Last year I signed up for a paid subscription to Grammarly...then I read terms of use[1]. I know...it should have been the other way around, but here it goes:
> "By uploading or entering any User Content, you give Grammarly (and those it works with) a nonexclusive, worldwide, royalty-free and fully-paid, transferable and sublicensable, perpetual, and irrevocable license to copy, store and use your User Content in connection with the provision of the Software and the Services and to improve the algorithms underlying the Software and the Services."
First I thought that may be this is just me being paranoid. So I compared their terms of service with Evernote's[2] and summarize the differences for them in the support ticket asking termination of my account. I reproduce that here for reference:
> In Evernote's TOS
> – It's clearly noted that the user retains their Copyright to the content;
> – and the license to Evernote is a limited and they don't "obtain any right, title or > interest" other than they point out;
> – they don't require sublicensable and transferable rights to User Content which is different than having the rights to share the content with other contractual partners
(which they require);
> – the agreement on content is irrevocable as long as the content is stored on the service.
Is the grammarly ToS more than a CYA? I think they may do it that way to protect themselves from being sued after retaining your work. But I don't like the possibility of them owning your work.
I feel like the first thing we should talk about is how this is effectively a keylogger, similar to Windows 10's inking and typing setting, albeit with likely poorer security.
Collecting everything you type into a web browser (or MS Office) and sending it to them seems like a really bad idea.
Why is this story not bigger news? Grammarly is excreting ads into my eyes before nearly every YouTube video I watch, yet I don't see any mainstream sites covering this.
Mostly because cloud-connected keyloggers are mainstream. As I mentioned, Windows does it if you have their "inking and typing" setting enabled. A lot of mobile keyboard apps do it, especially if they say they use the cloud to help correct your typing.
Of course, in the case of Microsoft or Google, you presumably either have disabled the setting or you place your trust in their security practices that it is okay, because they are top tier companies, and most people send them all their private data anyways.
There are a LOT of things out there that collect everything you type these days, and rarely to people want to define them as keyloggers.
When people want privacy they will inevitably have to give up usability. I ditched Swiftkey for an open source Android keyboard that doesn't connect online or asks for any permissions. Its CRAP but it doesn't leak.
I can't speak for GP, but I switched to Hacker's Keyboard[1] which doesn't support gesture typing. I'm pretty happy with it, though it's pretty barebones (it doesn't even turn on the phone's radio). Took a bit getting used to -- the recommendations are different and it felt like the key hitboxes weren't the same as gboard, but it felt pretty familiar after a couple of weeks.
You should check out MessagEase keyboard. It is so accurate for me that I don't even need corrections. It takes a little bit of time to get used to, but once you get the hang of it, it's super fast.
top tier doesn't necessary mean better security. Your data being accessible from the cloud is a security risk by itself and these companies are huge targets for hackers, and will share your data with state actors, or worse advertisers, for-profit data miners et.al.
Keylogging is just the beginning. Any (and many) browser extensions have the ability to record everything you do on every page you visit. All it takes is specifying the <all_urls> permission in the extension’s manifest and adding some event listeners.
It has to work this way or browsers wouldn’t be truly extensible. Be mindful of which extensions you install.
It's ridiculous that we're at this point where using a handful of software applications means keeping up to date with the social life and financial situation of the developer, reading changelogs, etc.
And you only can spare both the time and cognitive load to do this for at most a dozen or two applications, if you really care. The rest, you just have to trust that enough other people are watching carefully.
But the average person isn't going to keep up with even one application. They only bought their computer so they could browse the web and check emails, not so they could learn the details of how it works.
Likewise, most of us don't buy a car in order to spend a lot of time learning about exactly how a combustion engine works. We don't have the time.
Granted, this board is laden with engineers who will make the time to understand how their tools work, but we simply cannot expect this kind of effort from most people.
So, like we have to trust lower-level components to be scrutinized elsewhere, and trust we will be alerted in case of critical issues, the general population must trust the "nerds" to get things right and keep them safe.
This means that typically, the best attack surfaces will be small, widely-distributed, low-level software stacks whose developers can easily be compromised. Not just software either, but hardware.
It does seem like this is ultimately a battle we are going to lose without regulatory legislation in domains that require mass-deployment of software that can potentially breach Constitutional rights. In order to be federally qualified as "privacy-friendly", you have to meet certain guidelines both on a hardware and software level. This would include automatic transmission or collection of certain kinds of data without very express permission.
I completely agree with you. Unfortunately, legislation has been stuck in the 80's for the most part, and while I understand why, it can be frustrating.
On iOS you currently have to explicitly allow network access to third party keyboards in the settings app (the not very clearly named "Allow Full Access" toggle), which as others have pointed out, is disabled by default on all newly installed keyboards. I have no idea how this works on other popular mobile device platforms.
I've not found time to try any of them yet so I can't comment on how they compare to Grammarly, but there are F/OSS alternatives.
https://languagetool.org/ for one supports running your own instance of the server-side portion out-of-the-box. You could run it truly locally assuming your device is appropriate, or your own server which might be more flexible as you can support a greater range of devices and share custom dictionaries between them.
I, for one, don’t really care if someone has written to me in the passive voice. Or is changing tense. The message is still received. If it will mean they are more secure that way, then I will allow it.
It doesn't. How many times haven't colleagues asked, 'how did you do that in vim?' Only for me to stutter and literally having to repeat the command while looking at the keyboard?
Realized this when it wanted to install the plug in. Pretty much installed it. Used it for what I needed then uninstalled. They have a word plugin which I believe needs to be explicitly turned on so that’s a better use.
No. 1Password, as far as I know, doesn't trigger anything until after I've given it the OK to do its thing. It can input passwords when I allow it to and it saves the password only after I've confirmed that it's ok to. It's possible that they're secretly logging everything in the background but that seems to be completely antithetical for a company that requires the trust of its users for its product to sell.
I personally stay far away from password managers, especially as browser extensions. I'd really recommend everyone look at how many of their Chrome extensions have the permission to "access your data on all websites", and consider whether or not they really trust the companies or individuals who made those extensions with that permission.
It's eye-opening to people when I ask them about an extension they have, say "Honey", and they say they like it because it saves them money. And then I point out it can access everything they do online, and ask them if that's a concern or not.
As an open-source extension developer, I wish there was a way to prove that the extension uploaded is generated from a specific git commit. It wouldn't solve everything, but it would make it easier for anyone to audit the code and know that it actually matches the code I've uploaded.
Indeed. I was thinking about this, and would argue this should really not only exist... but be the only way extensions with this level of wide-sweeping access should be permitted to be published.
Chrome team, if they were security-focused, would not permit any closed source extensions which have access to all website data.
People don't seem to understand sometimes that if an extension has this sort of access, you need to be able to trust your browser extensions as much as you trust your browser itself.
Use an out of band password manager, whose key is never transmitted over a network. Or a notebook that is physically secured. There are a number of solutions for password vaults, and you can use a variety of means to synchronize them if needed.
The notion that it's a good idea to trust a browser extension for secrets management is pretty bizarre to me if you're protecting high value assets.
As always, it depends on your threat assessment and what is practically possible. For the vast majority of users, using a password manager browser extension [1] is a large improvement over password re-use over dozens of sites. Most folks will also not want to put in the effort to use an out-of-band password manager.
(Not directed at you personally, but I often hear such comments from people who are then perfectly fine to use a password manager in X11, where in a the default configuration every application can read your keystrokes, screen grabs, clipboard, etc.)
[1] Preferably one that communicates with an out-of-process password manager over an authenticated channel like 1Password.
I love passphrases and mnemonics. There are passwords that I retired out of anywhere they existed several years ago that I will probably never forget as long as I live. And not only is it easy to create memorable passphrases, and they're fairly long, you can then combine your passphrases in interesting combinations to get even more passwords that you probably will never forget.
Beyond that, the "never reuse passwords" adage is horribly oversold. If it handles my money, my email, or my web hosting, it needs to be unique. Passwords for places I comment are commonly reused and not as sophisticated because it is not seriously impactful to me if someone gets a hold of them.
Reuse passwords for sites that can't meaningfully harm you if they get compromised. Minimize how many accounts can harm you by not saving your credit card info in most of them, uncheck that box when you pay for stuff.
I'm also insanely liberal about deploying 2FA. I have it everywhere it's available, even sites with common/stupid passwords. So a lot of sites I don't bother with unique passwords will still be somewhat protected if my password is compromised. I'm also subscribed to haveibeenpwned with every email address I've ever used for anything.
A Chrome extension even with all available permissions doesn't have access to your password manager. (It could record the passwords as they're typed or autofilled into a webpage, but it doesn't make a difference whether you're using your browser's password manager or typing it yourself there.)
I am too paranoid to use them, but, from what I read (regarding the biggest one):
"LastPass encrypts your Vault before it goes to the server using 256-bit AES encryption. Since the Vault is already encrypted before it leaves your computer and reaches the LastPass server, not even LastPass employees can see your sensitive data"
If there is an attack still possible (even using LastPass employees) can you post it here?
At a glance what they have in common is flaws in the scripts that the LastPass extension injects into pages. The injected scripts can communicate with the extension core with a set of RPCs. Each of these issues is a way of tricking the extension into running RPCs from untrusted JavaScript on any web page. The RPCs available allow an attacker to fetch the credentials for any site in the database or even execute arbitrary code on the host.
Not sure if you're using the credential "autofill" feature, but somewhat recently there was an attack in which their autofill extension could be tricked into "autofilling" specific sites' credentials on a malicious webpage. (Not sure if this has been fixed by LastPass)
The fix for that was to not use autofill and revert to manually grabbing your username/password when filling out a login form.
Aside from that, I am not aware of other "hot" attack vectors.
LastPass has been very diligent in fixing issues like the one you list. Usually very quickly (sometimes in hours, not even days.) And most of the issues you've read about with LastPass have been fixed before being disclosed because of how responsive they are.
Users still need to practice skepticism and ultimately it is their responsibility to protect their passwords. But LastPass has been a very good citizen when it comes to being as secure as possible.
I would not say "as secure as possible" since the risks introduced by a browser extension are very real. Though the alternatives lately are impractical for non-technical users
I used LastPass for a while. Then it filled in my username and password (correctly) on a website without my having authenticated... It looks like there's an unencrypted local cache which is not flushed when your authentication expires or you log out. I wasn't able to reproduce it but I was sufficiently spooked to stop using it after that.
Not even close. For instance check out password-store. It's a cli that uses gpg to store passwords. You can install an open source browser extension, but it only allows you to login easily and is manually triggered. It only connects to your local password-store.
You are getting down votes because HN has a policy that the HN Title should match the Title on the link to prevent editorializing in almost all cases.
This prevents users from creating click bait headlines to get that karma tho, the majority of the time. Cases where the actual title is the click bait like this one, are the unintended consequence of that policy.
That's true, except the guideline reads "Please use the original title, unless it is misleading or linkbait" and you can argue that once a vulnerability is fixed, implying it's still there is misleading. So we often edit those titles to past tense once that's more accurate. Same with "$site is down" -> "$site was down".
They probably should have waited to let Google know they fixed it though, as Google releases the bug details immediately when a fix is made rather than waiting to give people a chance to upgrade before it's made public.
Another nice thing about Grammarly is that the plugin just blindly detect contentEditable inputs and start screwing with their content. This very much breaks modern WYSIWYG web editors, which typically expect to have control over the editable content. Which more or less comes down to "move over page scripts, I'm a browser plugin, this is _my_ webpage now".
Yep. I recently had a client that kept having layout problems with an email template I had written for him, after he had edited the content in WYSIWYG.
Turns out Grammarly was injecting HTML into the editor, which in turn was being included in the email body!
As a web developer, setAttribute('data-gramm', 'false') is your friend.
For better or for worse, between browser extensions loaded by the end user, and "tags" injected by your well-meaning business analytics team - see my comment here: https://news.ycombinator.com/item?id=16314501 ), the extension ecosystem has become the new Internet Explorer in terms of compatibility testing. Luckily most of the workarounds are trivial, but it's essential to have good QA on actual client machines if you're doing, well, anything at all.
This will work fine until the next Grammerly decides that when you put data-gramm you meant to disable Grammerly, and their software is better so its fine to ignore that unless you add a data-whoever and on and on.
Or eventually web developers will start putting that stuff in by default, bootstrap will come with it, etc.. and these companies will see less and less traffic, and they'll start coming up with reasons to ignore it.
It was also breaking sites built on JS frameworks like Angular and Ember (probably others, those are the two I saw specifically) where the framework expects to be controlling the DOM (and Grammarly was messing with things causing out of context changes that the frameworks didn't expect)
Yes, after working on a rich-text editor this is now the only thing that I think of when I see things about Grammarly. In our case, we emailed the Grammarly devs, who shortly turned it off for our domains. I prefer this to turning it off on our end with the data-gramm attribute for probably obvious reasons (maintenance, cleanliness).
LastPass does this as well to input fields. Made it unusable for me. Haven't used a password manager since (was a couple of years ago). Has this problem been solved well recently?
I have been a 1Password user since ~2010 and never once has it ever made an input field or login form unusable for me. (I used LastPass briefly before, but vastly preferred 1Password's native apps and more secure architecture, which was completely validated when LastPass was hacked a few years later)
I do not have a problem with LastPass on input fields (including this one), nor do I recall one. Perhaps a setting was amiss or it was a platform-dependent issue. Grammarly, OTOH...
I have no idea if it's still an issue, but ~1.5 years ago, I was sorting through my email, and discovered that a small plain text message was taking up >3MB in my inbox.
I dug in a bit, and it turns out that Grammarly was embedding a gigantic amount of code into the email messages in the form of stylesheets and other things.
Needless to say, after raising it up the chain, we had the extension blocked company-wide.
I uninstalled it a couple of years ago when I realized it was doubling the load times for every single page I visited. That embedded code is probably why.
Although as a non-native speaker I find their service very attractive, I've so far refrained from installing their apps/extension. I was never confident enough about how Grammarly would keep safe every word I type (emails,...). This bug is a confirmation I should not trust them or any similar service.
I tried it and my browsing exeprience was just terrible. It made Chrome so slow that there was a delay in typing and the character appearing. Haven't tried it again.
This was my experience as well. I don't know how anyone is able to use it; it brought my 2017 MacBook pro to its knees every time I would start writing a HN comment. I uninstalled it after about 5 minutes.
With English being my second language I find Grammarly absolutely essential. I dabbled in creative writing in my native language, was a bit proud of my skill and made it a point to use correct grammar, punctuation, and spelling in all kinds of written communication, even on IMs.
To get to this point, I did primarily two things: I read a lot, and I wrote a lot. I then submitted my writing to my peers, similarly interested in creative writing, who would also -
in addition to the story, characters and so on - criticise my word choices and my grammar. It took years, but it was enjoyable, and I acquired my second (and last, after programming) skill that could be of some value.
A couple of years later, when I started working, I had to switch to English. It wouldn't be that big of a deal were it not for my experiences: every time I had to write anything, I felt incredibly constrained, like I'm missing half of my brain. I was used to being able to express myself precisely, clearly and elegantly in writing - all of that stopped working after the switch. It's incredibly frustrating, to the point that for a few years I was in complete denial and refused to write in English wherever I could get away with it.
Well, I thought, I got proficient in Polish, so technically I should be able to get to the same point in English, right? It's easy - I just need to read a lot and have a group of people who'd like to read my writings and correct my mistakes. Easy!
...however, I'm not in high school anymore. Between work and the little social life I have, there's not that much time available for pursuing other matters. I do read a lot, exclusively in English, but these are mostly tech-related articles, blogs, and books, written by people who couldn't care less about beauty and elegance of their writing. It's actually counterproductive if my goal is to get better at writing - such posts are chock-full of both errors and merely weird wordings and constructs. And nobody seems to care.
There is a creative writing StackExchange (and many other places), where I could submit my texts to get the criticism and corrections I need. Unfortunately, I don't have the time - even if I had the skill - to do my part of the deal, that is, to read and comment on writings of others. I'd feel bad exploiting strangers like that.
As you probably already guessed, this is where Grammarly comes up. It gives me a bit of the feedback I need to improve my writing. It's not at the level of other humans, which is obvious, but it does catch some mistakes and some stylistic problems. It doesn't rely on unpaid work of others, so I have no qualms about using it. I'm not worried about following its advice because even if it's wrong, nobody would care. The amount of contempt for the language in the tech community is staggering; average tech-related writing is on such a level that I'd rather chop my hand off than write like that, but it shows just how unimportant correctness and elegance is for people (as long as it gets the point across... right?)
So, to summarize and get back to the topic at hand: Grammarly is non-ideal on so many fronts, that to simply enumerate them would take until Friday (it's Wed today). But it's also the only tool I can rely on, and it does an acceptable job at what it does. It breaks web pages, it's unusable from outside a browser, it's error indicator is frequently displayed 3+ lines from where it should be, it's stupidly dumb and cannot, by itself, tell where the additional "actually" is actually needed, but it's the only help I can get, so I use it.
Of course, if your goal is merely communication you do not need anything other than basic spell-checker and a book on basic grammar. On the other hand, if your goals are similar to mine, then Grammarly is one step above that combo. It isn't, and probably won't ever be, anywhere near the level of human reviewers, but it is something.
PS. For a long time, I wanted a feature in Grammarly that would automatically slurp content of blog posts and articles in, so that I can just click a couple of times and then read the post without all the mistakes and weirdness people so often put in there. Reading the top-voted comment here, about the license, I see why they won't implement it. Similarly, I guess Emacs plugin is not going to emerge anytime soon. Whatever you use Grammarly for, you should assume it's public. It doesn't make it any less usefull for writing comments on some sites or posts for my blog, though.
This, just like Mozilla’s screenshot addon, and all the other examples, shows why it’s an insane idea to mix addon content with the websites, and why it’s important to make sure that addon content can run on the UI layer of the browser, and not within of the content of the sites.
Relying on "best practices" is always a security disaster waiting to happen, if you don’t enforce security and separation in the design of the APIs and languages already, you won’t get security.
Wouldn’t such a restriction eliminate the main selling point of extensions, which is that they can modify content on the page?
The extension permissions API already offers enough restrictions. As a user, I simply do not install extensions that need access to all pages, or I only enable them on pages where I need them.
Some extensions like Google Inbox for Chrome will inject a single `iframe` that points to a `chrome-extension://` page, so while the page might notice the element, it can't access its content.
I think you could use the Shadow DOM in closed mode to prevent any information from leaking. [1]
That only works for extensions that want to show their content in a separate overlay layer from the page. If the extension wants to show its content inline with the page's elements, pushing the page's elements out of the way and freely flowing with the page's elements, then that doesn't exactly work.
An extension can stuff its UI within an iframe that the host page can't manipulate, but that does come with some UI limitations.
As long as the extension UI is rendered where the page can also render something, it will be vulnerable to phishing. E.g. https://www.seancassidy.me/lostpass.html
I think Chrome's (and now Firefox') awkward extension sandboxing is partially to blame, though.
When you add an extension page script, you get access to a page's DOM, but you're completely isolated from the page's own JS: You get your own JS context and window object without any modifications the page may have done to it. That's usually reasonable as a page can mess with the built-in methods of its context, so if an extension were to rely on them, the risk of privilege escalation attacks would be really high.
Except sometimes an extension does want to interact with the page JS, (e.g. for accessing data the page only keeps in JS objects but not in the DOM.)
As far as I know, there is no safe way to do this in Chrome. The recommended (!) way is to inject a script element into the DOM and exchange data with the page script via some makeshift communication channel, e.g. postMessaging yourself. This will of course drop you right back into the hall-of-mirrors of potentially manipulated builtins that the page script isolation was trying to keep you out of. But apparently now it's ok if you have to deal with that by yourself.
From the looks of it, it seems Grammarly tried to open exactly that kind of communication channel and didn't correctly secure it.
Chrome and Firefox have _very_ different behaviors here.
In Chrome, there is no way at all to get hold of the page's JS objects.
In Firefox, the default behavior is that you don't interact with them, but you can explicitly ask for them and once you have them you can work with them. Depending on what you do with them, you may or may not be creating security bugs, of course.
Critically, in Firefox you can have your separate clean builtins _and_ be interacting with actual page JS objects at the same time.
There are arguments for and against both models, of course.
There's no reason to send the grammarly auth token into the page's javascript context to begin with. The ajax connections can be done with the auth token in the extension's protected content script context.
What's the etiquette for disclosure timeline on something like this? It feels like 99.9999% of end users won't see this public disclosure, and waiting enough time for auto-updates to be applied would be ideal. Public disclosure as soon as the patch is available lets bad actors know about it while the vast majority of users are still vulnerable.
Project Zero is very aggressive about releasing exploit details as soon as a patch is available- they don't wait for users to actually have a chance to upgrade. This caused some drama when they were releasing vulnerabilities to password managers.
The bad actors pay people to find these issues. It's prudent to assume that blackhats know about this already anyway. Thus, it's beneficial to push fixes asap in order to minimize the window for the blackhats.
It's a choice between visible pain and invisible weakness. The early disclosure hurts and amplifies the issue. However, the malicious actors you need to worry about would be glad for every day without disclosure, because every day without disclosure is profit to them.
Maybe I'll sound stupid, but is it possible to force an update of a chrome extension without removing it and then adding it again from the store? Is that application-specific?
If a new version is available on the store it will update automatically from time to time. You can trigger the auto-updates from your extensions settings page.
Enable developer mode, and then Update Extensions Now. That forces a manual update (although the version you're referring to appears to be the latest).
So… I of course had no specific idea about this, but in 2014(?) I declined recruiting pursuits from Grammarly after realizing that their developers were almost entirely managed from another hemisphere. It sounded like a very top-down, low-collaboration, anti-engineer environment. I am not at all surprised that major issues like this can and would occur in such an environment.
Between this disclosure and grammarly.com, I've been trying to understand how Gramarly works, and therefore understand the impact of this event. Let me know if i got this right:
1) Grammarly is a fancy grammar/spelling correction tool.
2) You use it by opening an account, and installing their browder extension.
3) As you type text into a web page, the extension sends that input back to Grammarly, where their software analyzes it and provides correction recommendations.
4) The text that was sent back is persisted under your account, and is available for retrieval.
5) A software bug in their extension allowed a script on any site to see your Grammarly auth token.
6) As the result, any malicious site could log into your account, and see what you've been typing.
Is that the rough gist of it? If yes, then how in the world does #4 make any sense? Why store and expose that data, knowing that it's likely to contain troves and troves of sensitive and PII information...
Kind of tangential, but does anyone else worry that systems like these will start to dictate what is "correct" language. Basically pushing narratives subtly through "correcting" totally acceptable speech.
It's an old worry. For years people have complained about microsoft word's hegemonic recommendations. I've read articles where 'real writers' had to turn off the recommendations, it was messing them up. Today we have less of a world wide leader (would google's algorithms be number one?), so there's less chance of one thing winning.
Most people with any writing capability do not use these tools. They are for foreign speakers of English or extremely poorly educated native speakers, they only affect the bottom 50% of written content which is not what affects the development of language.
It's only mentioned in the comment, but the amount of mistakes in tech-related writing, by native English speakers and otherwise, is gargantuan and overwhelming, and I'd wish using something like Grammarly (if safe, open source and so on) was a requirement for putting your writing on the web.
As it is, the quality of writing is so bad, that I (as a foreign speaker) don't improve my English in any way by reading it, and I have to be very careful not to repeat these mistakes in my own writing later.
The day I heard about Grammarly (saw a Youtube ad). Free to use, I thought to myself, this surely monetizes by analysing all my input in their servers, wherever they are.
It looks like a good product. If they offered a true offline version for desktop with 4+ updates a year, I could see myself paying for it.
I blocked Grammarly at my last company, nothing like giving a company tracking access to everything you type or read, and their EULA gives them the rights to everything they track.
Using Grammarly is stupid, paying them is downright insane.
We block extensions, period, on Google Chrome, as it prevents most malware outright. But then we've also discovered Grammarly's Microsoft Office plugin installs to the user folder (without requiring admin rights) as well. I've made a request to our antivirus vendor to add detection and blocking of Grammarly specifically, for the moment we're detecting it a different way.
That's OK, I figured he or she may not want to publicly reveal details, that is understandable in this case imho. As I said I was just curious if it was maybe a simple solution that could be implemented elsewhere.
Yes. Google offers ADMX templates for controlling Chrome which can be deployed through group policy. It includes an extension blacklist, which accepts wildcards. In my case, I put a * in there. It also has an extension whitelist, and a list of "force-installed apps and extensions".
I found a Firefox ADMX template project on GitHub, though it's third party and entails running a VBS file on system startup, so I wouldn't recommend it.
Are there any good open source grammar checkers for English? Spanish? German?
I recently loaded Wordperfect for Win3.1 into a Win3.1+Dosbox instance because I remember it's grammar checker back in the 90s was far superior to what's built into MS Word today. I've been meaning to test it out and do a comparison blog post.
There’s LanguageTool, a wonderful open-source tool. I’ve only used it for English, but it supports a lot of languages. There’s also addons for a lot of editors.
> "By uploading or entering any User Content, you give Grammarly (and those it works with) a nonexclusive, worldwide, royalty-free and fully-paid, transferable and sublicensable, perpetual, and irrevocable license to copy, store and use your User Content in connection with the provision of the Software and the Services and to improve the algorithms underlying the Software and the Services."
First I thought that may be this is just me being paranoid. So I compared their terms of service with Evernote's[2] and summarize the differences for them in the support ticket asking termination of my account. I reproduce that here for reference:
> In Evernote's TOS
> – It's clearly noted that the user retains their Copyright to the content;
> – and the license to Evernote is a limited and they don't "obtain any right, title or > interest" other than they point out;
> – they don't require sublicensable and transferable rights to User Content which is different than having the rights to share the content with other contractual partners (which they require);
> – the agreement on content is irrevocable as long as the content is stored on the service.
[1]: https://www.grammarly.com/terms
[2]: https://evernote.com/legal/tos.php
Edit: Formatting.