Account for legal issues?

[m-mohr]

We had a comment at the PhiWeek workshop that we should inform the user that there's data passed to a third party through openEO, e.g. to GEE or Vito. So we should see to which extent and how we inform the user about legal and property issues (terms of services, ...)...

[edzer]

Suggestions:

• for GUIs: add a check button, by default unchecked, that says "I agree with the terms of service of this backend" for those backends that have a ToS
• for CLI clients: add an argument I_agree_to_terrms_of_service, by default FALSE, that needs to be set to TRUE, as part of the connect command, when existing and required.

[m-mohr]

In addition, we can allow providers to add links to ToS / GDPR / ... with respective rel types (copyright, disclosure, privacy-policy, terms-of-service?) in the capabilities.

[m-mohr]

I added this to the API specification with remarks for clients to handle them properly. Do we need to send the agreement to the back-end at some point or is it fine to just handle it on client-side?

[soxofaan]

for CLI clients: add an argument I_agree_to_terrms_of_service, by default FALSE, that needs to be set to TRUE, as part of the connect command, when existing and required.

as a developer, this feels like a silly approach :)

Couldn't we just tackle it during the "registration" of a user (the first time a backend sees a user): forward to a page to consent/agree. For example:

• user makes API request
• backend detects that user didn't consent yet and throws an "LegalConsentRequired" error, with link to consent page or something alike
• client forwards user to consent page
• when user agrees, backend flags user as "has given consent"

[m-mohr]

@soxofaan It's still up to the back-end to decide. The current draft (see 99e4655) just gives the possibility to define terms of services and privacy policies in the capabilities and obliges the clients to ask for consent (in whatever form) when they are set. If the back-end doesn't set this (because it's part of the registration process) the client doesn't need to promt for consent.

At the moment the client doesn't even send the consent to the back-end, but that may still need to be considered. (I guess we need a lawyer to decide this.)

[m-mohr]

I'll leave it as it is for now. Communicating the consent to the server can be considered again for 1.0-final.

[m-mohr]

As an example, here's the implementation in the Web Editor:

So I just inform the user. I think for client, I'd propose to not actually make parameters, but just show a info with links - like the one above - in the console directly after receiving the capabilities and before any other action.

[m-mohr]

@flahn @bgoesswe @soxofaan @jdries How are you planning or have you implemented the TOS / privacy policy links from the capabilities in the CLI libraries?