Skip to content
This repository has been archived by the owner on May 6, 2020. It is now read-only.

Ensure Riot handles the GDPR consent UX well #177

Open
2 of 3 tasks
ara4n opened this issue May 16, 2018 · 4 comments
Open
2 of 3 tasks

Ensure Riot handles the GDPR consent UX well #177

ara4n opened this issue May 16, 2018 · 4 comments

Comments

@ara4n
Copy link
Member

ara4n commented May 16, 2018

The GDPR consent UX is that synapse will invite all users to a personal "Server notices" room, in which they will get spammed a message saying "To continue to use the server, please click this link to read and consent to the privacy policy". The user will not be able to reject the invite, nor leave the room. We would like Riot to handle the room as ergonomically as possible.

  • 1 - Handles users trying to leave an unleaveable room (or reject an unrejectable invite) nicely
  • 2 - Handles error messages issued whilst trying to talk when missing consent prettily (routing them towards the consent tool). Presumably this should be the primary route the users uses to enter the consent tool? We don't want them to have to join the notices room and manually click on the link.
  • 3 - OPTIONAL: Special-case the 'please consent to use this server' event somehow in the notices room; possibly just hide it, given the user will be being forced into the consent tool by all the 40x errors they'll be getting? I don't think we should autoload the consent tool based on this event, as it might be abusable for phishing (e.g. if anyone else sent the right event type we could end up autoloading arbitrary URLs or something horrid).
    • This is now optional as we don't want to mess around setting a custom event type for the 'please consent to use this server' message, given we don't have fallback events yet. So instead Riot users will just get a redundant message.
@richvdh richvdh changed the title Ensure sure Riot (both web & mobile) handles the GDPR consent UX well Ensure Riot (both web & mobile) handles the GDPR consent UX well May 18, 2018
@ara4n ara4n added the gdpr label May 18, 2018
@ara4n ara4n changed the title Ensure Riot (both web & mobile) handles the GDPR consent UX well Ensure Riot handles the GDPR consent UX well May 18, 2018
@ara4n
Copy link
Member Author

ara4n commented May 18, 2018

Proposal for the error API from the server is to return a 40x with json error code of M_CONSENT_NOT_GIVEN, a human readable error message in the error field, and a privacy_policy JSON field that gives the url of the consent tool.

@manuroe
Copy link
Member

manuroe commented May 22, 2018

Every time the app meets a M_CONSENT_NOT_GIVEN error for a request (message post, room creation, etc), it should display a modal to the end user asking them to consent via the consent tool.

The text for this modal is:
To continue using the matrix.org homeserver you must review and agree to the terms and conditions.

where matrix.org should be replaced by the user's homeserver.

The spec for M_CONSENT_NOT_GIVEN is given at https://github.com/matrix-org/matrix-doc/issues/1252#issuecomment-390909705.

This error can be fired on anything that creates an event:

  • message post
  • room creation
  • room join
  • invite, ban, kick...
  • user displayname or avatar change
  • ...

@lampholder
Copy link
Member

@lukebarnard1
Copy link

Riot-web side of this: matrix-org/matrix-react-sdk#1919

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

4 participants