

It would be total news to me that the jurisdiction of your users has any impact on your service. Isn't this how the big GAFAM services have always refuted any of the EUs attempts to force them to be more privacy compliant? Only when services get threatened to get blocked will they usually concede to bow to jurisdictions outside of their origin, like when Google started to apply censorship to their services in some, to them, important markets.

Liability is absolutely out of the question. The zlib-license (which PrivateBin is licensed under) clearly states:

This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.

Sure, you may still get dragged into a court case under your proposed scenario, but, assuming a fair legal process, it should be possible for you to show that you didn't hide what software your service was based on and refer to the software license which is publicly available.

If you do have your (valid) doubts, as said, you can totally add such a disclaimer to your instance, either with the configuration option for the notice on top, of via a small change to your HTML template file in any position of your choosing.

[Zwyx]

Oh yes you must be right about the jurisdiction: only when their services are threaten to be blocked, big companies will improve privacy. It wasn't legally required. Thank you. This clears things up for me.

I agree with you for the liability: if I have doubts, I'll add a disclaimer myself 🙂 I would just add that, just FYI, I'm pretty sure the zlib license only applies on the source code (for instance, when someone get the source code and run it themselves). It doesn't apply when someone accesses a running PrivateBin instance.

[HarisUmair001]

[elrido]

Here, have a fish: 🐟 ;-)

Should this by any chance not have been meant sarcastically, you can of course do that as per the standard internet process: Do a whois lookup on each of the domains in question, grab the abuse email address and report your issue.

[HarisUmair001]

idk how to do that much. i already reported that to UK, USA, UN, and my country child care. but its been 2 months and nothing has been resolved

the person is using redirecting link to private bin and then to other sources on linkvertise (cant report file coz it get changed every 24 hour)
(sorry about my english and little to no knowledge. I am kinda dumb and stuck. : )

[elrido]

Just to clarify: This is a software development project - We here do not run any software instances (websites) outside of the privatebin.net demo. If you have any paste URL to report on privatebin.net, send us an email to our abuse email address, as per whois record or to [email protected].

In general though, just sharing links will rarely be considered an issue (assuming the link URLs themselves contain no legally problematic words). You better tackle the root of your issue at the source. If all those pastes contain links to linkvertise, why not report the links on that services abuse address or get those accounts flagged or whatever?

In any case, this is not the right audience nor place to deal with your issue, sorry.

[HarisUmair001]

Thank you for sharing the email. yes indeed the link was on "privatebin.net". I will mail right away.
I am sorry if i caused you any trouble. I should have mentioned that the instance was on the "privatebin.net".
Also it would be kind of you if you can add a dedicated "contact us" or "reach us" button on your website.

Thank you : )