User Opt-in consent #2504
User Opt-in consent #2504
Conversation
Add tables consent and consent_type. Projects automatically created with a pre-defined consent_type. When projects update database, pre-defined consent_type will be added as well.
create_account RPC modified to record a user's consent. am_set_info RPC modified to allow for modification of user's consent. Account registration on Web site modified to show terms_of_use.txt file and record user's consent.
Admin may add addiational consent types to the table.
When a user logs in, and they have not yet consented, the user is presented with a form to consent to the Terms of Use. This adds or modifies records in the consent table. Supported logins are: web form, authenticator, email_link, and ldap.
…nsent project config.
…ort' option. Added new preferences sub-class for consent table modification. Added privacy preference form item to record user giving consent to data exports. User's consent is recorded in the consent table.
|
I am going to ask that people start reviewing this code for merging. We especially wanted someone from outside E@H to look at this code. I've done some (alpha) testing on my own. But this was using an 'empty project' with zero users and no Web content. If there are additional unit tests that could be done, please let me know. |
Removed unused code.
… the user, since there is no way for the user to give consent.
| if (!$rc) { | ||
| xml_error(-1, "database error, please contact site administrators"); | ||
| } | ||
| } |
There was a problem hiding this comment.
If consent is required but whoever is creating the account knows nothing of consent then what? I think the code that checks that consent was given should go before make_user call.
There was a problem hiding this comment.
Right now there are multiple ways this Web RPC is called, including simply typing in https://project_url/[email protected]&passwd_hash=ahash&username=name in to a browser URL bar.
This means anyone can create an account without knowledge of a project's terms of use/opt-in consent. The boinc-command line client is another place where you can create an account without ever seeing the terms of use and consenting to it.
Ultimately, projects which really care about GDPR, i.e., located in Europe, should turn off this create_account RPC and only allow users to register via their Web site, which guarantees the user sees the terms of use.
Another way of putting this: It is assumed that the user has already consented to the project's terms of use before this RPC is called.
There was a problem hiding this comment.
I was thinking that Manager and boinccmd would be later enhanced to pass optin and source parameters. A user could be using some third party manager that doesn't show TOU and the user might not know he needs to give consent.
I was under the impression that new (non-anonymous) accounts can't be created unless the user consents to TOU. But that raises the question, if user has not given or revoked consent to TOU at all, then does that make the account automatically anonymous?
html/user/am_set_info.php
Outdated
| $cquery .= "consent_id=$consent_id"; | ||
| if ($consent_settime==1) { | ||
| $cquery .= ",consent_time=$now"; | ||
| } |
There was a problem hiding this comment.
I think it would be better if consent_time is set any time consent is given or changed and account managers have no say in the matter.
As for the rest of the consent parameters I would check that either they are all set or none of them are set. I don't think setting only some of them would work well.
There was a problem hiding this comment.
I agree with you in principle, but I received very little feedback from AM developers on what would be best for them to be able to change, hence a very flexible/open "API" for interaction.
|
About revoking consent. I don't think it's possible to just record the fact and then carry on. Revoking consent requires some more actions. If we require third parties to remove any data about a user after the user deletes their account then I would expect that we need to do the same when the user revokes permission to export data about his account. The As for revoking general terms of use, I don't think it's possible to handle that in |
|
@JuhaSointusalo , could you copy and paste your comment into the Issue ticket #2413. Let's keep discussion about the PR here, and other (good) ideas about the user consent feature in the Issue ticket. This is because I think you have some good points that require discussion. |
@JuhaSointusalo , you asked this a few times and the answer is: it's complicated. The assumption is you are updating a row in the Part of the answer is related to your longer comment. It depends on the design of the user opt-in functionality. |
Changed name of consent function to be more generic. Added translation of ops page text.
Also updated boinc_db.inc to add delete_for_use and reflect new table definitions.
|
One more thing. When the create account process is started by BOINC Manager (and maybe other GUIs), the account is created with user name that is the same as the user's account on their computer. I would imagine this is private information. Can you store the user name without having the user agree to it? So can you store the user name and then wait for the user to log in on the website to agree to terms? |
There is that
This is only when using GUIs. Account managers can still have |
|
Juha is correct, the additional parameters Re: the username, #1929, there is an issue I created. I think this is a client side issue because the username is passed to create_account RPC. No one has worked on it though. |
html/ops/manage_consent_types.php
Outdated
| } | ||
|
|
||
| BoincConsentType::insert( | ||
| "(shortname, description, project_specific) VALUES ('$shortname', '$description', 1)" |
There was a problem hiding this comment.
enabled and privacypref are not-null but do not have default values. Therefore this insert fails. Either give them default values in the db definition or add them with values in this section of the code.
There was a problem hiding this comment.
Fixed in 7d7c187
|
While testing I noticed that db_dump works correctly in these cases:
However, the file tables.xml should reflect the same value without regards to the STATSEXPORT consent type. Since this file is an aggregate field, GDPR restrictions are not a concern. This file will be very important going forward since it will be the only way for sites like BOINCStats to be able to present comparisons of number of users, hosts and total credit between projects. If data vanishes from this aggregate level file then there will be no way to see that total level at projects. |
|
Those are the only two items I found. Once they are resolved, I'll be ready to merge. |
…export consent. If the project does have stats exports consent, and a user does NOT consent to stats. exports: then the total user and host in table.xml should still include the user. This is an aggregate total of the number of users and hosts that use the project. Introduces an additional count query to count the total number of users and hosts regardless of the stats-export consent functionality.
Fixed conflicts and prepare for merge into master.
|
I changed I also merged in master into this branch to resolve merge-conflicts. |
|
@drshawnkwang - two items on the db_dump. 1) If the user or host is deleted, it should not be included (the logic in the db_dump is for the "scrub" option of the delete user code). 2) total credit needs to include all users without regard to the STATSEXPORT setting. |
|
One additional question that I noticed this time testing. If the terms of use file is present, then the manager will show the terms of use without regard to whether the consent_type 'ENROLL' is enabled or not. However, the website only shows the terms of use if the consent_type 'ENROLL' is enabled. I think that it is odd for it to behave differently in different places. I would suggest that either: A) Terms of use on a call to get_project_config.php should only be shown if both terms_of_use.txt exists and the ENROLL consent type is enabled I think A is more consent with the design of the consent_type system - but I don't have a strong opinion. |
RPC checks if consent_type 'ENROLL' is enabled by the project. If this is true and if the terms-of-use file exists, then show the contents of the file in the XML output.
Summary of total_credit, number of users, and number of hosts now are summed first. Users with authenticator 'deleted*' are ignored. Hosts with userid=0 and domain_name 'deleted' are ignored. total_credit summation only uses non-deleted users.
|
Latest changes: db_dump correctly takes into account delete users and hosts. From Kevin's above comment, 'Option A' implemented. - the get_project_config ignores the terms-of-use file if the ENROLL consent type is disabled |
db_dump now builds a SQL statement out of different clauses: JOIN, WHERE, and ORDER BY are separated into different c-strings. Additionally, different clauses are used to build different queries for different tables: host, user, team.
The changes were buggy: this should be fixed with the latest commit: which revamps how the SQL clause is generated. |
|
Maybe it would be good to document that after creating an account with old Manager, |
Admin may not delete consent types after creation. They may still be disabled.
|
Juha, You are correct, the old manager behavior is a bit confusing because it looks like you consented to the terms-of-use, when the database is not changed. I will try to document this in the BOINC wiki. Latest commits: we removed the option for admins to delete a consent_type from the |
|
I've tested and reviewed and I believe that open items have been resolved (with 156 comments, it is hard to be sure so if I missed something, I apologize). Thanks for the contribution @drshawnkwang and everyone for their work reviewing and testing this piece of code! |
|
Well done everyone and a big THANK YOU to Shawn and Kevin for taking on most of the work! |
Resolves GDPR User Opt-in Consent #2413.
This is a work in progress (WIP) merge. I wish to allow people to review what I have done and comment on it. As of this initial PR the following features are present.
consentandconsent_typetables which record a user's consent.create_accountandam_set_infoRPCs modified to record consent.consent_typetable.