Hi ! I am seeking opinions on the terms of service for Taguette (free/open source qualitative analysis tool)

We have a hosted version of Taguette that people can use for free and I took a crack at writing TOS for that:

If anyone wants to give me an opinion about this, I would *very* much appreciate it -- it's my first time doing anything like this and I basically just riffed off the Open Source Institute & Glitch TOS

@vickysteeves Under "Privacy Policy" you might want to make clear how you'd respond to, say, a government search warrant

@darius @vickysteeves +1. Warrants, subpoenas, DMCA, etc.

This "privacy policy" section would definitely not be enough for me to be comfortable putting research subject data there, in case that is a use case.

Is data encrypted at rest and in transit? Are there any service providers that have access to the data at rest and what is their privacy policy? What guarantees are provided for deleting data? ("for a short period" seems vague, and tied to the backup length, which shouldn't be short?)

@npd @darius

Good point RE: warrant -- do other research tools have this, do either of you happen to know? Would be interested in template-ish lang.

None of the materials on Taguette are publicly viewable, so not sure when/how people would make a DMCA claim in the first place -- do you think the stuff under "Content" is enough for that?

People can put IRB-exempt data in Taguette, but we do not want/recommend people to put sensitive data in there -- does that go in TOS or FAQ, in your view?

@vickysteeves @npd re: warrants, I'd ask a lawyer. It's possible you may be able to get some help from your institution; for example, I've had good experiences working with Berkman Law Lab on open source projects where students do the work supervised by a licensed legal professional

@vickysteeves @darius I would make explicit notes about what kind of data is and isn't appropriate in multiple places, including at least both the TOS/privacy-policy and FAQ. And explicitly excluding sensitive research data puts a lot less pressure on these exceptional access questions.

In general, I recommend separating privacy policies from terms of service, since Terms of Service are generally legalese that people have been actively discouraged from reading.

@vickysteeves if no user content is made public, you probably don't need the DMCA contact/info or much process there, I just raised it since you had all those disclaimers about rights to the uploaded data.

@vickysteeves I would include a point of contact and a process to follow for disclosure of security vulnerabilities. And if you're collecting/logging usage information, that would be good to disclose. I've tried to do that in plain language here (but of course this isn't a similar service):

I don't know of any good policies on online services for research data, and as a result I feel constrained from using online services for research data, which is a pity.

@npd @vickysteeves I think this is what I want people to understand. If you have sensitive data and need privacy guarantees, is *not* a good place to put it. They should run it locally or on their institution's infrastructure.

I'm just a guy running this out of my personal server. I'm pretty good at it, but I'm not HIPAA compliant 😉

Sign in to participate in the conversation

Octodon is a nice general purpose instance. more