2818

Update (April 19, 2016): This change is now live. You can view the updated Terms of Service here, or read about them below.


tl;dr:

We’re planning to make some changes to our Terms of Service to stop companies from scraping profile information from multiple websites and spamming users. The changes only restrict a specific kind of commercial use of profile data that is scraped or copied from our site without the user’s permission. The changes don’t impact Q&A content (like posts or comments) in any way.

What’s happening:

A number of companies seem to have the following business plan:

  1. Use scrapers, bots, or very cheap labor to collect developers’ profile information from sites like Stack Overflow

  2. Merge that information with profiles they find on other sites (open source contributions, LinkedIn, etc.)

  3. Create a huge database of spammable users

  4. Sell this database as a "careers product" to slimy recruiters to use for spamming purposes (often telling those recruiters that these developers are their "members")

  5. Profit!

Why it’s bad:

  • We don’t want any more of our users to get annoyed and spammed by these bozos people.

  • It’s directly competing with our jobs business. We’ve built a jobs site that respects developers and puts them in control of when they are contacted. We don’t appreciate competitors who take our users’ data without their permission and don’t show developers the same respect.

We believe that developers should have full control over how their personal information is used, and whether or not they want to be contacted by recruiters. Acting in the developer’s interest is one of the central tenets of Stack Overflow Jobs. That means we don’t allow spam, and we put developers fully in control of who can (and can’t) contact them. So we find it pretty infuriating to see companies whose entire business model is scraping our users’ info and spamming them.

What’s changing:

The following will be explicitly prohibited in the Terms of Service, and applies to all sites in the Stack Exchange network:

Scraping users’ profile info for commercial purposes:

Profile Content that is NOT available via the Stack Exchange API ("Personal Profile Content") cannot be used for any commercial purpose, individually or in aggregate, or be republished without the explicit consent of the author of such Personal Profile Content or the explicit consent of Stack Exchange.

We were very careful in how we worded this in order to ensure three things:

  1. We did not want to restrict normal user-generated content (posts, comments, etc.) in any way, or undermine one of our earliest promises: We don’t own your content, and if we turn evil, it’s available to you or someone else to liberate. (Did you know that the entire Stack Overflow data set is available as a creative-commons licensed downloadable data dump?)

  2. We didn’t want to restrict anyone using the API to access profile content innocently, for doing things like linking posts to users, etc. All content previously available through the API (usernames, rep, etc.) is still available.

  3. Nothing about this transfers any rights from our users to us. Users can even give permission for these "services" to scrape their profile info from our site. We don’t know why you would want to, but it’s there for ya if you do.

Today, this restricts just a handful of fields that are on the public profile, but not in the API (like "People Reached.") In the future, it will also cover the personal information in the Developer Story, including all public information about your career history.

Claiming users you found on Stack Overflow are your service’s "members":

Additionally, no Profile Content, including API Profile Content, may be used in any way that implies a user is affiliated with, has signed up for, or is in any way associated with a third party without explicit permission from Stack Exchange or the user.

Some users asked if, "without the explicit consent of the author... or the explicit consent of Stack Exchange" might mean that this granted us the right to opt you into some other organization's membership. Fear not - it grants us no new powers to put you on the membership rolls of the National Order of TRS-80 Enthusiasts (or any other org). All it says is that if a company has not gotten permission from one of us, they may be sure that they are in violation.

Creepy stuff, and we don’t have to debate what "creepy" means:

Stack Exchange may also terminate, block, or suspend any and all Services and access to the Network immediately, without prior notice or liability, in its sole discretion, for any reason or no reason at all

We don’t have to let anyone scrape our users' private data, and if they do so to harass or misrepresent our users, or do anything else that makes users’ lives even slightly less lovely, we have the right to block them. (This doesn’t really change anything - we already have the right to block malicious IPs, and do so occasionally, but our lawyers tell us that saying so explicitly in the ToS can save time dealing with bad actors.)

A couple of notes:

  • We plan to keep everything that's currently available through the API available in the future, although it’s possible that could change if we see companies annoying users in ways that seem to outweigh the benefits.

  • This has no impact on how "normal" content (posts, comments, etc.) is licensed on Stack Exchange. You may remember our prior proposal to change the license for code contributions. Our initial ideas for that were controversial, so we slowed that process down to give us time to work with the community on the best solution to code licensing.

Source materials:

Here are the key new sections, all in one place. (Many of these are excerpted above)

Profile Content is information about you (a Subscriber) that is contributed by you or inferred about you by your activity. Profile Content includes, but is not limited to, display names, reputation scores, avatars, your role and company, and other user generated content found on a Subscriber's profile such as "About Me" content.

Profile Content that is available via the Stack Exchange API ("API Profile Content") is perpetually and irrevocably licensed to Stack Exchange and its Subscribers under the Creative Commons Attribution Share Alike license.

Profile Content that is NOT available via the Stack Exchange API ("Personal Profile Content") cannot be used for any commercial purpose, individually or in aggregate, or be republished without the explicit consent of the author of such Personal Profile Content or the explicit consent of Stack Exchange.

Stack Exchange reserves the right to exclude Content, including Profile Content, from the Stack Exchange API at any time without prior notice.

Additionally, no Profile Content, including API Profile Content, may be used in any way that implies a user is affiliated with, signs up for, or is in any way associated with a third party without explicit permission from Stack Exchange or the user.

Under no circumstances will Subscriber use the Network or the Service to (a) send unsolicited e-mails, bulk mail, spam or other materials to users of the Network or any other individual, (b) harass, threaten, stalk or abuse any person or party, including other users of the Network, (c) create a false identity or to impersonate another person, or (d) knowingly post any false, inaccurate or incomplete material, or (e) copy, download, or scrape any Personal Profile Content for the purpose of indexing software engineers, social recruiting, sourcing, employment-related services, compiling databases of employment solicitation targets, providing content for a hiring platform without the express permission of Stack Exchange or the User.

And here’s a link to the current version, if you want to see what’s changing, or really like to read long-winded, lawyer-y stuff.

103
  • 214
    This is a pretty big problem. And that's only the latest report.
    – user50049
    Commented Mar 24, 2016 at 18:22
  • 34
    Just so I fully understand all this legal stuff: There is currently no button/link/checkbox or any other way in my profile to grant explicit consent to 3rd parties or SE to use my Personal Profile Content, right?
    – rene Mod
    Commented Mar 24, 2016 at 18:28
  • 57
    @Richard, legally speaking, that's not really new, it's just more explicit. It's basically, "Like any free site that hasn't guaranteed access for something, we reserve the right to block those we feel are misusing it." The language there doesn't really give us new rights in that regard, but since SOP for some of these guys is to stall when you challenge them by debating what's NOT in the ToS, saying it explicitly apparently saves time.
    – Jaydles Staff
    Commented Mar 24, 2016 at 19:01
  • 34
    @Richard They already had it.
    – ArtOfCode
    Commented Mar 24, 2016 at 19:05
  • 29
    Are you planning to terminate Google? <jaw drop> Commented Mar 24, 2016 at 19:24
  • 45
    "National Order of TRS-80 Enthusiasts"? I am intrigued by this possibility. Commented Mar 26, 2016 at 0:34
  • 80
    Thank you for not pretending like this has nothing to do with Jobs. A lot of companies will pretend like this was done exclusively for the users and it's nice to see the full truth (even if that truth isn't negative).
    – Jon
    Commented Mar 26, 2016 at 4:33
  • 37
    @TimPost: There's something that's concerned me regarding SO: for some bizarre reason, when I Google my full name and restrict it using site:stackoverflow.com, I get 1 result: my profile. This is pretty stunning because nowhere in the web have I put (or can I find) a link to my profile, and in fact, my last name does not appear on the page either. I literally cannot figure out how Google associates my last name with my profile, but I'm worried SO might've had a role in it. Is there any chance I could deeper into this with you or SO privately? (I don't want my full name here.)
    – user541686
    Commented Mar 26, 2016 at 7:35
  • 35
    How has a ToS ever stopped shady businesses from doing things they think they can get away with? Does stackoverflow plan to actively pursue legal action against anyone suspected of breaking the ToS?
    – Jacco
    Commented Mar 26, 2016 at 19:11
  • 15
    @Mehrdad That's nothing on our part, but Google does delight in showing you results that please you, particularly when you self-Google - that might be what's going on. To answer factually I'd need to work there and not sign a NDA, both parts of that are very unlikely :)
    – user50049
    Commented Mar 26, 2016 at 19:27
  • 9
    @Jacco We're dropping the headache of dealing with funded companies that like to argue that they aren't technically violating our terms (even though they are) while totally ignoring the intent of them. When you break a cottage industry with firewall rules, they really tend to scream :) This lets us ignore that.
    – user50049
    Commented Mar 26, 2016 at 19:29
  • 11
    "Stack Exchange may also terminate, block, or suspend any and all Services and access to the Network immediately, without prior notice or liability, in its sole discretion, for any reason or no reason at all" I think we do need to debate what creepy means Commented Mar 27, 2016 at 8:40
  • 10
    @pablo, that's what I'd have thought, but legally, it's probably wrong for cases like this. The key question tends to be if it's reasonable to think the party should know that there are relevant conditions for use of the content, and I'm told that if you run a company based on "borrowing" and re-publishing content, you'll be laughed out of court if you try to pull a "how could we know there were rules for how we could use that content???"
    – Jaydles Staff
    Commented Mar 28, 2016 at 13:24
  • 23
    I really appreciate that you are honest about this scraping conflicting with your business interest. Commented Apr 6, 2016 at 9:14
  • 29
    Terms of use changes to increase my privacy. Today must be opposite day!
    – toddmo
    Commented Apr 19, 2016 at 15:56

9 Answers 9

320

A few clarifications here.

The 'diff' here is minor, but not at all unimportant.

By 'minor' - we're simply saying that the scope of the change is small (in size), but not in importance. Think of it like a "minor edit" that makes a clear difference.

It clarifies how we've been executing and operating, while closing loops for bad actors to argue. I'm not sure what else to call it, small? That doesn't quite work either.

We've been doing this for a long time, that's nothing new.

Fun fact, AWS instances are restricted to using our API - they can't load full content pages. Amazon instances were restricted to our API. This was put in place to combat the hordes of SEO scrapers that were misusing our services. Better handling of scrapers in general let us relax this restriction, but it's an example of measures we take to combat evil robots.

We also drop traffic from hosts that send us bats**t-crazy numbers of requests per second without giving it another thought. This happens daily.

If we catch machines up to naughty things, we don't think twice about blocking them at the network level - we must.

But when people have built business models around scraping your profiles and information, they fight back significantly harder when we block them.

We want them to stop. They'd prefer a protracted game of rule-lawyering that puts them in a position similar to this:

neener neener neeeeeeener

They don't deserve that much time and attention from us. We'd rather give it to you. This change lets us block them at every occurrence, while alleviating us of the need to listen to any of the horses**t that ensues.

Think of it like a burglar so delusional that they complain about your door locks interfering with their profits, and thinks it's a totally valid gripe. Yeah.

This doesn't change how we handle behavioral concerns administratively.

Even spammers identified by our anti-spam system are allowed to read the site. We really hate using lower level blocks because of the risk of blocking actual humans.

This change in no way signifies that we're abandoning our long-held model of giving discussion every possible chance before reaching a series of timed suspensions of varying length. If there's any evidence that someone finds their account valuable for normal use of the site, we'll work with them to keep it. Sometimes this just doesn't work, but that's extremely rare, and nothing new.

Spammers & blatant trolls are zapped on sight, because they fail this pretty critical test of caring about their account and the normal use of the site that it enables.

As custodians of your trust, we must adapt over time.

This kind of crap needs to stop. We can't really define what 'creepy' is, but that's a pretty darn good example of it. When the actions of third-party bad actors result in folks questioning the trust that they've so graciously put in us, we must take measures.

I hope that's the last time for the foreseeable future that we have to touch that particular document. I don't know that it will be, I can't see into the future - but we will be very open and transparent about new problems that we need to solve and why they're important.

30
  • 18
    Why not embed this somehow in the announcement itself? Coming as answer, high chance people will miss it. Unless I miss something myself here? Commented Mar 25, 2016 at 7:05
  • 9
    @ShadowWizard I don't think it'll be missed, and we can always link to it if needed. Jay's announcement is really clear and to the point, and I think most people read what I've said here into that, this is here just in case folks were left wondering.
    – user50049
    Commented Mar 25, 2016 at 7:07
  • 13
    @PatrickHofman It's more of "Please stop emailing us with your BS, we're not unblocking you, go read the terms". In us being able to say "Nope, now go away and stop bothering us" it's going to be hugely effective :)
    – user50049
    Commented Mar 25, 2016 at 7:16
  • 4
    @PatrickHofman In other words, the DROP target in our firewall is very effective against stopping the scraping. This change calls a total halt to the "you're breaking my crummy, greedy, shady little business" rhetoric.
    – user50049
    Commented Mar 25, 2016 at 7:20
  • 1
    since people object to "minor update" wording, consider calling this change "adding clarification"
    – gnat
    Commented Mar 25, 2016 at 8:02
  • 13
    @JDługosz It's not SEO folks we're targeting here, we can deal with scrapers well enough. It's companies that see you participate on SO, and then endeavor to put as much information about you as they can for sale at a very high price to recruiters that spam the crap out of you. These are companies that notice you use gravatar and put a GPU farm to work to get your email, then mention us as being the source of it. It's a disgusting, bottom-feeding practice and we're going to put an end to it.
    – user50049
    Commented Mar 28, 2016 at 18:37
  • 6
    @Jaco I think he was directly referring to this beeing a way to dismiss people who actively complain about beeing blocked. These people then attempt to nitpick the ToS with things like "Well technically this doesn't say its explicitly forbidden, so you have to unblock us". The update is so that SE no longer even has to argue or even talk to you.
    – Magisch
    Commented Mar 30, 2016 at 6:09
  • 7
    Do you know who the legal entities behind this nonsense are well enough to send them warm fuzzy invites to courtrooms? I'd love to crowdfund some tame lawyers to kick some backsides in this space. Commented Mar 30, 2016 at 7:51
  • 3
    @TimPost, you seem to be conflating scraping & spamming. Spamming is illegal under statute law in most jurisdictions, & it is perfectly legitimate to take technical measures to reduce its occurrence. However, scraping may be legal. Some of the measures you describe appear to directly contradict the CC BY-SA 3.0 license under which you publish the content users have licensed to you: "You may not impose any effective technological measures on the Work that restrict the ability of a recipient of the Work from You to exercise the rights granted to that recipient under the terms of the License."
    – user136089
    Commented Apr 3, 2016 at 19:37
  • 6
    Congratulations to S.O. for taking steps against what has, in great part, tainted or poisoned online participation in sites like SO. These slimy big-data practices, a bulk by some of the big names online, need to be quashed at every turn. SO is well within its right and has complete support to block/drop offenders as it sees fit. This is the same type abuse of service that has rendered land-line telephone service a pay-to-be-annoyed proposition. Legislation to force offenders to compensate for the costs to protect against their abuse is the only way it will end. Commented Apr 19, 2016 at 16:34
  • 4
    @sampablokuper Hitting every profile route sequentially to see who might be using gravatar, or possibly used it in a past (through the web archive), in order to feed the hash to a rainbow table and produce a list of people ordered by rep isn't remixing and reusing, it's a blatant pattern of abuse. Even more jerkish - they often say we (Stack Overflow) gave them this info. I'd never dream of interfering with honest use of the site and any content it offers, but no one likes being covered in leeches after a swim.
    – user50049
    Commented Apr 19, 2016 at 18:42
  • 4
    @sampablokuper, I'm just curious; would you have advocated against the abolitionists for their activities against what were at the time fully legal business practices? I'm factually curious. Your argument is that since Tim Post's opinion may be found to be legally incorrect, he should withhold it? And since a court may find scraping to be legally defensible, and this TOS update may not be legally upheld in an imagined court battle, it should never have been made?
    – Wildcard
    Commented Apr 19, 2016 at 23:22
  • 5
    @sampablokuper: Got it, glad to hear that. I think the crux of the matter is the licensing status of user profiles. To echo your question from earlier, you do agree that if user profiles are not considered as "contributions" licensed under CC BY-SA 3.0, then Tim's actions here are perfectly legal and ethical, right? :) (Aside: I'm astonished that you evidently consider user profiles as user-contributed "Free Content." Right to privacy much?)
    – Wildcard
    Commented Apr 19, 2016 at 23:51
  • 3
    @Wildcard, no English dictionary is canonical. I won't engage with any particular dictionary's definition. Suffice it to say, a contribution is a thing that is given. Creating a user account on an SE site results in SE creating a generic profile page that contains stats and layout and other standard gubbins that is common to all SE profile pages. Users may optionally contribute additional information: e.g. give it to SE, Inc., under CC BY-SA 3.0, to publish on their profile page(s). Those contributions enrich SE and make it more interesting. In some cases, they may even make SE more useful.
    – user136089
    Commented Apr 20, 2016 at 0:30
  • 3
    @sampablokuper, why not post these views as an answer?
    – Wildcard
    Commented Apr 20, 2016 at 1:09
141

I'm sure this will be unpopular, however... I don't feel this is a good policy, nor a necessary one. Some key points:

  • Every job I've received, (day job or otherwise), in the last 4 years was due to someone finding me on Stack Overflow. Almost all of these have been casual, 1:1 situations where I answered a few of someone's questions and they decided to hire me.
  • Disallowing commercial usage of profile data, with user permission or not, will stop all legitimate relevant usage of Stack Overflow as a recruiting tool. This is an opt-in policy with no clear way to do so. Am I to put something at the bottom of my profile that says, "you may use this profile for commercial purposes"? Who would bother using Stack Overflow for this purpose if there would be 1 out of 10,000 developers that would do this?
  • Not everyone using profile data for commercial purposes is some giant disrespectful spammer. This proposed policy casts far to wide of a net. For example, if I have a small project that I'm working on and I see that a particular user has a lot of domain knowledge in what I need, I might check their profile to see if they've listed an e-mail address. If they have, I might e-mail them and ask if they are available. This isn't what most people call spam. This isn't disrespectful. This is how a community networks and helps each other out.
  • We can opt out today by simply not sharing information. There is no need for anything else. If you don't want someone to have your e-mail address, don't publish your e-mail address.
  • A policy won't prevent illegitimate usage. Spammers will ignore your policy and do whatever they want anyway. I understand that having more legal tools in the tool box may theoretically help, but the best way to stop someone from getting your information is to not make it available in the first place. Leave it up to the user to decide what to publish, as we can already do today.

Just in case I'm not stating my argument very well, let me clarify a bit more:

Under no circumstances will Subscriber use the Network or the Service to (a) send unsolicited e-mails…

Every e-mail to someone not suspecting it is unsolicited. According to your new terms of service, I can no longer e-mail anyone on Stack Overflow for any reason, commercial or not, unless they're expecting it in some way. What's the point of having an e-mail address field at all?

The changes only restrict a specific kind of commercial use of profile data that is scraped or copied from our site without the user’s permission.

Maybe that's your intent, but that's not how I read the new ToS change. There's very little specific about it. It applies to all commercial usage, which is a very broad net.

Why it’s bad:

  • It’s directly competing with our jobs business.

Your Jobs business is extremely expensive in some situations and not at all useful for small projects. If myself and 4 other engineers are always posting on the same related topics, and I want to e-mail one of them in relation to a short-term commercial project I'm working on, and they have willingly published their e-mail address, why shouldn't I be able to do that? If they don't want to be contacted they can either not reply, or not publish their info in the first place. Again, I've been on both sides of this, being hired and doing the hiring, and I've found it to be very beneficial. Almost everyone I've ever e-mailed replies... because I'm not spamming them, I'm sending relevant courteous e-mails from a real person. (Maybe ~5 times a year in total, not to the same person.) There is no way that a weekend project with less than $2,000 at stake is going to end up on Stack Overflow Jobs.

We believe that developers should have full control over how their personal information is used

You have already given us that full control by allowing us to choose what to publish.

In Summary

  • This new policy casts too wide of a net if you truly are going after the spammers in you outlined in your example.
  • Stack Overflow has a social aspect that will be damaged by this new policy.
  • A new policy is not needed as we can already control our personal information.
16
  • 21
    For your information, the part: Under no circumstances will Subscriber use the Network or the Service to (a) send unsolicited e-mails… is already present in the current ToS. The one you agreed to comply with. Also, you can specifically allow them to send you emails: [...] without explicit permission from [...] or the user.
    – wythagoras
    Commented Mar 27, 2016 at 6:35
  • 13
    Also, regarding: If you don't want someone to have your e-mail address, don't publish your e-mail address.. There are problems where people who didn't publish their e-mail address were mailed anyway, because the e-mail address can be found through Gravatar. See meta.stackexchange.com/questions/44717/…
    – wythagoras
    Commented Mar 27, 2016 at 6:41
  • 16
    @wythagoras According to the comments on the main post, Stack Exchange is providing no standardized way to provide explicit permission to allow someone to contact me. Therefore, no one will use it. Perhaps this can all be resolved by simply saying, "if you list your e-mail address as public, you agree that people can e-mail you".
    – Brad
    Commented Mar 27, 2016 at 6:54
  • 6
    Why doesn't a simple sentence in the About Me section satisfy?
    – wythagoras
    Commented Mar 27, 2016 at 6:56
  • 12
    @wythagoras I think that satisfies the requirements in the ToS, but not the usage in practice. Without some sort of standard opt-in checkbox or something that prompts users to choose to opt-in to share information, I think that almost nobody will add such a sentence. If almost nobody does, then I think that recruiters will stop using profile information as a source since they will almost never actually be able to use it.
    – Brad
    Commented Mar 27, 2016 at 6:59
  • 9
    Why do you presume that I would even want for SO to be used as a recruiting tool outside of the available normal channels? Contacting people via email even for a "small project" is already against the current ToS, and I would consider that spamming. I (and I assume the majority of devs here) do not use SO as a linked-in like way to get my name out. I don't believe there is a critical mass of people okay with that so that SO should allow it by default.
    – Magisch
    Commented Mar 30, 2016 at 9:19
  • 2
    The recruiters that are currently using SO profiles to aquire leads on candidates are imo all spammers and need to be dealt with harshly. SO is not and should not be used like linked in and especially not without my expressed consent.
    – Magisch
    Commented Mar 30, 2016 at 9:20
  • 16
    @Magisch That's your opinion and you already control your info. Don't publish your e-mail address. Nothing else needs to be done. Also, if you do ever receive an e-mail you think is spam, I bet your e-mail client has a spam button to help train your spam filter. I think you're wrong too about folks thinking all messages about jobs/projects are spam because almost all of the few people I've contacted have replied positively. Even if you were right about the broader audience not wanting to be contacted, the policy damages everyone and is too broad. Don't publish what you don't want out there.
    – Brad
    Commented Mar 30, 2016 at 16:20
  • 3
    This answer is obviously correct. SO is a advertising agency. It is nothing more than an ad agency. If you take every single quark composing every single being who founded, runs or works at SO, what you have is "advertising". Every single person at SO and every system at SO is "advertising". That's all it is. And theres nothing wrong with that. What's with the weird self-hate towards "spam" (aka "advertising").
    – Fattie
    Commented Apr 6, 2016 at 12:51
  • 3
    I see a big difference between "scraping" and personally going through profiles to see if someone matches a job need you have. If you send one email to someone you personally picked out why is that spam?
    – Betty Mock
    Commented Apr 21, 2016 at 15:47
  • For those considering emailing a single person or small group of people about a commercial opportunity, as you describe, it's not at all unreasonable to read his or her profile to see if consent was given. I am not a lawyer, but I'd argue that's not unsolicited and hence not prohibited by the ToS. Those who are emailing many people, to the point that it's inconvenient to read their profiles, are by definition bulk emailers. They are doing it wrong.
    – jerry
    Commented Apr 21, 2016 at 19:29
  • The OP's use of SO to communicate with other profiles is so obscure, and presumably rare that I don't think it warrants cancelling the new policy. It's a humanist thing (benefit to the most people etc.), and I'd argue you can use other sites to do the contacting you need to do.
    – Pete855217
    Commented Jun 20, 2016 at 16:29
  • @jerry The issue I'm getting at is that people won't provide consent for this. They won't even know about it. This is a policy change only, and doesn't provide a checkbox that says, "Yes, people can contact me." I would argue that the very fact that you're publicly sharing your e-mail address should be that consent. Sharing your e-mail address publicly is optional, and serves no other purpose other than to allow you to be contacted.
    – Brad
    Commented Jun 26, 2016 at 18:24
  • I think the idea is that they aren't going to use this to actively stop you from doing anything where you wouldn't have been actively stopped previously. They are going to use it to ignore the people who complain about being actively stopped from doing shady things. Is it against the ToS? I'm sure countless people smarter than me could argue just as convincingly for as against that. Is anyone going to put any effort into stopping you from doing what you describe in your answer? That is very unlikely. They're doing this to save man hours, not spend more. Commented Jan 6, 2017 at 5:32
  • 1
    +1, Brad's points are realistic and very compelling.
    – Joe R.
    Commented Jun 5, 2017 at 23:38
91

Thanks for the way this is brought to us! You really learned from previous posts with hard deadlines and lack of clarity.

A few points.

  1. I really think it is good to protect our content here. I receive numerous emails, LinkedIn requests, etc., some of them that seem to be related to what I post and share here.

  2. My bad

  3. I quote:

    without the explicit consent of the author of such Personal Profile Content or the explicit consent of Stack Exchange

    So that means SE can grant third parties access to the profile content. Can we make explicit what this profile content is? Which fields or pages are we talking about? Is there any sensitive information that could be shared? What has changed in that regard?

  4. Please remove 'minor' from the post title. It seems out of place here: either the subject is not important enough to be called 'major' or you think the change isn't that big. Both not true in my opinion.

11
  • 1
    re: 2: This is already 100% explicit. This is an amendment to the TOS, which already defines "Stack Exchange" as an alias of "Stack Exchange Inc.", which has been and AFAIK will remain the official company name.
    – Jeremy
    Commented Mar 24, 2016 at 20:54
  • 1
    The official name StackOverflow Inc. That adds to the confusion. Commented Mar 24, 2016 at 20:54
  • 19
    There has never been a "Stack Overflow Inc.". There used to be a "Stack Overflow Internet Services, Inc.", and there is now a "Stack Exchange Inc.". Their primary customer-facing brand name has changed back to Stack Overflow, but the company name is still "Stack Exchange Inc.", as is made clear by the footer of ever page. (If this is changed, I'm sure their lawyers can do a replace-all in the TOS, but that hasn't happened yet.)
    – Jeremy
    Commented Mar 24, 2016 at 20:56
  • 4
    That is not how I read it. Commented Mar 24, 2016 at 20:59
  • Removed that point though. Commented Mar 24, 2016 at 20:59
  • 5
    @PatrickHofman, 1) thanks for the kind words. Sometimes we learn slowly, but it's nice to confirm we're not too old to learn at all :)...
    – Jaydles Staff
    Commented Mar 24, 2016 at 21:03
  • 9
    3) This does NOT give us new rights to share more of your info than we had before. It simply makes it a violation to use some content without either our or your consent. But that doesn't give us the ability to grant consent in any way we couldn't before. And it has no bearing on non-public or sensitive info, which is still protected by the privacy policy.
    – Jaydles Staff
    Commented Mar 24, 2016 at 21:06
  • 8
    4) "Minor" was intended to convey that this essentially has no impact on users rights, unless they're running a scrape & spam business. Didn't want it to feel like you've got to figure out what happens to you, since it's nothing for almost everyone. You think it's undercutting the importance of stopping the harassment, or am I not hearing you there?
    – Jaydles Staff
    Commented Mar 24, 2016 at 21:09
  • Yes. It seems something is minor. It might be in the total ToS, but to some people it is important. Calling it minor makes it sound less important. Commented Mar 24, 2016 at 21:11
  • 1
    The actual change to the copy in the TOS is pretty minor (or, we're not rewriting it, adding a lot more too it, etc). That's what we wanted to convey there. The effects of the changes, however, make life much easier for us when it comes to dealing with these automatic programmer grocery stores that love to scrape your info. So in essence, the update is actually small (speaking only to size, not might, like mighty mouse)
    – user50049
    Commented Mar 25, 2016 at 6:02
  • 3
    @PatrickHofman The official name is still Stack Exchange, Inc. It is just the brand name that changed from Stack Exchange to Stack Overflow. See: meta.stackexchange.com/questions/270037/…
    – wythagoras
    Commented Mar 25, 2016 at 15:50
43

I do not understand this proposed change to the Terms of Service (ToS).

Stack Exchange cannot revoke Creative Commons licensing rights that have already been granted. Therefore, they cannot "un-license" any existing user profile web page content or other user-contributed content that has already been published under CC BY-SA.

However, that appears to be exactly the intention of this proposed ToS change. Hence my confusion.

In short, the intention seems to be to use the ToS to impose terms that directly contradict the license under which the data was published.

If I have misunderstood, please correct me.

If I haven't misunderstood, then the proposed new ToS amount to little more than an expression of vicarious licensor remorse, at least in the case of all existing profiles. By being inconsistent with the perpetual terms of the existing license, the new ToS would probably be unenforceable in this regard and therefore somewhat pointless.

26
  • 5
    @404, thanks for this. The new ToS should definitely be clearer about precisely which kinds of (new) contributions will be covered by the new provisions, so that SE users will be able to tell in advance which licensing terms any new content they license to SE will fall under. The new ToS should also be far clearer that published content pre-dating the new ToS remains under its existing license, regardless of whether it SE makes it available via the API or the websites or any other means.
    – user136089
    Commented Apr 3, 2016 at 1:33
  • 15
    @sampablokuper, you've misunderstood. The terms apply legal requirements to use of the site, not the content. Think of it like this: If a book is in the public domain, you can reasonably copy it, reproduce its words, take photos of every page in it and sell them as art, etc. And a library that has that book can't change the books license. But it can have a "no photographs" policy that visitors must agree to. And if you violate it by taking photos of public domain books, they can pretty surely stop you from profiting by selling those photos, charging others to see them etc.
    – Jaydles Staff
    Commented Apr 4, 2016 at 12:51
  • 8
    @Jaydles, I don't think that's a valid analogy, primarily because the material under contention isn't public domain, it's under CC BY-SA 3.0, which has very different effects. See the CC BY-SA 3.0 human-readable summary: "You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits."
    – user136089
    Commented Apr 4, 2016 at 18:49
  • @sampablokuper, okay, let's stick with CC-SA then. Are you suggesting that if the library contains CC-SA materials, they couldn't enforce the rules above?
    – Jaydles Staff
    Commented Apr 4, 2016 at 19:03
  • 4
    @Jaydles, I'm not sure what CC-SA is, but I assume you mean CC BY-SA 3.0. The terms of CC BY-SA 3.0 are pretty clear about what licensees are allowed to do in relation to material they receive under that license. If you want to speculate on the licence's implications for "no photos" policies in libraries, then you're welcome to, but I'm also not going to participate in your reasoning by analogy, because the analogy is irrelevant. My "answer" isn't about libraries or "no photo" policies, it's about SE and the licenses and terms applicable therein.
    – user136089
    Commented Apr 4, 2016 at 19:18
  • 1
    @sampablokuper - Are you certain that user profile data & personal information is published under CC-BY-SA?
    – Robotnik
    Commented Apr 5, 2016 at 17:22
  • 8
    @Robotnik, here's your profile page, which contains information that you, as a user of the Stack Exchange service, have contributed. At the bottom of that page, you will find the text "user contributions licensed under cc by-sa 3.0 with attribution required".
    – user136089
    Commented Apr 5, 2016 at 17:36
  • 2
    My other question is: what license will the dumps be under? Will the profiles be dumped at all?
    – Nemo
    Commented Apr 7, 2016 at 6:38
  • 2
    @sampablokuper All copyright licences provide protection for the specific embodiment of the idea. If you burn a painting and the artist paints a new one different in even the smallest detail he gets to pick the new licence type he wants to use for the new painting. The same will hold for member data. Adding some forced capitals or punctuation might be enough. Also copyrighting data is contentious enough and I think a users name cannot be directly equated with a posting (his bio might be) and as such should be afforded personal privacy measures unless user means otherwise and not CC BY-SA.
    – KalleMP
    Commented Apr 19, 2016 at 21:24
  • 1
    What I am trying to say is that delete the users data and have them republish under new licence. Change the field captions and variables if it will help but I don't think it is possible to CC a user name and as such I don't think CC can waive decency limits on the use of personal data that is displayed on a web form (laid out page) unless it is a published collection perhaps. Not a lawyer, just irritated by need for so much hoo haa.
    – KalleMP
    Commented Apr 19, 2016 at 21:29
  • 1
    "What I am trying to say is that delete the users data..." There are two things wrong with this. (1) It would mean starting (those parts of) all Stack Exchange sites over from scratch, which I don't think (m)any users would tolerate. (2) Anyone who had already legitimately received copies of the data under the terms of CC BY-SA 3.0 would still be able to retain that data and to re-use and redistribute it according to the terms of that license, in perpetuity.
    – user136089
    Commented Apr 19, 2016 at 22:57
  • 1
    @sampablokuper, regarding point (2) in the above comment—who really cares? If they already got the data, they're welcome to it. That doesn't allow them to run a scraping business anyway, because for that they need fresh data. Regarding license changes, regardless of the license, the original author of a work can create a new copy under any license he likes. He may not be able to prevent people from using the older copy under the terms of the original license, but he doesn't have to give them access to the new copy, even if it's identical.
    – Wildcard
    Commented Apr 19, 2016 at 23:38
  • 1
    @Wildcard, "If they already got the data, they're welcome to it." I don't think that this view is universally shared. In particular, I think KalleMP disagrees with it. KalleMP seemed to think that deleting a contribution from SE would rightly render it inaccessible to everyone, unless it was re-created by its original contributor: hence the example of burning a painting. (N.B. My perspective is different to KalleMP's.) "[The] original author of a work can create a new copy under any license he likes." Yes, of course. I've never suggested otherwise.
    – user136089
    Commented Apr 20, 2016 at 0:15
  • 1
    Data cannot be copyrighted, at least not in USA. Most of the content on profiles is data. So it is not under CC-BY-SA license. I think that is the content SE wants to protect from spammers. Your free-form essays about yourself probably they can leave to be scrapped, if that is what you care about?
    – Mitar
    Commented Apr 20, 2016 at 1:13
  • 5
    @Mitar, "Data cannot be copyrighted, at least not in USA." Citation needed ;)
    – user136089
    Commented Apr 20, 2016 at 11:55
29

Small suggestion for the text:

Under no circumstances will Subscriber use the Network or the Service to [...] person, or (d) knowingly post any false, inaccurate or incomplete material, or (e) copy, download, or scrape any Personal Profile Content for the purpose of [...]

Emphasis mine and also left out two pieces denoted by [...].

I suggest to remove the emphasized or. Between (a), (b) and (c) there are only commas. The word or is absent there. Therefore it is inconsistent to have this between part (c) and (d), because now part (e) was added. (In the current ToS, this part is present, just without part (e))

Disclaimer: I am not a lawyer and this is not legal advice, nor has it ever been legal advice.


However, I think that this update is a very good idea, even though I have never had any such emails. I've seen several meta posts complaining about emails.

23

Key point here:

Additionally, no Profile Content, including API Profile Content, may be used in any way that implies a user is affiliated with, signs up for, or is in any way associated with a third party without explicit permission from Stack Exchange or the user.

In other words, Stack Exchange takes upon itself the burden of associating my account with American Society for the Promotion of Elf Welfare (ASPEW) or PETA or Boston Lockpickers' Guild without my knowledge or permission.

I'm sure I don't want that to happen.


Another point worth making: the linked post (Recruiter claims to have gotten my email address from Stack Overflow) and answers thereto specifically state that the e-mail address wasn't scraped from Stack Overflow Profiles. I'm baffled why it is quoted as the reason for ToS change.

12
  • This is more or less my point 3. SE has the power itself to allow access to it, but it isn't quite explicit what it is. If it is just the public profile info available to everyone (as it is to Google), it doesn't matter that much. Else it should be clarified. Commented Mar 25, 2016 at 8:31
  • 1
    Did you read the answer by Joel Spolsky on that question? It explains why it is related to this change.
    – animuson StaffMod
    Commented Mar 25, 2016 at 12:44
  • 26
    There's actually a misunderstanding here. The language here does NOT give us the right to grant the National Phrenology Consortium the ability to claim you belong to it. It simply states that without permission from either you or us, it's definitively a violation. We still can't grant them rights we don't have in the first place.
    – Jaydles Staff
    Commented Mar 25, 2016 at 12:58
  • @animuson - it is an inference, but not a proof (or sufficiently large chunk of a proof). Commented Mar 25, 2016 at 12:59
  • 6
    @Jaydles - would be nice if that piece could be made clearer. Commented Mar 25, 2016 at 13:01
  • 6
    @Jaydles That's probably true, but Deer Hunter is right that the language can sound that way. Or is there some other part of the ToS that says nay?
    – E.P.
    Commented Mar 25, 2016 at 16:19
  • 3
    @E.P., deer hunter, not sure how widespread that confusion might be, but I edited in a clarification in case. Thanks for highlighting.
    – Jaydles Staff
    Commented Mar 25, 2016 at 19:29
  • 2
    @Jaydles - the whole change looks like a futile albeit quixotic endeavor. You can't ban Google Cache, and scrapers can access cached profile versions. I'm not sure if you're apportioning the blame correctly. I've seen a few complaints in chat rooms that users' old profile e-mails are being spammed. There's still a possibility that somebody is quietly selling addresses, maybe a disgruntled underpaid employee at three letter outfits whom you've supplied with the full database under a gag order... Commented Mar 26, 2016 at 20:49
  • 5
    @DeerHunter "You can't ban Google Cache" - actually we can. I'm not sure what we'll do here (and haven't discussed it with anyone), I'm just clarifying our abilities from a technical standpoint. There's a "noarchive" directive for exactly this purpose, it looks like this: <meta name="robots" content="noarchive">. I'll bring it up Monday with Jay and the team working on this as an option.
    – Nick Craver Mod
    Commented Mar 27, 2016 at 18:15
  • @nick any feedback on the discussion on Monday? Commented Apr 3, 2016 at 21:39
  • @Jaydles Just to be clear as I'm no lawyer. Doesn't the or imply that if SO wanted to they could release the info. Shouldn't it be an and so the user must sign off/be involved on the release also? This would truly involve the user and give them power to protect their data.
    – Dan
    Commented Apr 19, 2016 at 16:07
  • @NickCraver that "noarchive" option should be a last resort. It blocks the practical access to archive data and threads in the case of down time or future perma-link changes. I know of sites that have gone dark are gone for good because they used that option carelessly thinking that the competition cared about their old webpage layout.
    – KalleMP
    Commented Apr 19, 2016 at 20:11
23

Under no circumstances will Subscriber use the Network or the Service to [...] (d) knowingly post any false, inaccurate or incomplete material

Does this mean that it's now technically against the terms of service to post an not-fully-complete response to an answer, even if it's helpful? Obviously that's not the intent of that statement, but as written it looks like that's disallowed.

2
  • 4
    I think this has been part of the ToS for a while. (At least it was brought up on the Hint paradise of Mathematics before this change.)
    – user642796
    Commented Apr 19, 2016 at 17:40
  • 5
    For instance, this incomplete comment would be against the terms of servi
    – M. Justin
    Commented Jun 7, 2017 at 21:38
15

So what if I do not agree with the new Terms of Service? The current ToS provisions state:

Use of the Services by Subscriber following such modification constitutes Subscriber's acceptance of the terms and conditions of this Agreement as modified.

where Services is defined via:

Please read these terms of service (“Agreement”) carefully before using the Network or any services provided on the Network (collectively, “Services”).

If I am not mistaken, then the act of reading the new Terms and Conditions already constitutes use of the Network. Therefore, the Terms and Conditions require me to agree to the changes before I can read what the changes are.

Am I misinterpreting this policy? Or can this policy be clarified to allow disagreeing with Terms of Service, such as by opting out of sites for which I do not agree?

Alternatively, we can have 30 days' notice before the new ToS comes into effect.

10
  • 9
    You're mistaken. If you don't agree, stop using the sites. Commented Apr 19, 2016 at 18:36
  • I think that is the main purpose of a ToS.
    – eQ19
    Commented Apr 20, 2016 at 17:54
  • @NathanTuggy I think I will agree; that's why I'm using SE right now. However, if there's a change, there's no way for me to know without agreeing to the new ToS.
    – Alex
    Commented Apr 21, 2016 at 1:23
  • 3
    Also, note that this post was first featured a solid 25 days before being implemented. That's not exactly 30 days' notice, but it's awfully close. Commented Apr 21, 2016 at 1:26
  • @NathanTuggy How would I know it was featured 25 days? It showed up in my message center already after it went live...
    – Alex
    Commented May 4, 2016 at 13:21
  • @Alex: So, during those 25 days, you never looked at the Community Bulletin prominently displayed on every single site? Commented May 4, 2016 at 18:26
  • @NathanTuggy Sorry, where is it displayed? I think if I saw the Community Bulletin, then I probably would have never made this post... Too bad I don't remember it from newbie tutorial...
    – Alex
    Commented May 21, 2016 at 16:27
  • @Alex: Yes, featured posts are displayed at the top of the Community Bulletin with a separate header. Commented May 21, 2016 at 18:46
  • 1
    @NathanTuggy I think you're not understanding what I'm asking. I asked you where the Community Bulletin was located.
    – Alex
    Commented May 21, 2016 at 19:38
  • @Alex Ah, sorry. It's at the top of the right sidebar on most pages. Commented May 21, 2016 at 19:47
13

SE's TOS should also explain how to report abuses of user profiles, and that could be done in the edit suggested in this question. The only use of noun "report" on that page is about reporting abuses to the "Digital Millennium Copyright Act".

As a minimal edit, I suggest that that page could link to A site (or scraper) is copying content from Stack Exchange. What should I do?, or to another relevant page.

The standard "attribution required" page also doesn't explain how to report abuses.

9
  • 1
    I think that is not a part of the ToS. It is a follow up on how we work here, which is not the goal of the ToS. Commented Mar 30, 2016 at 8:37
  • 1
    @Patrick Hofman: If it should not be in the ToS, where do you suggest reporting could be explained ? Commented Mar 30, 2016 at 8:39
  • 1
    The help center? The FAQ? Commented Mar 30, 2016 at 8:39
  • 1
    At least not the FAQ which currently redirects to the newbye's tour: because it starts with things only newbies do not know very well; people wanting to report abuses are no more newbies. Commented Mar 30, 2016 at 8:44
  • 1
    What about these? meta.stackexchange.com/questions/tagged/faq Commented Mar 30, 2016 at 8:49
  • 1
    I would personnaly not have searched for that info in meta (and I did not know about the keyword faq), because it is like asking to talk to god or to santa. My bad. Commented Mar 30, 2016 at 9:00
  • 1
    I will switch my edit suggestion to the help center. And delete that answer after a day. Commented Mar 30, 2016 at 9:01
  • 1
    Ahh... This is a provocation! Internet is from all of as. And stackoverflow is on time, and that's worth..
    – GJ.
    Commented Apr 19, 2016 at 21:46
  • 1
    I miss a chapter like What do users have to do?, somehow it's not clear
    – basZero
    Commented Apr 20, 2016 at 6:36

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .