Privacy Policy and TOS Links #1533

Closed
tjrgg opened this issue Apr 22, 2020 · 40 comments

@tjrgg

tjrgg commented Apr 22, 2020

I'd like to see Discord applications have OPTIONAL fields to specify links for a privacy policy and terms of service for the application in the developer portal for developers who may have them. The purpose of this would be to allow users to have proper notice if using a developer's bot is subject to any conditions and give notice to users of the developer's privacy practices, including what end user data the bot developer collects and how they use that end user data.

Discord could then use the links provided to notify the user via the authorization flow to let users know that the application/bot they are authorizing is subject to these additional terms and policies.

I think it's also worth pointing out that many of the questions that are asked as part of the bot verification process could probably be answered if they were able to review a developer's privacy policy, the same one which users would see.

In closing, I believe that this would be a valuable change for both developers and end users. Developers will more easily be able to communicate the rules of using their bot, while users will be informed of the developer's privacy practices. Additionally, Discord can also review developer's privacy policies to ensure that they are in line with Discord's own privacy policy and comply with the developer terms.

--

EDIT: This feature request is trying to solve the problem of users being able to add bots and not being presented with the developer's privacy policy before it starts processing end user data. For example, the user is given no notice about who the developer of the bot is, what information that developer collects with their bot, and how that information is going to be used. You might potentially be able to find a website for the bot with this information or it might be contained within the bot, but both of those aren't great solutions. For the former, the end user might not know about such a site and for the latter, the bot is already processing end user data before they have a chance to know the full terms and policy. Both of those are inadequate, in my opinion.

EDIT: For the avoidance of doubt, this proposal is NOT intended to require developers to have their own privacy policy or terms. My proposal is only an attempt to solve a problem for developers that already have their own privacy policy or terms from being able to give proper notice to end users. For further clarification, when I refer to an "end user", I'm referring to a server owner or administrator that adds a bot, not every member of a guild.

@SinisterRectus
Contributor

I don't like the idea of being contractually obligated to visit an external site for an application that could otherwise be served entirely through https://discordapp.com.

@pedrofracassi
Contributor

> I don't like the idea of being contractually obligated to visit an external site for an application that could otherwise be served entirely through discordapp.com.

Maybe add fields for the Privacy Policy and ToS text and serve it through Discord?

@Greenfoot5

Would this be something developers have to do? Or would it be optional to non-verified but required for verification?
Also, I think for some developers (myself included) it could be very difficult to make something like this as we have no experience. While tools may be made, they will likely also take time to make and in the meantime it could confuse many developers that don't have a need (currently) to focus on the legal side of things.

@SinisterRectus
Contributor

SinisterRectus commented Apr 22, 2020

> Maybe add fields for the Privacy Policy and ToS text and serve it through Discord?

Maybe.

I'm not a lawyer, but the idea sounds like it requires Discord to legally endorse a bot or a bot's policies, which seems contrary to the ToS:

> You shall include in your Applications, website and other relevant locations a disclaimer stating that your Applications, website or any services is or are not endorsed or created by Discord.

@Tropony
Contributor

Tropony commented Apr 22, 2020

It would be pretty useful simply to have a free-text "about this bot" field in the bot settings page, and a UI that allows end users to access that text in a common way -- e.g. from the bot's profile popup.

Dedicating it specifically to ToS and privacy policy is probably best avoided -- it seems to imply a small can of worms, as Sinister points out. However, just having a standard place to look for usage instructions for a bot would be a UX improvement. If we imagine a size limit of 2000 characters (like an ordinary Discord post), there would be plenty of space to link to several kinds of off-site documentation. A privacy policy could be a natural part of that for bots that want to disclose one. (It could be considered whether having one should be a condition for verification, but that is not essential for the general feature to be useful).

I don't think viewing the information should be restricted to the Oauth flow where the bot is added. Such metadata will also be interesting for ordinary members of a guild that contains the bot -- and even guild admins have no easy way to get back to the authorization screen if they wish to see the documentation again after several months and no longer remember where they found the original joining link.

@advaith1
Contributor

> It would be pretty useful simply to have a free-text "about this bot" field in the bot settings page, and a UI that allows end users to access that text in a common way -- e.g. from the bot's profile popup.

could just use the existing application description field and show it in more places (currently it only shows in the Authorized Apps settings page)

@Tropony
Contributor

Tropony commented Apr 22, 2020

> could just use the existing application description field and show it in more places (currently it only shows in the Authorized Apps settings page)

That would indeed go a long way.

However, I think that for an app that both asks some users to authenticate with Oauth2 and has a bot present in a guild, a user wondering "what is this app I authorized for my account?" will generally need a different kind of answer than the user who wonders "what is this bot I see in the user list in the server where I'm chatting?" So it will be even more useful to have an opportunity for them being different.

@tjrgg
Author

tjrgg commented Apr 22, 2020

> I don't like the idea of being contractually obligated to visit an external site for an application that could otherwise be served entirely through https://discordapp.com.

I'm not sure I understand what you mean. I'm not proposing any new contractual obligations. I'm only proposing that Discord give developers a way to notify users of the developer's privacy practices and conditions. I brought up consideration for a requirement for verified bots, but that's less important to me than the ability to put the links in and allow users to receive notice through Discord.

> > Maybe add fields for the Privacy Policy and ToS text and serve it through Discord?
>
> Maybe.
>
> I'm not a lawyer, but the idea sounds like it requires Discord to legally endorse a bot or a bot's policies, which seems contrary to the ToS:
>
> > You shall include in your Applications, website and other relevant locations a disclaimer stating that your Applications, website or any services is or are not endorsed or created by Discord.

Nothing about this is me suggesting Discord endorse anything. Only that Discord provide a link to the developer's policies as notice to the end user during the authorization flow.

@tjrgg
Author

tjrgg commented Apr 22, 2020

> It would be pretty useful simply to have a free-text "about this bot" field in the bot settings page, and a UI that allows end users to access that text in a common way -- e.g. from the bot's profile popup.
>
> Dedicating it specifically to ToS and privacy policy is probably best avoided -- it seems to imply a small can of worms, as Sinister points out. However, just having a standard place to look for usage instructions for a bot would be a UX improvement. If we imagine a size limit of 2000 characters (like an ordinary Discord post), there would be plenty of space to link to several kinds of off-site documentation. A privacy policy could be a natural part of that for bots that want to disclose one. (It could be considered whether having one should be a condition for verification, but that is not essential for the general feature to be useful).
>
> I don't think viewing the information should be restricted to the Oauth flow where the bot is added. Such metadata will also be interesting for ordinary members of a guild that contains the bot -- and even guild admins have no easy way to get back to the authorization screen if they wish to see the documentation again after several months and no longer remember where they found the original joining link.

I agree with most of what you're saying here. Perhaps bots could be added to the applications part of user settings where this information could go?

@tjrgg
Author

tjrgg commented Apr 22, 2020

> Would this be something developers have to do? Or would it be optional to non-verified but required for verification?
> Also, I think for some developers (myself included) it could be very difficult to make something like this as we have no experience. While tools may be made, they will likely also take time to make and in the meantime it could confuse many developers that don't have a need (currently) to focus on the legal side of things.

My thought is it would simply be an option, however, it's something I wouldn't mind seeing as a requirement for verified bots. I'm only suggesting it as a feature though, not as a requirement.

@SinisterRectus
Contributor

My opinion is that the inclusion of third-party terms of service or privacy policies, or references to them, as an official part of a bot's authorization flow effectively requires users to agree to them when adding the bot to a server, or maybe when directly interacting with the bot or when sharing a server with the bot. I do not think it is a good idea to require Discord users to agree, sometimes implicitly, to arbitrary third-party terms or policies that can be abusive, changed at-will, and/or written by someone with no legal education or background. This could be ameliorated by having Discord verify the terms, but I suspect that this would require some sort of legal endorsement.

@tjrgg
Author

tjrgg commented Apr 22, 2020

@SinisterRectus Fair enough, man. I don't particularly agree, but I do understand your point. I am of the opinion that any public bot should already have these things and this would be a way to give users more proper notice that inviting the bot to a server is subject to them.

I would prefer something like this over a makeshift solution, which I'm having to do now. There are plenty of other services where this kind of feature is standard. In fact, many of them require that you have at least a privacy policy. This isn't a new concept.

@LikeLakers2
Contributor

LikeLakers2 commented Apr 22, 2020

> I do not think it is a good idea to require Discord users to agree, sometimes implicitly, to arbitrary third-party terms or policies that can be abusive, changed at-will, and/or written by someone with no legal education or background.

@SinisterRectus Please take what I'm about to say, with the knowledge that I am not a lawyer, and that I may not be fully correct. (However, I think I know enough to at least have confidence in what I'm saying)

This is not how the law works.

A developer cannot simply make a change to the contract, and suddenly make that change apply retroactively to every user. If they want to make a change to the contract, users have to be given a chance to decline that change in some way (i.e. not continuing to use the bot, for example by kicking it) -- and on top of that, the link to the ToS has to be made clearly visible. Trying to hide a ToS, only to then try to enforce it, is a recipe for disaster -- Redbox tried it, and it didn't work out for them, so why would it work for bot developers?

Then, on top of that, abusive contracts are already a hassle to enforce. Courts aren't usually stupid -- most of them can recognize when a contract is full of BS, or when something clearly isn't fair... and even when a contract isn't full of BS, they can recognize when a person's objection makes sense. To try to make abusive contracts even conceivably work, you would need lawyers the size of Disney's legal, and even that might not be enough.

And as for "written by someone with no legal education or background"... I feel like we could both agree that someone doing that would be a bad idea, no questions asked. It's like trying to write a program without any programming knowledge -- yeah, copying off stackoverflow could work, but if you want to make sure it actually lives up to what you want it to be, you need someone with experience in programming.


This is all assuming that someone even wants to use these links -- to me, the problem I see with this feature, is that I don't see it being used by anything but the big bots (you know, the ones that already direct you to their own website). The hassle of hiring a lawyer would already be too much for most people... and even then, there would be no point to writing a contract, as it's already a given that a user abusing a bot (or a bot abusing a user) wouldn't be allowed.

@SinisterRectus
Contributor

@LikeLakers2 Just to clarify, are you saying that we should not be concerned about agreeing to terms/policies because they are not enforceable when poorly administered?

@LikeLakers2
Contributor

LikeLakers2 commented Apr 22, 2020

@SinisterRectus I can't say whether some terms/policies are enforceable "poorly administered" or not, because saying something is "poorly administered" requires considering a lot more than just a hunch. It needs to consider the specifics of the terms/policies, as well as the circumstances surrounding it, and possibly more.

All I can say for sure is that abusive contracts are probably unlikely to hold up in court, and that contracts can't just... be changed, as both signers of the contract need to know what they're getting into, and need to be given a chance to say "no".

That said: You should always be concerned about agreeing to terms/policies (even when it's with someone you trust, or a company you trust, like Discord), because the law is very finicky. I am just explaining that the common perception of terms/policies (that they can be as abusive as they want), a perception that I thought you were sharing based on what I quoted, is wrong.

(edit: mixed up my words in the first sentence, my bad)

@SinisterRectus
Contributor

I don't disagree with you, I'm just saying that, when using a Discord bot and if given the opportunity, I'd rather not agree to potentially bogus terms than have to agree with them and later prove that they are bogus.

@LikeLakers2
Contributor

LikeLakers2 commented Apr 22, 2020

You could have that same problem with websites, though. So I'd have to ask, and I mean this in an honestly curious manner: What difference do you feel there is between a Discord bot having terms/policies, and a website having terms/policies? Is it that the bot feels more likely to have bogus terms?

@SinisterRectus
Contributor

SinisterRectus commented Apr 22, 2020

Not sure how to answer that question since I'm not sure of the relevance. I don't think that there is a meaningful difference.

Maybe if someone can give a scenario where a Discord user would need to be "subject to additional terms and policies" by adding or using a Discord bot, or why the standard Discord terms do not cover "what end user data the bot developer collects and how they use that end user data", then I can better understand this. Keep in mind you don't have to convince me, I'm just curious at this point.

@mr-tech
Contributor

mr-tech commented Apr 22, 2020

I am curious if this feature request is attempting to solve a problem, or is a matter of convenience for the end user (when a developer chooses to opt into the system by providing said links).

If the former, then the point Sinister brings up 'why the standard Discord terms do not cover "what end user data the bot developer collects and how they use that end user data"' would need to be addressed.

If the latter, then it sounds like a matter of personal opinion that bots should be encouraged to produce some kind of privacy policy or ToS.

Edit: Nothing wrong with personal preference. Would just shine some perspective on the intent behind the feature request and possibly rule out any XY problems.

@tjrgg
Author

tjrgg commented Apr 22, 2020

> I don't disagree with you, I'm just saying that, when using a Discord bot and if given the opportunity, I'd rather not agree to potentially bogus terms than have to agree with them and later prove that they are bogus.

This is avoided by reading the terms and understanding what you're agreeing to. If you don't like them or think they're bogus, don't agree and find another bot. Frankly, there's plenty out there and they'll all likely have different terms.

> I am curious if this feature request is attempting to solve a problem, or is a matter of convenience for the end user (when a developer chooses to opt into the system by providing said links).
>
> If the former, then the point Sinister brings up 'why the standard Discord terms do not cover "what end user data the bot developer collects and how they use that end user data"' would need to be addressed.
>
> If the latter, then it sounds like a matter of personal opinion that bots should be encouraged to produce some kind of privacy policy or ToS.
>
> Edit: Nothing wrong with personal preference. Would just shine some perspective on the intent behind the feature request and possibly rule out any XY problems.

This feature request is trying to solve the problem of users being able to add bots and not being presented with the developer's privacy policy before it starts processing end user data. The user is given no notice about who the developer of the bot is, what information that developer collects with their bot, and how that information is going to be used. You might potentially be able to find a website for the bot with this information or it might be contained within the bot, but both of those aren't great solutions. For the former, the end user might not know about such a site and for the latter, the bot is already processing end user data before they have a chance to know the full terms and policy. Both of those are inadequate, in my opinion.

@tjrgg
Author

tjrgg commented Apr 22, 2020

> > I do not think it is a good idea to require Discord users to agree, sometimes implicitly, to arbitrary third-party terms or policies that can be abusive, changed at-will, and/or written by someone with no legal education or background.
>
> @SinisterRectus Please take what I'm about to say, with the knowledge that I am not a lawyer, and that I may not be fully correct. (However, I think I know enough to at least have confidence in what I'm saying)
>
> This is not how the law works.
>
> A developer cannot simply make a change to the contract, and suddenly make that change apply retroactively to every user. If they want to make a change to the contract, users have to be given a chance to decline that change in some way (i.e. not continuing to use the bot, for example by kicking it) -- and on top of that, the link to the ToS has to be made clearly visible. Trying to hide a ToS, only to then try to enforce it, is a recipe for disaster -- Redbox tried it, and it didn't work out for them, so why would it work for bot developers?
>
> Then, on top of that, abusive contracts are already a hassle to enforce. Courts aren't usually stupid -- most of them can recognize when a contract is full of BS, or when something clearly isn't fair... and even when a contract isn't full of BS, they can recognize when a person's objection makes sense. To try to make abusive contracts even conceivably work, you would need lawyers the size of Disney's legal, and even that might not be enough.
>
> And as for "written by someone with no legal education or background"... I feel like we could both agree that someone doing that would be a bad idea, no questions asked. It's like trying to write a program without any programming knowledge -- yeah, copying off stackoverflow could work, but if you want to make sure it actually lives up to what you want it to be, you need someone with experience in programming.
>
> This is all assuming that someone even wants to use these links -- to me, the problem I see with this feature, is that I don't see it being used by anything but the big bots (you know, the ones that already direct you to their own website). The hassle of hiring a lawyer would already be too much for most people... and even then, there would be no point to writing a contract, as it's already a given that a user abusing a bot (or a bot abusing a user) wouldn't be allowed.

I appreciate your thoughts and agree with what you've said for the most part. I would like to point out, however, that bots aren't able to direct you to their own website until after they're added to a guild, which isn't always the case. It also can't be assumed.

The hassle of hiring a lawyer is beyond the scope of this feature request and irrelevant, in my opinion. It's also true that your access to the API is governed by Discord's developer terms, but that's the relationship between you and Discord, not you and the end user. The end user has no way of knowing who you are as a developer and what you're doing with their information, which they have a right to know, in my opinion.

@mr-tech
Contributor

mr-tech commented Apr 23, 2020

> This feature request is trying to solve the problem of users being able to add bots and not being presented with the developer's privacy policy before it starts processing end user data. The user is given no notice about who the developer of the bot is, what information that developer collects with their bot, and how that information is going to be used. You might potentially be able to find a website for the bot with this information or it might be contained within the bot, but both of those aren't great solutions. For the former, the end user might not know about such a site and for the latter, the bot is already processing end user data before they have a chance to know the full terms and policy. Both of those are inadequate, in my opinion.

I don't mean to be facetious when I say that there is already a solution to the problem you have presented: don't add the bot if you can't find any docs on how it uses your data and that concerns you. If you are concerned with how a particular developer, organization, company, etc. is using data and/or you are wary about lack of documentation on such, then don't participate. It is your choice.

Is there more to it? Maybe that bot developers are held more accountable somehow or that there's convenience for the user in not hunting down docs? You already stated that the feature request would not be enforceable. Anybody could write anything. Putting that thought aside, you said it could help Discord determine how a bot uses various data, but that's already being solved with the verification process and the "privilege-itization" of certain data. I'd say there's a good chance that Discord is going to go further along the privileged intent route and message content and the like will also be put behind "need-to-know". I would say that if your concern is the wrong people having access to data, you should be aiming to restrict that access further rather than have average joeshmoe opt-in by slapping a self-made label on it.

I'm not ignoring the idea of new cultural norms developing, and in order to be a "reputable bot" the norm could eventually evolve that users expect developers to have a link to a boilerplate privacy policy (regardless of whether or not they know you as a developer and can trust that your privacy policy is even remotely truthful). I'm also not convinced that this will solve a problem that exists beyond convenience.

So let me rephrase my earlier questioning:

> This feature request is trying to solve the problem of users being able to add bots and not being presented with the developer's privacy policy before it starts processing end user data.

Keeping in mind that adding a bot to a guild is the user's choice, why do you feel that a user not being presented with a Privacy Policy when adding a bot to a guild is a problem that needs solving? Another way of asking that is, what is it about a Privacy Policy that assuages your concerns in the process of adding a bot to a guild? (The answer should be beyond "transparency" because transparency is as clear as mud if you have no other reason to trust the person behind the Privacy Policy.)

@tjrgg
Author

tjrgg commented Apr 23, 2020

@mr-calrissian In my view, the solution you've stated isn't a solution at all. It isn't the user's responsibility to try and find this information. As a developer of an application that uses end user data, it is my responsibility to ensure that the end user receives notice. It's less of a convenience to end users than it is an easier way to comply with privacy laws for developers.

If you think what you're doing as a developer is good enough, then by all means keep doing what you're doing. Personally, I don't think that what you've suggested as a solution is good enough to provide users proper notice. The ability to provide users advance notice would make me more comfortable that I'm being compliant with privacy laws as a business owner. I can implement a solution to do this, but this would be more favorable for both me as a developer and for an end user.

@tjrgg
Author

tjrgg commented Apr 23, 2020

> Not sure how to answer that question since I'm not sure of the relevance. I don't think that there is a meaningful difference.
>
> Maybe if someone can give a scenario where a Discord user would need to be "subject to additional terms and policies" by adding or using a Discord bot, or why the standard Discord terms do not cover "what end user data the bot developer collects and how they use that end user data", then I can better understand this. Keep in mind you don't have to convince me, I'm just curious at this point.

@SinisterRectus @mr-calrissian Sorry, I missed this when I was reading through the comments.

The policies and terms of Discord apply between end users and Discord, not developers and end users. The end user receives no notice of who the developer is, what information the developer collects and uses, and how the developer specifically uses the information for their bot and the Discord policies don't cover this. The developer terms governs bots, but that's between the developer and Discord. The end user is not party to that agreement. It's also worth noting that any terms or policies from the developer need to comply with Discord's policies pursuant to the developer terms. This means that while a developer cannot enact policies that are contrary to Discord's own policies, a developer can enact policies that are more stringent.

@SinisterRectus
Contributor

Your original proposal appeared to me to impose additional, external conditions, terms, or policies on bot users supplementary (rather than complementary) to the Discord ToS and privacy policy:

> Of course, it wouldn't be good enough to just have the fields in the application settings. Discord should use the links provided to notify the user via the authorization flow to let users know that the application/bot they are authorizing is subject to additional terms and policies.

That is what I do not agree with.

However, simply clarifying what data a bot collects and the user's rights to that data, in accordance with Discord's privacy policy, could be a good thing if done right.

I've meddled enough in this issue, so this will probably be my last comment on it.

@tjrgg
Author

tjrgg commented Apr 23, 2020

@SinisterRectus I'm not suggesting that bot developers impose additional terms and policies because this can be done already and often is with large bots. The issue is that end users don't always receive proper notice that adding a bot is subject to those terms and policies. Put another way, my proposal would allow users to receive notice when additional terms and policies exist before adding a bot to a guild instead of no notice at all. It's better for everybody if end users receive this notice before a bot starts to collect and process end user data.

To clarify, my proposal is only to present notice to the guild owner or administrator that adds the bot to their server, not every single user in the guild, in case there's any confusion there.

Just to provide an example of why you may want your own terms, Discord's terms of service do nothing to limit a developer's liability for damages your bot may cause to the end user. Discord only protects their own liability. You have to protect your own. Having your own terms helps do this.

@tjrgg
Author

tjrgg commented Apr 23, 2020

For the avoidance of doubt, this proposal is NOT intended to require developers to have their own privacy policy or terms. I'm proposing these fields as OPTIONAL fields for those that might want to use them. I've updated the description to better reflect this.

@night changed the title from "[Feature Request] Privacy Policy and TOS Links" to "Privacy Policy and TOS Links" on May 26, 2020

@tjrgg
Author

tjrgg commented Jul 1, 2020

Now that the language of the new Developer TOS from #1780 requires a privacy policy to be provided, I'm wondering if there'll be a change that allows developers to provide a link to that privacy policy to the end user when they add a bot to their server.

@Andre601
Contributor

Andre601 commented Jul 4, 2020

> Now that the language of the new Developer TOS from #1780 requires a privacy policy to be provided, I'm wondering if there'll be a change that allows developers to provide a link to that privacy policy to the end user when they add a bot to their server.

I personally see complications with this, as this would require the policy to be stored somewhere (like a website, or a message in a text channel) that not everyone would have access to.
My guess is that you can simply add a command to your bot that links to the policy, or that prints it directly. Separately, you could also make your bot send a message about you complying with its policy while using the bot (like a cookie notice on the website when you visit it for the first time).

@tjrgg
Author

tjrgg commented Jul 4, 2020

> I personally see complications with this, as this would require the policy to be stored somewhere (like a website, or a message in a text channel) that not everyone would have access to.
> My guess is that you can simply add a command to your bot that links to the policy, or that prints it directly. Separately, you could also make your bot send a message about you complying with its policy while using the bot (like a cookie notice on the website when you visit it for the first time).

This doesn't make any sense to me. Of course the link would have to be stored. How else would Discord be able to present the link to your privacy policy to end users?

Why wouldn't someone have access to a privacy policy? You have an obligation to make sure your end users can access the link to the privacy policy, so end users should have no problem accessing it. A Discord channel/message is not the best place for a privacy policy, in my opinion.

Finally, your suggestions don't address the problem that the issue addresses and that's the user should be informed of the privacy policy and any terms of using a bot BEFORE it is added to their server and the bot starts to receive user data. The only way to do that is to give notice to the user when they're adding the bot via the oauth flow.

@Skye-31

Skye-31 commented Jul 4, 2020

> Finally, your suggestions don't address the problem that the issue addresses and that's the user should be informed of the privacy policy and any terms of using a bot BEFORE it is added to their server and the bot starts to receive user data. The only way to do that is to give notice to the user when they're adding the bot via the oauth flow.

I agree, there should be an area in the developer portal where we can specify a link to the privacy policy. This link could then show up on the OAuth page when adding the bot. To extend this, perhaps it could even appear on the bot's profile?

@Andre601
Contributor

Andre601 commented Jul 4, 2020

> This doesn't make any sense to me. Of course the link would have to be stored. How else would Discord be able to present the link to your privacy policy to end users?

I'm not talking about how Discord would present/store the info, but rather how you would do it.
Not everyone can have a dedicated website to just show this and not everyone wants to, so most people will either make a message about this and link to it, or a dedicated command listing this info.

> Why wouldn't someone have access to a privacy policy? You have an obligation to make sure your end users can access the link to the privacy policy, so end users should have no problem accessing it. A Discord channel/message is not the best place for a privacy policy, in my opinion.

Tell that to all the 13+ people that made a bot now. How many won't even make a policy because of their "fuck this shit. I don't care" mindset?
And it wasn't really an obligation to have one until Discord now made it one.

> Finally, your suggestions don't address the problem that the issue addresses and that's the user should be informed of the privacy policy and any terms of using a bot BEFORE it is added to their server and the bot starts to receive user data. The only way to do that is to give notice to the user when they're adding the bot via the oauth flow.

I just listed possible solutions people might take here.
A dedicated link would for sure be something useful, but I don't really see a large benefit of this. It would be yet another wall of text a person would skip over, or did you really read the entire ToS of every service and site you use?

@night
Contributor

night commented Apr 5, 2021

We have added privacy policy and terms of service link support in the developer portal.

@night closed this as completed on Apr 5, 2021
@tjrgg
Author

tjrgg commented Apr 5, 2021

> We have added privacy policy and terms of service link support in the developer portal.

@night Awesome, thank you. Do you happen to know when and where these links will be shown to the end user?

@Andre601
Contributor

Andre601 commented Apr 5, 2021

> > We have added privacy policy and terms of service link support in the developer portal.
>
> @night Awesome, thank you. Do you happen to know when and where these links will be shown to the end user?

They should appear in the OAuth Screen when inviting the bot to my knowledge.

@tjrgg
Author

tjrgg commented Apr 9, 2021

> They should appear in the OAuth Screen when inviting the bot to my knowledge.

@Andre601 I'm not seeing them on bot OAuth screens, are you?

@advaith1
Contributor

advaith1 commented Apr 9, 2021

They're currently only shown on the OAuth screen for embedded applications; they'll likely be shown for all applications in the future.

@Tropony
Contributor

Tropony commented Apr 9, 2021

It would be nice if there were a way to get the privacy policy link for an ordinary member of a server the bot is in, who is not himself authorizing anything with OAuth.

@advaith1
Contributor

They are now shown on the OAuth screen for all applications, and if the application has a dev license, the set developer name shows instead of "The developer".

@Nicat-dcw

Yeah
