<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
	<id>https://consumerrights.wiki/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Galomi04</id>
	<title>Consumer Rights Wiki - User contributions [en]</title>
	<link rel="self" type="application/atom+xml" href="https://consumerrights.wiki/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Galomi04"/>
	<link rel="alternate" type="text/html" href="https://consumerrights.wiki/w/Special:Contributions/Galomi04"/>
	<updated>2026-07-08T18:21:14Z</updated>
	<subtitle>User contributions</subtitle>
	<generator>MediaWiki 1.44.0</generator>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=EDRLab&amp;diff=59229</id>
		<title>EDRLab</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=EDRLab&amp;diff=59229"/>
		<updated>2026-06-28T08:24:33Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: /* Post-installation */ used actual roman numeral chars&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{CompanyCargo&lt;br /&gt;
|Founded=2015-07-17&lt;br /&gt;
|Industry=Software&lt;br /&gt;
|Logo=Edrlab.png&lt;br /&gt;
|Type=Non-profit&lt;br /&gt;
|CompanyAlias=European Digital Reading Lab&lt;br /&gt;
|Website=https://www.edrlab.org, https://www.thoriumreader.com&lt;br /&gt;
}}&lt;br /&gt;
EDRLab is a &amp;quot;non-profit development laboratory working on the deployment of an open, interoperable and accessible digital publishing ecosystem worldwide.&amp;quot; It has over 100 members, but some of its founding members are: [[wikipedia:Editis|Editis]], [[wikipedia:Hachette Livre|Hachette]], [[wikipedia:Centre national du livre|Centre National du livre]], [[wikipedia:Groupe Madrigall|Groupe Madrigall]] and the French State. EDRLab is a member of [[wikipedia:World Wide Web Consortium|W3C]] and [[Readium|Readium Foundation]]. It is one of the main contributors to Readium toolkits and the manager of Readium LCP [[Digital rights management|DRM]]. They are also the creators of Thorium Reader, an EPUB reading application.&amp;lt;ref&amp;gt;{{Cite web |title=About |url=https://www.edrlab.org/about/ |url-status=live |website=edrlab.org |archive-url=https://web.archive.org/web/20260502070949/https://www.edrlab.org/about/ |archive-date=2026-05-02 |access-date=2026-06-24}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=EDRLab members directory |url=https://members.edrlab.org |url-status=live |archive-url=https://web.archive.org/web/20260303083006/https://members.edrlab.org/ |archive-date=2026-03-03 |access-date=2026-06-24}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |language=fr |title=SITUATION AU REPERTOIRE SIRENE |date=2026-06-24 |url=https://api-avis-situation-sirene.insee.fr/identification/pdf/81344547500029 |url-status=live |website=insee.fr |archive-url=https://web.archive.org/web/20260624170714/https://api-avis-situation-sirene.insee.fr/identification/pdf/81344547500029 |archive-date=2026-06-24}}&amp;lt;/ref&amp;gt; They also focus on accessibility in order to increase the number of books available to people with disabilities.&amp;lt;ref&amp;gt;{{Cite web |title=Accessibility |url=https://www.edrlab.org/accessibility/ |url-status=live |website=edrlab.org |archive-url=https://ghostarchive.org/archive/EMoqh |archive-date=2026-06-25}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
==Consumer-impact summary==&lt;br /&gt;
EDRLab is one of the main contributors to [[Readium]] LCP DRM. Their EPUB reader application, Thorium Reader, which uses &amp;lt;abbr title=&amp;quot;Licensed Content Protection&amp;quot;&amp;gt;LCP&amp;lt;/abbr&amp;gt;, claims to be private, yet it has &amp;quot;non-personal&amp;quot; data collection that the user cannot opt out of. It also contacts EDRLab&#039;s servers every time the application is started. &lt;br /&gt;
&lt;br /&gt;
This is not apparent, since Thorium&#039;s installer doesn&#039;t inform the user of this, there are no &amp;quot;agree/disagree&amp;quot; options and Thorium&#039;s interface does not directly link to either the [[Terms of service]] (ToS) or the Privacy policy (see: [[EDRLab#User not clearly presented with terms|User not clearly presented with terms]]. Users also wouldn&#039;t be notified if the Privacy policy were to change, since that would require them to manually check the Privacy policy page for updates. &lt;br /&gt;
&lt;br /&gt;
The Terms of service also mentions that the user agrees to &amp;quot;indemnify and hold harmless the EDRLab Parties&amp;quot; even for &amp;quot;alleged&amp;quot; breaches by the user of the ToS. It is also stated that &amp;quot;EDRLab Parties have the right to monitor the use of the Application.&amp;quot; The 2026 ToS also contains a [[Forced arbitration]] clause (see: [[EDRLab#Forced arbitration (2026-04-08 ToS version)|Forced arbitration (2026-04-08 ToS version)]]).&lt;br /&gt;
&lt;br /&gt;
The application is also deceptively marketed as open source as it is stated in the privacy policy that it is in fact not entirely open source, but rather has a &amp;quot;small software library used as core for the Readium LCP DRM, which does not store or send any data.&amp;quot; This requires users to trust the company on their word, since users cannot inspect the application, as they may not &amp;quot;rent, sell, modify, decompile, disassemble, reverse engineer or transfer the Application in whole or in part&amp;quot;, according to the Terms of service. Furthermore, this connects directly to the 2nd paragraph. The Terms of service as well as the Privacy policy are discussed in more detail in the &amp;quot;Incidents&amp;quot; section (see: [[EDRLab#Thorium Reader privacy policy and terms of use|Thorium Reader privacy policy and terms of use]]).&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
===Thorium Reader privacy policy and terms of use===&lt;br /&gt;
====Privacy policy (2022-11-22 version)====&lt;br /&gt;
Despite Thorium&#039;s homepage stating that:&amp;lt;blockquote&amp;gt;This application is free, with no ads and no private data leaks.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;thorium-home&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://www.edrlab.org/software/thorium-reader/ |url-status=live |website=edrlab.org |archive-url=https://web.archive.org/web/20260619033750/https://www.edrlab.org/software/thorium-reader/ |archive-date=2026-06-19 |access-date=2026-06-24}}&amp;lt;/ref&amp;gt;There is data collection, but it is stated that it is &amp;quot;non-personal.&amp;quot; The application calling itself private might give some users the wrong impression, if they take that to mean &amp;quot;no phoning home.&amp;quot; The reader sends this &amp;quot;non-personal&amp;quot; data to EDRLab&#039;s servers. &lt;br /&gt;
&lt;br /&gt;
It is impossible to opt out of &amp;quot;notifications&amp;quot; that are sent to a server every time the application is started. They state that this information &amp;lt;blockquote&amp;gt;is for analytics only and not accessed by any third party. It is used to get information about the evolution of the number of installs of the application per operating system, the evolution of usage sessions and the main locales in use.&amp;lt;/blockquote&amp;gt;And:&amp;lt;blockquote&amp;gt;Parameters of such notification are:&lt;br /&gt;
&lt;br /&gt;
*a timestamp,&lt;br /&gt;
*the version of Thorium Reader,&lt;br /&gt;
*the operating system of the device and its version,&lt;br /&gt;
*the locale of the application at the time it is started,&lt;br /&gt;
*if this is the first start of Thorium Reader after a fresh install.&lt;br /&gt;
&lt;br /&gt;
The IP address of the device is not stored along with the above information.&lt;br /&gt;
&lt;br /&gt;
It is not possible to opt-out from this notification.&amp;lt;/blockquote&amp;gt;Also:&amp;lt;blockquote&amp;gt;a notification is sent to an LCP Server each time a protected publication is open. This is required by the LCP specification for checking if the license of use of the publication has been updated. There is not centralized LCP Server, each server is operated by the distributor of the protected publication acquired by the user.&lt;br /&gt;
&lt;br /&gt;
Parameters of such notification are:&lt;br /&gt;
&lt;br /&gt;
*a device identifier, automatically generated at the install of the application.&lt;br /&gt;
*a device name, automatically generated at the install of the application.&lt;br /&gt;
&lt;br /&gt;
The codebase of Thorium Reader is open-sourced and can therefore be fully inspected, with the exception of a small software library used as core for the Readium LCP DRM, which does not store or send any data.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
The terms of privacy policy can also evidently be changed without users being notified in their actual reading application, but rather: &amp;lt;blockquote&amp;gt;We may change the Privacy Policy from time to time. We will notify you by posting the revised Privacy Policy on this page and the date on which the last changes were made will be noted at the top of the page.&amp;lt;/blockquote&amp;gt;So users would have to periodically check this site to know whether any terms have changed.&lt;br /&gt;
&lt;br /&gt;
====Terms of service (2022-11-22 version)====&lt;br /&gt;
Moving on to the Terms of service, there are several interesting things. First:&amp;lt;blockquote&amp;gt;You hereby agree to indemnify and hold harmless the EDRLab Parties from and against any and all claims, actions or proceedings of any nature whatsoever and all damages, judgments, losses, liabilities, costs and expenses, including reasonable attorneys’ fees and expenses (including those incurred to enforce this provision), arising out of your use of the Application, the Content, any actual or alleged breach by you of these Terms of Use, or any violation by you of any applicable law or the rights of any other person or entity.&amp;lt;/blockquote&amp;gt;Especially:&amp;lt;blockquote&amp;gt;any actual or alleged breach by you of these Terms of Use&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
As per this, one is agreeing to &amp;quot;indemnify and hold harmless the EDRLab Parties&amp;quot; even for alleged breaches of the terms of service.&lt;br /&gt;
&lt;br /&gt;
In one of the quotes above, it is mentioned that due to Thorium&#039;s open source nature, one can inspect its source code apart from a &amp;quot;small software library used as core for the Readium LCP DRM, which does not store or send any data&amp;quot; Which, one cannot verify that part, since:&amp;lt;blockquote&amp;gt;In addition, you may not rent, sell, modify, decompile, disassemble, reverse engineer or transfer the Application in whole or in part. You may not use any device, software or routine to interfere with or attempt to interfere with the proper functioning of the Application in whole or in part.&amp;lt;/blockquote&amp;gt;So it would appear that it is up to individual users to decide if not being able to verify that part is acceptable to them. Finally, there is also this:&amp;lt;blockquote&amp;gt; However, you acknowledge that the EDRLab Parties have the right to monitor the use of the Application, at its sole discretion, and to disclose any information necessary to comply with any law, regulation or government request, in order to be able to operate the Application adequately or in order to protect itself or its users under the “Privacy Policy”&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;tos&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader – Terms of Use |date=2022-11-22 |url=https://www.edrlab.org/software/thorium-reader/terms-of-use/ |website=edrlab.org |url-status=live |archive-url=https://web.archive.org/web/20260617083801/https://www.edrlab.org/software/thorium-reader/terms-of-use/ |archive-date=2026-06-17 |access-date=2026-06-24}}&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;privacy-policy&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader – Privacy Policy |date=2022-11-22 |url=https://www.edrlab.org/software/thorium-reader/privacy-policy/ |website=edrlab.org |archive-url=https://web.archive.org/web/20260617083801/https://www.edrlab.org/software/thorium-reader/privacy-policy/ |url-status=live |archive-date=2026-06-17 |access-date=2026-06-24}}&amp;lt;/ref&amp;gt; The above summarizes and discusses Thorium&#039;s Privacy policy and Terms of service. Readers are encouraged to consult both the Privacy policy and the Terms of service for themselves and form their own conclusions.&lt;br /&gt;
=====Forced arbitration (2026-04-08 ToS version)=====&lt;br /&gt;
In the updated Terms of service (see [[EDRLab#External links|External links]]), from 2026-04-08, there is a Forced arbitration clause.&amp;lt;blockquote&amp;gt;To the fullest extent permitted by applicable law, any dispute, claim or controversy between you and EDRLab that relates in any way to or arises from your use of the Application or these Terms of Use (a “Dispute”) shall be resolved on an individual basis and, except as provided below, exclusively through binding arbitration. A Dispute will be submitted to arbitration, whether it is based on contract, statute, regulation, court order, tort or any other legal or equitable theory. You understand that in arbitration, there is no judge or jury and that judicial review of an arbitral award is limited. Unless otherwise required by mandatory law, the arbitration shall be administered by a recognised arbitration institution (for example, the ICC in Paris, or, for consumers in the United States, the American Arbitration Association) under its applicable rules for consumer or commercial disputes, as modified by this clause. The arbitration shall be conducted by a single arbitrator, in French or English, and, unless the arbitrator decides that an in‑person hearing is necessary, may be held by videoconference. The arbitrator shall apply the applicable governing law set out below and may award any remedies available at law or in equity. The arbitrator’s award shall be final and binding and may be entered in any court of competent jurisdiction.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
And:&amp;lt;blockquote&amp;gt;You agree that any arbitration or court proceeding will be conducted only on an individual basis, not as a class, collective, or representative action. To the fullest extent permitted by applicable law, you and EDRLab each waive any right to a jury trial in any court proceedings. Notwithstanding the foregoing, either you or EDRLab may: (a) bring an individual action in a court of competent jurisdiction for claims that fall within the jurisdiction of a small‑claims or equivalent court, or (b) seek provisional or injunctive relief in a court of competent jurisdiction to protect intellectual property rights or prevent unauthorised access to or use of the Application. You and we agree to submit to the exclusive jurisdiction of Paris, France. Unless prohibited by applicable law, and without regard to its conflict of laws principles, you and we agree that any Dispute between you and us will be governed by and construed in accordance with the laws of France. ​In all cases, nothing in these Terms of Use is intended to waive any sovereign immunity, governmental immunity or other mandatory legal protection that cannot be contractually waived under applicable law.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
You also agree to first contact EDRLab and try to resolve matters &amp;quot;informally&amp;quot;, before initiating any proceedings:&amp;lt;blockquote&amp;gt;If you have any concern or dispute regarding the Application or these Terms of Use, you agree first to contact EDRLab at contact@edrlab.org and to make a good‑faith effort to resolve the dispute informally for at least thirty (30) days before initiating arbitration or court proceedings.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;tos2&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===User not clearly presented with terms===&lt;br /&gt;
During the installation process, the user is not clearly presented with the Terms of use or the Privacy policy. There is no option to agree or disagree to the terms and the privacy policy, nor are they directly linked in the app (see: [[EDRLab#Installation|Installation]] and [[EDRLab#Post-installation|Post-installation]]). While it is not possible to opt out, the user doesn&#039;t know that during installation, unless they&#039;d scrolled on Thorium&#039;s webpage to find the Terms of use and the Privacy policy, or unless they&#039;d found them wherever they&#039;re installing the app from (e.g. [[Microsoft|Microsoft]] Store). See [[EDRLab#External links|External links]] for installation videos of Thorium.&amp;lt;ref name=&amp;quot;install-thorium-win&amp;quot;&amp;gt;{{Cite web |date=2026-02-24 |title=installer_thorium_pc |author=Stine Kjær Kappel |language=da |url=https://edumedia.dk/media/t/0_dadiw6fi/480184 |url-status=live |website=edumedia.dk |archive-url=https://ghostarchive.org/archive/3IlBv |archive-date=2026-06-25}}&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;install-thorium-mac&amp;quot;&amp;gt;{{Cite web |date=2026-02-24 |title=installer_thorium_mac |author=Stine Kjær Kappel |language=da |url=https://edumedia.dk/media/t/0_1j7nppt4 |url-status=live |website=edumedia.dk |archive-url=https://ghostarchive.org/archive/ILix8 |archive-date=2026-06-25}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
====Installation====&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:Thorium-website.webp|alt=Installation step: 1 (installation page)|right|Installation step: 1 (installation page)&lt;br /&gt;
File:F1.webp|alt=Installation step: 1 (alternative on Windows: Microsoft Store)|right|Installation step: 1 (alternative on Windows: Microsoft Store)&lt;br /&gt;
File:F2.webp|alt=Installation step: 2 (Thorium being installed)|right|Installation step: 2 (Thorium being installed)&lt;br /&gt;
File:F3.webp|alt=Installation step: 3 (Thorium&#039;s welcome page upon first launch)|right|Installation step: 3 (Thorium&#039;s welcome page upon first launch)&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
No direct presentation of the Terms of use or the Privacy policy during installation (example on Windows).&lt;br /&gt;
=====Step 0=====&lt;br /&gt;
The Terms of use and the Privacy policy can be located on the homepage by scrolling down to the &amp;quot;Terms of Use, Privacy Policy&amp;quot; section.&amp;lt;ref name=&amp;quot;thorium-home&amp;quot; /&amp;gt;&lt;br /&gt;
=====Step 1=====&lt;br /&gt;
On the installation page (step 1), the user would have to click on &amp;quot;Support&amp;quot; on the top right (or &amp;quot;Minimum system requirement&amp;quot; in the center-left) and then locate the &amp;quot;About Thorium Reader&amp;quot; section on the bottom left. This is not the same page as the &amp;quot;About&amp;quot; located next to &amp;quot;Support.&amp;quot;&amp;lt;ref name=&amp;quot;homepage&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://thorium.edrlab.org/en/ |url-status=live |website=thorium.edrlab.org |archive-url=https://ghostarchive.org/archive/BI26o |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Thorium 3 support |url=https://thorium.edrlab.org/en/th3/ |url-status=live |website=thorium.edrlab.org |archive-url=https://ghostarchive.org/archive/eHOlo |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
======Microsoft Store======&lt;br /&gt;
On the Microsoft Store (alternative step 1 for Windows), the &amp;quot;Additional information&amp;quot; section contains links to the Privacy policy and the &amp;quot;Terms of transaction.&amp;quot; The former leads to EDRLab&#039;s &amp;quot;Legal Information&amp;quot; page, not the actual privacy policy on the site that the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; opens (it is also in French, even with the computer&#039;s language set to English)&amp;lt;ref&amp;gt;{{Cite web |title=Legal Information |url=https://www.edrlab.org/legal-information/ |url-status=live |website=edrlab.org |language=fr |archive-url=https://ghostarchive.org/archive/NvQtI |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
The latter link leads to a &amp;quot;Microsoft Store Terms of Sale&amp;quot; (not the same thing as the app&#039;s Terms of use). There is also a website link, but it opens a different website&amp;lt;ref name=&amp;quot;altsite&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://www.thoriumreader.com/en/ |url-status=live |website=thoriumreader.com |archive-url=https://ghostarchive.org/archive/ZjTqS |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; than the one Thorium Reader opens when clicking &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; (see [[EDRLab#External links|External links]]).&amp;lt;ref&amp;gt;{{Cite web |title=Thorium Reader |url=https://apps.microsoft.com/detail/9nfzp1g7m2sc?hl=en-US |website=apps.microsoft.com |url-status=live |archive-url=https://ghostarchive.org/archive/ukmly |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; That site site has a &amp;quot;Legal Notices&amp;quot; (not to be confused with the aforementioned &amp;quot;Legal Information&amp;quot; page) link, through which users can locate the Terms of service and the Privacy policy.&amp;lt;ref name=&amp;quot;altsite&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;conformance&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader Conformance Reports |url=https://conformance.thoriumreader.com/ |url-status=live |website=conformance.thoriumreader.com |archive-url=https://ghostarchive.org/archive/Y4JlV |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=====Steps 2 &amp;amp; 3=====&lt;br /&gt;
The installer does not have a link to the Privacy policy or the Terms of service, but after installation (after getting past the welcome screen in image 3), one can use the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; link to go to the app&#039;s website and locate the documents (see [[EDRLab#Step 0|Step 0]]).&amp;lt;ref name=&amp;quot;thorium-home /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====Post-installation====&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:S1.webp|alt=(Ⅰ) Welcome dialog post installation|right|(Ⅰ) Welcome dialog post installation&lt;br /&gt;
File:S2.webp|alt=(Ⅱ) &amp;quot;Resources &amp;amp; Community&amp;quot; section of the dialog |right|(Ⅱ) &amp;quot;Resources &amp;amp; Community&amp;quot; section of the dialog&lt;br /&gt;
File:S0.webp|alt=(Ⅲ)&amp;quot;Home&amp;quot; tab|right|(Ⅲ) &amp;quot;Home&amp;quot; tab&lt;br /&gt;
File:S3.webp|alt=(Ⅳ) Settings -- general -- part 1|right|(Ⅳ) Settings -- general (part 1)&lt;br /&gt;
File:S4.webp|alt=(V) Settings -- general -- part 2|right|(V) Settings -- general (part 2)&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
No direct presentation of the Terms of use or the Privacy policy. The dialog in images (Ⅰ) and (Ⅱ) only contains information about the app&#039;s version and links, one of which is the website.&amp;lt;ref name=&amp;quot;altsite&amp;quot; /&amp;gt; This webpage includes a &amp;quot;Legal Notices&amp;quot; link, through which users can find the relevant documentation. &lt;br /&gt;
&lt;br /&gt;
Image (Ⅲ) contains depicts the app&#039;s &amp;quot;Home&amp;quot; tab. The user would have to click the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; link (visible on the bottom right of the images), which would open the app&#039;s website in the browser. This, however, is not the same website as the one that the link from image (Ⅱ) leads to.&amp;lt;ref name=&amp;quot;homepage&amp;quot; /&amp;gt; In fact, via the former (through &amp;quot;Legal Notices&amp;quot;),&amp;lt;ref name=&amp;quot;conformance&amp;quot; /&amp;gt; users can access a more recent version of the Terms of use (the version from 2026-04-08 as of 2026-06-27);&amp;lt;ref name=&amp;quot;tos2&amp;quot;&amp;gt;{{Cite web |title=Conformance Reports - Terms of use |date=2022-04-08 |url=https://conformance.thoriumreader.com/documents/desktop3/terms-of-use/ |url-status=live |website=conformance.thoriumreader.com |archive-url=https://ghostarchive.org/archive/bRGDV |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; whereas via the latter, users can access (by scrolling down to the &amp;quot;Terms of Use, Privacy Policy&amp;quot; section, where they&#039;d find the link) Terms of service (as of 2026-06-27) from 2022-11-22.&amp;lt;ref name=&amp;quot;tos&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Image (Ⅳ) and (Ⅴ) depict the settings tab, where any links can&#039;t be found either. This is also seen in the installation videos in [[EDRLab#External links|External links]].&amp;lt;ref name=&amp;quot;install-thorium-win&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;install-thorium-mac&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Products==&lt;br /&gt;
*Thorium Reader&lt;br /&gt;
*Readium LCP (main contributor)&lt;br /&gt;
*Lis mon Livre&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[[Digital rights management]]&lt;br /&gt;
*[[Forced arbitration]]&lt;br /&gt;
*[[Readium]]&lt;br /&gt;
*[[Adobe Digital Editions&#039; ebook DRM]]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
&lt;br /&gt;
==External links==&lt;br /&gt;
===Installation videos===&lt;br /&gt;
*[https://edumedia.dk/media/t/0_dadiw6fi/480184 Thorium PC installation video]&lt;br /&gt;
*[https://edumedia.dk/media/t/0_1j7nppt4 Thorium Mac installation video]&lt;br /&gt;
===ToS===&lt;br /&gt;
*[https://conformance.thoriumreader.com/documents/desktop3/terms-of-use/ 2026 ToS] ([https://ghostarchive.org/archive/bRGDV archived])&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/terms-of-use/ 2022 ToS] ([https://ghostarchive.org/archive/O61SS archived])&lt;br /&gt;
===Privacy Policy===&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/privacy-policy/ Privacy policy] ([https://ghostarchive.org/archive/cemKI archived]); [https://conformance.thoriumreader.com/documents/desktop3/privacy-policy/ Same policy but on &amp;quot;conformance.thoriumreader.com&amp;quot;] ([https://ghostarchive.org/archive/ye7GZ archived])&lt;br /&gt;
===Websites===&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/ edrlab.org/software/thorium-reader/] ([https://ghostarchive.org/archive/mqQkB archived])&lt;br /&gt;
*[https://www.thoriumreader.com/en/ thoriumreader.com] ([https://ghostarchive.org/archive/ZjTqS archived])&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59228</id>
		<title>Bitwarden</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59228"/>
		<updated>2026-06-28T08:19:50Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: /* Quiet changes (2026) */ replaced with actual roman numerals&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{CompanyCargo&lt;br /&gt;
|Founded=2019-10-28&lt;br /&gt;
|Industry=Software&lt;br /&gt;
|Type=Private&lt;br /&gt;
|Logo=Bitwarden logo.webp&lt;br /&gt;
|CompanyAlias=Bitwarden, Inc.&lt;br /&gt;
|Website=https://bitwarden.com, https://bitwarden.eu, https://passwordless.dev&lt;br /&gt;
}}&lt;br /&gt;
[[wikipedia:Bitwarden|Bitwarden]] is an American software company, incorporated in Delaware and with headquarters in Santa Barbara, California.&amp;lt;ref&amp;gt;{{Cite web |title=Division of Corporations |url=https://icis.corp.delaware.gov/ecorp/entitysearch/NameSearch.aspx |url-status=live |website=icis.corp.delaware.gov |quote=File Number: 7654941}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Business Search |url=https://bizfileonline.sos.ca.gov/search/business |url-status=live |website=bizfileonline.sos.ca.gov |quote=BITWARDEN INC. (4612828)}}&amp;lt;/ref&amp;gt; Its main product is the eponymous password manager.&lt;br /&gt;
&lt;br /&gt;
==Consumer-impact summary==&lt;br /&gt;
In 2026, Bitwarden&#039;s long time CEO, as well as the CFO were replaced. No official announcements of this were made by the company. Shortly after, the phrase &amp;quot;Always free&amp;quot;, which had been on the company&#039;s products site for years, disappeared, sparking concern among some users. A [[Reddit]] user, reported to be a Bitwarden employee, stated, in a comment that this had been a simple oversight. This comment was not well received among other users, many of whom expressed disbelief and distrust. Some of them also stated that they&#039;d start looking for alternative password managers. In addition, the company&#039;s acronym, GRIT, which had been used to describe &amp;quot;company culture for years&amp;quot; had been quietly changed. (See: [[Bitwarden#Quiet changes (2026)|Quiet changes (2026)]].)&lt;br /&gt;
&lt;br /&gt;
From 2018 to 2023, the company had been aware of a security vulnerability in their autofill feature and had even documented it and assigned it a name, but chose to tolerate it, because they wished to accommodate legitimate sites that used the feature (it was reported that the risk had been &amp;quot;very low&amp;quot;). In 2023, the company resolved the matter. (See: [[Bitwarden#Autofill vulnerability (2018-2023)|Autofill vulnerability (2018-2023)]].)&lt;br /&gt;
&lt;br /&gt;
In April 2026, Bitwarden&#039;s CLI NPM package, was found to have included a &amp;quot;credential-stealing payload.&amp;quot; Users of this CLI package were the only affected users. (See: [[Bitwarden#Malicious @bitwarden/cli (NPM) package (2026)|Malicious @bitwarden/cli (NPM) package (2026)]].)&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
===Autofill vulnerability (2018-2023)===&lt;br /&gt;
The autofill feature in Bitwarden&#039;s browser extension contained &amp;quot;risky-behavior&amp;quot; that could &amp;quot;allow malicious iframes embedded in trusted websites to steal people&#039;s credentials and send them to an attacker.&amp;quot;&amp;lt;ref name=&amp;quot;bc&amp;quot;&amp;gt;{{Cite web |first=Bill |last=Toulas |date=2023-03-08 |title=Bitwarden flaw can let hackers steal passwords using iframes |url=https://www.bleepingcomputer.com/news/security/bitwarden-flaw-can-let-hackers-steal-passwords-using-iframes/ |url-status=live |website=bleepingcomputer.com |archive-url=https://web.archive.org/web/20260515233256/https://www.bleepingcomputer.com/news/security/bitwarden-flaw-can-let-hackers-steal-passwords-using-iframes/ |archive-date=2026-05-15 |access-date=2026-06-28}}&amp;lt;/ref&amp;gt; (&amp;quot;According to the Mozilla HTML documentation the &amp;lt;iframe&amp;gt; HTML element represents a nested browsing context, embedding another HTML page into the current one.&amp;quot;)&amp;lt;ref name=&amp;quot;fp&amp;quot;&amp;gt;{{Cite web |date=2023-03-07 |author=Flashpoint Intel Team |title=Bitwarden: The Curious (Use-)Case of Password Pilfering |url=https://flashpoint.io/blog/bitwarden-password-pilfering/ |url-status=live |website=flashpoint.io |archive-url=https://web.archive.org/web/20260516015310/https://flashpoint.io/blog/bitwarden-password-pilfering/ |archive-date=2026-05-16 |access-date=2026-06-28}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
Reportedly, Bitwarden had been aware of this since 2018 (documented as (BWN-01-001)&amp;lt;ref name=&amp;quot;fp&amp;quot; /&amp;gt;), but tolerated it to &amp;quot;accommodate legitimate sites that use iframes.&amp;quot; It is worth noting that the feature had been disabled by default, there had still been sites on which this could be exploited. With autofill enabled, Bitwarden&#039;s web extension filled in credentials automatically when a page gets loaded, without the user having to intervene in the process.&amp;lt;ref name=&amp;quot;bc&amp;quot; /&amp;gt;&amp;lt;blockquote&amp;gt;&#039;While the embedded iframe does not have access to any content in the parent page, it can wait for input to the login form and forward the entered credentials to a remote server without further user interaction,&#039; explains Flashpoint.&amp;lt;ref name=&amp;quot;bc&amp;quot; /&amp;gt;&amp;lt;/blockquote&amp;gt;Reportedly, the &amp;quot;number of risky cases was very low.&amp;quot; While investigating this, it was also discovered that autofill filled in credentials &amp;quot;on subdomains of the base domain matching a login. This means an attacker hosting a phishing page under a subdomain that matches a stored login for a given base domain will capture the credentials upon the victim visiting the page if autofill is enabled.&amp;quot;&amp;lt;ref name=&amp;quot;bc /&amp;gt; In 2023, it was reported that Bitwarden&amp;lt;blockquote&amp;gt;decided to address user concerns by eliminating the iframe attack vector while keeping the autofill functionality intact.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;bc&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Malicious @bitwarden/cli (NPM) package (2026)===&lt;br /&gt;
In April 2026, it was revealed that Bitwarden&#039;s {{Wplink|Command-line interface|CLI}} package, distributed via {{Wplink|npm}}, included a &amp;quot;credential-stealing payload.&amp;quot; Reportedly, only the only affected users were the CLI package&#039;s users, not all Bitwarden users in general.&amp;lt;ref&amp;gt;{{Cite web |first=Davey |last=Winder |date=2026-04-24 |title=Bitwarden Confirms Compromise—Here Are The Facts |url=https://www.forbes.com/sites/daveywinder/2026/04/24/bitwarden-confirms-compromise-here-are-the-facts-for-10-million-users/ |url-status=live |website=forbes.com |archive-url=https://ghostarchive.org/archive/DTGH8 |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; The package also reportedly contained the string &amp;quot;Shai-Hulud: The Third Coming&amp;quot;, &amp;quot;Shai-Hulud&amp;quot; referring to a {{Wplink|computer worm}}.&amp;lt;ref&amp;gt;{{Cite web |first=Justin |last=Moore |date=2025-11-25 |title=&amp;quot;Shai-Hulud&amp;quot; Worm Compromises npm Ecosystem in Supply Chain Attack |url=https://unit42.paloaltonetworks.com/npm-supply-chain-attack/ |url-status=live |website=unit42.paloaltonetworks.com |archive-url=https://ghostarchive.org/archive/bzU3J |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; It was also reported that: &amp;lt;blockquote&amp;gt;OX Security has observed real user information leaked by the malware. The infection is likely to spread further across NPM and GitHub as more machines are compromised over time.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The malware’s origin is potentially Russian — it does not execute if the Russian language is configured on the host machine.&amp;lt;ref name=&amp;quot;ox&amp;quot;&amp;gt;{{Cite web |title=Shai-Hulud: The Third Coming — Bitwarden CLI Backdoored in Latest Supply Chain Campaign |author=Siman Tov Bustan |author2=Zadok |date=2026-04-23 |url=https://www.ox.security/blog/shai-hulud-bitwarden-cli-supply-chain-attack/ |url-status=live |website=ox.security |archive-url=https://ghostarchive.org/archive/BjGFQ |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Quiet changes (2026)===&lt;br /&gt;
====Always free====&lt;br /&gt;
The longtime CEO, Michael Crandell is in an &amp;quot;advisory role&amp;quot; since February. In addition, Bitwarden&#039;s CFO was replaced in April. There weren&#039;t any official announcements for either of these changes. Bitwarden&#039;s free plan on their product page included the phrases &amp;quot;Free Forever&amp;quot; and &amp;quot;Always free.&amp;quot;&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; These phrases are present even on the Wayback machine&#039;s oldest archive (2022-06-25) of Bitwarden&#039;s product site.&amp;lt;ref&amp;gt;{{Cite web |title=The Bitwarden Password Manager |archive-date=2022-06-25 |url=https://bitwarden.com/products/personal/ |archive-url=https://web.archive.org/web/20220625012714/https://bitwarden.com/products/personal/ |url-status=live |website=bitwarden.com}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:Bitwarden20260414.webp|alt=(Ⅰ) Bitwarden product page Wayback machine on 2026-04-14|right|(Ⅰ) Bitwarden product page Wayback machine on 2026-04-14&lt;br /&gt;
File:Bitwarden20260418.webp|alt=(Ⅱ) Bitwarden product page Wayback machine on 2026-04-18|right|(Ⅱ) Bitwarden product page Wayback machine on 2026-04-18&lt;br /&gt;
File:Bitwarden20260515.webp|alt=(Ⅲ) Bitwarden product page Wayback machine on 2026-05-15|right|(Ⅲ) Bitwarden product page Wayback machine on 2026-05-15&lt;br /&gt;
File:Bitwarden20260519.webp|alt=(Ⅳ) Bitwarden product page Wayback machine on 2026-05-19|right|(Ⅳ) Bitwarden product page Wayback machine on 2026-05-19&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
&amp;quot;Always free&amp;quot; reportedly disappeared from the site in April.&amp;lt;ref name=&amp;quot;souray&amp;quot;&amp;gt;{{Cite web |first=Souray |last=Rudra |date=2026-05-19 |title=Things Are Quietly Changing at Bitwarden, and People Are Worried |url=https://itsfoss.com/news/bitwarden-quiet-changes/ |url-status=live |website=itsfoss.com |archive-url=https://ghostarchive.org/archive/jmqHZ |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; The archives from April, (Ⅰ) and (Ⅱ), reveal that the phrase disappeared sometime between 2026-04-14 (left on image Ⅰ) and 2026-04-18 (bottom on image Ⅱ). The archives from May, (Ⅲ) and (Ⅳ) ,reveal that it came back sometime between 2026-05-15 (bottom left on image Ⅲ) and 2026-05-19 (bottom left on image Ⅳ).&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |archive-date=2026-04-14 |url=https://bitwarden.com/products/personal/ |archive-url=https://web.archive.org/web/20260414143347/https://bitwarden.com/products/personal/ |url-status=live |website=bitwarden.com}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |archive-date=2026-04-18 |url=https://bitwarden.com/products/personal/ |archive-url=https://web.archive.org/web/20260418162818/https://bitwarden.com/products/personal/ |url-status=live |website=bitwarden.com}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |archive-date=2026-05-15 |url=https://bitwarden.com/products/personal/ |archive-url=https://web.archive.org/web/20260515190646/https://bitwarden.com/products/personal/ |url-status=live |website=bitwarden.com}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |archive-date=2026-05-19 |url=https://bitwarden.com/products/personal/ |archive-url=https://web.archive.org/web/20260519164353/https://bitwarden.com/products/personal/ |url-status=live |website=bitwarden.com}}&amp;lt;/ref&amp;gt; A Reddit user by the name of &amp;quot;Ryan_BW&amp;quot;, reportedly a Bitwarden employee,&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; made a post addressing the issue on 2026-05-15, stating that:&amp;lt;blockquote&amp;gt;I would like to share that &amp;quot;always free&amp;quot; has been brought back to the pricing page. There was no specific intention to remove that language from the website while pages were being updated. Simply an oversight on the marketing team (myself included).&amp;lt;/blockquote&amp;gt;The comment was met with several negative replies from other Redditors.&amp;lt;ref&amp;gt;{{Cite web |author=Ryan_BW |date=2026-05-15 |title=Ryan_BW comments on FastCompany: intriguing corporate gossip about Bitwarden |url=https://www.reddit.com/r/Bitwarden/comments/1tdvnh7/comment/olznwcv/ |url-status=live |website=reddit.com |archive-url=https://ghostarchive.org/archive/MPAhX |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====GRIT====&lt;br /&gt;
&amp;lt;blockquote&amp;gt;Bitwarden has used the GRIT acronym to describe its company culture for years, standing for Gratitude, Responsibility, Inclusion, and Transparency.&amp;lt;/blockquote&amp;gt;On the Wayback machine&#039;s archive from 2026-03-14, they were still unchanged on Bitwarden&#039;s blog.&amp;lt;ref&amp;gt;{{Cite web |title=Defining and sustaining value for Bitwarden users |first=Michael |last=Crandell |orig-date=2022-06-08 |archive-date=2026-03-14 |url=https://bitwarden.com/blog/defining-and-sustaining-value-for-bitwarden-users/ |archive-url=https://web.archive.org/web/20260314030243/https://bitwarden.com/blog/defining-and-sustaining-value-for-bitwarden-users/ |url-status=live |website=bitwarden.com}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;blockquote&amp;gt;At some point after that, they were quietly changed. GRIT now stands for Gratitude, Responsibility, Innovation, and Trust.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; The original blog post was also updated, so that it now includes the new version of the acronym.&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |date=2022-06-08 |first=Michael |last=Crandell |title=Defining and sustaining value for Bitwarden users |url=https://bitwarden.com/blog/defining-and-sustaining-value-for-bitwarden-users/#bitwarden-operates-with-grit |url-status=live |website=bitwarden.com |archive-url=https://ghostarchive.org/archive/Iek3a |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Products==&lt;br /&gt;
*Bitwarden password manager&lt;br /&gt;
*Passwordless.dev&lt;br /&gt;
*Bitwarden Secrets Manager&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[[LastPass]]&lt;br /&gt;
*[[1Password]]&lt;br /&gt;
*[[Google password manager overrides third-party autofill]]&lt;br /&gt;
*[[NordVPN]]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59227</id>
		<title>Bitwarden</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59227"/>
		<updated>2026-06-28T08:11:08Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: added a wikipedia link&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{CompanyCargo&lt;br /&gt;
|Founded=2019-10-28&lt;br /&gt;
|Industry=Software&lt;br /&gt;
|Type=Private&lt;br /&gt;
|Logo=Bitwarden logo.webp&lt;br /&gt;
|CompanyAlias=Bitwarden, Inc.&lt;br /&gt;
|Website=https://bitwarden.com, https://bitwarden.eu, https://passwordless.dev&lt;br /&gt;
}}&lt;br /&gt;
[[wikipedia:Bitwarden|Bitwarden]] is an American software company, incorporated in Delaware and with headquarters in Santa Barbara, California.&amp;lt;ref&amp;gt;{{Cite web |title=Division of Corporations |url=https://icis.corp.delaware.gov/ecorp/entitysearch/NameSearch.aspx |url-status=live |website=icis.corp.delaware.gov |quote=File Number: 7654941}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Business Search |url=https://bizfileonline.sos.ca.gov/search/business |url-status=live |website=bizfileonline.sos.ca.gov |quote=BITWARDEN INC. (4612828)}}&amp;lt;/ref&amp;gt; Its main product is the eponymous password manager.&lt;br /&gt;
&lt;br /&gt;
==Consumer-impact summary==&lt;br /&gt;
In 2026, Bitwarden&#039;s long time CEO, as well as the CFO were replaced. No official announcements of this were made by the company. Shortly after, the phrase &amp;quot;Always free&amp;quot;, which had been on the company&#039;s products site for years, disappeared, sparking concern among some users. A [[Reddit]] user, reported to be a Bitwarden employee, stated, in a comment that this had been a simple oversight. This comment was not well received among other users, many of whom expressed disbelief and distrust. Some of them also stated that they&#039;d start looking for alternative password managers. In addition, the company&#039;s acronym, GRIT, which had been used to describe &amp;quot;company culture for years&amp;quot; had been quietly changed. (See: [[Bitwarden#Quiet changes (2026)|Quiet changes (2026)]].)&lt;br /&gt;
&lt;br /&gt;
From 2018 to 2023, the company had been aware of a security vulnerability in their autofill feature and had even documented it and assigned it a name, but chose to tolerate it, because they wished to accommodate legitimate sites that used the feature (it was reported that the risk had been &amp;quot;very low&amp;quot;). In 2023, the company resolved the matter. (See: [[Bitwarden#Autofill vulnerability (2018-2023)|Autofill vulnerability (2018-2023)]].)&lt;br /&gt;
&lt;br /&gt;
In April 2026, Bitwarden&#039;s CLI NPM package, was found to have included a &amp;quot;credential-stealing payload.&amp;quot; Users of this CLI package were the only affected users. (See: [[Bitwarden#Malicious @bitwarden/cli (NPM) package (2026)|Malicious @bitwarden/cli (NPM) package (2026)]].)&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
===Autofill vulnerability (2018-2023)===&lt;br /&gt;
The autofill feature in Bitwarden&#039;s browser extension contained &amp;quot;risky-behavior&amp;quot; that could &amp;quot;allow malicious iframes embedded in trusted websites to steal people&#039;s credentials and send them to an attacker.&amp;quot;&amp;lt;ref name=&amp;quot;bc&amp;quot;&amp;gt;{{Cite web |first=Bill |last=Toulas |date=2023-03-08 |title=Bitwarden flaw can let hackers steal passwords using iframes |url=https://www.bleepingcomputer.com/news/security/bitwarden-flaw-can-let-hackers-steal-passwords-using-iframes/ |url-status=live |website=bleepingcomputer.com |archive-url=https://web.archive.org/web/20260515233256/https://www.bleepingcomputer.com/news/security/bitwarden-flaw-can-let-hackers-steal-passwords-using-iframes/ |archive-date=2026-05-15 |access-date=2026-06-28}}&amp;lt;/ref&amp;gt; (&amp;quot;According to the Mozilla HTML documentation the &amp;lt;iframe&amp;gt; HTML element represents a nested browsing context, embedding another HTML page into the current one.&amp;quot;)&amp;lt;ref name=&amp;quot;fp&amp;quot;&amp;gt;{{Cite web |date=2023-03-07 |author=Flashpoint Intel Team |title=Bitwarden: The Curious (Use-)Case of Password Pilfering |url=https://flashpoint.io/blog/bitwarden-password-pilfering/ |url-status=live |website=flashpoint.io |archive-url=https://web.archive.org/web/20260516015310/https://flashpoint.io/blog/bitwarden-password-pilfering/ |archive-date=2026-05-16 |access-date=2026-06-28}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
Reportedly, Bitwarden had been aware of this since 2018 (documented as (BWN-01-001)&amp;lt;ref name=&amp;quot;fp&amp;quot; /&amp;gt;), but tolerated it to &amp;quot;accommodate legitimate sites that use iframes.&amp;quot; It is worth noting that the feature had been disabled by default, there had still been sites on which this could be exploited. With autofill enabled, Bitwarden&#039;s web extension filled in credentials automatically when a page gets loaded, without the user having to intervene in the process.&amp;lt;ref name=&amp;quot;bc&amp;quot; /&amp;gt;&amp;lt;blockquote&amp;gt;&#039;While the embedded iframe does not have access to any content in the parent page, it can wait for input to the login form and forward the entered credentials to a remote server without further user interaction,&#039; explains Flashpoint.&amp;lt;ref name=&amp;quot;bc&amp;quot; /&amp;gt;&amp;lt;/blockquote&amp;gt;Reportedly, the &amp;quot;number of risky cases was very low.&amp;quot; While investigating this, it was also discovered that autofill filled in credentials &amp;quot;on subdomains of the base domain matching a login. This means an attacker hosting a phishing page under a subdomain that matches a stored login for a given base domain will capture the credentials upon the victim visiting the page if autofill is enabled.&amp;quot;&amp;lt;ref name=&amp;quot;bc /&amp;gt; In 2023, it was reported that Bitwarden&amp;lt;blockquote&amp;gt;decided to address user concerns by eliminating the iframe attack vector while keeping the autofill functionality intact.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;bc&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Malicious @bitwarden/cli (NPM) package (2026)===&lt;br /&gt;
In April 2026, it was revealed that Bitwarden&#039;s {{Wplink|Command-line interface|CLI}} package, distributed via {{Wplink|npm}}, included a &amp;quot;credential-stealing payload.&amp;quot; Reportedly, only the only affected users were the CLI package&#039;s users, not all Bitwarden users in general.&amp;lt;ref&amp;gt;{{Cite web |first=Davey |last=Winder |date=2026-04-24 |title=Bitwarden Confirms Compromise—Here Are The Facts |url=https://www.forbes.com/sites/daveywinder/2026/04/24/bitwarden-confirms-compromise-here-are-the-facts-for-10-million-users/ |url-status=live |website=forbes.com |archive-url=https://ghostarchive.org/archive/DTGH8 |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; The package also reportedly contained the string &amp;quot;Shai-Hulud: The Third Coming&amp;quot;, &amp;quot;Shai-Hulud&amp;quot; referring to a {{Wplink|computer worm}}.&amp;lt;ref&amp;gt;{{Cite web |first=Justin |last=Moore |date=2025-11-25 |title=&amp;quot;Shai-Hulud&amp;quot; Worm Compromises npm Ecosystem in Supply Chain Attack |url=https://unit42.paloaltonetworks.com/npm-supply-chain-attack/ |url-status=live |website=unit42.paloaltonetworks.com |archive-url=https://ghostarchive.org/archive/bzU3J |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; It was also reported that: &amp;lt;blockquote&amp;gt;OX Security has observed real user information leaked by the malware. The infection is likely to spread further across NPM and GitHub as more machines are compromised over time.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The malware’s origin is potentially Russian — it does not execute if the Russian language is configured on the host machine.&amp;lt;ref name=&amp;quot;ox&amp;quot;&amp;gt;{{Cite web |title=Shai-Hulud: The Third Coming — Bitwarden CLI Backdoored in Latest Supply Chain Campaign |author=Siman Tov Bustan |author2=Zadok |date=2026-04-23 |url=https://www.ox.security/blog/shai-hulud-bitwarden-cli-supply-chain-attack/ |url-status=live |website=ox.security |archive-url=https://ghostarchive.org/archive/BjGFQ |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Quiet changes (2026)===&lt;br /&gt;
====Always free====&lt;br /&gt;
The longtime CEO, Michael Crandell is in an &amp;quot;advisory role&amp;quot; since February. In addition, Bitwarden&#039;s CFO was replaced in April. There weren&#039;t any official announcements for either of these changes. Bitwarden&#039;s free plan on their product page included the phrases &amp;quot;Free Forever&amp;quot; and &amp;quot;Always free.&amp;quot;&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; These phrases are present even on the Wayback machine&#039;s oldest archive (2022-06-25) of Bitwarden&#039;s product site.&amp;lt;ref&amp;gt;{{Cite web |title=The Bitwarden Password Manager |archive-date=2022-06-25 |url=https://bitwarden.com/products/personal/ |archive-url=https://web.archive.org/web/20220625012714/https://bitwarden.com/products/personal/ |url-status=live |website=bitwarden.com}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:Bitwarden20260414.webp|alt=(I) Bitwarden product page Wayback machine on 2026-04-14|right|(I) Bitwarden product page Wayback machine on 2026-04-14&lt;br /&gt;
File:Bitwarden20260418.webp|alt=(II) Bitwarden product page Wayback machine on 2026-04-18|right|(II) Bitwarden product page Wayback machine on 2026-04-18&lt;br /&gt;
File:Bitwarden20260515.webp|alt=(III) Bitwarden product page Wayback machine on 2026-05-15|right|(III) Bitwarden product page Wayback machine on 2026-05-15&lt;br /&gt;
File:Bitwarden20260519.webp|alt=(IV) Bitwarden product page Wayback machine on 2026-05-19|right|(IV) Bitwarden product page Wayback machine on 2026-05-19&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
&amp;quot;Always free&amp;quot; reportedly disappeared from the site in April.&amp;lt;ref name=&amp;quot;souray&amp;quot;&amp;gt;{{Cite web |first=Souray |last=Rudra |date=2026-05-19 |title=Things Are Quietly Changing at Bitwarden, and People Are Worried |url=https://itsfoss.com/news/bitwarden-quiet-changes/ |url-status=live |website=itsfoss.com |archive-url=https://ghostarchive.org/archive/jmqHZ |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; The archives from April, (I) and (II), reveal that the phrase disappeared sometime between 2026-04-14 (left on image I) and 2026-04-18 (bottom on image II). The archives from May, (III) and (IV) ,reveal that it came back sometime between 2026-05-15 (bottom left on image III) and 2026-05-19 (bottom left on image IV).&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |archive-date=2026-04-14 |url=https://bitwarden.com/products/personal/ |archive-url=https://web.archive.org/web/20260414143347/https://bitwarden.com/products/personal/ |url-status=live |website=bitwarden.com}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |archive-date=2026-04-18 |url=https://bitwarden.com/products/personal/ |archive-url=https://web.archive.org/web/20260418162818/https://bitwarden.com/products/personal/ |url-status=live |website=bitwarden.com}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |archive-date=2026-05-15 |url=https://bitwarden.com/products/personal/ |archive-url=https://web.archive.org/web/20260515190646/https://bitwarden.com/products/personal/ |url-status=live |website=bitwarden.com}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |archive-date=2026-05-19 |url=https://bitwarden.com/products/personal/ |archive-url=https://web.archive.org/web/20260519164353/https://bitwarden.com/products/personal/ |url-status=live |website=bitwarden.com}}&amp;lt;/ref&amp;gt; A Reddit user by the name of &amp;quot;Ryan_BW&amp;quot;, reportedly a Bitwarden employee,&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; made a post addressing the issue on 2026-05-15, stating that:&amp;lt;blockquote&amp;gt;I would like to share that &amp;quot;always free&amp;quot; has been brought back to the pricing page. There was no specific intention to remove that language from the website while pages were being updated. Simply an oversight on the marketing team (myself included).&amp;lt;/blockquote&amp;gt;The comment was met with several negative replies from other Redditors.&amp;lt;ref&amp;gt;{{Cite web |author=Ryan_BW |date=2026-05-15 |title=Ryan_BW comments on FastCompany: intriguing corporate gossip about Bitwarden |url=https://www.reddit.com/r/Bitwarden/comments/1tdvnh7/comment/olznwcv/ |url-status=live |website=reddit.com |archive-url=https://ghostarchive.org/archive/MPAhX |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====GRIT====&lt;br /&gt;
&amp;lt;blockquote&amp;gt;Bitwarden has used the GRIT acronym to describe its company culture for years, standing for Gratitude, Responsibility, Inclusion, and Transparency.&amp;lt;/blockquote&amp;gt;On the Wayback machine&#039;s archive from 2026-03-14, they were still unchanged on Bitwarden&#039;s blog.&amp;lt;ref&amp;gt;{{Cite web |title=Defining and sustaining value for Bitwarden users |first=Michael |last=Crandell |orig-date=2022-06-08 |archive-date=2026-03-14 |url=https://bitwarden.com/blog/defining-and-sustaining-value-for-bitwarden-users/ |archive-url=https://web.archive.org/web/20260314030243/https://bitwarden.com/blog/defining-and-sustaining-value-for-bitwarden-users/ |url-status=live |website=bitwarden.com}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;blockquote&amp;gt;At some point after that, they were quietly changed. GRIT now stands for Gratitude, Responsibility, Innovation, and Trust.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; The original blog post was also updated, so that it now includes the new version of the acronym.&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |date=2022-06-08 |first=Michael |last=Crandell |title=Defining and sustaining value for Bitwarden users |url=https://bitwarden.com/blog/defining-and-sustaining-value-for-bitwarden-users/#bitwarden-operates-with-grit |url-status=live |website=bitwarden.com |archive-url=https://ghostarchive.org/archive/Iek3a |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Products==&lt;br /&gt;
*Bitwarden password manager&lt;br /&gt;
*Passwordless.dev&lt;br /&gt;
*Bitwarden Secrets Manager&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[[LastPass]]&lt;br /&gt;
*[[1Password]]&lt;br /&gt;
*[[Google password manager overrides third-party autofill]]&lt;br /&gt;
*[[NordVPN]]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59226</id>
		<title>Bitwarden</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59226"/>
		<updated>2026-06-28T08:09:17Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: added &amp;quot;|url-status=live&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{CompanyCargo&lt;br /&gt;
|Founded=2019-10-28&lt;br /&gt;
|Industry=Software&lt;br /&gt;
|Type=Private&lt;br /&gt;
|Logo=Bitwarden logo.webp&lt;br /&gt;
|CompanyAlias=Bitwarden, Inc.&lt;br /&gt;
|Website=https://bitwarden.com, https://bitwarden.eu, https://passwordless.dev&lt;br /&gt;
}}&lt;br /&gt;
Bitwarden is an American software company, incorporated in Delaware and with headquarters in Santa Barbara, California.&amp;lt;ref&amp;gt;{{Cite web |title=Division of Corporations |url=https://icis.corp.delaware.gov/ecorp/entitysearch/NameSearch.aspx |url-status=live |website=icis.corp.delaware.gov |quote=File Number: 7654941}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Business Search |url=https://bizfileonline.sos.ca.gov/search/business |url-status=live |website=bizfileonline.sos.ca.gov |quote=BITWARDEN INC. (4612828)}}&amp;lt;/ref&amp;gt; Its main product is the eponymous password manager.&lt;br /&gt;
&lt;br /&gt;
==Consumer-impact summary==&lt;br /&gt;
In 2026, Bitwarden&#039;s long time CEO, as well as the CFO were replaced. No official announcements of this were made by the company. Shortly after, the phrase &amp;quot;Always free&amp;quot;, which had been on the company&#039;s products site for years, disappeared, sparking concern among some users. A [[Reddit]] user, reported to be a Bitwarden employee, stated, in a comment that this had been a simple oversight. This comment was not well received among other users, many of whom expressed disbelief and distrust. Some of them also stated that they&#039;d start looking for alternative password managers. In addition, the company&#039;s acronym, GRIT, which had been used to describe &amp;quot;company culture for years&amp;quot; had been quietly changed. (See: [[Bitwarden#Quiet changes (2026)|Quiet changes (2026)]].)&lt;br /&gt;
&lt;br /&gt;
From 2018 to 2023, the company had been aware of a security vulnerability in their autofill feature and had even documented it and assigned it a name, but chose to tolerate it, because they wished to accommodate legitimate sites that used the feature (it was reported that the risk had been &amp;quot;very low&amp;quot;). In 2023, the company resolved the matter. (See: [[Bitwarden#Autofill vulnerability (2018-2023)|Autofill vulnerability (2018-2023)]].)&lt;br /&gt;
&lt;br /&gt;
In April 2026, Bitwarden&#039;s CLI NPM package, was found to have included a &amp;quot;credential-stealing payload.&amp;quot; Users of this CLI package were the only affected users. (See: [[Bitwarden#Malicious @bitwarden/cli (NPM) package (2026)|Malicious @bitwarden/cli (NPM) package (2026)]].)&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
===Autofill vulnerability (2018-2023)===&lt;br /&gt;
The autofill feature in Bitwarden&#039;s browser extension contained &amp;quot;risky-behavior&amp;quot; that could &amp;quot;allow malicious iframes embedded in trusted websites to steal people&#039;s credentials and send them to an attacker.&amp;quot;&amp;lt;ref name=&amp;quot;bc&amp;quot;&amp;gt;{{Cite web |first=Bill |last=Toulas |date=2023-03-08 |title=Bitwarden flaw can let hackers steal passwords using iframes |url=https://www.bleepingcomputer.com/news/security/bitwarden-flaw-can-let-hackers-steal-passwords-using-iframes/ |url-status=live |website=bleepingcomputer.com |archive-url=https://web.archive.org/web/20260515233256/https://www.bleepingcomputer.com/news/security/bitwarden-flaw-can-let-hackers-steal-passwords-using-iframes/ |archive-date=2026-05-15 |access-date=2026-06-28}}&amp;lt;/ref&amp;gt; (&amp;quot;According to the Mozilla HTML documentation the &amp;lt;iframe&amp;gt; HTML element represents a nested browsing context, embedding another HTML page into the current one.&amp;quot;)&amp;lt;ref name=&amp;quot;fp&amp;quot;&amp;gt;{{Cite web |date=2023-03-07 |author=Flashpoint Intel Team |title=Bitwarden: The Curious (Use-)Case of Password Pilfering |url=https://flashpoint.io/blog/bitwarden-password-pilfering/ |url-status=live |website=flashpoint.io |archive-url=https://web.archive.org/web/20260516015310/https://flashpoint.io/blog/bitwarden-password-pilfering/ |archive-date=2026-05-16 |access-date=2026-06-28}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
Reportedly, Bitwarden had been aware of this since 2018 (documented as (BWN-01-001)&amp;lt;ref name=&amp;quot;fp&amp;quot; /&amp;gt;), but tolerated it to &amp;quot;accommodate legitimate sites that use iframes.&amp;quot; It is worth noting that the feature had been disabled by default, there had still been sites on which this could be exploited. With autofill enabled, Bitwarden&#039;s web extension filled in credentials automatically when a page gets loaded, without the user having to intervene in the process.&amp;lt;ref name=&amp;quot;bc&amp;quot; /&amp;gt;&amp;lt;blockquote&amp;gt;&#039;While the embedded iframe does not have access to any content in the parent page, it can wait for input to the login form and forward the entered credentials to a remote server without further user interaction,&#039; explains Flashpoint.&amp;lt;ref name=&amp;quot;bc&amp;quot; /&amp;gt;&amp;lt;/blockquote&amp;gt;Reportedly, the &amp;quot;number of risky cases was very low.&amp;quot; While investigating this, it was also discovered that autofill filled in credentials &amp;quot;on subdomains of the base domain matching a login. This means an attacker hosting a phishing page under a subdomain that matches a stored login for a given base domain will capture the credentials upon the victim visiting the page if autofill is enabled.&amp;quot;&amp;lt;ref name=&amp;quot;bc /&amp;gt; In 2023, it was reported that Bitwarden&amp;lt;blockquote&amp;gt;decided to address user concerns by eliminating the iframe attack vector while keeping the autofill functionality intact.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;bc&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Malicious @bitwarden/cli (NPM) package (2026)===&lt;br /&gt;
In April 2026, it was revealed that Bitwarden&#039;s {{Wplink|Command-line interface|CLI}} package, distributed via {{Wplink|npm}}, included a &amp;quot;credential-stealing payload.&amp;quot; Reportedly, only the only affected users were the CLI package&#039;s users, not all Bitwarden users in general.&amp;lt;ref&amp;gt;{{Cite web |first=Davey |last=Winder |date=2026-04-24 |title=Bitwarden Confirms Compromise—Here Are The Facts |url=https://www.forbes.com/sites/daveywinder/2026/04/24/bitwarden-confirms-compromise-here-are-the-facts-for-10-million-users/ |url-status=live |website=forbes.com |archive-url=https://ghostarchive.org/archive/DTGH8 |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; The package also reportedly contained the string &amp;quot;Shai-Hulud: The Third Coming&amp;quot;, &amp;quot;Shai-Hulud&amp;quot; referring to a {{Wplink|computer worm}}.&amp;lt;ref&amp;gt;{{Cite web |first=Justin |last=Moore |date=2025-11-25 |title=&amp;quot;Shai-Hulud&amp;quot; Worm Compromises npm Ecosystem in Supply Chain Attack |url=https://unit42.paloaltonetworks.com/npm-supply-chain-attack/ |url-status=live |website=unit42.paloaltonetworks.com |archive-url=https://ghostarchive.org/archive/bzU3J |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; It was also reported that: &amp;lt;blockquote&amp;gt;OX Security has observed real user information leaked by the malware. The infection is likely to spread further across NPM and GitHub as more machines are compromised over time.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The malware’s origin is potentially Russian — it does not execute if the Russian language is configured on the host machine.&amp;lt;ref name=&amp;quot;ox&amp;quot;&amp;gt;{{Cite web |title=Shai-Hulud: The Third Coming — Bitwarden CLI Backdoored in Latest Supply Chain Campaign |author=Siman Tov Bustan |author2=Zadok |date=2026-04-23 |url=https://www.ox.security/blog/shai-hulud-bitwarden-cli-supply-chain-attack/ |url-status=live |website=ox.security |archive-url=https://ghostarchive.org/archive/BjGFQ |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Quiet changes (2026)===&lt;br /&gt;
====Always free====&lt;br /&gt;
The longtime CEO, Michael Crandell is in an &amp;quot;advisory role&amp;quot; since February. In addition, Bitwarden&#039;s CFO was replaced in April. There weren&#039;t any official announcements for either of these changes. Bitwarden&#039;s free plan on their product page included the phrases &amp;quot;Free Forever&amp;quot; and &amp;quot;Always free.&amp;quot;&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; These phrases are present even on the Wayback machine&#039;s oldest archive (2022-06-25) of Bitwarden&#039;s product site.&amp;lt;ref&amp;gt;{{Cite web |title=The Bitwarden Password Manager |archive-date=2022-06-25 |url=https://bitwarden.com/products/personal/ |archive-url=https://web.archive.org/web/20220625012714/https://bitwarden.com/products/personal/ |url-status=live |website=bitwarden.com}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:Bitwarden20260414.webp|alt=(I) Bitwarden product page Wayback machine on 2026-04-14|right|(I) Bitwarden product page Wayback machine on 2026-04-14&lt;br /&gt;
File:Bitwarden20260418.webp|alt=(II) Bitwarden product page Wayback machine on 2026-04-18|right|(II) Bitwarden product page Wayback machine on 2026-04-18&lt;br /&gt;
File:Bitwarden20260515.webp|alt=(III) Bitwarden product page Wayback machine on 2026-05-15|right|(III) Bitwarden product page Wayback machine on 2026-05-15&lt;br /&gt;
File:Bitwarden20260519.webp|alt=(IV) Bitwarden product page Wayback machine on 2026-05-19|right|(IV) Bitwarden product page Wayback machine on 2026-05-19&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
&amp;quot;Always free&amp;quot; reportedly disappeared from the site in April.&amp;lt;ref name=&amp;quot;souray&amp;quot;&amp;gt;{{Cite web |first=Souray |last=Rudra |date=2026-05-19 |title=Things Are Quietly Changing at Bitwarden, and People Are Worried |url=https://itsfoss.com/news/bitwarden-quiet-changes/ |url-status=live |website=itsfoss.com |archive-url=https://ghostarchive.org/archive/jmqHZ |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; The archives from April, (I) and (II), reveal that the phrase disappeared sometime between 2026-04-14 (left on image I) and 2026-04-18 (bottom on image II). The archives from May, (III) and (IV) ,reveal that it came back sometime between 2026-05-15 (bottom left on image III) and 2026-05-19 (bottom left on image IV).&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |archive-date=2026-04-14 |url=https://bitwarden.com/products/personal/ |archive-url=https://web.archive.org/web/20260414143347/https://bitwarden.com/products/personal/ |url-status=live |website=bitwarden.com}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |archive-date=2026-04-18 |url=https://bitwarden.com/products/personal/ |archive-url=https://web.archive.org/web/20260418162818/https://bitwarden.com/products/personal/ |url-status=live |website=bitwarden.com}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |archive-date=2026-05-15 |url=https://bitwarden.com/products/personal/ |archive-url=https://web.archive.org/web/20260515190646/https://bitwarden.com/products/personal/ |url-status=live |website=bitwarden.com}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |archive-date=2026-05-19 |url=https://bitwarden.com/products/personal/ |archive-url=https://web.archive.org/web/20260519164353/https://bitwarden.com/products/personal/ |url-status=live |website=bitwarden.com}}&amp;lt;/ref&amp;gt; A Reddit user by the name of &amp;quot;Ryan_BW&amp;quot;, reportedly a Bitwarden employee,&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; made a post addressing the issue on 2026-05-15, stating that:&amp;lt;blockquote&amp;gt;I would like to share that &amp;quot;always free&amp;quot; has been brought back to the pricing page. There was no specific intention to remove that language from the website while pages were being updated. Simply an oversight on the marketing team (myself included).&amp;lt;/blockquote&amp;gt;The comment was met with several negative replies from other Redditors.&amp;lt;ref&amp;gt;{{Cite web |author=Ryan_BW |date=2026-05-15 |title=Ryan_BW comments on FastCompany: intriguing corporate gossip about Bitwarden |url=https://www.reddit.com/r/Bitwarden/comments/1tdvnh7/comment/olznwcv/ |url-status=live |website=reddit.com |archive-url=https://ghostarchive.org/archive/MPAhX |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====GRIT====&lt;br /&gt;
&amp;lt;blockquote&amp;gt;Bitwarden has used the GRIT acronym to describe its company culture for years, standing for Gratitude, Responsibility, Inclusion, and Transparency.&amp;lt;/blockquote&amp;gt;On the Wayback machine&#039;s archive from 2026-03-14, they were still unchanged on Bitwarden&#039;s blog.&amp;lt;ref&amp;gt;{{Cite web |title=Defining and sustaining value for Bitwarden users |first=Michael |last=Crandell |orig-date=2022-06-08 |archive-date=2026-03-14 |url=https://bitwarden.com/blog/defining-and-sustaining-value-for-bitwarden-users/ |archive-url=https://web.archive.org/web/20260314030243/https://bitwarden.com/blog/defining-and-sustaining-value-for-bitwarden-users/ |url-status=live |website=bitwarden.com}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;blockquote&amp;gt;At some point after that, they were quietly changed. GRIT now stands for Gratitude, Responsibility, Innovation, and Trust.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; The original blog post was also updated, so that it now includes the new version of the acronym.&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |date=2022-06-08 |first=Michael |last=Crandell |title=Defining and sustaining value for Bitwarden users |url=https://bitwarden.com/blog/defining-and-sustaining-value-for-bitwarden-users/#bitwarden-operates-with-grit |url-status=live |website=bitwarden.com |archive-url=https://ghostarchive.org/archive/Iek3a |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Products==&lt;br /&gt;
*Bitwarden password manager&lt;br /&gt;
*Passwordless.dev&lt;br /&gt;
*Bitwarden Secrets Manager&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[[LastPass]]&lt;br /&gt;
*[[1Password]]&lt;br /&gt;
*[[Google password manager overrides third-party autofill]]&lt;br /&gt;
*[[NordVPN]]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59225</id>
		<title>Bitwarden</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59225"/>
		<updated>2026-06-28T08:05:39Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: /* Quiet changes (2026) */ fixed archive.org sources&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{CompanyCargo&lt;br /&gt;
|Founded=2019-10-28&lt;br /&gt;
|Industry=Software&lt;br /&gt;
|Type=Private&lt;br /&gt;
|Logo=Bitwarden logo.webp&lt;br /&gt;
|CompanyAlias=Bitwarden, Inc.&lt;br /&gt;
|Website=https://bitwarden.com, https://bitwarden.eu, https://passwordless.dev&lt;br /&gt;
}}&lt;br /&gt;
Bitwarden is an American software company, incorporated in Delaware and with headquarters in Santa Barbara, California.&amp;lt;ref&amp;gt;{{Cite web |title=Division of Corporations |url=https://icis.corp.delaware.gov/ecorp/entitysearch/NameSearch.aspx |url-status=live |website=icis.corp.delaware.gov |quote=File Number: 7654941}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Business Search |url=https://bizfileonline.sos.ca.gov/search/business |url-status=live |website=bizfileonline.sos.ca.gov |quote=BITWARDEN INC. (4612828)}}&amp;lt;/ref&amp;gt; Its main product is the eponymous password manager.&lt;br /&gt;
&lt;br /&gt;
==Consumer-impact summary==&lt;br /&gt;
In 2026, Bitwarden&#039;s long time CEO, as well as the CFO were replaced. No official announcements of this were made by the company. Shortly after, the phrase &amp;quot;Always free&amp;quot;, which had been on the company&#039;s products site for years, disappeared, sparking concern among some users. A [[Reddit]] user, reported to be a Bitwarden employee, stated, in a comment that this had been a simple oversight. This comment was not well received among other users, many of whom expressed disbelief and distrust. Some of them also stated that they&#039;d start looking for alternative password managers. In addition, the company&#039;s acronym, GRIT, which had been used to describe &amp;quot;company culture for years&amp;quot; had been quietly changed. (See: [[Bitwarden#Quiet changes (2026)|Quiet changes (2026)]].)&lt;br /&gt;
&lt;br /&gt;
From 2018 to 2023, the company had been aware of a security vulnerability in their autofill feature and had even documented it and assigned it a name, but chose to tolerate it, because they wished to accommodate legitimate sites that used the feature (it was reported that the risk had been &amp;quot;very low&amp;quot;). In 2023, the company resolved the matter. (See: [[Bitwarden#Autofill vulnerability (2018-2023)|Autofill vulnerability (2018-2023)]].)&lt;br /&gt;
&lt;br /&gt;
In April 2026, Bitwarden&#039;s CLI NPM package, was found to have included a &amp;quot;credential-stealing payload.&amp;quot; Users of this CLI package were the only affected users. (See: [[Bitwarden#Malicious @bitwarden/cli (NPM) package (2026)|Malicious @bitwarden/cli (NPM) package (2026)]].)&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
===Autofill vulnerability (2018-2023)===&lt;br /&gt;
The autofill feature in Bitwarden&#039;s browser extension contained &amp;quot;risky-behavior&amp;quot; that could &amp;quot;allow malicious iframes embedded in trusted websites to steal people&#039;s credentials and send them to an attacker.&amp;quot;&amp;lt;ref name=&amp;quot;bc&amp;quot;&amp;gt;{{Cite web |first=Bill |last=Toulas |date=2023-03-08 |title=Bitwarden flaw can let hackers steal passwords using iframes |url=https://www.bleepingcomputer.com/news/security/bitwarden-flaw-can-let-hackers-steal-passwords-using-iframes/ |url-status=live |website=bleepingcomputer.com |archive-url=https://web.archive.org/web/20260515233256/https://www.bleepingcomputer.com/news/security/bitwarden-flaw-can-let-hackers-steal-passwords-using-iframes/ |archive-date=2026-05-15 |access-date=2026-06-28}}&amp;lt;/ref&amp;gt; (&amp;quot;According to the Mozilla HTML documentation the &amp;lt;iframe&amp;gt; HTML element represents a nested browsing context, embedding another HTML page into the current one.&amp;quot;)&amp;lt;ref name=&amp;quot;fp&amp;quot;&amp;gt;{{Cite web |date=2023-03-07 |author=Flashpoint Intel Team |title=Bitwarden: The Curious (Use-)Case of Password Pilfering |url=https://flashpoint.io/blog/bitwarden-password-pilfering/ |url-status=live |website=flashpoint.io |archive-url=https://web.archive.org/web/20260516015310/https://flashpoint.io/blog/bitwarden-password-pilfering/ |archive-date=2026-05-16 |access-date=2026-06-28}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
Reportedly, Bitwarden had been aware of this since 2018 (documented as (BWN-01-001)&amp;lt;ref name=&amp;quot;fp&amp;quot; /&amp;gt;), but tolerated it to &amp;quot;accommodate legitimate sites that use iframes.&amp;quot; It is worth noting that the feature had been disabled by default, there had still been sites on which this could be exploited. With autofill enabled, Bitwarden&#039;s web extension filled in credentials automatically when a page gets loaded, without the user having to intervene in the process.&amp;lt;ref name=&amp;quot;bc&amp;quot; /&amp;gt;&amp;lt;blockquote&amp;gt;&#039;While the embedded iframe does not have access to any content in the parent page, it can wait for input to the login form and forward the entered credentials to a remote server without further user interaction,&#039; explains Flashpoint.&amp;lt;ref name=&amp;quot;bc&amp;quot; /&amp;gt;&amp;lt;/blockquote&amp;gt;Reportedly, the &amp;quot;number of risky cases was very low.&amp;quot; While investigating this, it was also discovered that autofill filled in credentials &amp;quot;on subdomains of the base domain matching a login. This means an attacker hosting a phishing page under a subdomain that matches a stored login for a given base domain will capture the credentials upon the victim visiting the page if autofill is enabled.&amp;quot;&amp;lt;ref name=&amp;quot;bc /&amp;gt; In 2023, it was reported that Bitwarden&amp;lt;blockquote&amp;gt;decided to address user concerns by eliminating the iframe attack vector while keeping the autofill functionality intact.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;bc&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Malicious @bitwarden/cli (NPM) package (2026)===&lt;br /&gt;
In April 2026, it was revealed that Bitwarden&#039;s {{Wplink|Command-line interface|CLI}} package, distributed via {{Wplink|npm}}, included a &amp;quot;credential-stealing payload.&amp;quot; Reportedly, only the only affected users were the CLI package&#039;s users, not all Bitwarden users in general.&amp;lt;ref&amp;gt;{{Cite web |first=Davey |last=Winder |date=2026-04-24 |title=Bitwarden Confirms Compromise—Here Are The Facts |url=https://www.forbes.com/sites/daveywinder/2026/04/24/bitwarden-confirms-compromise-here-are-the-facts-for-10-million-users/ |url-status=live |website=forbes.com |archive-url=https://ghostarchive.org/archive/DTGH8 |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; The package also reportedly contained the string &amp;quot;Shai-Hulud: The Third Coming&amp;quot;, &amp;quot;Shai-Hulud&amp;quot; referring to a {{Wplink|computer worm}}.&amp;lt;ref&amp;gt;{{Cite web |first=Justin |last=Moore |date=2025-11-25 |title=&amp;quot;Shai-Hulud&amp;quot; Worm Compromises npm Ecosystem in Supply Chain Attack |url=https://unit42.paloaltonetworks.com/npm-supply-chain-attack/ |url-status=live |website=unit42.paloaltonetworks.com |archive-url=https://ghostarchive.org/archive/bzU3J |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; It was also reported that: &amp;lt;blockquote&amp;gt;OX Security has observed real user information leaked by the malware. The infection is likely to spread further across NPM and GitHub as more machines are compromised over time.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The malware’s origin is potentially Russian — it does not execute if the Russian language is configured on the host machine.&amp;lt;ref name=&amp;quot;ox&amp;quot;&amp;gt;{{Cite web |title=Shai-Hulud: The Third Coming — Bitwarden CLI Backdoored in Latest Supply Chain Campaign |author=Siman Tov Bustan |author2=Zadok |date=2026-04-23 |url=https://www.ox.security/blog/shai-hulud-bitwarden-cli-supply-chain-attack/ |url-status=live |website=ox.security |archive-url=https://ghostarchive.org/archive/BjGFQ |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Quiet changes (2026)===&lt;br /&gt;
====Always free====&lt;br /&gt;
The longtime CEO, Michael Crandell is in an &amp;quot;advisory role&amp;quot; since February. In addition, Bitwarden&#039;s CFO was replaced in April. There weren&#039;t any official announcements for either of these changes. Bitwarden&#039;s free plan on their product page included the phrases &amp;quot;Free Forever&amp;quot; and &amp;quot;Always free.&amp;quot;&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; These phrases are present even on the Wayback machine&#039;s oldest archive (2022-06-25) of Bitwarden&#039;s product site.&amp;lt;ref&amp;gt;{{Cite web |title=The Bitwarden Password Manager |archive-date=2022-06-25 |url=https://bitwarden.com/products/personal/ |archive-url=https://web.archive.org/web/20220625012714/https://bitwarden.com/products/personal/ |url-status=live |website=bitwarden.com}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:Bitwarden20260414.webp|alt=(I) Bitwarden product page Wayback machine on 2026-04-14|right|(I) Bitwarden product page Wayback machine on 2026-04-14&lt;br /&gt;
File:Bitwarden20260418.webp|alt=(II) Bitwarden product page Wayback machine on 2026-04-18|right|(II) Bitwarden product page Wayback machine on 2026-04-18&lt;br /&gt;
File:Bitwarden20260515.webp|alt=(III) Bitwarden product page Wayback machine on 2026-05-15|right|(III) Bitwarden product page Wayback machine on 2026-05-15&lt;br /&gt;
File:Bitwarden20260519.webp|alt=(IV) Bitwarden product page Wayback machine on 2026-05-19|right|(IV) Bitwarden product page Wayback machine on 2026-05-19&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
&amp;quot;Always free&amp;quot; reportedly disappeared from the site in April.&amp;lt;ref name=&amp;quot;souray&amp;quot;&amp;gt;{{Cite web |first=Souray |last=Rudra |date=2026-05-19 |title=Things Are Quietly Changing at Bitwarden, and People Are Worried |url=https://itsfoss.com/news/bitwarden-quiet-changes/ |website=itsfoss.com |archive-url=https://ghostarchive.org/archive/jmqHZ |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; The archives from April, (I) and (II), reveal that the phrase disappeared sometime between 2026-04-14 (left on image I) and 2026-04-18 (bottom on image II). The archives from May, (III) and (IV) ,reveal that it came back sometime between 2026-05-15 (bottom left on image III) and 2026-05-19 (bottom left on image IV).&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |archive-date=2026-04-14 |url=https://bitwarden.com/products/personal/ |archive-url=https://web.archive.org/web/20260414143347/https://bitwarden.com/products/personal/ |url-status=live |website=bitwarden.com}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |archive-date=2026-04-18 |url=https://bitwarden.com/products/personal/ |archive-url=https://web.archive.org/web/20260418162818/https://bitwarden.com/products/personal/ |url-status=live |website=bitwarden.com}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |archive-date=2026-05-15 |url=https://bitwarden.com/products/personal/ |archive-url=https://web.archive.org/web/20260515190646/https://bitwarden.com/products/personal/ |url-status=live |website=bitwarden.com}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |archive-date=2026-05-19 |url=https://bitwarden.com/products/personal/ |archive-url=https://web.archive.org/web/20260519164353/https://bitwarden.com/products/personal/ |url-status=live |website=bitwarden.com}}&amp;lt;/ref&amp;gt; A Reddit user by the name of &amp;quot;Ryan_BW&amp;quot;, reportedly a Bitwarden employee,&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; made a post addressing the issue on 2026-05-15, stating that:&amp;lt;blockquote&amp;gt;I would like to share that &amp;quot;always free&amp;quot; has been brought back to the pricing page. There was no specific intention to remove that language from the website while pages were being updated. Simply an oversight on the marketing team (myself included).&amp;lt;/blockquote&amp;gt;The comment was met with several negative replies from other Redditors.&amp;lt;ref&amp;gt;{{Cite web |author=Ryan_BW |date=2026-05-15 |title=Ryan_BW comments on FastCompany: intriguing corporate gossip about Bitwarden |url=https://www.reddit.com/r/Bitwarden/comments/1tdvnh7/comment/olznwcv/ |url-status=live |website=reddit.com |archive-url=https://ghostarchive.org/archive/MPAhX |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====GRIT====&lt;br /&gt;
&amp;lt;blockquote&amp;gt;Bitwarden has used the GRIT acronym to describe its company culture for years, standing for Gratitude, Responsibility, Inclusion, and Transparency.&amp;lt;/blockquote&amp;gt;On the Wayback machine&#039;s archive from 2026-03-14, they were still unchanged on Bitwarden&#039;s blog.&amp;lt;ref&amp;gt;{{Cite web |title=Defining and sustaining value for Bitwarden users |first=Michael |last=Crandell |orig-date=2022-06-08 |archive-date=2026-03-14 |url=https://bitwarden.com/blog/defining-and-sustaining-value-for-bitwarden-users/ |archive-url=https://web.archive.org/web/20260314030243/https://bitwarden.com/blog/defining-and-sustaining-value-for-bitwarden-users/ |url-status=live |website=bitwarden.com}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;blockquote&amp;gt;At some point after that, they were quietly changed. GRIT now stands for Gratitude, Responsibility, Innovation, and Trust.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; The original blog post was also updated, so that it now includes the new version of the acronym.&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |date=2022-06-08 |first=Michael |last=Crandell |title=Defining and sustaining value for Bitwarden users |url=https://bitwarden.com/blog/defining-and-sustaining-value-for-bitwarden-users/#bitwarden-operates-with-grit |url-status=live |website=bitwarden.com |archive-url=https://ghostarchive.org/archive/Iek3a |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Products==&lt;br /&gt;
*Bitwarden password manager&lt;br /&gt;
*Passwordless.dev&lt;br /&gt;
*Bitwarden Secrets Manager&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[[LastPass]]&lt;br /&gt;
*[[1Password]]&lt;br /&gt;
*[[Google password manager overrides third-party autofill]]&lt;br /&gt;
*[[NordVPN]]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59224</id>
		<title>Bitwarden</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59224"/>
		<updated>2026-06-28T07:51:40Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: added a url, removed Reddit link because it&amp;#039;s linked elsewhere&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{CompanyCargo&lt;br /&gt;
|Founded=2019-10-28&lt;br /&gt;
|Industry=Software&lt;br /&gt;
|Type=Private&lt;br /&gt;
|Logo=Bitwarden logo.webp&lt;br /&gt;
|CompanyAlias=Bitwarden, Inc.&lt;br /&gt;
|Website=https://bitwarden.com, https://bitwarden.eu, https://passwordless.dev&lt;br /&gt;
}}&lt;br /&gt;
Bitwarden is an American software company, incorporated in Delaware and with headquarters in Santa Barbara, California.&amp;lt;ref&amp;gt;{{Cite web |title=Division of Corporations |url=https://icis.corp.delaware.gov/ecorp/entitysearch/NameSearch.aspx |url-status=live |website=icis.corp.delaware.gov |quote=File Number: 7654941}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Business Search |url=https://bizfileonline.sos.ca.gov/search/business |url-status=live |website=bizfileonline.sos.ca.gov |quote=BITWARDEN INC. (4612828)}}&amp;lt;/ref&amp;gt; Its main product is the eponymous password manager.&lt;br /&gt;
&lt;br /&gt;
==Consumer-impact summary==&lt;br /&gt;
In 2026, Bitwarden&#039;s long time CEO, as well as the CFO were replaced. No official announcements of this were made by the company. Shortly after, the phrase &amp;quot;Always free&amp;quot;, which had been on the company&#039;s products site for years, disappeared, sparking concern among some users. A [[Reddit]] user, reported to be a Bitwarden employee, stated, in a comment that this had been a simple oversight. This comment was not well received among other users, many of whom expressed disbelief and distrust. Some of them also stated that they&#039;d start looking for alternative password managers. In addition, the company&#039;s acronym, GRIT, which had been used to describe &amp;quot;company culture for years&amp;quot; had been quietly changed. (See: [[Bitwarden#Quiet changes (2026)|Quiet changes (2026)]].)&lt;br /&gt;
&lt;br /&gt;
From 2018 to 2023, the company had been aware of a security vulnerability in their autofill feature and had even documented it and assigned it a name, but chose to tolerate it, because they wished to accommodate legitimate sites that used the feature (it was reported that the risk had been &amp;quot;very low&amp;quot;). In 2023, the company resolved the matter. (See: [[Bitwarden#Autofill vulnerability (2018-2023)|Autofill vulnerability (2018-2023)]].)&lt;br /&gt;
&lt;br /&gt;
In April 2026, Bitwarden&#039;s CLI NPM package, was found to have included a &amp;quot;credential-stealing payload.&amp;quot; Users of this CLI package were the only affected users. (See: [[Bitwarden#Malicious @bitwarden/cli (NPM) package (2026)|Malicious @bitwarden/cli (NPM) package (2026)]].)&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
===Autofill vulnerability (2018-2023)===&lt;br /&gt;
The autofill feature in Bitwarden&#039;s browser extension contained &amp;quot;risky-behavior&amp;quot; that could &amp;quot;allow malicious iframes embedded in trusted websites to steal people&#039;s credentials and send them to an attacker.&amp;quot;&amp;lt;ref name=&amp;quot;bc&amp;quot;&amp;gt;{{Cite web |first=Bill |last=Toulas |date=2023-03-08 |title=Bitwarden flaw can let hackers steal passwords using iframes |url=https://www.bleepingcomputer.com/news/security/bitwarden-flaw-can-let-hackers-steal-passwords-using-iframes/ |url-status=live |website=bleepingcomputer.com |archive-url=https://web.archive.org/web/20260515233256/https://www.bleepingcomputer.com/news/security/bitwarden-flaw-can-let-hackers-steal-passwords-using-iframes/ |archive-date=2026-05-15 |access-date=2026-06-28}}&amp;lt;/ref&amp;gt; (&amp;quot;According to the Mozilla HTML documentation the &amp;lt;iframe&amp;gt; HTML element represents a nested browsing context, embedding another HTML page into the current one.&amp;quot;)&amp;lt;ref name=&amp;quot;fp&amp;quot;&amp;gt;{{Cite web |date=2023-03-07 |author=Flashpoint Intel Team |title=Bitwarden: The Curious (Use-)Case of Password Pilfering |url=https://flashpoint.io/blog/bitwarden-password-pilfering/ |url-status=live |website=flashpoint.io |archive-url=https://web.archive.org/web/20260516015310/https://flashpoint.io/blog/bitwarden-password-pilfering/ |archive-date=2026-05-16 |access-date=2026-06-28}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
Reportedly, Bitwarden had been aware of this since 2018 (documented as (BWN-01-001)&amp;lt;ref name=&amp;quot;fp&amp;quot; /&amp;gt;), but tolerated it to &amp;quot;accommodate legitimate sites that use iframes.&amp;quot; It is worth noting that the feature had been disabled by default, there had still been sites on which this could be exploited. With autofill enabled, Bitwarden&#039;s web extension filled in credentials automatically when a page gets loaded, without the user having to intervene in the process.&amp;lt;ref name=&amp;quot;bc&amp;quot; /&amp;gt;&amp;lt;blockquote&amp;gt;&#039;While the embedded iframe does not have access to any content in the parent page, it can wait for input to the login form and forward the entered credentials to a remote server without further user interaction,&#039; explains Flashpoint.&amp;lt;ref name=&amp;quot;bc&amp;quot; /&amp;gt;&amp;lt;/blockquote&amp;gt;Reportedly, the &amp;quot;number of risky cases was very low.&amp;quot; While investigating this, it was also discovered that autofill filled in credentials &amp;quot;on subdomains of the base domain matching a login. This means an attacker hosting a phishing page under a subdomain that matches a stored login for a given base domain will capture the credentials upon the victim visiting the page if autofill is enabled.&amp;quot;&amp;lt;ref name=&amp;quot;bc /&amp;gt; In 2023, it was reported that Bitwarden&amp;lt;blockquote&amp;gt;decided to address user concerns by eliminating the iframe attack vector while keeping the autofill functionality intact.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;bc&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Malicious @bitwarden/cli (NPM) package (2026)===&lt;br /&gt;
In April 2026, it was revealed that Bitwarden&#039;s {{Wplink|Command-line interface|CLI}} package, distributed via {{Wplink|npm}}, included a &amp;quot;credential-stealing payload.&amp;quot; Reportedly, only the only affected users were the CLI package&#039;s users, not all Bitwarden users in general.&amp;lt;ref&amp;gt;{{Cite web |first=Davey |last=Winder |date=2026-04-24 |title=Bitwarden Confirms Compromise—Here Are The Facts |url=https://www.forbes.com/sites/daveywinder/2026/04/24/bitwarden-confirms-compromise-here-are-the-facts-for-10-million-users/ |url-status=live |website=forbes.com |archive-url=https://ghostarchive.org/archive/DTGH8 |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; The package also reportedly contained the string &amp;quot;Shai-Hulud: The Third Coming&amp;quot;, &amp;quot;Shai-Hulud&amp;quot; referring to a {{Wplink|computer worm}}.&amp;lt;ref&amp;gt;{{Cite web |first=Justin |last=Moore |date=2025-11-25 |title=&amp;quot;Shai-Hulud&amp;quot; Worm Compromises npm Ecosystem in Supply Chain Attack |url=https://unit42.paloaltonetworks.com/npm-supply-chain-attack/ |url-status=live |website=unit42.paloaltonetworks.com |archive-url=https://ghostarchive.org/archive/bzU3J |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; It was also reported that: &amp;lt;blockquote&amp;gt;OX Security has observed real user information leaked by the malware. The infection is likely to spread further across NPM and GitHub as more machines are compromised over time.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The malware’s origin is potentially Russian — it does not execute if the Russian language is configured on the host machine.&amp;lt;ref name=&amp;quot;ox&amp;quot;&amp;gt;{{Cite web |title=Shai-Hulud: The Third Coming — Bitwarden CLI Backdoored in Latest Supply Chain Campaign |author=Siman Tov Bustan |author2=Zadok |date=2026-04-23 |url=https://www.ox.security/blog/shai-hulud-bitwarden-cli-supply-chain-attack/ |url-status=live |website=ox.security |archive-url=https://ghostarchive.org/archive/BjGFQ |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Quiet changes (2026)===&lt;br /&gt;
====Always free====&lt;br /&gt;
The longtime CEO, Michael Crandell is in an &amp;quot;advisory role&amp;quot; since February. In addition, Bitwarden&#039;s CFO was replaced in April. There weren&#039;t any official announcements for either of these changes. Bitwarden&#039;s free plan on their product page included the phrases &amp;quot;Free Forever&amp;quot; and &amp;quot;Always free.&amp;quot;&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; These phrases are present even on the Wayback machine&#039;s oldest archive (2022-06-25) of Bitwarden&#039;s product site.&amp;lt;ref&amp;gt;{{Cite web |title=The Bitwarden Password Manager |date=2022-06-25 |url=https://web.archive.org/web/20220625012714/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:Bitwarden20260414.webp|alt=(I) Bitwarden product page Wayback machine on 2026-04-14|right|(I) Bitwarden product page Wayback machine on 2026-04-14&lt;br /&gt;
File:Bitwarden20260418.webp|alt=(II) Bitwarden product page Wayback machine on 2026-04-18|right|(II) Bitwarden product page Wayback machine on 2026-04-18&lt;br /&gt;
File:Bitwarden20260515.webp|alt=(III) Bitwarden product page Wayback machine on 2026-05-15|right|(III) Bitwarden product page Wayback machine on 2026-05-15&lt;br /&gt;
File:Bitwarden20260519.webp|alt=(IV) Bitwarden product page Wayback machine on 2026-05-19|right|(IV) Bitwarden product page Wayback machine on 2026-05-19&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
&amp;quot;Always free&amp;quot; reportedly disappeared from the site in April.&amp;lt;ref name=&amp;quot;souray&amp;quot;&amp;gt;{{Cite web |first=Souray |last=Rudra |date=2026-05-19 |title=Things Are Quietly Changing at Bitwarden, and People Are Worried |url=https://itsfoss.com/news/bitwarden-quiet-changes/ |website=itsfoss.com |archive-url=https://ghostarchive.org/archive/jmqHZ |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; The archives from April, (I) and (II), reveal that the phrase disappeared sometime between 2026-04-14 (left on image I) and 2026-04-18 (bottom on image II). The archives from May, (III) and (IV) ,reveal that it came back sometime between 2026-05-15 (bottom left on image III) and 2026-05-19 (bottom left on image IV).&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-04-14 |url=https://web.archive.org/web/20260414143347/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-04-18 |url=https://web.archive.org/web/20260418162818/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-05-15 |url=https://web.archive.org/web/20260515190646/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-05-19 |url=https://web.archive.org/web/20260519164353/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt; A Reddit user by the name of &amp;quot;Ryan_BW&amp;quot;, reportedly a Bitwarden employee,&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; made a post addressing the issue on 2026-05-15, stating that:&amp;lt;blockquote&amp;gt;I would like to share that &amp;quot;always free&amp;quot; has been brought back to the pricing page. There was no specific intention to remove that language from the website while pages were being updated. Simply an oversight on the marketing team (myself included).&amp;lt;/blockquote&amp;gt;The comment was met with several negative replies from other Redditors.&amp;lt;ref&amp;gt;{{Cite web |author=Ryan_BW |date=2026-05-15 |title=Ryan_BW comments on FastCompany: intriguing corporate gossip about Bitwarden |url=https://www.reddit.com/r/Bitwarden/comments/1tdvnh7/comment/olznwcv/ |url-status=live |website=reddit.com |archive-url=https://ghostarchive.org/archive/MPAhX |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====GRIT====&lt;br /&gt;
&amp;lt;blockquote&amp;gt;Bitwarden has used the GRIT acronym to describe its company culture for years, standing for Gratitude, Responsibility, Inclusion, and Transparency.&amp;lt;/blockquote&amp;gt;On the Wayback machine&#039;s archive from 2026-03-14, they were still unchanged on Bitwarden&#039;s blog.&amp;lt;ref&amp;gt;{{Cite web |title=Defining and sustaining value for Bitwarden users |first=Michael |last=Crandell |orig-date=2022-06-08 |date=2026-03-14 |url=https://web.archive.org/web/20260314030243/https://bitwarden.com/blog/defining-and-sustaining-value-for-bitwarden-users/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;blockquote&amp;gt;At some point after that, they were quietly changed. GRIT now stands for Gratitude, Responsibility, Innovation, and Trust.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; The original blog post was also updated, so that it now includes the new version of the acronym.&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |date=2022-06-08 |first=Michael |last=Crandell |title=Defining and sustaining value for Bitwarden users |url=https://bitwarden.com/blog/defining-and-sustaining-value-for-bitwarden-users/#bitwarden-operates-with-grit |url-status=live |website=bitwarden.com |archive-url=https://ghostarchive.org/archive/Iek3a |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Products==&lt;br /&gt;
*Bitwarden password manager&lt;br /&gt;
*Passwordless.dev&lt;br /&gt;
*Bitwarden Secrets Manager&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[[LastPass]]&lt;br /&gt;
*[[1Password]]&lt;br /&gt;
*[[Google password manager overrides third-party autofill]]&lt;br /&gt;
*[[NordVPN]]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59223</id>
		<title>Bitwarden</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59223"/>
		<updated>2026-06-28T07:50:00Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: /* Products */ added more products&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{CompanyCargo&lt;br /&gt;
|Founded=2019-10-28&lt;br /&gt;
|Industry=Software&lt;br /&gt;
|Type=Private&lt;br /&gt;
|Logo=Bitwarden logo.webp&lt;br /&gt;
|CompanyAlias=Bitwarden, Inc.&lt;br /&gt;
|Website=https://bitwarden.com, https://bitwarden.eu&lt;br /&gt;
}}&lt;br /&gt;
Bitwarden is an American software company, incorporated in Delaware and with headquarters in Santa Barbara, California.&amp;lt;ref&amp;gt;{{Cite web |title=Division of Corporations |url=https://icis.corp.delaware.gov/ecorp/entitysearch/NameSearch.aspx |url-status=live |website=icis.corp.delaware.gov |quote=File Number: 7654941}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Business Search |url=https://bizfileonline.sos.ca.gov/search/business |url-status=live |website=bizfileonline.sos.ca.gov |quote=BITWARDEN INC. (4612828)}}&amp;lt;/ref&amp;gt; Its main product is the eponymous password manager.&lt;br /&gt;
&lt;br /&gt;
==Consumer-impact summary==&lt;br /&gt;
In 2026, Bitwarden&#039;s long time CEO, as well as the CFO were replaced. No official announcements of this were made by the company. Shortly after, the phrase &amp;quot;Always free&amp;quot;, which had been on the company&#039;s products site for years, disappeared, sparking concern among some users. A [[Reddit]] user, reported to be a Bitwarden employee, stated, in a comment that this had been a simple oversight. This comment was not well received among other users, many of whom expressed disbelief and distrust. Some of them also stated that they&#039;d start looking for alternative password managers. In addition, the company&#039;s acronym, GRIT, which had been used to describe &amp;quot;company culture for years&amp;quot; had been quietly changed. (See: [[Bitwarden#Quiet changes (2026)|Quiet changes (2026)]].)&lt;br /&gt;
&lt;br /&gt;
From 2018 to 2023, the company had been aware of a security vulnerability in their autofill feature and had even documented it and assigned it a name, but chose to tolerate it, because they wished to accommodate legitimate sites that used the feature (it was reported that the risk had been &amp;quot;very low&amp;quot;). In 2023, the company resolved the matter. (See: [[Bitwarden#Autofill vulnerability (2018-2023)|Autofill vulnerability (2018-2023)]].)&lt;br /&gt;
&lt;br /&gt;
In April 2026, Bitwarden&#039;s CLI NPM package, was found to have included a &amp;quot;credential-stealing payload.&amp;quot; Users of this CLI package were the only affected users. (See: [[Bitwarden#Malicious @bitwarden/cli (NPM) package (2026)|Malicious @bitwarden/cli (NPM) package (2026)]].)&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
===Autofill vulnerability (2018-2023)===&lt;br /&gt;
The autofill feature in Bitwarden&#039;s browser extension contained &amp;quot;risky-behavior&amp;quot; that could &amp;quot;allow malicious iframes embedded in trusted websites to steal people&#039;s credentials and send them to an attacker.&amp;quot;&amp;lt;ref name=&amp;quot;bc&amp;quot;&amp;gt;{{Cite web |first=Bill |last=Toulas |date=2023-03-08 |title=Bitwarden flaw can let hackers steal passwords using iframes |url=https://www.bleepingcomputer.com/news/security/bitwarden-flaw-can-let-hackers-steal-passwords-using-iframes/ |url-status=live |website=bleepingcomputer.com |archive-url=https://web.archive.org/web/20260515233256/https://www.bleepingcomputer.com/news/security/bitwarden-flaw-can-let-hackers-steal-passwords-using-iframes/ |archive-date=2026-05-15 |access-date=2026-06-28}}&amp;lt;/ref&amp;gt; (&amp;quot;According to the Mozilla HTML documentation the &amp;lt;iframe&amp;gt; HTML element represents a nested browsing context, embedding another HTML page into the current one.&amp;quot;)&amp;lt;ref name=&amp;quot;fp&amp;quot;&amp;gt;{{Cite web |date=2023-03-07 |author=Flashpoint Intel Team |title=Bitwarden: The Curious (Use-)Case of Password Pilfering |url=https://flashpoint.io/blog/bitwarden-password-pilfering/ |url-status=live |website=flashpoint.io |archive-url=https://web.archive.org/web/20260516015310/https://flashpoint.io/blog/bitwarden-password-pilfering/ |archive-date=2026-05-16 |access-date=2026-06-28}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
Reportedly, Bitwarden had been aware of this since 2018 (documented as (BWN-01-001)&amp;lt;ref name=&amp;quot;fp&amp;quot; /&amp;gt;), but tolerated it to &amp;quot;accommodate legitimate sites that use iframes.&amp;quot; It is worth noting that the feature had been disabled by default, there had still been sites on which this could be exploited. With autofill enabled, Bitwarden&#039;s web extension filled in credentials automatically when a page gets loaded, without the user having to intervene in the process.&amp;lt;ref name=&amp;quot;bc&amp;quot; /&amp;gt;&amp;lt;blockquote&amp;gt;&#039;While the embedded iframe does not have access to any content in the parent page, it can wait for input to the login form and forward the entered credentials to a remote server without further user interaction,&#039; explains Flashpoint.&amp;lt;ref name=&amp;quot;bc&amp;quot; /&amp;gt;&amp;lt;/blockquote&amp;gt;Reportedly, the &amp;quot;number of risky cases was very low.&amp;quot; While investigating this, it was also discovered that autofill filled in credentials &amp;quot;on subdomains of the base domain matching a login. This means an attacker hosting a phishing page under a subdomain that matches a stored login for a given base domain will capture the credentials upon the victim visiting the page if autofill is enabled.&amp;quot;&amp;lt;ref name=&amp;quot;bc /&amp;gt; In 2023, it was reported that Bitwarden&amp;lt;blockquote&amp;gt;decided to address user concerns by eliminating the iframe attack vector while keeping the autofill functionality intact.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;bc&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Malicious @bitwarden/cli (NPM) package (2026)===&lt;br /&gt;
In April 2026, it was revealed that Bitwarden&#039;s {{Wplink|Command-line interface|CLI}} package, distributed via {{Wplink|npm}}, included a &amp;quot;credential-stealing payload.&amp;quot; Reportedly, only the only affected users were the CLI package&#039;s users, not all Bitwarden users in general.&amp;lt;ref&amp;gt;{{Cite web |first=Davey |last=Winder |date=2026-04-24 |title=Bitwarden Confirms Compromise—Here Are The Facts |url=https://www.forbes.com/sites/daveywinder/2026/04/24/bitwarden-confirms-compromise-here-are-the-facts-for-10-million-users/ |url-status=live |website=forbes.com |archive-url=https://ghostarchive.org/archive/DTGH8 |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; The package also reportedly contained the string &amp;quot;Shai-Hulud: The Third Coming&amp;quot;, &amp;quot;Shai-Hulud&amp;quot; referring to a {{Wplink|computer worm}}.&amp;lt;ref&amp;gt;{{Cite web |first=Justin |last=Moore |date=2025-11-25 |title=&amp;quot;Shai-Hulud&amp;quot; Worm Compromises npm Ecosystem in Supply Chain Attack |url=https://unit42.paloaltonetworks.com/npm-supply-chain-attack/ |url-status=live |website=unit42.paloaltonetworks.com |archive-url=https://ghostarchive.org/archive/bzU3J |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; It was also reported that: &amp;lt;blockquote&amp;gt;OX Security has observed real user information leaked by the malware. The infection is likely to spread further across NPM and GitHub as more machines are compromised over time.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The malware’s origin is potentially Russian — it does not execute if the Russian language is configured on the host machine.&amp;lt;ref name=&amp;quot;ox&amp;quot;&amp;gt;{{Cite web |title=Shai-Hulud: The Third Coming — Bitwarden CLI Backdoored in Latest Supply Chain Campaign |author=Siman Tov Bustan |author2=Zadok |date=2026-04-23 |url=https://www.ox.security/blog/shai-hulud-bitwarden-cli-supply-chain-attack/ |url-status=live |website=ox.security |archive-url=https://ghostarchive.org/archive/BjGFQ |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Quiet changes (2026)===&lt;br /&gt;
====Always free====&lt;br /&gt;
The longtime CEO, Michael Crandell is in an &amp;quot;advisory role&amp;quot; since February. In addition, Bitwarden&#039;s CFO was replaced in April. There weren&#039;t any official announcements for either of these changes. Bitwarden&#039;s free plan on their product page included the phrases &amp;quot;Free Forever&amp;quot; and &amp;quot;Always free.&amp;quot;&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; These phrases are present even on the Wayback machine&#039;s oldest archive (2022-06-25) of Bitwarden&#039;s product site.&amp;lt;ref&amp;gt;{{Cite web |title=The Bitwarden Password Manager |date=2022-06-25 |url=https://web.archive.org/web/20220625012714/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:Bitwarden20260414.webp|alt=(I) Bitwarden product page Wayback machine on 2026-04-14|right|(I) Bitwarden product page Wayback machine on 2026-04-14&lt;br /&gt;
File:Bitwarden20260418.webp|alt=(II) Bitwarden product page Wayback machine on 2026-04-18|right|(II) Bitwarden product page Wayback machine on 2026-04-18&lt;br /&gt;
File:Bitwarden20260515.webp|alt=(III) Bitwarden product page Wayback machine on 2026-05-15|right|(III) Bitwarden product page Wayback machine on 2026-05-15&lt;br /&gt;
File:Bitwarden20260519.webp|alt=(IV) Bitwarden product page Wayback machine on 2026-05-19|right|(IV) Bitwarden product page Wayback machine on 2026-05-19&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
&amp;quot;Always free&amp;quot; reportedly disappeared from the site in April.&amp;lt;ref name=&amp;quot;souray&amp;quot;&amp;gt;{{Cite web |first=Souray |last=Rudra |date=2026-05-19 |title=Things Are Quietly Changing at Bitwarden, and People Are Worried |url=https://itsfoss.com/news/bitwarden-quiet-changes/ |website=itsfoss.com |archive-url=https://ghostarchive.org/archive/jmqHZ |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; The archives from April, (I) and (II), reveal that the phrase disappeared sometime between 2026-04-14 (left on image I) and 2026-04-18 (bottom on image II). The archives from May, (III) and (IV) ,reveal that it came back sometime between 2026-05-15 (bottom left on image III) and 2026-05-19 (bottom left on image IV).&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-04-14 |url=https://web.archive.org/web/20260414143347/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-04-18 |url=https://web.archive.org/web/20260418162818/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-05-15 |url=https://web.archive.org/web/20260515190646/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-05-19 |url=https://web.archive.org/web/20260519164353/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt; A [[Reddit]] user by the name of &amp;quot;Ryan_BW&amp;quot;, reportedly a Bitwarden employee,&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; made a post addressing the issue on 2026-05-15, stating that:&amp;lt;blockquote&amp;gt;I would like to share that &amp;quot;always free&amp;quot; has been brought back to the pricing page. There was no specific intention to remove that language from the website while pages were being updated. Simply an oversight on the marketing team (myself included).&amp;lt;/blockquote&amp;gt;The comment was met with several negative replies from other Redditors.&amp;lt;ref&amp;gt;{{Cite web |author=Ryan_BW |date=2026-05-15 |title=Ryan_BW comments on FastCompany: intriguing corporate gossip about Bitwarden |url=https://www.reddit.com/r/Bitwarden/comments/1tdvnh7/comment/olznwcv/ |url-status=live |website=reddit.com |archive-url=https://ghostarchive.org/archive/MPAhX |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====GRIT====&lt;br /&gt;
&amp;lt;blockquote&amp;gt;Bitwarden has used the GRIT acronym to describe its company culture for years, standing for Gratitude, Responsibility, Inclusion, and Transparency.&amp;lt;/blockquote&amp;gt;On the Wayback machine&#039;s archive from 2026-03-14, they were still unchanged on Bitwarden&#039;s blog.&amp;lt;ref&amp;gt;{{Cite web |title=Defining and sustaining value for Bitwarden users |first=Michael |last=Crandell |orig-date=2022-06-08 |date=2026-03-14 |url=https://web.archive.org/web/20260314030243/https://bitwarden.com/blog/defining-and-sustaining-value-for-bitwarden-users/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;blockquote&amp;gt;At some point after that, they were quietly changed. GRIT now stands for Gratitude, Responsibility, Innovation, and Trust.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; The original blog post was also updated, so that it now includes the new version of the acronym.&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |date=2022-06-08 |first=Michael |last=Crandell |title=Defining and sustaining value for Bitwarden users |url=https://bitwarden.com/blog/defining-and-sustaining-value-for-bitwarden-users/#bitwarden-operates-with-grit |url-status=live |website=bitwarden.com |archive-url=https://ghostarchive.org/archive/Iek3a |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Products==&lt;br /&gt;
*Bitwarden password manager&lt;br /&gt;
*Passwordless.dev&lt;br /&gt;
*Bitwarden Secrets Manager&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[[LastPass]]&lt;br /&gt;
*[[1Password]]&lt;br /&gt;
*[[Google password manager overrides third-party autofill]]&lt;br /&gt;
*[[NordVPN]]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=LastPass&amp;diff=59222</id>
		<title>LastPass</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=LastPass&amp;diff=59222"/>
		<updated>2026-06-28T07:47:32Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: /* See also */ added more links to &amp;#039;see also&amp;#039;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{ProductCargo&lt;br /&gt;
|ReleaseYear=2008&lt;br /&gt;
|ArticleType=Service&lt;br /&gt;
|Category=Password Managers, Browser extension, Software, Security&lt;br /&gt;
|Logo=LastPass logo.svg&lt;br /&gt;
|Website=https://www.lastpass.com/&lt;br /&gt;
|Description=LastPass is a password manager application that allows users to store passwords and notes securely using one master password.&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
&#039;&#039;&#039;{{Wplink|LastPass}}&#039;&#039;&#039; is a {{Wplink|password manager}} application that allows users to store passwords and notes securely using one master password. It was launched in 2008 and was one of the first widely adopted password managers.&lt;br /&gt;
&lt;br /&gt;
In 2015 LastPass was acquired by {{Wplink|GoTo (US company)|GoTo}} (formerly LogMeIn Inc) for $110 million. LastPass was later spun off into its own company being acquired by {{Wplink|private equity firm}}s Francisco Partners and Elliott Management in 2024.&amp;lt;ref&amp;gt;{{Cite web |url=https://www.lastpass.com/company/newsroom/b948ad48-3268-4c9e-8b45-0d6d02d0b4e7 |title=LastPass Completes Journey to Become an Independent Company with Enhanced Cybersecurity Focus and Executive Leadership Team |date=1 May 2024 |website=LastPass |access-date=2 Nov 2025 |archive-url=http://web.archive.org/web/20260211035211/https://www.lastpass.com/company/newsroom/b948ad48-3268-4c9e-8b45-0d6d02d0b4e7 |archive-date=11 Feb 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
LastPass has suffered a number of security incidents over the years with the most severe being the 2022 data breach which saw encrypted customer passwords and secret notes get exposed. Despite the most sensitive information being encrypted, the vault can be decrypted and was allegedly used in the theft of $35 million in cryptocurrency from 150 victims. In 2025 an even larger theft of $150 million was traced back to the data breach.&amp;lt;ref&amp;gt;{{Cite web|url=https://krebsonsecurity.com/2025/03/feds-link-150m-cyberheist-to-2022-lastpass-hacks |title=Feds Link $150 Million CyberHeist to 2022 LastPass Hacks |date=7 Mar 2025 |website=KrebsonSecurity |access-date=2 Nov 2025 |archive-url=http://web.archive.org/web/20260221112713/https://krebsonsecurity.com/2025/03/feds-link-150m-cyberheist-to-2022-lastpass-hacks/ |archive-date=21 Feb 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Consumer impact summary==&lt;br /&gt;
{{Ph-C-CIS}}&lt;br /&gt;
*&#039;&#039;&#039;User privacy:&#039;&#039;&#039; LastPass, being a password manager, stores and transmits highly sensitive information (passwords and secure notes). LastPass relies on its users trusting it to safely handle this information and have it be accessible. &lt;br /&gt;
&lt;br /&gt;
*&#039;&#039;&#039;User freedom:&#039;&#039;&#039; Use of a [[subscription service]] for more device types allows LastPass to restrict where users can view their passwords.&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
&lt;br /&gt;
===Free tier device type restrictions (&#039;&#039;2021&#039;&#039;)===&lt;br /&gt;
{{See also|Post-purchase EULA modification}}&lt;br /&gt;
&lt;br /&gt;
On February 16, 2021 LastPass changed its free tier to restrict users to only one device type. After March 16, 2021, if a user was using LastPass on their computer, they would not be able to view their LastPass vault on mobile without paying for premium. These restrictions locked a large number of LastPass&#039;s userbase out of their passwords.&amp;lt;ref&amp;gt;{{Cite web|title=Changes to LastPass free tier|url=https://blog.lastpass.com/posts/changes-to-lastpass-free|date=2021-02-16|work=LastPass Blog|access-date=2025-11-02 |archive-url=http://web.archive.org/web/20260217211201/https://blog.lastpass.com/posts/changes-to-lastpass-free |archive-date=17 Feb 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Data breach (&#039;&#039;2022&#039;&#039;)===&lt;br /&gt;
In August 2022 and November 2022, LastPass suffered a data breach involving a backup copy of a customer database and customer password vaults. The attackers used a compromised developer account to access source code which contained credentials to the aforementioned backup database. The stolen data included encrypted user names, passwords and secure notes. It was also discovered that URLs, IP addresses, phone numbers and some emails were unencrypted.&amp;lt;ref&amp;gt;{{Cite web |url=https://securityscorecard.com/blog/what-did-the-lastpass-breach-reveal-about-password-manager-security |title=What did the lastpass breach reveal about password manager security? |date=13 Jun 2025 |website=SecurityScorecard |author=Learning Center |access-date=2 Nov 2025 |archive-url=http://web.archive.org/web/20260108033555/https://securityscorecard.com/blog/what-did-the-lastpass-breach-reveal-about-password-manager-security/ |archive-date=8 Jan 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====Aftermath====&lt;br /&gt;
=====ICO fine=====&lt;br /&gt;
In December 2025, the {{Wplink|Information Commissioner&#039;s Office |ICO}} announced that it had fined LastPass UK Ltd £1.2 million based on their findings following the data breach. They concluded that &#039;&#039;&amp;quot;LastPass failed to implement sufficiently robust technical and security measures, which ultimately enabled a hacker to gain unauthorised access to its backup database.&amp;quot;&#039;&#039; The ICO also added that there was &#039;&#039;&amp;quot;no evidence that hackers were able to unencrypt customer passwords as these are stored locally on customer devices and not by LastPass.&amp;quot;&#039;&#039;&amp;lt;ref&amp;gt;{{Cite web |date=11 Dec 2025 |title=Password manager provider fined £1.2m by ICO for data breach |author=ICO |url=https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/12/password-manager-provider-fined/ |url-status=live |website=ico.org.uk |archive-url=https://web.archive.org/web/20260613214400/https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/12/password-manager-provider-fined/ |archive-date=13 Jun 2026 |access-date=23 Jun 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=====Stolen cryptocurrency and settlement=====&lt;br /&gt;
Also in December 2025, [https://www.trmlabs.com/ TRM] reported that their analysts had been able to &#039;&#039;&amp;quot;trace the stolen funds through mixers and ultimately to two high-risk Russian exchanges frequently used by cybercriminals as fiat off-ramps — with one of them receiving LastPass-linked funds as recently as October.&amp;quot;&#039;&#039; This was reportedly the result of analyzing clusters of wallet drains that occurred after the breach, with waves of them surfacing as late as 2024 and 2025.&amp;lt;ref&amp;gt;{{Cite web |author=TRM Team |title=TRM Traces Stolen Crypto from 2022 LastPass Breach — On-chain Indicators Suggest Russian Cybercriminal Involvement |date=24 Dec 2025 |url=https://www.trmlabs.com/resources/blog/trm-traces-stolen-crypto-from-2022-lastpass-breach-on-chain-indicators-suggest-russian-cybercriminal-involvement |url-status=live |website=trmlabs.com |archive-url=https://web.archive.org/web/20260604104239/https://www.trmlabs.com/resources/blog/trm-traces-stolen-crypto-from-2022-lastpass-breach-on-chain-indicators-suggest-russian-cybercriminal-involvement |archive-date=4 Jun 2026 |access-date=23 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Stolen LastPass backups enable crypto theft through 2025 |date=28 Dec 2025 |first=Pierluigi |last=Paganini |url=https://securityaffairs.com/186191/digital-id/stolen-lastpass-backups-enable-crypto-theft-through-2025.html |url-status=live |website=securityaffairs.com |archive-url=https://web.archive.org/web/20260611133236/https://securityaffairs.com/186191/digital-id/stolen-lastpass-backups-enable-crypto-theft-through-2025.html |archive-date=11 Jun 2026 |access-date=23 Jun 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
After multiple class action lawsuits were consolidated into a single lawsuit in Massachusetts, LastPass settled but admitted no misconduct. A representative of theirs stated:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&#039;&#039;&amp;quot;While we continue to deny the alleged claims, we have agreed to a settlement to avoid the ongoing distraction and uncertainty of protracted litigation. Our focus remains on serving our customers, and over the last three years we have made substantial investments across our people, processes and technology, so that we can continue to build and keep trust in LastPass.&amp;quot;&#039;&#039;&amp;lt;ref&amp;gt;{{Cite web |first=Alaina |last=Yee |date=1 Apr 2026 |title=The LastPass breach settlement is real. Here’s what you should know |url=https://www.pcworld.com/article/3102935/the-lastpass-breach-settlement-is-real-heres-what-you-should-know.html |url-status=live |website=pcworld.com |archive-url=https://web.archive.org/web/20260519185841/https://www.pcworld.com/article/3102935/the-lastpass-breach-settlement-is-real-heres-what-you-should-know.html |archive-date=19 May 2026 |access-date=23 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===&#039;create backup&#039; phishing campaign (&#039;&#039;2026&#039;&#039;)===&lt;br /&gt;
On or around January 19th 2026, phishing emails were sent out from multiple email and ip addresses. The emails claimed that maintenance was to be conducted and that LastPass users needed to backup their vaults within 24 hours. They also contained links which took users to a website which allowed them to perform vault &amp;quot;backups.&amp;quot; LastPass seems to have detected this relatively quickly as a threat intel blog post was already published on their website by January 20th.&amp;lt;ref&amp;gt;{{Cite web |title=New Phishing Campaign Targeting LastPass Customers |author=Threat Intelligence, Mitigation, and Escalation (TIME) team |date=20 Jan 2026 |url=https://blog.lastpass.com/posts/new-phishing-campaign-targeting-lastpass-customers |url-status=live |website=blog.lastpass.com |archive-url=https://web.archive.org/web/20260212173304/https://blog.lastpass.com/posts/new-phishing-campaign-targeting-lastpass-customers |archive-date=12 Feb 2026 |access-date=23 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |first=Vlad |last=Constantinescu |date=22 Jan 2026 |title=LastPass ‘create backup’ email is a phishing scam targeting your master password |url=https://www.bitdefender.com/en-us/blog/hotforsecurity/lastpass-create-backup-email-is-a-phishing-scam-targeting-your-master-password |url-status=live |website=bitdefender |archive-url=https://web.archive.org/web/20260217135934/https://www.bitdefender.com/en-us/blog/hotforsecurity/lastpass-create-backup-email-is-a-phishing-scam-targeting-your-master-password |archive-date=17 Feb 2026 |access-date=23 Jun 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[[Data lock-in]]&lt;br /&gt;
*[[1Password]]&lt;br /&gt;
*[[Bitwarden]]&lt;br /&gt;
*[[NordVPN]]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{Reflist}}&lt;br /&gt;
&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=1Password&amp;diff=59221</id>
		<title>1Password</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=1Password&amp;diff=59221"/>
		<updated>2026-06-28T07:46:18Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: /* See also */ added links to &amp;#039;see also&amp;#039;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{ProductCargo&lt;br /&gt;
|Company=Agilebits&lt;br /&gt;
|ProductLine=1Password&lt;br /&gt;
|InProduction=Yes&lt;br /&gt;
|ArticleType=Product&lt;br /&gt;
|Category=Software,Password Managers&lt;br /&gt;
|Website=https://1password.com/&lt;br /&gt;
|Description=1Password is a secure password manager that stores and encrypts passwords, login details, and other sensitive information in a digital vault&lt;br /&gt;
|Logo=1Password logo.svg|ReleaseYear=2006}}&lt;br /&gt;
&lt;br /&gt;
&#039;&#039;&#039;{{wplink|1Password|1Password}}&#039;&#039;&#039; is a multi-platform subscription-based password manager developed by AgileBits Inc. It is often used due to the combination of a master password with a second secret key generated on-device (i.e., not in the cloud). Unlocking a user&#039;s vault therefore requires &#039;&#039;&#039;both&#039;&#039;&#039; pieces of information to decrypt and access. It also supports conventional two factor authentication using either software tokens or hardware-based tokens (e.g., Yubikey, Google Titan), which can be added to further secure a vault. 1Password is closed-source and is not self-hostable.&lt;br /&gt;
&lt;br /&gt;
1Password, in addition to passwords, is capable of storing myriad site credentials including one-time codes, emails / user names, and additional notes.&amp;lt;ref&amp;gt;{{Cite web |title=Password Manager for Individuals &amp;amp; Families |url=https://1password.com/product/password-manager |url-status=live |archive-url=https://web.archive.org/web/20251030021958/https://1password.com/product/password-manager |archive-date=2025-10-30 |access-date=2025-10-21 |website=1Password}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Consumer impact summary==&lt;br /&gt;
&lt;br /&gt;
===Freedom===&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&amp;quot;You can export your 1Pasword information at any time. If you discontinue payment, your account will enter a frozen (read-only) state that still allows you to retrieve and export your information. Your export will be limited to the information you saved in 1Password. We can’t guarantee that vault permissions, group structures, and other details about relationships between people and information are included.&amp;quot;&amp;lt;ref name=&amp;quot;privacy&amp;quot;&amp;gt;{{Cite web |date=2025-02-27 |title=About 1Password and your privacy |url=https://support.1password.com/1password-privacy/ |url-status=live |archive-url=https://web.archive.org/web/20250905085406/https://support.1password.com/1password-privacy/ |archive-date=2025-09-05 |access-date=2025-09-05 |work=1Password Support}}&amp;lt;/ref&amp;gt;&amp;lt;/blockquote&amp;gt;Users can import existing passwords from other managers and export passwords and other content in formats suitable for importing into other managers. 1Password is not a walled-garden. Allowing the subscription to expire places an account in a read-only state, where the user can still download their passwords and other saved content.&lt;br /&gt;
&lt;br /&gt;
===Privacy===&lt;br /&gt;
From &amp;quot;Your Rights&amp;quot; section of the privacy policy:&amp;lt;blockquote&amp;gt;&amp;quot;&#039;&#039;&#039;You have the right to your information.&#039;&#039;&#039; We&#039;ll never lock you out of your 1Password account, but we&#039;re unable to decrypt it for you.&amp;quot;&amp;lt;ref name=&amp;quot;privacy&amp;quot; /&amp;gt; &amp;lt;/blockquote&amp;gt;This implies anything inside it is hidden from the company, which is great as it is a password manager.&amp;lt;blockquote&amp;gt;&amp;quot;&#039;&#039;&#039;You have the right to know what we know.&#039;&#039;&#039; You have the right to know what we know about you and see how we handle that information. If you make such a request, you&#039;ll receive a screenshot of what we can see about you in our systems. To protect customer privacy, these requests will be carefully authenticated beyond demonstrating control of the registered email address.&amp;quot;&amp;lt;ref name=&amp;quot;privacy&amp;quot; /&amp;gt;&amp;lt;/blockquote&amp;gt;Possibly, such a request will need to contain identifying information you have to provide in order to use the service such as email, name, address, and payment information.&lt;br /&gt;
&lt;br /&gt;
===User security===&lt;br /&gt;
Users should be aware that using password manager browser extensions increases their vulnerability to clickjacking&amp;lt;ref name=&amp;quot;:0&amp;quot;&amp;gt;{{Cite web |last=Toulas |first=Bill |date=2025-08-20 |title=Major password managers can leak logins in clickjacking attacks |url=https://www.bleepingcomputer.com/news/security/major-password-managers-can-leak-logins-in-clickjacking-attacks/ |url-status=live |archive-url=https://web.archive.org/web/20250929091759/https://www.bleepingcomputer.com/news/security/major-password-managers-can-leak-logins-in-clickjacking-attacks/ |archive-date=2025-09-29 |access-date=2025-09-05 |work=Bleeping Computer}}&amp;lt;/ref&amp;gt; where the autofill feature of password managers is abused to trick the password manager into leaking user credentials and other sensitive details.&amp;lt;ref name=&amp;quot;:1&amp;quot;&amp;gt;{{Cite web |last=Naprys |first=Ernestas |date=2025-08-21 |title=Major flaw affecting password managers: they autofill credentials for attackers |url=https://cybernews.com/security/password-managers-autofill-credentials-for-attackers/ |url-status=live |archive-url=https://web.archive.org/web/20251019001532/https://cybernews.com/security/password-managers-autofill-credentials-for-attackers/ |archive-date=2025-10-19 |access-date=2025-09-05 |work=Cybernews}}&amp;lt;/ref&amp;gt; It is considered best practice to copy in these elements on trusted pages manually. &amp;lt;ref name=&amp;quot;:0&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;:1&amp;quot; /&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |last=Tóth |first=Marek |date=2025-09-11 |title=DOM-based Extension Clickjacking: Your Password Manager Data at Risk |url=https://marektoth.com/blog/dom-based-extension-clickjacking/ |url-status=live |archive-url=https://web.archive.org/web/20251020074626/https://marektoth.com/blog/dom-based-extension-clickjacking/ |archive-date=2025-10-20 |access-date=2025-10-21 |website=marektóth}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Business model===&lt;br /&gt;
Subscription based, has a strong emphasis on enterprise credential management,&amp;lt;ref&amp;gt;{{Cite web |title=1Password Device Trust |url=https://1password.com/product/device-trust |url-status=live |archive-url=https://web.archive.org/web/20251030021959/https://1password.com/product/device-trust |archive-date=2025-10-30 |access-date=2025-10-21 |website=1Password}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=XAM: Extended Access Management |url=https://1password.com/extended-access-management |url-status=live |archive-url=https://web.archive.org/web/20251020062352/https://1password.com/extended-access-management |archive-date=2025-10-20 |access-date=2025-10-21 |website=1Password}}&amp;lt;/ref&amp;gt;  especially for enterprise secret management (e.g., SSH keys, authentication tokens, API keys, etc.).&amp;lt;ref&amp;gt;{{Cite web |title=1Password for SSH &amp;amp; Git {{!}} 1Password Developer |url=https://developer.1password.com/docs/ssh/ |url-status=live |archive-url=https://web.archive.org/web/20260202024518/https://developer.1password.com/docs/ssh/ |archive-date=2026-02-02 |access-date=2026-02-10 |website=1Password Developer}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=1Password for VS Code {{!}} 1Password Developer |url=https://developer.1password.com/docs/vscode/ |url-status=live |archive-url=https://web.archive.org/web/20260208113329/https://developer.1password.com/docs/vscode/ |archive-date=2026-02-08 |access-date=2026-02-10 |website=1Password Developer}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=1Password Developer Watchtower {{!}} 1Password Developer |url=https://developer.1password.com/docs/watchtower/ |url-status=live |archive-url=https://web.archive.org/web/20260126204826/https://developer.1password.com/docs/watchtower/ |archive-date=2026-01-26 |access-date=2026-02-10 |website=1Password Developer}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=1Password SDKs {{!}} 1Password Developer |url=https://developer.1password.com/docs/sdks/ |url-status=live |archive-url=https://web.archive.org/web/20260126204850/https://developer.1password.com/docs/sdks/ |archive-date=2026-01-26 |access-date=2026-02-10 |website=1Password Developer}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=1Password Developer |url=https://developer.1password.com/ |url-status=live |archive-url=https://web.archive.org/web/20260126204759/https://developer.1password.com/ |archive-date=2026-01-26 |access-date=2026-02-10 |website=1Password Developer}}&amp;lt;/ref&amp;gt; &amp;lt;!-- A skim through the product pages, I couldn&#039;t find this particular mention. It&#039;s probably somewhere, though and that the problem is I don&#039;t understand the technology to know where to look --&amp;gt;&amp;lt;!-- I&#039;ve Given a bunch of citations which could fit. Cut out what you think is irrelevant or keep it all. - L4C --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Market control===&lt;br /&gt;
&amp;lt;!-- This still kinda sucks, but I did technically delete what I felt was placeholder text -Raster --&amp;gt; &lt;br /&gt;
1Password claims on its website front page that it is industry leading, although it does not cite any public market researches or 3rd party audits. However, a bug bounty program exists on HackerOne.&amp;lt;ref&amp;gt;{{Cite web |date=2024-12-09 |title=1Password - CTF {{!}} Bug Bounty Program Policy |url=https://hackerone.com/1password_ctf?type=team |url-status=live |archive-url=https://web.archive.org/web/20251004161711/https://hackerone.com/1password_ctf?type=team |archive-date=2025-10-04 |access-date=2025-10-21 |website=HackerOne}}&amp;lt;/ref&amp;gt; Market studies and reviews (as of October 2025) show that it has significant competitive control.&amp;lt;ref&amp;gt;{{Cite web |title=Password Management Market Size &amp;amp; Share Analysis - Growth Trends &amp;amp; Forecasts (2025 - 2030) |url=https://www.mordorintelligence.com/industry-reports/password-management-market |url-status=live |archive-url=https://web.archive.org/web/20250907113812/https://www.mordorintelligence.com/industry-reports/password-management-market |archive-date=2025-09-07 |access-date=2025-10-21 |website=Mordor Intelligence}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |last=Bouman |first=Amber |last2=Spadafora |first2=Anthony |date=2025-09-11 |title=The best password managers in 2025 |url=https://www.tomsguide.com/us/best-password-managers,review-3785.html |url-status=live |archive-url=https://web.archive.org/web/20251012224159/https://www.tomsguide.com/us/best-password-managers,review-3785.html |archive-date=2025-10-12 |access-date=2025-10-21 |website=Tom&#039;s Guide}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |last=Key |first=Kim |last2=Henry |first2=Alan |date=2025-10-14 |title=The Best Password Managers for 2025 |url=https://www.pcmag.com/picks/the-best-password-managers |url-status=live |archive-url=https://web.archive.org/web/20251017061423/https://www.pcmag.com/picks/the-best-password-managers |archive-date=2025-10-17 |access-date=2025-10-21 |website=PCMag}}&amp;lt;/ref&amp;gt; &amp;lt;!-- These are by no means amazing sources, I just skimmed through with Ctrl + F to see what they said about 1Password. Generally it&#039;s like 5 star reviews with &amp;quot;it&#039;s okay&amp;quot; as the actual review -raster --&amp;gt; &lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
This is a list of all consumer protection incidents related to this product. Any incidents not mentioned here can be found in the [[:Category:{{PAGENAME}}|{{PAGENAME}} category]].&lt;br /&gt;
&lt;br /&gt;
===1Password Okta instance breach, discovered (&#039;&#039;29 Sept 2023&#039;&#039;)===&lt;br /&gt;
On September 28, 2023, the Okta Help Center suffered a security incident. During the breach, the attackers were able to extract sensitive data from the customer support system.&amp;lt;ref&amp;gt;{{Cite web |last=Bradbury |first=David |date=2023-11-29 |title=October Customer Support Security Incident - Update and Recommended Actions |url=https://sec.okta.com/articles/october-security-incident-recommended-actions/ |url-status=live |archive-url=https://web.archive.org/web/20240720042135/sec.okta.com/articles/october-security-incident-recommended-actions/ |archive-date=2024-07-20 |access-date=2026-01-05 |website=Okta Security}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
1Password, which uses an Okta instance, published a blog post disclosing an internal investigation of the breach.&amp;lt;ref&amp;gt;{{Cite web |last=Canahuati |first=Pedro |date=2023-10-23 |title=Okta Support System incident and 1Password |url=https://blog.1password.com/okta-incident/ |url-status=live |archive-url=https://web.archive.org/web/20250905070945/https://blog.1password.com/okta-incident/ |archive-date=2025-09-05 |access-date=2025-09-05 |work=1Password Blog}}&amp;lt;/ref&amp;gt; According to their disclosure, the attackers&#039; actions triggered an email to a member of the IT team who acted swiftly to contain the breach. The company reported that no user data was exfiltrated or decrypted.&amp;lt;ref&amp;gt;{{Cite web |date=2023-10-27 |title=Security incident report |url=https://blog.1password.com/files/okta-incident/okta-incident-report.pdf |archive-url=https://web.archive.org/web/20250920201057if_/https://blog.1password.com/files/okta-incident/okta-incident-report.pdf |archive-date=2025-09-20 |access-date=2026-01-23 |website=1Password Blog}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===1Password License Controversy===&lt;br /&gt;
&lt;br /&gt;
1Password’s so-called “lifetime license” (i.e., standalone license) was a perpetual license for a specific major version, not unlimited future upgrades: 1Password 7 for Windows launched with standalone licensing on May 29, 2018&amp;lt;ref&amp;gt;{{Cite web |title=1Password for Windows Release Notes |url=https://app-updates.agilebits.com/product_history/OPW6 |url-status=live |access-date=2026-04-30 |website=1Password}}&amp;lt;/ref&amp;gt;, however, after the release of 1Password 8, previous licenses would not be offered and previous versions would no longer be supported &amp;lt;ref&amp;gt;{{Cite web |title=Upgrading to version 8 from 7 |url=https://www.1password.community/discussions/1password/upgrading-to-version-8-from-7/159414 |url-status=live |access-date=2026-04-30 |website=1Password Community}}&amp;lt;/ref&amp;gt;, making 1Password effectively membership-only and pushing users toward a 1Password account. While existing 1Password 7 licenses did not expire, their end-of-life meant that users would likely bump on vulnerabilities (see comment by 1P_SimonH&amp;lt;ref&amp;gt;{{Cite web |title=Upgrading to version 8 from 7 |url=https://www.1password.community/discussions/1password/upgrading-to-version-8-from-7/159414 |url-status=live |access-date=2026-04-30 |website=1Password Community}}&amp;lt;/ref&amp;gt;).&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[[LastPass]]&lt;br /&gt;
*[[Bitwarden]]&lt;br /&gt;
*[[NordVPN]]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=NordVPN&amp;diff=59220</id>
		<title>NordVPN</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=NordVPN&amp;diff=59220"/>
		<updated>2026-06-28T07:45:05Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: /* See also */ added more links to &amp;#039;see also&amp;#039;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{StubNotice}}&lt;br /&gt;
{{CompanyCargo&lt;br /&gt;
|Description=Lithuanian virtual private network provider.&lt;br /&gt;
|Founded=2012&lt;br /&gt;
|Industry=Cybersecurity, Virtual Private Networks&lt;br /&gt;
|Logo=NordVPN logo.svg&lt;br /&gt;
|ParentCompany=Nord Security&lt;br /&gt;
|Type=Private&lt;br /&gt;
|Website=https://nordvpn.com&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
&#039;&#039;&#039;{{wplink|NordVPN}}&#039;&#039;&#039; is a {{wplink|virtual private network}} (VPN) service provider owned by Nord Security. NordVPN heavily advertises their products on popular YouTube channels. NordVPN operates worldwide, with offices in the United Kingdom, the Netherlands, Poland, Germany, the United States, Lithuania, Switzerland, and Panama.&lt;br /&gt;
&lt;br /&gt;
==Consumer-impact summary==&lt;br /&gt;
&lt;br /&gt;
*&#039;&#039;&#039;User freedom:&#039;&#039;&#039; A class action lawsuit was proposed accusing NordVPN of unlawful subscription renewal practices.&lt;br /&gt;
*&#039;&#039;&#039;User privacy:&#039;&#039;&#039; Internet traffic that exits the US border is subject to interception by US intelligence agencies (not limited to NordVPN); tracking services have been found within NordVPN&#039;s mobile app; has suffered a breach of one of their data centers that was only disclosed more than a year after the incident.&lt;br /&gt;
*&#039;&#039;&#039;Business model:&#039;&#039;&#039; Sells subscription services that mainly include their VPN product, but higher tiers can also have add-ons such as their identity protection service &#039;&#039;NordProtect&#039;&#039;, their cloud storage service &#039;&#039;NordLocker&#039;&#039; and their password manager &#039;&#039;NordPass&#039;&#039; as well as others.&lt;br /&gt;
*&#039;&#039;&#039;Market competition:&#039;&#039;&#039; Plenty of popular brands (i.e. [https://protonvpn.com/ ProtonVPN], [https://mullvad.net/en Mullvad], ...).&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
&lt;br /&gt;
===Subscription Renewal Practices===&lt;br /&gt;
&lt;br /&gt;
A class action lawsuit has been proposed on November 19, 2024 accusing NordVPN and its developer Nord Security of using deceptive and illegal subscription renewal practices.&amp;lt;ref&amp;gt;Rizzi, C. (2024, November 20). NordVPN lawsuit filed over allegedly illegal automatic subscription renewal practices. ClassAction.org. Retrieved May 24, 2025, from https://www.classaction.org/news/nordvpn-lawsuit-filed-over-allegedly-illegal-automatic-subscription-renewal-practices ([http://web.archive.org/web/20250720090038/https://www.classaction.org/news/nordvpn-lawsuit-filed-over-allegedly-illegal-automatic-subscription-renewal-practices Archived])&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Privacy concerns===&lt;br /&gt;
&lt;br /&gt;
Due to current laws, United States intelligence agencies are prohibited from spying on American citizens&#039; communications, including internet traffic (with some expanding exceptions).&amp;lt;ref&amp;gt;{{Cite web |title=Electronic Communications Privacy Act of 1986 (ECPA) |url=https://bja.ojp.gov/program/it/privacy-civil-liberties/authorities/statutes/1285 |url-status=live |access-date=2025-03-25 |website=Office of Justice Programs |archive-url=http://web.archive.org/web/20260124102522/https://bja.ojp.gov/program/it/privacy-civil-liberties/authorities/statutes/1285 |archive-date=24 Jan 2026}}&amp;lt;/ref&amp;gt; However, internet traffic that exits the country is legally subject to interception and decryption. This includes VPN providers that route traffic outside the United States. As a result, using a VPN may inadvertently expose users to surveillance by U.S. intelligence agencies. No international VPN providers disclose this risk to their customers. It is entirely legal for U.S. intelligence agencies to break encryption, perform man-in-the-middle attacks, or employ other methods to weaken encryption on data crossing international borders.&lt;br /&gt;
&lt;br /&gt;
If data passes international borders it is subject to &amp;quot;bulk collection&amp;quot; by the Intelligence Community because of Executive Order 12333.&amp;lt;ref&amp;gt;{{Cite web |last=Goitein |first=Elizabeth |date=2022-02-15 |title=How the CIA Is Acting Outside the Law to Spy on Americans |url=https://www.brennancenter.org/our-work/analysis-opinion/how-cia-acting-outside-law-spy-americans |url-status=live |access-date=2025-03-26 |website=Brennan Center |archive-url=http://web.archive.org/web/20251210020204/https://www.brennancenter.org/our-work/analysis-opinion/how-cia-acting-outside-law-spy-americans |archive-date=10 Dec 2025}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Tracking inside App===&lt;br /&gt;
An analysis by German privacy blogger and activist Mike Kuketz found third party tracking services embedded into the apps of five different VPN services, including three in NordVPN&#039;s app (AppsFlyer, Google Crashlytics, and Google Firebase Analytics).&amp;lt;ref&amp;gt;{{Cite web |last=Kuketz |first=Mike |date=2025-09-29 |title=VPN-Apps: Wenn »Sicherheits-Apps« selbst zum Risiko werden [VPN-Apps: When &amp;quot;Security-Apps&amp;quot; themselves become a risk] |url=https://www.kuketz-blog.de/vpn-apps-wenn-sicherheits-apps-selbst-zum-risiko-werden/ |url-status=live |archive-url=https://megalodon.jp/2026-0408-0210-36/https://www.kuketz-blog.de:443/vpn-apps-wenn-sicherheits-apps-selbst-zum-risiko-werden/ |archive-date=7 Apr 2026 |access-date=2025-10-27 |website=Kuketz IT-Security}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
When confronted with the allegations, NordVPN denied the allegations, answering with statements about the website instead of the smarphone app. Kuketz then conducted his own in-depth analysis of the app&#039;s traffic (his initial analysis was based on data from the [https://exodus-privacy.eu.org/en/ Exodus Privacy Project]), revealing that at least two of the trackers were indeed present.&lt;br /&gt;
&lt;br /&gt;
Confronted with the results, the company spoke of a &amp;quot;misunderstanding&amp;quot;, which Kuketz describes as &amp;quot;not very convincing&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
He further notes that NordVPN&#039;s PR manager is using a NordVPN e-mail address which is hosted by Google, meaning any e-mail communication with the company over the same channels would be fully exposed to the advertising giant&#039;s data collection.&amp;lt;ref&amp;gt;{{Cite web |last=Kuketz |first=Mike |date=2025-10-20 |title=NordVPN bestreitet den Einsatz von Trackern – Doch ein App-Mitschnitt zeigt ein anderes Bild [NordVPN denies use of trackers – but an analysis of the app&#039;s traffic paints a different picture] |url=https://www.kuketz-blog.de/nordvpn-bestreitet-den-einsatz-von-trackern-doch-ein-app-mitschnitt-zeigt-ein-anderes-bild/ |url-status=live |archive-url=https://megalodon.jp/2026-0408-0210-39/https://www.kuketz-blog.de:443/nordvpn-bestreitet-den-einsatz-von-trackern-doch-ein-app-mitschnitt-zeigt-ein-anderes-bild/ |archive-date=7 Apr 2026 |access-date=2025-10-27 |website=Kuketz IT-Security}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Data center breach===&lt;br /&gt;
In March 2018 one of NordVPN&#039;s third party servers located in Finland was breached. According to official accounts&amp;lt;ref name=&amp;quot;:0&amp;quot;&amp;gt;{{Cite web |date=2019-10-21 |title=Why the NordVPN network is safe after a third-party provider breach |url=https://nordvpn.com/blog/official-response-datacenter-breach/ |url-status=live |archive-url=https://megalodon.jp/2026-0408-0206-55/https://nordvpn.com:443/blog/official-response-datacenter-breach/ |archive-date=7 Apr 2026 |access-date=2026-02-22 |website=NordVPN}}&amp;lt;/ref&amp;gt; the attacker gained access to the server thanks to poor management on the data center part, which shortly after patched the issue but failed to make NordVPN aware of the breach until April 13, 2018.&lt;br /&gt;
&lt;br /&gt;
No sensitive user data was stolen, but the attacker did get access to TLS keys which &#039;&#039;&amp;quot;under extraordinary circumstances, could be used to attack a single user on the web using a specifically targeted and highly sophisticated MITM attack&amp;quot;&#039;&#039;.&amp;lt;ref name=&amp;quot;:0&amp;quot; /&amp;gt;  Said TLS keys were made public by the attacker on the website 8chan together with information relating to breaches of other VPN providers such as TorGuard and VikingVPN.&amp;lt;ref&amp;gt;{{Cite web |date=2019-10-23 |title=NordVPN Hack – Everything You Need to Know |url=https://cyberinsider.com/nordvpn-hack/ |access-date=2026-02-22 |website=Cyber Insider |archive-url=http://web.archive.org/web/20260131112151/https://cyberinsider.com/nordvpn-hack/ |archive-date=31 Jan 2026}}&amp;lt;/ref&amp;gt; &lt;br /&gt;
&lt;br /&gt;
NordVPN released an official statement more than a year later, only after a researcher on [https://x.com/ X] revealed that NordVPN &#039;&#039;&amp;quot;was compromised at some point&amp;quot;&#039;&#039;.&amp;lt;ref&amp;gt;{{Cite web |first= |date=2019-10-20 |title=So apparently NordVPN was compromised at some point |url=https://nitter.catsarch.com/hexdefined/status/1185864801261477891 |url-status=live |archive-url=https://web.archive.org/web/20260407180621/https://nitter.catsarch.com/hexdefined/status/1185864801261477891 |archive-date=7 Apr 2026 |access-date=2026-02-22 |website=x.com}}&amp;lt;/ref&amp;gt; This was followed by significant turmoil within the community, as individuals remained uninformed for all of this time. According to NordVPN, the delay was justified by an internal audit they were executing of all of their servers which they wanted to complete before notifying the public, making sure that the attack could not be replicated.&amp;lt;ref name=&amp;quot;:0&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
NordVPN has since taken down the affected server and terminated the contract with the data center. A security plan was later announced as well.&amp;lt;ref&amp;gt;{{Cite web |first= |date=2019-10-26 |title=How NordVPN will become more secure than ever |url=https://nordvpn.com/blog/security-plan/ |url-status=live |archive-url=https://megalodon.jp/2026-0408-0209-06/https://nordvpn.com:443/blog/security-plan/ |archive-date=7 Apr 2026 |access-date=2026-02-22 |website=NordVPN}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Products==&lt;br /&gt;
&lt;br /&gt;
*NordVPN&lt;br /&gt;
*NordPass&lt;br /&gt;
*NordLocker&lt;br /&gt;
*NordProtect&lt;br /&gt;
*Saily&lt;br /&gt;
&lt;br /&gt;
==Consumer friendly alternatives==&lt;br /&gt;
&lt;br /&gt;
===&#039;&#039;&#039;VPN:&#039;&#039;&#039;===&lt;br /&gt;
*[https://mullvad.net/vpn Mullvad VPN]&lt;br /&gt;
*[https://protonvpn.com/ ProtonVPN]&lt;br /&gt;
&lt;br /&gt;
===&#039;&#039;&#039;Password manager:&#039;&#039;&#039;===&lt;br /&gt;
&lt;br /&gt;
*[https://bitwarden.com/ Bitwarden]&lt;br /&gt;
&lt;br /&gt;
===Cloud storage:===&lt;br /&gt;
&lt;br /&gt;
*&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[[VPN Secure]]&lt;br /&gt;
*[[LastPass]]&lt;br /&gt;
*[[1Password]]&lt;br /&gt;
*[[Bitwarden]]&lt;br /&gt;
*[[Mullvad]]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
&amp;lt;references /&amp;gt;&lt;br /&gt;
[[Category:NordVPN]]&lt;br /&gt;
[[Category:Cybersecurity companies]]&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59219</id>
		<title>Bitwarden</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59219"/>
		<updated>2026-06-28T07:41:13Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: /* See also */ added more links to &amp;#039;see also&amp;#039;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{CompanyCargo&lt;br /&gt;
|Founded=2019-10-28&lt;br /&gt;
|Industry=Software&lt;br /&gt;
|Type=Private&lt;br /&gt;
|Logo=Bitwarden logo.webp&lt;br /&gt;
|CompanyAlias=Bitwarden, Inc.&lt;br /&gt;
|Website=https://bitwarden.com, https://bitwarden.eu&lt;br /&gt;
}}&lt;br /&gt;
Bitwarden is an American software company, incorporated in Delaware and with headquarters in Santa Barbara, California.&amp;lt;ref&amp;gt;{{Cite web |title=Division of Corporations |url=https://icis.corp.delaware.gov/ecorp/entitysearch/NameSearch.aspx |url-status=live |website=icis.corp.delaware.gov |quote=File Number: 7654941}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Business Search |url=https://bizfileonline.sos.ca.gov/search/business |url-status=live |website=bizfileonline.sos.ca.gov |quote=BITWARDEN INC. (4612828)}}&amp;lt;/ref&amp;gt; Its main product is the eponymous password manager.&lt;br /&gt;
&lt;br /&gt;
==Consumer-impact summary==&lt;br /&gt;
In 2026, Bitwarden&#039;s long time CEO, as well as the CFO were replaced. No official announcements of this were made by the company. Shortly after, the phrase &amp;quot;Always free&amp;quot;, which had been on the company&#039;s products site for years, disappeared, sparking concern among some users. A [[Reddit]] user, reported to be a Bitwarden employee, stated, in a comment that this had been a simple oversight. This comment was not well received among other users, many of whom expressed disbelief and distrust. Some of them also stated that they&#039;d start looking for alternative password managers. In addition, the company&#039;s acronym, GRIT, which had been used to describe &amp;quot;company culture for years&amp;quot; had been quietly changed. (See: [[Bitwarden#Quiet changes (2026)|Quiet changes (2026)]].)&lt;br /&gt;
&lt;br /&gt;
From 2018 to 2023, the company had been aware of a security vulnerability in their autofill feature and had even documented it and assigned it a name, but chose to tolerate it, because they wished to accommodate legitimate sites that used the feature (it was reported that the risk had been &amp;quot;very low&amp;quot;). In 2023, the company resolved the matter. (See: [[Bitwarden#Autofill vulnerability (2018-2023)|Autofill vulnerability (2018-2023)]].)&lt;br /&gt;
&lt;br /&gt;
In April 2026, Bitwarden&#039;s CLI NPM package, was found to have included a &amp;quot;credential-stealing payload.&amp;quot; Users of this CLI package were the only affected users. (See: [[Bitwarden#Malicious @bitwarden/cli (NPM) package (2026)|Malicious @bitwarden/cli (NPM) package (2026)]].)&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
===Autofill vulnerability (2018-2023)===&lt;br /&gt;
The autofill feature in Bitwarden&#039;s browser extension contained &amp;quot;risky-behavior&amp;quot; that could &amp;quot;allow malicious iframes embedded in trusted websites to steal people&#039;s credentials and send them to an attacker.&amp;quot;&amp;lt;ref name=&amp;quot;bc&amp;quot;&amp;gt;{{Cite web |first=Bill |last=Toulas |date=2023-03-08 |title=Bitwarden flaw can let hackers steal passwords using iframes |url=https://www.bleepingcomputer.com/news/security/bitwarden-flaw-can-let-hackers-steal-passwords-using-iframes/ |url-status=live |website=bleepingcomputer.com |archive-url=https://web.archive.org/web/20260515233256/https://www.bleepingcomputer.com/news/security/bitwarden-flaw-can-let-hackers-steal-passwords-using-iframes/ |archive-date=2026-05-15 |access-date=2026-06-28}}&amp;lt;/ref&amp;gt; (&amp;quot;According to the Mozilla HTML documentation the &amp;lt;iframe&amp;gt; HTML element represents a nested browsing context, embedding another HTML page into the current one.&amp;quot;)&amp;lt;ref name=&amp;quot;fp&amp;quot;&amp;gt;{{Cite web |date=2023-03-07 |author=Flashpoint Intel Team |title=Bitwarden: The Curious (Use-)Case of Password Pilfering |url=https://flashpoint.io/blog/bitwarden-password-pilfering/ |url-status=live |website=flashpoint.io |archive-url=https://web.archive.org/web/20260516015310/https://flashpoint.io/blog/bitwarden-password-pilfering/ |archive-date=2026-05-16 |access-date=2026-06-28}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
Reportedly, Bitwarden had been aware of this since 2018 (documented as (BWN-01-001)&amp;lt;ref name=&amp;quot;fp&amp;quot; /&amp;gt;), but tolerated it to &amp;quot;accommodate legitimate sites that use iframes.&amp;quot; It is worth noting that the feature had been disabled by default, there had still been sites on which this could be exploited. With autofill enabled, Bitwarden&#039;s web extension filled in credentials automatically when a page gets loaded, without the user having to intervene in the process.&amp;lt;ref name=&amp;quot;bc&amp;quot; /&amp;gt;&amp;lt;blockquote&amp;gt;&#039;While the embedded iframe does not have access to any content in the parent page, it can wait for input to the login form and forward the entered credentials to a remote server without further user interaction,&#039; explains Flashpoint.&amp;lt;ref name=&amp;quot;bc&amp;quot; /&amp;gt;&amp;lt;/blockquote&amp;gt;Reportedly, the &amp;quot;number of risky cases was very low.&amp;quot; While investigating this, it was also discovered that autofill filled in credentials &amp;quot;on subdomains of the base domain matching a login. This means an attacker hosting a phishing page under a subdomain that matches a stored login for a given base domain will capture the credentials upon the victim visiting the page if autofill is enabled.&amp;quot;&amp;lt;ref name=&amp;quot;bc /&amp;gt; In 2023, it was reported that Bitwarden&amp;lt;blockquote&amp;gt;decided to address user concerns by eliminating the iframe attack vector while keeping the autofill functionality intact.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;bc&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Malicious @bitwarden/cli (NPM) package (2026)===&lt;br /&gt;
In April 2026, it was revealed that Bitwarden&#039;s {{Wplink|Command-line interface|CLI}} package, distributed via {{Wplink|npm}}, included a &amp;quot;credential-stealing payload.&amp;quot; Reportedly, only the only affected users were the CLI package&#039;s users, not all Bitwarden users in general.&amp;lt;ref&amp;gt;{{Cite web |first=Davey |last=Winder |date=2026-04-24 |title=Bitwarden Confirms Compromise—Here Are The Facts |url=https://www.forbes.com/sites/daveywinder/2026/04/24/bitwarden-confirms-compromise-here-are-the-facts-for-10-million-users/ |url-status=live |website=forbes.com |archive-url=https://ghostarchive.org/archive/DTGH8 |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; The package also reportedly contained the string &amp;quot;Shai-Hulud: The Third Coming&amp;quot;, &amp;quot;Shai-Hulud&amp;quot; referring to a {{Wplink|computer worm}}.&amp;lt;ref&amp;gt;{{Cite web |first=Justin |last=Moore |date=2025-11-25 |title=&amp;quot;Shai-Hulud&amp;quot; Worm Compromises npm Ecosystem in Supply Chain Attack |url=https://unit42.paloaltonetworks.com/npm-supply-chain-attack/ |url-status=live |website=unit42.paloaltonetworks.com |archive-url=https://ghostarchive.org/archive/bzU3J |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; It was also reported that: &amp;lt;blockquote&amp;gt;OX Security has observed real user information leaked by the malware. The infection is likely to spread further across NPM and GitHub as more machines are compromised over time.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The malware’s origin is potentially Russian — it does not execute if the Russian language is configured on the host machine.&amp;lt;ref name=&amp;quot;ox&amp;quot;&amp;gt;{{Cite web |title=Shai-Hulud: The Third Coming — Bitwarden CLI Backdoored in Latest Supply Chain Campaign |author=Siman Tov Bustan |author2=Zadok |date=2026-04-23 |url=https://www.ox.security/blog/shai-hulud-bitwarden-cli-supply-chain-attack/ |url-status=live |website=ox.security |archive-url=https://ghostarchive.org/archive/BjGFQ |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Quiet changes (2026)===&lt;br /&gt;
====Always free====&lt;br /&gt;
The longtime CEO, Michael Crandell is in an &amp;quot;advisory role&amp;quot; since February. In addition, Bitwarden&#039;s CFO was replaced in April. There weren&#039;t any official announcements for either of these changes. Bitwarden&#039;s free plan on their product page included the phrases &amp;quot;Free Forever&amp;quot; and &amp;quot;Always free.&amp;quot;&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; These phrases are present even on the Wayback machine&#039;s oldest archive (2022-06-25) of Bitwarden&#039;s product site.&amp;lt;ref&amp;gt;{{Cite web |title=The Bitwarden Password Manager |date=2022-06-25 |url=https://web.archive.org/web/20220625012714/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:Bitwarden20260414.webp|alt=(I) Bitwarden product page Wayback machine on 2026-04-14|right|(I) Bitwarden product page Wayback machine on 2026-04-14&lt;br /&gt;
File:Bitwarden20260418.webp|alt=(II) Bitwarden product page Wayback machine on 2026-04-18|right|(II) Bitwarden product page Wayback machine on 2026-04-18&lt;br /&gt;
File:Bitwarden20260515.webp|alt=(III) Bitwarden product page Wayback machine on 2026-05-15|right|(III) Bitwarden product page Wayback machine on 2026-05-15&lt;br /&gt;
File:Bitwarden20260519.webp|alt=(IV) Bitwarden product page Wayback machine on 2026-05-19|right|(IV) Bitwarden product page Wayback machine on 2026-05-19&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
&amp;quot;Always free&amp;quot; reportedly disappeared from the site in April.&amp;lt;ref name=&amp;quot;souray&amp;quot;&amp;gt;{{Cite web |first=Souray |last=Rudra |date=2026-05-19 |title=Things Are Quietly Changing at Bitwarden, and People Are Worried |url=https://itsfoss.com/news/bitwarden-quiet-changes/ |website=itsfoss.com |archive-url=https://ghostarchive.org/archive/jmqHZ |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; The archives from April, (I) and (II), reveal that the phrase disappeared sometime between 2026-04-14 (left on image I) and 2026-04-18 (bottom on image II). The archives from May, (III) and (IV) ,reveal that it came back sometime between 2026-05-15 (bottom left on image III) and 2026-05-19 (bottom left on image IV).&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-04-14 |url=https://web.archive.org/web/20260414143347/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-04-18 |url=https://web.archive.org/web/20260418162818/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-05-15 |url=https://web.archive.org/web/20260515190646/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-05-19 |url=https://web.archive.org/web/20260519164353/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt; A [[Reddit]] user by the name of &amp;quot;Ryan_BW&amp;quot;, reportedly a Bitwarden employee,&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; made a post addressing the issue on 2026-05-15, stating that:&amp;lt;blockquote&amp;gt;I would like to share that &amp;quot;always free&amp;quot; has been brought back to the pricing page. There was no specific intention to remove that language from the website while pages were being updated. Simply an oversight on the marketing team (myself included).&amp;lt;/blockquote&amp;gt;The comment was met with several negative replies from other Redditors.&amp;lt;ref&amp;gt;{{Cite web |author=Ryan_BW |date=2026-05-15 |title=Ryan_BW comments on FastCompany: intriguing corporate gossip about Bitwarden |url=https://www.reddit.com/r/Bitwarden/comments/1tdvnh7/comment/olznwcv/ |url-status=live |website=reddit.com |archive-url=https://ghostarchive.org/archive/MPAhX |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====GRIT====&lt;br /&gt;
&amp;lt;blockquote&amp;gt;Bitwarden has used the GRIT acronym to describe its company culture for years, standing for Gratitude, Responsibility, Inclusion, and Transparency.&amp;lt;/blockquote&amp;gt;On the Wayback machine&#039;s archive from 2026-03-14, they were still unchanged on Bitwarden&#039;s blog.&amp;lt;ref&amp;gt;{{Cite web |title=Defining and sustaining value for Bitwarden users |first=Michael |last=Crandell |orig-date=2022-06-08 |date=2026-03-14 |url=https://web.archive.org/web/20260314030243/https://bitwarden.com/blog/defining-and-sustaining-value-for-bitwarden-users/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;blockquote&amp;gt;At some point after that, they were quietly changed. GRIT now stands for Gratitude, Responsibility, Innovation, and Trust.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; The original blog post was also updated, so that it now includes the new version of the acronym.&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |date=2022-06-08 |first=Michael |last=Crandell |title=Defining and sustaining value for Bitwarden users |url=https://bitwarden.com/blog/defining-and-sustaining-value-for-bitwarden-users/#bitwarden-operates-with-grit |url-status=live |website=bitwarden.com |archive-url=https://ghostarchive.org/archive/Iek3a |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Products==&lt;br /&gt;
*Bitwarden password manager&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[[LastPass]]&lt;br /&gt;
*[[1Password]]&lt;br /&gt;
*[[Google password manager overrides third-party autofill]]&lt;br /&gt;
*[[NordVPN]]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59218</id>
		<title>Bitwarden</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59218"/>
		<updated>2026-06-28T07:37:10Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: /* Autofill vulnerability (2018-2023) */ added context&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{CompanyCargo&lt;br /&gt;
|Founded=2019-10-28&lt;br /&gt;
|Industry=Software&lt;br /&gt;
|Type=Private&lt;br /&gt;
|Logo=Bitwarden logo.webp&lt;br /&gt;
|CompanyAlias=Bitwarden, Inc.&lt;br /&gt;
|Website=https://bitwarden.com, https://bitwarden.eu&lt;br /&gt;
}}&lt;br /&gt;
Bitwarden is an American software company, incorporated in Delaware and with headquarters in Santa Barbara, California.&amp;lt;ref&amp;gt;{{Cite web |title=Division of Corporations |url=https://icis.corp.delaware.gov/ecorp/entitysearch/NameSearch.aspx |url-status=live |website=icis.corp.delaware.gov |quote=File Number: 7654941}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Business Search |url=https://bizfileonline.sos.ca.gov/search/business |url-status=live |website=bizfileonline.sos.ca.gov |quote=BITWARDEN INC. (4612828)}}&amp;lt;/ref&amp;gt; Its main product is the eponymous password manager.&lt;br /&gt;
&lt;br /&gt;
==Consumer-impact summary==&lt;br /&gt;
In 2026, Bitwarden&#039;s long time CEO, as well as the CFO were replaced. No official announcements of this were made by the company. Shortly after, the phrase &amp;quot;Always free&amp;quot;, which had been on the company&#039;s products site for years, disappeared, sparking concern among some users. A [[Reddit]] user, reported to be a Bitwarden employee, stated, in a comment that this had been a simple oversight. This comment was not well received among other users, many of whom expressed disbelief and distrust. Some of them also stated that they&#039;d start looking for alternative password managers. In addition, the company&#039;s acronym, GRIT, which had been used to describe &amp;quot;company culture for years&amp;quot; had been quietly changed. (See: [[Bitwarden#Quiet changes (2026)|Quiet changes (2026)]].)&lt;br /&gt;
&lt;br /&gt;
From 2018 to 2023, the company had been aware of a security vulnerability in their autofill feature and had even documented it and assigned it a name, but chose to tolerate it, because they wished to accommodate legitimate sites that used the feature (it was reported that the risk had been &amp;quot;very low&amp;quot;). In 2023, the company resolved the matter. (See: [[Bitwarden#Autofill vulnerability (2018-2023)|Autofill vulnerability (2018-2023)]].)&lt;br /&gt;
&lt;br /&gt;
In April 2026, Bitwarden&#039;s CLI NPM package, was found to have included a &amp;quot;credential-stealing payload.&amp;quot; Users of this CLI package were the only affected users. (See: [[Bitwarden#Malicious @bitwarden/cli (NPM) package (2026)|Malicious @bitwarden/cli (NPM) package (2026)]].)&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
===Autofill vulnerability (2018-2023)===&lt;br /&gt;
The autofill feature in Bitwarden&#039;s browser extension contained &amp;quot;risky-behavior&amp;quot; that could &amp;quot;allow malicious iframes embedded in trusted websites to steal people&#039;s credentials and send them to an attacker.&amp;quot;&amp;lt;ref name=&amp;quot;bc&amp;quot;&amp;gt;{{Cite web |first=Bill |last=Toulas |date=2023-03-08 |title=Bitwarden flaw can let hackers steal passwords using iframes |url=https://www.bleepingcomputer.com/news/security/bitwarden-flaw-can-let-hackers-steal-passwords-using-iframes/ |url-status=live |website=bleepingcomputer.com |archive-url=https://web.archive.org/web/20260515233256/https://www.bleepingcomputer.com/news/security/bitwarden-flaw-can-let-hackers-steal-passwords-using-iframes/ |archive-date=2026-05-15 |access-date=2026-06-28}}&amp;lt;/ref&amp;gt; (&amp;quot;According to the Mozilla HTML documentation the &amp;lt;iframe&amp;gt; HTML element represents a nested browsing context, embedding another HTML page into the current one.&amp;quot;)&amp;lt;ref name=&amp;quot;fp&amp;quot;&amp;gt;{{Cite web |date=2023-03-07 |author=Flashpoint Intel Team |title=Bitwarden: The Curious (Use-)Case of Password Pilfering |url=https://flashpoint.io/blog/bitwarden-password-pilfering/ |url-status=live |website=flashpoint.io |archive-url=https://web.archive.org/web/20260516015310/https://flashpoint.io/blog/bitwarden-password-pilfering/ |archive-date=2026-05-16 |access-date=2026-06-28}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
Reportedly, Bitwarden had been aware of this since 2018 (documented as (BWN-01-001)&amp;lt;ref name=&amp;quot;fp&amp;quot; /&amp;gt;), but tolerated it to &amp;quot;accommodate legitimate sites that use iframes.&amp;quot; It is worth noting that the feature had been disabled by default, there had still been sites on which this could be exploited. With autofill enabled, Bitwarden&#039;s web extension filled in credentials automatically when a page gets loaded, without the user having to intervene in the process.&amp;lt;ref name=&amp;quot;bc&amp;quot; /&amp;gt;&amp;lt;blockquote&amp;gt;&#039;While the embedded iframe does not have access to any content in the parent page, it can wait for input to the login form and forward the entered credentials to a remote server without further user interaction,&#039; explains Flashpoint.&amp;lt;ref name=&amp;quot;bc&amp;quot; /&amp;gt;&amp;lt;/blockquote&amp;gt;Reportedly, the &amp;quot;number of risky cases was very low.&amp;quot; While investigating this, it was also discovered that autofill filled in credentials &amp;quot;on subdomains of the base domain matching a login. This means an attacker hosting a phishing page under a subdomain that matches a stored login for a given base domain will capture the credentials upon the victim visiting the page if autofill is enabled.&amp;quot;&amp;lt;ref name=&amp;quot;bc /&amp;gt; In 2023, it was reported that Bitwarden&amp;lt;blockquote&amp;gt;decided to address user concerns by eliminating the iframe attack vector while keeping the autofill functionality intact.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;bc&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Malicious @bitwarden/cli (NPM) package (2026)===&lt;br /&gt;
In April 2026, it was revealed that Bitwarden&#039;s {{Wplink|Command-line interface|CLI}} package, distributed via {{Wplink|npm}}, included a &amp;quot;credential-stealing payload.&amp;quot; Reportedly, only the only affected users were the CLI package&#039;s users, not all Bitwarden users in general.&amp;lt;ref&amp;gt;{{Cite web |first=Davey |last=Winder |date=2026-04-24 |title=Bitwarden Confirms Compromise—Here Are The Facts |url=https://www.forbes.com/sites/daveywinder/2026/04/24/bitwarden-confirms-compromise-here-are-the-facts-for-10-million-users/ |url-status=live |website=forbes.com |archive-url=https://ghostarchive.org/archive/DTGH8 |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; The package also reportedly contained the string &amp;quot;Shai-Hulud: The Third Coming&amp;quot;, &amp;quot;Shai-Hulud&amp;quot; referring to a {{Wplink|computer worm}}.&amp;lt;ref&amp;gt;{{Cite web |first=Justin |last=Moore |date=2025-11-25 |title=&amp;quot;Shai-Hulud&amp;quot; Worm Compromises npm Ecosystem in Supply Chain Attack |url=https://unit42.paloaltonetworks.com/npm-supply-chain-attack/ |url-status=live |website=unit42.paloaltonetworks.com |archive-url=https://ghostarchive.org/archive/bzU3J |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; It was also reported that: &amp;lt;blockquote&amp;gt;OX Security has observed real user information leaked by the malware. The infection is likely to spread further across NPM and GitHub as more machines are compromised over time.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The malware’s origin is potentially Russian — it does not execute if the Russian language is configured on the host machine.&amp;lt;ref name=&amp;quot;ox&amp;quot;&amp;gt;{{Cite web |title=Shai-Hulud: The Third Coming — Bitwarden CLI Backdoored in Latest Supply Chain Campaign |author=Siman Tov Bustan |author2=Zadok |date=2026-04-23 |url=https://www.ox.security/blog/shai-hulud-bitwarden-cli-supply-chain-attack/ |url-status=live |website=ox.security |archive-url=https://ghostarchive.org/archive/BjGFQ |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Quiet changes (2026)===&lt;br /&gt;
====Always free====&lt;br /&gt;
The longtime CEO, Michael Crandell is in an &amp;quot;advisory role&amp;quot; since February. In addition, Bitwarden&#039;s CFO was replaced in April. There weren&#039;t any official announcements for either of these changes. Bitwarden&#039;s free plan on their product page included the phrases &amp;quot;Free Forever&amp;quot; and &amp;quot;Always free.&amp;quot;&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; These phrases are present even on the Wayback machine&#039;s oldest archive (2022-06-25) of Bitwarden&#039;s product site.&amp;lt;ref&amp;gt;{{Cite web |title=The Bitwarden Password Manager |date=2022-06-25 |url=https://web.archive.org/web/20220625012714/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:Bitwarden20260414.webp|alt=(I) Bitwarden product page Wayback machine on 2026-04-14|right|(I) Bitwarden product page Wayback machine on 2026-04-14&lt;br /&gt;
File:Bitwarden20260418.webp|alt=(II) Bitwarden product page Wayback machine on 2026-04-18|right|(II) Bitwarden product page Wayback machine on 2026-04-18&lt;br /&gt;
File:Bitwarden20260515.webp|alt=(III) Bitwarden product page Wayback machine on 2026-05-15|right|(III) Bitwarden product page Wayback machine on 2026-05-15&lt;br /&gt;
File:Bitwarden20260519.webp|alt=(IV) Bitwarden product page Wayback machine on 2026-05-19|right|(IV) Bitwarden product page Wayback machine on 2026-05-19&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
&amp;quot;Always free&amp;quot; reportedly disappeared from the site in April.&amp;lt;ref name=&amp;quot;souray&amp;quot;&amp;gt;{{Cite web |first=Souray |last=Rudra |date=2026-05-19 |title=Things Are Quietly Changing at Bitwarden, and People Are Worried |url=https://itsfoss.com/news/bitwarden-quiet-changes/ |website=itsfoss.com |archive-url=https://ghostarchive.org/archive/jmqHZ |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; The archives from April, (I) and (II), reveal that the phrase disappeared sometime between 2026-04-14 (left on image I) and 2026-04-18 (bottom on image II). The archives from May, (III) and (IV) ,reveal that it came back sometime between 2026-05-15 (bottom left on image III) and 2026-05-19 (bottom left on image IV).&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-04-14 |url=https://web.archive.org/web/20260414143347/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-04-18 |url=https://web.archive.org/web/20260418162818/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-05-15 |url=https://web.archive.org/web/20260515190646/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-05-19 |url=https://web.archive.org/web/20260519164353/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt; A [[Reddit]] user by the name of &amp;quot;Ryan_BW&amp;quot;, reportedly a Bitwarden employee,&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; made a post addressing the issue on 2026-05-15, stating that:&amp;lt;blockquote&amp;gt;I would like to share that &amp;quot;always free&amp;quot; has been brought back to the pricing page. There was no specific intention to remove that language from the website while pages were being updated. Simply an oversight on the marketing team (myself included).&amp;lt;/blockquote&amp;gt;The comment was met with several negative replies from other Redditors.&amp;lt;ref&amp;gt;{{Cite web |author=Ryan_BW |date=2026-05-15 |title=Ryan_BW comments on FastCompany: intriguing corporate gossip about Bitwarden |url=https://www.reddit.com/r/Bitwarden/comments/1tdvnh7/comment/olznwcv/ |url-status=live |website=reddit.com |archive-url=https://ghostarchive.org/archive/MPAhX |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====GRIT====&lt;br /&gt;
&amp;lt;blockquote&amp;gt;Bitwarden has used the GRIT acronym to describe its company culture for years, standing for Gratitude, Responsibility, Inclusion, and Transparency.&amp;lt;/blockquote&amp;gt;On the Wayback machine&#039;s archive from 2026-03-14, they were still unchanged on Bitwarden&#039;s blog.&amp;lt;ref&amp;gt;{{Cite web |title=Defining and sustaining value for Bitwarden users |first=Michael |last=Crandell |orig-date=2022-06-08 |date=2026-03-14 |url=https://web.archive.org/web/20260314030243/https://bitwarden.com/blog/defining-and-sustaining-value-for-bitwarden-users/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;blockquote&amp;gt;At some point after that, they were quietly changed. GRIT now stands for Gratitude, Responsibility, Innovation, and Trust.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; The original blog post was also updated, so that it now includes the new version of the acronym.&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |date=2022-06-08 |first=Michael |last=Crandell |title=Defining and sustaining value for Bitwarden users |url=https://bitwarden.com/blog/defining-and-sustaining-value-for-bitwarden-users/#bitwarden-operates-with-grit |url-status=live |website=bitwarden.com |archive-url=https://ghostarchive.org/archive/Iek3a |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Products==&lt;br /&gt;
*Bitwarden password manager&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[[LastPass]]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59217</id>
		<title>Bitwarden</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59217"/>
		<updated>2026-06-28T07:35:40Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: /* Consumer-impact summary */ added content&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{CompanyCargo&lt;br /&gt;
|Founded=2019-10-28&lt;br /&gt;
|Industry=Software&lt;br /&gt;
|Type=Private&lt;br /&gt;
|Logo=Bitwarden logo.webp&lt;br /&gt;
|CompanyAlias=Bitwarden, Inc.&lt;br /&gt;
|Website=https://bitwarden.com, https://bitwarden.eu&lt;br /&gt;
}}&lt;br /&gt;
Bitwarden is an American software company, incorporated in Delaware and with headquarters in Santa Barbara, California.&amp;lt;ref&amp;gt;{{Cite web |title=Division of Corporations |url=https://icis.corp.delaware.gov/ecorp/entitysearch/NameSearch.aspx |url-status=live |website=icis.corp.delaware.gov |quote=File Number: 7654941}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Business Search |url=https://bizfileonline.sos.ca.gov/search/business |url-status=live |website=bizfileonline.sos.ca.gov |quote=BITWARDEN INC. (4612828)}}&amp;lt;/ref&amp;gt; Its main product is the eponymous password manager.&lt;br /&gt;
&lt;br /&gt;
==Consumer-impact summary==&lt;br /&gt;
In 2026, Bitwarden&#039;s long time CEO, as well as the CFO were replaced. No official announcements of this were made by the company. Shortly after, the phrase &amp;quot;Always free&amp;quot;, which had been on the company&#039;s products site for years, disappeared, sparking concern among some users. A [[Reddit]] user, reported to be a Bitwarden employee, stated, in a comment that this had been a simple oversight. This comment was not well received among other users, many of whom expressed disbelief and distrust. Some of them also stated that they&#039;d start looking for alternative password managers. In addition, the company&#039;s acronym, GRIT, which had been used to describe &amp;quot;company culture for years&amp;quot; had been quietly changed. (See: [[Bitwarden#Quiet changes (2026)|Quiet changes (2026)]].)&lt;br /&gt;
&lt;br /&gt;
From 2018 to 2023, the company had been aware of a security vulnerability in their autofill feature and had even documented it and assigned it a name, but chose to tolerate it, because they wished to accommodate legitimate sites that used the feature (it was reported that the risk had been &amp;quot;very low&amp;quot;). In 2023, the company resolved the matter. (See: [[Bitwarden#Autofill vulnerability (2018-2023)|Autofill vulnerability (2018-2023)]].)&lt;br /&gt;
&lt;br /&gt;
In April 2026, Bitwarden&#039;s CLI NPM package, was found to have included a &amp;quot;credential-stealing payload.&amp;quot; Users of this CLI package were the only affected users. (See: [[Bitwarden#Malicious @bitwarden/cli (NPM) package (2026)|Malicious @bitwarden/cli (NPM) package (2026)]].)&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
===Autofill vulnerability (2018-2023)===&lt;br /&gt;
Bitwarden&#039;s autofill feature contained &amp;quot;risky-behavior&amp;quot; that could &amp;quot;allow malicious iframes embedded in trusted websites to steal people&#039;s credentials and send them to an attacker.&amp;quot;&amp;lt;ref name=&amp;quot;bc&amp;quot;&amp;gt;{{Cite web |first=Bill |last=Toulas |date=2023-03-08 |title=Bitwarden flaw can let hackers steal passwords using iframes |url=https://www.bleepingcomputer.com/news/security/bitwarden-flaw-can-let-hackers-steal-passwords-using-iframes/ |url-status=live |website=bleepingcomputer.com |archive-url=https://web.archive.org/web/20260515233256/https://www.bleepingcomputer.com/news/security/bitwarden-flaw-can-let-hackers-steal-passwords-using-iframes/ |archive-date=2026-05-15 |access-date=2026-06-28}}&amp;lt;/ref&amp;gt; (&amp;quot;According to the Mozilla HTML documentation the &amp;lt;iframe&amp;gt; HTML element represents a nested browsing context, embedding another HTML page into the current one.&amp;quot;)&amp;lt;ref name=&amp;quot;fp&amp;quot;&amp;gt;{{Cite web |date=2023-03-07 |author=Flashpoint Intel Team |title=Bitwarden: The Curious (Use-)Case of Password Pilfering |url=https://flashpoint.io/blog/bitwarden-password-pilfering/ |url-status=live |website=flashpoint.io |archive-url=https://web.archive.org/web/20260516015310/https://flashpoint.io/blog/bitwarden-password-pilfering/ |archive-date=2026-05-16 |access-date=2026-06-28}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
Reportedly, Bitwarden had been aware of this since 2018 (documented as (BWN-01-001)&amp;lt;ref name=&amp;quot;fp&amp;quot; /&amp;gt;), but tolerated it to &amp;quot;accommodate legitimate sites that use iframes.&amp;quot; It is worth noting that the feature had been disabled by default, there had still been sites on which this could be exploited. With autofill enabled, Bitwarden&#039;s web extension filled in credentials automatically when a page gets loaded, without the user having to intervene in the process.&amp;lt;ref name=&amp;quot;bc&amp;quot; /&amp;gt;&amp;lt;blockquote&amp;gt;&#039;While the embedded iframe does not have access to any content in the parent page, it can wait for input to the login form and forward the entered credentials to a remote server without further user interaction,&#039; explains Flashpoint.&amp;lt;ref name=&amp;quot;bc&amp;quot; /&amp;gt;&amp;lt;/blockquote&amp;gt;Reportedly, the &amp;quot;number of risky cases was very low.&amp;quot; While investigating this, it was also discovered that autofill filled in credentials &amp;quot;on subdomains of the base domain matching a login. This means an attacker hosting a phishing page under a subdomain that matches a stored login for a given base domain will capture the credentials upon the victim visiting the page if autofill is enabled.&amp;quot;&amp;lt;ref name=&amp;quot;bc /&amp;gt; In 2023, it was reported that Bitwarden&amp;lt;blockquote&amp;gt;decided to address user concerns by eliminating the iframe attack vector while keeping the autofill functionality intact.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;bc&amp;quot; /&amp;gt;&lt;br /&gt;
===Malicious @bitwarden/cli (NPM) package (2026)===&lt;br /&gt;
In April 2026, it was revealed that Bitwarden&#039;s {{Wplink|Command-line interface|CLI}} package, distributed via {{Wplink|npm}}, included a &amp;quot;credential-stealing payload.&amp;quot; Reportedly, only the only affected users were the CLI package&#039;s users, not all Bitwarden users in general.&amp;lt;ref&amp;gt;{{Cite web |first=Davey |last=Winder |date=2026-04-24 |title=Bitwarden Confirms Compromise—Here Are The Facts |url=https://www.forbes.com/sites/daveywinder/2026/04/24/bitwarden-confirms-compromise-here-are-the-facts-for-10-million-users/ |url-status=live |website=forbes.com |archive-url=https://ghostarchive.org/archive/DTGH8 |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; The package also reportedly contained the string &amp;quot;Shai-Hulud: The Third Coming&amp;quot;, &amp;quot;Shai-Hulud&amp;quot; referring to a {{Wplink|computer worm}}.&amp;lt;ref&amp;gt;{{Cite web |first=Justin |last=Moore |date=2025-11-25 |title=&amp;quot;Shai-Hulud&amp;quot; Worm Compromises npm Ecosystem in Supply Chain Attack |url=https://unit42.paloaltonetworks.com/npm-supply-chain-attack/ |url-status=live |website=unit42.paloaltonetworks.com |archive-url=https://ghostarchive.org/archive/bzU3J |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; It was also reported that: &amp;lt;blockquote&amp;gt;OX Security has observed real user information leaked by the malware. The infection is likely to spread further across NPM and GitHub as more machines are compromised over time.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The malware’s origin is potentially Russian — it does not execute if the Russian language is configured on the host machine.&amp;lt;ref name=&amp;quot;ox&amp;quot;&amp;gt;{{Cite web |title=Shai-Hulud: The Third Coming — Bitwarden CLI Backdoored in Latest Supply Chain Campaign |author=Siman Tov Bustan |author2=Zadok |date=2026-04-23 |url=https://www.ox.security/blog/shai-hulud-bitwarden-cli-supply-chain-attack/ |url-status=live |website=ox.security |archive-url=https://ghostarchive.org/archive/BjGFQ |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Quiet changes (2026)===&lt;br /&gt;
====Always free====&lt;br /&gt;
The longtime CEO, Michael Crandell is in an &amp;quot;advisory role&amp;quot; since February. In addition, Bitwarden&#039;s CFO was replaced in April. There weren&#039;t any official announcements for either of these changes. Bitwarden&#039;s free plan on their product page included the phrases &amp;quot;Free Forever&amp;quot; and &amp;quot;Always free.&amp;quot;&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; These phrases are present even on the Wayback machine&#039;s oldest archive (2022-06-25) of Bitwarden&#039;s product site.&amp;lt;ref&amp;gt;{{Cite web |title=The Bitwarden Password Manager |date=2022-06-25 |url=https://web.archive.org/web/20220625012714/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:Bitwarden20260414.webp|alt=(I) Bitwarden product page Wayback machine on 2026-04-14|right|(I) Bitwarden product page Wayback machine on 2026-04-14&lt;br /&gt;
File:Bitwarden20260418.webp|alt=(II) Bitwarden product page Wayback machine on 2026-04-18|right|(II) Bitwarden product page Wayback machine on 2026-04-18&lt;br /&gt;
File:Bitwarden20260515.webp|alt=(III) Bitwarden product page Wayback machine on 2026-05-15|right|(III) Bitwarden product page Wayback machine on 2026-05-15&lt;br /&gt;
File:Bitwarden20260519.webp|alt=(IV) Bitwarden product page Wayback machine on 2026-05-19|right|(IV) Bitwarden product page Wayback machine on 2026-05-19&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
&amp;quot;Always free&amp;quot; reportedly disappeared from the site in April.&amp;lt;ref name=&amp;quot;souray&amp;quot;&amp;gt;{{Cite web |first=Souray |last=Rudra |date=2026-05-19 |title=Things Are Quietly Changing at Bitwarden, and People Are Worried |url=https://itsfoss.com/news/bitwarden-quiet-changes/ |website=itsfoss.com |archive-url=https://ghostarchive.org/archive/jmqHZ |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; The archives from April, (I) and (II), reveal that the phrase disappeared sometime between 2026-04-14 (left on image I) and 2026-04-18 (bottom on image II). The archives from May, (III) and (IV) ,reveal that it came back sometime between 2026-05-15 (bottom left on image III) and 2026-05-19 (bottom left on image IV).&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-04-14 |url=https://web.archive.org/web/20260414143347/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-04-18 |url=https://web.archive.org/web/20260418162818/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-05-15 |url=https://web.archive.org/web/20260515190646/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-05-19 |url=https://web.archive.org/web/20260519164353/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt; A [[Reddit]] user by the name of &amp;quot;Ryan_BW&amp;quot;, reportedly a Bitwarden employee,&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; made a post addressing the issue on 2026-05-15, stating that:&amp;lt;blockquote&amp;gt;I would like to share that &amp;quot;always free&amp;quot; has been brought back to the pricing page. There was no specific intention to remove that language from the website while pages were being updated. Simply an oversight on the marketing team (myself included).&amp;lt;/blockquote&amp;gt;The comment was met with several negative replies from other Redditors.&amp;lt;ref&amp;gt;{{Cite web |author=Ryan_BW |date=2026-05-15 |title=Ryan_BW comments on FastCompany: intriguing corporate gossip about Bitwarden |url=https://www.reddit.com/r/Bitwarden/comments/1tdvnh7/comment/olznwcv/ |url-status=live |website=reddit.com |archive-url=https://ghostarchive.org/archive/MPAhX |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====GRIT====&lt;br /&gt;
&amp;lt;blockquote&amp;gt;Bitwarden has used the GRIT acronym to describe its company culture for years, standing for Gratitude, Responsibility, Inclusion, and Transparency.&amp;lt;/blockquote&amp;gt;On the Wayback machine&#039;s archive from 2026-03-14, they were still unchanged on Bitwarden&#039;s blog.&amp;lt;ref&amp;gt;{{Cite web |title=Defining and sustaining value for Bitwarden users |first=Michael |last=Crandell |orig-date=2022-06-08 |date=2026-03-14 |url=https://web.archive.org/web/20260314030243/https://bitwarden.com/blog/defining-and-sustaining-value-for-bitwarden-users/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;blockquote&amp;gt;At some point after that, they were quietly changed. GRIT now stands for Gratitude, Responsibility, Innovation, and Trust.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; The original blog post was also updated, so that it now includes the new version of the acronym.&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |date=2022-06-08 |first=Michael |last=Crandell |title=Defining and sustaining value for Bitwarden users |url=https://bitwarden.com/blog/defining-and-sustaining-value-for-bitwarden-users/#bitwarden-operates-with-grit |url-status=live |website=bitwarden.com |archive-url=https://ghostarchive.org/archive/Iek3a |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Products==&lt;br /&gt;
*Bitwarden password manager&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[[LastPass]]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59216</id>
		<title>Bitwarden</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59216"/>
		<updated>2026-06-28T07:13:45Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: /* Incidents */ added an incident&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{CompanyCargo&lt;br /&gt;
|Founded=2019-10-28&lt;br /&gt;
|Industry=Software&lt;br /&gt;
|Type=Private&lt;br /&gt;
|Logo=Bitwarden logo.webp&lt;br /&gt;
|CompanyAlias=Bitwarden, Inc.&lt;br /&gt;
|Website=https://bitwarden.com, https://bitwarden.eu&lt;br /&gt;
}}&lt;br /&gt;
Bitwarden is an American software company, incorporated in Delaware and with headquarters in Santa Barbara, California.&amp;lt;ref&amp;gt;{{Cite web |title=Division of Corporations |url=https://icis.corp.delaware.gov/ecorp/entitysearch/NameSearch.aspx |url-status=live |website=icis.corp.delaware.gov |quote=File Number: 7654941}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Business Search |url=https://bizfileonline.sos.ca.gov/search/business |url-status=live |website=bizfileonline.sos.ca.gov |quote=BITWARDEN INC. (4612828)}}&amp;lt;/ref&amp;gt; Its main product is the eponymous password manager.&lt;br /&gt;
&lt;br /&gt;
==Consumer-impact summary==&lt;br /&gt;
{{Ph-C-CIS}}&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
===Autofill vulnerability (2018-2023)===&lt;br /&gt;
Bitwarden&#039;s autofill feature contained &amp;quot;risky-behavior&amp;quot; that could &amp;quot;allow malicious iframes embedded in trusted websites to steal people&#039;s credentials and send them to an attacker.&amp;quot;&amp;lt;ref name=&amp;quot;bc&amp;quot;&amp;gt;{{Cite web |first=Bill |last=Toulas |date=2023-03-08 |title=Bitwarden flaw can let hackers steal passwords using iframes |url=https://www.bleepingcomputer.com/news/security/bitwarden-flaw-can-let-hackers-steal-passwords-using-iframes/ |url-status=live |website=bleepingcomputer.com |archive-url=https://web.archive.org/web/20260515233256/https://www.bleepingcomputer.com/news/security/bitwarden-flaw-can-let-hackers-steal-passwords-using-iframes/ |archive-date=2026-05-15 |access-date=2026-06-28}}&amp;lt;/ref&amp;gt; (&amp;quot;According to the Mozilla HTML documentation the &amp;lt;iframe&amp;gt; HTML element represents a nested browsing context, embedding another HTML page into the current one.&amp;quot;)&amp;lt;ref name=&amp;quot;fp&amp;quot;&amp;gt;{{Cite web |date=2023-03-07 |author=Flashpoint Intel Team |title=Bitwarden: The Curious (Use-)Case of Password Pilfering |url=https://flashpoint.io/blog/bitwarden-password-pilfering/ |url-status=live |website=flashpoint.io |archive-url=https://web.archive.org/web/20260516015310/https://flashpoint.io/blog/bitwarden-password-pilfering/ |archive-date=2026-05-16 |access-date=2026-06-28}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
Reportedly, Bitwarden had been aware of this since 2018 (documented as (BWN-01-001)&amp;lt;ref name=&amp;quot;fp&amp;quot; /&amp;gt;), but tolerated it to &amp;quot;accommodate legitimate sites that use iframes.&amp;quot; It is worth noting that the feature had been disabled by default, there had still been sites on which this could be exploited. With autofill enabled, Bitwarden&#039;s web extension filled in credentials automatically when a page gets loaded, without the user having to intervene in the process.&amp;lt;ref name=&amp;quot;bc&amp;quot; /&amp;gt;&amp;lt;blockquote&amp;gt;&#039;While the embedded iframe does not have access to any content in the parent page, it can wait for input to the login form and forward the entered credentials to a remote server without further user interaction,&#039; explains Flashpoint.&amp;lt;ref name=&amp;quot;bc&amp;quot; /&amp;gt;&amp;lt;/blockquote&amp;gt;Reportedly, the &amp;quot;number of risky cases was very low.&amp;quot; While investigating this, it was also discovered that autofill filled in credentials &amp;quot;on subdomains of the base domain matching a login. This means an attacker hosting a phishing page under a subdomain that matches a stored login for a given base domain will capture the credentials upon the victim visiting the page if autofill is enabled.&amp;quot;&amp;lt;ref name=&amp;quot;bc /&amp;gt; In 2023, it was reported that Bitwarden&amp;lt;blockquote&amp;gt;decided to address user concerns by eliminating the iframe attack vector while keeping the autofill functionality intact.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;bc&amp;quot; /&amp;gt;&lt;br /&gt;
===Malicious @bitwarden/cli (NPM) package (2026)===&lt;br /&gt;
In April 2026, it was revealed that Bitwarden&#039;s {{Wplink|Command-line interface|CLI}} package, distributed via {{Wplink|npm}}, included a &amp;quot;credential-stealing payload.&amp;quot; Reportedly, only the only affected users were the CLI package&#039;s users, not all Bitwarden users in general.&amp;lt;ref&amp;gt;{{Cite web |first=Davey |last=Winder |date=2026-04-24 |title=Bitwarden Confirms Compromise—Here Are The Facts |url=https://www.forbes.com/sites/daveywinder/2026/04/24/bitwarden-confirms-compromise-here-are-the-facts-for-10-million-users/ |url-status=live |website=forbes.com |archive-url=https://ghostarchive.org/archive/DTGH8 |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; The package also reportedly contained the string &amp;quot;Shai-Hulud: The Third Coming&amp;quot;, &amp;quot;Shai-Hulud&amp;quot; referring to a {{Wplink|computer worm}}.&amp;lt;ref&amp;gt;{{Cite web |first=Justin |last=Moore |date=2025-11-25 |title=&amp;quot;Shai-Hulud&amp;quot; Worm Compromises npm Ecosystem in Supply Chain Attack |url=https://unit42.paloaltonetworks.com/npm-supply-chain-attack/ |url-status=live |website=unit42.paloaltonetworks.com |archive-url=https://ghostarchive.org/archive/bzU3J |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; It was also reported that: &amp;lt;blockquote&amp;gt;OX Security has observed real user information leaked by the malware. The infection is likely to spread further across NPM and GitHub as more machines are compromised over time.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The malware’s origin is potentially Russian — it does not execute if the Russian language is configured on the host machine.&amp;lt;ref name=&amp;quot;ox&amp;quot;&amp;gt;{{Cite web |title=Shai-Hulud: The Third Coming — Bitwarden CLI Backdoored in Latest Supply Chain Campaign |author=Siman Tov Bustan |author2=Zadok |date=2026-04-23 |url=https://www.ox.security/blog/shai-hulud-bitwarden-cli-supply-chain-attack/ |url-status=live |website=ox.security |archive-url=https://ghostarchive.org/archive/BjGFQ |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Quiet changes (2026)===&lt;br /&gt;
====Always free====&lt;br /&gt;
The longtime CEO, Michael Crandell is in an &amp;quot;advisory role&amp;quot; since February. In addition, Bitwarden&#039;s CFO was replaced in April. There weren&#039;t any official announcements for either of these changes. Bitwarden&#039;s free plan on their product page included the phrases &amp;quot;Free Forever&amp;quot; and &amp;quot;Always free.&amp;quot;&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; These phrases are present even on the Wayback machine&#039;s oldest archive (2022-06-25) of Bitwarden&#039;s product site.&amp;lt;ref&amp;gt;{{Cite web |title=The Bitwarden Password Manager |date=2022-06-25 |url=https://web.archive.org/web/20220625012714/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:Bitwarden20260414.webp|alt=(I) Bitwarden product page Wayback machine on 2026-04-14|right|(I) Bitwarden product page Wayback machine on 2026-04-14&lt;br /&gt;
File:Bitwarden20260418.webp|alt=(II) Bitwarden product page Wayback machine on 2026-04-18|right|(II) Bitwarden product page Wayback machine on 2026-04-18&lt;br /&gt;
File:Bitwarden20260515.webp|alt=(III) Bitwarden product page Wayback machine on 2026-05-15|right|(III) Bitwarden product page Wayback machine on 2026-05-15&lt;br /&gt;
File:Bitwarden20260519.webp|alt=(IV) Bitwarden product page Wayback machine on 2026-05-19|right|(IV) Bitwarden product page Wayback machine on 2026-05-19&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
&amp;quot;Always free&amp;quot; reportedly disappeared from the site in April.&amp;lt;ref name=&amp;quot;souray&amp;quot;&amp;gt;{{Cite web |first=Souray |last=Rudra |date=2026-05-19 |title=Things Are Quietly Changing at Bitwarden, and People Are Worried |url=https://itsfoss.com/news/bitwarden-quiet-changes/ |website=itsfoss.com |archive-url=https://ghostarchive.org/archive/jmqHZ |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; The archives from April, (I) and (II), reveal that the phrase disappeared sometime between 2026-04-14 (left on image I) and 2026-04-18 (bottom on image II). The archives from May, (III) and (IV) ,reveal that it came back sometime between 2026-05-15 (bottom left on image III) and 2026-05-19 (bottom left on image IV).&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-04-14 |url=https://web.archive.org/web/20260414143347/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-04-18 |url=https://web.archive.org/web/20260418162818/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-05-15 |url=https://web.archive.org/web/20260515190646/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-05-19 |url=https://web.archive.org/web/20260519164353/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt; A [[Reddit]] user by the name of &amp;quot;Ryan_BW&amp;quot;, reportedly a Bitwarden employee,&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; made a post addressing the issue on 2026-05-15, stating that:&amp;lt;blockquote&amp;gt;I would like to share that &amp;quot;always free&amp;quot; has been brought back to the pricing page. There was no specific intention to remove that language from the website while pages were being updated. Simply an oversight on the marketing team (myself included).&amp;lt;/blockquote&amp;gt;The comment was met with several negative replies from other Redditors.&amp;lt;ref&amp;gt;{{Cite web |author=Ryan_BW |date=2026-05-15 |title=Ryan_BW comments on FastCompany: intriguing corporate gossip about Bitwarden |url=https://www.reddit.com/r/Bitwarden/comments/1tdvnh7/comment/olznwcv/ |url-status=live |website=reddit.com |archive-url=https://ghostarchive.org/archive/MPAhX |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====GRIT====&lt;br /&gt;
&amp;lt;blockquote&amp;gt;Bitwarden has used the GRIT acronym to describe its company culture for years, standing for Gratitude, Responsibility, Inclusion, and Transparency.&amp;lt;/blockquote&amp;gt;On the Wayback machine&#039;s archive from 2026-03-14, they were still unchanged on Bitwarden&#039;s blog.&amp;lt;ref&amp;gt;{{Cite web |title=Defining and sustaining value for Bitwarden users |first=Michael |last=Crandell |orig-date=2022-06-08 |date=2026-03-14 |url=https://web.archive.org/web/20260314030243/https://bitwarden.com/blog/defining-and-sustaining-value-for-bitwarden-users/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;blockquote&amp;gt;At some point after that, they were quietly changed. GRIT now stands for Gratitude, Responsibility, Innovation, and Trust.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; The original blog post was also updated, so that it now includes the new version of the acronym.&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |date=2022-06-08 |first=Michael |last=Crandell |title=Defining and sustaining value for Bitwarden users |url=https://bitwarden.com/blog/defining-and-sustaining-value-for-bitwarden-users/#bitwarden-operates-with-grit |url-status=live |website=bitwarden.com |archive-url=https://ghostarchive.org/archive/Iek3a |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Products==&lt;br /&gt;
*Bitwarden password manager&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[[LastPass]]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59184</id>
		<title>Bitwarden</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59184"/>
		<updated>2026-06-27T19:45:49Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: /* Malicious @bitwarden/cli (NPM) package (2026) */ removed duplicate reference&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{CompanyCargo&lt;br /&gt;
|Founded=2019-10-28&lt;br /&gt;
|Industry=Software&lt;br /&gt;
|Type=Private&lt;br /&gt;
|Logo=Bitwarden logo.webp&lt;br /&gt;
|CompanyAlias=Bitwarden, Inc.&lt;br /&gt;
|Website=https://bitwarden.com, https://bitwarden.eu&lt;br /&gt;
}}&lt;br /&gt;
Bitwarden is an American software company, incorporated in Delaware and with headquarters in Santa Barbara, California.&amp;lt;ref&amp;gt;{{Cite web |title=Division of Corporations |url=https://icis.corp.delaware.gov/ecorp/entitysearch/NameSearch.aspx |url-status=live |website=icis.corp.delaware.gov |quote=File Number: 7654941}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Business Search |url=https://bizfileonline.sos.ca.gov/search/business |url-status=live |website=bizfileonline.sos.ca.gov |quote=BITWARDEN INC. (4612828)}}&amp;lt;/ref&amp;gt; Its main product is the eponymous password manager.&lt;br /&gt;
&lt;br /&gt;
==Consumer-impact summary==&lt;br /&gt;
{{Ph-C-CIS}}&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
===Malicious @bitwarden/cli (NPM) package (2026)===&lt;br /&gt;
In April 2026, it was revealed that Bitwarden&#039;s [[wikipedia:Command-line interface|CLI]] package, distributed via [[wikipedia:npm|npm]], included a &amp;quot;credential-stealing payload.&amp;quot; Reportedly, only the only affected users were the CLI package&#039;s users, not all Bitwarden users in general.&amp;lt;ref&amp;gt;{{Cite web |first=Davey |last=Winder |date=2026-04-24 |title=Bitwarden Confirms Compromise—Here Are The Facts |url=https://www.forbes.com/sites/daveywinder/2026/04/24/bitwarden-confirms-compromise-here-are-the-facts-for-10-million-users/ |url-status=live |website=forbes.com |archive-url=https://ghostarchive.org/archive/DTGH8 |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; The package also reportedly contained the string &amp;quot;Shai-Hulud: The Third Coming&amp;quot;, &amp;quot;Shai-Hulud&amp;quot; referring to a [[wikipedia:Computer worm|computer worm]].&amp;lt;ref&amp;gt;{{Cite web |first=Justin |last=Moore |date=2025-11-25 |title=&amp;quot;Shai-Hulud&amp;quot; Worm Compromises npm Ecosystem in Supply Chain Attack |url=https://unit42.paloaltonetworks.com/npm-supply-chain-attack/ |url-status=live |website=unit42.paloaltonetworks.com |archive-url=https://ghostarchive.org/archive/bzU3J |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; It was also reported that: &amp;lt;blockquote&amp;gt;OX Security has observed real user information leaked by the malware. The infection is likely to spread further across NPM and GitHub as more machines are compromised over time.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The malware’s origin is potentially Russian — it does not execute if the Russian language is configured on the host machine.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;ox&amp;quot;&amp;gt;{{Cite web |title=Shai-Hulud: The Third Coming — Bitwarden CLI Backdoored in Latest Supply Chain Campaign |author=Siman Tov Bustan |author2=Zadok |date=2026-04-23 |url=https://www.ox.security/blog/shai-hulud-bitwarden-cli-supply-chain-attack/ |url-status=live |website=ox.security |archive-url=https://ghostarchive.org/archive/BjGFQ |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Quiet changes (2026)===&lt;br /&gt;
====Always free====&lt;br /&gt;
The longtime CEO, Michael Crandell is in an &amp;quot;advisory role&amp;quot; since February. In addition, Bitwarden&#039;s CFO was replaced in April. There weren&#039;t any official announcements for either of these changes. Bitwarden&#039;s free plan on their product page included the phrases &amp;quot;Free Forever&amp;quot; and &amp;quot;Always free.&amp;quot;&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; These phrases are present even on the Wayback machine&#039;s oldest archive (2022-06-25) of Bitwarden&#039;s product site.&amp;lt;ref&amp;gt;{{Cite web |title=The Bitwarden Password Manager |date=2022-06-25 |url=https://web.archive.org/web/20220625012714/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:Bitwarden20260414.webp|alt=(I) Bitwarden product page Wayback machine on 2026-04-14|right|(I) Bitwarden product page Wayback machine on 2026-04-14&lt;br /&gt;
File:Bitwarden20260418.webp|alt=(II) Bitwarden product page Wayback machine on 2026-04-18|right|(II) Bitwarden product page Wayback machine on 2026-04-18&lt;br /&gt;
File:Bitwarden20260515.webp|alt=(III) Bitwarden product page Wayback machine on 2026-05-15|right|(III) Bitwarden product page Wayback machine on 2026-05-15&lt;br /&gt;
File:Bitwarden20260519.webp|alt=(IV) Bitwarden product page Wayback machine on 2026-05-19|right|(IV) Bitwarden product page Wayback machine on 2026-05-19&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
&amp;quot;Always free&amp;quot; reportedly disappeared from the site in April.&amp;lt;ref name=&amp;quot;souray&amp;quot;&amp;gt;{{Cite web |first=Souray |last=Rudra |date=2026-05-19 |title=Things Are Quietly Changing at Bitwarden, and People Are Worried |url=https://itsfoss.com/news/bitwarden-quiet-changes/ |website=itsfoss.com |archive-url=https://ghostarchive.org/archive/jmqHZ |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; The archives from April, (I) and (II), reveal that the phrase disappeared sometime between 2026-04-14 (left on image I) and 2026-04-18 (bottom on image II). The archives from May, (III) and (IV) ,reveal that it came back sometime between 2026-05-15 (bottom left on image III) and 2026-05-19 (bottom left on image IV).&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-04-14 |url=https://web.archive.org/web/20260414143347/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-04-18 |url=https://web.archive.org/web/20260418162818/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-05-15 |url=https://web.archive.org/web/20260515190646/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-05-19 |url=https://web.archive.org/web/20260519164353/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt; A [[Reddit]] user by the name of &amp;quot;Ryan_BW&amp;quot;, reportedly a Bitwarden employee&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt;, made a post addressing the issue on 2026-05-15, stating that:&amp;lt;blockquote&amp;gt;I would like to share that &amp;quot;always free&amp;quot; has been brought back to the pricing page. There was no specific intention to remove that language from the website while pages were being updated. Simply an oversight on the marketing team (myself included).&amp;lt;/blockquote&amp;gt;The comment was met with several negative replies from other Redditors.&amp;lt;ref&amp;gt;{{Cite web |author=Ryan_BW |date=2026-05-15 |title=Ryan_BW comments on FastCompany: intriguing corporate gossip about Bitwarden |url=https://www.reddit.com/r/Bitwarden/comments/1tdvnh7/comment/olznwcv/ |url-status=live |website=reddit.com |archive-url=https://ghostarchive.org/archive/MPAhX |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====GRIT====&lt;br /&gt;
&amp;lt;blockquote&amp;gt;Bitwarden has used the GRIT acronym to describe its company culture for years, standing for Gratitude, Responsibility, Inclusion, and Transparency.&amp;lt;/blockquote&amp;gt;On the Wayback machine&#039;s archive from 2026-03-14, they were still unchanged on Bitwarden&#039;s blog.&amp;lt;ref&amp;gt;{{Cite web |title=Defining and sustaining value for Bitwarden users |first=Michael |last=Crandell |orig-date=2022-06-08 |date=2026-03-14 |url=https://web.archive.org/web/20260314030243/https://bitwarden.com/blog/defining-and-sustaining-value-for-bitwarden-users/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;blockquote&amp;gt;At some point after that, they were quietly changed. GRIT now stands for Gratitude, Responsibility, Innovation, and Trust.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; The original blog post was also updated, so that it now includes the new version of the acronym.&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |date=2022-06-08 |first=Michael |last=Crandell |title=Defining and sustaining value for Bitwarden users |url=https://bitwarden.com/blog/defining-and-sustaining-value-for-bitwarden-users/#bitwarden-operates-with-grit |url-status=live |website=bitwarden.com |archive-url=https://ghostarchive.org/archive/Iek3a |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Products==&lt;br /&gt;
*Bitwarden password manager&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[[LastPass]]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=Category:Bitwarden&amp;diff=59183</id>
		<title>Category:Bitwarden</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=Category:Bitwarden&amp;diff=59183"/>
		<updated>2026-06-27T19:38:25Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: Created page with &amp;quot;This is the Bitwarden category.  Category:Software companies&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;This is the Bitwarden category.&lt;br /&gt;
&lt;br /&gt;
[[Category:Software companies]]&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59182</id>
		<title>Bitwarden</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59182"/>
		<updated>2026-06-27T19:36:49Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: /* Incidents */ added an incident&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{CompanyCargo&lt;br /&gt;
|Founded=2019-10-28&lt;br /&gt;
|Industry=Software&lt;br /&gt;
|Type=Private&lt;br /&gt;
|Logo=Bitwarden logo.webp&lt;br /&gt;
|CompanyAlias=Bitwarden, Inc.&lt;br /&gt;
|Website=https://bitwarden.com, https://bitwarden.eu&lt;br /&gt;
}}&lt;br /&gt;
Bitwarden is an American software company, incorporated in Delaware and with headquarters in Santa Barbara, California.&amp;lt;ref&amp;gt;{{Cite web |title=Division of Corporations |url=https://icis.corp.delaware.gov/ecorp/entitysearch/NameSearch.aspx |url-status=live |website=icis.corp.delaware.gov |quote=File Number: 7654941}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Business Search |url=https://bizfileonline.sos.ca.gov/search/business |url-status=live |website=bizfileonline.sos.ca.gov |quote=BITWARDEN INC. (4612828)}}&amp;lt;/ref&amp;gt; Its main product is the eponymous password manager.&lt;br /&gt;
&lt;br /&gt;
==Consumer-impact summary==&lt;br /&gt;
{{Ph-C-CIS}}&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
===Malicious @bitwarden/cli (NPM) package (2026)===&lt;br /&gt;
In April 2026, it was revealed that Bitwarden&#039;s [[wikipedia:Command-line interface|CLI]] package, distributed via [[wikipedia:npm|npm]], included a &amp;quot;credential-stealing payload.&amp;quot; Reportedly, only the only affected users were the CLI package&#039;s users, not all Bitwarden users in general.&amp;lt;ref&amp;gt;{{Cite web |first=Davey |last=Winder |date=2026-04-24 |title=Bitwarden Confirms Compromise—Here Are The Facts |url=https://www.forbes.com/sites/daveywinder/2026/04/24/bitwarden-confirms-compromise-here-are-the-facts-for-10-million-users/ |url-status=live |website=forbes.com |archive-url=https://ghostarchive.org/archive/DTGH8 |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; The package also reportedly contained the string &amp;quot;Shai-Hulud: The Third Coming&amp;quot;, &amp;quot;Shai-Hulud&amp;quot; referring to a [[wikipedia:Computer worm|computer worm]].&amp;lt;ref&amp;gt;{{Cite web |first=Justin |last=Moore |date=2025-11-25 |title=&amp;quot;Shai-Hulud&amp;quot; Worm Compromises npm Ecosystem in Supply Chain Attack |url=https://unit42.paloaltonetworks.com/npm-supply-chain-attack/ |url-status=live |website=unit42.paloaltonetworks.com |archive-url=https://ghostarchive.org/archive/bzU3J |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; It was also reported that: &amp;lt;blockquote&amp;gt;OX Security has observed real user information leaked by the malware. The infection is likely to spread further across NPM and GitHub as more machines are compromised over time.&amp;lt;ref name=&amp;quot;ox&amp;quot;&amp;gt;{{Cite web |title=Shai-Hulud: The Third Coming — Bitwarden CLI Backdoored in Latest Supply Chain Campaign |author=Siman Tov Bustan |author2=Zadok |date=2026-04-23 |url=https://www.ox.security/blog/shai-hulud-bitwarden-cli-supply-chain-attack/ |url-status=live |website=ox.security |archive-url=https://ghostarchive.org/archive/BjGFQ |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The malware’s origin is potentially Russian — it does not execute if the Russian language is configured on the host machine.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;ox&amp;quot; /&amp;gt;&lt;br /&gt;
===Quiet changes (2026)===&lt;br /&gt;
====Always free====&lt;br /&gt;
The longtime CEO, Michael Crandell is in an &amp;quot;advisory role&amp;quot; since February. In addition, Bitwarden&#039;s CFO was replaced in April. There weren&#039;t any official announcements for either of these changes. Bitwarden&#039;s free plan on their product page included the phrases &amp;quot;Free Forever&amp;quot; and &amp;quot;Always free.&amp;quot;&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; These phrases are present even on the Wayback machine&#039;s oldest archive (2022-06-25) of Bitwarden&#039;s product site.&amp;lt;ref&amp;gt;{{Cite web |title=The Bitwarden Password Manager |date=2022-06-25 |url=https://web.archive.org/web/20220625012714/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:Bitwarden20260414.webp|alt=(I) Bitwarden product page Wayback machine on 2026-04-14|right|(I) Bitwarden product page Wayback machine on 2026-04-14&lt;br /&gt;
File:Bitwarden20260418.webp|alt=(II) Bitwarden product page Wayback machine on 2026-04-18|right|(II) Bitwarden product page Wayback machine on 2026-04-18&lt;br /&gt;
File:Bitwarden20260515.webp|alt=(III) Bitwarden product page Wayback machine on 2026-05-15|right|(III) Bitwarden product page Wayback machine on 2026-05-15&lt;br /&gt;
File:Bitwarden20260519.webp|alt=(IV) Bitwarden product page Wayback machine on 2026-05-19|right|(IV) Bitwarden product page Wayback machine on 2026-05-19&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
&amp;quot;Always free&amp;quot; reportedly disappeared from the site in April.&amp;lt;ref name=&amp;quot;souray&amp;quot;&amp;gt;{{Cite web |first=Souray |last=Rudra |date=2026-05-19 |title=Things Are Quietly Changing at Bitwarden, and People Are Worried |url=https://itsfoss.com/news/bitwarden-quiet-changes/ |website=itsfoss.com |archive-url=https://ghostarchive.org/archive/jmqHZ |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; The archives from April, (I) and (II), reveal that the phrase disappeared sometime between 2026-04-14 (left on image I) and 2026-04-18 (bottom on image II). The archives from May, (III) and (IV) ,reveal that it came back sometime between 2026-05-15 (bottom left on image III) and 2026-05-19 (bottom left on image IV).&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-04-14 |url=https://web.archive.org/web/20260414143347/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-04-18 |url=https://web.archive.org/web/20260418162818/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-05-15 |url=https://web.archive.org/web/20260515190646/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-05-19 |url=https://web.archive.org/web/20260519164353/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt; A [[Reddit]] user by the name of &amp;quot;Ryan_BW&amp;quot;, reportedly a Bitwarden employee&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt;, made a post addressing the issue on 2026-05-15, stating that:&amp;lt;blockquote&amp;gt;I would like to share that &amp;quot;always free&amp;quot; has been brought back to the pricing page. There was no specific intention to remove that language from the website while pages were being updated. Simply an oversight on the marketing team (myself included).&amp;lt;/blockquote&amp;gt;The comment was met with several negative replies from other Redditors.&amp;lt;ref&amp;gt;{{Cite web |author=Ryan_BW |date=2026-05-15 |title=Ryan_BW comments on FastCompany: intriguing corporate gossip about Bitwarden |url=https://www.reddit.com/r/Bitwarden/comments/1tdvnh7/comment/olznwcv/ |url-status=live |website=reddit.com |archive-url=https://ghostarchive.org/archive/MPAhX |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====GRIT====&lt;br /&gt;
&amp;lt;blockquote&amp;gt;Bitwarden has used the GRIT acronym to describe its company culture for years, standing for Gratitude, Responsibility, Inclusion, and Transparency.&amp;lt;/blockquote&amp;gt;On the Wayback machine&#039;s archive from 2026-03-14, they were still unchanged on Bitwarden&#039;s blog.&amp;lt;ref&amp;gt;{{Cite web |title=Defining and sustaining value for Bitwarden users |first=Michael |last=Crandell |orig-date=2022-06-08 |date=2026-03-14 |url=https://web.archive.org/web/20260314030243/https://bitwarden.com/blog/defining-and-sustaining-value-for-bitwarden-users/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;blockquote&amp;gt;At some point after that, they were quietly changed. GRIT now stands for Gratitude, Responsibility, Innovation, and Trust.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; The original blog post was also updated, so that it now includes the new version of the acronym.&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |date=2022-06-08 |first=Michael |last=Crandell |title=Defining and sustaining value for Bitwarden users |url=https://bitwarden.com/blog/defining-and-sustaining-value-for-bitwarden-users/#bitwarden-operates-with-grit |url-status=live |website=bitwarden.com |archive-url=https://ghostarchive.org/archive/Iek3a |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Products==&lt;br /&gt;
*Bitwarden password manager&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[[LastPass]]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59181</id>
		<title>Bitwarden</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59181"/>
		<updated>2026-06-27T19:02:22Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: /* Always free */ added content from ryan_bw&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{CompanyCargo&lt;br /&gt;
|Founded=2019-10-28&lt;br /&gt;
|Industry=Software&lt;br /&gt;
|Type=Private&lt;br /&gt;
|Logo=Bitwarden logo.webp&lt;br /&gt;
|CompanyAlias=Bitwarden, Inc.&lt;br /&gt;
|Website=https://bitwarden.com, https://bitwarden.eu&lt;br /&gt;
}}&lt;br /&gt;
Bitwarden is an American software company, incorporated in Delaware and with headquarters in Santa Barbara, California.&amp;lt;ref&amp;gt;{{Cite web |title=Division of Corporations |url=https://icis.corp.delaware.gov/ecorp/entitysearch/NameSearch.aspx |url-status=live |website=icis.corp.delaware.gov |quote=File Number: 7654941}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Business Search |url=https://bizfileonline.sos.ca.gov/search/business |url-status=live |website=bizfileonline.sos.ca.gov |quote=BITWARDEN INC. (4612828)}}&amp;lt;/ref&amp;gt; Its main product is the eponymous password manager.&lt;br /&gt;
&lt;br /&gt;
==Consumer-impact summary==&lt;br /&gt;
{{Ph-C-CIS}}&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
===Quiet changes (2026)===&lt;br /&gt;
====Always free====&lt;br /&gt;
The longtime CEO, Michael Crandell is in an &amp;quot;advisory role&amp;quot; since February. In addition, Bitwarden&#039;s CFO was replaced in April. There weren&#039;t any official announcements for either of these changes. Bitwarden&#039;s free plan on their product page included the phrases &amp;quot;Free Forever&amp;quot; and &amp;quot;Always free.&amp;quot;&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; These phrases are present even on the Wayback machine&#039;s oldest archive (2022-06-25) of Bitwarden&#039;s product site.&amp;lt;ref&amp;gt;{{Cite web |title=The Bitwarden Password Manager |date=2022-06-25 |url=https://web.archive.org/web/20220625012714/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:Bitwarden20260414.webp|alt=(I) Bitwarden product page Wayback machine on 2026-04-14|right|(I) Bitwarden product page Wayback machine on 2026-04-14&lt;br /&gt;
File:Bitwarden20260418.webp|alt=(II) Bitwarden product page Wayback machine on 2026-04-18|right|(II) Bitwarden product page Wayback machine on 2026-04-18&lt;br /&gt;
File:Bitwarden20260515.webp|alt=(III) Bitwarden product page Wayback machine on 2026-05-15|right|(III) Bitwarden product page Wayback machine on 2026-05-15&lt;br /&gt;
File:Bitwarden20260519.webp|alt=(IV) Bitwarden product page Wayback machine on 2026-05-19|right|(IV) Bitwarden product page Wayback machine on 2026-05-19&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
&amp;quot;Always free&amp;quot; reportedly disappeared from the site in April.&amp;lt;ref name=&amp;quot;souray&amp;quot;&amp;gt;{{Cite web |first=Souray |last=Rudra |date=2026-05-19 |title=Things Are Quietly Changing at Bitwarden, and People Are Worried |url=https://itsfoss.com/news/bitwarden-quiet-changes/ |website=itsfoss.com |archive-url=https://ghostarchive.org/archive/jmqHZ |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; The archives from April, (I) and (II), reveal that the phrase disappeared sometime between 2026-04-14 (left on image I) and 2026-04-18 (bottom on image II). The archives from May, (III) and (IV) ,reveal that it came back sometime between 2026-05-15 (bottom left on image III) and 2026-05-19 (bottom left on image IV).&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-04-14 |url=https://web.archive.org/web/20260414143347/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-04-18 |url=https://web.archive.org/web/20260418162818/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-05-15 |url=https://web.archive.org/web/20260515190646/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-05-19 |url=https://web.archive.org/web/20260519164353/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt; A [[Reddit]] user by the name of &amp;quot;Ryan_BW&amp;quot;, reportedly a Bitwarden employee&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt;, made a post addressing the issue on 2026-05-15, stating that:&amp;lt;blockquote&amp;gt;I would like to share that &amp;quot;always free&amp;quot; has been brought back to the pricing page. There was no specific intention to remove that language from the website while pages were being updated. Simply an oversight on the marketing team (myself included).&amp;lt;/blockquote&amp;gt;The comment was met with several negative replies from other Redditors.&amp;lt;ref&amp;gt;{{Cite web |author=Ryan_BW |date=2026-05-15 |title=Ryan_BW comments on FastCompany: intriguing corporate gossip about Bitwarden |url=https://www.reddit.com/r/Bitwarden/comments/1tdvnh7/comment/olznwcv/ |url-status=live |website=reddit.com |archive-url=https://ghostarchive.org/archive/MPAhX |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====GRIT====&lt;br /&gt;
&amp;lt;blockquote&amp;gt;Bitwarden has used the GRIT acronym to describe its company culture for years, standing for Gratitude, Responsibility, Inclusion, and Transparency.&amp;lt;/blockquote&amp;gt;On the Wayback machine&#039;s archive from 2026-03-14, they were still unchanged on Bitwarden&#039;s blog.&amp;lt;ref&amp;gt;{{Cite web |title=Defining and sustaining value for Bitwarden users |first=Michael |last=Crandell |orig-date=2022-06-08 |date=2026-03-14 |url=https://web.archive.org/web/20260314030243/https://bitwarden.com/blog/defining-and-sustaining-value-for-bitwarden-users/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;blockquote&amp;gt;At some point after that, they were quietly changed. GRIT now stands for Gratitude, Responsibility, Innovation, and Trust.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; The original blog post was also updated, so that it now includes the new version of the acronym.&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |date=2022-06-08 |first=Michael |last=Crandell |title=Defining and sustaining value for Bitwarden users |url=https://bitwarden.com/blog/defining-and-sustaining-value-for-bitwarden-users/#bitwarden-operates-with-grit |url-status=live |website=bitwarden.com |archive-url=https://ghostarchive.org/archive/Iek3a |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Products==&lt;br /&gt;
*Bitwarden password manager&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[[LastPass]]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59180</id>
		<title>Bitwarden</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59180"/>
		<updated>2026-06-27T18:46:25Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: /* Quiet changes (2026) */ added content about GRIT&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{CompanyCargo&lt;br /&gt;
|Founded=2019-10-28&lt;br /&gt;
|Industry=Software&lt;br /&gt;
|Type=Private&lt;br /&gt;
|Logo=Bitwarden logo.webp&lt;br /&gt;
|CompanyAlias=Bitwarden, Inc.&lt;br /&gt;
|Website=https://bitwarden.com, https://bitwarden.eu&lt;br /&gt;
}}&lt;br /&gt;
Bitwarden is an American software company, incorporated in Delaware and with headquarters in Santa Barbara, California.&amp;lt;ref&amp;gt;{{Cite web |title=Division of Corporations |url=https://icis.corp.delaware.gov/ecorp/entitysearch/NameSearch.aspx |url-status=live |website=icis.corp.delaware.gov |quote=File Number: 7654941}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Business Search |url=https://bizfileonline.sos.ca.gov/search/business |url-status=live |website=bizfileonline.sos.ca.gov |quote=BITWARDEN INC. (4612828)}}&amp;lt;/ref&amp;gt; Its main product is the eponymous password manager.&lt;br /&gt;
&lt;br /&gt;
==Consumer-impact summary==&lt;br /&gt;
{{Ph-C-CIS}}&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
===Quiet changes (2026)===&lt;br /&gt;
====Always free====&lt;br /&gt;
The longtime CEO, Michael Crandell is in an &amp;quot;advisory role&amp;quot; since February. In addition, Bitwarden&#039;s CFO was replaced in April. There weren&#039;t any official announcements for either of these changes. Bitwarden&#039;s free plan on their product page included the phrases &amp;quot;Free Forever&amp;quot; and &amp;quot;Always free.&amp;quot;&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; These phrases are present even on the Wayback machine&#039;s oldest archive (2022-06-25) of Bitwarden&#039;s product site.&amp;lt;ref&amp;gt;{{Cite web |title=The Bitwarden Password Manager |date=2022-06-25 |url=https://web.archive.org/web/20220625012714/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:Bitwarden20260414.webp|alt=(I) Bitwarden product page Wayback machine on 2026-04-14|right|(I) Bitwarden product page Wayback machine on 2026-04-14&lt;br /&gt;
File:Bitwarden20260418.webp|alt=(II) Bitwarden product page Wayback machine on 2026-04-18|right|(II) Bitwarden product page Wayback machine on 2026-04-18&lt;br /&gt;
File:Bitwarden20260515.webp|alt=(III) Bitwarden product page Wayback machine on 2026-05-15|right|(III) Bitwarden product page Wayback machine on 2026-05-15&lt;br /&gt;
File:Bitwarden20260519.webp|alt=(IV) Bitwarden product page Wayback machine on 2026-05-19|right|(IV) Bitwarden product page Wayback machine on 2026-05-19&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
&amp;quot;Always free&amp;quot; reportedly disappeared from the site in April.&amp;lt;ref name=&amp;quot;souray&amp;quot;&amp;gt;{{Cite web |first=Souray |last=Rudra |date=2026-05-19 |title=Things Are Quietly Changing at Bitwarden, and People Are Worried |url=https://itsfoss.com/news/bitwarden-quiet-changes/ |website=itsfoss.com |archive-url=https://ghostarchive.org/archive/jmqHZ |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; The archives from April, (I) and (II), reveal that the phrase disappeared sometime between 2026-04-14 (left on image I) and 2026-04-18 (bottom on image II). The archives from May, (III) and (IV) ,reveal that it came back sometime between 2026-05-15 (bottom left on image III) and 2026-05-19 (bottom left on image IV).&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-04-14 |url=https://web.archive.org/web/20260414143347/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-04-18 |url=https://web.archive.org/web/20260418162818/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-05-15 |url=https://web.archive.org/web/20260515190646/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-05-19 |url=https://web.archive.org/web/20260519164353/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
====GRIT====&lt;br /&gt;
&amp;lt;blockquote&amp;gt;Bitwarden has used the GRIT acronym to describe its company culture for years, standing for Gratitude, Responsibility, Inclusion, and Transparency.&amp;lt;/blockquote&amp;gt;On the Wayback machine&#039;s archive from 2026-03-14, they were still unchanged on Bitwarden&#039;s blog.&amp;lt;ref&amp;gt;{{Cite web |title=Defining and sustaining value for Bitwarden users |first=Michael |last=Crandell |orig-date=2022-06-08 |date=2026-03-14 |url=https://web.archive.org/web/20260314030243/https://bitwarden.com/blog/defining-and-sustaining-value-for-bitwarden-users/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;blockquote&amp;gt;At some point after that, they were quietly changed. GRIT now stands for Gratitude, Responsibility, Innovation, and Trust.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; The original blog post was also updated, so that it now includes the new version of the acronym.&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |date=2022-06-08 |first=Michael |last=Crandell |title=Defining and sustaining value for Bitwarden users |url=https://bitwarden.com/blog/defining-and-sustaining-value-for-bitwarden-users/#bitwarden-operates-with-grit |url-status=live |website=bitwarden.com |archive-url=https://ghostarchive.org/archive/Iek3a |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Products==&lt;br /&gt;
*Bitwarden password manager&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[[LastPass]]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59179</id>
		<title>Bitwarden</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59179"/>
		<updated>2026-06-27T18:23:29Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: /* Quiet changes (2026) */ added a reference&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{CompanyCargo&lt;br /&gt;
|Founded=2019-10-28&lt;br /&gt;
|Industry=Software&lt;br /&gt;
|Type=Private&lt;br /&gt;
|Logo=Bitwarden logo.webp&lt;br /&gt;
|CompanyAlias=Bitwarden, Inc.&lt;br /&gt;
|Website=https://bitwarden.com, https://bitwarden.eu&lt;br /&gt;
}}&lt;br /&gt;
Bitwarden is an American software company, incorporated in Delaware and with headquarters in Santa Barbara, California.&amp;lt;ref&amp;gt;{{Cite web |title=Division of Corporations |url=https://icis.corp.delaware.gov/ecorp/entitysearch/NameSearch.aspx |url-status=live |website=icis.corp.delaware.gov |quote=File Number: 7654941}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Business Search |url=https://bizfileonline.sos.ca.gov/search/business |url-status=live |website=bizfileonline.sos.ca.gov |quote=BITWARDEN INC. (4612828)}}&amp;lt;/ref&amp;gt; Its main product is the eponymous password manager.&lt;br /&gt;
&lt;br /&gt;
==Consumer-impact summary==&lt;br /&gt;
{{Ph-C-CIS}}&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
===Quiet changes (2026)===&lt;br /&gt;
The longtime CEO, Michael Crandell is in an &amp;quot;advisory role&amp;quot; since February. In addition, Bitwarden&#039;s CFO was replaced in April. There weren&#039;t any official announcements for either of these changes. Bitwarden&#039;s free plan on their product page included the phrases &amp;quot;Free Forever&amp;quot; and &amp;quot;Always free.&amp;quot;&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; These phrases are present even on the Wayback machine&#039;s oldest archive (2022-06-25) of Bitwarden&#039;s product site.&amp;lt;ref&amp;gt;{{Cite web |title=The Bitwarden Password Manager |date=2022-06-25 |url=https://web.archive.org/web/20220625012714/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:Bitwarden20260414.webp|alt=(I) Bitwarden product page Wayback machine on 2026-04-14|right|(I) Bitwarden product page Wayback machine on 2026-04-14&lt;br /&gt;
File:Bitwarden20260418.webp|alt=(II) Bitwarden product page Wayback machine on 2026-04-18|right|(II) Bitwarden product page Wayback machine on 2026-04-18&lt;br /&gt;
File:Bitwarden20260515.webp|alt=(III) Bitwarden product page Wayback machine on 2026-05-15|right|(III) Bitwarden product page Wayback machine on 2026-05-15&lt;br /&gt;
File:Bitwarden20260519.webp|alt=(IV) Bitwarden product page Wayback machine on 2026-05-19|right|(IV) Bitwarden product page Wayback machine on 2026-05-19&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
&amp;quot;Always free&amp;quot; reportedly disappeared from the site in April.&amp;lt;ref name=&amp;quot;souray&amp;quot;&amp;gt;{{Cite web |first=Souray |last=Rudra |date=2026-05-19 |title=Things Are Quietly Changing at Bitwarden, and People Are Worried |url=https://itsfoss.com/news/bitwarden-quiet-changes/ |website=itsfoss.com |archive-url=https://ghostarchive.org/archive/jmqHZ |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; The archives from April, (I) and (II), reveal that the phrase disappeared sometime between 2026-04-14 (left on image I) and 2026-04-18 (bottom on image II). The archives from May, (III) and (IV) ,reveal that it came back sometime between 2026-05-15 (bottom left on image III) and 2026-05-19 (bottom left on image IV).&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-04-14 |url=https://web.archive.org/web/20260414143347/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-04-18 |url=https://web.archive.org/web/20260418162818/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-05-15 |url=https://web.archive.org/web/20260515190646/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-05-19 |url=https://web.archive.org/web/20260519164353/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Products==&lt;br /&gt;
*Bitwarden password manager&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[[LastPass]]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59178</id>
		<title>Bitwarden</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59178"/>
		<updated>2026-06-27T18:21:07Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: /* Incidents */ added a reference to paragraph&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{CompanyCargo&lt;br /&gt;
|Founded=2019-10-28&lt;br /&gt;
|Industry=Software&lt;br /&gt;
|Type=Private&lt;br /&gt;
|Logo=Bitwarden logo.webp&lt;br /&gt;
|CompanyAlias=Bitwarden, Inc.&lt;br /&gt;
|Website=https://bitwarden.com, https://bitwarden.eu&lt;br /&gt;
}}&lt;br /&gt;
Bitwarden is an American software company, incorporated in Delaware and with headquarters in Santa Barbara, California.&amp;lt;ref&amp;gt;{{Cite web |title=Division of Corporations |url=https://icis.corp.delaware.gov/ecorp/entitysearch/NameSearch.aspx |url-status=live |website=icis.corp.delaware.gov |quote=File Number: 7654941}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Business Search |url=https://bizfileonline.sos.ca.gov/search/business |url-status=live |website=bizfileonline.sos.ca.gov |quote=BITWARDEN INC. (4612828)}}&amp;lt;/ref&amp;gt; Its main product is the eponymous password manager.&lt;br /&gt;
&lt;br /&gt;
==Consumer-impact summary==&lt;br /&gt;
{{Ph-C-CIS}}&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
===Quiet changes (2026)===&lt;br /&gt;
The longtime CEO, Michael Crandell is in an &amp;quot;advisory role&amp;quot; since February. In addition, Bitwarden&#039;s CFO was replaced in April. There weren&#039;t any official announcements for either of these changes. Bitwarden&#039;s free plan on their product page included the phrases &amp;quot;Free Forever&amp;quot; and &amp;quot;Always free.&amp;quot;&amp;lt;ref name=&amp;quot;souray&amp;quot; /&amp;gt; These phrases are present even on the Wayback machine&#039;s oldest archive (2022-06-25) of Bitwarden&#039;s product site.&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:Bitwarden20260414.webp|alt=(I) Bitwarden product page Wayback machine on 2026-04-14|right|(I) Bitwarden product page Wayback machine on 2026-04-14&lt;br /&gt;
File:Bitwarden20260418.webp|alt=(II) Bitwarden product page Wayback machine on 2026-04-18|right|(II) Bitwarden product page Wayback machine on 2026-04-18&lt;br /&gt;
File:Bitwarden20260515.webp|alt=(III) Bitwarden product page Wayback machine on 2026-05-15|right|(III) Bitwarden product page Wayback machine on 2026-05-15&lt;br /&gt;
File:Bitwarden20260519.webp|alt=(IV) Bitwarden product page Wayback machine on 2026-05-19|right|(IV) Bitwarden product page Wayback machine on 2026-05-19&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
&amp;quot;Always free&amp;quot; reportedly disappeared from the site in April.&amp;lt;ref name=&amp;quot;souray&amp;quot;&amp;gt;{{Cite web |first=Souray |last=Rudra |date=2026-05-19 |title=Things Are Quietly Changing at Bitwarden, and People Are Worried |url=https://itsfoss.com/news/bitwarden-quiet-changes/ |website=itsfoss.com |archive-url=https://ghostarchive.org/archive/jmqHZ |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; The archives from April, (I) and (II), reveal that the phrase disappeared sometime between 2026-04-14 (left on image I) and 2026-04-18 (bottom on image II). The archives from May, (III) and (IV) ,reveal that it came back sometime between 2026-05-15 (bottom left on image III) and 2026-05-19 (bottom left on image IV).&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-04-14 |url=https://web.archive.org/web/20260414143347/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-04-18 |url=https://web.archive.org/web/20260418162818/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-05-15 |url=https://web.archive.org/web/20260515190646/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-05-19 |url=https://web.archive.org/web/20260519164353/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Products==&lt;br /&gt;
*Bitwarden password manager&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[[LastPass]]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59177</id>
		<title>Bitwarden</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59177"/>
		<updated>2026-06-27T18:19:20Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: /* See also */ added link to see also&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{CompanyCargo&lt;br /&gt;
|Founded=2019-10-28&lt;br /&gt;
|Industry=Software&lt;br /&gt;
|Type=Private&lt;br /&gt;
|Logo=Bitwarden logo.webp&lt;br /&gt;
|CompanyAlias=Bitwarden, Inc.&lt;br /&gt;
|Website=https://bitwarden.com, https://bitwarden.eu&lt;br /&gt;
}}&lt;br /&gt;
Bitwarden is an American software company, incorporated in Delaware and with headquarters in Santa Barbara, California.&amp;lt;ref&amp;gt;{{Cite web |title=Division of Corporations |url=https://icis.corp.delaware.gov/ecorp/entitysearch/NameSearch.aspx |url-status=live |website=icis.corp.delaware.gov |quote=File Number: 7654941}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Business Search |url=https://bizfileonline.sos.ca.gov/search/business |url-status=live |website=bizfileonline.sos.ca.gov |quote=BITWARDEN INC. (4612828)}}&amp;lt;/ref&amp;gt; Its main product is the eponymous password manager.&lt;br /&gt;
&lt;br /&gt;
==Consumer-impact summary==&lt;br /&gt;
{{Ph-C-CIS}}&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
===Quiet changes (2026)===&lt;br /&gt;
The longtime CEO, Michael Crandell is in an &amp;quot;advisory role&amp;quot; since February. In addition, Bitwarden&#039;s CFO was replaced in April. There weren&#039;t any official announcements for either of these changes. Bitwarden&#039;s free plan on their product page included the phrases &amp;quot;Free Forever&amp;quot; and &amp;quot;Always free.&amp;quot; These phrases are present even on the Wayback machine&#039;s oldest archive (2022-06-25) of Bitwarden&#039;s product site.&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:Bitwarden20260414.webp|alt=(I) Bitwarden product page Wayback machine on 2026-04-14|right|(I) Bitwarden product page Wayback machine on 2026-04-14&lt;br /&gt;
File:Bitwarden20260418.webp|alt=(II) Bitwarden product page Wayback machine on 2026-04-18|right|(II) Bitwarden product page Wayback machine on 2026-04-18&lt;br /&gt;
File:Bitwarden20260515.webp|alt=(III) Bitwarden product page Wayback machine on 2026-05-15|right|(III) Bitwarden product page Wayback machine on 2026-05-15&lt;br /&gt;
File:Bitwarden20260519.webp|alt=(IV) Bitwarden product page Wayback machine on 2026-05-19|right|(IV) Bitwarden product page Wayback machine on 2026-05-19&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
&amp;quot;Always free&amp;quot; reportedly disappeared from the site in April.&amp;lt;ref&amp;gt;{{Cite web |first=Souray |last=Rudra |date=2026-05-19 |title=Things Are Quietly Changing at Bitwarden, and People Are Worried |url=https://itsfoss.com/news/bitwarden-quiet-changes/ |website=itsfoss.com |archive-url=https://ghostarchive.org/archive/jmqHZ |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; The archives from April, (I) and (II), reveal that the phrase disappeared sometime between 2026-04-14 (left on image I) and 2026-04-18 (bottom on image II). The archives from May, (III) and (IV) ,reveal that it came back sometime between 2026-05-15 (bottom left on image III) and 2026-05-19 (bottom left on image IV).&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-04-14 |url=https://web.archive.org/web/20260414143347/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-04-18 |url=https://web.archive.org/web/20260418162818/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-05-15 |url=https://web.archive.org/web/20260515190646/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-05-19 |url=https://web.archive.org/web/20260519164353/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Products==&lt;br /&gt;
*Bitwarden password manager&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[[LastPass]]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59176</id>
		<title>Bitwarden</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59176"/>
		<updated>2026-06-27T18:18:08Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: /* Incidents */ added an incident&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{CompanyCargo&lt;br /&gt;
|Founded=2019-10-28&lt;br /&gt;
|Industry=Software&lt;br /&gt;
|Type=Private&lt;br /&gt;
|Logo=Bitwarden logo.webp&lt;br /&gt;
|CompanyAlias=Bitwarden, Inc.&lt;br /&gt;
|Website=https://bitwarden.com, https://bitwarden.eu&lt;br /&gt;
}}&lt;br /&gt;
Bitwarden is an American software company, incorporated in Delaware and with headquarters in Santa Barbara, California.&amp;lt;ref&amp;gt;{{Cite web |title=Division of Corporations |url=https://icis.corp.delaware.gov/ecorp/entitysearch/NameSearch.aspx |url-status=live |website=icis.corp.delaware.gov |quote=File Number: 7654941}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Business Search |url=https://bizfileonline.sos.ca.gov/search/business |url-status=live |website=bizfileonline.sos.ca.gov |quote=BITWARDEN INC. (4612828)}}&amp;lt;/ref&amp;gt; Its main product is the eponymous password manager.&lt;br /&gt;
&lt;br /&gt;
==Consumer-impact summary==&lt;br /&gt;
{{Ph-C-CIS}}&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
===Quiet changes (2026)===&lt;br /&gt;
The longtime CEO, Michael Crandell is in an &amp;quot;advisory role&amp;quot; since February. In addition, Bitwarden&#039;s CFO was replaced in April. There weren&#039;t any official announcements for either of these changes. Bitwarden&#039;s free plan on their product page included the phrases &amp;quot;Free Forever&amp;quot; and &amp;quot;Always free.&amp;quot; These phrases are present even on the Wayback machine&#039;s oldest archive (2022-06-25) of Bitwarden&#039;s product site.&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:Bitwarden20260414.webp|alt=(I) Bitwarden product page Wayback machine on 2026-04-14|right|(I) Bitwarden product page Wayback machine on 2026-04-14&lt;br /&gt;
File:Bitwarden20260418.webp|alt=(II) Bitwarden product page Wayback machine on 2026-04-18|right|(II) Bitwarden product page Wayback machine on 2026-04-18&lt;br /&gt;
File:Bitwarden20260515.webp|alt=(III) Bitwarden product page Wayback machine on 2026-05-15|right|(III) Bitwarden product page Wayback machine on 2026-05-15&lt;br /&gt;
File:Bitwarden20260519.webp|alt=(IV) Bitwarden product page Wayback machine on 2026-05-19|right|(IV) Bitwarden product page Wayback machine on 2026-05-19&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
&amp;quot;Always free&amp;quot; reportedly disappeared from the site in April.&amp;lt;ref&amp;gt;{{Cite web |first=Souray |last=Rudra |date=2026-05-19 |title=Things Are Quietly Changing at Bitwarden, and People Are Worried |url=https://itsfoss.com/news/bitwarden-quiet-changes/ |website=itsfoss.com |archive-url=https://ghostarchive.org/archive/jmqHZ |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; The archives from April, (I) and (II), reveal that the phrase disappeared sometime between 2026-04-14 (left on image I) and 2026-04-18 (bottom on image II). The archives from May, (III) and (IV) ,reveal that it came back sometime between 2026-05-15 (bottom left on image III) and 2026-05-19 (bottom left on image IV).&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-04-14 |url=https://web.archive.org/web/20260414143347/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-04-18 |url=https://web.archive.org/web/20260418162818/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-05-15 |url=https://web.archive.org/web/20260515190646/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Best Free &amp;amp; Premium Password Manager |date=2026-05-19 |url=https://web.archive.org/web/20260519164353/https://bitwarden.com/products/personal/ |url-status=live |website=archive.org}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Products==&lt;br /&gt;
*Bitwarden password manager&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
{{Ph-C-SA}}&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=File:Bitwarden20260414.webp&amp;diff=59175</id>
		<title>File:Bitwarden20260414.webp</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=File:Bitwarden20260414.webp&amp;diff=59175"/>
		<updated>2026-06-27T17:53:01Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: Bitwarden product page on the wayback machine in april 2026&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Summary ==&lt;br /&gt;
Bitwarden product page on the wayback machine in april 2026&lt;br /&gt;
== Licensing ==&lt;br /&gt;
{{Fairuse}}&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=File:Bitwarden20260418.webp&amp;diff=59174</id>
		<title>File:Bitwarden20260418.webp</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=File:Bitwarden20260418.webp&amp;diff=59174"/>
		<updated>2026-06-27T17:52:39Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: Bitwarden product page on the wayback machine in april 2026&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Summary ==&lt;br /&gt;
Bitwarden product page on the wayback machine in april 2026&lt;br /&gt;
== Licensing ==&lt;br /&gt;
{{Fairuse}}&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=File:Bitwarden20220625.webp&amp;diff=59172</id>
		<title>File:Bitwarden20220625.webp</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=File:Bitwarden20220625.webp&amp;diff=59172"/>
		<updated>2026-06-27T17:36:48Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: An screenshot of bitwarden&amp;#039;s product page on the wayback machine (oldest archive for page).&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Summary ==&lt;br /&gt;
An screenshot of bitwarden&#039;s product page on the wayback machine (oldest archive for page).&lt;br /&gt;
== Licensing ==&lt;br /&gt;
{{Fairuse}}&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=File:Bitwarden20260519.webp&amp;diff=59171</id>
		<title>File:Bitwarden20260519.webp</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=File:Bitwarden20260519.webp&amp;diff=59171"/>
		<updated>2026-06-27T17:36:18Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: An screenshot of bitwarden&amp;#039;s product page on the wayback machine.&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Summary ==&lt;br /&gt;
An screenshot of bitwarden&#039;s product page on the wayback machine.&lt;br /&gt;
== Licensing ==&lt;br /&gt;
{{Fairuse}}&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=File:Bitwarden20260515.webp&amp;diff=59170</id>
		<title>File:Bitwarden20260515.webp</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=File:Bitwarden20260515.webp&amp;diff=59170"/>
		<updated>2026-06-27T17:35:57Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: An screenshot of bitwarden&amp;#039;s product page on the wayback machine.&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Summary ==&lt;br /&gt;
An screenshot of bitwarden&#039;s product page on the wayback machine.&lt;br /&gt;
== Licensing ==&lt;br /&gt;
{{Fairuse}}&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59168</id>
		<title>Bitwarden</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59168"/>
		<updated>2026-06-27T17:00:46Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: /* Products */ added a product&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{CompanyCargo&lt;br /&gt;
|Founded=2019-10-28&lt;br /&gt;
|Industry=Software&lt;br /&gt;
|Type=Private&lt;br /&gt;
|Logo=Bitwarden logo.webp&lt;br /&gt;
|CompanyAlias=Bitwarden, Inc.&lt;br /&gt;
|Website=https://bitwarden.com, https://bitwarden.eu&lt;br /&gt;
}}&lt;br /&gt;
Bitwarden is an American software company, incorporated in Delaware and with headquarters in Santa Barbara, California.&amp;lt;ref&amp;gt;{{Cite web |title=Division of Corporations |url=https://icis.corp.delaware.gov/ecorp/entitysearch/NameSearch.aspx |url-status=live |website=icis.corp.delaware.gov |quote=File Number: 7654941}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Business Search |url=https://bizfileonline.sos.ca.gov/search/business |url-status=live |website=bizfileonline.sos.ca.gov |quote=BITWARDEN INC. (4612828)}}&amp;lt;/ref&amp;gt; Its main product is the eponymous password manager.&lt;br /&gt;
&lt;br /&gt;
==Consumer-impact summary==&lt;br /&gt;
{{Ph-C-CIS}}&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
{{Ph-C-Inc}}&lt;br /&gt;
&lt;br /&gt;
This is a list of all consumer-protection incidents this company is involved in. Any incidents not mentioned here can be found in the [[:Category:{{FULLPAGENAME}}|{{PAGENAME}} category]].&lt;br /&gt;
===Example incident one (&#039;&#039;date&#039;&#039;)===&lt;br /&gt;
{{Main|link to the main CR Wiki article}}&lt;br /&gt;
Short summary of the incident (could be the same as the summary preceding the article).&lt;br /&gt;
===Example incident two (&#039;&#039;date&#039;&#039;)===&lt;br /&gt;
...&lt;br /&gt;
&lt;br /&gt;
==Products==&lt;br /&gt;
*Bitwarden password manager&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
{{Ph-C-SA}}&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59167</id>
		<title>Bitwarden</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59167"/>
		<updated>2026-06-27T16:59:30Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: added logo&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{CompanyCargo&lt;br /&gt;
|Founded=2019-10-28&lt;br /&gt;
|Industry=Software&lt;br /&gt;
|Type=Private&lt;br /&gt;
|Logo=Bitwarden logo.webp&lt;br /&gt;
|CompanyAlias=Bitwarden, Inc.&lt;br /&gt;
|Website=https://bitwarden.com, https://bitwarden.eu&lt;br /&gt;
}}&lt;br /&gt;
Bitwarden is an American software company, incorporated in Delaware and with headquarters in Santa Barbara, California.&amp;lt;ref&amp;gt;{{Cite web |title=Division of Corporations |url=https://icis.corp.delaware.gov/ecorp/entitysearch/NameSearch.aspx |url-status=live |website=icis.corp.delaware.gov |quote=File Number: 7654941}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Business Search |url=https://bizfileonline.sos.ca.gov/search/business |url-status=live |website=bizfileonline.sos.ca.gov |quote=BITWARDEN INC. (4612828)}}&amp;lt;/ref&amp;gt; Its main product is the eponymous password manager.&lt;br /&gt;
&lt;br /&gt;
==Consumer-impact summary==&lt;br /&gt;
{{Ph-C-CIS}}&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
{{Ph-C-Inc}}&lt;br /&gt;
&lt;br /&gt;
This is a list of all consumer-protection incidents this company is involved in. Any incidents not mentioned here can be found in the [[:Category:{{FULLPAGENAME}}|{{PAGENAME}} category]].&lt;br /&gt;
===Example incident one (&#039;&#039;date&#039;&#039;)===&lt;br /&gt;
{{Main|link to the main CR Wiki article}}&lt;br /&gt;
Short summary of the incident (could be the same as the summary preceding the article).&lt;br /&gt;
===Example incident two (&#039;&#039;date&#039;&#039;)===&lt;br /&gt;
...&lt;br /&gt;
&lt;br /&gt;
==Products==&lt;br /&gt;
{{Ph-C-P}}&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
{{Ph-C-SA}}&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=File:Bitwarden_logo.webp&amp;diff=59166</id>
		<title>File:Bitwarden logo.webp</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=File:Bitwarden_logo.webp&amp;diff=59166"/>
		<updated>2026-06-27T16:57:54Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: Bitwarden&amp;#039;s logo. Rasterized at low res due to fair use rationale. Source: https://upload.wikimedia.org/wikipedia/commons/thumb/c/cc/Bitwarden_logo.svg/330px-Bitwarden_logo.svg.png&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Summary ==&lt;br /&gt;
Bitwarden&#039;s logo. Rasterized at low res due to fair use rationale. Source: https://upload.wikimedia.org/wikipedia/commons/thumb/c/cc/Bitwarden_logo.svg/330px-Bitwarden_logo.svg.png&lt;br /&gt;
== Licensing ==&lt;br /&gt;
{{Fairuse}}&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59165</id>
		<title>Bitwarden</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59165"/>
		<updated>2026-06-27T16:51:59Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: added basic info&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{CompanyCargo&lt;br /&gt;
|Founded=2019-10-28&lt;br /&gt;
|Industry=Software&lt;br /&gt;
|Type=Private&lt;br /&gt;
|CompanyAlias=Bitwarden, Inc.&lt;br /&gt;
|Website=https://bitwarden.com, https://bitwarden.eu&lt;br /&gt;
}}&lt;br /&gt;
Bitwarden is an American software company, incorporated in Delaware and with headquarters in Santa Barbara, California.&amp;lt;ref&amp;gt;{{Cite web |title=Division of Corporations |url=https://icis.corp.delaware.gov/ecorp/entitysearch/NameSearch.aspx |url-status=live |website=icis.corp.delaware.gov |quote=File Number: 7654941}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Business Search |url=https://bizfileonline.sos.ca.gov/search/business |url-status=live |website=bizfileonline.sos.ca.gov |quote=BITWARDEN INC. (4612828)}}&amp;lt;/ref&amp;gt; Its main product is the eponymous password manager.&lt;br /&gt;
&lt;br /&gt;
==Consumer-impact summary==&lt;br /&gt;
{{Ph-C-CIS}}&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
{{Ph-C-Inc}}&lt;br /&gt;
&lt;br /&gt;
This is a list of all consumer-protection incidents this company is involved in. Any incidents not mentioned here can be found in the [[:Category:{{FULLPAGENAME}}|{{PAGENAME}} category]].&lt;br /&gt;
===Example incident one (&#039;&#039;date&#039;&#039;)===&lt;br /&gt;
{{Main|link to the main CR Wiki article}}&lt;br /&gt;
Short summary of the incident (could be the same as the summary preceding the article).&lt;br /&gt;
===Example incident two (&#039;&#039;date&#039;&#039;)===&lt;br /&gt;
...&lt;br /&gt;
&lt;br /&gt;
==Products==&lt;br /&gt;
{{Ph-C-P}}&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
{{Ph-C-SA}}&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59164</id>
		<title>Bitwarden</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=Bitwarden&amp;diff=59164"/>
		<updated>2026-06-27T16:35:54Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: created a page on bitwarden&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{CompanyCargo&lt;br /&gt;
|Founded=2019-10-28&lt;br /&gt;
|Industry=Software&lt;br /&gt;
|Type=Private&lt;br /&gt;
|Website=https://bitwarden.com, https://bitwarden.eu&lt;br /&gt;
}}&lt;br /&gt;
{{Ph-C-Int}}&lt;br /&gt;
&lt;br /&gt;
==Consumer-impact summary==&lt;br /&gt;
{{Ph-C-CIS}}&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
{{Ph-C-Inc}}&lt;br /&gt;
&lt;br /&gt;
This is a list of all consumer-protection incidents this company is involved in. Any incidents not mentioned here can be found in the [[:Category:{{FULLPAGENAME}}|{{PAGENAME}} category]].&lt;br /&gt;
===Example incident one (&#039;&#039;date&#039;&#039;)===&lt;br /&gt;
{{Main|link to the main CR Wiki article}}&lt;br /&gt;
Short summary of the incident (could be the same as the summary preceding the article).&lt;br /&gt;
===Example incident two (&#039;&#039;date&#039;&#039;)===&lt;br /&gt;
...&lt;br /&gt;
&lt;br /&gt;
==Products==&lt;br /&gt;
{{Ph-C-P}}&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
{{Ph-C-SA}}&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=EDRLab&amp;diff=59160</id>
		<title>EDRLab</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=EDRLab&amp;diff=59160"/>
		<updated>2026-06-27T14:26:36Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: /* Forced arbitration (2026-04-08 ToS version) */ expanded sentence&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{CompanyCargo&lt;br /&gt;
|Founded=2015-07-17&lt;br /&gt;
|Industry=Software&lt;br /&gt;
|Logo=Edrlab.png&lt;br /&gt;
|Type=Non-profit&lt;br /&gt;
|CompanyAlias=European Digital Reading Lab&lt;br /&gt;
|Website=https://www.edrlab.org, https://www.thoriumreader.com&lt;br /&gt;
}}&lt;br /&gt;
EDRLab is a &amp;quot;non-profit development laboratory working on the deployment of an open, interoperable and accessible digital publishing ecosystem worldwide.&amp;quot; It has over 100 members, but some of its founding members are: [[wikipedia:Editis|Editis]], [[wikipedia:Hachette Livre|Hachette]], [[wikipedia:Centre national du livre|Centre National du livre]], [[wikipedia:Groupe Madrigall|Groupe Madrigall]] and the French State. EDRLab is a member of [[wikipedia:World Wide Web Consortium|W3C]] and [[Readium|Readium Foundation]]. It is one of the main contributors to Readium toolkits and the manager of Readium LCP [[Digital rights management|DRM]]. They are also the creators of Thorium Reader, an EPUB reading application.&amp;lt;ref&amp;gt;{{Cite web |title=About |url=https://www.edrlab.org/about/ |url-status=live |website=edrlab.org |archive-url=https://web.archive.org/web/20260502070949/https://www.edrlab.org/about/ |archive-date=2026-05-02 |access-date=2026-06-24}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=EDRLab members directory |url=https://members.edrlab.org |url-status=live |archive-url=https://web.archive.org/web/20260303083006/https://members.edrlab.org/ |archive-date=2026-03-03 |access-date=2026-06-24}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |language=fr |title=SITUATION AU REPERTOIRE SIRENE |date=2026-06-24 |url=https://api-avis-situation-sirene.insee.fr/identification/pdf/81344547500029 |url-status=live |website=insee.fr |archive-url=https://web.archive.org/web/20260624170714/https://api-avis-situation-sirene.insee.fr/identification/pdf/81344547500029 |archive-date=2026-06-24}}&amp;lt;/ref&amp;gt; They also focus on accessibility in order to increase the number of books available to people with disabilities.&amp;lt;ref&amp;gt;{{Cite web |title=Accessibility |url=https://www.edrlab.org/accessibility/ |url-status=live |website=edrlab.org |archive-url=https://ghostarchive.org/archive/EMoqh |archive-date=2026-06-25}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
==Consumer-impact summary==&lt;br /&gt;
EDRLab is one of the main contributors to [[Readium]] LCP DRM. Their EPUB reader application, Thorium Reader, which uses &amp;lt;abbr title=&amp;quot;Licensed Content Protection&amp;quot;&amp;gt;LCP&amp;lt;/abbr&amp;gt;, claims to be private, yet it has &amp;quot;non-personal&amp;quot; data collection that the user cannot opt out of. It also contacts EDRLab&#039;s servers every time the application is started. &lt;br /&gt;
&lt;br /&gt;
This is not apparent, since Thorium&#039;s installer doesn&#039;t inform the user of this, there are no &amp;quot;agree/disagree&amp;quot; options and Thorium&#039;s interface does not directly link to either the [[Terms of service]] (ToS) or the Privacy policy (see: [[EDRLab#User not clearly presented with terms|User not clearly presented with terms]]. Users also wouldn&#039;t be notified if the Privacy policy were to change, since that would require them to manually check the Privacy policy page for updates. &lt;br /&gt;
&lt;br /&gt;
The Terms of service also mentions that the user agrees to &amp;quot;indemnify and hold harmless the EDRLab Parties&amp;quot; even for &amp;quot;alleged&amp;quot; breaches by the user of the ToS. It is also stated that &amp;quot;EDRLab Parties have the right to monitor the use of the Application.&amp;quot; The 2026 ToS also contains a [[Forced arbitration]] clause (see: [[EDRLab#Forced arbitration (2026-04-08 ToS version)|Forced arbitration (2026-04-08 ToS version)]]).&lt;br /&gt;
&lt;br /&gt;
The application is also deceptively marketed as open source as it is stated in the privacy policy that it is in fact not entirely open source, but rather has a &amp;quot;small software library used as core for the Readium LCP DRM, which does not store or send any data.&amp;quot; This requires users to trust the company on their word, since users cannot inspect the application, as they may not &amp;quot;rent, sell, modify, decompile, disassemble, reverse engineer or transfer the Application in whole or in part&amp;quot;, according to the Terms of service. Furthermore, this connects directly to the 2nd paragraph. The Terms of service as well as the Privacy policy are discussed in more detail in the &amp;quot;Incidents&amp;quot; section (see: [[EDRLab#Thorium Reader privacy policy and terms of use|Thorium Reader privacy policy and terms of use]]).&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
===Thorium Reader privacy policy and terms of use===&lt;br /&gt;
====Privacy policy (2022-11-22 version)====&lt;br /&gt;
Despite Thorium&#039;s homepage stating that:&amp;lt;blockquote&amp;gt;This application is free, with no ads and no private data leaks.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;thorium-home&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://www.edrlab.org/software/thorium-reader/ |url-status=live |website=edrlab.org |archive-url=https://web.archive.org/web/20260619033750/https://www.edrlab.org/software/thorium-reader/ |archive-date=2026-06-19 |access-date=2026-06-24}}&amp;lt;/ref&amp;gt;There is data collection, but it is stated that it is &amp;quot;non-personal.&amp;quot; The application calling itself private might give some users the wrong impression, if they take that to mean &amp;quot;no phoning home.&amp;quot; The reader sends this &amp;quot;non-personal&amp;quot; data to EDRLab&#039;s servers. &lt;br /&gt;
&lt;br /&gt;
It is impossible to opt out of &amp;quot;notifications&amp;quot; that are sent to a server every time the application is started. They state that this information &amp;lt;blockquote&amp;gt;is for analytics only and not accessed by any third party. It is used to get information about the evolution of the number of installs of the application per operating system, the evolution of usage sessions and the main locales in use.&amp;lt;/blockquote&amp;gt;And:&amp;lt;blockquote&amp;gt;Parameters of such notification are:&lt;br /&gt;
&lt;br /&gt;
*a timestamp,&lt;br /&gt;
*the version of Thorium Reader,&lt;br /&gt;
*the operating system of the device and its version,&lt;br /&gt;
*the locale of the application at the time it is started,&lt;br /&gt;
*if this is the first start of Thorium Reader after a fresh install.&lt;br /&gt;
&lt;br /&gt;
The IP address of the device is not stored along with the above information.&lt;br /&gt;
&lt;br /&gt;
It is not possible to opt-out from this notification.&amp;lt;/blockquote&amp;gt;Also:&amp;lt;blockquote&amp;gt;a notification is sent to an LCP Server each time a protected publication is open. This is required by the LCP specification for checking if the license of use of the publication has been updated. There is not centralized LCP Server, each server is operated by the distributor of the protected publication acquired by the user.&lt;br /&gt;
&lt;br /&gt;
Parameters of such notification are:&lt;br /&gt;
&lt;br /&gt;
*a device identifier, automatically generated at the install of the application.&lt;br /&gt;
*a device name, automatically generated at the install of the application.&lt;br /&gt;
&lt;br /&gt;
The codebase of Thorium Reader is open-sourced and can therefore be fully inspected, with the exception of a small software library used as core for the Readium LCP DRM, which does not store or send any data.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
The terms of privacy policy can also evidently be changed without users being notified in their actual reading application, but rather: &amp;lt;blockquote&amp;gt;We may change the Privacy Policy from time to time. We will notify you by posting the revised Privacy Policy on this page and the date on which the last changes were made will be noted at the top of the page.&amp;lt;/blockquote&amp;gt;So users would have to periodically check this site to know whether any terms have changed.&lt;br /&gt;
&lt;br /&gt;
====Terms of service (2022-11-22 version)====&lt;br /&gt;
Moving on to the Terms of service, there are several interesting things. First:&amp;lt;blockquote&amp;gt;You hereby agree to indemnify and hold harmless the EDRLab Parties from and against any and all claims, actions or proceedings of any nature whatsoever and all damages, judgments, losses, liabilities, costs and expenses, including reasonable attorneys’ fees and expenses (including those incurred to enforce this provision), arising out of your use of the Application, the Content, any actual or alleged breach by you of these Terms of Use, or any violation by you of any applicable law or the rights of any other person or entity.&amp;lt;/blockquote&amp;gt;Especially:&amp;lt;blockquote&amp;gt;any actual or alleged breach by you of these Terms of Use&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
As per this, one is agreeing to &amp;quot;indemnify and hold harmless the EDRLab Parties&amp;quot; even for alleged breaches of the terms of service.&lt;br /&gt;
&lt;br /&gt;
In one of the quotes above, it is mentioned that due to Thorium&#039;s open source nature, one can inspect its source code apart from a &amp;quot;small software library used as core for the Readium LCP DRM, which does not store or send any data&amp;quot; Which, one cannot verify that part, since:&amp;lt;blockquote&amp;gt;In addition, you may not rent, sell, modify, decompile, disassemble, reverse engineer or transfer the Application in whole or in part. You may not use any device, software or routine to interfere with or attempt to interfere with the proper functioning of the Application in whole or in part.&amp;lt;/blockquote&amp;gt;So it would appear that it is up to individual users to decide if not being able to verify that part is acceptable to them. Finally, there is also this:&amp;lt;blockquote&amp;gt; However, you acknowledge that the EDRLab Parties have the right to monitor the use of the Application, at its sole discretion, and to disclose any information necessary to comply with any law, regulation or government request, in order to be able to operate the Application adequately or in order to protect itself or its users under the “Privacy Policy”&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;tos&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader – Terms of Use |date=2022-11-22 |url=https://www.edrlab.org/software/thorium-reader/terms-of-use/ |website=edrlab.org |url-status=live |archive-url=https://web.archive.org/web/20260617083801/https://www.edrlab.org/software/thorium-reader/terms-of-use/ |archive-date=2026-06-17 |access-date=2026-06-24}}&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;privacy-policy&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader – Privacy Policy |date=2022-11-22 |url=https://www.edrlab.org/software/thorium-reader/privacy-policy/ |website=edrlab.org |archive-url=https://web.archive.org/web/20260617083801/https://www.edrlab.org/software/thorium-reader/privacy-policy/ |url-status=live |archive-date=2026-06-17 |access-date=2026-06-24}}&amp;lt;/ref&amp;gt; The above summarizes and discusses Thorium&#039;s Privacy policy and Terms of service. Readers are encouraged to consult both the Privacy policy and the Terms of service for themselves and form their own conclusions.&lt;br /&gt;
=====Forced arbitration (2026-04-08 ToS version)=====&lt;br /&gt;
In the updated Terms of service (see [[EDRLab#External links|External links]]), from 2026-04-08, there is a Forced arbitration clause.&amp;lt;blockquote&amp;gt;To the fullest extent permitted by applicable law, any dispute, claim or controversy between you and EDRLab that relates in any way to or arises from your use of the Application or these Terms of Use (a “Dispute”) shall be resolved on an individual basis and, except as provided below, exclusively through binding arbitration. A Dispute will be submitted to arbitration, whether it is based on contract, statute, regulation, court order, tort or any other legal or equitable theory. You understand that in arbitration, there is no judge or jury and that judicial review of an arbitral award is limited. Unless otherwise required by mandatory law, the arbitration shall be administered by a recognised arbitration institution (for example, the ICC in Paris, or, for consumers in the United States, the American Arbitration Association) under its applicable rules for consumer or commercial disputes, as modified by this clause. The arbitration shall be conducted by a single arbitrator, in French or English, and, unless the arbitrator decides that an in‑person hearing is necessary, may be held by videoconference. The arbitrator shall apply the applicable governing law set out below and may award any remedies available at law or in equity. The arbitrator’s award shall be final and binding and may be entered in any court of competent jurisdiction.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
And:&amp;lt;blockquote&amp;gt;You agree that any arbitration or court proceeding will be conducted only on an individual basis, not as a class, collective, or representative action. To the fullest extent permitted by applicable law, you and EDRLab each waive any right to a jury trial in any court proceedings. Notwithstanding the foregoing, either you or EDRLab may: (a) bring an individual action in a court of competent jurisdiction for claims that fall within the jurisdiction of a small‑claims or equivalent court, or (b) seek provisional or injunctive relief in a court of competent jurisdiction to protect intellectual property rights or prevent unauthorised access to or use of the Application. You and we agree to submit to the exclusive jurisdiction of Paris, France. Unless prohibited by applicable law, and without regard to its conflict of laws principles, you and we agree that any Dispute between you and us will be governed by and construed in accordance with the laws of France. ​In all cases, nothing in these Terms of Use is intended to waive any sovereign immunity, governmental immunity or other mandatory legal protection that cannot be contractually waived under applicable law.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
You also agree to first contact EDRLab and try to resolve matters &amp;quot;informally&amp;quot;, before initiating any proceedings:&amp;lt;blockquote&amp;gt;If you have any concern or dispute regarding the Application or these Terms of Use, you agree first to contact EDRLab at contact@edrlab.org and to make a good‑faith effort to resolve the dispute informally for at least thirty (30) days before initiating arbitration or court proceedings.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;tos2&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===User not clearly presented with terms===&lt;br /&gt;
During the installation process, the user is not clearly presented with the Terms of use or the Privacy policy. There is no option to agree or disagree to the terms and the privacy policy, nor are they directly linked in the app (see: [[EDRLab#Installation|Installation]] and [[EDRLab#Post-installation|Post-installation]]). While it is not possible to opt out, the user doesn&#039;t know that during installation, unless they&#039;d scrolled on Thorium&#039;s webpage to find the Terms of use and the Privacy policy, or unless they&#039;d found them wherever they&#039;re installing the app from (e.g. [[Microsoft|Microsoft]] Store). See [[EDRLab#External links|External links]] for installation videos of Thorium.&amp;lt;ref name=&amp;quot;install-thorium-win&amp;quot;&amp;gt;{{Cite web |date=2026-02-24 |title=installer_thorium_pc |author=Stine Kjær Kappel |language=da |url=https://edumedia.dk/media/t/0_dadiw6fi/480184 |url-status=live |website=edumedia.dk |archive-url=https://ghostarchive.org/archive/3IlBv |archive-date=2026-06-25}}&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;install-thorium-mac&amp;quot;&amp;gt;{{Cite web |date=2026-02-24 |title=installer_thorium_mac |author=Stine Kjær Kappel |language=da |url=https://edumedia.dk/media/t/0_1j7nppt4 |url-status=live |website=edumedia.dk |archive-url=https://ghostarchive.org/archive/ILix8 |archive-date=2026-06-25}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
====Installation====&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:Thorium-website.webp|alt=Installation step: 1 (installation page)|right|Installation step: 1 (installation page)&lt;br /&gt;
File:F1.webp|alt=Installation step: 1 (alternative on Windows: Microsoft Store)|right|Installation step: 1 (alternative on Windows: Microsoft Store)&lt;br /&gt;
File:F2.webp|alt=Installation step: 2 (Thorium being installed)|right|Installation step: 2 (Thorium being installed)&lt;br /&gt;
File:F3.webp|alt=Installation step: 3 (Thorium&#039;s welcome page upon first launch)|right|Installation step: 3 (Thorium&#039;s welcome page upon first launch)&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
No direct presentation of the Terms of use or the Privacy policy during installation (example on Windows).&lt;br /&gt;
=====Step 0=====&lt;br /&gt;
The Terms of use and the Privacy policy can be located on the homepage by scrolling down to the &amp;quot;Terms of Use, Privacy Policy&amp;quot; section.&amp;lt;ref name=&amp;quot;thorium-home&amp;quot; /&amp;gt;&lt;br /&gt;
=====Step 1=====&lt;br /&gt;
On the installation page (step 1), the user would have to click on &amp;quot;Support&amp;quot; on the top right (or &amp;quot;Minimum system requirement&amp;quot; in the center-left) and then locate the &amp;quot;About Thorium Reader&amp;quot; section on the bottom left. This is not the same page as the &amp;quot;About&amp;quot; located next to &amp;quot;Support.&amp;quot;&amp;lt;ref name=&amp;quot;homepage&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://thorium.edrlab.org/en/ |url-status=live |website=thorium.edrlab.org |archive-url=https://ghostarchive.org/archive/BI26o |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Thorium 3 support |url=https://thorium.edrlab.org/en/th3/ |url-status=live |website=thorium.edrlab.org |archive-url=https://ghostarchive.org/archive/eHOlo |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
======Microsoft Store======&lt;br /&gt;
On the Microsoft Store (alternative step 1 for Windows), the &amp;quot;Additional information&amp;quot; section contains links to the Privacy policy and the &amp;quot;Terms of transaction.&amp;quot; The former leads to EDRLab&#039;s &amp;quot;Legal Information&amp;quot; page, not the actual privacy policy on the site that the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; opens (it is also in French, even with the computer&#039;s language set to English)&amp;lt;ref&amp;gt;{{Cite web |title=Legal Information |url=https://www.edrlab.org/legal-information/ |url-status=live |website=edrlab.org |language=fr |archive-url=https://ghostarchive.org/archive/NvQtI |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
The latter link leads to a &amp;quot;Microsoft Store Terms of Sale&amp;quot; (not the same thing as the app&#039;s Terms of use). There is also a website link, but it opens a different website&amp;lt;ref name=&amp;quot;altsite&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://www.thoriumreader.com/en/ |url-status=live |website=thoriumreader.com |archive-url=https://ghostarchive.org/archive/ZjTqS |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; than the one Thorium Reader opens when clicking &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; (see [[EDRLab#External links|External links]]).&amp;lt;ref&amp;gt;{{Cite web |title=Thorium Reader |url=https://apps.microsoft.com/detail/9nfzp1g7m2sc?hl=en-US |website=apps.microsoft.com |url-status=live |archive-url=https://ghostarchive.org/archive/ukmly |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; That site site has a &amp;quot;Legal Notices&amp;quot; (not to be confused with the aforementioned &amp;quot;Legal Information&amp;quot; page) link, through which users can locate the Terms of service and the Privacy policy.&amp;lt;ref name=&amp;quot;altsite&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;conformance&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader Conformance Reports |url=https://conformance.thoriumreader.com/ |url-status=live |website=conformance.thoriumreader.com |archive-url=https://ghostarchive.org/archive/Y4JlV |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=====Steps 2 &amp;amp; 3=====&lt;br /&gt;
The installer does not have a link to the Privacy policy or the Terms of service, but after installation (after getting past the welcome screen in image 3), one can use the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; link to go to the app&#039;s website and locate the documents (see [[EDRLab#Step 0|Step 0]]).&amp;lt;ref name=&amp;quot;thorium-home /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====Post-installation====&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:S1.webp|alt=(I) Welcome dialog post installation|right|(I) Welcome dialog post installation&lt;br /&gt;
File:S2.webp|alt=(II) &amp;quot;Resources &amp;amp; Community&amp;quot; section of the dialog |right|(II) &amp;quot;Resources &amp;amp; Community&amp;quot; section of the dialog&lt;br /&gt;
File:S0.webp|alt=(III)&amp;quot;Home&amp;quot; tab|right|(III) &amp;quot;Home&amp;quot; tab&lt;br /&gt;
File:S3.webp|alt=(IV) Settings -- general -- part 1|right|(IV) Settings -- general (part 1)&lt;br /&gt;
File:S4.webp|alt=(V) Settings -- general -- part 2|right|(V) Settings -- general (part 2)&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
No direct presentation of the Terms of use or the Privacy policy. The dialog in images (I) and (II) only contains information about the app&#039;s version and links, one of which is the website.&amp;lt;ref name=&amp;quot;altsite&amp;quot; /&amp;gt; This webpage includes a &amp;quot;Legal Notices&amp;quot; link, through which users can find the relevant documentation. &lt;br /&gt;
&lt;br /&gt;
Image (III) contains depicts the app&#039;s &amp;quot;Home&amp;quot; tab. The user would have to click the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; link (visible on the bottom right of the images), which would open the app&#039;s website in the browser. This, however, is not the same website as the one that the link from image (II) leads to.&amp;lt;ref name=&amp;quot;homepage&amp;quot; /&amp;gt; In fact, via the former (through &amp;quot;Legal Notices&amp;quot;),&amp;lt;ref name=&amp;quot;conformance&amp;quot; /&amp;gt; users can access a more recent version of the Terms of use (the version from 2026-04-08 as of 2026-06-27);&amp;lt;ref name=&amp;quot;tos2&amp;quot;&amp;gt;{{Cite web |title=Conformance Reports - Terms of use |date=2022-04-08 |url=https://conformance.thoriumreader.com/documents/desktop3/terms-of-use/ |url-status=live |website=conformance.thoriumreader.com |archive-url=https://ghostarchive.org/archive/bRGDV |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; whereas via the latter, users can access (by scrolling down to the &amp;quot;Terms of Use, Privacy Policy&amp;quot; section, where they&#039;d find the link) Terms of service (as of 2026-06-27) from 2022-11-22.&amp;lt;ref name=&amp;quot;tos&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Image (IV) and (V) depict the settings tab, where any links can&#039;t be found either. This is also seen in the installation videos in [[EDRLab#External links|External links]].&amp;lt;ref name=&amp;quot;install-thorium-win&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;install-thorium-mac&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Products==&lt;br /&gt;
*Thorium Reader&lt;br /&gt;
*Readium LCP (main contributor)&lt;br /&gt;
*Lis mon Livre&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[[Digital rights management]]&lt;br /&gt;
*[[Forced arbitration]]&lt;br /&gt;
*[[Readium]]&lt;br /&gt;
*[[Adobe Digital Editions&#039; ebook DRM]]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
&lt;br /&gt;
==External links==&lt;br /&gt;
===Installation videos===&lt;br /&gt;
*[https://edumedia.dk/media/t/0_dadiw6fi/480184 Thorium PC installation video]&lt;br /&gt;
*[https://edumedia.dk/media/t/0_1j7nppt4 Thorium Mac installation video]&lt;br /&gt;
===ToS===&lt;br /&gt;
*[https://conformance.thoriumreader.com/documents/desktop3/terms-of-use/ 2026 ToS] ([https://ghostarchive.org/archive/bRGDV archived])&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/terms-of-use/ 2022 ToS] ([https://ghostarchive.org/archive/O61SS archived])&lt;br /&gt;
===Privacy Policy===&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/privacy-policy/ Privacy policy] ([https://ghostarchive.org/archive/cemKI archived]); [https://conformance.thoriumreader.com/documents/desktop3/privacy-policy/ Same policy but on &amp;quot;conformance.thoriumreader.com&amp;quot;] ([https://ghostarchive.org/archive/ye7GZ archived])&lt;br /&gt;
===Websites===&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/ edrlab.org/software/thorium-reader/] ([https://ghostarchive.org/archive/mqQkB archived])&lt;br /&gt;
*[https://www.thoriumreader.com/en/ thoriumreader.com] ([https://ghostarchive.org/archive/ZjTqS archived])&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=EDRLab&amp;diff=59159</id>
		<title>EDRLab</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=EDRLab&amp;diff=59159"/>
		<updated>2026-06-27T14:17:52Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: /* Privacy policy (22 Nov 2022 version) */ changed date to iso format&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{CompanyCargo&lt;br /&gt;
|Founded=2015-07-17&lt;br /&gt;
|Industry=Software&lt;br /&gt;
|Logo=Edrlab.png&lt;br /&gt;
|Type=Non-profit&lt;br /&gt;
|CompanyAlias=European Digital Reading Lab&lt;br /&gt;
|Website=https://www.edrlab.org, https://www.thoriumreader.com&lt;br /&gt;
}}&lt;br /&gt;
EDRLab is a &amp;quot;non-profit development laboratory working on the deployment of an open, interoperable and accessible digital publishing ecosystem worldwide.&amp;quot; It has over 100 members, but some of its founding members are: [[wikipedia:Editis|Editis]], [[wikipedia:Hachette Livre|Hachette]], [[wikipedia:Centre national du livre|Centre National du livre]], [[wikipedia:Groupe Madrigall|Groupe Madrigall]] and the French State. EDRLab is a member of [[wikipedia:World Wide Web Consortium|W3C]] and [[Readium|Readium Foundation]]. It is one of the main contributors to Readium toolkits and the manager of Readium LCP [[Digital rights management|DRM]]. They are also the creators of Thorium Reader, an EPUB reading application.&amp;lt;ref&amp;gt;{{Cite web |title=About |url=https://www.edrlab.org/about/ |url-status=live |website=edrlab.org |archive-url=https://web.archive.org/web/20260502070949/https://www.edrlab.org/about/ |archive-date=2026-05-02 |access-date=2026-06-24}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=EDRLab members directory |url=https://members.edrlab.org |url-status=live |archive-url=https://web.archive.org/web/20260303083006/https://members.edrlab.org/ |archive-date=2026-03-03 |access-date=2026-06-24}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |language=fr |title=SITUATION AU REPERTOIRE SIRENE |date=2026-06-24 |url=https://api-avis-situation-sirene.insee.fr/identification/pdf/81344547500029 |url-status=live |website=insee.fr |archive-url=https://web.archive.org/web/20260624170714/https://api-avis-situation-sirene.insee.fr/identification/pdf/81344547500029 |archive-date=2026-06-24}}&amp;lt;/ref&amp;gt; They also focus on accessibility in order to increase the number of books available to people with disabilities.&amp;lt;ref&amp;gt;{{Cite web |title=Accessibility |url=https://www.edrlab.org/accessibility/ |url-status=live |website=edrlab.org |archive-url=https://ghostarchive.org/archive/EMoqh |archive-date=2026-06-25}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
==Consumer-impact summary==&lt;br /&gt;
EDRLab is one of the main contributors to [[Readium]] LCP DRM. Their EPUB reader application, Thorium Reader, which uses &amp;lt;abbr title=&amp;quot;Licensed Content Protection&amp;quot;&amp;gt;LCP&amp;lt;/abbr&amp;gt;, claims to be private, yet it has &amp;quot;non-personal&amp;quot; data collection that the user cannot opt out of. It also contacts EDRLab&#039;s servers every time the application is started. &lt;br /&gt;
&lt;br /&gt;
This is not apparent, since Thorium&#039;s installer doesn&#039;t inform the user of this, there are no &amp;quot;agree/disagree&amp;quot; options and Thorium&#039;s interface does not directly link to either the [[Terms of service]] (ToS) or the Privacy policy (see: [[EDRLab#User not clearly presented with terms|User not clearly presented with terms]]. Users also wouldn&#039;t be notified if the Privacy policy were to change, since that would require them to manually check the Privacy policy page for updates. &lt;br /&gt;
&lt;br /&gt;
The Terms of service also mentions that the user agrees to &amp;quot;indemnify and hold harmless the EDRLab Parties&amp;quot; even for &amp;quot;alleged&amp;quot; breaches by the user of the ToS. It is also stated that &amp;quot;EDRLab Parties have the right to monitor the use of the Application.&amp;quot; The 2026 ToS also contains a [[Forced arbitration]] clause (see: [[EDRLab#Forced arbitration (2026-04-08 ToS version)|Forced arbitration (2026-04-08 ToS version)]]).&lt;br /&gt;
&lt;br /&gt;
The application is also deceptively marketed as open source as it is stated in the privacy policy that it is in fact not entirely open source, but rather has a &amp;quot;small software library used as core for the Readium LCP DRM, which does not store or send any data.&amp;quot; This requires users to trust the company on their word, since users cannot inspect the application, as they may not &amp;quot;rent, sell, modify, decompile, disassemble, reverse engineer or transfer the Application in whole or in part&amp;quot;, according to the Terms of service. Furthermore, this connects directly to the 2nd paragraph. The Terms of service as well as the Privacy policy are discussed in more detail in the &amp;quot;Incidents&amp;quot; section (see: [[EDRLab#Thorium Reader privacy policy and terms of use|Thorium Reader privacy policy and terms of use]]).&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
===Thorium Reader privacy policy and terms of use===&lt;br /&gt;
====Privacy policy (2022-11-22 version)====&lt;br /&gt;
Despite Thorium&#039;s homepage stating that:&amp;lt;blockquote&amp;gt;This application is free, with no ads and no private data leaks.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;thorium-home&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://www.edrlab.org/software/thorium-reader/ |url-status=live |website=edrlab.org |archive-url=https://web.archive.org/web/20260619033750/https://www.edrlab.org/software/thorium-reader/ |archive-date=2026-06-19 |access-date=2026-06-24}}&amp;lt;/ref&amp;gt;There is data collection, but it is stated that it is &amp;quot;non-personal.&amp;quot; The application calling itself private might give some users the wrong impression, if they take that to mean &amp;quot;no phoning home.&amp;quot; The reader sends this &amp;quot;non-personal&amp;quot; data to EDRLab&#039;s servers. &lt;br /&gt;
&lt;br /&gt;
It is impossible to opt out of &amp;quot;notifications&amp;quot; that are sent to a server every time the application is started. They state that this information &amp;lt;blockquote&amp;gt;is for analytics only and not accessed by any third party. It is used to get information about the evolution of the number of installs of the application per operating system, the evolution of usage sessions and the main locales in use.&amp;lt;/blockquote&amp;gt;And:&amp;lt;blockquote&amp;gt;Parameters of such notification are:&lt;br /&gt;
&lt;br /&gt;
*a timestamp,&lt;br /&gt;
*the version of Thorium Reader,&lt;br /&gt;
*the operating system of the device and its version,&lt;br /&gt;
*the locale of the application at the time it is started,&lt;br /&gt;
*if this is the first start of Thorium Reader after a fresh install.&lt;br /&gt;
&lt;br /&gt;
The IP address of the device is not stored along with the above information.&lt;br /&gt;
&lt;br /&gt;
It is not possible to opt-out from this notification.&amp;lt;/blockquote&amp;gt;Also:&amp;lt;blockquote&amp;gt;a notification is sent to an LCP Server each time a protected publication is open. This is required by the LCP specification for checking if the license of use of the publication has been updated. There is not centralized LCP Server, each server is operated by the distributor of the protected publication acquired by the user.&lt;br /&gt;
&lt;br /&gt;
Parameters of such notification are:&lt;br /&gt;
&lt;br /&gt;
*a device identifier, automatically generated at the install of the application.&lt;br /&gt;
*a device name, automatically generated at the install of the application.&lt;br /&gt;
&lt;br /&gt;
The codebase of Thorium Reader is open-sourced and can therefore be fully inspected, with the exception of a small software library used as core for the Readium LCP DRM, which does not store or send any data.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
The terms of privacy policy can also evidently be changed without users being notified in their actual reading application, but rather: &amp;lt;blockquote&amp;gt;We may change the Privacy Policy from time to time. We will notify you by posting the revised Privacy Policy on this page and the date on which the last changes were made will be noted at the top of the page.&amp;lt;/blockquote&amp;gt;So users would have to periodically check this site to know whether any terms have changed.&lt;br /&gt;
&lt;br /&gt;
====Terms of service (2022-11-22 version)====&lt;br /&gt;
Moving on to the Terms of service, there are several interesting things. First:&amp;lt;blockquote&amp;gt;You hereby agree to indemnify and hold harmless the EDRLab Parties from and against any and all claims, actions or proceedings of any nature whatsoever and all damages, judgments, losses, liabilities, costs and expenses, including reasonable attorneys’ fees and expenses (including those incurred to enforce this provision), arising out of your use of the Application, the Content, any actual or alleged breach by you of these Terms of Use, or any violation by you of any applicable law or the rights of any other person or entity.&amp;lt;/blockquote&amp;gt;Especially:&amp;lt;blockquote&amp;gt;any actual or alleged breach by you of these Terms of Use&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
As per this, one is agreeing to &amp;quot;indemnify and hold harmless the EDRLab Parties&amp;quot; even for alleged breaches of the terms of service.&lt;br /&gt;
&lt;br /&gt;
In one of the quotes above, it is mentioned that due to Thorium&#039;s open source nature, one can inspect its source code apart from a &amp;quot;small software library used as core for the Readium LCP DRM, which does not store or send any data&amp;quot; Which, one cannot verify that part, since:&amp;lt;blockquote&amp;gt;In addition, you may not rent, sell, modify, decompile, disassemble, reverse engineer or transfer the Application in whole or in part. You may not use any device, software or routine to interfere with or attempt to interfere with the proper functioning of the Application in whole or in part.&amp;lt;/blockquote&amp;gt;So it would appear that it is up to individual users to decide if not being able to verify that part is acceptable to them. Finally, there is also this:&amp;lt;blockquote&amp;gt; However, you acknowledge that the EDRLab Parties have the right to monitor the use of the Application, at its sole discretion, and to disclose any information necessary to comply with any law, regulation or government request, in order to be able to operate the Application adequately or in order to protect itself or its users under the “Privacy Policy”&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;tos&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader – Terms of Use |date=2022-11-22 |url=https://www.edrlab.org/software/thorium-reader/terms-of-use/ |website=edrlab.org |url-status=live |archive-url=https://web.archive.org/web/20260617083801/https://www.edrlab.org/software/thorium-reader/terms-of-use/ |archive-date=2026-06-17 |access-date=2026-06-24}}&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;privacy-policy&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader – Privacy Policy |date=2022-11-22 |url=https://www.edrlab.org/software/thorium-reader/privacy-policy/ |website=edrlab.org |archive-url=https://web.archive.org/web/20260617083801/https://www.edrlab.org/software/thorium-reader/privacy-policy/ |url-status=live |archive-date=2026-06-17 |access-date=2026-06-24}}&amp;lt;/ref&amp;gt; The above summarizes and discusses Thorium&#039;s Privacy policy and Terms of service. Readers are encouraged to consult both the Privacy policy and the Terms of service for themselves and form their own conclusions.&lt;br /&gt;
=====Forced arbitration (2026-04-08 ToS version)=====&lt;br /&gt;
In the updated Terms of service (see [[EDRLab#External links|External links]]), from 2026-04-08, there is a Forced arbitration clause.&amp;lt;blockquote&amp;gt;To the fullest extent permitted by applicable law, any dispute, claim or controversy between you and EDRLab that relates in any way to or arises from your use of the Application or these Terms of Use (a “Dispute”) shall be resolved on an individual basis and, except as provided below, exclusively through binding arbitration. A Dispute will be submitted to arbitration, whether it is based on contract, statute, regulation, court order, tort or any other legal or equitable theory. You understand that in arbitration, there is no judge or jury and that judicial review of an arbitral award is limited. Unless otherwise required by mandatory law, the arbitration shall be administered by a recognised arbitration institution (for example, the ICC in Paris, or, for consumers in the United States, the American Arbitration Association) under its applicable rules for consumer or commercial disputes, as modified by this clause. The arbitration shall be conducted by a single arbitrator, in French or English, and, unless the arbitrator decides that an in‑person hearing is necessary, may be held by videoconference. The arbitrator shall apply the applicable governing law set out below and may award any remedies available at law or in equity. The arbitrator’s award shall be final and binding and may be entered in any court of competent jurisdiction.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
And:&amp;lt;blockquote&amp;gt;You agree that any arbitration or court proceeding will be conducted only on an individual basis, not as a class, collective, or representative action. To the fullest extent permitted by applicable law, you and EDRLab each waive any right to a jury trial in any court proceedings. Notwithstanding the foregoing, either you or EDRLab may: (a) bring an individual action in a court of competent jurisdiction for claims that fall within the jurisdiction of a small‑claims or equivalent court, or (b) seek provisional or injunctive relief in a court of competent jurisdiction to protect intellectual property rights or prevent unauthorised access to or use of the Application. You and we agree to submit to the exclusive jurisdiction of Paris, France. Unless prohibited by applicable law, and without regard to its conflict of laws principles, you and we agree that any Dispute between you and us will be governed by and construed in accordance with the laws of France. ​In all cases, nothing in these Terms of Use is intended to waive any sovereign immunity, governmental immunity or other mandatory legal protection that cannot be contractually waived under applicable law.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
You also agree to first contact EDRLab before initiating any proceedings:&amp;lt;blockquote&amp;gt;If you have any concern or dispute regarding the Application or these Terms of Use, you agree first to contact EDRLab at contact@edrlab.org and to make a good‑faith effort to resolve the dispute informally for at least thirty (30) days before initiating arbitration or court proceedings.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;tos2&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===User not clearly presented with terms===&lt;br /&gt;
During the installation process, the user is not clearly presented with the Terms of use or the Privacy policy. There is no option to agree or disagree to the terms and the privacy policy, nor are they directly linked in the app (see: [[EDRLab#Installation|Installation]] and [[EDRLab#Post-installation|Post-installation]]). While it is not possible to opt out, the user doesn&#039;t know that during installation, unless they&#039;d scrolled on Thorium&#039;s webpage to find the Terms of use and the Privacy policy, or unless they&#039;d found them wherever they&#039;re installing the app from (e.g. [[Microsoft|Microsoft]] Store). See [[EDRLab#External links|External links]] for installation videos of Thorium.&amp;lt;ref name=&amp;quot;install-thorium-win&amp;quot;&amp;gt;{{Cite web |date=2026-02-24 |title=installer_thorium_pc |author=Stine Kjær Kappel |language=da |url=https://edumedia.dk/media/t/0_dadiw6fi/480184 |url-status=live |website=edumedia.dk |archive-url=https://ghostarchive.org/archive/3IlBv |archive-date=2026-06-25}}&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;install-thorium-mac&amp;quot;&amp;gt;{{Cite web |date=2026-02-24 |title=installer_thorium_mac |author=Stine Kjær Kappel |language=da |url=https://edumedia.dk/media/t/0_1j7nppt4 |url-status=live |website=edumedia.dk |archive-url=https://ghostarchive.org/archive/ILix8 |archive-date=2026-06-25}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
====Installation====&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:Thorium-website.webp|alt=Installation step: 1 (installation page)|right|Installation step: 1 (installation page)&lt;br /&gt;
File:F1.webp|alt=Installation step: 1 (alternative on Windows: Microsoft Store)|right|Installation step: 1 (alternative on Windows: Microsoft Store)&lt;br /&gt;
File:F2.webp|alt=Installation step: 2 (Thorium being installed)|right|Installation step: 2 (Thorium being installed)&lt;br /&gt;
File:F3.webp|alt=Installation step: 3 (Thorium&#039;s welcome page upon first launch)|right|Installation step: 3 (Thorium&#039;s welcome page upon first launch)&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
No direct presentation of the Terms of use or the Privacy policy during installation (example on Windows).&lt;br /&gt;
=====Step 0=====&lt;br /&gt;
The Terms of use and the Privacy policy can be located on the homepage by scrolling down to the &amp;quot;Terms of Use, Privacy Policy&amp;quot; section.&amp;lt;ref name=&amp;quot;thorium-home&amp;quot; /&amp;gt;&lt;br /&gt;
=====Step 1=====&lt;br /&gt;
On the installation page (step 1), the user would have to click on &amp;quot;Support&amp;quot; on the top right (or &amp;quot;Minimum system requirement&amp;quot; in the center-left) and then locate the &amp;quot;About Thorium Reader&amp;quot; section on the bottom left. This is not the same page as the &amp;quot;About&amp;quot; located next to &amp;quot;Support.&amp;quot;&amp;lt;ref name=&amp;quot;homepage&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://thorium.edrlab.org/en/ |url-status=live |website=thorium.edrlab.org |archive-url=https://ghostarchive.org/archive/BI26o |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Thorium 3 support |url=https://thorium.edrlab.org/en/th3/ |url-status=live |website=thorium.edrlab.org |archive-url=https://ghostarchive.org/archive/eHOlo |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
======Microsoft Store======&lt;br /&gt;
On the Microsoft Store (alternative step 1 for Windows), the &amp;quot;Additional information&amp;quot; section contains links to the Privacy policy and the &amp;quot;Terms of transaction.&amp;quot; The former leads to EDRLab&#039;s &amp;quot;Legal Information&amp;quot; page, not the actual privacy policy on the site that the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; opens (it is also in French, even with the computer&#039;s language set to English)&amp;lt;ref&amp;gt;{{Cite web |title=Legal Information |url=https://www.edrlab.org/legal-information/ |url-status=live |website=edrlab.org |language=fr |archive-url=https://ghostarchive.org/archive/NvQtI |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
The latter link leads to a &amp;quot;Microsoft Store Terms of Sale&amp;quot; (not the same thing as the app&#039;s Terms of use). There is also a website link, but it opens a different website&amp;lt;ref name=&amp;quot;altsite&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://www.thoriumreader.com/en/ |url-status=live |website=thoriumreader.com |archive-url=https://ghostarchive.org/archive/ZjTqS |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; than the one Thorium Reader opens when clicking &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; (see [[EDRLab#External links|External links]]).&amp;lt;ref&amp;gt;{{Cite web |title=Thorium Reader |url=https://apps.microsoft.com/detail/9nfzp1g7m2sc?hl=en-US |website=apps.microsoft.com |url-status=live |archive-url=https://ghostarchive.org/archive/ukmly |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; That site site has a &amp;quot;Legal Notices&amp;quot; (not to be confused with the aforementioned &amp;quot;Legal Information&amp;quot; page) link, through which users can locate the Terms of service and the Privacy policy.&amp;lt;ref name=&amp;quot;altsite&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;conformance&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader Conformance Reports |url=https://conformance.thoriumreader.com/ |url-status=live |website=conformance.thoriumreader.com |archive-url=https://ghostarchive.org/archive/Y4JlV |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=====Steps 2 &amp;amp; 3=====&lt;br /&gt;
The installer does not have a link to the Privacy policy or the Terms of service, but after installation (after getting past the welcome screen in image 3), one can use the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; link to go to the app&#039;s website and locate the documents (see [[EDRLab#Step 0|Step 0]]).&amp;lt;ref name=&amp;quot;thorium-home /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====Post-installation====&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:S1.webp|alt=(I) Welcome dialog post installation|right|(I) Welcome dialog post installation&lt;br /&gt;
File:S2.webp|alt=(II) &amp;quot;Resources &amp;amp; Community&amp;quot; section of the dialog |right|(II) &amp;quot;Resources &amp;amp; Community&amp;quot; section of the dialog&lt;br /&gt;
File:S0.webp|alt=(III)&amp;quot;Home&amp;quot; tab|right|(III) &amp;quot;Home&amp;quot; tab&lt;br /&gt;
File:S3.webp|alt=(IV) Settings -- general -- part 1|right|(IV) Settings -- general (part 1)&lt;br /&gt;
File:S4.webp|alt=(V) Settings -- general -- part 2|right|(V) Settings -- general (part 2)&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
No direct presentation of the Terms of use or the Privacy policy. The dialog in images (I) and (II) only contains information about the app&#039;s version and links, one of which is the website.&amp;lt;ref name=&amp;quot;altsite&amp;quot; /&amp;gt; This webpage includes a &amp;quot;Legal Notices&amp;quot; link, through which users can find the relevant documentation. &lt;br /&gt;
&lt;br /&gt;
Image (III) contains depicts the app&#039;s &amp;quot;Home&amp;quot; tab. The user would have to click the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; link (visible on the bottom right of the images), which would open the app&#039;s website in the browser. This, however, is not the same website as the one that the link from image (II) leads to.&amp;lt;ref name=&amp;quot;homepage&amp;quot; /&amp;gt; In fact, via the former (through &amp;quot;Legal Notices&amp;quot;),&amp;lt;ref name=&amp;quot;conformance&amp;quot; /&amp;gt; users can access a more recent version of the Terms of use (the version from 2026-04-08 as of 2026-06-27);&amp;lt;ref name=&amp;quot;tos2&amp;quot;&amp;gt;{{Cite web |title=Conformance Reports - Terms of use |date=2022-04-08 |url=https://conformance.thoriumreader.com/documents/desktop3/terms-of-use/ |url-status=live |website=conformance.thoriumreader.com |archive-url=https://ghostarchive.org/archive/bRGDV |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; whereas via the latter, users can access (by scrolling down to the &amp;quot;Terms of Use, Privacy Policy&amp;quot; section, where they&#039;d find the link) Terms of service (as of 2026-06-27) from 2022-11-22.&amp;lt;ref name=&amp;quot;tos&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Image (IV) and (V) depict the settings tab, where any links can&#039;t be found either. This is also seen in the installation videos in [[EDRLab#External links|External links]].&amp;lt;ref name=&amp;quot;install-thorium-win&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;install-thorium-mac&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Products==&lt;br /&gt;
*Thorium Reader&lt;br /&gt;
*Readium LCP (main contributor)&lt;br /&gt;
*Lis mon Livre&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[[Digital rights management]]&lt;br /&gt;
*[[Forced arbitration]]&lt;br /&gt;
*[[Readium]]&lt;br /&gt;
*[[Adobe Digital Editions&#039; ebook DRM]]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
&lt;br /&gt;
==External links==&lt;br /&gt;
===Installation videos===&lt;br /&gt;
*[https://edumedia.dk/media/t/0_dadiw6fi/480184 Thorium PC installation video]&lt;br /&gt;
*[https://edumedia.dk/media/t/0_1j7nppt4 Thorium Mac installation video]&lt;br /&gt;
===ToS===&lt;br /&gt;
*[https://conformance.thoriumreader.com/documents/desktop3/terms-of-use/ 2026 ToS] ([https://ghostarchive.org/archive/bRGDV archived])&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/terms-of-use/ 2022 ToS] ([https://ghostarchive.org/archive/O61SS archived])&lt;br /&gt;
===Privacy Policy===&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/privacy-policy/ Privacy policy] ([https://ghostarchive.org/archive/cemKI archived]); [https://conformance.thoriumreader.com/documents/desktop3/privacy-policy/ Same policy but on &amp;quot;conformance.thoriumreader.com&amp;quot;] ([https://ghostarchive.org/archive/ye7GZ archived])&lt;br /&gt;
===Websites===&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/ edrlab.org/software/thorium-reader/] ([https://ghostarchive.org/archive/mqQkB archived])&lt;br /&gt;
*[https://www.thoriumreader.com/en/ thoriumreader.com] ([https://ghostarchive.org/archive/ZjTqS archived])&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=EDRLab&amp;diff=59158</id>
		<title>EDRLab</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=EDRLab&amp;diff=59158"/>
		<updated>2026-06-27T14:16:49Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: /* Consumer-impact summary */ changed dates to iso format&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{CompanyCargo&lt;br /&gt;
|Founded=2015-07-17&lt;br /&gt;
|Industry=Software&lt;br /&gt;
|Logo=Edrlab.png&lt;br /&gt;
|Type=Non-profit&lt;br /&gt;
|CompanyAlias=European Digital Reading Lab&lt;br /&gt;
|Website=https://www.edrlab.org, https://www.thoriumreader.com&lt;br /&gt;
}}&lt;br /&gt;
EDRLab is a &amp;quot;non-profit development laboratory working on the deployment of an open, interoperable and accessible digital publishing ecosystem worldwide.&amp;quot; It has over 100 members, but some of its founding members are: [[wikipedia:Editis|Editis]], [[wikipedia:Hachette Livre|Hachette]], [[wikipedia:Centre national du livre|Centre National du livre]], [[wikipedia:Groupe Madrigall|Groupe Madrigall]] and the French State. EDRLab is a member of [[wikipedia:World Wide Web Consortium|W3C]] and [[Readium|Readium Foundation]]. It is one of the main contributors to Readium toolkits and the manager of Readium LCP [[Digital rights management|DRM]]. They are also the creators of Thorium Reader, an EPUB reading application.&amp;lt;ref&amp;gt;{{Cite web |title=About |url=https://www.edrlab.org/about/ |url-status=live |website=edrlab.org |archive-url=https://web.archive.org/web/20260502070949/https://www.edrlab.org/about/ |archive-date=2026-05-02 |access-date=2026-06-24}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=EDRLab members directory |url=https://members.edrlab.org |url-status=live |archive-url=https://web.archive.org/web/20260303083006/https://members.edrlab.org/ |archive-date=2026-03-03 |access-date=2026-06-24}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |language=fr |title=SITUATION AU REPERTOIRE SIRENE |date=2026-06-24 |url=https://api-avis-situation-sirene.insee.fr/identification/pdf/81344547500029 |url-status=live |website=insee.fr |archive-url=https://web.archive.org/web/20260624170714/https://api-avis-situation-sirene.insee.fr/identification/pdf/81344547500029 |archive-date=2026-06-24}}&amp;lt;/ref&amp;gt; They also focus on accessibility in order to increase the number of books available to people with disabilities.&amp;lt;ref&amp;gt;{{Cite web |title=Accessibility |url=https://www.edrlab.org/accessibility/ |url-status=live |website=edrlab.org |archive-url=https://ghostarchive.org/archive/EMoqh |archive-date=2026-06-25}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
==Consumer-impact summary==&lt;br /&gt;
EDRLab is one of the main contributors to [[Readium]] LCP DRM. Their EPUB reader application, Thorium Reader, which uses &amp;lt;abbr title=&amp;quot;Licensed Content Protection&amp;quot;&amp;gt;LCP&amp;lt;/abbr&amp;gt;, claims to be private, yet it has &amp;quot;non-personal&amp;quot; data collection that the user cannot opt out of. It also contacts EDRLab&#039;s servers every time the application is started. &lt;br /&gt;
&lt;br /&gt;
This is not apparent, since Thorium&#039;s installer doesn&#039;t inform the user of this, there are no &amp;quot;agree/disagree&amp;quot; options and Thorium&#039;s interface does not directly link to either the [[Terms of service]] (ToS) or the Privacy policy (see: [[EDRLab#User not clearly presented with terms|User not clearly presented with terms]]. Users also wouldn&#039;t be notified if the Privacy policy were to change, since that would require them to manually check the Privacy policy page for updates. &lt;br /&gt;
&lt;br /&gt;
The Terms of service also mentions that the user agrees to &amp;quot;indemnify and hold harmless the EDRLab Parties&amp;quot; even for &amp;quot;alleged&amp;quot; breaches by the user of the ToS. It is also stated that &amp;quot;EDRLab Parties have the right to monitor the use of the Application.&amp;quot; The 2026 ToS also contains a [[Forced arbitration]] clause (see: [[EDRLab#Forced arbitration (2026-04-08 ToS version)|Forced arbitration (2026-04-08 ToS version)]]).&lt;br /&gt;
&lt;br /&gt;
The application is also deceptively marketed as open source as it is stated in the privacy policy that it is in fact not entirely open source, but rather has a &amp;quot;small software library used as core for the Readium LCP DRM, which does not store or send any data.&amp;quot; This requires users to trust the company on their word, since users cannot inspect the application, as they may not &amp;quot;rent, sell, modify, decompile, disassemble, reverse engineer or transfer the Application in whole or in part&amp;quot;, according to the Terms of service. Furthermore, this connects directly to the 2nd paragraph. The Terms of service as well as the Privacy policy are discussed in more detail in the &amp;quot;Incidents&amp;quot; section (see: [[EDRLab#Thorium Reader privacy policy and terms of use|Thorium Reader privacy policy and terms of use]]).&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
===Thorium Reader privacy policy and terms of use===&lt;br /&gt;
====Privacy policy (22 Nov 2022 version)====&lt;br /&gt;
Despite Thorium&#039;s homepage stating that:&amp;lt;blockquote&amp;gt;This application is free, with no ads and no private data leaks.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;thorium-home&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://www.edrlab.org/software/thorium-reader/ |url-status=live |website=edrlab.org |archive-url=https://web.archive.org/web/20260619033750/https://www.edrlab.org/software/thorium-reader/ |archive-date=2026-06-19 |access-date=2026-06-24}}&amp;lt;/ref&amp;gt;There is data collection, but it is stated that it is &amp;quot;non-personal.&amp;quot; The application calling itself private might give some users the wrong impression, if they take that to mean &amp;quot;no phoning home.&amp;quot; The reader sends this &amp;quot;non-personal&amp;quot; data to EDRLab&#039;s servers. &lt;br /&gt;
&lt;br /&gt;
It is impossible to opt out of &amp;quot;notifications&amp;quot; that are sent to a server every time the application is started. They state that this information &amp;lt;blockquote&amp;gt;is for analytics only and not accessed by any third party. It is used to get information about the evolution of the number of installs of the application per operating system, the evolution of usage sessions and the main locales in use.&amp;lt;/blockquote&amp;gt;And:&amp;lt;blockquote&amp;gt;Parameters of such notification are:&lt;br /&gt;
&lt;br /&gt;
*a timestamp,&lt;br /&gt;
*the version of Thorium Reader,&lt;br /&gt;
*the operating system of the device and its version,&lt;br /&gt;
*the locale of the application at the time it is started,&lt;br /&gt;
*if this is the first start of Thorium Reader after a fresh install.&lt;br /&gt;
&lt;br /&gt;
The IP address of the device is not stored along with the above information.&lt;br /&gt;
&lt;br /&gt;
It is not possible to opt-out from this notification.&amp;lt;/blockquote&amp;gt;Also:&amp;lt;blockquote&amp;gt;a notification is sent to an LCP Server each time a protected publication is open. This is required by the LCP specification for checking if the license of use of the publication has been updated. There is not centralized LCP Server, each server is operated by the distributor of the protected publication acquired by the user.&lt;br /&gt;
&lt;br /&gt;
Parameters of such notification are:&lt;br /&gt;
&lt;br /&gt;
*a device identifier, automatically generated at the install of the application.&lt;br /&gt;
*a device name, automatically generated at the install of the application.&lt;br /&gt;
&lt;br /&gt;
The codebase of Thorium Reader is open-sourced and can therefore be fully inspected, with the exception of a small software library used as core for the Readium LCP DRM, which does not store or send any data.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
The terms of privacy policy can also evidently be changed without users being notified in their actual reading application, but rather: &amp;lt;blockquote&amp;gt;We may change the Privacy Policy from time to time. We will notify you by posting the revised Privacy Policy on this page and the date on which the last changes were made will be noted at the top of the page.&amp;lt;/blockquote&amp;gt;So users would have to periodically check this site to know whether any terms have changed.&lt;br /&gt;
&lt;br /&gt;
====Terms of service (2022-11-22 version)====&lt;br /&gt;
Moving on to the Terms of service, there are several interesting things. First:&amp;lt;blockquote&amp;gt;You hereby agree to indemnify and hold harmless the EDRLab Parties from and against any and all claims, actions or proceedings of any nature whatsoever and all damages, judgments, losses, liabilities, costs and expenses, including reasonable attorneys’ fees and expenses (including those incurred to enforce this provision), arising out of your use of the Application, the Content, any actual or alleged breach by you of these Terms of Use, or any violation by you of any applicable law or the rights of any other person or entity.&amp;lt;/blockquote&amp;gt;Especially:&amp;lt;blockquote&amp;gt;any actual or alleged breach by you of these Terms of Use&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
As per this, one is agreeing to &amp;quot;indemnify and hold harmless the EDRLab Parties&amp;quot; even for alleged breaches of the terms of service.&lt;br /&gt;
&lt;br /&gt;
In one of the quotes above, it is mentioned that due to Thorium&#039;s open source nature, one can inspect its source code apart from a &amp;quot;small software library used as core for the Readium LCP DRM, which does not store or send any data&amp;quot; Which, one cannot verify that part, since:&amp;lt;blockquote&amp;gt;In addition, you may not rent, sell, modify, decompile, disassemble, reverse engineer or transfer the Application in whole or in part. You may not use any device, software or routine to interfere with or attempt to interfere with the proper functioning of the Application in whole or in part.&amp;lt;/blockquote&amp;gt;So it would appear that it is up to individual users to decide if not being able to verify that part is acceptable to them. Finally, there is also this:&amp;lt;blockquote&amp;gt; However, you acknowledge that the EDRLab Parties have the right to monitor the use of the Application, at its sole discretion, and to disclose any information necessary to comply with any law, regulation or government request, in order to be able to operate the Application adequately or in order to protect itself or its users under the “Privacy Policy”&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;tos&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader – Terms of Use |date=2022-11-22 |url=https://www.edrlab.org/software/thorium-reader/terms-of-use/ |website=edrlab.org |url-status=live |archive-url=https://web.archive.org/web/20260617083801/https://www.edrlab.org/software/thorium-reader/terms-of-use/ |archive-date=2026-06-17 |access-date=2026-06-24}}&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;privacy-policy&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader – Privacy Policy |date=2022-11-22 |url=https://www.edrlab.org/software/thorium-reader/privacy-policy/ |website=edrlab.org |archive-url=https://web.archive.org/web/20260617083801/https://www.edrlab.org/software/thorium-reader/privacy-policy/ |url-status=live |archive-date=2026-06-17 |access-date=2026-06-24}}&amp;lt;/ref&amp;gt; The above summarizes and discusses Thorium&#039;s Privacy policy and Terms of service. Readers are encouraged to consult both the Privacy policy and the Terms of service for themselves and form their own conclusions.&lt;br /&gt;
=====Forced arbitration (2026-04-08 ToS version)=====&lt;br /&gt;
In the updated Terms of service (see [[EDRLab#External links|External links]]), from 2026-04-08, there is a Forced arbitration clause.&amp;lt;blockquote&amp;gt;To the fullest extent permitted by applicable law, any dispute, claim or controversy between you and EDRLab that relates in any way to or arises from your use of the Application or these Terms of Use (a “Dispute”) shall be resolved on an individual basis and, except as provided below, exclusively through binding arbitration. A Dispute will be submitted to arbitration, whether it is based on contract, statute, regulation, court order, tort or any other legal or equitable theory. You understand that in arbitration, there is no judge or jury and that judicial review of an arbitral award is limited. Unless otherwise required by mandatory law, the arbitration shall be administered by a recognised arbitration institution (for example, the ICC in Paris, or, for consumers in the United States, the American Arbitration Association) under its applicable rules for consumer or commercial disputes, as modified by this clause. The arbitration shall be conducted by a single arbitrator, in French or English, and, unless the arbitrator decides that an in‑person hearing is necessary, may be held by videoconference. The arbitrator shall apply the applicable governing law set out below and may award any remedies available at law or in equity. The arbitrator’s award shall be final and binding and may be entered in any court of competent jurisdiction.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
And:&amp;lt;blockquote&amp;gt;You agree that any arbitration or court proceeding will be conducted only on an individual basis, not as a class, collective, or representative action. To the fullest extent permitted by applicable law, you and EDRLab each waive any right to a jury trial in any court proceedings. Notwithstanding the foregoing, either you or EDRLab may: (a) bring an individual action in a court of competent jurisdiction for claims that fall within the jurisdiction of a small‑claims or equivalent court, or (b) seek provisional or injunctive relief in a court of competent jurisdiction to protect intellectual property rights or prevent unauthorised access to or use of the Application. You and we agree to submit to the exclusive jurisdiction of Paris, France. Unless prohibited by applicable law, and without regard to its conflict of laws principles, you and we agree that any Dispute between you and us will be governed by and construed in accordance with the laws of France. ​In all cases, nothing in these Terms of Use is intended to waive any sovereign immunity, governmental immunity or other mandatory legal protection that cannot be contractually waived under applicable law.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
You also agree to first contact EDRLab before initiating any proceedings:&amp;lt;blockquote&amp;gt;If you have any concern or dispute regarding the Application or these Terms of Use, you agree first to contact EDRLab at contact@edrlab.org and to make a good‑faith effort to resolve the dispute informally for at least thirty (30) days before initiating arbitration or court proceedings.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;tos2&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===User not clearly presented with terms===&lt;br /&gt;
During the installation process, the user is not clearly presented with the Terms of use or the Privacy policy. There is no option to agree or disagree to the terms and the privacy policy, nor are they directly linked in the app (see: [[EDRLab#Installation|Installation]] and [[EDRLab#Post-installation|Post-installation]]). While it is not possible to opt out, the user doesn&#039;t know that during installation, unless they&#039;d scrolled on Thorium&#039;s webpage to find the Terms of use and the Privacy policy, or unless they&#039;d found them wherever they&#039;re installing the app from (e.g. [[Microsoft|Microsoft]] Store). See [[EDRLab#External links|External links]] for installation videos of Thorium.&amp;lt;ref name=&amp;quot;install-thorium-win&amp;quot;&amp;gt;{{Cite web |date=2026-02-24 |title=installer_thorium_pc |author=Stine Kjær Kappel |language=da |url=https://edumedia.dk/media/t/0_dadiw6fi/480184 |url-status=live |website=edumedia.dk |archive-url=https://ghostarchive.org/archive/3IlBv |archive-date=2026-06-25}}&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;install-thorium-mac&amp;quot;&amp;gt;{{Cite web |date=2026-02-24 |title=installer_thorium_mac |author=Stine Kjær Kappel |language=da |url=https://edumedia.dk/media/t/0_1j7nppt4 |url-status=live |website=edumedia.dk |archive-url=https://ghostarchive.org/archive/ILix8 |archive-date=2026-06-25}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
====Installation====&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:Thorium-website.webp|alt=Installation step: 1 (installation page)|right|Installation step: 1 (installation page)&lt;br /&gt;
File:F1.webp|alt=Installation step: 1 (alternative on Windows: Microsoft Store)|right|Installation step: 1 (alternative on Windows: Microsoft Store)&lt;br /&gt;
File:F2.webp|alt=Installation step: 2 (Thorium being installed)|right|Installation step: 2 (Thorium being installed)&lt;br /&gt;
File:F3.webp|alt=Installation step: 3 (Thorium&#039;s welcome page upon first launch)|right|Installation step: 3 (Thorium&#039;s welcome page upon first launch)&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
No direct presentation of the Terms of use or the Privacy policy during installation (example on Windows).&lt;br /&gt;
=====Step 0=====&lt;br /&gt;
The Terms of use and the Privacy policy can be located on the homepage by scrolling down to the &amp;quot;Terms of Use, Privacy Policy&amp;quot; section.&amp;lt;ref name=&amp;quot;thorium-home&amp;quot; /&amp;gt;&lt;br /&gt;
=====Step 1=====&lt;br /&gt;
On the installation page (step 1), the user would have to click on &amp;quot;Support&amp;quot; on the top right (or &amp;quot;Minimum system requirement&amp;quot; in the center-left) and then locate the &amp;quot;About Thorium Reader&amp;quot; section on the bottom left. This is not the same page as the &amp;quot;About&amp;quot; located next to &amp;quot;Support.&amp;quot;&amp;lt;ref name=&amp;quot;homepage&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://thorium.edrlab.org/en/ |url-status=live |website=thorium.edrlab.org |archive-url=https://ghostarchive.org/archive/BI26o |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Thorium 3 support |url=https://thorium.edrlab.org/en/th3/ |url-status=live |website=thorium.edrlab.org |archive-url=https://ghostarchive.org/archive/eHOlo |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
======Microsoft Store======&lt;br /&gt;
On the Microsoft Store (alternative step 1 for Windows), the &amp;quot;Additional information&amp;quot; section contains links to the Privacy policy and the &amp;quot;Terms of transaction.&amp;quot; The former leads to EDRLab&#039;s &amp;quot;Legal Information&amp;quot; page, not the actual privacy policy on the site that the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; opens (it is also in French, even with the computer&#039;s language set to English)&amp;lt;ref&amp;gt;{{Cite web |title=Legal Information |url=https://www.edrlab.org/legal-information/ |url-status=live |website=edrlab.org |language=fr |archive-url=https://ghostarchive.org/archive/NvQtI |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
The latter link leads to a &amp;quot;Microsoft Store Terms of Sale&amp;quot; (not the same thing as the app&#039;s Terms of use). There is also a website link, but it opens a different website&amp;lt;ref name=&amp;quot;altsite&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://www.thoriumreader.com/en/ |url-status=live |website=thoriumreader.com |archive-url=https://ghostarchive.org/archive/ZjTqS |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; than the one Thorium Reader opens when clicking &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; (see [[EDRLab#External links|External links]]).&amp;lt;ref&amp;gt;{{Cite web |title=Thorium Reader |url=https://apps.microsoft.com/detail/9nfzp1g7m2sc?hl=en-US |website=apps.microsoft.com |url-status=live |archive-url=https://ghostarchive.org/archive/ukmly |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; That site site has a &amp;quot;Legal Notices&amp;quot; (not to be confused with the aforementioned &amp;quot;Legal Information&amp;quot; page) link, through which users can locate the Terms of service and the Privacy policy.&amp;lt;ref name=&amp;quot;altsite&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;conformance&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader Conformance Reports |url=https://conformance.thoriumreader.com/ |url-status=live |website=conformance.thoriumreader.com |archive-url=https://ghostarchive.org/archive/Y4JlV |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=====Steps 2 &amp;amp; 3=====&lt;br /&gt;
The installer does not have a link to the Privacy policy or the Terms of service, but after installation (after getting past the welcome screen in image 3), one can use the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; link to go to the app&#039;s website and locate the documents (see [[EDRLab#Step 0|Step 0]]).&amp;lt;ref name=&amp;quot;thorium-home /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====Post-installation====&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:S1.webp|alt=(I) Welcome dialog post installation|right|(I) Welcome dialog post installation&lt;br /&gt;
File:S2.webp|alt=(II) &amp;quot;Resources &amp;amp; Community&amp;quot; section of the dialog |right|(II) &amp;quot;Resources &amp;amp; Community&amp;quot; section of the dialog&lt;br /&gt;
File:S0.webp|alt=(III)&amp;quot;Home&amp;quot; tab|right|(III) &amp;quot;Home&amp;quot; tab&lt;br /&gt;
File:S3.webp|alt=(IV) Settings -- general -- part 1|right|(IV) Settings -- general (part 1)&lt;br /&gt;
File:S4.webp|alt=(V) Settings -- general -- part 2|right|(V) Settings -- general (part 2)&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
No direct presentation of the Terms of use or the Privacy policy. The dialog in images (I) and (II) only contains information about the app&#039;s version and links, one of which is the website.&amp;lt;ref name=&amp;quot;altsite&amp;quot; /&amp;gt; This webpage includes a &amp;quot;Legal Notices&amp;quot; link, through which users can find the relevant documentation. &lt;br /&gt;
&lt;br /&gt;
Image (III) contains depicts the app&#039;s &amp;quot;Home&amp;quot; tab. The user would have to click the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; link (visible on the bottom right of the images), which would open the app&#039;s website in the browser. This, however, is not the same website as the one that the link from image (II) leads to.&amp;lt;ref name=&amp;quot;homepage&amp;quot; /&amp;gt; In fact, via the former (through &amp;quot;Legal Notices&amp;quot;),&amp;lt;ref name=&amp;quot;conformance&amp;quot; /&amp;gt; users can access a more recent version of the Terms of use (the version from 2026-04-08 as of 2026-06-27);&amp;lt;ref name=&amp;quot;tos2&amp;quot;&amp;gt;{{Cite web |title=Conformance Reports - Terms of use |date=2022-04-08 |url=https://conformance.thoriumreader.com/documents/desktop3/terms-of-use/ |url-status=live |website=conformance.thoriumreader.com |archive-url=https://ghostarchive.org/archive/bRGDV |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; whereas via the latter, users can access (by scrolling down to the &amp;quot;Terms of Use, Privacy Policy&amp;quot; section, where they&#039;d find the link) Terms of service (as of 2026-06-27) from 2022-11-22.&amp;lt;ref name=&amp;quot;tos&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Image (IV) and (V) depict the settings tab, where any links can&#039;t be found either. This is also seen in the installation videos in [[EDRLab#External links|External links]].&amp;lt;ref name=&amp;quot;install-thorium-win&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;install-thorium-mac&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Products==&lt;br /&gt;
*Thorium Reader&lt;br /&gt;
*Readium LCP (main contributor)&lt;br /&gt;
*Lis mon Livre&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[[Digital rights management]]&lt;br /&gt;
*[[Forced arbitration]]&lt;br /&gt;
*[[Readium]]&lt;br /&gt;
*[[Adobe Digital Editions&#039; ebook DRM]]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
&lt;br /&gt;
==External links==&lt;br /&gt;
===Installation videos===&lt;br /&gt;
*[https://edumedia.dk/media/t/0_dadiw6fi/480184 Thorium PC installation video]&lt;br /&gt;
*[https://edumedia.dk/media/t/0_1j7nppt4 Thorium Mac installation video]&lt;br /&gt;
===ToS===&lt;br /&gt;
*[https://conformance.thoriumreader.com/documents/desktop3/terms-of-use/ 2026 ToS] ([https://ghostarchive.org/archive/bRGDV archived])&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/terms-of-use/ 2022 ToS] ([https://ghostarchive.org/archive/O61SS archived])&lt;br /&gt;
===Privacy Policy===&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/privacy-policy/ Privacy policy] ([https://ghostarchive.org/archive/cemKI archived]); [https://conformance.thoriumreader.com/documents/desktop3/privacy-policy/ Same policy but on &amp;quot;conformance.thoriumreader.com&amp;quot;] ([https://ghostarchive.org/archive/ye7GZ archived])&lt;br /&gt;
===Websites===&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/ edrlab.org/software/thorium-reader/] ([https://ghostarchive.org/archive/mqQkB archived])&lt;br /&gt;
*[https://www.thoriumreader.com/en/ thoriumreader.com] ([https://ghostarchive.org/archive/ZjTqS archived])&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=EDRLab&amp;diff=59157</id>
		<title>EDRLab</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=EDRLab&amp;diff=59157"/>
		<updated>2026-06-27T14:15:27Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: changed dates to iso format&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{CompanyCargo&lt;br /&gt;
|Founded=2015-07-17&lt;br /&gt;
|Industry=Software&lt;br /&gt;
|Logo=Edrlab.png&lt;br /&gt;
|Type=Non-profit&lt;br /&gt;
|CompanyAlias=European Digital Reading Lab&lt;br /&gt;
|Website=https://www.edrlab.org, https://www.thoriumreader.com&lt;br /&gt;
}}&lt;br /&gt;
EDRLab is a &amp;quot;non-profit development laboratory working on the deployment of an open, interoperable and accessible digital publishing ecosystem worldwide.&amp;quot; It has over 100 members, but some of its founding members are: [[wikipedia:Editis|Editis]], [[wikipedia:Hachette Livre|Hachette]], [[wikipedia:Centre national du livre|Centre National du livre]], [[wikipedia:Groupe Madrigall|Groupe Madrigall]] and the French State. EDRLab is a member of [[wikipedia:World Wide Web Consortium|W3C]] and [[Readium|Readium Foundation]]. It is one of the main contributors to Readium toolkits and the manager of Readium LCP [[Digital rights management|DRM]]. They are also the creators of Thorium Reader, an EPUB reading application.&amp;lt;ref&amp;gt;{{Cite web |title=About |url=https://www.edrlab.org/about/ |url-status=live |website=edrlab.org |archive-url=https://web.archive.org/web/20260502070949/https://www.edrlab.org/about/ |archive-date=2026-05-02 |access-date=2026-06-24}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=EDRLab members directory |url=https://members.edrlab.org |url-status=live |archive-url=https://web.archive.org/web/20260303083006/https://members.edrlab.org/ |archive-date=2026-03-03 |access-date=2026-06-24}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |language=fr |title=SITUATION AU REPERTOIRE SIRENE |date=2026-06-24 |url=https://api-avis-situation-sirene.insee.fr/identification/pdf/81344547500029 |url-status=live |website=insee.fr |archive-url=https://web.archive.org/web/20260624170714/https://api-avis-situation-sirene.insee.fr/identification/pdf/81344547500029 |archive-date=2026-06-24}}&amp;lt;/ref&amp;gt; They also focus on accessibility in order to increase the number of books available to people with disabilities.&amp;lt;ref&amp;gt;{{Cite web |title=Accessibility |url=https://www.edrlab.org/accessibility/ |url-status=live |website=edrlab.org |archive-url=https://ghostarchive.org/archive/EMoqh |archive-date=2026-06-25}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
==Consumer-impact summary==&lt;br /&gt;
EDRLab is one of the main contributors to [[Readium]] LCP DRM. Their EPUB reader application, Thorium Reader, which uses &amp;lt;abbr title=&amp;quot;Licensed Content Protection&amp;quot;&amp;gt;LCP&amp;lt;/abbr&amp;gt;, claims to be private, yet it has &amp;quot;non-personal&amp;quot; data collection that the user cannot opt out of. It also contacts EDRLab&#039;s servers every time the application is started. &lt;br /&gt;
&lt;br /&gt;
This is not apparent, since Thorium&#039;s installer doesn&#039;t inform the user of this, there are no &amp;quot;agree/disagree&amp;quot; options and Thorium&#039;s interface does not directly link to either the [[Terms of service]] (ToS) or the Privacy policy (see: [[EDRLab#User not clearly presented with terms|User not clearly presented with terms]]. Users also wouldn&#039;t be notified if the Privacy policy were to change, since that would require them to manually check the Privacy policy page for updates. &lt;br /&gt;
&lt;br /&gt;
The Terms of service also mentions that the user agrees to &amp;quot;indemnify and hold harmless the EDRLab Parties&amp;quot; even for &amp;quot;alleged&amp;quot; breaches by the user of the ToS. It is also stated that &amp;quot;EDRLab Parties have the right to monitor the use of the Application.&amp;quot; The 2026 ToS also contains a [[Forced arbitration]] clause (see: [[EDRLab#Forced arbitration (8 Apr 2026 ToS version)|Forced arbitration (8 Apr 2026 ToS version)]]).&lt;br /&gt;
&lt;br /&gt;
The application is also deceptively marketed as open source as it is stated in the privacy policy that it is in fact not entirely open source, but rather has a &amp;quot;small software library used as core for the Readium LCP DRM, which does not store or send any data.&amp;quot; This requires users to trust the company on their word, since users cannot inspect the application, as they may not &amp;quot;rent, sell, modify, decompile, disassemble, reverse engineer or transfer the Application in whole or in part&amp;quot;, according to the Terms of service. Furthermore, this connects directly to the 2nd paragraph. The Terms of service as well as the Privacy policy are discussed in more detail in the &amp;quot;Incidents&amp;quot; section (see: [[EDRLab#Thorium Reader privacy policy and terms of use|Thorium Reader privacy policy and terms of use]]).&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
===Thorium Reader privacy policy and terms of use===&lt;br /&gt;
====Privacy policy (22 Nov 2022 version)====&lt;br /&gt;
Despite Thorium&#039;s homepage stating that:&amp;lt;blockquote&amp;gt;This application is free, with no ads and no private data leaks.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;thorium-home&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://www.edrlab.org/software/thorium-reader/ |url-status=live |website=edrlab.org |archive-url=https://web.archive.org/web/20260619033750/https://www.edrlab.org/software/thorium-reader/ |archive-date=2026-06-19 |access-date=2026-06-24}}&amp;lt;/ref&amp;gt;There is data collection, but it is stated that it is &amp;quot;non-personal.&amp;quot; The application calling itself private might give some users the wrong impression, if they take that to mean &amp;quot;no phoning home.&amp;quot; The reader sends this &amp;quot;non-personal&amp;quot; data to EDRLab&#039;s servers. &lt;br /&gt;
&lt;br /&gt;
It is impossible to opt out of &amp;quot;notifications&amp;quot; that are sent to a server every time the application is started. They state that this information &amp;lt;blockquote&amp;gt;is for analytics only and not accessed by any third party. It is used to get information about the evolution of the number of installs of the application per operating system, the evolution of usage sessions and the main locales in use.&amp;lt;/blockquote&amp;gt;And:&amp;lt;blockquote&amp;gt;Parameters of such notification are:&lt;br /&gt;
&lt;br /&gt;
*a timestamp,&lt;br /&gt;
*the version of Thorium Reader,&lt;br /&gt;
*the operating system of the device and its version,&lt;br /&gt;
*the locale of the application at the time it is started,&lt;br /&gt;
*if this is the first start of Thorium Reader after a fresh install.&lt;br /&gt;
&lt;br /&gt;
The IP address of the device is not stored along with the above information.&lt;br /&gt;
&lt;br /&gt;
It is not possible to opt-out from this notification.&amp;lt;/blockquote&amp;gt;Also:&amp;lt;blockquote&amp;gt;a notification is sent to an LCP Server each time a protected publication is open. This is required by the LCP specification for checking if the license of use of the publication has been updated. There is not centralized LCP Server, each server is operated by the distributor of the protected publication acquired by the user.&lt;br /&gt;
&lt;br /&gt;
Parameters of such notification are:&lt;br /&gt;
&lt;br /&gt;
*a device identifier, automatically generated at the install of the application.&lt;br /&gt;
*a device name, automatically generated at the install of the application.&lt;br /&gt;
&lt;br /&gt;
The codebase of Thorium Reader is open-sourced and can therefore be fully inspected, with the exception of a small software library used as core for the Readium LCP DRM, which does not store or send any data.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
The terms of privacy policy can also evidently be changed without users being notified in their actual reading application, but rather: &amp;lt;blockquote&amp;gt;We may change the Privacy Policy from time to time. We will notify you by posting the revised Privacy Policy on this page and the date on which the last changes were made will be noted at the top of the page.&amp;lt;/blockquote&amp;gt;So users would have to periodically check this site to know whether any terms have changed.&lt;br /&gt;
&lt;br /&gt;
====Terms of service (2022-11-22 version)====&lt;br /&gt;
Moving on to the Terms of service, there are several interesting things. First:&amp;lt;blockquote&amp;gt;You hereby agree to indemnify and hold harmless the EDRLab Parties from and against any and all claims, actions or proceedings of any nature whatsoever and all damages, judgments, losses, liabilities, costs and expenses, including reasonable attorneys’ fees and expenses (including those incurred to enforce this provision), arising out of your use of the Application, the Content, any actual or alleged breach by you of these Terms of Use, or any violation by you of any applicable law or the rights of any other person or entity.&amp;lt;/blockquote&amp;gt;Especially:&amp;lt;blockquote&amp;gt;any actual or alleged breach by you of these Terms of Use&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
As per this, one is agreeing to &amp;quot;indemnify and hold harmless the EDRLab Parties&amp;quot; even for alleged breaches of the terms of service.&lt;br /&gt;
&lt;br /&gt;
In one of the quotes above, it is mentioned that due to Thorium&#039;s open source nature, one can inspect its source code apart from a &amp;quot;small software library used as core for the Readium LCP DRM, which does not store or send any data&amp;quot; Which, one cannot verify that part, since:&amp;lt;blockquote&amp;gt;In addition, you may not rent, sell, modify, decompile, disassemble, reverse engineer or transfer the Application in whole or in part. You may not use any device, software or routine to interfere with or attempt to interfere with the proper functioning of the Application in whole or in part.&amp;lt;/blockquote&amp;gt;So it would appear that it is up to individual users to decide if not being able to verify that part is acceptable to them. Finally, there is also this:&amp;lt;blockquote&amp;gt; However, you acknowledge that the EDRLab Parties have the right to monitor the use of the Application, at its sole discretion, and to disclose any information necessary to comply with any law, regulation or government request, in order to be able to operate the Application adequately or in order to protect itself or its users under the “Privacy Policy”&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;tos&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader – Terms of Use |date=2022-11-22 |url=https://www.edrlab.org/software/thorium-reader/terms-of-use/ |website=edrlab.org |url-status=live |archive-url=https://web.archive.org/web/20260617083801/https://www.edrlab.org/software/thorium-reader/terms-of-use/ |archive-date=2026-06-17 |access-date=2026-06-24}}&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;privacy-policy&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader – Privacy Policy |date=2022-11-22 |url=https://www.edrlab.org/software/thorium-reader/privacy-policy/ |website=edrlab.org |archive-url=https://web.archive.org/web/20260617083801/https://www.edrlab.org/software/thorium-reader/privacy-policy/ |url-status=live |archive-date=2026-06-17 |access-date=2026-06-24}}&amp;lt;/ref&amp;gt; The above summarizes and discusses Thorium&#039;s Privacy policy and Terms of service. Readers are encouraged to consult both the Privacy policy and the Terms of service for themselves and form their own conclusions.&lt;br /&gt;
=====Forced arbitration (2026-04-08 ToS version)=====&lt;br /&gt;
In the updated Terms of service (see [[EDRLab#External links|External links]]), from 2026-04-08, there is a Forced arbitration clause.&amp;lt;blockquote&amp;gt;To the fullest extent permitted by applicable law, any dispute, claim or controversy between you and EDRLab that relates in any way to or arises from your use of the Application or these Terms of Use (a “Dispute”) shall be resolved on an individual basis and, except as provided below, exclusively through binding arbitration. A Dispute will be submitted to arbitration, whether it is based on contract, statute, regulation, court order, tort or any other legal or equitable theory. You understand that in arbitration, there is no judge or jury and that judicial review of an arbitral award is limited. Unless otherwise required by mandatory law, the arbitration shall be administered by a recognised arbitration institution (for example, the ICC in Paris, or, for consumers in the United States, the American Arbitration Association) under its applicable rules for consumer or commercial disputes, as modified by this clause. The arbitration shall be conducted by a single arbitrator, in French or English, and, unless the arbitrator decides that an in‑person hearing is necessary, may be held by videoconference. The arbitrator shall apply the applicable governing law set out below and may award any remedies available at law or in equity. The arbitrator’s award shall be final and binding and may be entered in any court of competent jurisdiction.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
And:&amp;lt;blockquote&amp;gt;You agree that any arbitration or court proceeding will be conducted only on an individual basis, not as a class, collective, or representative action. To the fullest extent permitted by applicable law, you and EDRLab each waive any right to a jury trial in any court proceedings. Notwithstanding the foregoing, either you or EDRLab may: (a) bring an individual action in a court of competent jurisdiction for claims that fall within the jurisdiction of a small‑claims or equivalent court, or (b) seek provisional or injunctive relief in a court of competent jurisdiction to protect intellectual property rights or prevent unauthorised access to or use of the Application. You and we agree to submit to the exclusive jurisdiction of Paris, France. Unless prohibited by applicable law, and without regard to its conflict of laws principles, you and we agree that any Dispute between you and us will be governed by and construed in accordance with the laws of France. ​In all cases, nothing in these Terms of Use is intended to waive any sovereign immunity, governmental immunity or other mandatory legal protection that cannot be contractually waived under applicable law.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
You also agree to first contact EDRLab before initiating any proceedings:&amp;lt;blockquote&amp;gt;If you have any concern or dispute regarding the Application or these Terms of Use, you agree first to contact EDRLab at contact@edrlab.org and to make a good‑faith effort to resolve the dispute informally for at least thirty (30) days before initiating arbitration or court proceedings.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;tos2&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===User not clearly presented with terms===&lt;br /&gt;
During the installation process, the user is not clearly presented with the Terms of use or the Privacy policy. There is no option to agree or disagree to the terms and the privacy policy, nor are they directly linked in the app (see: [[EDRLab#Installation|Installation]] and [[EDRLab#Post-installation|Post-installation]]). While it is not possible to opt out, the user doesn&#039;t know that during installation, unless they&#039;d scrolled on Thorium&#039;s webpage to find the Terms of use and the Privacy policy, or unless they&#039;d found them wherever they&#039;re installing the app from (e.g. [[Microsoft|Microsoft]] Store). See [[EDRLab#External links|External links]] for installation videos of Thorium.&amp;lt;ref name=&amp;quot;install-thorium-win&amp;quot;&amp;gt;{{Cite web |date=2026-02-24 |title=installer_thorium_pc |author=Stine Kjær Kappel |language=da |url=https://edumedia.dk/media/t/0_dadiw6fi/480184 |url-status=live |website=edumedia.dk |archive-url=https://ghostarchive.org/archive/3IlBv |archive-date=2026-06-25}}&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;install-thorium-mac&amp;quot;&amp;gt;{{Cite web |date=2026-02-24 |title=installer_thorium_mac |author=Stine Kjær Kappel |language=da |url=https://edumedia.dk/media/t/0_1j7nppt4 |url-status=live |website=edumedia.dk |archive-url=https://ghostarchive.org/archive/ILix8 |archive-date=2026-06-25}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
====Installation====&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:Thorium-website.webp|alt=Installation step: 1 (installation page)|right|Installation step: 1 (installation page)&lt;br /&gt;
File:F1.webp|alt=Installation step: 1 (alternative on Windows: Microsoft Store)|right|Installation step: 1 (alternative on Windows: Microsoft Store)&lt;br /&gt;
File:F2.webp|alt=Installation step: 2 (Thorium being installed)|right|Installation step: 2 (Thorium being installed)&lt;br /&gt;
File:F3.webp|alt=Installation step: 3 (Thorium&#039;s welcome page upon first launch)|right|Installation step: 3 (Thorium&#039;s welcome page upon first launch)&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
No direct presentation of the Terms of use or the Privacy policy during installation (example on Windows).&lt;br /&gt;
=====Step 0=====&lt;br /&gt;
The Terms of use and the Privacy policy can be located on the homepage by scrolling down to the &amp;quot;Terms of Use, Privacy Policy&amp;quot; section.&amp;lt;ref name=&amp;quot;thorium-home&amp;quot; /&amp;gt;&lt;br /&gt;
=====Step 1=====&lt;br /&gt;
On the installation page (step 1), the user would have to click on &amp;quot;Support&amp;quot; on the top right (or &amp;quot;Minimum system requirement&amp;quot; in the center-left) and then locate the &amp;quot;About Thorium Reader&amp;quot; section on the bottom left. This is not the same page as the &amp;quot;About&amp;quot; located next to &amp;quot;Support.&amp;quot;&amp;lt;ref name=&amp;quot;homepage&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://thorium.edrlab.org/en/ |url-status=live |website=thorium.edrlab.org |archive-url=https://ghostarchive.org/archive/BI26o |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Thorium 3 support |url=https://thorium.edrlab.org/en/th3/ |url-status=live |website=thorium.edrlab.org |archive-url=https://ghostarchive.org/archive/eHOlo |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
======Microsoft Store======&lt;br /&gt;
On the Microsoft Store (alternative step 1 for Windows), the &amp;quot;Additional information&amp;quot; section contains links to the Privacy policy and the &amp;quot;Terms of transaction.&amp;quot; The former leads to EDRLab&#039;s &amp;quot;Legal Information&amp;quot; page, not the actual privacy policy on the site that the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; opens (it is also in French, even with the computer&#039;s language set to English)&amp;lt;ref&amp;gt;{{Cite web |title=Legal Information |url=https://www.edrlab.org/legal-information/ |url-status=live |website=edrlab.org |language=fr |archive-url=https://ghostarchive.org/archive/NvQtI |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
The latter link leads to a &amp;quot;Microsoft Store Terms of Sale&amp;quot; (not the same thing as the app&#039;s Terms of use). There is also a website link, but it opens a different website&amp;lt;ref name=&amp;quot;altsite&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://www.thoriumreader.com/en/ |url-status=live |website=thoriumreader.com |archive-url=https://ghostarchive.org/archive/ZjTqS |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; than the one Thorium Reader opens when clicking &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; (see [[EDRLab#External links|External links]]).&amp;lt;ref&amp;gt;{{Cite web |title=Thorium Reader |url=https://apps.microsoft.com/detail/9nfzp1g7m2sc?hl=en-US |website=apps.microsoft.com |url-status=live |archive-url=https://ghostarchive.org/archive/ukmly |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; That site site has a &amp;quot;Legal Notices&amp;quot; (not to be confused with the aforementioned &amp;quot;Legal Information&amp;quot; page) link, through which users can locate the Terms of service and the Privacy policy.&amp;lt;ref name=&amp;quot;altsite&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;conformance&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader Conformance Reports |url=https://conformance.thoriumreader.com/ |url-status=live |website=conformance.thoriumreader.com |archive-url=https://ghostarchive.org/archive/Y4JlV |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=====Steps 2 &amp;amp; 3=====&lt;br /&gt;
The installer does not have a link to the Privacy policy or the Terms of service, but after installation (after getting past the welcome screen in image 3), one can use the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; link to go to the app&#039;s website and locate the documents (see [[EDRLab#Step 0|Step 0]]).&amp;lt;ref name=&amp;quot;thorium-home /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====Post-installation====&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:S1.webp|alt=(I) Welcome dialog post installation|right|(I) Welcome dialog post installation&lt;br /&gt;
File:S2.webp|alt=(II) &amp;quot;Resources &amp;amp; Community&amp;quot; section of the dialog |right|(II) &amp;quot;Resources &amp;amp; Community&amp;quot; section of the dialog&lt;br /&gt;
File:S0.webp|alt=(III)&amp;quot;Home&amp;quot; tab|right|(III) &amp;quot;Home&amp;quot; tab&lt;br /&gt;
File:S3.webp|alt=(IV) Settings -- general -- part 1|right|(IV) Settings -- general (part 1)&lt;br /&gt;
File:S4.webp|alt=(V) Settings -- general -- part 2|right|(V) Settings -- general (part 2)&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
No direct presentation of the Terms of use or the Privacy policy. The dialog in images (I) and (II) only contains information about the app&#039;s version and links, one of which is the website.&amp;lt;ref name=&amp;quot;altsite&amp;quot; /&amp;gt; This webpage includes a &amp;quot;Legal Notices&amp;quot; link, through which users can find the relevant documentation. &lt;br /&gt;
&lt;br /&gt;
Image (III) contains depicts the app&#039;s &amp;quot;Home&amp;quot; tab. The user would have to click the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; link (visible on the bottom right of the images), which would open the app&#039;s website in the browser. This, however, is not the same website as the one that the link from image (II) leads to.&amp;lt;ref name=&amp;quot;homepage&amp;quot; /&amp;gt; In fact, via the former (through &amp;quot;Legal Notices&amp;quot;),&amp;lt;ref name=&amp;quot;conformance&amp;quot; /&amp;gt; users can access a more recent version of the Terms of use (the version from 2026-04-08 as of 2026-06-27);&amp;lt;ref name=&amp;quot;tos2&amp;quot;&amp;gt;{{Cite web |title=Conformance Reports - Terms of use |date=2022-04-08 |url=https://conformance.thoriumreader.com/documents/desktop3/terms-of-use/ |url-status=live |website=conformance.thoriumreader.com |archive-url=https://ghostarchive.org/archive/bRGDV |archive-date=2026-06-27}}&amp;lt;/ref&amp;gt; whereas via the latter, users can access (by scrolling down to the &amp;quot;Terms of Use, Privacy Policy&amp;quot; section, where they&#039;d find the link) Terms of service (as of 2026-06-27) from 2022-11-22.&amp;lt;ref name=&amp;quot;tos&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Image (IV) and (V) depict the settings tab, where any links can&#039;t be found either. This is also seen in the installation videos in [[EDRLab#External links|External links]].&amp;lt;ref name=&amp;quot;install-thorium-win&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;install-thorium-mac&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Products==&lt;br /&gt;
*Thorium Reader&lt;br /&gt;
*Readium LCP (main contributor)&lt;br /&gt;
*Lis mon Livre&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[[Digital rights management]]&lt;br /&gt;
*[[Forced arbitration]]&lt;br /&gt;
*[[Readium]]&lt;br /&gt;
*[[Adobe Digital Editions&#039; ebook DRM]]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
&lt;br /&gt;
==External links==&lt;br /&gt;
===Installation videos===&lt;br /&gt;
*[https://edumedia.dk/media/t/0_dadiw6fi/480184 Thorium PC installation video]&lt;br /&gt;
*[https://edumedia.dk/media/t/0_1j7nppt4 Thorium Mac installation video]&lt;br /&gt;
===ToS===&lt;br /&gt;
*[https://conformance.thoriumreader.com/documents/desktop3/terms-of-use/ 2026 ToS] ([https://ghostarchive.org/archive/bRGDV archived])&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/terms-of-use/ 2022 ToS] ([https://ghostarchive.org/archive/O61SS archived])&lt;br /&gt;
===Privacy Policy===&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/privacy-policy/ Privacy policy] ([https://ghostarchive.org/archive/cemKI archived]); [https://conformance.thoriumreader.com/documents/desktop3/privacy-policy/ Same policy but on &amp;quot;conformance.thoriumreader.com&amp;quot;] ([https://ghostarchive.org/archive/ye7GZ archived])&lt;br /&gt;
===Websites===&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/ edrlab.org/software/thorium-reader/] ([https://ghostarchive.org/archive/mqQkB archived])&lt;br /&gt;
*[https://www.thoriumreader.com/en/ thoriumreader.com] ([https://ghostarchive.org/archive/ZjTqS archived])&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=Readium&amp;diff=59154</id>
		<title>Readium</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=Readium&amp;diff=59154"/>
		<updated>2026-06-27T13:59:19Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: changed dates to iso format&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{CompanyCargo&lt;br /&gt;
|Founded=2013-01-29&lt;br /&gt;
|Industry=Software&lt;br /&gt;
|Type=Non-profit&lt;br /&gt;
|Logo=Readium-logo.png&lt;br /&gt;
|CompanyAlias=Readium Foundation&lt;br /&gt;
|Website=https://readium.org/&lt;br /&gt;
}}&lt;br /&gt;
[[wikipedia:Readium LCP|Readium Foundation]] is a non profit that produces &amp;quot;reading system toolkits&amp;quot;, that can be deployed across multiple platforms and digital publishing formats. According to its Certificate of incorporation, it was incorporated in Delaware, USA in 2013. It has multiple members including:&lt;br /&gt;
{{columns-list|colwidth=35em|&lt;br /&gt;
*The European Digital Reading Lab ([[EDRLab]])&lt;br /&gt;
*BiblioVault (University of Chicago Press)&lt;br /&gt;
*Columbia University Library&lt;br /&gt;
*eKitabu&lt;br /&gt;
*New York Public Library&lt;br /&gt;
*New York University Library&lt;br /&gt;
*DRM Inside Co., Ltd.}}&amp;lt;ref name=&amp;quot;membership&amp;quot;&amp;gt;{{Cite web |title=Membership Overview |website=readium.org |url=https://readium.org/membership/overview/ |url-status=live |archive-url=https://web.archive.org/web/20260623133413/https://readium.org/membership/overview/ |archive-date=2026-06-23}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=READIUM FOUNDATION CERTIFICATE OF INCORPORATION |url=https://readium.org/documents/READIUM-FOUNDATION-CERTIFICATE-OF-INCORPORATION.pdf |url-status=live |website=readium.org |archive-url=https://web.archive.org/web/20240801153456/https://readium.org/documents/READIUM-FOUNDATION-CERTIFICATE-OF-INCORPORATION.pdf |archive-date=2024-08-01 |access-date=2026-06-23}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Readium Project Goals |url=https://readium.org/about/project_goals.html/ |url-status=live |website=readium.org |archive-url=https://web.archive.org/web/20260311013954/https://readium.org/about/project_goals.html/ |archive-date=2026-03-11 |access-date=2026-06-23}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
One of its main products is the Readium LCP [[Digital rights management |DRM]] system.&lt;br /&gt;
&lt;br /&gt;
==Consumer-impact summary==&lt;br /&gt;
While it is commendable that Readium and its partners (like EDRLab) promote open source code and wished to design a DRM system that aimed to avoid vendor lock-in (which could have caused a lack of innovation, diversity, features and would have handed one vendor total control), aimed to be more interoperable, simpler, secure and ensuring that: &amp;lt;blockquote&amp;gt;The solution is designed to be minimally intrusive for end-users, who don’t need to create a third-party account. User can share their ebooks with their family or close friends&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;rlcp&amp;quot;&amp;gt;{{Cite web |title=Readium LCP |website=edrlab.org |url=https://www.edrlab.org/readium-lcp/ |url-status=live |archive-url=https://web.archive.org/web/20260617083801/https://www.edrlab.org/readium-lcp/ |archive-date=2026-06-17 |access-date=2026-06-23}}&amp;lt;/ref&amp;gt; it can be argued that DRM in itself is negatively affecting consumers (see: [[Digital rights management#Why it is a problem|DRM]]). Moreover, the Readium SDK was reportedly developed so that it would support multiple DRM technologies, allowing other DRM vendors to easily integrate their systems with Readium.&lt;br /&gt;
&lt;br /&gt;
Readium has also filed DMCA takedown requests to force tools which circumvented Readium LCP to remove code from their repositories. As a result, it is currently not possible for users to archive their own ebooks without Readium LCP DRM in an easy way (or perhaps any way). Though some users claim they were able to do it with methods such as [[Readium#Response to a published circumvention method (2025)|Terence Eden&#039;s method]], the consensus seems to be that many suggested tools do not work. And as it turns out, there are several examples of users complaining or asking for help with the exact issue of being stuck with DRM on something they paid for ([[Right to own]]). (Refer to [[Readium#External links|External links]] for examples.)&lt;br /&gt;
&lt;br /&gt;
A [[Mastodon]] user named Terence Eden, who circumvented LCP and made some really good points in a reply to a person who was reportedly from the Readium Foundation (see: [[Readium#Response to a published circumvention method (2025)|Response to a published circumvention method]]):&amp;lt;blockquote&amp;gt;Because Readium doesn&#039;t freely licence its DRM, it has an adverse effect on me and other readers like me.&lt;br /&gt;
&lt;br /&gt;
*My eReader hardware is out of support from the manufacturer - it will never receive an update for LCP support.&lt;br /&gt;
*My reading software (KOReader) have publicly stated that they cannot afford the fees you charge and will not be certified by you.&lt;br /&gt;
*Kobo hardware cannot read LCP protected books.&lt;br /&gt;
*There is no guarantee that LCP compatible software will be released for future platforms.&lt;br /&gt;
&lt;br /&gt;
In short, I want to read my books on my choice of hardware and software; not yours.&lt;br /&gt;
&lt;br /&gt;
I believe that everyone deserves the right to read on their platform of choice without having to seek permission from a 3rd party.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;eden&amp;quot;&amp;gt;{{Cite web |title=Extracting content from an LCP &amp;quot;protected&amp;quot; ePub |author=Terence Eden |date=2025-03-16 |url=https://shkspr.mobi/blog/2025/03/towards-extracting-content-from-an-lcp-protected-epub/ |website=shkspr.mobi |url-status=live |archive-url=https://web.archive.org/web/20260624090702/https://shkspr.mobi/blog/2025/03/towards-extracting-content-from-an-lcp-protected-epub/ |archive-date=2026-06-24}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
This is a list of all consumer-protection incidents this company is involved in. Any incidents not mentioned here can be found in the [[:Category:{{FULLPAGENAME}}|{{PAGENAME}} category]].&lt;br /&gt;
===DMCA takedown (2022-01-04)===&lt;br /&gt;
Readium filed a [[Digital Millennium Copyright Act |DMCA]] takedown notice with [[GitHub|GitHub]] in 2022. The notice stated that: &amp;lt;blockquote&amp;gt;The user &amp;quot;noDRM&amp;quot; has published on GitHub software which specifically allows the decryption of ebooks protected by the LCP Profile 1.0 and allows saving them as non-protected ebooks. This infringement violates our legal business and affects authors and publishers’ IP. This codebase is presented as a plug-in of the well-known Calibre software, an open-source ebook manager.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
As well as that the explicit circumvention of Readium LCP was in a file called &amp;quot;lcpdedrm.py.&amp;quot; And that: &amp;lt;blockquote&amp;gt;The user noDRM is actively promoting the activity of cracking both library loans and one-off purchases&amp;lt;/blockquote&amp;gt;followed by a link to a GitHub Issue to substantiate the claim.&amp;lt;ref&amp;gt;{{Cite web |title=2022-01-04-readium |author=[private] |date=2022-01-04 |url=https://github.com/github/dmca/blob/master/2022/01/2022-01-04-readium.md |url-status=live |archive-url=https://web.archive.org/web/20260604153156/https://github.com/github/dmca/blob/master/2022/01/2022-01-04-readium.md |archive-date=2026-06-04 |access-date=2026-06-23}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
As a result, the relevant files as well as relevant [[wikipedia:Git|Git]] history was removed from the repository.&amp;lt;ref&amp;gt;{{Cite web |author=captn3m0 |date=2025-03-17 |title=Extracting content from an LCP “protected” ePub |url=https://news.ycombinator.com/item?id=43378627 |url-status=live |website=news.ycombinator.com |archive-url=https://web.archive.org/web/20260616102133/https://news.ycombinator.com/item?id=43378627 |archive-date=16 Jun 2026 |access-date=2026-06-24}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Response to a published circumvention method (2025)===&lt;br /&gt;
[[File:Llemeur.webp|alt=Mastodon comment by @llemeur|thumb|Mastodon comment by @llemeur]]&lt;br /&gt;
In March 2025, a Mastodon user called Terence Eden (@Edent@mastodon.social) made a post about circumventing Readium LCP, and later described his method in a blog post. Shortly after, he reportedly received a [[LinkedIn]] message from somebody at the Readium Foundation.&lt;br /&gt;
There is also a comment on Eden&#039;s Mastodon post by a user named &amp;quot;llemeur&amp;quot; (llemeur@mastodon.social), stating, &amp;quot;@Edent, that would be disappointing. PM on LinkedIn.&amp;quot; While the username is similar to the initials of &amp;quot;Laurent Le Meur&amp;quot;- a Readium board member&amp;lt;ref name=&amp;quot;membership&amp;quot; /&amp;gt; as well as Director and CTO of EDRLab&amp;lt;ref&amp;gt;{{Cite web |title=About |url=https://www.edrlab.org/about/ |url-status=live |website=edrlab.org |archive-url=https://web.archive.org/web/20260502070949/https://www.edrlab.org/about/ |archive-date=2026-05-02 |access-date=2026-06-26}}&amp;lt;/ref&amp;gt;, it is unclear who the commenter actually was.&lt;br /&gt;
The person &amp;quot;congratulated&amp;quot; Eden and mentioned that:&amp;lt;blockquote&amp;gt;We managed to convince publishers (even big US publishers) to adopt a solution that is flexible for readers and appreciated by public libraries and booksellers.&lt;br /&gt;
&lt;br /&gt;
Our gains are re-injected in open-source software and open standards (work on EPUB and Web Publications).&lt;br /&gt;
&lt;br /&gt;
If the DRM does not succeed, harder DRMs (for users) will be tested.&lt;br /&gt;
&lt;br /&gt;
I let you think about that aspect&amp;lt;/blockquote&amp;gt;In a response, Eden stated that the his method was basic, used the app&#039;s built-in debugging functionality and that he had not reverse engineered their app or decrypted their secret keys. He stated that he would publish his research and the correspondence, but that he wouldn&#039;t publish any of their intellectual property. Their reply included what Eden, in his blog, described as a &amp;quot;crude attempt at emotional manipulation.&amp;quot;&amp;lt;blockquote&amp;gt;We were planning to now focus on new accessibility features on our open-source Thorium Reader, better access to annotations for blind users and an advanced reading mode for dyslexic people. Too bad; disturbances around LCP will force us to focus on a new round of security measures, ensuring the technology stays useful for ebook lending (stop reading after some time) and as a protection against oversharing.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
You can, for sure, publish information relative to your discoveries to the extent UK laws allow. After study, we&#039;ll do our best to make the technology more robust. If your discourse represents a circumvention of this technical protection measure, we&#039;ll command a take-down as a standard procedure.&amp;lt;/blockquote&amp;gt;The correspondence came to a close after Eden&#039;s reply:&amp;lt;blockquote&amp;gt;As you have raised the possibility of legal action, I think it is best that we terminate this conversation.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;eden&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;mastodon&amp;quot;&amp;gt;{{Cite web |author=Terence Eden |date=Mar 2025 |title=114155981621627317 |url=https://mastodon.social/@Edent/114155981621627317 |url-status=live |website=mastodon.social |archive-date=2026-06-24 |archive-url=https://web.archive.org/web/20260624093517/https://mastodon.social/@Edent/114155981621627317}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
(Refer to [[Readium#External links|External links]] for the entire correspondence.)&lt;br /&gt;
&lt;br /&gt;
==Company background==&lt;br /&gt;
&amp;lt;blockquote&amp;gt;The Readium project was started by the IDPF in 2012 because the EPUB 3.0 specification had been released late in 2011, but no implementation yet existed (or, at least, had been publicly released). So IDPF provided some funding and encouragement and two firms, Evident Point and Bluefire, took the lead in developing a JavaScript implementation of a significant part of the EPUB 3 spec.&amp;lt;/blockquote&amp;gt; The [[wikipedia:JavaScript|JavaScript]] implementation lacked features and was written as a [[Google Chrome]] extension. It also didn&#039;t provide native implementations for devices and &amp;quot;it couldn’t support DRM securely.&amp;quot; After additional development, they released the open source Readium SDK Core.&amp;lt;blockquote&amp;gt;The SDK was designed from the beginning to support DRM ( Digital Rights Management ), a mandatory feature for digital library lending, and also required by many publisher for anti-piracy matters. It was moreover designed to be DRM-agnostic, able to support multiple DRM implementations. However, while that capability existed in the SDK, there was also an increasing perception over time that the existing DRM implementations (Adobe, Kobo, Sony) were too heavyweight and proprietary and there existed a need for a new open-source DRM specification and implementation. The result was the Readium LCP (Licensed Content Protection) specification and implementation, which is rolling out in 2017.&amp;lt;/blockquote&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=A Bit of History |website=readium.org |url=https://readium.org/about/history.html/ |url-status=live |archive-url=https://web.archive.org/web/20260623141903/https://readium.org/about/history.html/ |archive-date=2026-06-23}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Readium LCP==&lt;br /&gt;
===Preliminary===&lt;br /&gt;
Readium LCP is Readium&#039;s DRM system. Readium Foundation is responsible for maintenance of the Readium LCP specification, while: &amp;lt;blockquote&amp;gt;management of the Readium LCP ecosystem is handled by EDRLab, acting as Certification Authority.&amp;lt;/blockquote&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Readium Projects |website=readium.org |url=https://readium.org/development/projects |url-status=live |archive-url=https://web.archive.org/web/20260527112832/https://readium.org/development/projects |archive-date=2026-05-27 |access-date=2026-06-23}}&amp;lt;/ref&amp;gt;(EDRLab is also a member of the Readium Foundation)&amp;lt;ref name=&amp;quot;membership&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The design of Readium Licensed Content Protection (LCP) was influenced by a 2012 paper called &amp;quot;EPUB Lightweight Content Protection: Use Cases &amp;amp; Requirements&amp;quot; by Bill Rosenblatt (link in the External Links section). &lt;br /&gt;
It is also an international standard, referenced as: ISO/IEC 23078-2:2024.&lt;br /&gt;
&lt;br /&gt;
===Basics===&lt;br /&gt;
&lt;br /&gt;
One of the most important concepts in Readium LCP is the &#039;&#039;&#039;LCP license file&#039;&#039;&#039;. It is generated by a &#039;&#039;&#039;Readium LCP License Server&#039;&#039;&#039; and contains: &amp;lt;blockquote&amp;gt;&lt;br /&gt;
*A set of rights; standard rights are:&lt;br /&gt;
**A start and end access date and time, especially useful for library lending;&lt;br /&gt;
**The number of pages the user is allowed to print;&lt;br /&gt;
**The number of characters the user is allowed to copy/paste;&lt;br /&gt;
*The passphrase hint; this information is important; more details below, in section “Interaction with the Reading System”;&lt;br /&gt;
*The content key, encrypted; the reading system will use the user passphrase in order to get this data in clear;&lt;br /&gt;
*The provider certificate and a digital signature; this information will be used by the reading system for checking that the license has not been modified by anyone other than the provider;&lt;br /&gt;
Optional:&lt;br /&gt;
*Some limited personal data; LCP can act as a “social DRM”; such information is encrypted for privacy protection, and the License Server does not store this information.&lt;br /&gt;
*Optionally, the URL of the protected content associated with this license, used if the license is delivered as a stand-alone file (.lcpl).&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
(The following summarizes what is referred to as the “Interaction with the Reading System” section in the quote above, as well as a few other sections.)&lt;br /&gt;
&lt;br /&gt;
A license file can either be distributed as a standalone file or embedded into an [[wikipedia:EPUB|EPUB]] file.&amp;lt;blockquote&amp;gt;A protected EPUB file is simply the association of protected content with a license.&amp;lt;/blockquote&amp;gt; Users can buy ebooks from the reading system and receive license a license file. The reading system then automatically downloads the appropriate EPUB file and embeds the license into it. With this arrangement: &amp;lt;blockquote&amp;gt;the EPUB file with its included license can be opened by the reading system, archived, exported to another reading system etc. and the user has only one file to care about.&amp;lt;/blockquote&amp;gt; In an alternative arrangement, the distributor can embed license files into EPUB files, before sending them to the reading system.&lt;br /&gt;
&lt;br /&gt;
===Encryption and decryption===&lt;br /&gt;
&lt;br /&gt;
Its encryption is based on [[wikipedia:Advanced Encryption Standard |AES]]. Keys that unlock files are referred to as passphrases. These can either be generated or chosen by the user. Users have one passphrase for each bookstore or library. LCP licenses also include password hints in case a user forgets their password. &amp;lt;blockquote&amp;gt;The software transforms the passphrase into a user key (h = hash(pp) then uk = userkey(h), with “userkey” a simple string transfom). The user key can decrypt the content key provided in the user license. The content key can decrypt the content.&lt;br /&gt;
&lt;br /&gt;
The Readium LCP library software is mostly open-source, only uk = userkey(h) isn’t (in the open-source version it is void). Only trusted licence providers and trusted app developers know what this string transform is. Therefore one cannot take the open-source software and simply add a “save as clear epub” feature applied on ebooks provided by certified servers.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&amp;lt;ref&amp;gt;{{Cite web |title=LCP principles |website=edrlab.org |url=https://www.edrlab.org/readium-lcp/principles/ |url-status=live |archive-url=https://web.archive.org/web/20260623162817/https://www.edrlab.org/readium-lcp/principles/ |archive-date=2026-06-23}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Products==&lt;br /&gt;
*Readium LCP&lt;br /&gt;
*Readium Mobile&lt;br /&gt;
*Readium Desktop&lt;br /&gt;
*Readium Web&lt;br /&gt;
*Readium Web Publication Manifest&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[[Digital rights management]]&lt;br /&gt;
*[[Digital Millennium Copyright Act]]&lt;br /&gt;
*[[Adobe Digital Editions&#039; ebook DRM]]&lt;br /&gt;
*[[EDRLab]]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
&lt;br /&gt;
==External links==&lt;br /&gt;
===Readium===&lt;br /&gt;
{{columns-list|colwidth=35em|1=&lt;br /&gt;
*[https://www.youtube.com/watch?v=rEa3K_l1bCM Readium LCP Introduction Video] ([https://preservetube.com/watch?v=rEa3K_l1bCM archived])&lt;br /&gt;
*[https://readium.org/lcp-specs/releases/lcp/latest.html Readium LCP v1.0 Specification] ([https://web.archive.org/web/20260623151601/https://readium.org/lcp-specs/releases/lcp/latest.html archived])&lt;br /&gt;
*[https://github.com/github/dmca/blob/master/2022/01/2022-01-04-readium.md Readium&#039;s DMCA Request] ([https://web.archive.org/web/20260604153156/https://github.com/github/dmca/blob/master/2022/01/2022-01-04-readium.md archived])&lt;br /&gt;
*[https://idpf.org/epub-content-protection Conceptual Basis for Readium LCP] ([https://ghostarchive.org/archive/9qKNi archived])&lt;br /&gt;
*[https://copyrightandtechnology.com/2016/04/27/readium-lcp-and-open-source-drm/ Readium LCP and Open Source DRM] ([https://ghostarchive.org/archive/SUe2W archived])&lt;br /&gt;
*[https://readium.org/architecture/ Readium Architecture] ([https://ghostarchive.org/archive/Mchnm archived])&lt;br /&gt;
*[https://www.slideshare.net/slideshow/brosenblatt-presentation-of-lcp-epub-summit/61080670 Readium LCP Slideshare] ([https://ghostarchive.org/archive/RgoLP archived])&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
===Eden&#039;s posts===&lt;br /&gt;
*[https://shkspr.mobi/blog/2025/03/towards-extracting-content-from-an-lcp-protected-epub/ Eden&#039;s Blog Post] ([https://web.archive.org/web/20260624090702/https://shkspr.mobi/blog/2025/03/towards-extracting-content-from-an-lcp-protected-epub/ archived]) (See [https://shkspr.mobi/blog/2025/03/towards-extracting-content-from-an-lcp-protected-epub/#ethics Ethics] for correspondence.)&lt;br /&gt;
*[https://shkspr.mobi/blog/2025/03/some-thoughts-on-lcp-ebook-drm/ Another Blog Post on LCP by Eden] ([https://ghostarchive.org/archive/XAOP1 archived])&lt;br /&gt;
*[https://mastodon.social/@Edent/114155981621627317 Eden&#039;s Mastodon Posts] ([https://web.archive.org/web/20260624093517/https://mastodon.social/@Edent/114155981621627317 archived])&lt;br /&gt;
&lt;br /&gt;
===User thread examples===&lt;br /&gt;
{{columns-list|colwidth=20em|1=&lt;br /&gt;
*[https://www.reddit.com/r/Calibre/comments/1ivun15/is_there_a_plugin_that_can_remove_the_drm_from_25/ Example 1] ([https://web.archive.org/web/20250801022457/https://www.reddit.com/r/Calibre/comments/1ivun15/is_there_a_plugin_that_can_remove_the_drm_from_25/ archived])&lt;br /&gt;
*[https://news.ycombinator.com/item?id=43378627 Example 2] ([https://web.archive.org/web/20260616102133/https://news.ycombinator.com/item?id=43378627 archived])&lt;br /&gt;
*[https://www.reddit.com/r/Calibre/comments/1mx8mft/how_can_i_read_lcpl_ebooks_with_readium_lcp_and/ Example 3] ([https://ghostarchive.org/archive/4cv7t archived])&lt;br /&gt;
*[https://www.reddit.com/r/Calibre/comments/1iitfkm/calibre_dedrm_plugin_to_remove_readium_25/ Example 4] ([https://ghostarchive.org/archive/mPUxh archived])&lt;br /&gt;
*[https://www.reddit.com/r/Calibre/comments/17oj5dt/is_it_possible_to_unprotect_a_fixed_layout_lcp/ Example 5] ([https://ghostarchive.org/archive/xQPaK archived])&lt;br /&gt;
*[https://www.reddit.com/r/Calibre/comments/1ozmb19/i_bought_a_drm_lcp_locked_book_and_cant_transfer/ Example 6] ([https://ghostarchive.org/archive/2XV5x archived])&lt;br /&gt;
*[https://www.reddit.com/r/Calibre/comments/1tmd9w4/lcpl_files_drm_kindle_and_calibre/ Example 7] ([https://ghostarchive.org/archive/TtP0F archived])&lt;br /&gt;
*[https://www.reddit.com/r/Piracy/comments/1irt6ax/how_do_i_remove_lcp_lcpl_drm/ Example 8] ([https://ghostarchive.org/archive/NxFGP archived])&lt;br /&gt;
*[https://www.reddit.com/r/ereader/comments/1tm5han/current_state_ebooksdrmereader/ Example 9] ([https://ghostarchive.org/archive/MFshl archived])&lt;br /&gt;
}}&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=FTDI&amp;diff=59153</id>
		<title>FTDI</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=FTDI&amp;diff=59153"/>
		<updated>2026-06-27T13:48:34Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: changed dates to iso format&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{CompanyCargo&lt;br /&gt;
|Founded=1992-03-13&lt;br /&gt;
|CompanyAlias=Future Technology Devices International Limited&lt;br /&gt;
|Logo=Logo_of_FTDI.png&lt;br /&gt;
|Industry=Semiconductors&lt;br /&gt;
|Type=Private&lt;br /&gt;
|Website=https://ftdichip.com/&lt;br /&gt;
|Description=FTDI is a Scottish semiconductor company.&lt;br /&gt;
}}&lt;br /&gt;
[[File:FT232R USB UART IC (SSOP).jpg|alt=An FT232R chip|thumb|An FT232R chip]]&lt;br /&gt;
[[wikipedia:FTDI|Future Technology Devices International Limited]] is a Scottish fabless semiconductor company. It has facilities Singapore, Oregon and China in addition to the UK.&amp;lt;ref&amp;gt;{{Cite web |title=Corporate Profile |url=https://ftdichip.com/corporate-profile/ |url-status=live |website=ftdi |archive-url=https://web.archive.org/web/20260621171519/https://ftdichip.com/corporate-profile/?__cf_chl_rt_tk=xx_mHq514bihUr.xCKRLH9bmtwvYu73_hY1atdHbGsQ-1782062119-1.0.1.1-WQOwQlZgtyn1B0PmjBZ6oqeoSu1iN0Jo0I3rCR5t8XA |archive-date=2026-06-21}}&amp;lt;/ref&amp;gt; It specializes in USB and manufactures various integrated circuits ranging from USB host controllers to USB-to-UART converter chips, multipurpose converters with support for FIFO, JTAG, SPI etc. in addition to UART. It also manufactures various cables and adapters, mainly for USB, RS232, UART and RS422.&amp;lt;ref&amp;gt;{{Cite web |title=Products |url=https://ftdichip.com/product-category/products/ |url-status=live |website=ftdi |archive-url=https://web.archive.org/web/20260621174420/https://ftdichip.com/product-category/products/?__cf_chl_rt_tk=Jx8.q6zAQBniNudpDDnV_jub4em4fnCp2__nEfG8Lnk-1782063860-1.0.1.1-OnsX3G.YXR45KXaY7pY6UbubVffzAUjkwKwz.i4f8v4 |archive-date=2026-06-21}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Consumer-impact summary==&lt;br /&gt;
FTDI has employed aggressive measures such as bricking or injecting garbage data (undocumented feature) into users&#039; chips that were determined to be clones or counterfeits by FTDI&#039;s drivers. This led to backlash and [[Microsoft]] removing FTDI&#039;s driver from [[Microsoft Windows]]. Eventually, FTDI backed down.&amp;lt;ref name=&amp;quot;brick&amp;quot;&amp;gt;{{Cite web |date=2014-10-25 |first=James |last=Sanders |title=FTDI uses Microsoft Windows Update to disable devices using counterfeit chips |website=techrepublic |url=https://www.techrepublic.com/article/ftdi-abuses-windows-update-pushing-driver-that-breaks-counterfeit-chips/ |url-status=usurped |archive-url=https://web.archive.org/web/20230307174533/https://www.techrepublic.com/article/ftdi-abuses-windows-update-pushing-driver-that-breaks-counterfeit-chips/ |archive-date=2023-03-07 |access-date=2026-06-21}}&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;inject&amp;quot;&amp;gt;{{Cite web |date=2016-02-01 |first=Brian |last=Benchoff |title=FTDI Drivers Break Fake Chips, Again |url=https://hackaday.com/2016/02/01/ftdi-drivers-break-fake-chips-again/ |url-status=live |website=Hackaday |archive-url=https://web.archive.org/web/20260621180710/https://hackaday.com/2016/02/01/ftdi-drivers-break-fake-chips-again/ |archive-date=2026-06-21}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
&lt;br /&gt;
===Drivers bricking chips (2014)===&lt;br /&gt;
FTDI pushed an automated driver update via Windows Update that targeted the FT232 chipset. The update bricked chips it detected to be counterfeits or clones by setting their PID to 0. Because the chip itself is not something users usually purchase by itself, but rather buy devices which include it, many users were not aware their chip was counterfeit, yet were still affected. The update&#039;s INF file included a disclaimer which mentioned that the driver &amp;quot;MAY IRRETRIEVABLY DAMAGE THAT COMPONENT&amp;quot; referring to non genuine components. However, since it was installed through Windows Update, users were not able to see this file. &lt;br /&gt;
Moreover even standalone chips, are reportedly difficult to tell apart from counterfeits and ensure you&#039;re getting genuine chips.&amp;lt;ref name=&amp;quot;inject&amp;quot;&amp;gt;&amp;lt;/ref&amp;gt; &lt;br /&gt;
This sets a dangerous precedent, because if users start avoiding updates due to mistrust, they may end up vulnerable because of missed security updates.&amp;lt;ref name=&amp;quot;brick&amp;quot;&amp;gt;&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Injecting garbage data (2016)===&lt;br /&gt;
A functionality was added the FTDI driver through Windows Update that injected unwanted garbage data into the device&#039;s serial stream. The stream read &amp;quot;NON GENUINE DEVICE FOUND!” Because this was an undocumented functionality and because it is difficult to tell whether or not a chip is genuine, this may have caused issues in chips in all kinds of devices such as medical and industrial equipment as well as [[Arduino]].&amp;lt;ref name=&amp;quot;inject&amp;quot;&amp;gt;&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Products==&lt;br /&gt;
*FT232&lt;br /&gt;
*TTL-232R&lt;br /&gt;
*FT230X&lt;br /&gt;
*FT234XD&lt;br /&gt;
*FT600/FT601&lt;br /&gt;
*FT800/FT801&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[[Digital rights management]]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{Reflist}}&lt;br /&gt;
&lt;br /&gt;
==External links==&lt;br /&gt;
*[https://www.eevblog.com/forum/reviews/ftdi-driver-kills-fake-ftdi-ft232/msg535270/#msg535270 eevblog] ([https://web.archive.org/web/20260622071446/https://www.eevblog.com/forum/reviews/ftdi-driver-kills-fake-ftdi-ft232/msg535270/#msg535270 archived])&lt;br /&gt;
&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=Adobe_Digital_Editions%27_ebook_DRM&amp;diff=59152</id>
		<title>Adobe Digital Editions&#039; ebook DRM</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=Adobe_Digital_Editions%27_ebook_DRM&amp;diff=59152"/>
		<updated>2026-06-27T13:36:43Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: added a merge request&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{IncidentCargo&lt;br /&gt;
|Company=Adobe&lt;br /&gt;
|StartDate= &lt;br /&gt;
|EndDate= &lt;br /&gt;
|Status=Active &lt;br /&gt;
|ProductLine= &lt;br /&gt;
|Product=Adobe Digital Editions&lt;br /&gt;
|ArticleType=Product&lt;br /&gt;
|Type= Ownership, False Advertising&lt;br /&gt;
|Description= Adobe limits downloads of bought books through their apps despite unlimited downloads advertised&lt;br /&gt;
}}&lt;br /&gt;
{{MergeRequest|Adobe has transferred Digital editions and related ip to Wipro Engineering for management (https://helpx.adobe.com/ie/enterprise/kb/eol-faq-adobe-digital-editions.html). This article has a IncidentCargo, so it&#039;s not even describing a product (technically). The name is also very specific- doesn&#039;t show up in searches easily. The name is also bound to the current vendor ie Adobe. However, the transition to Wipro includes a new platform called Bytebooks and within that ecosystem, the product is called Bytebooks Digital Editions (https://dtsbytebooks.com/products/digital-edition/about). Therefore, I&#039;d ask that this article be merged with [[Digital Editions]] which is now essentially the common name between the two vendors, as well as it has an actual product template, so that it will describe the actual Digital Editions Software. This article addresses DRM, but before I edited it, it was claiming that Digital Editions was the name of the actual DRM. The name is in fact Adobe ADEPT. Perhaps this page this could be a separate page for ADEPT- maybe this? But as of right now, this article is trying to describe multiple things at the same time.|[[Digital Editions]]}}&lt;br /&gt;
{{See also|Adobe}}&lt;br /&gt;
[[File:ADE.png|alt=Screenshot of Adobe Digital Editions&#039; interface as of 2026|thumb|Screenshot of Adobe Digital Editions&#039; interface as of 2026]]&lt;br /&gt;
Modern-day ebook publishers have been utilizing various forms of [[Digital rights management|digital-rights management]] (DRM) to protect the books they sell to make sure that &amp;quot;copyright laws are respected and that authors and publishers are fairly compensated&amp;quot;.&amp;lt;ref name=&amp;quot;:1&amp;quot;&amp;gt;{{Cite web |title=DRM for NOOK Content |url=https://help.barnesandnoble.com/hc/en-us/articles/5445106302107-DRM-for-NOOK-Content |url-status=live |archive-url=http://web.archive.org/web/20251112084413/https://help.barnesandnoble.com/hc/en-us/articles/5445106302107-DRM-for-NOOK-Content |archive-date=12 Nov 2025|access-date=29 Mar 2025 |website=Barnes &amp;amp; Noble}}&amp;lt;/ref&amp;gt; However, the end user who purchases the content legally ends up being restricted in what they are able to do with the ebook once they have purchased it. Adobe&#039;s ebook DRM system is called ADEPT (Adobe Digital Experience Protection Technology). The client users use to read their ebooks is called Adobe Digital Editions.&amp;lt;ref name=&amp;quot;xot&amp;quot;&amp;gt;{{Cite web |title=Analysing ADEPT (Adobe Digital Experience Protection Technology) |date=12 April 2012 |url=https://blog.xot.nl/2012/04/12/analysing-adept-adobe-digital-experience-protection-technology/ |website=blog.xot.nl |archive-url=https://web.archive.org/web/20231004001330/http://blog.xot.nl/2012/04/12/analysing-adept-adobe-digital-experience-protection-technology/ |archive-date=4 Oct 2023}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Background==&lt;br /&gt;
&#039;&#039;&#039;[[Adobe]] eBook Platform&#039;&#039;&#039; is a platform for publishers to leverage when selling ebooks. This includes the following software suite: Adobe InDesign® CC software, Adobe Content Server software, the Adobe Reader® Mobile Software Development Kit (SDK), and Adobe Digital Editions.&amp;lt;ref name=&amp;quot;:0&amp;quot;&amp;gt;{{cite web|url=https://www.adobe.com/content/dam/cc/us/en/solutions/ebook/adobe_ebook_platform_whitepaper.pdf |title=Adobe® eBook Platform: Authoring and delivering eBooks across devices |website=Adobe |year=2014 |access-date=6 Feb 2026 |archive-url=https://web.archive.org/web/20260206103948/https://www.adobe.com/content/dam/cc/us/en/solutions/ebook/adobe_ebook_platform_whitepaper.pdf |archive-date=6 Feb 2026}}&amp;lt;/ref&amp;gt; A summary of the software is outlined below at a high level (mostly extracted from the Adobe white paper on the platform):&lt;br /&gt;
&lt;br /&gt;
*Adobe Content Server - &amp;quot;Adobe Content Server allows publishers, retailers, distributors, and libraries to host and manage eBook distribution. This server software encrypts PDF and EPUB eBook files and allows publishers and retailers to manage the rights on the eBook files they distribute.&amp;lt;ref name=&amp;quot;:0&amp;quot; /&amp;gt;&amp;quot;&lt;br /&gt;
*Adobe Reader Mobile SDK - The SDK &amp;quot; allows e-reader device manufacturers and eBook application developers to support EPUB and PDF files protected by Content Server in their products. It enables tethered and over-the-air downloads so that consumers can order eBooks directly through their devices or “side-load” them by copying files from their desktops to their mobile devices&amp;quot;.&amp;lt;ref name=&amp;quot;:0&amp;quot; /&amp;gt;&lt;br /&gt;
*Adobe InDesign - InDesign allows the publishers to export EPUB and EPUB3 files from print layouts. This also allows publishers to export ebooks to hardware such as the &amp;quot;Sony Reader, the Barnes &amp;amp; Noble nook, and smartphones, as well as personal computers using Microsoft® Windows® or Mac OS&amp;quot;.&amp;lt;ref name=&amp;quot;:0&amp;quot; /&amp;gt;&lt;br /&gt;
*Adobe Digital Editions (ADE) - &amp;quot;Adobe Digital Editions is a free, lightweight desktop reading application for PC and Mac that allows eBook consumers to easily download and organize their eBooks easily. Consumers can read their eBooks online and offline, transfer copy-protected eBooks from their personal computers to other devices, organize eBooks into a custom library, and annotate page&amp;quot;.&amp;lt;ref name=&amp;quot;:0&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
*Adobe ADEPT - The DRM technology used to protect ebooks.&amp;lt;ref name=&amp;quot;xot&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
*ACSM File - A type of file which contains information about a publication. ACSM stands for Adobe Content Server Message. These files do not contain publications themselves, but are used by Adobe Digital Editions (ADE) when contacting Adobe Content Server and to identify the download directory. ADE verifies user ID authorization. If successful, the user can then download the publication.&amp;lt;ref&amp;gt;{{Cite web |first=Julia |last=Hertler |date=13 Sep 2019 |title=Opening and converting ACSM files |url=https://www.ionos.com/digitalguide/online-marketing/online-sales/converting-acsm-files/ |url-status=live |website=ionos.com |archive-url=https://web.archive.org/web/20260524102431/https://www.ionos.com/digitalguide/online-marketing/online-sales/converting-acsm-files/ |archive-date=24 May 2026 |access-date=23 Jun 2026}}&amp;lt;/ref&amp;gt; &lt;br /&gt;
&lt;br /&gt;
All these solutions come together to give publishers control over their ebook content. The main product discussed on this page is Adobe Digital Editions (ADE). ADE allows for the following benefits:&amp;lt;ref&amp;gt;{{Cite web |title=Optimize your reading experience with the best eBook reader across formats. |url=https://www.adobe.com/solutions/ebook/digital-editions.html |url-status=live |archive-url=http://web.archive.org/web/20260118163309/https://www.adobe.com/solutions/ebook/digital-editions.html |archive-date=18 Jan 2026|access-date=29 Mar 2025 |website=[[Adobe]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
*Download and transfer of books between devices&lt;br /&gt;
*EPUB3 support&lt;br /&gt;
*Keyword search across ebooks&lt;br /&gt;
*Voiceover accessibility&lt;br /&gt;
*Multi-language support&lt;br /&gt;
*Bookmarking, highlighting, and note support&lt;br /&gt;
*Support for borrowing ebooks from libraries&lt;br /&gt;
*ebook printing (publishers decide whether they opt-in for allowing printing or not)&lt;br /&gt;
*EPUB, EPUB3 and PDF support&lt;br /&gt;
&lt;br /&gt;
ADE also has system requirements, as it is an application running on your system:&amp;lt;ref&amp;gt;{{Cite web |title=System requirements |url=https://www.adobe.com/solutions/ebook/digital-editions/tech-specs.html |url-status=live |archive-url=http://web.archive.org/web/20251016100218/https://www.adobe.com/solutions/ebook/digital-editions/tech-specs.html |archive-date=16 Oct 2025|access-date=29 Mar 2025 |website=[[Adobe]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[Microsoft Windows | Windows]]:&lt;br /&gt;
&lt;br /&gt;
*Intel® Pentium® 4 processor or later&lt;br /&gt;
*Windows® 7 (32 or 64 bit running in 32-bit mode) or later&lt;br /&gt;
*512MB of RAM (1GB recommended)&lt;br /&gt;
*40MB of available hard-disk space&lt;br /&gt;
&lt;br /&gt;
[[MacOS | Mac OS]]:&lt;br /&gt;
&lt;br /&gt;
*Intel Core™ Duo or faster processor&lt;br /&gt;
*Mac OS X v10.8 or later&lt;br /&gt;
*Compatible with Apple Retina Display&lt;br /&gt;
*512MB of RAM (1GB recommended)&lt;br /&gt;
*75MB of available hard-disk space&lt;br /&gt;
&lt;br /&gt;
[[IOS | iOS]]:&lt;br /&gt;
&lt;br /&gt;
*Minimum requirement 9.0 or later.&lt;br /&gt;
*Compatible with iPhone and iPad.&lt;br /&gt;
&lt;br /&gt;
[[Android | Android]]:&lt;br /&gt;
&lt;br /&gt;
*Minimum requirement 4.4 or later.&lt;br /&gt;
*Compatible with the Mobile and Tablet.&lt;br /&gt;
&lt;br /&gt;
===Short Description of Adobe ADEPT===&lt;br /&gt;
It works by encrypting books with book keys and allowing access to authorized accounts and devices through Adobe Digital Editions. User keys are generated for users and sent to Adobe. Book keys are encrypted with user keys and sent back. The result is a license which is stored locally alongside the encrypted book that the license is for. This way, users can access content without needing an internet connection. When Digital Edition attempts to obtain a license for an ebook it sends a fulfillment token to the distributor, which forwards it to Adobe. Because the token is unencrypted at this stage, and because it includes the user id and information about which book is being requested, Adobe can see exactly who is requesting what.&amp;lt;ref name=&amp;quot;xot&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Adobe Digital Edition&#039;s Consumer Effects==&lt;br /&gt;
With the release of the platform and specifically the Adobe Digital Edition application, consumers have been restricted on what they are allowed to do with ebooks that they have purchased. Although unlimited downloads are mentioned by publishers and ebook sites, those are tied to an account.&amp;lt;ref name=&amp;quot;:1&amp;quot; /&amp;gt; This means that if access to an account is lost, then the access to those ebooks is lost as well. eBooks.com is one of the various e-bookstores that sells both non-DRM and DRM books leveraging ADE. When purchasing an ebook from them, you get a .acsm file. This format only works with the Adobe Digital Editions application. The user needs to create an Adobe account (after already creating an ebooks.com account) in order to add the book to their account. ADE (pertaining to purchases from ebooks.com) allows for authorization of up to 10 devices with a single Adobe ID, but only one computer.&amp;lt;ref name=&amp;quot;:2&amp;quot;&amp;gt;{{Cite web |last=Turvey |first=Alex |title=What is DRM? (DRM FAQs) |url=https://support.ebooks.com/hc/en-gb/articles/360000726656-What-is-DRM-DRM-FAQs |url-status=live |archive-url=http://web.archive.org/web/20251119124351/https://support.ebooks.com/hc/en-gb/articles/360000726656-What-is-DRM-DRM-FAQs |archive-date=19 Nov 2025|access-date=29 Mar 2025 |website=eBooks.com}}&amp;lt;/ref&amp;gt; The end user would not be able to read a book on a home computer and then later on a laptop simultaneously due to this limitation. Barnes and Noble uses ADE as well for their ebooks, with their limitations being a bit different in comparison to ebooks.com&#039;s. They have 4 versions of DRM types they leverage for the books sold on their site:&amp;lt;ref name=&amp;quot;:1&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
#Consumer DRM (eBook)&lt;br /&gt;
##Unlimited downloads&lt;br /&gt;
##Up to six (6) devices/computers&lt;br /&gt;
##No copying and printing&lt;br /&gt;
#Business DRM (eBook)&lt;br /&gt;
##One (1) download&lt;br /&gt;
##Up to one (1) device/computer&lt;br /&gt;
##No copying and printing&lt;br /&gt;
#Education DRM (eTextbook)&lt;br /&gt;
##Two (2) downloads&lt;br /&gt;
##Up to two (2) devices/computers&lt;br /&gt;
##Limited copying and printing&lt;br /&gt;
#Hard DRM&lt;br /&gt;
##Six (6) downloads&lt;br /&gt;
##Up to six (6) devices/computers&lt;br /&gt;
##Used for Case Studies made available by professors and specific courses&lt;br /&gt;
&lt;br /&gt;
In both cases, the user is limited to only a certain number of devices and has to constantly authorize and un-authorize readers in order to be in compliance. This leads to a lack of autonomy for the user who has purchased the book. In addition, with the Barnes and Noble &amp;quot;Consumer DRM&amp;quot; section, a user is not able to print the ebook they have purchased either. Going back to the ebooks.com example, ebooks.com has a bit more control on the consumer stating that due to DRM: &amp;quot;the amount of printing or copying and pasting you can do may be restricted, or prevented entirely. It will also determine whether the read aloud functionality is enabled for the ebook or not&amp;quot;.&amp;lt;ref name=&amp;quot;:2&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
With ADE, a consumer will always need to download the application to access books that they have purchased. This is under the assumption that the user is able to have the technical know-how to do all the ADE overhead in order to finally read the book they have purchased. In addition, individuals who do not have access to the most modern technology, thus not being able to download ADE on their system, are also then prevented from reading ebooks they have purchased.&lt;br /&gt;
&lt;br /&gt;
If a user were to be able to remove DRM from a ebook purchased from an e-bookstore leveraging ADE, they would then be breaching the compliance with an end-user license agreement or a customer license. On ebook.com&#039;s customer license page, they mention the following: &amp;quot;You promise to keep any eBook in the form in which it was supplied to you. We may include other information (including information identifying the author, the copyright owner, or the terms upon which the eBook is supplied) to any eBook supplied to you. You promise not to circumvent any measures that we have taken to protect the rights in the eBook that we have supplied, including removing this information or otherwise facilitating an infringement of copyright&amp;quot;.&amp;lt;ref&amp;gt;{{Cite web |title=Customer License |url=https://www.ebooks.com/en-us/information/customerlicense/ |url-status=live |archive-url=http://web.archive.org/web/20250612001054/https://www.ebooks.com/en-us/information/customerlicense/ |archive-date=12 Jun 2025|access-date=29 Mar 2025 |website=eBooks.com}}&amp;lt;/ref&amp;gt; Although no lawsuits have been found being documented (as of writing this article), the door for this kind of consumer abuse is still present.&lt;br /&gt;
&lt;br /&gt;
In 2014, the Electronic Frontier Foundation had published an article regarding how Adobe Digital Edition was tracking its end users by logging what the end-user reads and what happens to those files.&amp;lt;ref&amp;gt;{{Cite web |last=McSherry |first=Corynne |date=7 Oct 2014 |title=Adobe Spyware Reveals (Again) the Price of DRM: Your Privacy and Security |url=https://www.eff.org/deeplinks/2014/10/adobe-spyware-reveals-again-price-drm-your-privacy-and-security |url-status=live |archive-url=http://web.archive.org/web/20260222203055/https://www.eff.org/deeplinks/2014/10/adobe-spyware-reveals-again-price-drm-your-privacy-and-security |archive-date=22 Feb 2026|access-date=29 Mar 2025 |website=EFF}}&amp;lt;/ref&amp;gt; This data was also being sent in plain-text undermining the privacy of the users.&lt;br /&gt;
&lt;br /&gt;
==Consumer response==&lt;br /&gt;
On Reddit, consumers are constantly inquiring about steps to remove the Adobe DRM, as it is obstructing the end-users method of being able to comfortably read the ebooks they have purchased.&amp;lt;ref&amp;gt;{{Cite web |title=Adobe Digital Editions &amp;amp; DRM |url=https://www.reddit.com/r/DataHoarder/comments/xvct89/adobe_digital_editions_drm/ |url-status=live |archive-url=http://web.archive.org/web/20221005145404/https://old.reddit.com/r/DataHoarder/comments/xvct89/adobe_digital_editions_drm/ |archive-date=5 Oct 2022|access-date=29 Mar 2025 |website=[[Reddit]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Adobe Ebook DRM Removal==&lt;br /&gt;
In the Abbey House Media v. Apple Inc ruling on an ebookstore notifying users of how to remove ebook DRM, a judge has ruled that telling users to remove DRM from books they have legally purchased is &amp;quot;not contributory copyright infringement&amp;quot;.&amp;lt;ref&amp;gt;{{Cite web |date=21 Nov 2014 |title=Abbey House Media v. Apple Inc |url=https://www.eff.org/document/abbey-house-media-v-apple-inc |url-status=live |archive-url=http://web.archive.org/web/20251010154102/https://www.eff.org/document/abbey-house-media-v-apple-inc |archive-date=10 Oct 2025|access-date=29 Mar 2025 |website=EFF}}&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;:3&amp;quot;&amp;gt;{{Cite web |last=Higgins |first=Parker |date=10 Dec 2014 |title=Pointing Users to DRM-Stripping Software Isn&#039;t Copyright Infringement, Judge Rules |url=https://www.eff.org/deeplinks/2014/12/pointing-users-drm-stripping-software-isnt-copyright-infringement-judge-rules?language=en |url-status=live |archive-url=http://web.archive.org/web/20250708194122/https://www.eff.org/deeplinks/2014/12/pointing-users-drm-stripping-software-isnt-copyright-infringement-judge-rules?language=en |archive-date=8 Jul 2025|access-date=29 Mar 2025 |website=EFF}}&amp;lt;/ref&amp;gt; The summary of this case being that the removal of DRM protection on books in non-infringing cases of the Digital Millennium Copyright Act (DMCA) does not necessarily lead to the piracy of digital books.&amp;lt;ref name=&amp;quot;:3&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
An online persona known as ApprenticeAlf, has also gone ahead to create a tool to remove DRM as well from multiple forms of ebook DRM, not only Adobe&#039;s.&amp;lt;ref&amp;gt;{{Cite web |last= |first= |date=10 Sep 2012 |title=DRM Removal Tools for eBooks |url=https://apprenticealf.wordpress.com/2012/09/10/drm-removal-tools-for-ebooks/ |url-status=live |archive-url=http://web.archive.org/web/20260222203220/https://apprenticealf.wordpress.com/2012/09/10/drm-removal-tools-for-ebooks/ |archive-date=22 Feb 2026|access-date=29 Mar 2025 |website=Apprentice Alf&#039;s Blog}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The tool linked on Apprentice Alf&#039;s blog is DeDRM_tools which can be used with [[wikipedia:Calibre (software) |Calibre]] as well as with its DeACSM extension. DeDRM_tools&#039; [[wikipedia:GitHub |GitHub]] repository has 15.2k stars as of June 2026 and belongs to a user called apprenticeharper (Apprentice Harper). According to the repository&#039;s [[wikipedia:README |README]] however, the tool is no longer maintained.&amp;lt;ref&amp;gt;{{Cite web |author=apprenticeharper |title=DeDRM_tools |website=github.com |url=https://github.com/apprenticeharper/DeDRM_tools |url-status=live |archive-url=https://web.archive.org/web/20260616095441/https://github.com/apprenticeharper/DeDRM_tools |archive-date=16 Jun 2026 |access-date=23 Jun 2026}}&amp;lt;/ref&amp;gt;An eponymous fork of DeDRM_tools also exists. It belongs to a user called noDRM and is intended to be a continuation of the original. However there has been no new stable release since 13 Jul 2022.&amp;lt;ref&amp;gt;{{Cite web |author=noDRM |title=DeDRM_tools |website=github.com |url=https://github.com/noDRM/DeDRM_tools |url-status=live |archive-url=https://web.archive.org/web/20260623063527/https://github.com/noDRM/DeDRM_tools/ |archive-date=23 Jun 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Transition to Bytebooks==&lt;br /&gt;
Ongoing support and development of Adobe eBook Platform Components were transferred by Adobe to [[wikipedia:Wipro|Wipro]] Engineering as of July 2025. As of 2026, the transition will also affect users more directly, since access is to be provided through [https://dtsbytebooks.com/ Bytebooks] (by Wipro). Bytebooks will ensure continued access to users&#039; existing ebook libraries. Users can continue using Adobe Digital Edition apps and will only be asked to create a Bytebooks ID whenever a sign-in will be required (like on a new device).&amp;lt;ref&amp;gt;{{Cite web |title=Transition of Adobe eBook platform to Wipro Engineering- FAQs |date=11 May 2026 |url=https://helpx.adobe.com/enterprise/kb/eol-faq-adobe-digital-editions.html |website=helpx.adobe.com |url-status=live |archive-url=https://web.archive.org/web/20260622181311/https://helpx.adobe.com/enterprise/kb/eol-faq-adobe-digital-editions.html |archive-date=22 Jun 2026}}&amp;lt;/ref&amp;gt; The change is to take effect by June 23rd 2026.&amp;lt;ref&amp;gt;{{Cite web |title=ADE Sign-in Updates for Adobe ID Users |date=April 2026 |url=https://dtsbytebooks.com/pub/bytebooks-account-creation-help.pdf |url-status=live |website=dtsbytebooks.com |archive-url=http://web.archive.org/web/20260622180843/https://dtsbytebooks.com/pub/bytebooks-account-creation-help.pdf |archive-date=22 Jun 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==External Links==&lt;br /&gt;
===DeDRM Extensions===&lt;br /&gt;
*[https://github.com/apprenticeharper/DeDRM_tools apprenticeharper DeDRM]&lt;br /&gt;
*[https://github.com/noDRM/DeDRM_tools noDRM DeDRM]&lt;br /&gt;
===Help with Transition to Bytebooks===&lt;br /&gt;
*[https://dtsbytebooks.com/transition-help Bytebooks]&lt;br /&gt;
*[https://helpx.adobe.com/enterprise/kb/eol-faq-adobe-digital-editions.html Adobe]&lt;br /&gt;
*[https://support.ebooks.com/hc/en-gb/articles/16119178985359-Adobe-Digital-Editions-sign-in-is-changing-what-eBooks-com-customers-need-to-know ebooks.com]&lt;br /&gt;
*[https://dtsbytebooks.com/pub/bytebooks-account-creation-help.pdf Bytebooks PDF]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
[[Category:Digital rights management]]&lt;br /&gt;
[[Category:Adobe]]&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=Category:CS1_dansk-language_sources_(da)&amp;diff=59150</id>
		<title>Category:CS1 dansk-language sources (da)</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=Category:CS1_dansk-language_sources_(da)&amp;diff=59150"/>
		<updated>2026-06-27T12:56:44Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: added __HIDDENCAT__&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;__HIDDENCAT__&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=Category:CS1_dansk-language_sources_(da)&amp;diff=59149</id>
		<title>Category:CS1 dansk-language sources (da)</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=Category:CS1_dansk-language_sources_(da)&amp;diff=59149"/>
		<updated>2026-06-27T12:55:29Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: Created page with &amp;quot;This is the CS1 dansk-language sources (da) category.  Category:Hidden categories&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;This is the CS1 dansk-language sources (da) category.&lt;br /&gt;
&lt;br /&gt;
[[Category:Hidden categories]]&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=EDRLab&amp;diff=59148</id>
		<title>EDRLab</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=EDRLab&amp;diff=59148"/>
		<updated>2026-06-27T12:54:36Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: /* User not clearly presented with terms */ added &amp;quot;|language=da&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{CompanyCargo&lt;br /&gt;
|Founded=2015-07-17&lt;br /&gt;
|Industry=Software&lt;br /&gt;
|Logo=Edrlab.png&lt;br /&gt;
|Type=Non-profit&lt;br /&gt;
|CompanyAlias=European Digital Reading Lab&lt;br /&gt;
|Website=https://www.edrlab.org, https://www.thoriumreader.com&lt;br /&gt;
}}&lt;br /&gt;
EDRLab is a &amp;quot;non-profit development laboratory working on the deployment of an open, interoperable and accessible digital publishing ecosystem worldwide.&amp;quot; It has over 100 members, but some of its founding members are: [[wikipedia:Editis|Editis]], [[wikipedia:Hachette Livre|Hachette]], [[wikipedia:Centre national du livre|Centre National du livre]], [[wikipedia:Groupe Madrigall|Groupe Madrigall]] and the French State. EDRLab is a member of [[wikipedia:World Wide Web Consortium|W3C]] and [[Readium|Readium Foundation]]. It is one of the main contributors to Readium toolkits and the manager of Readium LCP [[Digital rights management|DRM]]. They are also the creators of Thorium Reader, an EPUB reading application.&amp;lt;ref&amp;gt;{{Cite web |title=About |url=https://www.edrlab.org/about/ |url-status=live |website=edrlab.org |archive-url=https://web.archive.org/web/20260502070949/https://www.edrlab.org/about/ |archive-date=2 May 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=EDRLab members directory |url=https://members.edrlab.org |url-status=live |archive-url=https://web.archive.org/web/20260303083006/https://members.edrlab.org/ |archive-date=3 Mar 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |language=fr |title=SITUATION AU REPERTOIRE SIRENE |date=24 Jun 2026 |url=https://api-avis-situation-sirene.insee.fr/identification/pdf/81344547500029 |url-status=live |website=insee.fr |archive-url=https://web.archive.org/web/20260624170714/https://api-avis-situation-sirene.insee.fr/identification/pdf/81344547500029 |archive-date=24 Jun 2026}}&amp;lt;/ref&amp;gt; They also focus on accessibility in order to increase the number of books available to people with disabilities.&amp;lt;ref&amp;gt;{{Cite web |title=Accessibility |url=https://www.edrlab.org/accessibility/ |url-status=live |website=edrlab.org |archive-url=https://ghostarchive.org/archive/EMoqh |archive-date=25 Jun 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
==Consumer-impact summary==&lt;br /&gt;
EDRLab is one of the main contributors to [[Readium]] LCP DRM. Their EPUB reader application, Thorium Reader, which uses &amp;lt;abbr title=&amp;quot;Licensed Content Protection&amp;quot;&amp;gt;LCP&amp;lt;/abbr&amp;gt;, claims to be private, yet it has &amp;quot;non-personal&amp;quot; data collection that the user cannot opt out of. It also contacts EDRLab&#039;s servers every time the application is started. &lt;br /&gt;
&lt;br /&gt;
This is not apparent, since Thorium&#039;s installer doesn&#039;t inform the user of this, there are no &amp;quot;agree/disagree&amp;quot; options and Thorium&#039;s interface does not directly link to either the [[Terms of service]] (ToS) or the Privacy policy (see: [[EDRLab#User not clearly presented with terms|User not clearly presented with terms]]. Users also wouldn&#039;t be notified if the Privacy policy were to change, since that would require them to manually check the Privacy policy page for updates. &lt;br /&gt;
&lt;br /&gt;
The Terms of service also mentions that the user agrees to &amp;quot;indemnify and hold harmless the EDRLab Parties&amp;quot; even for &amp;quot;alleged&amp;quot; breaches by the user of the ToS. It is also stated that &amp;quot;EDRLab Parties have the right to monitor the use of the Application.&amp;quot; The 2026 ToS also contains a [[Forced arbitration]] clause (see: [[EDRLab#Forced arbitration (8 Apr 2026 ToS version)|Forced arbitration (8 Apr 2026 ToS version)]]).&lt;br /&gt;
&lt;br /&gt;
The application is also deceptively marketed as open source as it is stated in the privacy policy that it is in fact not entirely open source, but rather has a &amp;quot;small software library used as core for the Readium LCP DRM, which does not store or send any data.&amp;quot; This requires users to trust the company on their word, since users cannot inspect the application, as they may not &amp;quot;rent, sell, modify, decompile, disassemble, reverse engineer or transfer the Application in whole or in part&amp;quot;, according to the Terms of service. Furthermore, this connects directly to the 2nd paragraph. The Terms of service as well as the Privacy policy are discussed in more detail in the &amp;quot;Incidents&amp;quot; section (see: [[EDRLab#Thorium Reader privacy policy and terms of use|Thorium Reader privacy policy and terms of use]]).&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
===Thorium Reader privacy policy and terms of use===&lt;br /&gt;
====Privacy policy (22 Nov 2022 version)====&lt;br /&gt;
Despite Thorium&#039;s homepage stating that:&amp;lt;blockquote&amp;gt;This application is free, with no ads and no private data leaks.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;thorium-home&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://www.edrlab.org/software/thorium-reader/ |url-status=live |website=edrlab.org |archive-url=https://web.archive.org/web/20260619033750/https://www.edrlab.org/software/thorium-reader/ |archive-date=19 Jun 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt;There is data collection, but it is stated that it is &amp;quot;non-personal.&amp;quot; The application calling itself private might give some users the wrong impression, if they take that to mean &amp;quot;no phoning home.&amp;quot; The reader sends this &amp;quot;non-personal&amp;quot; data to EDRLab&#039;s servers. &lt;br /&gt;
&lt;br /&gt;
It is impossible to opt out of &amp;quot;notifications&amp;quot; that are sent to a server every time the application is started. They state that this information &amp;lt;blockquote&amp;gt;is for analytics only and not accessed by any third party. It is used to get information about the evolution of the number of installs of the application per operating system, the evolution of usage sessions and the main locales in use.&amp;lt;/blockquote&amp;gt;And:&amp;lt;blockquote&amp;gt;Parameters of such notification are:&lt;br /&gt;
&lt;br /&gt;
*a timestamp,&lt;br /&gt;
*the version of Thorium Reader,&lt;br /&gt;
*the operating system of the device and its version,&lt;br /&gt;
*the locale of the application at the time it is started,&lt;br /&gt;
*if this is the first start of Thorium Reader after a fresh install.&lt;br /&gt;
&lt;br /&gt;
The IP address of the device is not stored along with the above information.&lt;br /&gt;
&lt;br /&gt;
It is not possible to opt-out from this notification.&amp;lt;/blockquote&amp;gt;Also:&amp;lt;blockquote&amp;gt;a notification is sent to an LCP Server each time a protected publication is open. This is required by the LCP specification for checking if the license of use of the publication has been updated. There is not centralized LCP Server, each server is operated by the distributor of the protected publication acquired by the user.&lt;br /&gt;
&lt;br /&gt;
Parameters of such notification are:&lt;br /&gt;
&lt;br /&gt;
*a device identifier, automatically generated at the install of the application.&lt;br /&gt;
*a device name, automatically generated at the install of the application.&lt;br /&gt;
&lt;br /&gt;
The codebase of Thorium Reader is open-sourced and can therefore be fully inspected, with the exception of a small software library used as core for the Readium LCP DRM, which does not store or send any data.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
The terms of privacy policy can also evidently be changed without users being notified in their actual reading application, but rather: &amp;lt;blockquote&amp;gt;We may change the Privacy Policy from time to time. We will notify you by posting the revised Privacy Policy on this page and the date on which the last changes were made will be noted at the top of the page.&amp;lt;/blockquote&amp;gt;So users would have to periodically check this site to know whether any terms have changed.&lt;br /&gt;
&lt;br /&gt;
====Terms of service (22 Nov 2022 version)====&lt;br /&gt;
Moving on to the Terms of service, there are several interesting things. First:&amp;lt;blockquote&amp;gt;You hereby agree to indemnify and hold harmless the EDRLab Parties from and against any and all claims, actions or proceedings of any nature whatsoever and all damages, judgments, losses, liabilities, costs and expenses, including reasonable attorneys’ fees and expenses (including those incurred to enforce this provision), arising out of your use of the Application, the Content, any actual or alleged breach by you of these Terms of Use, or any violation by you of any applicable law or the rights of any other person or entity.&amp;lt;/blockquote&amp;gt;Especially:&amp;lt;blockquote&amp;gt;any actual or alleged breach by you of these Terms of Use&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
As per this, one is agreeing to &amp;quot;indemnify and hold harmless the EDRLab Parties&amp;quot; even for alleged breaches of the terms of service.&lt;br /&gt;
&lt;br /&gt;
In one of the quotes above, it is mentioned that due to Thorium&#039;s open source nature, one can inspect its source code apart from a &amp;quot;small software library used as core for the Readium LCP DRM, which does not store or send any data&amp;quot; Which, one cannot verify that part, since:&amp;lt;blockquote&amp;gt;In addition, you may not rent, sell, modify, decompile, disassemble, reverse engineer or transfer the Application in whole or in part. You may not use any device, software or routine to interfere with or attempt to interfere with the proper functioning of the Application in whole or in part.&amp;lt;/blockquote&amp;gt;So it would appear that it is up to individual users to decide if not being able to verify that part is acceptable to them. Finally, there is also this:&amp;lt;blockquote&amp;gt; However, you acknowledge that the EDRLab Parties have the right to monitor the use of the Application, at its sole discretion, and to disclose any information necessary to comply with any law, regulation or government request, in order to be able to operate the Application adequately or in order to protect itself or its users under the “Privacy Policy”&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;tos&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader – Terms of Use |date=22 Nov 2022 |url=https://www.edrlab.org/software/thorium-reader/terms-of-use/ |website=edrlab.org |url-status=live |archive-url=https://web.archive.org/web/20260617083801/https://www.edrlab.org/software/thorium-reader/terms-of-use/ |archive-date=17 Jun 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;privacy-policy&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader – Privacy Policy |date=22 Nov 2022 |url=https://www.edrlab.org/software/thorium-reader/privacy-policy/ |website=edrlab.org |archive-url=https://web.archive.org/web/20260617083801/https://www.edrlab.org/software/thorium-reader/privacy-policy/ |url-status=live |archive-date=17 Jun 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt; The above summarizes and discusses Thorium&#039;s Privacy policy and Terms of service. Readers are encouraged to consult both the Privacy policy and the Terms of service for themselves and form their own conclusions.&lt;br /&gt;
=====Forced arbitration (8 Apr 2026 ToS version)=====&lt;br /&gt;
In the updated Terms of service (see [[EDRLab#External links|External links]]), from 8 Apr 2026, there is a Forced arbitration clause.&amp;lt;blockquote&amp;gt;To the fullest extent permitted by applicable law, any dispute, claim or controversy between you and EDRLab that relates in any way to or arises from your use of the Application or these Terms of Use (a “Dispute”) shall be resolved on an individual basis and, except as provided below, exclusively through binding arbitration. A Dispute will be submitted to arbitration, whether it is based on contract, statute, regulation, court order, tort or any other legal or equitable theory. You understand that in arbitration, there is no judge or jury and that judicial review of an arbitral award is limited. Unless otherwise required by mandatory law, the arbitration shall be administered by a recognised arbitration institution (for example, the ICC in Paris, or, for consumers in the United States, the American Arbitration Association) under its applicable rules for consumer or commercial disputes, as modified by this clause. The arbitration shall be conducted by a single arbitrator, in French or English, and, unless the arbitrator decides that an in‑person hearing is necessary, may be held by videoconference. The arbitrator shall apply the applicable governing law set out below and may award any remedies available at law or in equity. The arbitrator’s award shall be final and binding and may be entered in any court of competent jurisdiction.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
And:&amp;lt;blockquote&amp;gt;You agree that any arbitration or court proceeding will be conducted only on an individual basis, not as a class, collective, or representative action. To the fullest extent permitted by applicable law, you and EDRLab each waive any right to a jury trial in any court proceedings. Notwithstanding the foregoing, either you or EDRLab may: (a) bring an individual action in a court of competent jurisdiction for claims that fall within the jurisdiction of a small‑claims or equivalent court, or (b) seek provisional or injunctive relief in a court of competent jurisdiction to protect intellectual property rights or prevent unauthorised access to or use of the Application. You and we agree to submit to the exclusive jurisdiction of Paris, France. Unless prohibited by applicable law, and without regard to its conflict of laws principles, you and we agree that any Dispute between you and us will be governed by and construed in accordance with the laws of France. ​In all cases, nothing in these Terms of Use is intended to waive any sovereign immunity, governmental immunity or other mandatory legal protection that cannot be contractually waived under applicable law.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
You also agree to first contact EDRLab before initiating any proceedings:&amp;lt;blockquote&amp;gt;If you have any concern or dispute regarding the Application or these Terms of Use, you agree first to contact EDRLab at contact@edrlab.org and to make a good‑faith effort to resolve the dispute informally for at least thirty (30) days before initiating arbitration or court proceedings.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;tos2&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===User not clearly presented with terms===&lt;br /&gt;
During the installation process, the user is not clearly presented with the Terms of use or the Privacy policy. There is no option to agree or disagree to the terms and the privacy policy, nor are they directly linked in the app (see: [[EDRLab#Installation|Installation]] and [[EDRLab#Post-installation|Post-installation]]). While it is not possible to opt out, the user doesn&#039;t know that during installation, unless they&#039;d scrolled on Thorium&#039;s webpage to find the Terms of use and the Privacy policy, or unless they&#039;d found them wherever they&#039;re installing the app from (e.g. [[Microsoft|Microsoft]] Store). See [[EDRLab#External links|External links]] for installation videos of Thorium.&amp;lt;ref name=&amp;quot;install-thorium-win&amp;quot;&amp;gt;{{Cite web |date=24 Feb 2026 |title=installer_thorium_pc |author=Stine Kjær Kappel |language=da |url=https://edumedia.dk/media/t/0_dadiw6fi/480184 |url-status=live |website=edumedia.dk |archive-url=https://ghostarchive.org/archive/3IlBv |archive-date=25 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;install-thorium-mac&amp;quot;&amp;gt;{{Cite web |date=24 Feb 2026 |title=installer_thorium_mac |author=Stine Kjær Kappel |language=da |url=https://edumedia.dk/media/t/0_1j7nppt4 |url-status=live |website=edumedia.dk |archive-url=https://ghostarchive.org/archive/ILix8 |archive-date=25 Jun 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
====Installation====&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:Thorium-website.webp|alt=Installation step: 1 (installation page)|right|Installation step: 1 (installation page)&lt;br /&gt;
File:F1.webp|alt=Installation step: 1 (alternative on Windows: Microsoft Store)|right|Installation step: 1 (alternative on Windows: Microsoft Store)&lt;br /&gt;
File:F2.webp|alt=Installation step: 2 (Thorium being installed)|right|Installation step: 2 (Thorium being installed)&lt;br /&gt;
File:F3.webp|alt=Installation step: 3 (Thorium&#039;s welcome page upon first launch)|right|Installation step: 3 (Thorium&#039;s welcome page upon first launch)&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
No direct presentation of the Terms of use or the Privacy policy during installation (example on Windows).&lt;br /&gt;
=====Step 0=====&lt;br /&gt;
The Terms of use and the Privacy policy can be located on the homepage by scrolling down to the &amp;quot;Terms of Use, Privacy Policy&amp;quot; section.&amp;lt;ref name=&amp;quot;thorium-home&amp;quot; /&amp;gt;&lt;br /&gt;
=====Step 1=====&lt;br /&gt;
On the installation page (step 1), the user would have to click on &amp;quot;Support&amp;quot; on the top right (or &amp;quot;Minimum system requirement&amp;quot; in the center-left) and then locate the &amp;quot;About Thorium Reader&amp;quot; section on the bottom left. This is not the same page as the &amp;quot;About&amp;quot; located next to &amp;quot;Support.&amp;quot;&amp;lt;ref name=&amp;quot;homepage&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://thorium.edrlab.org/en/ |url-status=live |website=thorium.edrlab.org |archive-url=https://ghostarchive.org/archive/BI26o |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Thorium 3 support |url=https://thorium.edrlab.org/en/th3/ |url-status=live |website=thorium.edrlab.org |archive-url=https://ghostarchive.org/archive/eHOlo |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
======Microsoft Store======&lt;br /&gt;
On the Microsoft Store (alternative step 1 for Windows), the &amp;quot;Additional information&amp;quot; section contains links to the Privacy policy and the &amp;quot;Terms of transaction.&amp;quot; The former leads to EDRLab&#039;s &amp;quot;Legal Information&amp;quot; page, not the actual privacy policy on the site that the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; opens (it is also in French, even with the computer&#039;s language set to English)&amp;lt;ref&amp;gt;{{Cite web |title=Legal Information |url=https://www.edrlab.org/legal-information/ |url-status=live |website=edrlab.org |language=fr |archive-url=https://ghostarchive.org/archive/NvQtI |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
The latter link leads to a &amp;quot;Microsoft Store Terms of Sale&amp;quot; (not the same thing as the app&#039;s Terms of use). There is also a website link, but it opens a different website&amp;lt;ref name=&amp;quot;altsite&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://www.thoriumreader.com/en/ |url-status=live |website=thoriumreader.com |archive-url=https://ghostarchive.org/archive/ZjTqS |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt; than the one Thorium Reader opens when clicking &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; (see [[EDRLab#External links|External links]]).&amp;lt;ref&amp;gt;{{Cite web |title=Thorium Reader |url=https://apps.microsoft.com/detail/9nfzp1g7m2sc?hl=en-US |website=apps.microsoft.com |url-status=live |archive-url=https://ghostarchive.org/archive/ukmly |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt; That site site has a &amp;quot;Legal Notices&amp;quot; (not to be confused with the aforementioned &amp;quot;Legal Information&amp;quot; page) link, through which users can locate the Terms of service and the Privacy policy.&amp;lt;ref name=&amp;quot;altsite&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;conformance&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader Conformance Reports |url=https://conformance.thoriumreader.com/ |url-status=live |website=conformance.thoriumreader.com |archive-url=https://ghostarchive.org/archive/Y4JlV |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=====Steps 2 &amp;amp; 3=====&lt;br /&gt;
The installer does not have a link to the Privacy policy or the Terms of service, but after installation (after getting past the welcome screen in image 3), one can use the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; link to go to the app&#039;s website and locate the documents (see [[EDRLab#Step 0|Step 0]]).&amp;lt;ref name=&amp;quot;thorium-home /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====Post-installation====&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:S1.webp|alt=(I) Welcome dialog post installation|right|(I) Welcome dialog post installation&lt;br /&gt;
File:S2.webp|alt=(II) &amp;quot;Resources &amp;amp; Community&amp;quot; section of the dialog |right|(II) &amp;quot;Resources &amp;amp; Community&amp;quot; section of the dialog&lt;br /&gt;
File:S0.webp|alt=(III)&amp;quot;Home&amp;quot; tab|right|(III) &amp;quot;Home&amp;quot; tab&lt;br /&gt;
File:S3.webp|alt=(IV) Settings -- general -- part 1|right|(IV) Settings -- general (part 1)&lt;br /&gt;
File:S4.webp|alt=(V) Settings -- general -- part 2|right|(V) Settings -- general (part 2)&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
No direct presentation of the Terms of use or the Privacy policy. The dialog in images (I) and (II) only contains information about the app&#039;s version and links, one of which is the website.&amp;lt;ref name=&amp;quot;altsite&amp;quot; /&amp;gt; This webpage includes a &amp;quot;Legal Notices&amp;quot; link, through which users can find the relevant documentation. &lt;br /&gt;
&lt;br /&gt;
Image (III) contains depicts the app&#039;s &amp;quot;Home&amp;quot; tab. The user would have to click the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; link (visible on the bottom right of the images), which would open the app&#039;s website in the browser. This, however, is not the same website as the one that the link from image (II) leads to.&amp;lt;ref name=&amp;quot;homepage&amp;quot; /&amp;gt; In fact, via the former (through &amp;quot;Legal Notices&amp;quot;),&amp;lt;ref name=&amp;quot;conformance&amp;quot; /&amp;gt; users can access a more recent version of the Terms of use (the version from 8 Apr 2026 as of 27 Jun 2026);&amp;lt;ref name=&amp;quot;tos2&amp;quot;&amp;gt;{{Cite web |title=Conformance Reports - Terms of use |date=8 Apr 2022 |url=https://conformance.thoriumreader.com/documents/desktop3/terms-of-use/ |url-status=live |website=conformance.thoriumreader.com |archive-url=https://ghostarchive.org/archive/bRGDV |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt; whereas via the latter, users can access (by scrolling down to the &amp;quot;Terms of Use, Privacy Policy&amp;quot; section, where they&#039;d find the link) Terms of service (as of 27 Jun 2026) from 22 Nov 2022.&amp;lt;ref name=&amp;quot;tos&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Image (IV) and (V) depict the settings tab, where any links can&#039;t be found either. This is also seen in the installation videos in [[EDRLab#External links|External links]].&amp;lt;ref name=&amp;quot;install-thorium-win&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;install-thorium-mac&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Products==&lt;br /&gt;
*Thorium Reader&lt;br /&gt;
*Readium LCP (main contributor)&lt;br /&gt;
*Lis mon Livre&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[[Digital rights management]]&lt;br /&gt;
*[[Forced arbitration]]&lt;br /&gt;
*[[Readium]]&lt;br /&gt;
*[[Adobe Digital Editions&#039; ebook DRM]]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
&lt;br /&gt;
==External links==&lt;br /&gt;
===Installation videos===&lt;br /&gt;
*[https://edumedia.dk/media/t/0_dadiw6fi/480184 Thorium PC installation video]&lt;br /&gt;
*[https://edumedia.dk/media/t/0_1j7nppt4 Thorium Mac installation video]&lt;br /&gt;
===ToS===&lt;br /&gt;
*[https://conformance.thoriumreader.com/documents/desktop3/terms-of-use/ 2026 ToS] ([https://ghostarchive.org/archive/bRGDV archived])&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/terms-of-use/ 2022 ToS] ([https://ghostarchive.org/archive/O61SS archived])&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;br /&gt;
===Privacy Policy===&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/privacy-policy/ Privacy policy] ([https://ghostarchive.org/archive/cemKI archived]); [https://conformance.thoriumreader.com/documents/desktop3/privacy-policy/ Same policy but on &amp;quot;conformance.thoriumreader.com&amp;quot;] ([https://ghostarchive.org/archive/ye7GZ archived])&lt;br /&gt;
===Websites===&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/ edrlab.org/software/thorium-reader/] ([https://ghostarchive.org/archive/mqQkB archived])&lt;br /&gt;
*[https://www.thoriumreader.com/en/ thoriumreader.com] ([https://ghostarchive.org/archive/ZjTqS archived])&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=EDRLab&amp;diff=59147</id>
		<title>EDRLab</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=EDRLab&amp;diff=59147"/>
		<updated>2026-06-27T12:52:09Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: /* Microsoft Store */ clarification&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{CompanyCargo&lt;br /&gt;
|Founded=2015-07-17&lt;br /&gt;
|Industry=Software&lt;br /&gt;
|Logo=Edrlab.png&lt;br /&gt;
|Type=Non-profit&lt;br /&gt;
|CompanyAlias=European Digital Reading Lab&lt;br /&gt;
|Website=https://www.edrlab.org, https://www.thoriumreader.com&lt;br /&gt;
}}&lt;br /&gt;
EDRLab is a &amp;quot;non-profit development laboratory working on the deployment of an open, interoperable and accessible digital publishing ecosystem worldwide.&amp;quot; It has over 100 members, but some of its founding members are: [[wikipedia:Editis|Editis]], [[wikipedia:Hachette Livre|Hachette]], [[wikipedia:Centre national du livre|Centre National du livre]], [[wikipedia:Groupe Madrigall|Groupe Madrigall]] and the French State. EDRLab is a member of [[wikipedia:World Wide Web Consortium|W3C]] and [[Readium|Readium Foundation]]. It is one of the main contributors to Readium toolkits and the manager of Readium LCP [[Digital rights management|DRM]]. They are also the creators of Thorium Reader, an EPUB reading application.&amp;lt;ref&amp;gt;{{Cite web |title=About |url=https://www.edrlab.org/about/ |url-status=live |website=edrlab.org |archive-url=https://web.archive.org/web/20260502070949/https://www.edrlab.org/about/ |archive-date=2 May 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=EDRLab members directory |url=https://members.edrlab.org |url-status=live |archive-url=https://web.archive.org/web/20260303083006/https://members.edrlab.org/ |archive-date=3 Mar 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |language=fr |title=SITUATION AU REPERTOIRE SIRENE |date=24 Jun 2026 |url=https://api-avis-situation-sirene.insee.fr/identification/pdf/81344547500029 |url-status=live |website=insee.fr |archive-url=https://web.archive.org/web/20260624170714/https://api-avis-situation-sirene.insee.fr/identification/pdf/81344547500029 |archive-date=24 Jun 2026}}&amp;lt;/ref&amp;gt; They also focus on accessibility in order to increase the number of books available to people with disabilities.&amp;lt;ref&amp;gt;{{Cite web |title=Accessibility |url=https://www.edrlab.org/accessibility/ |url-status=live |website=edrlab.org |archive-url=https://ghostarchive.org/archive/EMoqh |archive-date=25 Jun 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
==Consumer-impact summary==&lt;br /&gt;
EDRLab is one of the main contributors to [[Readium]] LCP DRM. Their EPUB reader application, Thorium Reader, which uses &amp;lt;abbr title=&amp;quot;Licensed Content Protection&amp;quot;&amp;gt;LCP&amp;lt;/abbr&amp;gt;, claims to be private, yet it has &amp;quot;non-personal&amp;quot; data collection that the user cannot opt out of. It also contacts EDRLab&#039;s servers every time the application is started. &lt;br /&gt;
&lt;br /&gt;
This is not apparent, since Thorium&#039;s installer doesn&#039;t inform the user of this, there are no &amp;quot;agree/disagree&amp;quot; options and Thorium&#039;s interface does not directly link to either the [[Terms of service]] (ToS) or the Privacy policy (see: [[EDRLab#User not clearly presented with terms|User not clearly presented with terms]]. Users also wouldn&#039;t be notified if the Privacy policy were to change, since that would require them to manually check the Privacy policy page for updates. &lt;br /&gt;
&lt;br /&gt;
The Terms of service also mentions that the user agrees to &amp;quot;indemnify and hold harmless the EDRLab Parties&amp;quot; even for &amp;quot;alleged&amp;quot; breaches by the user of the ToS. It is also stated that &amp;quot;EDRLab Parties have the right to monitor the use of the Application.&amp;quot; The 2026 ToS also contains a [[Forced arbitration]] clause (see: [[EDRLab#Forced arbitration (8 Apr 2026 ToS version)|Forced arbitration (8 Apr 2026 ToS version)]]).&lt;br /&gt;
&lt;br /&gt;
The application is also deceptively marketed as open source as it is stated in the privacy policy that it is in fact not entirely open source, but rather has a &amp;quot;small software library used as core for the Readium LCP DRM, which does not store or send any data.&amp;quot; This requires users to trust the company on their word, since users cannot inspect the application, as they may not &amp;quot;rent, sell, modify, decompile, disassemble, reverse engineer or transfer the Application in whole or in part&amp;quot;, according to the Terms of service. Furthermore, this connects directly to the 2nd paragraph. The Terms of service as well as the Privacy policy are discussed in more detail in the &amp;quot;Incidents&amp;quot; section (see: [[EDRLab#Thorium Reader privacy policy and terms of use|Thorium Reader privacy policy and terms of use]]).&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
===Thorium Reader privacy policy and terms of use===&lt;br /&gt;
====Privacy policy (22 Nov 2022 version)====&lt;br /&gt;
Despite Thorium&#039;s homepage stating that:&amp;lt;blockquote&amp;gt;This application is free, with no ads and no private data leaks.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;thorium-home&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://www.edrlab.org/software/thorium-reader/ |url-status=live |website=edrlab.org |archive-url=https://web.archive.org/web/20260619033750/https://www.edrlab.org/software/thorium-reader/ |archive-date=19 Jun 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt;There is data collection, but it is stated that it is &amp;quot;non-personal.&amp;quot; The application calling itself private might give some users the wrong impression, if they take that to mean &amp;quot;no phoning home.&amp;quot; The reader sends this &amp;quot;non-personal&amp;quot; data to EDRLab&#039;s servers. &lt;br /&gt;
&lt;br /&gt;
It is impossible to opt out of &amp;quot;notifications&amp;quot; that are sent to a server every time the application is started. They state that this information &amp;lt;blockquote&amp;gt;is for analytics only and not accessed by any third party. It is used to get information about the evolution of the number of installs of the application per operating system, the evolution of usage sessions and the main locales in use.&amp;lt;/blockquote&amp;gt;And:&amp;lt;blockquote&amp;gt;Parameters of such notification are:&lt;br /&gt;
&lt;br /&gt;
*a timestamp,&lt;br /&gt;
*the version of Thorium Reader,&lt;br /&gt;
*the operating system of the device and its version,&lt;br /&gt;
*the locale of the application at the time it is started,&lt;br /&gt;
*if this is the first start of Thorium Reader after a fresh install.&lt;br /&gt;
&lt;br /&gt;
The IP address of the device is not stored along with the above information.&lt;br /&gt;
&lt;br /&gt;
It is not possible to opt-out from this notification.&amp;lt;/blockquote&amp;gt;Also:&amp;lt;blockquote&amp;gt;a notification is sent to an LCP Server each time a protected publication is open. This is required by the LCP specification for checking if the license of use of the publication has been updated. There is not centralized LCP Server, each server is operated by the distributor of the protected publication acquired by the user.&lt;br /&gt;
&lt;br /&gt;
Parameters of such notification are:&lt;br /&gt;
&lt;br /&gt;
*a device identifier, automatically generated at the install of the application.&lt;br /&gt;
*a device name, automatically generated at the install of the application.&lt;br /&gt;
&lt;br /&gt;
The codebase of Thorium Reader is open-sourced and can therefore be fully inspected, with the exception of a small software library used as core for the Readium LCP DRM, which does not store or send any data.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
The terms of privacy policy can also evidently be changed without users being notified in their actual reading application, but rather: &amp;lt;blockquote&amp;gt;We may change the Privacy Policy from time to time. We will notify you by posting the revised Privacy Policy on this page and the date on which the last changes were made will be noted at the top of the page.&amp;lt;/blockquote&amp;gt;So users would have to periodically check this site to know whether any terms have changed.&lt;br /&gt;
&lt;br /&gt;
====Terms of service (22 Nov 2022 version)====&lt;br /&gt;
Moving on to the Terms of service, there are several interesting things. First:&amp;lt;blockquote&amp;gt;You hereby agree to indemnify and hold harmless the EDRLab Parties from and against any and all claims, actions or proceedings of any nature whatsoever and all damages, judgments, losses, liabilities, costs and expenses, including reasonable attorneys’ fees and expenses (including those incurred to enforce this provision), arising out of your use of the Application, the Content, any actual or alleged breach by you of these Terms of Use, or any violation by you of any applicable law or the rights of any other person or entity.&amp;lt;/blockquote&amp;gt;Especially:&amp;lt;blockquote&amp;gt;any actual or alleged breach by you of these Terms of Use&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
As per this, one is agreeing to &amp;quot;indemnify and hold harmless the EDRLab Parties&amp;quot; even for alleged breaches of the terms of service.&lt;br /&gt;
&lt;br /&gt;
In one of the quotes above, it is mentioned that due to Thorium&#039;s open source nature, one can inspect its source code apart from a &amp;quot;small software library used as core for the Readium LCP DRM, which does not store or send any data&amp;quot; Which, one cannot verify that part, since:&amp;lt;blockquote&amp;gt;In addition, you may not rent, sell, modify, decompile, disassemble, reverse engineer or transfer the Application in whole or in part. You may not use any device, software or routine to interfere with or attempt to interfere with the proper functioning of the Application in whole or in part.&amp;lt;/blockquote&amp;gt;So it would appear that it is up to individual users to decide if not being able to verify that part is acceptable to them. Finally, there is also this:&amp;lt;blockquote&amp;gt; However, you acknowledge that the EDRLab Parties have the right to monitor the use of the Application, at its sole discretion, and to disclose any information necessary to comply with any law, regulation or government request, in order to be able to operate the Application adequately or in order to protect itself or its users under the “Privacy Policy”&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;tos&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader – Terms of Use |date=22 Nov 2022 |url=https://www.edrlab.org/software/thorium-reader/terms-of-use/ |website=edrlab.org |url-status=live |archive-url=https://web.archive.org/web/20260617083801/https://www.edrlab.org/software/thorium-reader/terms-of-use/ |archive-date=17 Jun 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;privacy-policy&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader – Privacy Policy |date=22 Nov 2022 |url=https://www.edrlab.org/software/thorium-reader/privacy-policy/ |website=edrlab.org |archive-url=https://web.archive.org/web/20260617083801/https://www.edrlab.org/software/thorium-reader/privacy-policy/ |url-status=live |archive-date=17 Jun 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt; The above summarizes and discusses Thorium&#039;s Privacy policy and Terms of service. Readers are encouraged to consult both the Privacy policy and the Terms of service for themselves and form their own conclusions.&lt;br /&gt;
=====Forced arbitration (8 Apr 2026 ToS version)=====&lt;br /&gt;
In the updated Terms of service (see [[EDRLab#External links|External links]]), from 8 Apr 2026, there is a Forced arbitration clause.&amp;lt;blockquote&amp;gt;To the fullest extent permitted by applicable law, any dispute, claim or controversy between you and EDRLab that relates in any way to or arises from your use of the Application or these Terms of Use (a “Dispute”) shall be resolved on an individual basis and, except as provided below, exclusively through binding arbitration. A Dispute will be submitted to arbitration, whether it is based on contract, statute, regulation, court order, tort or any other legal or equitable theory. You understand that in arbitration, there is no judge or jury and that judicial review of an arbitral award is limited. Unless otherwise required by mandatory law, the arbitration shall be administered by a recognised arbitration institution (for example, the ICC in Paris, or, for consumers in the United States, the American Arbitration Association) under its applicable rules for consumer or commercial disputes, as modified by this clause. The arbitration shall be conducted by a single arbitrator, in French or English, and, unless the arbitrator decides that an in‑person hearing is necessary, may be held by videoconference. The arbitrator shall apply the applicable governing law set out below and may award any remedies available at law or in equity. The arbitrator’s award shall be final and binding and may be entered in any court of competent jurisdiction.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
And:&amp;lt;blockquote&amp;gt;You agree that any arbitration or court proceeding will be conducted only on an individual basis, not as a class, collective, or representative action. To the fullest extent permitted by applicable law, you and EDRLab each waive any right to a jury trial in any court proceedings. Notwithstanding the foregoing, either you or EDRLab may: (a) bring an individual action in a court of competent jurisdiction for claims that fall within the jurisdiction of a small‑claims or equivalent court, or (b) seek provisional or injunctive relief in a court of competent jurisdiction to protect intellectual property rights or prevent unauthorised access to or use of the Application. You and we agree to submit to the exclusive jurisdiction of Paris, France. Unless prohibited by applicable law, and without regard to its conflict of laws principles, you and we agree that any Dispute between you and us will be governed by and construed in accordance with the laws of France. ​In all cases, nothing in these Terms of Use is intended to waive any sovereign immunity, governmental immunity or other mandatory legal protection that cannot be contractually waived under applicable law.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
You also agree to first contact EDRLab before initiating any proceedings:&amp;lt;blockquote&amp;gt;If you have any concern or dispute regarding the Application or these Terms of Use, you agree first to contact EDRLab at contact@edrlab.org and to make a good‑faith effort to resolve the dispute informally for at least thirty (30) days before initiating arbitration or court proceedings.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;tos2&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===User not clearly presented with terms===&lt;br /&gt;
During the installation process, the user is not clearly presented with the Terms of use or the Privacy policy. There is no option to agree or disagree to the terms and the privacy policy, nor are they directly linked in the app (see: [[EDRLab#Installation|Installation]] and [[EDRLab#Post-installation|Post-installation]]). While it is not possible to opt out, the user doesn&#039;t know that during installation, unless they&#039;d scrolled on Thorium&#039;s webpage to find the Terms of use and the Privacy policy, or unless they&#039;d found them wherever they&#039;re installing the app from (e.g. [[Microsoft|Microsoft]] Store). See [[EDRLab#External links|External links]] for installation videos of Thorium.&amp;lt;ref name=&amp;quot;install-thorium-win&amp;quot;&amp;gt;{{Cite web |date=24 Feb 2026 |title=installer_thorium_pc |author=Stine Kjær Kappel |url=https://edumedia.dk/media/t/0_dadiw6fi/480184 |url-status=live |website=edumedia.dk |archive-url=https://ghostarchive.org/archive/3IlBv |archive-date=25 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;install-thorium-mac&amp;quot;&amp;gt;{{Cite web |date=24 Feb 2026 |title=installer_thorium_mac |author=Stine Kjær Kappel |url=https://edumedia.dk/media/t/0_1j7nppt4 |url-status=live |website=edumedia.dk |archive-url=https://ghostarchive.org/archive/ILix8 |archive-date=25 Jun 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
====Installation====&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:Thorium-website.webp|alt=Installation step: 1 (installation page)|right|Installation step: 1 (installation page)&lt;br /&gt;
File:F1.webp|alt=Installation step: 1 (alternative on Windows: Microsoft Store)|right|Installation step: 1 (alternative on Windows: Microsoft Store)&lt;br /&gt;
File:F2.webp|alt=Installation step: 2 (Thorium being installed)|right|Installation step: 2 (Thorium being installed)&lt;br /&gt;
File:F3.webp|alt=Installation step: 3 (Thorium&#039;s welcome page upon first launch)|right|Installation step: 3 (Thorium&#039;s welcome page upon first launch)&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
No direct presentation of the Terms of use or the Privacy policy during installation (example on Windows).&lt;br /&gt;
=====Step 0=====&lt;br /&gt;
The Terms of use and the Privacy policy can be located on the homepage by scrolling down to the &amp;quot;Terms of Use, Privacy Policy&amp;quot; section.&amp;lt;ref name=&amp;quot;thorium-home&amp;quot; /&amp;gt;&lt;br /&gt;
=====Step 1=====&lt;br /&gt;
On the installation page (step 1), the user would have to click on &amp;quot;Support&amp;quot; on the top right (or &amp;quot;Minimum system requirement&amp;quot; in the center-left) and then locate the &amp;quot;About Thorium Reader&amp;quot; section on the bottom left. This is not the same page as the &amp;quot;About&amp;quot; located next to &amp;quot;Support.&amp;quot;&amp;lt;ref name=&amp;quot;homepage&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://thorium.edrlab.org/en/ |url-status=live |website=thorium.edrlab.org |archive-url=https://ghostarchive.org/archive/BI26o |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Thorium 3 support |url=https://thorium.edrlab.org/en/th3/ |url-status=live |website=thorium.edrlab.org |archive-url=https://ghostarchive.org/archive/eHOlo |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
======Microsoft Store======&lt;br /&gt;
On the Microsoft Store (alternative step 1 for Windows), the &amp;quot;Additional information&amp;quot; section contains links to the Privacy policy and the &amp;quot;Terms of transaction.&amp;quot; The former leads to EDRLab&#039;s &amp;quot;Legal Information&amp;quot; page, not the actual privacy policy on the site that the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; opens (it is also in French, even with the computer&#039;s language set to English)&amp;lt;ref&amp;gt;{{Cite web |title=Legal Information |url=https://www.edrlab.org/legal-information/ |url-status=live |website=edrlab.org |language=fr |archive-url=https://ghostarchive.org/archive/NvQtI |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
The latter link leads to a &amp;quot;Microsoft Store Terms of Sale&amp;quot; (not the same thing as the app&#039;s Terms of use). There is also a website link, but it opens a different website&amp;lt;ref name=&amp;quot;altsite&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://www.thoriumreader.com/en/ |url-status=live |website=thoriumreader.com |archive-url=https://ghostarchive.org/archive/ZjTqS |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt; than the one Thorium Reader opens when clicking &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; (see [[EDRLab#External links|External links]]).&amp;lt;ref&amp;gt;{{Cite web |title=Thorium Reader |url=https://apps.microsoft.com/detail/9nfzp1g7m2sc?hl=en-US |website=apps.microsoft.com |url-status=live |archive-url=https://ghostarchive.org/archive/ukmly |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt; That site site has a &amp;quot;Legal Notices&amp;quot; (not to be confused with the aforementioned &amp;quot;Legal Information&amp;quot; page) link, through which users can locate the Terms of service and the Privacy policy.&amp;lt;ref name=&amp;quot;altsite&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;conformance&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader Conformance Reports |url=https://conformance.thoriumreader.com/ |url-status=live |website=conformance.thoriumreader.com |archive-url=https://ghostarchive.org/archive/Y4JlV |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=====Steps 2 &amp;amp; 3=====&lt;br /&gt;
The installer does not have a link to the Privacy policy or the Terms of service, but after installation (after getting past the welcome screen in image 3), one can use the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; link to go to the app&#039;s website and locate the documents (see [[EDRLab#Step 0|Step 0]]).&amp;lt;ref name=&amp;quot;thorium-home /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====Post-installation====&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:S1.webp|alt=(I) Welcome dialog post installation|right|(I) Welcome dialog post installation&lt;br /&gt;
File:S2.webp|alt=(II) &amp;quot;Resources &amp;amp; Community&amp;quot; section of the dialog |right|(II) &amp;quot;Resources &amp;amp; Community&amp;quot; section of the dialog&lt;br /&gt;
File:S0.webp|alt=(III)&amp;quot;Home&amp;quot; tab|right|(III) &amp;quot;Home&amp;quot; tab&lt;br /&gt;
File:S3.webp|alt=(IV) Settings -- general -- part 1|right|(IV) Settings -- general (part 1)&lt;br /&gt;
File:S4.webp|alt=(V) Settings -- general -- part 2|right|(V) Settings -- general (part 2)&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
No direct presentation of the Terms of use or the Privacy policy. The dialog in images (I) and (II) only contains information about the app&#039;s version and links, one of which is the website.&amp;lt;ref name=&amp;quot;altsite&amp;quot; /&amp;gt; This webpage includes a &amp;quot;Legal Notices&amp;quot; link, through which users can find the relevant documentation. &lt;br /&gt;
&lt;br /&gt;
Image (III) contains depicts the app&#039;s &amp;quot;Home&amp;quot; tab. The user would have to click the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; link (visible on the bottom right of the images), which would open the app&#039;s website in the browser. This, however, is not the same website as the one that the link from image (II) leads to.&amp;lt;ref name=&amp;quot;homepage&amp;quot; /&amp;gt; In fact, via the former (through &amp;quot;Legal Notices&amp;quot;),&amp;lt;ref name=&amp;quot;conformance&amp;quot; /&amp;gt; users can access a more recent version of the Terms of use (the version from 8 Apr 2026 as of 27 Jun 2026);&amp;lt;ref name=&amp;quot;tos2&amp;quot;&amp;gt;{{Cite web |title=Conformance Reports - Terms of use |date=8 Apr 2022 |url=https://conformance.thoriumreader.com/documents/desktop3/terms-of-use/ |url-status=live |website=conformance.thoriumreader.com |archive-url=https://ghostarchive.org/archive/bRGDV |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt; whereas via the latter, users can access (by scrolling down to the &amp;quot;Terms of Use, Privacy Policy&amp;quot; section, where they&#039;d find the link) Terms of service (as of 27 Jun 2026) from 22 Nov 2022.&amp;lt;ref name=&amp;quot;tos&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Image (IV) and (V) depict the settings tab, where any links can&#039;t be found either. This is also seen in the installation videos in [[EDRLab#External links|External links]].&amp;lt;ref name=&amp;quot;install-thorium-win&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;install-thorium-mac&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Products==&lt;br /&gt;
*Thorium Reader&lt;br /&gt;
*Readium LCP (main contributor)&lt;br /&gt;
*Lis mon Livre&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[[Digital rights management]]&lt;br /&gt;
*[[Forced arbitration]]&lt;br /&gt;
*[[Readium]]&lt;br /&gt;
*[[Adobe Digital Editions&#039; ebook DRM]]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
&lt;br /&gt;
==External links==&lt;br /&gt;
===Installation videos===&lt;br /&gt;
*[https://edumedia.dk/media/t/0_dadiw6fi/480184 Thorium PC installation video]&lt;br /&gt;
*[https://edumedia.dk/media/t/0_1j7nppt4 Thorium Mac installation video]&lt;br /&gt;
===ToS===&lt;br /&gt;
*[https://conformance.thoriumreader.com/documents/desktop3/terms-of-use/ 2026 ToS] ([https://ghostarchive.org/archive/bRGDV archived])&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/terms-of-use/ 2022 ToS] ([https://ghostarchive.org/archive/O61SS archived])&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;br /&gt;
===Privacy Policy===&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/privacy-policy/ Privacy policy] ([https://ghostarchive.org/archive/cemKI archived]); [https://conformance.thoriumreader.com/documents/desktop3/privacy-policy/ Same policy but on &amp;quot;conformance.thoriumreader.com&amp;quot;] ([https://ghostarchive.org/archive/ye7GZ archived])&lt;br /&gt;
===Websites===&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/ edrlab.org/software/thorium-reader/] ([https://ghostarchive.org/archive/mqQkB archived])&lt;br /&gt;
*[https://www.thoriumreader.com/en/ thoriumreader.com] ([https://ghostarchive.org/archive/ZjTqS archived])&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=EDRLab&amp;diff=59146</id>
		<title>EDRLab</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=EDRLab&amp;diff=59146"/>
		<updated>2026-06-27T12:48:23Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: /* Step 2 &amp;amp; 3 */ grammar&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{CompanyCargo&lt;br /&gt;
|Founded=2015-07-17&lt;br /&gt;
|Industry=Software&lt;br /&gt;
|Logo=Edrlab.png&lt;br /&gt;
|Type=Non-profit&lt;br /&gt;
|CompanyAlias=European Digital Reading Lab&lt;br /&gt;
|Website=https://www.edrlab.org, https://www.thoriumreader.com&lt;br /&gt;
}}&lt;br /&gt;
EDRLab is a &amp;quot;non-profit development laboratory working on the deployment of an open, interoperable and accessible digital publishing ecosystem worldwide.&amp;quot; It has over 100 members, but some of its founding members are: [[wikipedia:Editis|Editis]], [[wikipedia:Hachette Livre|Hachette]], [[wikipedia:Centre national du livre|Centre National du livre]], [[wikipedia:Groupe Madrigall|Groupe Madrigall]] and the French State. EDRLab is a member of [[wikipedia:World Wide Web Consortium|W3C]] and [[Readium|Readium Foundation]]. It is one of the main contributors to Readium toolkits and the manager of Readium LCP [[Digital rights management|DRM]]. They are also the creators of Thorium Reader, an EPUB reading application.&amp;lt;ref&amp;gt;{{Cite web |title=About |url=https://www.edrlab.org/about/ |url-status=live |website=edrlab.org |archive-url=https://web.archive.org/web/20260502070949/https://www.edrlab.org/about/ |archive-date=2 May 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=EDRLab members directory |url=https://members.edrlab.org |url-status=live |archive-url=https://web.archive.org/web/20260303083006/https://members.edrlab.org/ |archive-date=3 Mar 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |language=fr |title=SITUATION AU REPERTOIRE SIRENE |date=24 Jun 2026 |url=https://api-avis-situation-sirene.insee.fr/identification/pdf/81344547500029 |url-status=live |website=insee.fr |archive-url=https://web.archive.org/web/20260624170714/https://api-avis-situation-sirene.insee.fr/identification/pdf/81344547500029 |archive-date=24 Jun 2026}}&amp;lt;/ref&amp;gt; They also focus on accessibility in order to increase the number of books available to people with disabilities.&amp;lt;ref&amp;gt;{{Cite web |title=Accessibility |url=https://www.edrlab.org/accessibility/ |url-status=live |website=edrlab.org |archive-url=https://ghostarchive.org/archive/EMoqh |archive-date=25 Jun 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
==Consumer-impact summary==&lt;br /&gt;
EDRLab is one of the main contributors to [[Readium]] LCP DRM. Their EPUB reader application, Thorium Reader, which uses &amp;lt;abbr title=&amp;quot;Licensed Content Protection&amp;quot;&amp;gt;LCP&amp;lt;/abbr&amp;gt;, claims to be private, yet it has &amp;quot;non-personal&amp;quot; data collection that the user cannot opt out of. It also contacts EDRLab&#039;s servers every time the application is started. &lt;br /&gt;
&lt;br /&gt;
This is not apparent, since Thorium&#039;s installer doesn&#039;t inform the user of this, there are no &amp;quot;agree/disagree&amp;quot; options and Thorium&#039;s interface does not directly link to either the [[Terms of service]] (ToS) or the Privacy policy (see: [[EDRLab#User not clearly presented with terms|User not clearly presented with terms]]. Users also wouldn&#039;t be notified if the Privacy policy were to change, since that would require them to manually check the Privacy policy page for updates. &lt;br /&gt;
&lt;br /&gt;
The Terms of service also mentions that the user agrees to &amp;quot;indemnify and hold harmless the EDRLab Parties&amp;quot; even for &amp;quot;alleged&amp;quot; breaches by the user of the ToS. It is also stated that &amp;quot;EDRLab Parties have the right to monitor the use of the Application.&amp;quot; The 2026 ToS also contains a [[Forced arbitration]] clause (see: [[EDRLab#Forced arbitration (8 Apr 2026 ToS version)|Forced arbitration (8 Apr 2026 ToS version)]]).&lt;br /&gt;
&lt;br /&gt;
The application is also deceptively marketed as open source as it is stated in the privacy policy that it is in fact not entirely open source, but rather has a &amp;quot;small software library used as core for the Readium LCP DRM, which does not store or send any data.&amp;quot; This requires users to trust the company on their word, since users cannot inspect the application, as they may not &amp;quot;rent, sell, modify, decompile, disassemble, reverse engineer or transfer the Application in whole or in part&amp;quot;, according to the Terms of service. Furthermore, this connects directly to the 2nd paragraph. The Terms of service as well as the Privacy policy are discussed in more detail in the &amp;quot;Incidents&amp;quot; section (see: [[EDRLab#Thorium Reader privacy policy and terms of use|Thorium Reader privacy policy and terms of use]]).&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
===Thorium Reader privacy policy and terms of use===&lt;br /&gt;
====Privacy policy (22 Nov 2022 version)====&lt;br /&gt;
Despite Thorium&#039;s homepage stating that:&amp;lt;blockquote&amp;gt;This application is free, with no ads and no private data leaks.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;thorium-home&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://www.edrlab.org/software/thorium-reader/ |url-status=live |website=edrlab.org |archive-url=https://web.archive.org/web/20260619033750/https://www.edrlab.org/software/thorium-reader/ |archive-date=19 Jun 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt;There is data collection, but it is stated that it is &amp;quot;non-personal.&amp;quot; The application calling itself private might give some users the wrong impression, if they take that to mean &amp;quot;no phoning home.&amp;quot; The reader sends this &amp;quot;non-personal&amp;quot; data to EDRLab&#039;s servers. &lt;br /&gt;
&lt;br /&gt;
It is impossible to opt out of &amp;quot;notifications&amp;quot; that are sent to a server every time the application is started. They state that this information &amp;lt;blockquote&amp;gt;is for analytics only and not accessed by any third party. It is used to get information about the evolution of the number of installs of the application per operating system, the evolution of usage sessions and the main locales in use.&amp;lt;/blockquote&amp;gt;And:&amp;lt;blockquote&amp;gt;Parameters of such notification are:&lt;br /&gt;
&lt;br /&gt;
*a timestamp,&lt;br /&gt;
*the version of Thorium Reader,&lt;br /&gt;
*the operating system of the device and its version,&lt;br /&gt;
*the locale of the application at the time it is started,&lt;br /&gt;
*if this is the first start of Thorium Reader after a fresh install.&lt;br /&gt;
&lt;br /&gt;
The IP address of the device is not stored along with the above information.&lt;br /&gt;
&lt;br /&gt;
It is not possible to opt-out from this notification.&amp;lt;/blockquote&amp;gt;Also:&amp;lt;blockquote&amp;gt;a notification is sent to an LCP Server each time a protected publication is open. This is required by the LCP specification for checking if the license of use of the publication has been updated. There is not centralized LCP Server, each server is operated by the distributor of the protected publication acquired by the user.&lt;br /&gt;
&lt;br /&gt;
Parameters of such notification are:&lt;br /&gt;
&lt;br /&gt;
*a device identifier, automatically generated at the install of the application.&lt;br /&gt;
*a device name, automatically generated at the install of the application.&lt;br /&gt;
&lt;br /&gt;
The codebase of Thorium Reader is open-sourced and can therefore be fully inspected, with the exception of a small software library used as core for the Readium LCP DRM, which does not store or send any data.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
The terms of privacy policy can also evidently be changed without users being notified in their actual reading application, but rather: &amp;lt;blockquote&amp;gt;We may change the Privacy Policy from time to time. We will notify you by posting the revised Privacy Policy on this page and the date on which the last changes were made will be noted at the top of the page.&amp;lt;/blockquote&amp;gt;So users would have to periodically check this site to know whether any terms have changed.&lt;br /&gt;
&lt;br /&gt;
====Terms of service (22 Nov 2022 version)====&lt;br /&gt;
Moving on to the Terms of service, there are several interesting things. First:&amp;lt;blockquote&amp;gt;You hereby agree to indemnify and hold harmless the EDRLab Parties from and against any and all claims, actions or proceedings of any nature whatsoever and all damages, judgments, losses, liabilities, costs and expenses, including reasonable attorneys’ fees and expenses (including those incurred to enforce this provision), arising out of your use of the Application, the Content, any actual or alleged breach by you of these Terms of Use, or any violation by you of any applicable law or the rights of any other person or entity.&amp;lt;/blockquote&amp;gt;Especially:&amp;lt;blockquote&amp;gt;any actual or alleged breach by you of these Terms of Use&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
As per this, one is agreeing to &amp;quot;indemnify and hold harmless the EDRLab Parties&amp;quot; even for alleged breaches of the terms of service.&lt;br /&gt;
&lt;br /&gt;
In one of the quotes above, it is mentioned that due to Thorium&#039;s open source nature, one can inspect its source code apart from a &amp;quot;small software library used as core for the Readium LCP DRM, which does not store or send any data&amp;quot; Which, one cannot verify that part, since:&amp;lt;blockquote&amp;gt;In addition, you may not rent, sell, modify, decompile, disassemble, reverse engineer or transfer the Application in whole or in part. You may not use any device, software or routine to interfere with or attempt to interfere with the proper functioning of the Application in whole or in part.&amp;lt;/blockquote&amp;gt;So it would appear that it is up to individual users to decide if not being able to verify that part is acceptable to them. Finally, there is also this:&amp;lt;blockquote&amp;gt; However, you acknowledge that the EDRLab Parties have the right to monitor the use of the Application, at its sole discretion, and to disclose any information necessary to comply with any law, regulation or government request, in order to be able to operate the Application adequately or in order to protect itself or its users under the “Privacy Policy”&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;tos&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader – Terms of Use |date=22 Nov 2022 |url=https://www.edrlab.org/software/thorium-reader/terms-of-use/ |website=edrlab.org |url-status=live |archive-url=https://web.archive.org/web/20260617083801/https://www.edrlab.org/software/thorium-reader/terms-of-use/ |archive-date=17 Jun 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;privacy-policy&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader – Privacy Policy |date=22 Nov 2022 |url=https://www.edrlab.org/software/thorium-reader/privacy-policy/ |website=edrlab.org |archive-url=https://web.archive.org/web/20260617083801/https://www.edrlab.org/software/thorium-reader/privacy-policy/ |url-status=live |archive-date=17 Jun 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt; The above summarizes and discusses Thorium&#039;s Privacy policy and Terms of service. Readers are encouraged to consult both the Privacy policy and the Terms of service for themselves and form their own conclusions.&lt;br /&gt;
=====Forced arbitration (8 Apr 2026 ToS version)=====&lt;br /&gt;
In the updated Terms of service (see [[EDRLab#External links|External links]]), from 8 Apr 2026, there is a Forced arbitration clause.&amp;lt;blockquote&amp;gt;To the fullest extent permitted by applicable law, any dispute, claim or controversy between you and EDRLab that relates in any way to or arises from your use of the Application or these Terms of Use (a “Dispute”) shall be resolved on an individual basis and, except as provided below, exclusively through binding arbitration. A Dispute will be submitted to arbitration, whether it is based on contract, statute, regulation, court order, tort or any other legal or equitable theory. You understand that in arbitration, there is no judge or jury and that judicial review of an arbitral award is limited. Unless otherwise required by mandatory law, the arbitration shall be administered by a recognised arbitration institution (for example, the ICC in Paris, or, for consumers in the United States, the American Arbitration Association) under its applicable rules for consumer or commercial disputes, as modified by this clause. The arbitration shall be conducted by a single arbitrator, in French or English, and, unless the arbitrator decides that an in‑person hearing is necessary, may be held by videoconference. The arbitrator shall apply the applicable governing law set out below and may award any remedies available at law or in equity. The arbitrator’s award shall be final and binding and may be entered in any court of competent jurisdiction.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
And:&amp;lt;blockquote&amp;gt;You agree that any arbitration or court proceeding will be conducted only on an individual basis, not as a class, collective, or representative action. To the fullest extent permitted by applicable law, you and EDRLab each waive any right to a jury trial in any court proceedings. Notwithstanding the foregoing, either you or EDRLab may: (a) bring an individual action in a court of competent jurisdiction for claims that fall within the jurisdiction of a small‑claims or equivalent court, or (b) seek provisional or injunctive relief in a court of competent jurisdiction to protect intellectual property rights or prevent unauthorised access to or use of the Application. You and we agree to submit to the exclusive jurisdiction of Paris, France. Unless prohibited by applicable law, and without regard to its conflict of laws principles, you and we agree that any Dispute between you and us will be governed by and construed in accordance with the laws of France. ​In all cases, nothing in these Terms of Use is intended to waive any sovereign immunity, governmental immunity or other mandatory legal protection that cannot be contractually waived under applicable law.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
You also agree to first contact EDRLab before initiating any proceedings:&amp;lt;blockquote&amp;gt;If you have any concern or dispute regarding the Application or these Terms of Use, you agree first to contact EDRLab at contact@edrlab.org and to make a good‑faith effort to resolve the dispute informally for at least thirty (30) days before initiating arbitration or court proceedings.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;tos2&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===User not clearly presented with terms===&lt;br /&gt;
During the installation process, the user is not clearly presented with the Terms of use or the Privacy policy. There is no option to agree or disagree to the terms and the privacy policy, nor are they directly linked in the app (see: [[EDRLab#Installation|Installation]] and [[EDRLab#Post-installation|Post-installation]]). While it is not possible to opt out, the user doesn&#039;t know that during installation, unless they&#039;d scrolled on Thorium&#039;s webpage to find the Terms of use and the Privacy policy, or unless they&#039;d found them wherever they&#039;re installing the app from (e.g. [[Microsoft|Microsoft]] Store). See [[EDRLab#External links|External links]] for installation videos of Thorium.&amp;lt;ref name=&amp;quot;install-thorium-win&amp;quot;&amp;gt;{{Cite web |date=24 Feb 2026 |title=installer_thorium_pc |author=Stine Kjær Kappel |url=https://edumedia.dk/media/t/0_dadiw6fi/480184 |url-status=live |website=edumedia.dk |archive-url=https://ghostarchive.org/archive/3IlBv |archive-date=25 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;install-thorium-mac&amp;quot;&amp;gt;{{Cite web |date=24 Feb 2026 |title=installer_thorium_mac |author=Stine Kjær Kappel |url=https://edumedia.dk/media/t/0_1j7nppt4 |url-status=live |website=edumedia.dk |archive-url=https://ghostarchive.org/archive/ILix8 |archive-date=25 Jun 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
====Installation====&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:Thorium-website.webp|alt=Installation step: 1 (installation page)|right|Installation step: 1 (installation page)&lt;br /&gt;
File:F1.webp|alt=Installation step: 1 (alternative on Windows: Microsoft Store)|right|Installation step: 1 (alternative on Windows: Microsoft Store)&lt;br /&gt;
File:F2.webp|alt=Installation step: 2 (Thorium being installed)|right|Installation step: 2 (Thorium being installed)&lt;br /&gt;
File:F3.webp|alt=Installation step: 3 (Thorium&#039;s welcome page upon first launch)|right|Installation step: 3 (Thorium&#039;s welcome page upon first launch)&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
No direct presentation of the Terms of use or the Privacy policy during installation (example on Windows).&lt;br /&gt;
=====Step 0=====&lt;br /&gt;
The Terms of use and the Privacy policy can be located on the homepage by scrolling down to the &amp;quot;Terms of Use, Privacy Policy&amp;quot; section.&amp;lt;ref name=&amp;quot;thorium-home&amp;quot; /&amp;gt;&lt;br /&gt;
=====Step 1=====&lt;br /&gt;
On the installation page (step 1), the user would have to click on &amp;quot;Support&amp;quot; on the top right (or &amp;quot;Minimum system requirement&amp;quot; in the center-left) and then locate the &amp;quot;About Thorium Reader&amp;quot; section on the bottom left. This is not the same page as the &amp;quot;About&amp;quot; located next to &amp;quot;Support.&amp;quot;&amp;lt;ref name=&amp;quot;homepage&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://thorium.edrlab.org/en/ |url-status=live |website=thorium.edrlab.org |archive-url=https://ghostarchive.org/archive/BI26o |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Thorium 3 support |url=https://thorium.edrlab.org/en/th3/ |url-status=live |website=thorium.edrlab.org |archive-url=https://ghostarchive.org/archive/eHOlo |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
======Microsoft Store======&lt;br /&gt;
On the Microsoft Store (alternative step 1 for Windows), the &amp;quot;Additional information&amp;quot; section contains links to the Privacy policy and the &amp;quot;Terms of transaction.&amp;quot; The former leads to EDRLab&#039;s &amp;quot;Legal Information&amp;quot; page, not the actual privacy policy on the site that the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; opens (it is also in French, even with the computer&#039;s language set to English)&amp;lt;ref&amp;gt;{{Cite web |title=Legal Information |url=https://www.edrlab.org/legal-information/ |url-status=live |website=edrlab.org |language=fr |archive-url=https://ghostarchive.org/archive/NvQtI |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
The latter link leads to a &amp;quot;Microsoft Store Terms of Sale&amp;quot; (which is not the same as the app&#039;s Terms of use). There is also a website link, but it opens a different website&amp;lt;ref name=&amp;quot;altsite&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://www.thoriumreader.com/en/ |url-status=live |website=thoriumreader.com |archive-url=https://ghostarchive.org/archive/ZjTqS |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt; than the one Thorium Reader opens when clicking &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; (see [[EDRLab#External links|External links]]).&amp;lt;ref&amp;gt;{{Cite web |title=Thorium Reader |url=https://apps.microsoft.com/detail/9nfzp1g7m2sc?hl=en-US |website=apps.microsoft.com |url-status=live |archive-url=https://ghostarchive.org/archive/ukmly |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt; That site site has a &amp;quot;Legal Notices&amp;quot; (not to be confused with the aforementioned &amp;quot;Legal Information&amp;quot; page) link, through which users can locate the Terms of service and the Privacy policy.&amp;lt;ref name=&amp;quot;altsite&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;conformance&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader Conformance Reports |url=https://conformance.thoriumreader.com/ |url-status=live |website=conformance.thoriumreader.com |archive-url=https://ghostarchive.org/archive/Y4JlV |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=====Steps 2 &amp;amp; 3=====&lt;br /&gt;
The installer does not have a link to the Privacy policy or the Terms of service, but after installation (after getting past the welcome screen in image 3), one can use the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; link to go to the app&#039;s website and locate the documents (see [[EDRLab#Step 0|Step 0]]).&amp;lt;ref name=&amp;quot;thorium-home /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====Post-installation====&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:S1.webp|alt=(I) Welcome dialog post installation|right|(I) Welcome dialog post installation&lt;br /&gt;
File:S2.webp|alt=(II) &amp;quot;Resources &amp;amp; Community&amp;quot; section of the dialog |right|(II) &amp;quot;Resources &amp;amp; Community&amp;quot; section of the dialog&lt;br /&gt;
File:S0.webp|alt=(III)&amp;quot;Home&amp;quot; tab|right|(III) &amp;quot;Home&amp;quot; tab&lt;br /&gt;
File:S3.webp|alt=(IV) Settings -- general -- part 1|right|(IV) Settings -- general (part 1)&lt;br /&gt;
File:S4.webp|alt=(V) Settings -- general -- part 2|right|(V) Settings -- general (part 2)&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
No direct presentation of the Terms of use or the Privacy policy. The dialog in images (I) and (II) only contains information about the app&#039;s version and links, one of which is the website.&amp;lt;ref name=&amp;quot;altsite&amp;quot; /&amp;gt; This webpage includes a &amp;quot;Legal Notices&amp;quot; link, through which users can find the relevant documentation. &lt;br /&gt;
&lt;br /&gt;
Image (III) contains depicts the app&#039;s &amp;quot;Home&amp;quot; tab. The user would have to click the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; link (visible on the bottom right of the images), which would open the app&#039;s website in the browser. This, however, is not the same website as the one that the link from image (II) leads to.&amp;lt;ref name=&amp;quot;homepage&amp;quot; /&amp;gt; In fact, via the former (through &amp;quot;Legal Notices&amp;quot;),&amp;lt;ref name=&amp;quot;conformance&amp;quot; /&amp;gt; users can access a more recent version of the Terms of use (the version from 8 Apr 2026 as of 27 Jun 2026);&amp;lt;ref name=&amp;quot;tos2&amp;quot;&amp;gt;{{Cite web |title=Conformance Reports - Terms of use |date=8 Apr 2022 |url=https://conformance.thoriumreader.com/documents/desktop3/terms-of-use/ |url-status=live |website=conformance.thoriumreader.com |archive-url=https://ghostarchive.org/archive/bRGDV |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt; whereas via the latter, users can access (by scrolling down to the &amp;quot;Terms of Use, Privacy Policy&amp;quot; section, where they&#039;d find the link) Terms of service (as of 27 Jun 2026) from 22 Nov 2022.&amp;lt;ref name=&amp;quot;tos&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Image (IV) and (V) depict the settings tab, where any links can&#039;t be found either. This is also seen in the installation videos in [[EDRLab#External links|External links]].&amp;lt;ref name=&amp;quot;install-thorium-win&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;install-thorium-mac&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Products==&lt;br /&gt;
*Thorium Reader&lt;br /&gt;
*Readium LCP (main contributor)&lt;br /&gt;
*Lis mon Livre&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[[Digital rights management]]&lt;br /&gt;
*[[Forced arbitration]]&lt;br /&gt;
*[[Readium]]&lt;br /&gt;
*[[Adobe Digital Editions&#039; ebook DRM]]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
&lt;br /&gt;
==External links==&lt;br /&gt;
===Installation videos===&lt;br /&gt;
*[https://edumedia.dk/media/t/0_dadiw6fi/480184 Thorium PC installation video]&lt;br /&gt;
*[https://edumedia.dk/media/t/0_1j7nppt4 Thorium Mac installation video]&lt;br /&gt;
===ToS===&lt;br /&gt;
*[https://conformance.thoriumreader.com/documents/desktop3/terms-of-use/ 2026 ToS] ([https://ghostarchive.org/archive/bRGDV archived])&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/terms-of-use/ 2022 ToS] ([https://ghostarchive.org/archive/O61SS archived])&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;br /&gt;
===Privacy Policy===&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/privacy-policy/ Privacy policy] ([https://ghostarchive.org/archive/cemKI archived]); [https://conformance.thoriumreader.com/documents/desktop3/privacy-policy/ Same policy but on &amp;quot;conformance.thoriumreader.com&amp;quot;] ([https://ghostarchive.org/archive/ye7GZ archived])&lt;br /&gt;
===Websites===&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/ edrlab.org/software/thorium-reader/] ([https://ghostarchive.org/archive/mqQkB archived])&lt;br /&gt;
*[https://www.thoriumreader.com/en/ thoriumreader.com] ([https://ghostarchive.org/archive/ZjTqS archived])&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=EDRLab&amp;diff=59145</id>
		<title>EDRLab</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=EDRLab&amp;diff=59145"/>
		<updated>2026-06-27T12:44:16Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: added &amp;#039;www&amp;#039;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{CompanyCargo&lt;br /&gt;
|Founded=2015-07-17&lt;br /&gt;
|Industry=Software&lt;br /&gt;
|Logo=Edrlab.png&lt;br /&gt;
|Type=Non-profit&lt;br /&gt;
|CompanyAlias=European Digital Reading Lab&lt;br /&gt;
|Website=https://www.edrlab.org, https://www.thoriumreader.com&lt;br /&gt;
}}&lt;br /&gt;
EDRLab is a &amp;quot;non-profit development laboratory working on the deployment of an open, interoperable and accessible digital publishing ecosystem worldwide.&amp;quot; It has over 100 members, but some of its founding members are: [[wikipedia:Editis|Editis]], [[wikipedia:Hachette Livre|Hachette]], [[wikipedia:Centre national du livre|Centre National du livre]], [[wikipedia:Groupe Madrigall|Groupe Madrigall]] and the French State. EDRLab is a member of [[wikipedia:World Wide Web Consortium|W3C]] and [[Readium|Readium Foundation]]. It is one of the main contributors to Readium toolkits and the manager of Readium LCP [[Digital rights management|DRM]]. They are also the creators of Thorium Reader, an EPUB reading application.&amp;lt;ref&amp;gt;{{Cite web |title=About |url=https://www.edrlab.org/about/ |url-status=live |website=edrlab.org |archive-url=https://web.archive.org/web/20260502070949/https://www.edrlab.org/about/ |archive-date=2 May 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=EDRLab members directory |url=https://members.edrlab.org |url-status=live |archive-url=https://web.archive.org/web/20260303083006/https://members.edrlab.org/ |archive-date=3 Mar 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |language=fr |title=SITUATION AU REPERTOIRE SIRENE |date=24 Jun 2026 |url=https://api-avis-situation-sirene.insee.fr/identification/pdf/81344547500029 |url-status=live |website=insee.fr |archive-url=https://web.archive.org/web/20260624170714/https://api-avis-situation-sirene.insee.fr/identification/pdf/81344547500029 |archive-date=24 Jun 2026}}&amp;lt;/ref&amp;gt; They also focus on accessibility in order to increase the number of books available to people with disabilities.&amp;lt;ref&amp;gt;{{Cite web |title=Accessibility |url=https://www.edrlab.org/accessibility/ |url-status=live |website=edrlab.org |archive-url=https://ghostarchive.org/archive/EMoqh |archive-date=25 Jun 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
==Consumer-impact summary==&lt;br /&gt;
EDRLab is one of the main contributors to [[Readium]] LCP DRM. Their EPUB reader application, Thorium Reader, which uses &amp;lt;abbr title=&amp;quot;Licensed Content Protection&amp;quot;&amp;gt;LCP&amp;lt;/abbr&amp;gt;, claims to be private, yet it has &amp;quot;non-personal&amp;quot; data collection that the user cannot opt out of. It also contacts EDRLab&#039;s servers every time the application is started. &lt;br /&gt;
&lt;br /&gt;
This is not apparent, since Thorium&#039;s installer doesn&#039;t inform the user of this, there are no &amp;quot;agree/disagree&amp;quot; options and Thorium&#039;s interface does not directly link to either the [[Terms of service]] (ToS) or the Privacy policy (see: [[EDRLab#User not clearly presented with terms|User not clearly presented with terms]]. Users also wouldn&#039;t be notified if the Privacy policy were to change, since that would require them to manually check the Privacy policy page for updates. &lt;br /&gt;
&lt;br /&gt;
The Terms of service also mentions that the user agrees to &amp;quot;indemnify and hold harmless the EDRLab Parties&amp;quot; even for &amp;quot;alleged&amp;quot; breaches by the user of the ToS. It is also stated that &amp;quot;EDRLab Parties have the right to monitor the use of the Application.&amp;quot; The 2026 ToS also contains a [[Forced arbitration]] clause (see: [[EDRLab#Forced arbitration (8 Apr 2026 ToS version)|Forced arbitration (8 Apr 2026 ToS version)]]).&lt;br /&gt;
&lt;br /&gt;
The application is also deceptively marketed as open source as it is stated in the privacy policy that it is in fact not entirely open source, but rather has a &amp;quot;small software library used as core for the Readium LCP DRM, which does not store or send any data.&amp;quot; This requires users to trust the company on their word, since users cannot inspect the application, as they may not &amp;quot;rent, sell, modify, decompile, disassemble, reverse engineer or transfer the Application in whole or in part&amp;quot;, according to the Terms of service. Furthermore, this connects directly to the 2nd paragraph. The Terms of service as well as the Privacy policy are discussed in more detail in the &amp;quot;Incidents&amp;quot; section (see: [[EDRLab#Thorium Reader privacy policy and terms of use|Thorium Reader privacy policy and terms of use]]).&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
===Thorium Reader privacy policy and terms of use===&lt;br /&gt;
====Privacy policy (22 Nov 2022 version)====&lt;br /&gt;
Despite Thorium&#039;s homepage stating that:&amp;lt;blockquote&amp;gt;This application is free, with no ads and no private data leaks.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;thorium-home&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://www.edrlab.org/software/thorium-reader/ |url-status=live |website=edrlab.org |archive-url=https://web.archive.org/web/20260619033750/https://www.edrlab.org/software/thorium-reader/ |archive-date=19 Jun 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt;There is data collection, but it is stated that it is &amp;quot;non-personal.&amp;quot; The application calling itself private might give some users the wrong impression, if they take that to mean &amp;quot;no phoning home.&amp;quot; The reader sends this &amp;quot;non-personal&amp;quot; data to EDRLab&#039;s servers. &lt;br /&gt;
&lt;br /&gt;
It is impossible to opt out of &amp;quot;notifications&amp;quot; that are sent to a server every time the application is started. They state that this information &amp;lt;blockquote&amp;gt;is for analytics only and not accessed by any third party. It is used to get information about the evolution of the number of installs of the application per operating system, the evolution of usage sessions and the main locales in use.&amp;lt;/blockquote&amp;gt;And:&amp;lt;blockquote&amp;gt;Parameters of such notification are:&lt;br /&gt;
&lt;br /&gt;
*a timestamp,&lt;br /&gt;
*the version of Thorium Reader,&lt;br /&gt;
*the operating system of the device and its version,&lt;br /&gt;
*the locale of the application at the time it is started,&lt;br /&gt;
*if this is the first start of Thorium Reader after a fresh install.&lt;br /&gt;
&lt;br /&gt;
The IP address of the device is not stored along with the above information.&lt;br /&gt;
&lt;br /&gt;
It is not possible to opt-out from this notification.&amp;lt;/blockquote&amp;gt;Also:&amp;lt;blockquote&amp;gt;a notification is sent to an LCP Server each time a protected publication is open. This is required by the LCP specification for checking if the license of use of the publication has been updated. There is not centralized LCP Server, each server is operated by the distributor of the protected publication acquired by the user.&lt;br /&gt;
&lt;br /&gt;
Parameters of such notification are:&lt;br /&gt;
&lt;br /&gt;
*a device identifier, automatically generated at the install of the application.&lt;br /&gt;
*a device name, automatically generated at the install of the application.&lt;br /&gt;
&lt;br /&gt;
The codebase of Thorium Reader is open-sourced and can therefore be fully inspected, with the exception of a small software library used as core for the Readium LCP DRM, which does not store or send any data.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
The terms of privacy policy can also evidently be changed without users being notified in their actual reading application, but rather: &amp;lt;blockquote&amp;gt;We may change the Privacy Policy from time to time. We will notify you by posting the revised Privacy Policy on this page and the date on which the last changes were made will be noted at the top of the page.&amp;lt;/blockquote&amp;gt;So users would have to periodically check this site to know whether any terms have changed.&lt;br /&gt;
&lt;br /&gt;
====Terms of service (22 Nov 2022 version)====&lt;br /&gt;
Moving on to the Terms of service, there are several interesting things. First:&amp;lt;blockquote&amp;gt;You hereby agree to indemnify and hold harmless the EDRLab Parties from and against any and all claims, actions or proceedings of any nature whatsoever and all damages, judgments, losses, liabilities, costs and expenses, including reasonable attorneys’ fees and expenses (including those incurred to enforce this provision), arising out of your use of the Application, the Content, any actual or alleged breach by you of these Terms of Use, or any violation by you of any applicable law or the rights of any other person or entity.&amp;lt;/blockquote&amp;gt;Especially:&amp;lt;blockquote&amp;gt;any actual or alleged breach by you of these Terms of Use&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
As per this, one is agreeing to &amp;quot;indemnify and hold harmless the EDRLab Parties&amp;quot; even for alleged breaches of the terms of service.&lt;br /&gt;
&lt;br /&gt;
In one of the quotes above, it is mentioned that due to Thorium&#039;s open source nature, one can inspect its source code apart from a &amp;quot;small software library used as core for the Readium LCP DRM, which does not store or send any data&amp;quot; Which, one cannot verify that part, since:&amp;lt;blockquote&amp;gt;In addition, you may not rent, sell, modify, decompile, disassemble, reverse engineer or transfer the Application in whole or in part. You may not use any device, software or routine to interfere with or attempt to interfere with the proper functioning of the Application in whole or in part.&amp;lt;/blockquote&amp;gt;So it would appear that it is up to individual users to decide if not being able to verify that part is acceptable to them. Finally, there is also this:&amp;lt;blockquote&amp;gt; However, you acknowledge that the EDRLab Parties have the right to monitor the use of the Application, at its sole discretion, and to disclose any information necessary to comply with any law, regulation or government request, in order to be able to operate the Application adequately or in order to protect itself or its users under the “Privacy Policy”&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;tos&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader – Terms of Use |date=22 Nov 2022 |url=https://www.edrlab.org/software/thorium-reader/terms-of-use/ |website=edrlab.org |url-status=live |archive-url=https://web.archive.org/web/20260617083801/https://www.edrlab.org/software/thorium-reader/terms-of-use/ |archive-date=17 Jun 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;privacy-policy&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader – Privacy Policy |date=22 Nov 2022 |url=https://www.edrlab.org/software/thorium-reader/privacy-policy/ |website=edrlab.org |archive-url=https://web.archive.org/web/20260617083801/https://www.edrlab.org/software/thorium-reader/privacy-policy/ |url-status=live |archive-date=17 Jun 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt; The above summarizes and discusses Thorium&#039;s Privacy policy and Terms of service. Readers are encouraged to consult both the Privacy policy and the Terms of service for themselves and form their own conclusions.&lt;br /&gt;
=====Forced arbitration (8 Apr 2026 ToS version)=====&lt;br /&gt;
In the updated Terms of service (see [[EDRLab#External links|External links]]), from 8 Apr 2026, there is a Forced arbitration clause.&amp;lt;blockquote&amp;gt;To the fullest extent permitted by applicable law, any dispute, claim or controversy between you and EDRLab that relates in any way to or arises from your use of the Application or these Terms of Use (a “Dispute”) shall be resolved on an individual basis and, except as provided below, exclusively through binding arbitration. A Dispute will be submitted to arbitration, whether it is based on contract, statute, regulation, court order, tort or any other legal or equitable theory. You understand that in arbitration, there is no judge or jury and that judicial review of an arbitral award is limited. Unless otherwise required by mandatory law, the arbitration shall be administered by a recognised arbitration institution (for example, the ICC in Paris, or, for consumers in the United States, the American Arbitration Association) under its applicable rules for consumer or commercial disputes, as modified by this clause. The arbitration shall be conducted by a single arbitrator, in French or English, and, unless the arbitrator decides that an in‑person hearing is necessary, may be held by videoconference. The arbitrator shall apply the applicable governing law set out below and may award any remedies available at law or in equity. The arbitrator’s award shall be final and binding and may be entered in any court of competent jurisdiction.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
And:&amp;lt;blockquote&amp;gt;You agree that any arbitration or court proceeding will be conducted only on an individual basis, not as a class, collective, or representative action. To the fullest extent permitted by applicable law, you and EDRLab each waive any right to a jury trial in any court proceedings. Notwithstanding the foregoing, either you or EDRLab may: (a) bring an individual action in a court of competent jurisdiction for claims that fall within the jurisdiction of a small‑claims or equivalent court, or (b) seek provisional or injunctive relief in a court of competent jurisdiction to protect intellectual property rights or prevent unauthorised access to or use of the Application. You and we agree to submit to the exclusive jurisdiction of Paris, France. Unless prohibited by applicable law, and without regard to its conflict of laws principles, you and we agree that any Dispute between you and us will be governed by and construed in accordance with the laws of France. ​In all cases, nothing in these Terms of Use is intended to waive any sovereign immunity, governmental immunity or other mandatory legal protection that cannot be contractually waived under applicable law.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
You also agree to first contact EDRLab before initiating any proceedings:&amp;lt;blockquote&amp;gt;If you have any concern or dispute regarding the Application or these Terms of Use, you agree first to contact EDRLab at contact@edrlab.org and to make a good‑faith effort to resolve the dispute informally for at least thirty (30) days before initiating arbitration or court proceedings.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;tos2&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===User not clearly presented with terms===&lt;br /&gt;
During the installation process, the user is not clearly presented with the Terms of use or the Privacy policy. There is no option to agree or disagree to the terms and the privacy policy, nor are they directly linked in the app (see: [[EDRLab#Installation|Installation]] and [[EDRLab#Post-installation|Post-installation]]). While it is not possible to opt out, the user doesn&#039;t know that during installation, unless they&#039;d scrolled on Thorium&#039;s webpage to find the Terms of use and the Privacy policy, or unless they&#039;d found them wherever they&#039;re installing the app from (e.g. [[Microsoft|Microsoft]] Store). See [[EDRLab#External links|External links]] for installation videos of Thorium.&amp;lt;ref name=&amp;quot;install-thorium-win&amp;quot;&amp;gt;{{Cite web |date=24 Feb 2026 |title=installer_thorium_pc |author=Stine Kjær Kappel |url=https://edumedia.dk/media/t/0_dadiw6fi/480184 |url-status=live |website=edumedia.dk |archive-url=https://ghostarchive.org/archive/3IlBv |archive-date=25 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;install-thorium-mac&amp;quot;&amp;gt;{{Cite web |date=24 Feb 2026 |title=installer_thorium_mac |author=Stine Kjær Kappel |url=https://edumedia.dk/media/t/0_1j7nppt4 |url-status=live |website=edumedia.dk |archive-url=https://ghostarchive.org/archive/ILix8 |archive-date=25 Jun 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
====Installation====&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:Thorium-website.webp|alt=Installation step: 1 (installation page)|right|Installation step: 1 (installation page)&lt;br /&gt;
File:F1.webp|alt=Installation step: 1 (alternative on Windows: Microsoft Store)|right|Installation step: 1 (alternative on Windows: Microsoft Store)&lt;br /&gt;
File:F2.webp|alt=Installation step: 2 (Thorium being installed)|right|Installation step: 2 (Thorium being installed)&lt;br /&gt;
File:F3.webp|alt=Installation step: 3 (Thorium&#039;s welcome page upon first launch)|right|Installation step: 3 (Thorium&#039;s welcome page upon first launch)&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
No direct presentation of the Terms of use or the Privacy policy during installation (example on Windows).&lt;br /&gt;
=====Step 0=====&lt;br /&gt;
The Terms of use and the Privacy policy can be located on the homepage by scrolling down to the &amp;quot;Terms of Use, Privacy Policy&amp;quot; section.&amp;lt;ref name=&amp;quot;thorium-home&amp;quot; /&amp;gt;&lt;br /&gt;
=====Step 1=====&lt;br /&gt;
On the installation page (step 1), the user would have to click on &amp;quot;Support&amp;quot; on the top right (or &amp;quot;Minimum system requirement&amp;quot; in the center-left) and then locate the &amp;quot;About Thorium Reader&amp;quot; section on the bottom left. This is not the same page as the &amp;quot;About&amp;quot; located next to &amp;quot;Support.&amp;quot;&amp;lt;ref name=&amp;quot;homepage&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://thorium.edrlab.org/en/ |url-status=live |website=thorium.edrlab.org |archive-url=https://ghostarchive.org/archive/BI26o |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Thorium 3 support |url=https://thorium.edrlab.org/en/th3/ |url-status=live |website=thorium.edrlab.org |archive-url=https://ghostarchive.org/archive/eHOlo |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
======Microsoft Store======&lt;br /&gt;
On the Microsoft Store (alternative step 1 for Windows), the &amp;quot;Additional information&amp;quot; section contains links to the Privacy policy and the &amp;quot;Terms of transaction.&amp;quot; The former leads to EDRLab&#039;s &amp;quot;Legal Information&amp;quot; page, not the actual privacy policy on the site that the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; opens (it is also in French, even with the computer&#039;s language set to English)&amp;lt;ref&amp;gt;{{Cite web |title=Legal Information |url=https://www.edrlab.org/legal-information/ |url-status=live |website=edrlab.org |language=fr |archive-url=https://ghostarchive.org/archive/NvQtI |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
The latter link leads to a &amp;quot;Microsoft Store Terms of Sale&amp;quot; (which is not the same as the app&#039;s Terms of use). There is also a website link, but it opens a different website&amp;lt;ref name=&amp;quot;altsite&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://www.thoriumreader.com/en/ |url-status=live |website=thoriumreader.com |archive-url=https://ghostarchive.org/archive/ZjTqS |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt; than the one Thorium Reader opens when clicking &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; (see [[EDRLab#External links|External links]]).&amp;lt;ref&amp;gt;{{Cite web |title=Thorium Reader |url=https://apps.microsoft.com/detail/9nfzp1g7m2sc?hl=en-US |website=apps.microsoft.com |url-status=live |archive-url=https://ghostarchive.org/archive/ukmly |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt; That site site has a &amp;quot;Legal Notices&amp;quot; (not to be confused with the aforementioned &amp;quot;Legal Information&amp;quot; page) link, through which users can locate the Terms of service and the Privacy policy.&amp;lt;ref name=&amp;quot;altsite&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;conformance&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader Conformance Reports |url=https://conformance.thoriumreader.com/ |url-status=live |website=conformance.thoriumreader.com |archive-url=https://ghostarchive.org/archive/Y4JlV |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=====Step 2 &amp;amp; 3=====&lt;br /&gt;
The installer does not have a link to the Privacy policy or the Terms of service, but after installation (after getting past the welcome screen in image 3), one can use the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; link to go to the app&#039;s website and locate the documents (see [[EDRLab#Step 0|Step 0]]).&amp;lt;ref name=&amp;quot;thorium-home /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====Post-installation====&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:S1.webp|alt=(I) Welcome dialog post installation|right|(I) Welcome dialog post installation&lt;br /&gt;
File:S2.webp|alt=(II) &amp;quot;Resources &amp;amp; Community&amp;quot; section of the dialog |right|(II) &amp;quot;Resources &amp;amp; Community&amp;quot; section of the dialog&lt;br /&gt;
File:S0.webp|alt=(III)&amp;quot;Home&amp;quot; tab|right|(III) &amp;quot;Home&amp;quot; tab&lt;br /&gt;
File:S3.webp|alt=(IV) Settings -- general -- part 1|right|(IV) Settings -- general (part 1)&lt;br /&gt;
File:S4.webp|alt=(V) Settings -- general -- part 2|right|(V) Settings -- general (part 2)&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
No direct presentation of the Terms of use or the Privacy policy. The dialog in images (I) and (II) only contains information about the app&#039;s version and links, one of which is the website.&amp;lt;ref name=&amp;quot;altsite&amp;quot; /&amp;gt; This webpage includes a &amp;quot;Legal Notices&amp;quot; link, through which users can find the relevant documentation. &lt;br /&gt;
&lt;br /&gt;
Image (III) contains depicts the app&#039;s &amp;quot;Home&amp;quot; tab. The user would have to click the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; link (visible on the bottom right of the images), which would open the app&#039;s website in the browser. This, however, is not the same website as the one that the link from image (II) leads to.&amp;lt;ref name=&amp;quot;homepage&amp;quot; /&amp;gt; In fact, via the former (through &amp;quot;Legal Notices&amp;quot;),&amp;lt;ref name=&amp;quot;conformance&amp;quot; /&amp;gt; users can access a more recent version of the Terms of use (the version from 8 Apr 2026 as of 27 Jun 2026);&amp;lt;ref name=&amp;quot;tos2&amp;quot;&amp;gt;{{Cite web |title=Conformance Reports - Terms of use |date=8 Apr 2022 |url=https://conformance.thoriumreader.com/documents/desktop3/terms-of-use/ |url-status=live |website=conformance.thoriumreader.com |archive-url=https://ghostarchive.org/archive/bRGDV |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt; whereas via the latter, users can access (by scrolling down to the &amp;quot;Terms of Use, Privacy Policy&amp;quot; section, where they&#039;d find the link) Terms of service (as of 27 Jun 2026) from 22 Nov 2022.&amp;lt;ref name=&amp;quot;tos&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Image (IV) and (V) depict the settings tab, where any links can&#039;t be found either. This is also seen in the installation videos in [[EDRLab#External links|External links]].&amp;lt;ref name=&amp;quot;install-thorium-win&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;install-thorium-mac&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Products==&lt;br /&gt;
*Thorium Reader&lt;br /&gt;
*Readium LCP (main contributor)&lt;br /&gt;
*Lis mon Livre&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[[Digital rights management]]&lt;br /&gt;
*[[Forced arbitration]]&lt;br /&gt;
*[[Readium]]&lt;br /&gt;
*[[Adobe Digital Editions&#039; ebook DRM]]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
&lt;br /&gt;
==External links==&lt;br /&gt;
===Installation videos===&lt;br /&gt;
*[https://edumedia.dk/media/t/0_dadiw6fi/480184 Thorium PC installation video]&lt;br /&gt;
*[https://edumedia.dk/media/t/0_1j7nppt4 Thorium Mac installation video]&lt;br /&gt;
===ToS===&lt;br /&gt;
*[https://conformance.thoriumreader.com/documents/desktop3/terms-of-use/ 2026 ToS] ([https://ghostarchive.org/archive/bRGDV archived])&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/terms-of-use/ 2022 ToS] ([https://ghostarchive.org/archive/O61SS archived])&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;br /&gt;
===Privacy Policy===&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/privacy-policy/ Privacy policy] ([https://ghostarchive.org/archive/cemKI archived]); [https://conformance.thoriumreader.com/documents/desktop3/privacy-policy/ Same policy but on &amp;quot;conformance.thoriumreader.com&amp;quot;] ([https://ghostarchive.org/archive/ye7GZ archived])&lt;br /&gt;
===Websites===&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/ edrlab.org/software/thorium-reader/] ([https://ghostarchive.org/archive/mqQkB archived])&lt;br /&gt;
*[https://www.thoriumreader.com/en/ thoriumreader.com] ([https://ghostarchive.org/archive/ZjTqS archived])&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=EDRLab&amp;diff=59144</id>
		<title>EDRLab</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=EDRLab&amp;diff=59144"/>
		<updated>2026-06-27T12:41:52Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: turned website field into a comma separated list&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{CompanyCargo&lt;br /&gt;
|Founded=2015-07-17&lt;br /&gt;
|Industry=Software&lt;br /&gt;
|Logo=Edrlab.png&lt;br /&gt;
|Type=Non-profit&lt;br /&gt;
|CompanyAlias=European Digital Reading Lab&lt;br /&gt;
|Website=https://www.edrlab.org, https://thoriumreader.com&lt;br /&gt;
}}&lt;br /&gt;
EDRLab is a &amp;quot;non-profit development laboratory working on the deployment of an open, interoperable and accessible digital publishing ecosystem worldwide.&amp;quot; It has over 100 members, but some of its founding members are: [[wikipedia:Editis|Editis]], [[wikipedia:Hachette Livre|Hachette]], [[wikipedia:Centre national du livre|Centre National du livre]], [[wikipedia:Groupe Madrigall|Groupe Madrigall]] and the French State. EDRLab is a member of [[wikipedia:World Wide Web Consortium|W3C]] and [[Readium|Readium Foundation]]. It is one of the main contributors to Readium toolkits and the manager of Readium LCP [[Digital rights management|DRM]]. They are also the creators of Thorium Reader, an EPUB reading application.&amp;lt;ref&amp;gt;{{Cite web |title=About |url=https://www.edrlab.org/about/ |url-status=live |website=edrlab.org |archive-url=https://web.archive.org/web/20260502070949/https://www.edrlab.org/about/ |archive-date=2 May 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=EDRLab members directory |url=https://members.edrlab.org |url-status=live |archive-url=https://web.archive.org/web/20260303083006/https://members.edrlab.org/ |archive-date=3 Mar 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |language=fr |title=SITUATION AU REPERTOIRE SIRENE |date=24 Jun 2026 |url=https://api-avis-situation-sirene.insee.fr/identification/pdf/81344547500029 |url-status=live |website=insee.fr |archive-url=https://web.archive.org/web/20260624170714/https://api-avis-situation-sirene.insee.fr/identification/pdf/81344547500029 |archive-date=24 Jun 2026}}&amp;lt;/ref&amp;gt; They also focus on accessibility in order to increase the number of books available to people with disabilities.&amp;lt;ref&amp;gt;{{Cite web |title=Accessibility |url=https://www.edrlab.org/accessibility/ |url-status=live |website=edrlab.org |archive-url=https://ghostarchive.org/archive/EMoqh |archive-date=25 Jun 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
==Consumer-impact summary==&lt;br /&gt;
EDRLab is one of the main contributors to [[Readium]] LCP DRM. Their EPUB reader application, Thorium Reader, which uses &amp;lt;abbr title=&amp;quot;Licensed Content Protection&amp;quot;&amp;gt;LCP&amp;lt;/abbr&amp;gt;, claims to be private, yet it has &amp;quot;non-personal&amp;quot; data collection that the user cannot opt out of. It also contacts EDRLab&#039;s servers every time the application is started. &lt;br /&gt;
&lt;br /&gt;
This is not apparent, since Thorium&#039;s installer doesn&#039;t inform the user of this, there are no &amp;quot;agree/disagree&amp;quot; options and Thorium&#039;s interface does not directly link to either the [[Terms of service]] (ToS) or the Privacy policy (see: [[EDRLab#User not clearly presented with terms|User not clearly presented with terms]]. Users also wouldn&#039;t be notified if the Privacy policy were to change, since that would require them to manually check the Privacy policy page for updates. &lt;br /&gt;
&lt;br /&gt;
The Terms of service also mentions that the user agrees to &amp;quot;indemnify and hold harmless the EDRLab Parties&amp;quot; even for &amp;quot;alleged&amp;quot; breaches by the user of the ToS. It is also stated that &amp;quot;EDRLab Parties have the right to monitor the use of the Application.&amp;quot; The 2026 ToS also contains a [[Forced arbitration]] clause (see: [[EDRLab#Forced arbitration (8 Apr 2026 ToS version)|Forced arbitration (8 Apr 2026 ToS version)]]).&lt;br /&gt;
&lt;br /&gt;
The application is also deceptively marketed as open source as it is stated in the privacy policy that it is in fact not entirely open source, but rather has a &amp;quot;small software library used as core for the Readium LCP DRM, which does not store or send any data.&amp;quot; This requires users to trust the company on their word, since users cannot inspect the application, as they may not &amp;quot;rent, sell, modify, decompile, disassemble, reverse engineer or transfer the Application in whole or in part&amp;quot;, according to the Terms of service. Furthermore, this connects directly to the 2nd paragraph. The Terms of service as well as the Privacy policy are discussed in more detail in the &amp;quot;Incidents&amp;quot; section (see: [[EDRLab#Thorium Reader privacy policy and terms of use|Thorium Reader privacy policy and terms of use]]).&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
===Thorium Reader privacy policy and terms of use===&lt;br /&gt;
====Privacy policy (22 Nov 2022 version)====&lt;br /&gt;
Despite Thorium&#039;s homepage stating that:&amp;lt;blockquote&amp;gt;This application is free, with no ads and no private data leaks.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;thorium-home&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://www.edrlab.org/software/thorium-reader/ |url-status=live |website=edrlab.org |archive-url=https://web.archive.org/web/20260619033750/https://www.edrlab.org/software/thorium-reader/ |archive-date=19 Jun 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt;There is data collection, but it is stated that it is &amp;quot;non-personal.&amp;quot; The application calling itself private might give some users the wrong impression, if they take that to mean &amp;quot;no phoning home.&amp;quot; The reader sends this &amp;quot;non-personal&amp;quot; data to EDRLab&#039;s servers. &lt;br /&gt;
&lt;br /&gt;
It is impossible to opt out of &amp;quot;notifications&amp;quot; that are sent to a server every time the application is started. They state that this information &amp;lt;blockquote&amp;gt;is for analytics only and not accessed by any third party. It is used to get information about the evolution of the number of installs of the application per operating system, the evolution of usage sessions and the main locales in use.&amp;lt;/blockquote&amp;gt;And:&amp;lt;blockquote&amp;gt;Parameters of such notification are:&lt;br /&gt;
&lt;br /&gt;
*a timestamp,&lt;br /&gt;
*the version of Thorium Reader,&lt;br /&gt;
*the operating system of the device and its version,&lt;br /&gt;
*the locale of the application at the time it is started,&lt;br /&gt;
*if this is the first start of Thorium Reader after a fresh install.&lt;br /&gt;
&lt;br /&gt;
The IP address of the device is not stored along with the above information.&lt;br /&gt;
&lt;br /&gt;
It is not possible to opt-out from this notification.&amp;lt;/blockquote&amp;gt;Also:&amp;lt;blockquote&amp;gt;a notification is sent to an LCP Server each time a protected publication is open. This is required by the LCP specification for checking if the license of use of the publication has been updated. There is not centralized LCP Server, each server is operated by the distributor of the protected publication acquired by the user.&lt;br /&gt;
&lt;br /&gt;
Parameters of such notification are:&lt;br /&gt;
&lt;br /&gt;
*a device identifier, automatically generated at the install of the application.&lt;br /&gt;
*a device name, automatically generated at the install of the application.&lt;br /&gt;
&lt;br /&gt;
The codebase of Thorium Reader is open-sourced and can therefore be fully inspected, with the exception of a small software library used as core for the Readium LCP DRM, which does not store or send any data.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
The terms of privacy policy can also evidently be changed without users being notified in their actual reading application, but rather: &amp;lt;blockquote&amp;gt;We may change the Privacy Policy from time to time. We will notify you by posting the revised Privacy Policy on this page and the date on which the last changes were made will be noted at the top of the page.&amp;lt;/blockquote&amp;gt;So users would have to periodically check this site to know whether any terms have changed.&lt;br /&gt;
&lt;br /&gt;
====Terms of service (22 Nov 2022 version)====&lt;br /&gt;
Moving on to the Terms of service, there are several interesting things. First:&amp;lt;blockquote&amp;gt;You hereby agree to indemnify and hold harmless the EDRLab Parties from and against any and all claims, actions or proceedings of any nature whatsoever and all damages, judgments, losses, liabilities, costs and expenses, including reasonable attorneys’ fees and expenses (including those incurred to enforce this provision), arising out of your use of the Application, the Content, any actual or alleged breach by you of these Terms of Use, or any violation by you of any applicable law or the rights of any other person or entity.&amp;lt;/blockquote&amp;gt;Especially:&amp;lt;blockquote&amp;gt;any actual or alleged breach by you of these Terms of Use&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
As per this, one is agreeing to &amp;quot;indemnify and hold harmless the EDRLab Parties&amp;quot; even for alleged breaches of the terms of service.&lt;br /&gt;
&lt;br /&gt;
In one of the quotes above, it is mentioned that due to Thorium&#039;s open source nature, one can inspect its source code apart from a &amp;quot;small software library used as core for the Readium LCP DRM, which does not store or send any data&amp;quot; Which, one cannot verify that part, since:&amp;lt;blockquote&amp;gt;In addition, you may not rent, sell, modify, decompile, disassemble, reverse engineer or transfer the Application in whole or in part. You may not use any device, software or routine to interfere with or attempt to interfere with the proper functioning of the Application in whole or in part.&amp;lt;/blockquote&amp;gt;So it would appear that it is up to individual users to decide if not being able to verify that part is acceptable to them. Finally, there is also this:&amp;lt;blockquote&amp;gt; However, you acknowledge that the EDRLab Parties have the right to monitor the use of the Application, at its sole discretion, and to disclose any information necessary to comply with any law, regulation or government request, in order to be able to operate the Application adequately or in order to protect itself or its users under the “Privacy Policy”&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;tos&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader – Terms of Use |date=22 Nov 2022 |url=https://www.edrlab.org/software/thorium-reader/terms-of-use/ |website=edrlab.org |url-status=live |archive-url=https://web.archive.org/web/20260617083801/https://www.edrlab.org/software/thorium-reader/terms-of-use/ |archive-date=17 Jun 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;privacy-policy&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader – Privacy Policy |date=22 Nov 2022 |url=https://www.edrlab.org/software/thorium-reader/privacy-policy/ |website=edrlab.org |archive-url=https://web.archive.org/web/20260617083801/https://www.edrlab.org/software/thorium-reader/privacy-policy/ |url-status=live |archive-date=17 Jun 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt; The above summarizes and discusses Thorium&#039;s Privacy policy and Terms of service. Readers are encouraged to consult both the Privacy policy and the Terms of service for themselves and form their own conclusions.&lt;br /&gt;
=====Forced arbitration (8 Apr 2026 ToS version)=====&lt;br /&gt;
In the updated Terms of service (see [[EDRLab#External links|External links]]), from 8 Apr 2026, there is a Forced arbitration clause.&amp;lt;blockquote&amp;gt;To the fullest extent permitted by applicable law, any dispute, claim or controversy between you and EDRLab that relates in any way to or arises from your use of the Application or these Terms of Use (a “Dispute”) shall be resolved on an individual basis and, except as provided below, exclusively through binding arbitration. A Dispute will be submitted to arbitration, whether it is based on contract, statute, regulation, court order, tort or any other legal or equitable theory. You understand that in arbitration, there is no judge or jury and that judicial review of an arbitral award is limited. Unless otherwise required by mandatory law, the arbitration shall be administered by a recognised arbitration institution (for example, the ICC in Paris, or, for consumers in the United States, the American Arbitration Association) under its applicable rules for consumer or commercial disputes, as modified by this clause. The arbitration shall be conducted by a single arbitrator, in French or English, and, unless the arbitrator decides that an in‑person hearing is necessary, may be held by videoconference. The arbitrator shall apply the applicable governing law set out below and may award any remedies available at law or in equity. The arbitrator’s award shall be final and binding and may be entered in any court of competent jurisdiction.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
And:&amp;lt;blockquote&amp;gt;You agree that any arbitration or court proceeding will be conducted only on an individual basis, not as a class, collective, or representative action. To the fullest extent permitted by applicable law, you and EDRLab each waive any right to a jury trial in any court proceedings. Notwithstanding the foregoing, either you or EDRLab may: (a) bring an individual action in a court of competent jurisdiction for claims that fall within the jurisdiction of a small‑claims or equivalent court, or (b) seek provisional or injunctive relief in a court of competent jurisdiction to protect intellectual property rights or prevent unauthorised access to or use of the Application. You and we agree to submit to the exclusive jurisdiction of Paris, France. Unless prohibited by applicable law, and without regard to its conflict of laws principles, you and we agree that any Dispute between you and us will be governed by and construed in accordance with the laws of France. ​In all cases, nothing in these Terms of Use is intended to waive any sovereign immunity, governmental immunity or other mandatory legal protection that cannot be contractually waived under applicable law.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
You also agree to first contact EDRLab before initiating any proceedings:&amp;lt;blockquote&amp;gt;If you have any concern or dispute regarding the Application or these Terms of Use, you agree first to contact EDRLab at contact@edrlab.org and to make a good‑faith effort to resolve the dispute informally for at least thirty (30) days before initiating arbitration or court proceedings.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;tos2&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===User not clearly presented with terms===&lt;br /&gt;
During the installation process, the user is not clearly presented with the Terms of use or the Privacy policy. There is no option to agree or disagree to the terms and the privacy policy, nor are they directly linked in the app (see: [[EDRLab#Installation|Installation]] and [[EDRLab#Post-installation|Post-installation]]). While it is not possible to opt out, the user doesn&#039;t know that during installation, unless they&#039;d scrolled on Thorium&#039;s webpage to find the Terms of use and the Privacy policy, or unless they&#039;d found them wherever they&#039;re installing the app from (e.g. [[Microsoft|Microsoft]] Store). See [[EDRLab#External links|External links]] for installation videos of Thorium.&amp;lt;ref name=&amp;quot;install-thorium-win&amp;quot;&amp;gt;{{Cite web |date=24 Feb 2026 |title=installer_thorium_pc |author=Stine Kjær Kappel |url=https://edumedia.dk/media/t/0_dadiw6fi/480184 |url-status=live |website=edumedia.dk |archive-url=https://ghostarchive.org/archive/3IlBv |archive-date=25 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;install-thorium-mac&amp;quot;&amp;gt;{{Cite web |date=24 Feb 2026 |title=installer_thorium_mac |author=Stine Kjær Kappel |url=https://edumedia.dk/media/t/0_1j7nppt4 |url-status=live |website=edumedia.dk |archive-url=https://ghostarchive.org/archive/ILix8 |archive-date=25 Jun 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
====Installation====&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:Thorium-website.webp|alt=Installation step: 1 (installation page)|right|Installation step: 1 (installation page)&lt;br /&gt;
File:F1.webp|alt=Installation step: 1 (alternative on Windows: Microsoft Store)|right|Installation step: 1 (alternative on Windows: Microsoft Store)&lt;br /&gt;
File:F2.webp|alt=Installation step: 2 (Thorium being installed)|right|Installation step: 2 (Thorium being installed)&lt;br /&gt;
File:F3.webp|alt=Installation step: 3 (Thorium&#039;s welcome page upon first launch)|right|Installation step: 3 (Thorium&#039;s welcome page upon first launch)&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
No direct presentation of the Terms of use or the Privacy policy during installation (example on Windows).&lt;br /&gt;
=====Step 0=====&lt;br /&gt;
The Terms of use and the Privacy policy can be located on the homepage by scrolling down to the &amp;quot;Terms of Use, Privacy Policy&amp;quot; section.&amp;lt;ref name=&amp;quot;thorium-home&amp;quot; /&amp;gt;&lt;br /&gt;
=====Step 1=====&lt;br /&gt;
On the installation page (step 1), the user would have to click on &amp;quot;Support&amp;quot; on the top right (or &amp;quot;Minimum system requirement&amp;quot; in the center-left) and then locate the &amp;quot;About Thorium Reader&amp;quot; section on the bottom left. This is not the same page as the &amp;quot;About&amp;quot; located next to &amp;quot;Support.&amp;quot;&amp;lt;ref name=&amp;quot;homepage&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://thorium.edrlab.org/en/ |url-status=live |website=thorium.edrlab.org |archive-url=https://ghostarchive.org/archive/BI26o |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Thorium 3 support |url=https://thorium.edrlab.org/en/th3/ |url-status=live |website=thorium.edrlab.org |archive-url=https://ghostarchive.org/archive/eHOlo |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
======Microsoft Store======&lt;br /&gt;
On the Microsoft Store (alternative step 1 for Windows), the &amp;quot;Additional information&amp;quot; section contains links to the Privacy policy and the &amp;quot;Terms of transaction.&amp;quot; The former leads to EDRLab&#039;s &amp;quot;Legal Information&amp;quot; page, not the actual privacy policy on the site that the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; opens (it is also in French, even with the computer&#039;s language set to English)&amp;lt;ref&amp;gt;{{Cite web |title=Legal Information |url=https://www.edrlab.org/legal-information/ |url-status=live |website=edrlab.org |language=fr |archive-url=https://ghostarchive.org/archive/NvQtI |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
The latter link leads to a &amp;quot;Microsoft Store Terms of Sale&amp;quot; (which is not the same as the app&#039;s Terms of use). There is also a website link, but it opens a different website&amp;lt;ref name=&amp;quot;altsite&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://www.thoriumreader.com/en/ |url-status=live |website=thoriumreader.com |archive-url=https://ghostarchive.org/archive/ZjTqS |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt; than the one Thorium Reader opens when clicking &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; (see [[EDRLab#External links|External links]]).&amp;lt;ref&amp;gt;{{Cite web |title=Thorium Reader |url=https://apps.microsoft.com/detail/9nfzp1g7m2sc?hl=en-US |website=apps.microsoft.com |url-status=live |archive-url=https://ghostarchive.org/archive/ukmly |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt; That site site has a &amp;quot;Legal Notices&amp;quot; (not to be confused with the aforementioned &amp;quot;Legal Information&amp;quot; page) link, through which users can locate the Terms of service and the Privacy policy.&amp;lt;ref name=&amp;quot;altsite&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;conformance&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader Conformance Reports |url=https://conformance.thoriumreader.com/ |url-status=live |website=conformance.thoriumreader.com |archive-url=https://ghostarchive.org/archive/Y4JlV |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=====Step 2 &amp;amp; 3=====&lt;br /&gt;
The installer does not have a link to the Privacy policy or the Terms of service, but after installation (after getting past the welcome screen in image 3), one can use the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; link to go to the app&#039;s website and locate the documents (see [[EDRLab#Step 0|Step 0]]).&amp;lt;ref name=&amp;quot;thorium-home /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====Post-installation====&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:S1.webp|alt=(I) Welcome dialog post installation|right|(I) Welcome dialog post installation&lt;br /&gt;
File:S2.webp|alt=(II) &amp;quot;Resources &amp;amp; Community&amp;quot; section of the dialog |right|(II) &amp;quot;Resources &amp;amp; Community&amp;quot; section of the dialog&lt;br /&gt;
File:S0.webp|alt=(III)&amp;quot;Home&amp;quot; tab|right|(III) &amp;quot;Home&amp;quot; tab&lt;br /&gt;
File:S3.webp|alt=(IV) Settings -- general -- part 1|right|(IV) Settings -- general (part 1)&lt;br /&gt;
File:S4.webp|alt=(V) Settings -- general -- part 2|right|(V) Settings -- general (part 2)&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
No direct presentation of the Terms of use or the Privacy policy. The dialog in images (I) and (II) only contains information about the app&#039;s version and links, one of which is the website.&amp;lt;ref name=&amp;quot;altsite&amp;quot; /&amp;gt; This webpage includes a &amp;quot;Legal Notices&amp;quot; link, through which users can find the relevant documentation. &lt;br /&gt;
&lt;br /&gt;
Image (III) contains depicts the app&#039;s &amp;quot;Home&amp;quot; tab. The user would have to click the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; link (visible on the bottom right of the images), which would open the app&#039;s website in the browser. This, however, is not the same website as the one that the link from image (II) leads to.&amp;lt;ref name=&amp;quot;homepage&amp;quot; /&amp;gt; In fact, via the former (through &amp;quot;Legal Notices&amp;quot;),&amp;lt;ref name=&amp;quot;conformance&amp;quot; /&amp;gt; users can access a more recent version of the Terms of use (the version from 8 Apr 2026 as of 27 Jun 2026);&amp;lt;ref name=&amp;quot;tos2&amp;quot;&amp;gt;{{Cite web |title=Conformance Reports - Terms of use |date=8 Apr 2022 |url=https://conformance.thoriumreader.com/documents/desktop3/terms-of-use/ |url-status=live |website=conformance.thoriumreader.com |archive-url=https://ghostarchive.org/archive/bRGDV |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt; whereas via the latter, users can access (by scrolling down to the &amp;quot;Terms of Use, Privacy Policy&amp;quot; section, where they&#039;d find the link) Terms of service (as of 27 Jun 2026) from 22 Nov 2022.&amp;lt;ref name=&amp;quot;tos&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Image (IV) and (V) depict the settings tab, where any links can&#039;t be found either. This is also seen in the installation videos in [[EDRLab#External links|External links]].&amp;lt;ref name=&amp;quot;install-thorium-win&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;install-thorium-mac&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Products==&lt;br /&gt;
*Thorium Reader&lt;br /&gt;
*Readium LCP (main contributor)&lt;br /&gt;
*Lis mon Livre&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[[Digital rights management]]&lt;br /&gt;
*[[Forced arbitration]]&lt;br /&gt;
*[[Readium]]&lt;br /&gt;
*[[Adobe Digital Editions&#039; ebook DRM]]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
&lt;br /&gt;
==External links==&lt;br /&gt;
===Installation videos===&lt;br /&gt;
*[https://edumedia.dk/media/t/0_dadiw6fi/480184 Thorium PC installation video]&lt;br /&gt;
*[https://edumedia.dk/media/t/0_1j7nppt4 Thorium Mac installation video]&lt;br /&gt;
===ToS===&lt;br /&gt;
*[https://conformance.thoriumreader.com/documents/desktop3/terms-of-use/ 2026 ToS] ([https://ghostarchive.org/archive/bRGDV archived])&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/terms-of-use/ 2022 ToS] ([https://ghostarchive.org/archive/O61SS archived])&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;br /&gt;
===Privacy Policy===&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/privacy-policy/ Privacy policy] ([https://ghostarchive.org/archive/cemKI archived]); [https://conformance.thoriumreader.com/documents/desktop3/privacy-policy/ Same policy but on &amp;quot;conformance.thoriumreader.com&amp;quot;] ([https://ghostarchive.org/archive/ye7GZ archived])&lt;br /&gt;
===Websites===&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/ edrlab.org/software/thorium-reader/] ([https://ghostarchive.org/archive/mqQkB archived])&lt;br /&gt;
*[https://www.thoriumreader.com/en/ thoriumreader.com] ([https://ghostarchive.org/archive/ZjTqS archived])&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=EDRLab&amp;diff=59120</id>
		<title>EDRLab</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=EDRLab&amp;diff=59120"/>
		<updated>2026-06-27T09:43:36Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: /* Consumer-impact summary */ added another link&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{CompanyCargo&lt;br /&gt;
|Founded=2015-07-17&lt;br /&gt;
|Industry=Software&lt;br /&gt;
|Logo=Edrlab.png&lt;br /&gt;
|Type=Non-profit&lt;br /&gt;
|CompanyAlias=European Digital Reading Lab&lt;br /&gt;
|Website=https://www.edrlab.org/ and https://thoriumreader.com (Thorium)&lt;br /&gt;
}}&lt;br /&gt;
EDRLab is a &amp;quot;non-profit development laboratory working on the deployment of an open, interoperable and accessible digital publishing ecosystem worldwide.&amp;quot; It has over 100 members, but some of its founding members are: [[wikipedia:Editis|Editis]], [[wikipedia:Hachette Livre|Hachette]], [[wikipedia:Centre national du livre|Centre National du livre]], [[wikipedia:Groupe Madrigall|Groupe Madrigall]] and the French State. EDRLab is a member of [[wikipedia:World Wide Web Consortium|W3C]] and [[Readium|Readium Foundation]]. It is one of the main contributors to Readium toolkits and the manager of Readium LCP [[Digital rights management|DRM]]. They are also the creators of Thorium Reader, an EPUB reading application.&amp;lt;ref&amp;gt;{{Cite web |title=About |url=https://www.edrlab.org/about/ |url-status=live |website=edrlab.org |archive-url=https://web.archive.org/web/20260502070949/https://www.edrlab.org/about/ |archive-date=2 May 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=EDRLab members directory |url=https://members.edrlab.org |url-status=live |archive-url=https://web.archive.org/web/20260303083006/https://members.edrlab.org/ |archive-date=3 Mar 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |language=fr |title=SITUATION AU REPERTOIRE SIRENE |date=24 Jun 2026 |url=https://api-avis-situation-sirene.insee.fr/identification/pdf/81344547500029 |url-status=live |website=insee.fr |archive-url=https://web.archive.org/web/20260624170714/https://api-avis-situation-sirene.insee.fr/identification/pdf/81344547500029 |archive-date=24 Jun 2026}}&amp;lt;/ref&amp;gt; They also focus on accessibility in order to increase the number of books available to people with disabilities.&amp;lt;ref&amp;gt;{{Cite web |title=Accessibility |url=https://www.edrlab.org/accessibility/ |url-status=live |website=edrlab.org |archive-url=https://ghostarchive.org/archive/EMoqh |archive-date=25 Jun 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
==Consumer-impact summary==&lt;br /&gt;
EDRLab is one of the main contributors to [[Readium]] LCP DRM. Their EPUB reader application, Thorium Reader, which uses &amp;lt;abbr title=&amp;quot;Licensed Content Protection&amp;quot;&amp;gt;LCP&amp;lt;/abbr&amp;gt;, claims to be private, yet it has &amp;quot;non-personal&amp;quot; data collection that the user cannot opt out of. It also contacts EDRLab&#039;s servers every time the application is started. &lt;br /&gt;
&lt;br /&gt;
This is not apparent, since Thorium&#039;s installer doesn&#039;t inform the user of this, there are no &amp;quot;agree/disagree&amp;quot; options and Thorium&#039;s interface does not directly link to either the [[Terms of service]] (ToS) or the Privacy policy (see: [[EDRLab#User not clearly presented with terms|User not clearly presented with terms]]. Users also wouldn&#039;t be notified if the Privacy policy were to change, since that would require them to manually check the Privacy policy page for updates. &lt;br /&gt;
&lt;br /&gt;
The Terms of service also mentions that the user agrees to &amp;quot;indemnify and hold harmless the EDRLab Parties&amp;quot; even for &amp;quot;alleged&amp;quot; breaches by the user of the ToS. It is also stated that &amp;quot;EDRLab Parties have the right to monitor the use of the Application.&amp;quot; The 2026 ToS also contains a [[Forced arbitration]] clause (see: [[EDRLab#Forced arbitration (8 Apr 2026 ToS version)|Forced arbitration (8 Apr 2026 ToS version)]]).&lt;br /&gt;
&lt;br /&gt;
The application is also deceptively marketed as open source as it is stated in the privacy policy that it is in fact not entirely open source, but rather has a &amp;quot;small software library used as core for the Readium LCP DRM, which does not store or send any data.&amp;quot; This requires users to trust the company on their word, since users cannot inspect the application, as they may not &amp;quot;rent, sell, modify, decompile, disassemble, reverse engineer or transfer the Application in whole or in part&amp;quot;, according to the Terms of service. Furthermore, this connects directly to the 2nd paragraph. The Terms of service as well as the Privacy policy are discussed in more detail in the &amp;quot;Incidents&amp;quot; section (see: [[EDRLab#Thorium Reader privacy policy and terms of use|Thorium Reader privacy policy and terms of use]]).&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
===Thorium Reader privacy policy and terms of use===&lt;br /&gt;
====Privacy policy (22 Nov 2022 version)====&lt;br /&gt;
Despite Thorium&#039;s homepage stating that:&amp;lt;blockquote&amp;gt;This application is free, with no ads and no private data leaks.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;thorium-home&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://www.edrlab.org/software/thorium-reader/ |url-status=live |website=edrlab.org |archive-url=https://web.archive.org/web/20260619033750/https://www.edrlab.org/software/thorium-reader/ |archive-date=19 Jun 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt;There is data collection, but it is stated that it is &amp;quot;non-personal.&amp;quot; The application calling itself private might give some users the wrong impression, if they take that to mean &amp;quot;no phoning home.&amp;quot; The reader sends this &amp;quot;non-personal&amp;quot; data to EDRLab&#039;s servers. &lt;br /&gt;
&lt;br /&gt;
It is impossible to opt out of &amp;quot;notifications&amp;quot; that are sent to a server every time the application is started. They state that this information &amp;lt;blockquote&amp;gt;is for analytics only and not accessed by any third party. It is used to get information about the evolution of the number of installs of the application per operating system, the evolution of usage sessions and the main locales in use.&amp;lt;/blockquote&amp;gt;And:&amp;lt;blockquote&amp;gt;Parameters of such notification are:&lt;br /&gt;
&lt;br /&gt;
*a timestamp,&lt;br /&gt;
*the version of Thorium Reader,&lt;br /&gt;
*the operating system of the device and its version,&lt;br /&gt;
*the locale of the application at the time it is started,&lt;br /&gt;
*if this is the first start of Thorium Reader after a fresh install.&lt;br /&gt;
&lt;br /&gt;
The IP address of the device is not stored along with the above information.&lt;br /&gt;
&lt;br /&gt;
It is not possible to opt-out from this notification.&amp;lt;/blockquote&amp;gt;Also:&amp;lt;blockquote&amp;gt;a notification is sent to an LCP Server each time a protected publication is open. This is required by the LCP specification for checking if the license of use of the publication has been updated. There is not centralized LCP Server, each server is operated by the distributor of the protected publication acquired by the user.&lt;br /&gt;
&lt;br /&gt;
Parameters of such notification are:&lt;br /&gt;
&lt;br /&gt;
*a device identifier, automatically generated at the install of the application.&lt;br /&gt;
*a device name, automatically generated at the install of the application.&lt;br /&gt;
&lt;br /&gt;
The codebase of Thorium Reader is open-sourced and can therefore be fully inspected, with the exception of a small software library used as core for the Readium LCP DRM, which does not store or send any data.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
The terms of privacy policy can also evidently be changed without users being notified in their actual reading application, but rather: &amp;lt;blockquote&amp;gt;We may change the Privacy Policy from time to time. We will notify you by posting the revised Privacy Policy on this page and the date on which the last changes were made will be noted at the top of the page.&amp;lt;/blockquote&amp;gt;So users would have to periodically check this site to know whether any terms have changed.&lt;br /&gt;
&lt;br /&gt;
====Terms of service (22 Nov 2022 version)====&lt;br /&gt;
Moving on to the Terms of service, there are several interesting things. First:&amp;lt;blockquote&amp;gt;You hereby agree to indemnify and hold harmless the EDRLab Parties from and against any and all claims, actions or proceedings of any nature whatsoever and all damages, judgments, losses, liabilities, costs and expenses, including reasonable attorneys’ fees and expenses (including those incurred to enforce this provision), arising out of your use of the Application, the Content, any actual or alleged breach by you of these Terms of Use, or any violation by you of any applicable law or the rights of any other person or entity.&amp;lt;/blockquote&amp;gt;Especially:&amp;lt;blockquote&amp;gt;any actual or alleged breach by you of these Terms of Use&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
As per this, one is agreeing to &amp;quot;indemnify and hold harmless the EDRLab Parties&amp;quot; even for alleged breaches of the terms of service.&lt;br /&gt;
&lt;br /&gt;
In one of the quotes above, it is mentioned that due to Thorium&#039;s open source nature, one can inspect its source code apart from a &amp;quot;small software library used as core for the Readium LCP DRM, which does not store or send any data&amp;quot; Which, one cannot verify that part, since:&amp;lt;blockquote&amp;gt;In addition, you may not rent, sell, modify, decompile, disassemble, reverse engineer or transfer the Application in whole or in part. You may not use any device, software or routine to interfere with or attempt to interfere with the proper functioning of the Application in whole or in part.&amp;lt;/blockquote&amp;gt;So it would appear that it is up to individual users to decide if not being able to verify that part is acceptable to them. Finally, there is also this:&amp;lt;blockquote&amp;gt; However, you acknowledge that the EDRLab Parties have the right to monitor the use of the Application, at its sole discretion, and to disclose any information necessary to comply with any law, regulation or government request, in order to be able to operate the Application adequately or in order to protect itself or its users under the “Privacy Policy”&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;tos&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader – Terms of Use |date=22 Nov 2022 |url=https://www.edrlab.org/software/thorium-reader/terms-of-use/ |website=edrlab.org |url-status=live |archive-url=https://web.archive.org/web/20260617083801/https://www.edrlab.org/software/thorium-reader/terms-of-use/ |archive-date=17 Jun 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;privacy-policy&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader – Privacy Policy |date=22 Nov 2022 |url=https://www.edrlab.org/software/thorium-reader/privacy-policy/ |website=edrlab.org |archive-url=https://web.archive.org/web/20260617083801/https://www.edrlab.org/software/thorium-reader/privacy-policy/ |url-status=live |archive-date=17 Jun 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt; The above summarizes and discusses Thorium&#039;s Privacy policy and Terms of service. Readers are encouraged to consult both the Privacy policy and the Terms of service for themselves and form their own conclusions.&lt;br /&gt;
=====Forced arbitration (8 Apr 2026 ToS version)=====&lt;br /&gt;
In the updated Terms of service (see [[EDRLab#External links|External links]]), from 8 Apr 2026, there is a Forced arbitration clause.&amp;lt;blockquote&amp;gt;To the fullest extent permitted by applicable law, any dispute, claim or controversy between you and EDRLab that relates in any way to or arises from your use of the Application or these Terms of Use (a “Dispute”) shall be resolved on an individual basis and, except as provided below, exclusively through binding arbitration. A Dispute will be submitted to arbitration, whether it is based on contract, statute, regulation, court order, tort or any other legal or equitable theory. You understand that in arbitration, there is no judge or jury and that judicial review of an arbitral award is limited. Unless otherwise required by mandatory law, the arbitration shall be administered by a recognised arbitration institution (for example, the ICC in Paris, or, for consumers in the United States, the American Arbitration Association) under its applicable rules for consumer or commercial disputes, as modified by this clause. The arbitration shall be conducted by a single arbitrator, in French or English, and, unless the arbitrator decides that an in‑person hearing is necessary, may be held by videoconference. The arbitrator shall apply the applicable governing law set out below and may award any remedies available at law or in equity. The arbitrator’s award shall be final and binding and may be entered in any court of competent jurisdiction.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
And:&amp;lt;blockquote&amp;gt;You agree that any arbitration or court proceeding will be conducted only on an individual basis, not as a class, collective, or representative action. To the fullest extent permitted by applicable law, you and EDRLab each waive any right to a jury trial in any court proceedings. Notwithstanding the foregoing, either you or EDRLab may: (a) bring an individual action in a court of competent jurisdiction for claims that fall within the jurisdiction of a small‑claims or equivalent court, or (b) seek provisional or injunctive relief in a court of competent jurisdiction to protect intellectual property rights or prevent unauthorised access to or use of the Application. You and we agree to submit to the exclusive jurisdiction of Paris, France. Unless prohibited by applicable law, and without regard to its conflict of laws principles, you and we agree that any Dispute between you and us will be governed by and construed in accordance with the laws of France. ​In all cases, nothing in these Terms of Use is intended to waive any sovereign immunity, governmental immunity or other mandatory legal protection that cannot be contractually waived under applicable law.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
You also agree to first contact EDRLab before initiating any proceedings:&amp;lt;blockquote&amp;gt;If you have any concern or dispute regarding the Application or these Terms of Use, you agree first to contact EDRLab at contact@edrlab.org and to make a good‑faith effort to resolve the dispute informally for at least thirty (30) days before initiating arbitration or court proceedings.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;tos2&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===User not clearly presented with terms===&lt;br /&gt;
During the installation process, the user is not clearly presented with the Terms of use or the Privacy policy. There is no option to agree or disagree to the terms and the privacy policy, nor are they directly linked in the app (see: [[EDRLab#Installation|Installation]] and [[EDRLab#Post-installation|Post-installation]]). While it is not possible to opt out, the user doesn&#039;t know that during installation, unless they&#039;d scrolled on Thorium&#039;s webpage to find the Terms of use and the Privacy policy, or unless they&#039;d found them wherever they&#039;re installing the app from (e.g. [[Microsoft|Microsoft]] Store). See [[EDRLab#External links|External links]] for installation videos of Thorium.&amp;lt;ref name=&amp;quot;install-thorium-win&amp;quot;&amp;gt;{{Cite web |date=24 Feb 2026 |title=installer_thorium_pc |author=Stine Kjær Kappel |url=https://edumedia.dk/media/t/0_dadiw6fi/480184 |url-status=live |website=edumedia.dk |archive-url=https://ghostarchive.org/archive/3IlBv |archive-date=25 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;install-thorium-mac&amp;quot;&amp;gt;{{Cite web |date=24 Feb 2026 |title=installer_thorium_mac |author=Stine Kjær Kappel |url=https://edumedia.dk/media/t/0_1j7nppt4 |url-status=live |website=edumedia.dk |archive-url=https://ghostarchive.org/archive/ILix8 |archive-date=25 Jun 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
====Installation====&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:Thorium-website.webp|alt=Installation step: 1 (installation page)|right|Installation step: 1 (installation page)&lt;br /&gt;
File:F1.webp|alt=Installation step: 1 (alternative on Windows: Microsoft Store)|right|Installation step: 1 (alternative on Windows: Microsoft Store)&lt;br /&gt;
File:F2.webp|alt=Installation step: 2 (Thorium being installed)|right|Installation step: 2 (Thorium being installed)&lt;br /&gt;
File:F3.webp|alt=Installation step: 3 (Thorium&#039;s welcome page upon first launch)|right|Installation step: 3 (Thorium&#039;s welcome page upon first launch)&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
No direct presentation of the Terms of use or the Privacy policy during installation (example on Windows).&lt;br /&gt;
=====Step 0=====&lt;br /&gt;
The Terms of use and the Privacy policy can be located on the homepage by scrolling down to the &amp;quot;Terms of Use, Privacy Policy&amp;quot; section.&amp;lt;ref name=&amp;quot;thorium-home&amp;quot; /&amp;gt;&lt;br /&gt;
=====Step 1=====&lt;br /&gt;
On the installation page (step 1), the user would have to click on &amp;quot;Support&amp;quot; on the top right (or &amp;quot;Minimum system requirement&amp;quot; in the center-left) and then locate the &amp;quot;About Thorium Reader&amp;quot; section on the bottom left. This is not the same page as the &amp;quot;About&amp;quot; located next to &amp;quot;Support.&amp;quot;&amp;lt;ref name=&amp;quot;homepage&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://thorium.edrlab.org/en/ |url-status=live |website=thorium.edrlab.org |archive-url=https://ghostarchive.org/archive/BI26o |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Thorium 3 support |url=https://thorium.edrlab.org/en/th3/ |url-status=live |website=thorium.edrlab.org |archive-url=https://ghostarchive.org/archive/eHOlo |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
======Microsoft Store======&lt;br /&gt;
On the Microsoft Store (alternative step 1 for Windows), the &amp;quot;Additional information&amp;quot; section contains links to the Privacy policy and the &amp;quot;Terms of transaction.&amp;quot; The former leads to EDRLab&#039;s &amp;quot;Legal Information&amp;quot; page, not the actual privacy policy on the site that the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; opens (it is also in French, even with the computer&#039;s language set to English)&amp;lt;ref&amp;gt;{{Cite web |title=Legal Information |url=https://www.edrlab.org/legal-information/ |url-status=live |website=edrlab.org |language=fr |archive-url=https://ghostarchive.org/archive/NvQtI |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
The latter link leads to a &amp;quot;Microsoft Store Terms of Sale&amp;quot; (which is not the same as the app&#039;s Terms of use). There is also a website link, but it opens a different website&amp;lt;ref name=&amp;quot;altsite&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://www.thoriumreader.com/en/ |url-status=live |website=thoriumreader.com |archive-url=https://ghostarchive.org/archive/ZjTqS |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt; than the one Thorium Reader opens when clicking &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; (see [[EDRLab#External links|External links]]).&amp;lt;ref&amp;gt;{{Cite web |title=Thorium Reader |url=https://apps.microsoft.com/detail/9nfzp1g7m2sc?hl=en-US |website=apps.microsoft.com |url-status=live |archive-url=https://ghostarchive.org/archive/ukmly |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt; That site site has a &amp;quot;Legal Notices&amp;quot; (not to be confused with the aforementioned &amp;quot;Legal Information&amp;quot; page) link, through which users can locate the Terms of service and the Privacy policy.&amp;lt;ref name=&amp;quot;altsite&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;conformance&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader Conformance Reports |url=https://conformance.thoriumreader.com/ |url-status=live |website=conformance.thoriumreader.com |archive-url=https://ghostarchive.org/archive/Y4JlV |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=====Step 2 &amp;amp; 3=====&lt;br /&gt;
The installer does not have a link to the Privacy policy or the Terms of service, but after installation (after getting past the welcome screen in image 3), one can use the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; link to go to the app&#039;s website and locate the documents (see [[EDRLab#Step 0|Step 0]]).&amp;lt;ref name=&amp;quot;thorium-home /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====Post-installation====&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:S1.webp|alt=(I) Welcome dialog post installation|right|(I) Welcome dialog post installation&lt;br /&gt;
File:S2.webp|alt=(II) &amp;quot;Resources &amp;amp; Community&amp;quot; section of the dialog |right|(II) &amp;quot;Resources &amp;amp; Community&amp;quot; section of the dialog&lt;br /&gt;
File:S0.webp|alt=(III)&amp;quot;Home&amp;quot; tab|right|(III) &amp;quot;Home&amp;quot; tab&lt;br /&gt;
File:S3.webp|alt=(IV) Settings -- general -- part 1|right|(IV) Settings -- general (part 1)&lt;br /&gt;
File:S4.webp|alt=(V) Settings -- general -- part 2|right|(V) Settings -- general (part 2)&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
No direct presentation of the Terms of use or the Privacy policy. The dialog in images (I) and (II) only contains information about the app&#039;s version and links, one of which is the website.&amp;lt;ref name=&amp;quot;altsite&amp;quot; /&amp;gt; This webpage includes a &amp;quot;Legal Notices&amp;quot; link, through which users can find the relevant documentation. &lt;br /&gt;
&lt;br /&gt;
Image (III) contains depicts the app&#039;s &amp;quot;Home&amp;quot; tab. The user would have to click the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; link (visible on the bottom right of the images), which would open the app&#039;s website in the browser. This, however, is not the same website as the one that the link from image (II) leads to.&amp;lt;ref name=&amp;quot;homepage&amp;quot; /&amp;gt; In fact, via the former (through &amp;quot;Legal Notices&amp;quot;),&amp;lt;ref name=&amp;quot;conformance&amp;quot; /&amp;gt; users can access a more recent version of the Terms of use (the version from 8 Apr 2026 as of 27 Jun 2026);&amp;lt;ref name=&amp;quot;tos2&amp;quot;&amp;gt;{{Cite web |title=Conformance Reports - Terms of use |date=8 Apr 2022 |url=https://conformance.thoriumreader.com/documents/desktop3/terms-of-use/ |url-status=live |website=conformance.thoriumreader.com |archive-url=https://ghostarchive.org/archive/bRGDV |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt; whereas via the latter, users can access (by scrolling down to the &amp;quot;Terms of Use, Privacy Policy&amp;quot; section, where they&#039;d find the link) Terms of service (as of 27 Jun 2026) from 22 Nov 2022.&amp;lt;ref name=&amp;quot;tos&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Image (IV) and (V) depict the settings tab, where any links can&#039;t be found either. This is also seen in the installation videos in [[EDRLab#External links|External links]].&amp;lt;ref name=&amp;quot;install-thorium-win&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;install-thorium-mac&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Products==&lt;br /&gt;
*Thorium Reader&lt;br /&gt;
*Readium LCP (main contributor)&lt;br /&gt;
*Lis mon Livre&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[[Digital rights management]]&lt;br /&gt;
*[[Forced arbitration]]&lt;br /&gt;
*[[Readium]]&lt;br /&gt;
*[[Adobe Digital Editions&#039; ebook DRM]]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
&lt;br /&gt;
==External links==&lt;br /&gt;
===Installation videos===&lt;br /&gt;
*[https://edumedia.dk/media/t/0_dadiw6fi/480184 Thorium PC installation video]&lt;br /&gt;
*[https://edumedia.dk/media/t/0_1j7nppt4 Thorium Mac installation video]&lt;br /&gt;
===ToS===&lt;br /&gt;
*[https://conformance.thoriumreader.com/documents/desktop3/terms-of-use/ 2026 ToS] ([https://ghostarchive.org/archive/bRGDV archived])&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/terms-of-use/ 2022 ToS] ([https://ghostarchive.org/archive/O61SS archived])&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;br /&gt;
===Privacy Policy===&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/privacy-policy/ Privacy policy] ([https://ghostarchive.org/archive/cemKI archived]); [https://conformance.thoriumreader.com/documents/desktop3/privacy-policy/ Same policy but on &amp;quot;conformance.thoriumreader.com&amp;quot;] ([https://ghostarchive.org/archive/ye7GZ archived])&lt;br /&gt;
===Websites===&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/ edrlab.org/software/thorium-reader/] ([https://ghostarchive.org/archive/mqQkB archived])&lt;br /&gt;
*[https://www.thoriumreader.com/en/ thoriumreader.com] ([https://ghostarchive.org/archive/ZjTqS archived])&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=EDRLab&amp;diff=59119</id>
		<title>EDRLab</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=EDRLab&amp;diff=59119"/>
		<updated>2026-06-27T09:40:48Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: /* Consumer-impact summary */ moved link, changed &amp;#039;p&amp;#039; to &amp;#039;P&amp;#039;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{CompanyCargo&lt;br /&gt;
|Founded=2015-07-17&lt;br /&gt;
|Industry=Software&lt;br /&gt;
|Logo=Edrlab.png&lt;br /&gt;
|Type=Non-profit&lt;br /&gt;
|CompanyAlias=European Digital Reading Lab&lt;br /&gt;
|Website=https://www.edrlab.org/ and https://thoriumreader.com (Thorium)&lt;br /&gt;
}}&lt;br /&gt;
EDRLab is a &amp;quot;non-profit development laboratory working on the deployment of an open, interoperable and accessible digital publishing ecosystem worldwide.&amp;quot; It has over 100 members, but some of its founding members are: [[wikipedia:Editis|Editis]], [[wikipedia:Hachette Livre|Hachette]], [[wikipedia:Centre national du livre|Centre National du livre]], [[wikipedia:Groupe Madrigall|Groupe Madrigall]] and the French State. EDRLab is a member of [[wikipedia:World Wide Web Consortium|W3C]] and [[Readium|Readium Foundation]]. It is one of the main contributors to Readium toolkits and the manager of Readium LCP [[Digital rights management|DRM]]. They are also the creators of Thorium Reader, an EPUB reading application.&amp;lt;ref&amp;gt;{{Cite web |title=About |url=https://www.edrlab.org/about/ |url-status=live |website=edrlab.org |archive-url=https://web.archive.org/web/20260502070949/https://www.edrlab.org/about/ |archive-date=2 May 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=EDRLab members directory |url=https://members.edrlab.org |url-status=live |archive-url=https://web.archive.org/web/20260303083006/https://members.edrlab.org/ |archive-date=3 Mar 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |language=fr |title=SITUATION AU REPERTOIRE SIRENE |date=24 Jun 2026 |url=https://api-avis-situation-sirene.insee.fr/identification/pdf/81344547500029 |url-status=live |website=insee.fr |archive-url=https://web.archive.org/web/20260624170714/https://api-avis-situation-sirene.insee.fr/identification/pdf/81344547500029 |archive-date=24 Jun 2026}}&amp;lt;/ref&amp;gt; They also focus on accessibility in order to increase the number of books available to people with disabilities.&amp;lt;ref&amp;gt;{{Cite web |title=Accessibility |url=https://www.edrlab.org/accessibility/ |url-status=live |website=edrlab.org |archive-url=https://ghostarchive.org/archive/EMoqh |archive-date=25 Jun 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
==Consumer-impact summary==&lt;br /&gt;
EDRLab is one of the main contributors to [[Readium]] LCP DRM. Their EPUB reader application, Thorium Reader, which uses &amp;lt;abbr title=&amp;quot;Licensed Content Protection&amp;quot;&amp;gt;LCP&amp;lt;/abbr&amp;gt;, claims to be private, yet it has &amp;quot;non-personal&amp;quot; data collection that the user cannot opt out of. It also contacts EDRLab&#039;s servers every time the application is started. &lt;br /&gt;
&lt;br /&gt;
This is not apparent, since Thorium&#039;s installer doesn&#039;t inform the user of this, there are no &amp;quot;agree/disagree&amp;quot; options and Thorium&#039;s interface does not directly link to either the [[Terms of service]] (ToS) or the Privacy policy (see: [[EDRLab#User not clearly presented with terms|User not clearly presented with terms]]. Users also wouldn&#039;t be notified if the Privacy policy were to change, since that would require them to manually check the Privacy policy page for updates. &lt;br /&gt;
&lt;br /&gt;
The Terms of service also mentions that the user agrees to &amp;quot;indemnify and hold harmless the EDRLab Parties&amp;quot; even for &amp;quot;alleged&amp;quot; breaches by the user of the Terms of service. It is also stated that &amp;quot;EDRLab Parties have the right to monitor the use of the Application.&amp;quot; The 2026 ToS also contains a [[Forced arbitration]] clause.&lt;br /&gt;
&lt;br /&gt;
The application is also deceptively marketed as open source as it is stated in the privacy policy that it is in fact not entirely open source, but rather has a &amp;quot;small software library used as core for the Readium LCP DRM, which does not store or send any data.&amp;quot; This requires users to trust the company on their word, since users cannot inspect the application, as they may not &amp;quot;rent, sell, modify, decompile, disassemble, reverse engineer or transfer the Application in whole or in part&amp;quot;, according to the Terms of service. Furthermore, this connects directly to the 2nd paragraph. The Terms of service as well as the Privacy policy are discussed in more detail in the &amp;quot;Incidents&amp;quot; section (see: [[EDRLab#Thorium Reader privacy policy and terms of use|Thorium Reader privacy policy and terms of use]]).&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
===Thorium Reader privacy policy and terms of use===&lt;br /&gt;
====Privacy policy (22 Nov 2022 version)====&lt;br /&gt;
Despite Thorium&#039;s homepage stating that:&amp;lt;blockquote&amp;gt;This application is free, with no ads and no private data leaks.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;thorium-home&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://www.edrlab.org/software/thorium-reader/ |url-status=live |website=edrlab.org |archive-url=https://web.archive.org/web/20260619033750/https://www.edrlab.org/software/thorium-reader/ |archive-date=19 Jun 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt;There is data collection, but it is stated that it is &amp;quot;non-personal.&amp;quot; The application calling itself private might give some users the wrong impression, if they take that to mean &amp;quot;no phoning home.&amp;quot; The reader sends this &amp;quot;non-personal&amp;quot; data to EDRLab&#039;s servers. &lt;br /&gt;
&lt;br /&gt;
It is impossible to opt out of &amp;quot;notifications&amp;quot; that are sent to a server every time the application is started. They state that this information &amp;lt;blockquote&amp;gt;is for analytics only and not accessed by any third party. It is used to get information about the evolution of the number of installs of the application per operating system, the evolution of usage sessions and the main locales in use.&amp;lt;/blockquote&amp;gt;And:&amp;lt;blockquote&amp;gt;Parameters of such notification are:&lt;br /&gt;
&lt;br /&gt;
*a timestamp,&lt;br /&gt;
*the version of Thorium Reader,&lt;br /&gt;
*the operating system of the device and its version,&lt;br /&gt;
*the locale of the application at the time it is started,&lt;br /&gt;
*if this is the first start of Thorium Reader after a fresh install.&lt;br /&gt;
&lt;br /&gt;
The IP address of the device is not stored along with the above information.&lt;br /&gt;
&lt;br /&gt;
It is not possible to opt-out from this notification.&amp;lt;/blockquote&amp;gt;Also:&amp;lt;blockquote&amp;gt;a notification is sent to an LCP Server each time a protected publication is open. This is required by the LCP specification for checking if the license of use of the publication has been updated. There is not centralized LCP Server, each server is operated by the distributor of the protected publication acquired by the user.&lt;br /&gt;
&lt;br /&gt;
Parameters of such notification are:&lt;br /&gt;
&lt;br /&gt;
*a device identifier, automatically generated at the install of the application.&lt;br /&gt;
*a device name, automatically generated at the install of the application.&lt;br /&gt;
&lt;br /&gt;
The codebase of Thorium Reader is open-sourced and can therefore be fully inspected, with the exception of a small software library used as core for the Readium LCP DRM, which does not store or send any data.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
The terms of privacy policy can also evidently be changed without users being notified in their actual reading application, but rather: &amp;lt;blockquote&amp;gt;We may change the Privacy Policy from time to time. We will notify you by posting the revised Privacy Policy on this page and the date on which the last changes were made will be noted at the top of the page.&amp;lt;/blockquote&amp;gt;So users would have to periodically check this site to know whether any terms have changed.&lt;br /&gt;
&lt;br /&gt;
====Terms of service (22 Nov 2022 version)====&lt;br /&gt;
Moving on to the Terms of service, there are several interesting things. First:&amp;lt;blockquote&amp;gt;You hereby agree to indemnify and hold harmless the EDRLab Parties from and against any and all claims, actions or proceedings of any nature whatsoever and all damages, judgments, losses, liabilities, costs and expenses, including reasonable attorneys’ fees and expenses (including those incurred to enforce this provision), arising out of your use of the Application, the Content, any actual or alleged breach by you of these Terms of Use, or any violation by you of any applicable law or the rights of any other person or entity.&amp;lt;/blockquote&amp;gt;Especially:&amp;lt;blockquote&amp;gt;any actual or alleged breach by you of these Terms of Use&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
As per this, one is agreeing to &amp;quot;indemnify and hold harmless the EDRLab Parties&amp;quot; even for alleged breaches of the terms of service.&lt;br /&gt;
&lt;br /&gt;
In one of the quotes above, it is mentioned that due to Thorium&#039;s open source nature, one can inspect its source code apart from a &amp;quot;small software library used as core for the Readium LCP DRM, which does not store or send any data&amp;quot; Which, one cannot verify that part, since:&amp;lt;blockquote&amp;gt;In addition, you may not rent, sell, modify, decompile, disassemble, reverse engineer or transfer the Application in whole or in part. You may not use any device, software or routine to interfere with or attempt to interfere with the proper functioning of the Application in whole or in part.&amp;lt;/blockquote&amp;gt;So it would appear that it is up to individual users to decide if not being able to verify that part is acceptable to them. Finally, there is also this:&amp;lt;blockquote&amp;gt; However, you acknowledge that the EDRLab Parties have the right to monitor the use of the Application, at its sole discretion, and to disclose any information necessary to comply with any law, regulation or government request, in order to be able to operate the Application adequately or in order to protect itself or its users under the “Privacy Policy”&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;tos&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader – Terms of Use |date=22 Nov 2022 |url=https://www.edrlab.org/software/thorium-reader/terms-of-use/ |website=edrlab.org |url-status=live |archive-url=https://web.archive.org/web/20260617083801/https://www.edrlab.org/software/thorium-reader/terms-of-use/ |archive-date=17 Jun 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;privacy-policy&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader – Privacy Policy |date=22 Nov 2022 |url=https://www.edrlab.org/software/thorium-reader/privacy-policy/ |website=edrlab.org |archive-url=https://web.archive.org/web/20260617083801/https://www.edrlab.org/software/thorium-reader/privacy-policy/ |url-status=live |archive-date=17 Jun 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt; The above summarizes and discusses Thorium&#039;s Privacy policy and Terms of service. Readers are encouraged to consult both the Privacy policy and the Terms of service for themselves and form their own conclusions.&lt;br /&gt;
=====Forced arbitration (8 Apr 2026 ToS version)=====&lt;br /&gt;
In the updated Terms of service (see [[EDRLab#External links|External links]]), from 8 Apr 2026, there is a Forced arbitration clause.&amp;lt;blockquote&amp;gt;To the fullest extent permitted by applicable law, any dispute, claim or controversy between you and EDRLab that relates in any way to or arises from your use of the Application or these Terms of Use (a “Dispute”) shall be resolved on an individual basis and, except as provided below, exclusively through binding arbitration. A Dispute will be submitted to arbitration, whether it is based on contract, statute, regulation, court order, tort or any other legal or equitable theory. You understand that in arbitration, there is no judge or jury and that judicial review of an arbitral award is limited. Unless otherwise required by mandatory law, the arbitration shall be administered by a recognised arbitration institution (for example, the ICC in Paris, or, for consumers in the United States, the American Arbitration Association) under its applicable rules for consumer or commercial disputes, as modified by this clause. The arbitration shall be conducted by a single arbitrator, in French or English, and, unless the arbitrator decides that an in‑person hearing is necessary, may be held by videoconference. The arbitrator shall apply the applicable governing law set out below and may award any remedies available at law or in equity. The arbitrator’s award shall be final and binding and may be entered in any court of competent jurisdiction.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
And:&amp;lt;blockquote&amp;gt;You agree that any arbitration or court proceeding will be conducted only on an individual basis, not as a class, collective, or representative action. To the fullest extent permitted by applicable law, you and EDRLab each waive any right to a jury trial in any court proceedings. Notwithstanding the foregoing, either you or EDRLab may: (a) bring an individual action in a court of competent jurisdiction for claims that fall within the jurisdiction of a small‑claims or equivalent court, or (b) seek provisional or injunctive relief in a court of competent jurisdiction to protect intellectual property rights or prevent unauthorised access to or use of the Application. You and we agree to submit to the exclusive jurisdiction of Paris, France. Unless prohibited by applicable law, and without regard to its conflict of laws principles, you and we agree that any Dispute between you and us will be governed by and construed in accordance with the laws of France. ​In all cases, nothing in these Terms of Use is intended to waive any sovereign immunity, governmental immunity or other mandatory legal protection that cannot be contractually waived under applicable law.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
You also agree to first contact EDRLab before initiating any proceedings:&amp;lt;blockquote&amp;gt;If you have any concern or dispute regarding the Application or these Terms of Use, you agree first to contact EDRLab at contact@edrlab.org and to make a good‑faith effort to resolve the dispute informally for at least thirty (30) days before initiating arbitration or court proceedings.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;tos2&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===User not clearly presented with terms===&lt;br /&gt;
During the installation process, the user is not clearly presented with the Terms of use or the Privacy policy. There is no option to agree or disagree to the terms and the privacy policy, nor are they directly linked in the app (see: [[EDRLab#Installation|Installation]] and [[EDRLab#Post-installation|Post-installation]]). While it is not possible to opt out, the user doesn&#039;t know that during installation, unless they&#039;d scrolled on Thorium&#039;s webpage to find the Terms of use and the Privacy policy, or unless they&#039;d found them wherever they&#039;re installing the app from (e.g. [[Microsoft|Microsoft]] Store). See [[EDRLab#External links|External links]] for installation videos of Thorium.&amp;lt;ref name=&amp;quot;install-thorium-win&amp;quot;&amp;gt;{{Cite web |date=24 Feb 2026 |title=installer_thorium_pc |author=Stine Kjær Kappel |url=https://edumedia.dk/media/t/0_dadiw6fi/480184 |url-status=live |website=edumedia.dk |archive-url=https://ghostarchive.org/archive/3IlBv |archive-date=25 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;install-thorium-mac&amp;quot;&amp;gt;{{Cite web |date=24 Feb 2026 |title=installer_thorium_mac |author=Stine Kjær Kappel |url=https://edumedia.dk/media/t/0_1j7nppt4 |url-status=live |website=edumedia.dk |archive-url=https://ghostarchive.org/archive/ILix8 |archive-date=25 Jun 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
====Installation====&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:Thorium-website.webp|alt=Installation step: 1 (installation page)|right|Installation step: 1 (installation page)&lt;br /&gt;
File:F1.webp|alt=Installation step: 1 (alternative on Windows: Microsoft Store)|right|Installation step: 1 (alternative on Windows: Microsoft Store)&lt;br /&gt;
File:F2.webp|alt=Installation step: 2 (Thorium being installed)|right|Installation step: 2 (Thorium being installed)&lt;br /&gt;
File:F3.webp|alt=Installation step: 3 (Thorium&#039;s welcome page upon first launch)|right|Installation step: 3 (Thorium&#039;s welcome page upon first launch)&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
No direct presentation of the Terms of use or the Privacy policy during installation (example on Windows).&lt;br /&gt;
=====Step 0=====&lt;br /&gt;
The Terms of use and the Privacy policy can be located on the homepage by scrolling down to the &amp;quot;Terms of Use, Privacy Policy&amp;quot; section.&amp;lt;ref name=&amp;quot;thorium-home&amp;quot; /&amp;gt;&lt;br /&gt;
=====Step 1=====&lt;br /&gt;
On the installation page (step 1), the user would have to click on &amp;quot;Support&amp;quot; on the top right (or &amp;quot;Minimum system requirement&amp;quot; in the center-left) and then locate the &amp;quot;About Thorium Reader&amp;quot; section on the bottom left. This is not the same page as the &amp;quot;About&amp;quot; located next to &amp;quot;Support.&amp;quot;&amp;lt;ref name=&amp;quot;homepage&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://thorium.edrlab.org/en/ |url-status=live |website=thorium.edrlab.org |archive-url=https://ghostarchive.org/archive/BI26o |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Thorium 3 support |url=https://thorium.edrlab.org/en/th3/ |url-status=live |website=thorium.edrlab.org |archive-url=https://ghostarchive.org/archive/eHOlo |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
======Microsoft Store======&lt;br /&gt;
On the Microsoft Store (alternative step 1 for Windows), the &amp;quot;Additional information&amp;quot; section contains links to the Privacy policy and the &amp;quot;Terms of transaction.&amp;quot; The former leads to EDRLab&#039;s &amp;quot;Legal Information&amp;quot; page, not the actual privacy policy on the site that the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; opens (it is also in French, even with the computer&#039;s language set to English)&amp;lt;ref&amp;gt;{{Cite web |title=Legal Information |url=https://www.edrlab.org/legal-information/ |url-status=live |website=edrlab.org |language=fr |archive-url=https://ghostarchive.org/archive/NvQtI |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
The latter link leads to a &amp;quot;Microsoft Store Terms of Sale&amp;quot; (which is not the same as the app&#039;s Terms of use). There is also a website link, but it opens a different website&amp;lt;ref name=&amp;quot;altsite&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://www.thoriumreader.com/en/ |url-status=live |website=thoriumreader.com |archive-url=https://ghostarchive.org/archive/ZjTqS |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt; than the one Thorium Reader opens when clicking &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; (see [[EDRLab#External links|External links]]).&amp;lt;ref&amp;gt;{{Cite web |title=Thorium Reader |url=https://apps.microsoft.com/detail/9nfzp1g7m2sc?hl=en-US |website=apps.microsoft.com |url-status=live |archive-url=https://ghostarchive.org/archive/ukmly |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt; That site site has a &amp;quot;Legal Notices&amp;quot; (not to be confused with the aforementioned &amp;quot;Legal Information&amp;quot; page) link, through which users can locate the Terms of service and the Privacy policy.&amp;lt;ref name=&amp;quot;altsite&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;conformance&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader Conformance Reports |url=https://conformance.thoriumreader.com/ |url-status=live |website=conformance.thoriumreader.com |archive-url=https://ghostarchive.org/archive/Y4JlV |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=====Step 2 &amp;amp; 3=====&lt;br /&gt;
The installer does not have a link to the Privacy policy or the Terms of service, but after installation (after getting past the welcome screen in image 3), one can use the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; link to go to the app&#039;s website and locate the documents (see [[EDRLab#Step 0|Step 0]]).&amp;lt;ref name=&amp;quot;thorium-home /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====Post-installation====&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:S1.webp|alt=(I) Welcome dialog post installation|right|(I) Welcome dialog post installation&lt;br /&gt;
File:S2.webp|alt=(II) &amp;quot;Resources &amp;amp; Community&amp;quot; section of the dialog |right|(II) &amp;quot;Resources &amp;amp; Community&amp;quot; section of the dialog&lt;br /&gt;
File:S0.webp|alt=(III)&amp;quot;Home&amp;quot; tab|right|(III) &amp;quot;Home&amp;quot; tab&lt;br /&gt;
File:S3.webp|alt=(IV) Settings -- general -- part 1|right|(IV) Settings -- general (part 1)&lt;br /&gt;
File:S4.webp|alt=(V) Settings -- general -- part 2|right|(V) Settings -- general (part 2)&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
No direct presentation of the Terms of use or the Privacy policy. The dialog in images (I) and (II) only contains information about the app&#039;s version and links, one of which is the website.&amp;lt;ref name=&amp;quot;altsite&amp;quot; /&amp;gt; This webpage includes a &amp;quot;Legal Notices&amp;quot; link, through which users can find the relevant documentation. &lt;br /&gt;
&lt;br /&gt;
Image (III) contains depicts the app&#039;s &amp;quot;Home&amp;quot; tab. The user would have to click the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; link (visible on the bottom right of the images), which would open the app&#039;s website in the browser. This, however, is not the same website as the one that the link from image (II) leads to.&amp;lt;ref name=&amp;quot;homepage&amp;quot; /&amp;gt; In fact, via the former (through &amp;quot;Legal Notices&amp;quot;),&amp;lt;ref name=&amp;quot;conformance&amp;quot; /&amp;gt; users can access a more recent version of the Terms of use (the version from 8 Apr 2026 as of 27 Jun 2026);&amp;lt;ref name=&amp;quot;tos2&amp;quot;&amp;gt;{{Cite web |title=Conformance Reports - Terms of use |date=8 Apr 2022 |url=https://conformance.thoriumreader.com/documents/desktop3/terms-of-use/ |url-status=live |website=conformance.thoriumreader.com |archive-url=https://ghostarchive.org/archive/bRGDV |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt; whereas via the latter, users can access (by scrolling down to the &amp;quot;Terms of Use, Privacy Policy&amp;quot; section, where they&#039;d find the link) Terms of service (as of 27 Jun 2026) from 22 Nov 2022.&amp;lt;ref name=&amp;quot;tos&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Image (IV) and (V) depict the settings tab, where any links can&#039;t be found either. This is also seen in the installation videos in [[EDRLab#External links|External links]].&amp;lt;ref name=&amp;quot;install-thorium-win&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;install-thorium-mac&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Products==&lt;br /&gt;
*Thorium Reader&lt;br /&gt;
*Readium LCP (main contributor)&lt;br /&gt;
*Lis mon Livre&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[[Digital rights management]]&lt;br /&gt;
*[[Forced arbitration]]&lt;br /&gt;
*[[Readium]]&lt;br /&gt;
*[[Adobe Digital Editions&#039; ebook DRM]]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
&lt;br /&gt;
==External links==&lt;br /&gt;
===Installation videos===&lt;br /&gt;
*[https://edumedia.dk/media/t/0_dadiw6fi/480184 Thorium PC installation video]&lt;br /&gt;
*[https://edumedia.dk/media/t/0_1j7nppt4 Thorium Mac installation video]&lt;br /&gt;
===ToS===&lt;br /&gt;
*[https://conformance.thoriumreader.com/documents/desktop3/terms-of-use/ 2026 ToS] ([https://ghostarchive.org/archive/bRGDV archived])&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/terms-of-use/ 2022 ToS] ([https://ghostarchive.org/archive/O61SS archived])&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;br /&gt;
===Privacy Policy===&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/privacy-policy/ Privacy policy] ([https://ghostarchive.org/archive/cemKI archived]); [https://conformance.thoriumreader.com/documents/desktop3/privacy-policy/ Same policy but on &amp;quot;conformance.thoriumreader.com&amp;quot;] ([https://ghostarchive.org/archive/ye7GZ archived])&lt;br /&gt;
===Websites===&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/ edrlab.org/software/thorium-reader/] ([https://ghostarchive.org/archive/mqQkB archived])&lt;br /&gt;
*[https://www.thoriumreader.com/en/ thoriumreader.com] ([https://ghostarchive.org/archive/ZjTqS archived])&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
	<entry>
		<id>https://consumerrights.wiki/index.php?title=EDRLab&amp;diff=59118</id>
		<title>EDRLab</title>
		<link rel="alternate" type="text/html" href="https://consumerrights.wiki/index.php?title=EDRLab&amp;diff=59118"/>
		<updated>2026-06-27T09:38:27Z</updated>

		<summary type="html">&lt;p&gt;Galomi04: /* Forced arbitration (8 Apr 2026 ToS version) */ removed link, will link elsewhere&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{CompanyCargo&lt;br /&gt;
|Founded=2015-07-17&lt;br /&gt;
|Industry=Software&lt;br /&gt;
|Logo=Edrlab.png&lt;br /&gt;
|Type=Non-profit&lt;br /&gt;
|CompanyAlias=European Digital Reading Lab&lt;br /&gt;
|Website=https://www.edrlab.org/ and https://thoriumreader.com (Thorium)&lt;br /&gt;
}}&lt;br /&gt;
EDRLab is a &amp;quot;non-profit development laboratory working on the deployment of an open, interoperable and accessible digital publishing ecosystem worldwide.&amp;quot; It has over 100 members, but some of its founding members are: [[wikipedia:Editis|Editis]], [[wikipedia:Hachette Livre|Hachette]], [[wikipedia:Centre national du livre|Centre National du livre]], [[wikipedia:Groupe Madrigall|Groupe Madrigall]] and the French State. EDRLab is a member of [[wikipedia:World Wide Web Consortium|W3C]] and [[Readium|Readium Foundation]]. It is one of the main contributors to Readium toolkits and the manager of Readium LCP [[Digital rights management|DRM]]. They are also the creators of Thorium Reader, an EPUB reading application.&amp;lt;ref&amp;gt;{{Cite web |title=About |url=https://www.edrlab.org/about/ |url-status=live |website=edrlab.org |archive-url=https://web.archive.org/web/20260502070949/https://www.edrlab.org/about/ |archive-date=2 May 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=EDRLab members directory |url=https://members.edrlab.org |url-status=live |archive-url=https://web.archive.org/web/20260303083006/https://members.edrlab.org/ |archive-date=3 Mar 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |language=fr |title=SITUATION AU REPERTOIRE SIRENE |date=24 Jun 2026 |url=https://api-avis-situation-sirene.insee.fr/identification/pdf/81344547500029 |url-status=live |website=insee.fr |archive-url=https://web.archive.org/web/20260624170714/https://api-avis-situation-sirene.insee.fr/identification/pdf/81344547500029 |archive-date=24 Jun 2026}}&amp;lt;/ref&amp;gt; They also focus on accessibility in order to increase the number of books available to people with disabilities.&amp;lt;ref&amp;gt;{{Cite web |title=Accessibility |url=https://www.edrlab.org/accessibility/ |url-status=live |website=edrlab.org |archive-url=https://ghostarchive.org/archive/EMoqh |archive-date=25 Jun 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
==Consumer-impact summary==&lt;br /&gt;
EDRLab is one of the main contributors to [[Readium]] LCP DRM. Their EPUB reader application, Thorium Reader, which uses &amp;lt;abbr title=&amp;quot;Licensed Content Protection&amp;quot;&amp;gt;LCP&amp;lt;/abbr&amp;gt;, claims to be private, yet it has &amp;quot;non-personal&amp;quot; data collection that the user cannot opt out of. It also contacts EDRLab&#039;s servers every time the application is started. &lt;br /&gt;
&lt;br /&gt;
This is not apparent, since Thorium&#039;s installer doesn&#039;t inform the user of this, there are no &amp;quot;agree/disagree&amp;quot; options and Thorium&#039;s interface does not directly link to either the [[Terms of service]] or the Privacy policy (see: [[EDRLab#User not clearly presented with terms|User not clearly presented with terms]]. Users also wouldn&#039;t be notified if the privacy policy were to change, since that would require them to manually check the Privacy policy page for updates. &lt;br /&gt;
&lt;br /&gt;
The Terms of service also mentions that the user agrees to &amp;quot;indemnify and hold harmless the EDRLab Parties&amp;quot; even for &amp;quot;alleged&amp;quot; breaches by the user of the Terms of service. It is also stated that &amp;quot;EDRLab Parties have the right to monitor the use of the Application.&amp;quot; &lt;br /&gt;
&lt;br /&gt;
The application is also deceptively marketed as open source as it is stated in the privacy policy that it is in fact not entirely open source, but rather has a &amp;quot;small software library used as core for the Readium LCP DRM, which does not store or send any data.&amp;quot; This requires users to trust the company on their word, since users cannot inspect the application, as they may not &amp;quot;rent, sell, modify, decompile, disassemble, reverse engineer or transfer the Application in whole or in part&amp;quot;, according to the Terms of service. Furthermore, this connects directly to the 2nd paragraph. The Terms of service as well as the Privacy policy are discussed in more detail in the &amp;quot;Incidents&amp;quot; section (see: [[EDRLab#Thorium Reader privacy policy and terms of use|Thorium Reader privacy policy and terms of use]]).&lt;br /&gt;
&lt;br /&gt;
==Incidents==&lt;br /&gt;
===Thorium Reader privacy policy and terms of use===&lt;br /&gt;
====Privacy policy (22 Nov 2022 version)====&lt;br /&gt;
Despite Thorium&#039;s homepage stating that:&amp;lt;blockquote&amp;gt;This application is free, with no ads and no private data leaks.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;thorium-home&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://www.edrlab.org/software/thorium-reader/ |url-status=live |website=edrlab.org |archive-url=https://web.archive.org/web/20260619033750/https://www.edrlab.org/software/thorium-reader/ |archive-date=19 Jun 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt;There is data collection, but it is stated that it is &amp;quot;non-personal.&amp;quot; The application calling itself private might give some users the wrong impression, if they take that to mean &amp;quot;no phoning home.&amp;quot; The reader sends this &amp;quot;non-personal&amp;quot; data to EDRLab&#039;s servers. &lt;br /&gt;
&lt;br /&gt;
It is impossible to opt out of &amp;quot;notifications&amp;quot; that are sent to a server every time the application is started. They state that this information &amp;lt;blockquote&amp;gt;is for analytics only and not accessed by any third party. It is used to get information about the evolution of the number of installs of the application per operating system, the evolution of usage sessions and the main locales in use.&amp;lt;/blockquote&amp;gt;And:&amp;lt;blockquote&amp;gt;Parameters of such notification are:&lt;br /&gt;
&lt;br /&gt;
*a timestamp,&lt;br /&gt;
*the version of Thorium Reader,&lt;br /&gt;
*the operating system of the device and its version,&lt;br /&gt;
*the locale of the application at the time it is started,&lt;br /&gt;
*if this is the first start of Thorium Reader after a fresh install.&lt;br /&gt;
&lt;br /&gt;
The IP address of the device is not stored along with the above information.&lt;br /&gt;
&lt;br /&gt;
It is not possible to opt-out from this notification.&amp;lt;/blockquote&amp;gt;Also:&amp;lt;blockquote&amp;gt;a notification is sent to an LCP Server each time a protected publication is open. This is required by the LCP specification for checking if the license of use of the publication has been updated. There is not centralized LCP Server, each server is operated by the distributor of the protected publication acquired by the user.&lt;br /&gt;
&lt;br /&gt;
Parameters of such notification are:&lt;br /&gt;
&lt;br /&gt;
*a device identifier, automatically generated at the install of the application.&lt;br /&gt;
*a device name, automatically generated at the install of the application.&lt;br /&gt;
&lt;br /&gt;
The codebase of Thorium Reader is open-sourced and can therefore be fully inspected, with the exception of a small software library used as core for the Readium LCP DRM, which does not store or send any data.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
The terms of privacy policy can also evidently be changed without users being notified in their actual reading application, but rather: &amp;lt;blockquote&amp;gt;We may change the Privacy Policy from time to time. We will notify you by posting the revised Privacy Policy on this page and the date on which the last changes were made will be noted at the top of the page.&amp;lt;/blockquote&amp;gt;So users would have to periodically check this site to know whether any terms have changed.&lt;br /&gt;
&lt;br /&gt;
====Terms of service (22 Nov 2022 version)====&lt;br /&gt;
Moving on to the Terms of service, there are several interesting things. First:&amp;lt;blockquote&amp;gt;You hereby agree to indemnify and hold harmless the EDRLab Parties from and against any and all claims, actions or proceedings of any nature whatsoever and all damages, judgments, losses, liabilities, costs and expenses, including reasonable attorneys’ fees and expenses (including those incurred to enforce this provision), arising out of your use of the Application, the Content, any actual or alleged breach by you of these Terms of Use, or any violation by you of any applicable law or the rights of any other person or entity.&amp;lt;/blockquote&amp;gt;Especially:&amp;lt;blockquote&amp;gt;any actual or alleged breach by you of these Terms of Use&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
As per this, one is agreeing to &amp;quot;indemnify and hold harmless the EDRLab Parties&amp;quot; even for alleged breaches of the terms of service.&lt;br /&gt;
&lt;br /&gt;
In one of the quotes above, it is mentioned that due to Thorium&#039;s open source nature, one can inspect its source code apart from a &amp;quot;small software library used as core for the Readium LCP DRM, which does not store or send any data&amp;quot; Which, one cannot verify that part, since:&amp;lt;blockquote&amp;gt;In addition, you may not rent, sell, modify, decompile, disassemble, reverse engineer or transfer the Application in whole or in part. You may not use any device, software or routine to interfere with or attempt to interfere with the proper functioning of the Application in whole or in part.&amp;lt;/blockquote&amp;gt;So it would appear that it is up to individual users to decide if not being able to verify that part is acceptable to them. Finally, there is also this:&amp;lt;blockquote&amp;gt; However, you acknowledge that the EDRLab Parties have the right to monitor the use of the Application, at its sole discretion, and to disclose any information necessary to comply with any law, regulation or government request, in order to be able to operate the Application adequately or in order to protect itself or its users under the “Privacy Policy”&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;tos&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader – Terms of Use |date=22 Nov 2022 |url=https://www.edrlab.org/software/thorium-reader/terms-of-use/ |website=edrlab.org |url-status=live |archive-url=https://web.archive.org/web/20260617083801/https://www.edrlab.org/software/thorium-reader/terms-of-use/ |archive-date=17 Jun 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;privacy-policy&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader – Privacy Policy |date=22 Nov 2022 |url=https://www.edrlab.org/software/thorium-reader/privacy-policy/ |website=edrlab.org |archive-url=https://web.archive.org/web/20260617083801/https://www.edrlab.org/software/thorium-reader/privacy-policy/ |url-status=live |archive-date=17 Jun 2026 |access-date=24 Jun 2026}}&amp;lt;/ref&amp;gt; The above summarizes and discusses Thorium&#039;s Privacy policy and Terms of service. Readers are encouraged to consult both the Privacy policy and the Terms of service for themselves and form their own conclusions.&lt;br /&gt;
=====Forced arbitration (8 Apr 2026 ToS version)=====&lt;br /&gt;
In the updated Terms of service (see [[EDRLab#External links|External links]]), from 8 Apr 2026, there is a Forced arbitration clause.&amp;lt;blockquote&amp;gt;To the fullest extent permitted by applicable law, any dispute, claim or controversy between you and EDRLab that relates in any way to or arises from your use of the Application or these Terms of Use (a “Dispute”) shall be resolved on an individual basis and, except as provided below, exclusively through binding arbitration. A Dispute will be submitted to arbitration, whether it is based on contract, statute, regulation, court order, tort or any other legal or equitable theory. You understand that in arbitration, there is no judge or jury and that judicial review of an arbitral award is limited. Unless otherwise required by mandatory law, the arbitration shall be administered by a recognised arbitration institution (for example, the ICC in Paris, or, for consumers in the United States, the American Arbitration Association) under its applicable rules for consumer or commercial disputes, as modified by this clause. The arbitration shall be conducted by a single arbitrator, in French or English, and, unless the arbitrator decides that an in‑person hearing is necessary, may be held by videoconference. The arbitrator shall apply the applicable governing law set out below and may award any remedies available at law or in equity. The arbitrator’s award shall be final and binding and may be entered in any court of competent jurisdiction.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
And:&amp;lt;blockquote&amp;gt;You agree that any arbitration or court proceeding will be conducted only on an individual basis, not as a class, collective, or representative action. To the fullest extent permitted by applicable law, you and EDRLab each waive any right to a jury trial in any court proceedings. Notwithstanding the foregoing, either you or EDRLab may: (a) bring an individual action in a court of competent jurisdiction for claims that fall within the jurisdiction of a small‑claims or equivalent court, or (b) seek provisional or injunctive relief in a court of competent jurisdiction to protect intellectual property rights or prevent unauthorised access to or use of the Application. You and we agree to submit to the exclusive jurisdiction of Paris, France. Unless prohibited by applicable law, and without regard to its conflict of laws principles, you and we agree that any Dispute between you and us will be governed by and construed in accordance with the laws of France. ​In all cases, nothing in these Terms of Use is intended to waive any sovereign immunity, governmental immunity or other mandatory legal protection that cannot be contractually waived under applicable law.&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
You also agree to first contact EDRLab before initiating any proceedings:&amp;lt;blockquote&amp;gt;If you have any concern or dispute regarding the Application or these Terms of Use, you agree first to contact EDRLab at contact@edrlab.org and to make a good‑faith effort to resolve the dispute informally for at least thirty (30) days before initiating arbitration or court proceedings.&amp;lt;/blockquote&amp;gt;&amp;lt;ref name=&amp;quot;tos2&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===User not clearly presented with terms===&lt;br /&gt;
During the installation process, the user is not clearly presented with the Terms of use or the Privacy policy. There is no option to agree or disagree to the terms and the privacy policy, nor are they directly linked in the app (see: [[EDRLab#Installation|Installation]] and [[EDRLab#Post-installation|Post-installation]]). While it is not possible to opt out, the user doesn&#039;t know that during installation, unless they&#039;d scrolled on Thorium&#039;s webpage to find the Terms of use and the Privacy policy, or unless they&#039;d found them wherever they&#039;re installing the app from (e.g. [[Microsoft|Microsoft]] Store). See [[EDRLab#External links|External links]] for installation videos of Thorium.&amp;lt;ref name=&amp;quot;install-thorium-win&amp;quot;&amp;gt;{{Cite web |date=24 Feb 2026 |title=installer_thorium_pc |author=Stine Kjær Kappel |url=https://edumedia.dk/media/t/0_dadiw6fi/480184 |url-status=live |website=edumedia.dk |archive-url=https://ghostarchive.org/archive/3IlBv |archive-date=25 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;install-thorium-mac&amp;quot;&amp;gt;{{Cite web |date=24 Feb 2026 |title=installer_thorium_mac |author=Stine Kjær Kappel |url=https://edumedia.dk/media/t/0_1j7nppt4 |url-status=live |website=edumedia.dk |archive-url=https://ghostarchive.org/archive/ILix8 |archive-date=25 Jun 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
====Installation====&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:Thorium-website.webp|alt=Installation step: 1 (installation page)|right|Installation step: 1 (installation page)&lt;br /&gt;
File:F1.webp|alt=Installation step: 1 (alternative on Windows: Microsoft Store)|right|Installation step: 1 (alternative on Windows: Microsoft Store)&lt;br /&gt;
File:F2.webp|alt=Installation step: 2 (Thorium being installed)|right|Installation step: 2 (Thorium being installed)&lt;br /&gt;
File:F3.webp|alt=Installation step: 3 (Thorium&#039;s welcome page upon first launch)|right|Installation step: 3 (Thorium&#039;s welcome page upon first launch)&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
No direct presentation of the Terms of use or the Privacy policy during installation (example on Windows).&lt;br /&gt;
=====Step 0=====&lt;br /&gt;
The Terms of use and the Privacy policy can be located on the homepage by scrolling down to the &amp;quot;Terms of Use, Privacy Policy&amp;quot; section.&amp;lt;ref name=&amp;quot;thorium-home&amp;quot; /&amp;gt;&lt;br /&gt;
=====Step 1=====&lt;br /&gt;
On the installation page (step 1), the user would have to click on &amp;quot;Support&amp;quot; on the top right (or &amp;quot;Minimum system requirement&amp;quot; in the center-left) and then locate the &amp;quot;About Thorium Reader&amp;quot; section on the bottom left. This is not the same page as the &amp;quot;About&amp;quot; located next to &amp;quot;Support.&amp;quot;&amp;lt;ref name=&amp;quot;homepage&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://thorium.edrlab.org/en/ |url-status=live |website=thorium.edrlab.org |archive-url=https://ghostarchive.org/archive/BI26o |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |title=Thorium 3 support |url=https://thorium.edrlab.org/en/th3/ |url-status=live |website=thorium.edrlab.org |archive-url=https://ghostarchive.org/archive/eHOlo |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
======Microsoft Store======&lt;br /&gt;
On the Microsoft Store (alternative step 1 for Windows), the &amp;quot;Additional information&amp;quot; section contains links to the Privacy policy and the &amp;quot;Terms of transaction.&amp;quot; The former leads to EDRLab&#039;s &amp;quot;Legal Information&amp;quot; page, not the actual privacy policy on the site that the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; opens (it is also in French, even with the computer&#039;s language set to English)&amp;lt;ref&amp;gt;{{Cite web |title=Legal Information |url=https://www.edrlab.org/legal-information/ |url-status=live |website=edrlab.org |language=fr |archive-url=https://ghostarchive.org/archive/NvQtI |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
The latter link leads to a &amp;quot;Microsoft Store Terms of Sale&amp;quot; (which is not the same as the app&#039;s Terms of use). There is also a website link, but it opens a different website&amp;lt;ref name=&amp;quot;altsite&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader |url=https://www.thoriumreader.com/en/ |url-status=live |website=thoriumreader.com |archive-url=https://ghostarchive.org/archive/ZjTqS |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt; than the one Thorium Reader opens when clicking &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; (see [[EDRLab#External links|External links]]).&amp;lt;ref&amp;gt;{{Cite web |title=Thorium Reader |url=https://apps.microsoft.com/detail/9nfzp1g7m2sc?hl=en-US |website=apps.microsoft.com |url-status=live |archive-url=https://ghostarchive.org/archive/ukmly |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt; That site site has a &amp;quot;Legal Notices&amp;quot; (not to be confused with the aforementioned &amp;quot;Legal Information&amp;quot; page) link, through which users can locate the Terms of service and the Privacy policy.&amp;lt;ref name=&amp;quot;altsite&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;conformance&amp;quot;&amp;gt;{{Cite web |title=Thorium Reader Conformance Reports |url=https://conformance.thoriumreader.com/ |url-status=live |website=conformance.thoriumreader.com |archive-url=https://ghostarchive.org/archive/Y4JlV |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=====Step 2 &amp;amp; 3=====&lt;br /&gt;
The installer does not have a link to the Privacy policy or the Terms of service, but after installation (after getting past the welcome screen in image 3), one can use the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; link to go to the app&#039;s website and locate the documents (see [[EDRLab#Step 0|Step 0]]).&amp;lt;ref name=&amp;quot;thorium-home /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====Post-installation====&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
File:S1.webp|alt=(I) Welcome dialog post installation|right|(I) Welcome dialog post installation&lt;br /&gt;
File:S2.webp|alt=(II) &amp;quot;Resources &amp;amp; Community&amp;quot; section of the dialog |right|(II) &amp;quot;Resources &amp;amp; Community&amp;quot; section of the dialog&lt;br /&gt;
File:S0.webp|alt=(III)&amp;quot;Home&amp;quot; tab|right|(III) &amp;quot;Home&amp;quot; tab&lt;br /&gt;
File:S3.webp|alt=(IV) Settings -- general -- part 1|right|(IV) Settings -- general (part 1)&lt;br /&gt;
File:S4.webp|alt=(V) Settings -- general -- part 2|right|(V) Settings -- general (part 2)&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
No direct presentation of the Terms of use or the Privacy policy. The dialog in images (I) and (II) only contains information about the app&#039;s version and links, one of which is the website.&amp;lt;ref name=&amp;quot;altsite&amp;quot; /&amp;gt; This webpage includes a &amp;quot;Legal Notices&amp;quot; link, through which users can find the relevant documentation. &lt;br /&gt;
&lt;br /&gt;
Image (III) contains depicts the app&#039;s &amp;quot;Home&amp;quot; tab. The user would have to click the &amp;quot;&#039;&#039;About Thorium (Online)&#039;&#039;&amp;quot; link (visible on the bottom right of the images), which would open the app&#039;s website in the browser. This, however, is not the same website as the one that the link from image (II) leads to.&amp;lt;ref name=&amp;quot;homepage&amp;quot; /&amp;gt; In fact, via the former (through &amp;quot;Legal Notices&amp;quot;),&amp;lt;ref name=&amp;quot;conformance&amp;quot; /&amp;gt; users can access a more recent version of the Terms of use (the version from 8 Apr 2026 as of 27 Jun 2026);&amp;lt;ref name=&amp;quot;tos2&amp;quot;&amp;gt;{{Cite web |title=Conformance Reports - Terms of use |date=8 Apr 2022 |url=https://conformance.thoriumreader.com/documents/desktop3/terms-of-use/ |url-status=live |website=conformance.thoriumreader.com |archive-url=https://ghostarchive.org/archive/bRGDV |archive-date=27 Jun 2026}}&amp;lt;/ref&amp;gt; whereas via the latter, users can access (by scrolling down to the &amp;quot;Terms of Use, Privacy Policy&amp;quot; section, where they&#039;d find the link) Terms of service (as of 27 Jun 2026) from 22 Nov 2022.&amp;lt;ref name=&amp;quot;tos&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Image (IV) and (V) depict the settings tab, where any links can&#039;t be found either. This is also seen in the installation videos in [[EDRLab#External links|External links]].&amp;lt;ref name=&amp;quot;install-thorium-win&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;install-thorium-mac&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Products==&lt;br /&gt;
*Thorium Reader&lt;br /&gt;
*Readium LCP (main contributor)&lt;br /&gt;
*Lis mon Livre&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[[Digital rights management]]&lt;br /&gt;
*[[Forced arbitration]]&lt;br /&gt;
*[[Readium]]&lt;br /&gt;
*[[Adobe Digital Editions&#039; ebook DRM]]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
&lt;br /&gt;
==External links==&lt;br /&gt;
===Installation videos===&lt;br /&gt;
*[https://edumedia.dk/media/t/0_dadiw6fi/480184 Thorium PC installation video]&lt;br /&gt;
*[https://edumedia.dk/media/t/0_1j7nppt4 Thorium Mac installation video]&lt;br /&gt;
===ToS===&lt;br /&gt;
*[https://conformance.thoriumreader.com/documents/desktop3/terms-of-use/ 2026 ToS] ([https://ghostarchive.org/archive/bRGDV archived])&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/terms-of-use/ 2022 ToS] ([https://ghostarchive.org/archive/O61SS archived])&lt;br /&gt;
[[Category:{{PAGENAME}}]]&lt;br /&gt;
===Privacy Policy===&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/privacy-policy/ Privacy policy] ([https://ghostarchive.org/archive/cemKI archived]); [https://conformance.thoriumreader.com/documents/desktop3/privacy-policy/ Same policy but on &amp;quot;conformance.thoriumreader.com&amp;quot;] ([https://ghostarchive.org/archive/ye7GZ archived])&lt;br /&gt;
===Websites===&lt;br /&gt;
*[https://www.edrlab.org/software/thorium-reader/ edrlab.org/software/thorium-reader/] ([https://ghostarchive.org/archive/mqQkB archived])&lt;br /&gt;
*[https://www.thoriumreader.com/en/ thoriumreader.com] ([https://ghostarchive.org/archive/ZjTqS archived])&lt;/div&gt;</summary>
		<author><name>Galomi04</name></author>
	</entry>
</feed>