User Stipulation
From MgmtWiki
Contents
Full Title or Meme
- A statement from a User as to the behavior that the user expects of a Web Site.
- A condition, requirement, or item specified in a legal instrument[1] from, about, or with the consent of the user. (synonym: condition)
Context
There are at least two important contexts in which a user is required to stipulate their terms of engagement:
- The user is operating a browser on any internet connected device.
- The user is operating on a portable device (e.g. a Smart Phone) with a Native App installed by the Web Site that wants to collect their data.
An other option is that the user is on a computer of any sort using an application what interacts with the user's data. If the User Information does not leave the User Device there is no User Stipulation required.
There are at least two sources of User Stipulation:
- The user can create a statement to be send to the correspondent Web Site informing the site as to the expectations of the user. (aka Intent Casting e.g. Do Not Track)
- The Web Site can provide the user with some sort of document (terms of use, privacy policy, etc.) that the user can accept or reject.
This page does not presently include user settings on a User Device.
Whenever third party access is discussed, there are two distinct types of third party access:
- The third party is allowed to install javascript on the browser on the User Device which can be used to create cookies which can track the user from one site to another, most likely with an ID created for that purpose.
- The third party is given access to User Information from the second party (i.e. from the Web Site that the user voluntarily accessed.)
Problems
- Compliance by the Web Site with the agreed terms will be hard to track.
- In the US a Contract of Adhesion has been accepted by the courts as binding on the user. There appears to be no such mechanism available to the user.
Solutions
- The wiki page Cookies has some description of user cookies that have been proposed as a source of user stipulations.
- The Best Practice shows one way to track user expressed intent within a Relying Party database.
The Intention Economy
In a book by Doc Searls[2] several new models are described:
- The user can create a request for quote with the terms that they which to be met and publish it for sites to make offers. Searls' example is
"A car rental customer should be able to say to the car rental market, 'I'll be skiing in Park City from March 20–25. I want to rent a 4-wheel drive SUV. I belong to Avis Wizard, Budget FastBreak and Hertz 1 Club. I don't want to pay up front for gas or get any insurance. What can any of you companies do for me?
The question about whether I could trust any of the responses more than I trust a random advert on the internet today has no adequate explanation. - The user can install Vendor Relationship Management software and allow that software to act as a mediator with any transaction to known (by the customer) good vendors. This is more likely to direct user queries to trusted vendors and crate privacy stipulations that are specific to each vendor and will apply on any future connection with that vendor.
Intent Casting
This solution covers the projection of user terms onto a correspondent Web Site.
- An existing example is the DNT (Do Not Track) HTTP header.
- The following example assumes a richer format for intent casting that is not yet defined.
- See the page on stalking on Kantara.
Here are the potential terms to be cast
Name | TBD | Privacy Risk | Notes |
Site and App Use | information will be used for providing and / or enhancing the site or service only. This information seems better a part of the following fields. | ||
1st party | yes | 2 | data on the user device that does not leave the user device, for example apps that access the local data. This cast is to access limited (in theory) to the device itself. |
2nd party | yes | 3 | The Web Site that the user navigated to and understand through some secure indication of the site identity. |
3rd party | yes | 9 | Some other site that is able to access the User Device or User Information which was not the user's intent to access. |
tracking | not clear that this can give more information that 1,2,3 above. | ||
session | yes | 5 | data may not persist beyond completion (may be long for commercial transaction) |
cookie | the lifetime can be viewed, but the contents might be encrypted by the origin site | ||
transaction | The duration of the interaction with the user might be very long based on warrantee | ||
duration | yes | shorter better | how long can the data be held (default one year) |
data category | yes | na | list of permitted categories (optional) |
Purpose |
References
- ↑ Merriam Webster, 3rd International Dictionary
- ↑ Doc Searls, The Intention Economy: When Customers Take Charge. (2012-05) ISBN 978-1422158524
- An alternate to proactive User Stipulations is User Consents as defined by the Kantara Initiative. Current implementations of User Consents are focused on the vendor or some Trusted Third Party giving the user a few options about which data items to collected and where to share them. The user typically has no ability to create their own User Stipulations.