new terms of use in effect - "More information" blog post
Posted September 22nd, 2012 - 9:11 am by from Paris, France (Permalink)
Despite the harsh criticism from users, Germany's Commissioner for Data Protection and the media, the new terms of use and privacy policy replaced the previous ones on the website late September 21st, 2012, California time.

Meredith Hutcheson, Communications & Community Manager at CouchSurfing, has published a blog post to which I have responded with the questions I will post separately.


http://www.couchsurfing.org/news/cs-organization/more-information-on-our-new-privacy-policy-and-terms-of-use


"CS Organization


More information on our new Privacy Policy and Terms of Use


Sep 21, 2012 by Meredith Hutcheson - 9 Comments


Recently, we announced that we’re updating our Privacy Policy and Terms of Use to bring them up to date with our new services, such as the mobile apps, and US privacy law. Since then, we’ve seen that, of members who have concerns, many of them are centered around the same topics. Privacy is very important to us, and we recognize that policies like these have a lot of information to wade through.


The primary comments and concerns that we’ve received are about our license to use member data. After discussing this with many community members, it’s clear that it’s necessary to provide some more clarity on what the license does, how it’s limited, and how we can and can’t use data.


Our license provides us:


1. The right to use content for our services


The top question by far is about why we have the type of license that we do, as mentioned in our Terms of Use. Licenses are standard legal terms that are needed for a company such as ours to do things like display member content on our website, www.couchsurfing.com, and store it on our servers. Members own and continue to own all of the information they upload to the website. Therefore, in order to display that content to other people (for example, a member profile page), we need permission to do so. That’s what this license accomplishes.


2. The ability to retain data for safety purposes


Although the wording of our license is not uncommon, it differs from some others. The reason for this is that, being a unique type of community, we have different needs from most other websites. For example, it is our policy that members can only have one profile, ever, to be sure that people stand by the reputation they build. When a repeat profile is reported to us, we are only able to verify that information by checking against deleted data. Having the broad member license allows us to do this to support the integrity of our reputation system. This isn’t a need that many websites have.


3. A broad platform to innovate


Another unique aspect of CouchSurfing, which anyone who’s been around for a bit knows all too well, is that we have a backlog of years’ worth of great ideas from the community that we have yet to implement. We’re expanding our team, moving faster, and want to get new things out there. Our plan changes all the time as we assess the community’s interests and our own capabilities. We want to be able to do something as big as rideshare or as small as a hosting calendar — whatever would be the best thing at the time — without needing to go through a new legal process each time.


Our privacy policies, and the legal system they operate within, limit our use of your information to protect your privacy:


That said, it is important to note that this member license does not mean that we can do whatever we want with member information. We are very committed to protecting member privacy, and our stance on user protection and experience has not changed. It’s important to understand that our use of your information is constrained by our Privacy Policy, and also by US privacy law.


Participation in the EU-US Safe Harbor Privacy Principles


We have now also finished the process required to participate in the EU-US Safe Harbor Privacy Principles. This optional step holds us legally responsible to the guiding principles of the European Data Protection Directive. Although it would be impossible for us to take similar steps in every country where we have members, the EU is well known for having very well-developed privacy law. We are applying these principles across the board, even to members in other regions of the world.


Your data is not for sale


As a result of these different layers of compliance and interaction between our policies, it is easy to reach the conclusion that we can use individual data far more freely than we actually can. A few clarifications on what is and is not legally possible:




We have committed in our Privacy Policy not to sell or transfer individual data to advertisers or marketers without first notifying members and allowing them to opt out. Different regulatory agencies in the US and Europe hold us legally responsible for upholding our policy. We think it would be ethically wrong for us to sell or transfer your data to advertisers or similar commercial interests without your knowledge, which is why we’ve made this commitment.




We can’t use your individual data for our own or others’ promotional/marketing without giving you the tools and options to control that. For example, at some points we may want to send you marketing emails. And in the past, we have featured members’ photos on the homepage. For uses like that, which may be considered promotional, we will give you the tools to control that. For any use outside of our services (such as if we decided to advertise CouchSurfing on other websites) we would need your express consent.




We can transfer your data to third parties who help us provide our services. For example, if you get verified, we transfer your address to the company that sends our verification postcards. Or if you buy a CouchSurfing T-shirt, you do that using our gear shop partner. When this happens, these third parties have signed agreements to safeguard your data, and not to use it for any other purpose or share it with anyone else.




We can share anonymized, amalgamated data with third parties. For example, we’ve worked in the past with researchers who investigated the development of trust amongst strangers; for their work, we shared anonymized information about member behavior.


Designed for transparency


These policies have been in the works for over six months; or, around the time we began developing our mobile apps. The new platforms meant that an update was necessary. Our legal team, working with many advisors, took the opportunity to give both policies a full and detailed evaluation to be sure that we included everything that we should.


It is crucial that these policies be as detailed as possible so that individuals can choose their own comfort level in regards to their online behavior.


At the same time, we recognize that it’s a lot of information to go over and digest. If you have questions, please feel free to contact us."

Posted September 22nd, 2012 - 9:13 am by from Paris, France (Permalink)
My questions to Meredith Hutcheson/CouchSurfing:


"Thanks for communicating on these important issues, Meredith. As they say, better late than never.

What you have written above leaves several questions, among others because it seems to conflict with the written terms of use.




1. Is what you have a) written above, b) replied to comments, the official, binding CS position, or just your personal opinion?




2. In case of conflict between what you are writing here and the official terms of use and privacy policy, which prevails?




3. I would have thought that the extra week from September 14th to 21st which CS gave itself to put the terms of use into effect would be used to get things right, but it looks like another rushed job. Could you please actually link to the current privacy policy from the terms of use since at 10 a.m. Paris time September 22nd, 2012, that link returns the following message: "Hmm... Nope! That page ain't here! I bet you're all "Whatever!" I am too." No, I am not "whatever". I am just shaking my head at how unprofessional CouchSurfing International, Inc. is when it comes to such important and controversial issues. The same reason why it is so difficult for many to trust that company, with their data and otherwise.




4. I understand "We have now also finished the process required to participate in the EU-US Safe Harbor Privacy Principles." to mean that as of 9/21/2012 CouchSurfing adheres to these principles. Is this correct and has this been achieved through a self-assessment to verify that it complies with these principles, or through a third-party which has performed the assessment?




5. Are you certain that the entire terms of use and privacy policy comply with the Safe Harbor Privacy Principles, and if they didn't, would Safe Harbor prevail, and the terms of use and CS policies be made compliant?




6. The Safe Harbor Principles stipulate that "Data must be relevant and reliable for the purpose it was collected for.". CouchSurfing collects extensive data which does not all seem relevant and reliable for the purpose of providing the services. One such example is the tracking of the last login location of users, about which CouchSurfing states: "While this works for the vast majority of members, some Internet Service Providers will provide inaccurate data that show an inaccurate login location. This could be the nearest large city, or someplace completely unrelated to the person's actual location. Unfortunately this is due to the ISP's settings and we can't prevent it from happening from time to time." Will you cease such data collection and publication in order to fully comply with the Safe Harbor Principles?




7. How can I access the complete information held about me, and correct or delete it if it is inaccurate, as required by the Safe Harbor Principles?




8. Certification requires ensuring that appropriate employee training and an effective dispute mechanism are in place. What employee training and dispute mechanism are in place at CouchSurfing International, Inc.?




9. You said "For uses like that, which may be considered promotional, we will give you the tools to control that.". Where can I find these tools?




10. On September 13th, in his press release at http://www.bfdi.bund.de/DE/Oeffentlichkeitsarbeit/Pressemitteilungen/2012/18_CouchSurfing.html?nn=408920, Germany's Commissioner for Data Protection harshly criticized the CS terms of use and privacy policy and filed a complaint with the U.S. Federal Trade Commission, saying "The changes are unacceptable. They would not be permissible under German and European data protection law. Users are forced by the new terms of use to waive all control over their data if they want to continue to use the services.". Why did CS decide to put these terms and policies into effect anyway?




11. Will CS agree to adapt its written notification policy and to notify users of all future changes, clearly identifying what the changes are rather than force users to read the entire terms of use and policies to detect any changes hidden in them, knowing that the vast majority of users won't be able to do so?




12. Will you provide foreign language versions of the terms of use and privacy policy, at least in German, French and Spanish, for the hundreds of thousands of users who lack the (legal) English language skills required to understand what they are agreeing with?




One final question: Do you have to force CS members to open an account on another website in order to communicate with you or would it be possible to communicate with you on this and other topics logged in as a member of CouchSurfing?"

Posted September 22nd, 2012 - 11:49 am by from Paris, France (Permalink)
My above questions (and 13 other comments) were removed from the blog by CouchSurfing.

Could someone please repost them?

Post removed.
This post has been removed by an administrator.

Deleted Post - Reason: Spam
Posted September 22nd, 2012 - 3:49 pm from Paris, France
This member profile has been deactivated

Posted September 22nd, 2012 - 5:30 pm by from Paris, France (Permalink)
"What questions were removed? Can you provide a link to them?

For the future, it might be a good idea to post such crucial information
also on some other web page and provide a link to it on several
discussion groups in C$ portal. This way you will make censorship more
difficult."


Which part of "My above questions" is hard to understand?
If I posted them here, that was also to make censorship more difficult as hundreds of group members will have received an email copy.

Since nobody else reposted to the blog, I ended up creating a Yahoo account and reposting the questions myself an hour ago, and now we will have to see how long they remain there and if they will eventually receive an answer.

The link to the blog is http://www.couchsurfing.org/news/cs-organization/more-information-on-our-new-privacy-policy-and-terms-of-use. It is at the bottom right of every group page at the moment.

Post removed.
This post has been removed by an administrator.

Deleted Post - Reason: Spam
Posted September 23rd, 2012 - 10:46 am by from Paris, France (Permalink)
To my knowledge the terms delayed to September 21st are identical to those planned for September 14th. The only difference is that before they linked to the privacy policy, and now they link to an error message, which probably makes the whole new terms of use even more non-binding...

Posted September 23rd, 2012 - 4:39 pm by from Florence, Italy (Permalink)
there is just a small difference in the privacy policy, that is said _will_be_ certified safe harbour.
but that one is not the one that is under scrutiny.
the complaint mostly are on 5.3 of ToU ....

Posted September 23rd, 2012 - 8:44 pm by from Paris, France (Permalink)
Here's Meredith's reply to my questions:


"I will try to answer in brief. First: no comments have been deleted.
I've emailed the team to ask if there could be a bug of some kind,
because we strictly do not censor comments (unless they are spam).


1. The above post has been checked by our lawyers. My comments have not
been, but they are as official as it gets outside of legally binding
statements.


2. Obviously a spokesperson's remarks do not override legal documents, at any company, ever.


3. Not sure what's going on there. I can report it as a bug. There are
many reasons we're switching our website's code base, and one of them is
that no one on the outreach team can directly edit text or links on the
website.


4. We submitted our paperwork to the US Department of Commerce on Thursday. You can learn more here: http://export.gov/safeharbor/index.asp It is a self-assessment but it is legally binding.


5. Our lawyers have spent several months on this process, and in their
estimation, we are compliant. Having formally opted in, we're now
legally responsible to uphold those principles.


6, 7, 8. You're welcome to contact the legal team via the contact form on the site for specific questions.


9. Under your privacy settings, you can use "Disable informational
updates?" to opt out of non-system messages from CS. You can use "Only
seen by members" to do just that. At the moment we don't have any other
use cases; if we did, then privacy settings would be developed to go
along with them.


10. I think the post above addresses this question.


11. We are required by law to notify members of 'material changes'.
Although that definition can vary, we've committed to notifying members
if any change impacts how data is used.


12. Unfortunately, no. Translating a legal document is not just a matter
of translating the language, it's a matter of translating the law. Most
websites that are based in only one country provide their TOU in only
their native language for this reason. However, we are getting
translations of the post above in French, German, and Spanish; those
will hopefully be available early next week.


Last - This blog is brand new and my coworker is still working on it.
One of the things that I've been very clear with him about is the need
for a better commenting system. He's working on it, but in the meantime
some commenting is better than no commenting.


Meredith"


and the response which I posted (but again cannot see):


"Thanks for your response, Meredith. I was only able to view it 21 hours
later, and the same goes for everyone I asked and who had not posted to
the blog. The only way to view my original comment, and your replies to
any comment, is by being logged in via Facebook. Even logged into
Yahoo, which I used to repost the post gone missing, I cannot see the
very post I made via Yahoo, nor obviously the responses. And this is the
same in Firefox, Chrome and IE. Perhaps this helps your tech people
figure out a solution to the problem beyond the one that people cannot
see their posts nor the replies even when they went through the trouble
of creating accounts on third party websites. Now to the main points:


I realize that much of this discussion doesn’t have any real value,
because as you say none of it is legally binding and therefore only the
interpretation of the terms and policies by a competent court would
provide useful answers to most. But at least people may become aware of
some of the various questions and concerns.


1. and 2. I take that response to mean that they would need to check
with a lawyer if they wanted to have a more reliable answer. Fair
enough. I believe, though, that if the terms of use need to be
explained, that explanation should be part of the terms of use
themselves.


3. I find it worrying that nobody proof reads such an important document
and that 48 hours later, and more than 24 hours after the problem has
been pointed out, the link to the privacy policy is still missing. My
interpretation is that at the moment the changes to the terms of use and
privacy policy are invalid, as if they had not been made. Your response
does not reassure me that CS can be trusted to get important things
right.


9. CouchSurfing uses members for the several purposes which could be
considered promotional. Two of these are the regular “Some couchsurfers
looking for a host in …” email messages and the publication of activity
attendee list on the internet. What are the tools for posting an Open
Couch Request and for officially participating in a CS activity without
being used by CS for these additional purposes?


10. You seem to believe that opting into the Safe Harbor Principles
addresses all concerns. However, the Safe Harbor Principles are mainly
designed to prevent accidental information disclosure or loss. They do
not address the unrestricted waivers and licenses requested in the terms
of use, way beyond what is required to provide the services, which has
been criticized by many, including Germany’s commissioner for data
protection.


11. What law precisely requires you to notify members of 'material
changes’? U.S. Federal law? California law? Can you provide a reference,
please, so that we can see how this notification needs to occur? By
changing the date on the document, as written in the privacy policy
which was linked from the terms of use until September 21st, or by
having users agree to the changes on login?


12. Can you see how translating your non-binding interpretation of the
terms of use but not the terms of use themselves, which are all that
counts, can be problematic? If you are not translating the terms of use
and privacy policy into the same languages, I would recommend not
translating your non-binding interpretation, which in case of conflict
would be superseded by the written terms, either.


Thanks for your time. I’ll try to get answers to questions 5, 6, 7 and 8 from the Legal department.


As a final comment: I don’t understand why CouchSurfing, which is based
on what mostly volunteers have created while it was a non-profit
organization before it was taken away from the community under very
obscure circumstances and which still today lives on trust, would write
terms of use which in terms of unrestricted content licenses and waivers
go way beyond what even companies like Google and Facebook ask for, for
the sole purpose of providing their services. If the reason is that CS
really has no clue where it is heading and it is desperate to have all
imaginable situations covered, just in case, this still doesn’t seem
like a good way to deal with the issue. A better approach would seem to
be to ask what is needed to provide the intended services, and ask for
more only if it is actually needed. This just makes CouchSurfing look
very bad, worse than any other website out there, including the
greediest ones."

Posted September 25th, 2012 - 1:23 pm by from Paris, France (Permalink)
Still no privacy policy linked from the terms of use. At this point I must assume intent. Not very compliant with anything.


An interesting comment on the blog 4 hours ago:

"Hi Meredith,

I've looked up CS's Safe Harbor certification: http://safeharbor.export.gov/companyinfo.aspx?id=16408.

I found a couple points of it interesting, and was wondering how CS responds to these points?

1. Do You Agree to Cooperate and Comply with the EU and/or Swiss Data Protection Authorities? No

If you are not agreeing to cooperate and comply with EU or Swiss DPAs,
then who is to enforce your participation and liability for Safe Harbor
principles?

2. Regulated By: Federal Trade Commission.

I decided to partially answer #1 above. The FTC is not truly going to
hold you accountable for EU regulations. You've essentially created a
Safe Harbor "certification" with no teeth. If you don't comply, no one
will hold you to it -- that is to say, I don't trust the FTC to hold you
to it and the EU/Swiss DPAs cannot since
you don't agree to comply/cooperate.

3. Please read this question as I am not discussing (AFAIK) a previous
issue with German authorities :) How does CS respond to the point raised
by the German DPAs regarding Safe Harbor Self-Certification: "The
Düsseldorfer Kreis has maintained that, as a result, corporations can no
longer take a US organization’s Safe Harbor self-certification as
conclusive proof of adequate protection of personal data."
http://www.martindale.com/internet-e-commerce/article_Duane-Morris_1044558.htm.

I've chosen to post this as a comment rather than send it privately to
CS legal as I believe that the questions above about the legitimacy and
enforceability of the Safe Harbor certification are relevant to the
community, and I think the questions need to be answered publicly, since
CS is touting that Safe Harbor Self-Certification is a legally-binding
way to assure data protection and privacy.

I look forward to your answers."

Posted September 25th, 2012 - 9:29 pm from Aachen, Germany
This member profile has been deactivated

Post removed.
This post has been removed by an administrator.

Deleted Post - Reason: Spam
Posted September 29th, 2012 - 11:48 am by from Issy-les-Moulineaux, France (Permalink)
The arrival of serious new players may be a bit of an explanation of all this mess; although greediness is always around...

https://www.tripping.com/about/ourteam
http://www.crunchbase.com/person/jen-oneal

Posted September 29th, 2012 - 9:50 pm by from Florence, Italy (Permalink)
we should also note that the "certification" applies to privacy policy, while most concerns were on ToU .....

Posted October 1st, 2012 - 7:34 am by from Paris, France (Permalink)
It has been a week since I sent these questions to the CS legal department:

"Regarding the changes to the terms of use and the privacy policy, as well as the blog post intended to explain them, I have the following questions:

1. The Safe Harbor Principles stipulate that "Data must be relevant and reliable for the purpose it was collected for.". CouchSurfing collects extensive data which does not all seem relevant and reliable for the purpose of providing the services. One such example is the tracking of the last login location of users, about which CouchSurfing states:

"While this works for the vast majority of members, some Internet Service Providers will provide inaccurate data that show an inaccurate login location. This could be the nearest large city, or someplace completely unrelated to the person's actual location. Unfortunately this is due to the ISP's settings and we can't prevent it from happening from time to time." Will you cease such data collection and publication in order to fully comply with the Safe Harbor Principles?

2. How can I access the complete information held about me, and correct or delete it if it is inaccurate, as required by the Safe Harbor Principles?

3. Certification requires ensuring that appropriate employee training and an effective dispute mechanism are in place. What employee training and dispute mechanism are in place at CouchSurfing International, Inc.?

4. CouchSurfing uses members for the several purposes which could be considered promotional. Two of these are the regular “Some couchsurfers looking for a host in …” email messages and the publication of activity attendee list on the internet. What are the tools for posting an Open Couch Request and for officially participating in a CS activity without being used by CS for these additional purposes?

5. There seems to be a contradiction between the privacy policy and statements made by Meredith: What law precisely requires you to notify members of 'material changes’? U.S. Federal law? California law? Can you provide a reference, please, so that we can see how this notification needs to occur? By changing the date on the document, as written in the privacy policy which was linked from the terms of use until September 21st, or by having users agree to the changes on login?

I look forward to your reply. Thank you for your time, ..."

And it has been 10 days since the missing link to the Privacy Policies has been pointed out. They don't seem to have good answers or believe the Privacy Policy is not important. The court will know to appreciate that when these terms and policies are challenged.

Post removed.
Posted October 1st, 2012 - 7:54 am by from Paris, France (Permalink)
This post has been removed by the user.

Deleted Post
Posted September 22nd, 2012 - 11:30 am by from Florence, Italy (Permalink)
I put some more question, but first two observations:
Privacy policy refer only to data that you submit to CS at registration, or that are collected by them, and is well known that except for verified members, can be completely unreliable.
The Safe harbour certification (could be that is traveling, but anyway is not there now) is NOT listed in the official list of department of commerce where CS site point.
The most controversial point is 5.3.
if it is as the spokesperson says, why they do not make 5.3 symmetrical to 7 , that is removing from 5.3 "irrevocable" and changing "any purpose" with "the intended purposes" ?
This would not change anything if their intention would be really what she wrote and would make happy many people.

There is only one thing that could be controversial:
use of data in couch request and couch description to form a public calendar: the calendar if public should be "fed" by the member, not automatically.

incidentally: The new tou, with the "any", would render invalid the "group only" label on groups, since they would have the license to change it to public at any time.
same for private correspondence.


What happens to that personal content (i have in my mind the idea of a specific one, i leave to CS lawyers to found what is) that was legally posted according the old ToU (without the "any") and now (with the "any") would not be longer legal to be posted and kept (since the poster had the right to post publicly only for certain purposes)?
(could be set a clause on ToU that say that the ToU that can be applied are the ones in effect at the date of posting a content)

Posted October 1st, 2012 - 10:46 am by from London, England (Permalink)
I just found out yesterday and find it creepy.
Does this mean there is no way out?
How can I delete my profile permanently? I am an active user, currently hosting 3 people but I rather change to a website under German law.

And where do I sign to collaborate against these crazy laws?

Thanks for the battling and the updates :)
This should go hard on the news - Facebook is just socializing but here we go far more personal and full profiles are needed - however how can we create full profiles if the information will be sold out?


Posted October 1st, 2012 - 11:26 am by from Paris, France (Permalink)
You cannot delete your CS account and content, only deactivate it.

The petition against the terms of use is here:

http://www.couchsurfing.org/group_read.html?gid=45507&post=13172828

The most democratic, user friendly hospitality website for most is www.BeWelcome.org (French non-profit laws).