We will be publishing an updated Subscriber Agreement. I'd like to get feedback from our community on the email that will be sent to all subscribers for whom we have an email address. Please let me know if you have ideas for how to make it more clear!
Title: Let’s Encrypt Subscriber Agreement Update
Recipients: All Let’s Encrypt Subscribers with an email address on file
Dear Let’s Encrypt Subscriber:
We’re writing to you because we’ve updated our Subscriber Agreement, effective X, MONTH 2022. This is the agreement that governs the relationship between you and ISRG with regards to your acquisition and use of SSL/TLS digital certificates issued by ISRG (via Let’ Encrypt). You don’t need to take any action to continue to use the Let’s Encrypt service but we encourage you to review the new agreement.
The main updates are: we now link to instructions on choosing a revocation reason if you revoke a certificate. This is a requirement for Subscriber Agreements from all Certificate Authorities as of this year. Also, we've removed unneeded capitalization, removed a section that is redundant with our Certificate Policy (CP), and tweaked the wording of the requirement to "assure" control of your private key so it matches the Baseline Requirements (BRs).
You can find the updated agreement (v1.3), along with a document that shows the differences between the previous and current agreement and the full text of the previous agreement here:
https://letsencrypt.org/repository/
If you have any questions about the new agreement, please post them in the following thread on our community forum so Let’s Encrypt staff can review.
[Thread link forthcoming]
Let’s Encrypt is a free service because we want to make the Web more secure and privacy-respecting for everyone. We’re able to operate as a nonprofit thanks to corporate sponsorships and donations. Please consider joining our sponsorship program: https://www.abetterinternet.org/sponsor/
Or donate now during our summer fundraising campaign to support this service (and get neat apparel!). https://letsencrypt.org/donate/
Generally seems fine to me. The main things that I see that might have some room for improvement are:
Some words are informal (like "merch") or techy-type-jargon (like "diff"). I'm not sure exactly what tone would be best in general, but particularly whereas this may be going to not-extremely-technical users or people with limited proficiency in English, it may be good to ensure that everything is as clear as possible.
It looks like half of this is actually a plea to get funding rather than being just the notification of the agreement change. (Though some of that may just be due to the forum's boxing and formatting of the links, which I don't know would show in an email the same way.) I don't know if that might make people see this as closer to "spam" rather than a "helpful service update".
Thanks for the feedback. I'll spell things out more fully.
The funding part will not include previews as in the forum, but instead will just be plain text links. That will reduce its visual presence significantly. While it does consume a non-trivial amount of space in the email, it seems important to first convey that we are a public benefit nonprofit since many people do not realize that, and then take the opportunity to ask that people give back. We try not to be too pushy, but we do need to raise the money needed for this service.
If I were you, I would include the most important changes in the SA related to the user in the email. Or at least explain what the majority of the changes are and what the implications to the user might be. Without that, I'm missing the entire point of the email a little bit, frankly. I think 99.99999 % of users don't even know what a Subscriber Agreement actually is.
Thanks! I updated the post to include an explanation of the SA's purpose. I hear where you're coming from on describing the changes but we are publishing a document that shows the differences between versions. That seems like the best way for people to determine what's new.
True, I probably can live with that, assuming the difference isn't so major that 50 % of subscribers would stop using Let's Encrypt due to the changes if they actually read them.
This diff hasn't happened between previous SAs, so I'm not sure what to expect as a "diff" though. An actual diff or a human-written text? Just curious.
Also, a typo:
It's missing the s from Let's
I also would perhaps change
to:
(…) along with a document with only highlighting the changes between the previous and current agreement (…)
Or something else not using the term diff as mentioned by @petercooperjr earlier.
Yeah. I don't know if we plan to have a more readable version / summary of changes -- the redlined version is what we've been reviewing internally, though. It's the standard in the legal world for this sort of thing.
Aaah, I see. Wouldn't have thought about that. Is that also the place where the new diff will be? Maybe mentioning that (if that's the case) in the email might be a good idea.
As a "subscriber" to many services that send notifications about changes to the agreement, I need to emphatically endorse @Osiris's recommendation of providing a change summary in the email. Linking to a "diff" or "redline" is nice, but most of us don't want to be burdened with reviewing a document, especially if the changes are inconsequential. We just want to know if there is any critical action we need to take to remain compliant. If the changes amount to what is effectively a great big nothing burger, don't ask us to go view a website to see the changes.
The informative statement about the organization's status and funding is important. It probably wouldn't hurt to create a minimal version to use as a tagline or footer in certificate notification emails, if there isn't one there already. Something like the classic PBS tagline of "and viewers like you" that followed their sponsor acknowledgement seems grateful and not needy or pushy.
Regardless of how the final version is written, thanks for sharing the feedback request in the community.
Perhaps only partly related, but shouldn't ACME clients ask for renewed permission?
When looking at my Certbot account info, I see that I've agreed to the 1.0.1 version of the SA from July 2015. One would think one should explicitly agree to the newest version of the SA, right? Or is there a clause in the SA that says something like "agree once, agree forever"?
If the changes are inconsequential, one can also argue an email isn't necessary. I have not found any email from Let's Encrypt regarding previous SA updates in my inbox. Now, I may have deleted them, so that's not 100 % reliable, but if this is the first of this kind of email, one might think: why now? What's so important to send an email now and not the previous updates?
Perhaps that's due to a change of policy. I.e. "from now on, we're sending subscriber updates". Which is fine of course! It might also be a one-time email related to the fundraising issue with the SA update as an excuse to send the sponsoring plug, I don't know.
In any case, I think the reason why this email is being sent is also important for the contents, with a few scenarios, summarised:
If I deleted all my previous SA update email notices and this is just part of a regular thing, sure, no problem.
If this is the first of many to come, it might be a good idea to note that.
If this is a one-time thing only, then the changes in the SA are probably VERY important for the subscribers so it should be highlighted in the email contents too.
Or it's a one-time thing used as a plug for the fundraising.
I believe this article from the 2015 SA is applicable:
5.6 Amendment
ISRG may modify this Agreement from time to time. Each modified version of this Agreement will be posted to ISRG’s Let’s Encrypt website (letsencrypt.org) at least fourteen (14) days before it becomes effective. If such new version contains material changes and You have provided ISRG with an email address, ISRG will send an email to such address notifying You of such new version at least fourteen (14) days before it becomes effective. In addition, major changes will be flagged with a new Subscriber Agreement version number in the ACME protocol, so You may be able to configure Your ACME Client Software to notify You of such changes.
Legally speaking, I think (I'm not a legal person) this enables LE to just modify the SA and have the subscriber check the repository for changes without requiring an explicit agreement from the subscriber.
That said, it also says LE only emails the subscribers if "material changes" are made to the SA. Is that also the case for this 1.2 to 1.3 change? If so, I would go back to my previous recommendation as mentioned by @linkp too to address these material changes in the email contents itself.
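One way to act on the "flagged in the ACME protocol" clause from the client side, as an added example that is not code from this thread, from Certbot or from Let's Encrypt: it compares the agreement URL the CA advertises in the ACME directory's meta.termsOfService (the field RFC 8555 defines for this) with the URL an account accepted at registration. It assumes an account file shaped like Certbot's regr.json with a terms_of_service key; the directory contents and document URLs are constructed samples.

```python
import json
import re

# Constructed sample of an ACME directory response; "meta.termsOfService" is the
# field RFC 8555 uses to advertise the agreement currently in force.
DIRECTORY_JSON = """{
  "newAccount": "https://acme.example.test/acme/new-acct",
  "meta": {"termsOfService": "https://example.test/documents/LE-SA-v1.3-EXAMPLE.pdf"}
}"""

# Constructed sample of a client account file in the layout assumed here for
# Certbot's regr.json: "terms_of_service" holds the URL agreed at registration.
REGR_JSON = """{
  "body": {},
  "uri": "https://acme.example.test/acme/acct/0000",
  "terms_of_service": "https://example.test/documents/LE-SA-v1.0.1-EXAMPLE.pdf"
}"""

# Let's Encrypt names its agreement documents "LE-SA-v<version>-<date>.pdf";
# this pulls out the version part so the two sides can be reported together.
SA_VERSION_RE = re.compile(r"LE-SA-v(\d+(?:\.\d+)*)")


def sa_version(url):
    """Return the agreement version embedded in a document URL, or None."""
    match = SA_VERSION_RE.search(url or "")
    return match.group(1) if match else None


def check_agreement(directory_json, regr_json):
    """Compare the agreement the account accepted with the one the CA now advertises."""
    advertised = json.loads(directory_json).get("meta", {}).get("termsOfService")
    agreed = json.loads(regr_json).get("terms_of_service")
    return {
        "agreed": sa_version(agreed),
        "advertised": sa_version(advertised),
        # Only report a change when both sides are known: a missing field is
        # not evidence that the agreement moved.
        "changed": bool(agreed and advertised and agreed != advertised),
    }


if __name__ == "__main__":
    result = check_agreement(DIRECTORY_JSON, REGR_JSON)
    if result["changed"]:
        print(f"Subscriber Agreement changed: agreed v{result['agreed']}, "
              f"CA now advertises v{result['advertised']}")
    else:
        print("Subscriber Agreement unchanged or not advertised")
```

In a real deployment the directory JSON would be fetched from the CA's directory URL and regr.json read from the client's account directory; the comparison logic stays the same.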
I think it's perfect! The flow now goes from least details to most details, which will benefit all readers. Ones that don't care can just delete the email after the first paragraph. More curious readers will also read the second paragraph. There they'll have the most important information. And if they're reaaaally interested, they are provided with a reference to all the info on the LE site.