Prompt to accept identity server policies before inviting them to a room

[lampholder]

Prompt for accepting IS terms before inviting a user by email address (if you haven't already agreed to that IS's policies)

There's another beat on which we need to capture accepting the IS's policies - before associating a new email address with your account _and choosing to publish that association on the IS - but that's tracked in #10159 (comment)

[lampholder]

This will require a change to sydent and presumably the spec to expose policy documents

[turt2live]

we should try and reuse matrix-org/matrix-spec-proposals#1692 if possible

[lampholder]

Talking this through with Dave yesterday, we identified that it might not be desirable or appropriate for the IS to track users' acceptance of policy terms itself, since it would then need to support Open ID.

It might be preferable for the IS to mandate that calls to its APIs are provided with a 'policy-accepted' header representing the URI(s) of the latest policy documents the user has indicated their acceptance of - if this doesn't match the latest docs the IS has published, it can respond with an error (and the URI(s) of the new docs).

This approach could work for the IM, too.

This approach allows us to state with confidence that either the user accepted the terms, or (worst case scenario) the client they were using made a false attestation on the user's behalf.

[lampholder]

Basically this looks something like this (if the user hasn't yet agreed to the active is'es t's and c's:

[ara4n]

Is there a reason to do this here rather than at registration or when changing IS? I'm worried that we may have other places where we need to talk to ISes (e.g. for displaying bound 3PIDs in settings), and having each UI control prompt for GDPR flows will be cumbersome versus doing them up front.

[ara4n]

also, if we did it at registration via #10167, hasn't the user already agreed?

[hammerandtongs]

Whats the flow if the user hasn't agreed to #10167 (because they dont find the 3PID useful and so opt out)?

They don't expect to suddenly have agreed to a TOS they disagreed with merely because they send an invite.

[nadonomy]

After validating today, latest comps are in Zeplin: https://zpl.io/brMdWo3

In instances like this, we shouldn't add cognitive load to any existing UI (like #10093 (comment)) but instead display T&C's modally, with the option to either continue or go back.

[hammerandtongs]

If someone has disagreed with the TOS originally, you now want to spam them with the TOS?

Instead you could add some programmatic way of sharing a registration link that would direct the invitee into a room once registered?

Or simply stating in human terms some simple steps to take out of band to invite them to a room?

This looks like dark pattern territory as it is.

"Take the terms or nothing"

This is EXACTLY where cognitive load should be added so that you don't submarine people into taking a TOS they disagreed with already.

[nadonomy]

If someone has disagreed with the TOS originally, you now want to spam them with the TOS?

A lot of users will have agreed to the ToS as per #10167, for those who haven't, this lets them review and optionally agree ToS when they need to.

There is absolutely no 'spam' as you put it— users are presented with ToS contextually in order to achieve an action they've initiated, and can review and optionally agree if they like.

Instead you could add some programmatic way of sharing a registration link that would direct the invitee into a room once registered?

Riot URL's can already be shared (e.g. https://riot.im/#/room/#example-room:matrix.org) and https://matrix.to exists also, exposed via 'Share room' UX in the client.

Or simply stating in human terms some simple steps to take out of band to invite them to a room?
This looks like dark pattern territory as it is.
"Take the terms or nothing"

This is polishing the UX for users that have clicked on [Invite to this room] in the member list. We do have plans to improve, polish and then prioritise link based invites in future in the UX, but until then this issue pertains more to iterating on existing features, not greenfield development.

No dark patterns here, just improving existing features before developing or polishing future ones.

This is EXACTLY where cognitive load should be added so that you don't submarine people into taking a TOS they disagreed with already.

Without being able to review the design comps these quips are entirely baseless. Feedback is more productive, and well appreciated, when responding to the full picture, so please wait on that before piling on with unfounded comments.

The privacy work is complex, spanning everything from UX to technical architecture and we're working hard at it.

[jryans]

For this case, we are currently planning to show the generic Terms modal flow when you access an IS for the first time.