Table of Contents
- Definitions
- Introduction
- Terms of Service and Privacy Policy Documents
- Terms of Service and Privacy Policy Change Notification
- Process for Terms of Service Enforcement
- Transparency About Terms of Service Enforcement
- Identity Policy
- Security Oversight
- Third-Party Requests for User Data
- Data Control
- Data Collection
- Minimal Data Collection
- Data Use
- Data Retention and Deletion
- Threat Notification
- User Notification About Third-Party Requests for User Information
- Transparency Reporting
- Governance
- Open Source
- Interoperability
- Ownership
- Resale
- Functionality Over Time
- Privacy by Default
- Best Build Practices
- Authentication
- Encryption
- Known Exploit Resistance
- Vulnerability Disclosure Program
- Security Over Time
- Product Stability
- Personal Safety
- Open Innovation
- Business Model
- Repair Accessibility
- Repair Penalty
- Data Benefits
Process for Terms of Service Enforcement
Criteria: I know how, when, and why the company or organization unilaterally closes user accounts and/or restricts access to services.
See this test in action:
Indicators
- The company or organization clearly explains what types of activities it does not permit.
- The company or organization clearly explains why it may restrict a user’s account.
- The company or organization clearly discloses the mechanisms it uses to identify accounts that violate the rules.
- The company or organization clearly discloses whether any non-government and non-judicial entities receive priority consideration when identifying accounts to be restricted for violating the company’s rules, and if so, how that priority status is conferred.
- The company or organization clearly explains its process for enforcing its rules.
- The company or organization provides clear examples to help the user understand what the rules are and how they are enforced.
Methodology for Assessing Each Indicator
1) The company or organization clearly explains what types of activities it does not permit.
- Obtain and review the product’s terms of service.
- Review the product’s terms of service for language listing specific activities that are not permitted.
- If a list of types of activities the company does not permit is included in the terms of service, mark PASS.
- If a list of types of activities the company does not permit is not included in the terms of service, mark FAIL.
2) The company or organization clearly explains why it may restrict a user’s account.
- These restrictions may be different than those listed in the types of activities that the terms of service will and won’t permit. For example, some activities that violate the terms of service could result in a content takedown, others may result in closing a user’s account.
- If there is a list of reasons available in the terms of service, mark PASS.
- If there is not a list of reasons available in the terms of service, mark FAIL.
3) The company or organization clearly discloses the mechanisms it uses to identify accounts that violate the rules.
- If information about these mechanisms is available in the terms of service, mark PASS.
- If information about these mechanisms is not available in the terms of service, mark FAIL.
4) The company or organization clearly discloses whether any non-government and non-judicial entities receive priority consideration when identifying accounts to be restricted for violating the company’s rules, and if so, how that priority status is conferred.
- This indicator does not ascribe value to whether actors receiving, or not receiving, priority consideration is a positive or negative for consumer privacy and security. Therefore, if we are using pass as a signal of adhering to best practices, it is unclear what our ideal situation is.
- If the company does not provide information about any sort of priority status, whether they provide that status or not, then they would fail the test. For privacy and security purposes it would be preferable that companies not provide any sort of priority consideration, but as this indicator is written, they would not receive any credit for treating all requests equally should they fail to include that stipulation in their terms of service.
- If this information is available in the terms of service, mark PASS.
- If this information is not available in the terms of service, mark FAIL.
5) The company or organization clearly explains its process for enforcing its rules.
- If information about these mechanisms is available in the terms of service, mark PASS.
- If information about these mechanisms is not available in the terms of service, mark FAIL.
6) The company or organization provides clear examples to help the user understand what the rules are and how they are enforced.
- If examples are available in the terms of service, mark PASS.
- If examples are not available in the terms of service, mark FAIL.