Page MenuHomePhabricator
Create Task
Maniphest T64687

Add warning for user on /authorize about privacy policy
Open, HighPublic
Actions

Description

Our privacy policy allows us to share a user's information when they have given consent.

Give the user explicit notice when they authorize the connected app that we may send information to the connected app about the user, and that the data collected is governed by the connected app's privacy policy, not our's.

Michelle suggested, "Allowing Hello World to do these actions means that some of your information may be sent to Hello World and will be used according to their privacy policy."

There is already a message for this iirc, text just needs to be added.

Version: unspecified
Severity: normal

Details

Reference
bz62687
SubjectRepoBranchLines +/-
Note coverage under consumer privacy policymediawiki/extensions/OAuthmaster+3 -3
Customize query in gerrit

Related Objects
Search...

Event Timeline

bzimport raised the priority of this task from to High.Nov 22 2014, 2:53 AM
bzimport added a project: MediaWiki-extensions-OAuth.
bzimport set Reference to bz62687.
bzimport added a subscriber: Unknown Object (MLST).
csteipp created this task.Mar 15 2014, 1:39 AM
csteipp added a parent task: T86869: Support a nice sso experience with MediaWiki's OAuth.Jan 22 2015, 10:53 PM
bd808 added a parent task: T68493: Special:OAuth doesn't provide a grant to access to private info of users.Feb 25 2015, 10:53 PM
bd808 mentioned this in T75062: OAuth permission screen needs redesign for better usability and comprehension.Mar 6 2015, 2:47 AM
bd808 added a parent task: T75062: OAuth permission screen needs redesign for better usability and comprehension.
bd808 moved this task from Backlog to UI/UX on the MediaWiki-extensions-OAuth board.Mar 6 2015, 10:15 PM
bd808 added a project: Reading-Infrastructure-Team-Old (Don't use).Mar 30 2015, 7:33 PM
bd808 subscribed.
MarkTraceur subscribed.Apr 14 2015, 11:01 PM

@csteipp my solution to T59457 actually means we can't add this to an existing message, because I'm using the message(s) in core. In that case, is this just a duplicate of T64686?

csteipp added a comment.Apr 15 2015, 9:33 PM
In T64687#1208264, @MarkTraceur wrote:

@csteipp my solution to T59457 actually means we can't add this to an existing message, because I'm using the message(s) in core. In that case, is this just a duplicate of T64686?

@MarkTraceur, not quite. Michelle's request was that we add another message into the dialog. We already add mwoauth-form-legal to the authorize form, it's just a blank message right now. Adding the app's name as a parameter and defining the message to Michelle's suggested wording would be the minimum implementation. It would be great to get UX input.

Defining the message as is gives,

Screenshot_from_2015-04-15_14:28:36.png (598×1 px, 113 KB)

UX input appreciated.

MarkTraceur added a project: Design.Apr 15 2015, 9:34 PM
MarkTraceur set Security to None.
Tgr removed a parent task: T86869: Support a nice sso experience with MediaWiki's OAuth.May 12 2015, 3:26 PM
Tgr removed a parent task: T75062: OAuth permission screen needs redesign for better usability and comprehension.Jun 23 2015, 12:11 AM
Tgr removed a parent task: T68493: Special:OAuth doesn't provide a grant to access to private info of users.
Tgr added a parent task: T64686: Replace link to WMF privacy policy with link to app's privacy policy on OAuth authorize dialog.
Anomie mentioned this in T68493: Special:OAuth doesn't provide a grant to access to private info of users.Jun 29 2015, 8:06 PM
Ricordisamoa subscribed.Jun 29 2015, 8:10 PM
dpatrick subscribed.Jul 15 2016, 3:01 AM
dpatrick claimed this task.Jul 15 2016, 3:08 AM
gerritbot subscribed.Aug 6 2016, 12:39 AM

Change 303328 had a related patch set uploaded (by Dpatrick):
Note coverage under consumer privacy policy

https://gerrit.wikimedia.org/r/303328

dpatrick added a comment.EditedAug 6 2016, 12:43 AM

So, now the problem is that we don't specifically collect a link to the consumer's privacy policy. And so, the link that appears just below this new message is confusing, and we don't have data to reconcile that (re. T64686).

Tgr subscribed.Aug 8 2016, 9:25 PM

Adding policy links would be a simple change, the problematic part is, what to do with existing consumers? That's T59631: OAuth developers should be able to change some of the parameters they registered an application with instead of having to submit a new application and that does not seem simple.

Tgr added a comment.Aug 17 2016, 3:38 AM
In T64687#2535018, @Tgr wrote:

Adding policy links would be a simple change, the problematic part is, what to do with existing consumers? That's T59631: OAuth developers should be able to change some of the parameters they registered an application with instead of having to submit a new application and that does not seem simple.

I guess we could just special-case adding a privacy policy where one did not exist before.

MarkTraceur unsubscribed.Jan 27 2017, 10:36 PM
NHarateh_WMF added a project: Product-Infrastructure-Team-Backlog-Deprecated.Apr 25 2017, 12:43 PM
NHarateh_WMF moved this task from Needs triage to Backlog on the Product-Infrastructure-Team-Backlog-Deprecated board.Apr 25 2017, 12:46 PM
Tgr removed projects: Product-Infrastructure-Team-Backlog-Deprecated, Reading-Infrastructure-Team-Old (Don't use).May 2 2017, 4:51 PM
Aklapper removed dpatrick as the assignee of this task.Feb 19 2018, 11:20 AM
gerritbot added a comment.Jan 13 2020, 5:14 PM

Change 303328 abandoned by Reedy:
Note coverage under consumer privacy policy

https://gerrit.wikimedia.org/r/303328

Aklapper removed subscribers: dpatrick, Anomie, wikibugs-l-list.Oct 16 2020, 5:01 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL