This seems to be a bunch of people on Twitter, led by a security researcher, reading legal documents and coming to conclusions which are being second-guessed over the course of the thread.
Some keep quoting this line from the terms of service:
> YOU MUST ACCEPT THE TERMS OF THIS AGREEMENT, INCLUDING THE ARBITRATION AGREEMENT CONTAINED IN SECTION 4 BELOW, BEFORE YOU WILL BE PERMITTED TO REGISTER FOR AND PURCHASE ANY PRODUCT FROM THIS SITE. BY REGISTERING ON THIS SITE AND SUBMITTING YOUR ORDER, YOU ARE ACKNOWLEDGING ELECTRONIC RECEIPT OF, AND YOUR AGREEMENT TO BE BOUND BY, THIS AGREEMENT. YOU ALSO AGREE TO BE BOUND BY THIS AGREEMENT BY USING OR PAYING FOR OUR PRODUCTS OR TAKING OTHER ACTIONS THAT INDICATE ACCEPTANCE OF THIS AGREEMENT.
Whereas others have pointed to the Opt-Out:
> Right to Opt-Out of this Arbitration Provision. IF YOU DO NOT WISH TO BE BOUND BY THE ARBITRATION PROVISION, YOU HAVE THE RIGHT TO EXCLUDE YOURSELF. Opting out of the arbitration provision will have no adverse effect on your relationship with Equifax or the delivery of Products to You by Equifax. In order to exclude Yourself from the arbitration provision, You must notify Equifax in writing within 30 days of the date that You first accept this Agreement on the Site (for Products purchased from Equifax on the Site). If You purchased Your Product other than on the Site, and thus this Agreement was mailed, emailed or otherwise delivered to You, then You must notify Equifax in writing within 30 days of the date that You receive this Agreement. To be effective, timely written notice of opt out must be delivered to Equifax Consumer Services LLC, Attn.: Arbitration Opt-Out, P.O. Box 105496, Atlanta, GA 30348, and must include Your name, address, and Equifax User ID, as well as a clear statement that You do not wish to resolve disputes with Equifax through arbitration. If You have previously notified Equifax that You wish to opt-out of arbitration, You are not required to do so again. Any opt-out request postmarked after the opt-out deadline or that fails to satisfy the other requirements above will not be valid, and You must pursue your Claim in arbitration or small claims court.
Therefore, I'd take everything with a grain of salt and/or read the full terms for yourself:
The NY AG, like several other lawyers, pointed out that the contract term isn't enforceable. At the very least, it appears to be a contract of adhesion.
The AG is also pissed about the language, but that doesn't mean he's confirmed it's enforceable.
Yes, I don't understand attacking one AG at the defense of one of the three main credit bureaus. One has an oversized market power and the other's a government official. One seeks profit and power at a scale few humans ever dream of and the other's one of 50 such officials.
To be fair an AG does have plenty of power, but it's the power, primarily, of the office. That comes with all kinds of oversight and politics, while the Big Three are just... apes.
You violated the site guidelines by taking this thread into just the sort of flamewar we're trying to avoid on HN. Would you please (re-)read them and not do this again?
If you wish to take issue with the fact I called a political figure a douche, fine.
But I will not refrain from using such language in the future when I feel it's appropriate.
Although, if you want to declare I started what can hardly be described as a flame war just by stating an opinion, you should just delete my account now.
I'm not getting into a nitpick over his alliances to left-wing groups I strongly dislike or that he commonly tries to pull high-ranking Democrats further left than necessary, etc.
> So you just wanted to attack him personally without having any obligation to back up your opinion? Do I understand correctly?
Last time I checked, I posted useful information in this thread and only noted my opinion of Schneiderman after "josefresco" specifically named him in an attempt to divert the conversation. If I wanted to attack him specifically I would have picked a better forum than Hacker News where politically charged discourse is generally frowned upon. And moreover, I owe no one any further explanation of my opinion of Schneiderman; much less you in particular.
Just like Equifax is trying to get out of screwing the public over as cheaply as possible. Don't pretend they are somehow victims or noble exemplars, or that you aren't just complaining about the status quo because it's politically expedient for you. If you haven't been arguing for structural reforms in how we select public officials then your objections don't really carry any weight.
It might if I knew what structural reforms you had been advocating for. But that's the problem with launching ad hominem attacks- people wonder what motive you had to go for the cheap shot.
Thanks for posting that; depending on the site (if you go to equifaxsecurity2017 or trustedidpremier) you see different ToUs.
Equifax has the clause for opting out of arbitration, but Trusted ID Premier's Terms of Use doesn't have it. The enrollment site I've seen is owned by Trusted ID Premier, and it's arguably deceptive that Equifax structured the site as a bait-and-switch to see if their shitstorm exposed you.
Heck, they may have even planned a PR push around telling news outlets to refer readers to that site, omitting that using trustedidpremier.com means that you agree to a ToU that mentions only waiving the right to participate in class-action suits, but not how to opt-out.
It's so phishing-sounding that I want to believe it was chosen after a quick focus group with the "people who are most likely to become fraud victims" demographic.
I had to go check the certificate chain to make sure it was legit, and they're using an amazon-generated certificate that appears legitimate. Definitely looks fishy but I think they're just that bad at making trustworthy websites.
DV certs don't say anything about who owns the website. Just that the website is the URL you are trying to visit. Someone else could have registered the URL and created the website, so checking the certificate chain doesn't prove anything.
EV certs on the other hand at least claim to verify who owns the website but even then I would be cautious.
Right, I was mostly looking to see if it was some dodgy cert provider - Amazon is on my mental list of questionable-but-not-obviously-scammy ones. EV certs, to me, just mean 'this cert is intended to secure company x's sites', not 'company x controls this site'. So an obvious on-page-text mismatch to the cert raises red flags, for example.
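The DV/EV distinction discussed in the comments above, as an added example that is not part of the original thread: it classifies a certificate from the subject fields in the dict returned by Python's `ssl.SSLSocket.getpeercert()` and flags a mismatch between the organization the page claims and the one the certificate asserts. The sample certificates, host names and organization names are constructed, and the subject-field heuristic is an assumption of this example (the certificate-policy OID is the authoritative signal, but `getpeercert()` does not expose it).

```python
import socket
import ssl

# Subject fields that EV certificates carry in addition to organizationName.
EV_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}

def subject_fields(cert):
    """Flatten getpeercert()'s tuple-of-RDNs subject into a plain dict."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            fields.setdefault(key, value)
    return fields

def validation_level(cert):
    """Heuristic: DV has no organization, EV adds registration details."""
    subject = subject_fields(cert)
    if "organizationName" not in subject:
        return "DV"
    if EV_FIELDS <= subject.keys():
        return "EV"
    return "OV"

def review(cert, claimed_org=None):
    """Return (level, asserted_org, findings) for a certificate dict."""
    level = validation_level(cert)
    org = subject_fields(cert).get("organizationName")
    findings = []
    if level == "DV":
        findings.append("certificate binds a key to the DNS name only; "
                        "it asserts nothing about who operates the site")
    elif claimed_org and claimed_org.lower() not in org.lower():
        findings.append(f"page claims {claimed_org!r} but certificate "
                        f"subject organization is {org!r}")
    return level, org, findings

def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the validated leaf certificate of a live host (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample certificates in getpeercert() format.
DV_CERT = {
    "subject": ((("commonName", "breach-help.example"),),),
    "issuer": ((("organizationName", "Example DV CA"),),),
}
EV_CERT = {
    "subject": (
        (("jurisdictionCountryName", "US"),),
        (("businessCategory", "Private Organization"),),
        (("serialNumber", "0000000"),),
        (("organizationName", "Example Holdings LLC"),),
        (("commonName", "www.example-holdings.example"),),
    ),
    "issuer": ((("organizationName", "Example EV CA"),),),
}

if __name__ == "__main__":
    for cert, claimed in ((DV_CERT, "Example Bank"), (EV_CERT, "Example Bank")):
        print(review(cert, claimed))
```
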
It sounds like copy/pasted boilerplate that may happen to be overreaching, rather than a conspiracy. Upon what do I base this? Not a legal argument, but a pragmatic one that it simply won't work to discharge them of liability in this case, because they'll be lucky if 5% of the affected people use this form to see if they were affected. (For instance, even before I heard about this legal stuff, I didn't even bother, because I'm just going to assume "yes".) I want to say they'll be lucky if 1% do, but the news story is pretty big.
But there's no way that anything like 100% of the affected people will, which is what it would take to even theoretically get them out of the class action lawsuit(s).
Arguing about the legal details seems pointless, this isn't going to get them out of this scrape even if it was 100% iron-clad and court tested, and I seriously doubt anyone at Equifax ever thought for a second this clause would be used that way.
You don't think Equifax have lawyers? Of course they do, and they know that the clause exists. Just having the clause in the first place is a conspiracy to abuse consumers.
What I mean is that I don't think anybody specifically was thinking "Aha! We can put this clause in there today, and we've got a free out! Hooray!", precisely because even if it did work as putatively designed, it wouldn't work, and they'd completely know it. It isn't even useful as a "throw the spaghetti against the wall and see what sticks" maneuver.
To believe that this clause is related to this matter is to require not merely mendacity (believable), not merely stupidity (believable), but an unbelievably precise combination of mendacity and stupidity that can only be read as constructing a rationalization for a pre-supposed conclusion.
> It sounds like copy/pasted boilerplate that may happen to be overreaching, rather than a conspiracy.
Probably, but people and companies should stop doing that. Equifax has the resources to pay lawyers to do things fairly if they want, they're just choosing not to.
How does one prove they wrote and satisfied the requirements within 30 days? I actually currently have a situation where my HOA claims I have violated covenants, but there's an architectural review committee one can write to for exceptions, and the covenants state that if no response is received within 100 days the exception is automatically approved. However the committee members have a habit of cancelling public meetings, ignoring emails, and their other employers are very good at deflecting attempts to contact them on committee business. I'm at their mercy to prove that I qualify for an exception. Same problem. In hindsight, best I could have done is prove I sent some mail to the right address on a certain date. That's it.
That's basically what you do—you send the correspondence via certified mail, and keep the certified mail receipt. That doesn't prove what you mailed, but it gives verification that you sent something. (You purchased something from Equifax on the 1st, sent them a certified letter on the 10th. You claim it was the arbitration opt-out; they had better have some evidence it wasn't, or the judge/jury is probably going to believe you.)
Honestly for this (the Equifax thing), you just keep record of when you sent it—it's only an issue if you litigate, and then I'd expect your record of when you sent it + your testimony would be sufficient. But IANAL, and you should of course talk to one if it matters.
For your HOA, hopefully you have some record of when you sent the request (e.g., you kept a copy of the ARC application with a note that you mailed it on $DATE). (Of course, the HOA should be maintaining records of when applications are received.) Depending on what it is, this is something that may be worth paying for legal advice on.
CertifiedMailLabels.com is what I use -- They send it certified mail, keep a copy of the letter (so there is no disputing what the contents of the letter are) and give you effectively indisputable proof of delivery -- they give you a proof of mailing that they sent the letter that is in .pdf form, and then they provide a .pdf receipt that is your return mail copy.
I've had to use it in the past for creditors who don't have a clue.
You're right about the grain of salt, but offering an opt-out to shitty conditions that they know most people won't read about, that most people who read about won't act on, and will thus waive their legal rights, is an unconscionable condition.
Personally I think that lawyers ought not to draft agreements and contracts that are likely to be found unconscionable or wildly asymmetric as a matter of professional ethics. Adversarial legalism between private parties tends to yield crappy results for the public. I mean, if you've just created a problem for 140 million people, trying to trick them into waiving their rights of redress basically confirms that you're a Bad Person - a bad corporate person, a bad executive making the decision on behalf of shareholders, and a bad lawyer for agreeing to promulgate such trickery.
I think you're probably right about the intention. The trouble is that the enrollment website (equifaxsecurity2017.com) has a TOS link that goes to the regular Equifax TOS. These TOS claim to apply to several listed websites
> "AND ALL OTHER WEBSITES OWNED AND OPERATED BY EQUIFAX AND ITS AFFILIATES".
So this would mean that the general TOS would apply to the Trusted ID site also.
And while some parts of this TOS make it seem like it would only apply if you purchase and use a product (which is inapplicable to the Trusted ID program, which is free), other parts make it seem like it applies beyond purchases, to any use:
> YOU ALSO AGREE TO BE BOUND BY THIS AGREEMENT BY USING OR PAYING FOR OUR PRODUCTS OR TAKING OTHER ACTIONS THAT INDICATE ACCEPTANCE OF THIS AGREEMENT.
So it's a big mess, and probably unintentionally so, from the looks of the legal docs.
"On April 27, 2011, the Court ruled, by a 5–4 margin, that the Federal Arbitration Act of 1925 preempts state laws that prohibit contracts from disallowing class-wide arbitration, such as the law previously upheld by the California Supreme Court in the case of Discover Bank v. Superior Court. As a result, businesses that include arbitration agreements with class action waivers can require consumers to bring claims only in individual arbitrations, rather than in court as part of a class action."
After this decision, tons of click-wrap ("contracts of adhesion") agreements added "oh BTW you can't join a class-action suit against us." They seem to be on very solid legal ground. :-(
I actually use this same method manually with git. I have a .theme folder in my home directory, which is a git repository, containing the directories bin and user. The bin directory houses utility and convenience scripts which are tacked on to my PATH while the user directory holds all my relevant dot files. Then, a setup script in the root .theme directory symlinks the relevant dot files from the user directory to $HOME.
The great part is that I can keep branches for each computer which share my configuration. And being that I consistently use Arch, I also employ an install script with my common packages to speed up new installations.
In the end, it shaves a good hour or so off my installation process.
NGINX allows you to proxy back-end applications, giving you the ability to load balance, handle upstream failures with custom maintenance pages, employ server blocks (virtual hosts), and much more. However, you always need to do the legwork to get your specific application language up and running. This new unit system makes that job easier as you would no longer need to employ separate middleware, like PHP-FPM for PHP applications, or use a separate init system like systemd to run Go or Node applications. Now NGINX would assume those responsibilities and provide you with a consistent interface.
Here you can see the configuration of workers and user/group permissions for a Go application:
That's how my reading of it goes. You provide an "endpoint" for the library to call, configure the Unit framework, and their Manager connects the nginx frontend to that Unit framework.
No real idea if it does so using fcgi or some other socket-based proxying, or if the unit is spun up as a separate process and handed the raw socket and some shared memory after the headers are parsed (closer to how mod_php works).
Yes, you can generally think of it as a replacement for mod_php as Unit would parse requests from NGINX, pass them along to the PHP parser, then return the responses back to NGINX. That's the same job mod_php does for Apache and what PHP-FPM (essentially) does for servers like NGINX.
Upon first reading I thought that Unit needed to be behind NGINX to function. When actually it listens for requests as a separate server, entirely. It only provides an API for configuration purposes.
However, if you want to use the other features of NGINX, like providing static files, you will need to put it in front of Unit.
> I used quite an early beta of Ember to build BugMuncher’s new feedback interface.
> I wanted to add a full REST API to BugMuncher, even though no-one had asked for it.
> I committed to using Ember before I knew enough about it.
> I didn’t keep it simple, I was stupid.
> Web apps often look complicated from the outside, but underneath most of what they do is simply Create Read Update Delete, and you really don’t need a fancy JavaScript framework to do that.
So, to summarize, you failed at your first usage of a JavaScript framework due to your own bad decisions. Therefore, all the benefits SPA structure can offer the multitude of other projects is meaningless as, "...most of what they do is simply Create Read Update Delete." Honestly, you've just swapped the bandwagon effect for confirmation bias as you fell back to Rails.
I never said "all the benefits SPA structure can offer the multitude of other projects" were meaningless, in fact I specifically said there's a time and place for them. My point was most web apps, particularly an SaaS control panel, may be better served with a simple CRUD app.
> I never said "all the benefits SPA structure can offer the multitude of other projects" were meaningless, in fact I specifically said there's a time and place for them.
No, you said:
> There’s a time and a place for JavaScript frameworks, and whatever it is you’re building probably isn’t it.
Do tell us when a SPA structure is appropriate... Then, explain how that sentiment is any less "arrogant" than Ember.
This seems to be the same idea that Google rolled out over YouTube. Demonetize videos that "may not be appropriate for all advertisers." However, the videos which are usually being demonetized are those simply expressing a dissenting opinion. It's going to be interesting what this system classifies as "fake" or "incorrect" news.
> "It’s racist, far-right violence, and that requires determined and forceful resistance no matter where in the world it appears," Chancellor Angela Merkel said.
Sure. It's not like the growing number of far-left anarcho-socialist and anarcho-communist groups haven't been shutting down non-violent right-wing freedom of speech events for the past two years. It's not like they haven't been broadly labeling anyone with a dissenting opinion a racist, sexist, etc. It's not like they haven't been using violence and black bloc tactics from the beginning.
No, that's all completely beside the point, and in no way does it alienate portions of the population creating more extremists on both sides.
> If you think a 64-bit DIV instruction is a good way to divide by two, then no wonder the compiler's asm output beat your hand-written code...
Compilers employ multitudes of optimizations that will go overlooked in hand-written ASM unless you, as the author, are very knowledgeable. End of story.
http://www.equifax.com/terms/