551612 - Changes to Weave Sync Client to comply with European Privacy Policy

Status: RESOLVED FIXED

(Firefox :: Sync, defect)

Description

[Pascal Finette [:pfinette]]

Attachment: Sign-up Flow

We need to make some minor changes to the Weave Sync client to ensure we properly comply with European data privacy laws.

1) In the account creation flow: Add "and Weave Privacy Policy" to the currently existing checkbox "I agree to the Terms of Service". Link "Weave Privacy Policy" to http://mozillalabs.com/weave/weave-privacy-policy/

2) In the prefs (if you're not logged in): Add links to both the Terms of Service (at http://mozillalabs.com/weave/tos/) and the Weave Privacy Policy to the bottom of the screen.

3) In the prefs (when you're logged in): Add links to both the Terms of Service and the Weave Privacy Policy to the bottom of the screen.

Screenshots for all three requirements attached.

Comment 1

[Pascal Finette [:pfinette]]

Attachment: Prefs - Not logged in

Comment 2

[Pascal Finette [:pfinette]]

Attachment: Prefs - Logged in

Comment 3

[Mike Connor [:mconnor]]

We're going to do 1 and 3 here, and 3 is only if we're using the Mozilla service.  In the future, we'll want servers to be able to specify their own PP/ToS.  2 is potentially confusing because our ToS/PP do not apply to other server operators, so we're going to omit this piece.

Comment 4

[Julie Martin]

I thought option 2 was for not being logged in, not using a different server.  Can someone explain this to me tomorrow?

Comment 5

[Mike Connor [:mconnor]]

Part 2 is a screen where a user has not set up Weave in any way, and thus hasn't chosen a server.  For users, unless they choose to use a different account, they will only use that screen once.  Except for when they're actually entering existing credentials, there's no way to know whether they're going to use our service or not, so showing links before then creates the possibility that people will associate our terms of service with someone else's service.

FWIW, I talked through this with Pascal last night, and he was good with it, but happy to talk through further if this isn't clear.

Comment 6

[Julie Martin]

I also had the pleasure to talk through this with Pascal and I'm also on board.  It sounds like you put a lot of good thought into how to do this in a user friendly, yet privacy sensitive way.  Thanks, Mike!!

Comment 7

[Mike Connor [:mconnor]]

Attachment: wip

Comment 8

[Mike Connor [:mconnor]]

Attachment: v1

Comment 9

[Ed Lee :Mardak]

Comment on attachment 442241 [details] [diff] [review]
v1

>+++ b/source/chrome/content/preferences/fx-prefs-common.js
>   _openLink: function (url) {
>-    openUILinkIn(url, window.opener.document.documentElement.instantApply ? "tab" : "window");
>+    if (document.documentElement.id == "accountSetup" &&
>+        window.opener &&
>+        window.opener.document.documentElement.id == "BrowserPreferences" &&
>+        !window.opener.document.documentElement.instantApply)
>+      openUILinkIn(url, "window");
>+    else if (document.documentElement.id == "BrowserPreferences" &&
>+             document.documentElement.instantApply)
>+      openUILinkIn(url, "window");
>+    else
>+      openUILinkIn(url, "tab");
Why not just pass in another argument to force it to open in a window? Either an explicit target "window" or maybe true. Perhaps same for the openPP/openToS functions.

>+++ b/source/defaults/preferences/sync.js.in
>-pref("extensions.weave.termsURL", "https://mozillalabs.com/weave/tos/");
>+pref("extensions.weave.termsURL", "http://mozillalabs.com/weave/tos/");
No more https? The site has a cert but it serves content from http as well..

Comment 10

[Mike Connor [:mconnor]]

(In reply to comment #9)
> (From update of attachment 442241 [details] [diff] [review])
> >+++ b/source/chrome/content/preferences/fx-prefs-common.js
> >   _openLink: function (url) {
> >-    openUILinkIn(url, window.opener.document.documentElement.instantApply ? "tab" : "window");
> >+    if (document.documentElement.id == "accountSetup" &&
> >+        window.opener &&
> >+        window.opener.document.documentElement.id == "BrowserPreferences" &&
> >+        !window.opener.document.documentElement.instantApply)
> >+      openUILinkIn(url, "window");
> >+    else if (document.documentElement.id == "BrowserPreferences" &&
> >+             document.documentElement.instantApply)
> >+      openUILinkIn(url, "window");
> >+    else
> >+      openUILinkIn(url, "tab");
> Why not just pass in another argument to force it to open in a window? Either
> an explicit target "window" or maybe true. Perhaps same for the openPP/openToS
> functions.

Because I want callers to just call this and let it figure out the Right Thing To Do.  Opening a second window always is not what we want, is it?

> >+++ b/source/defaults/preferences/sync.js.in
> >-pref("extensions.weave.termsURL", "https://mozillalabs.com/weave/tos/");
> >+pref("extensions.weave.termsURL", "http://mozillalabs.com/weave/tos/");
> No more https? The site has a cert but it serves content from http as well..

https for this is unnecessary overhead, really.  Also, it's serving some content over http anyway, so meh.

Comment 11

[Mike Connor [:mconnor]]

http://hg.mozilla.org/labs/weave/rev/65f7a51ffd91