Difference between revisions of "User Stipulation"

From MgmtWiki
Jump to: navigation, search
(Context)
 
(56 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
==Full Title or Meme==
 
==Full Title or Meme==
 
#A statement from a [[User]] as to the behavior that the user expects of a [[Web Site]].
 
#A statement from a [[User]] as to the behavior that the user expects of a [[Web Site]].
#A condition, requirement, or item specified in a legal instrument. <ref>Merriam Webster, ''3rd International Dictionary''</ref>
+
#A condition, requirement, or item specified in a legal instrument<ref>Merriam Webster, ''3rd International Dictionary''</ref> from, about, or with the consent of the user. (synonym: condition)
  
 
==Context==
 
==Context==
 +
There are at least two important contexts in which a user is required to stipulate their terms of engagement:
 +
#The user is operating a browser on any internet connected device.
 +
#The user is operating on a portable device (e.g. a Smart Phone) with a [[Native App]] installed by the [[Web Site]] that wants to collect their data.
 +
 +
An other option is that the user is on a computer of any sort using an application what interacts with the user's data. If the [[User Information]] does not leave the [[User Device]] there is no [[User Stipulation]] required.
 +
 
There are at least two sources of [[User Stipulation]]:
 
There are at least two sources of [[User Stipulation]]:
#The user can create a statement to be send to the correspondent [[Web Site]] informing the site as to the expectations of the user, (e.g. [[Do Not Track]])
+
#The user can create a statement to be send to the correspondent [[Web Site]] informing the site as to the expectations of the user. (aka [[Intent Casting]] e.g. [https://wiki.idesg.org/wiki/index.php/Do_Not_Track Do Not Track])
#The [[Web Site]] can provide the user with some sort of document (terms of user, privacy policy) that the user can accept or reject.
+
#The [[Web Site]] can provide the user with some sort of document (terms of use, privacy policy, etc.) that the user can accept or reject.
 +
 
 +
This page does not presently include user settings on a [[User Device]].
 +
 
 +
Whenever third party access is discussed, there are two distinct types of third party access:
 +
#The third party is allowed to install javascript on the browser on the [[User Device]] which can be used to create cookies which can track the user from one site to another, most likely with an ID created for that purpose.
 +
#The third party is given access to [[User Information]] from the second party (i.e. from the [[Web Site]] that the user voluntarily accessed.)
  
 
==Problems==
 
==Problems==
Compliance by the [[Web Site]] with the agreed terms will be hard to track.
+
* Compliance by the [[Web Site]] with the agreed terms will be hard to track.
 +
* In the US a [[Contract of Adhesion]] has been accepted by the courts as binding on the user. There appears to be no such mechanism available to the user.
  
 
==Solutions==
 
==Solutions==
*The page [[Cookies]] has some description of user cookies that have been proposed as a source of user stipulations.
+
*The wiki page [[Cookies]] has some description of user cookies that have been proposed as a source of user stipulations.
 +
*The [[Best_Practice_and_Example_Relying_Party#Site_documents_and_user_expressed_intent|Best Practice shows one way to track user expressed intent]] within a [[Relying Party]] database.
 +
 
 +
===The Intention Economy===
 +
In a book by Doc Searls<ref>Doc Searls, ''The Intention Economy: When Customers Take Charge.'' (2012-05) ISBN 978-1422158524</ref> several new models are described:
 +
#The user can create a request for quote with the terms that they which to be met and publish it for sites to make offers. Searls' example is <blockquote>"A car rental customer should be able to say to the car rental market, 'I'll be skiing in Park City from March 20–25. I want to rent a 4-wheel drive SUV. I belong to Avis Wizard, Budget FastBreak and Hertz 1 Club. I don't want to pay up front for gas or get any insurance. What can any of you companies do for me?</blockquote> The question about whether I could trust any of the responses more than I trust a random advert on the internet today has no adequate explanation.
 +
#The user can install Vendor Relationship Management software and allow that software to act as a mediator with any transaction to known (by the customer) good vendors. This is more likely to direct user queries to trusted vendors and crate privacy stipulations that are specific to each vendor and will apply on any future connection with that vendor.
 +
 
 +
===Intent Casting===
 +
This solution covers the projection of user terms onto a correspondent [[Web Site]].
 +
*An existing example is the DNT (Do Not Track) HTTP header.
 +
*The following example assumes a richer format for intent casting that is not yet defined.
 +
**See the [https://kantarainitiative.org/confluence/pages/viewpage.action?pageId=80053232 page on stalking] on Kantara.
 +
Here are the potential terms to be cast
 +
{|border="1" padding="2" width="799px"
 +
| Name || TBD || [[Privacy Risk]]||  Notes
 +
|-
 +
|Site and App Use|| || ||information will be used for providing and / or enhancing the site or service only. This information seems better a part of the following fields.
 +
|-
 +
|1st party ||yes||2 || data on the user device that does not leave the user device, for example apps that access the local data. This cast is to access limited (in theory) to the device itself.
 +
|-
 +
|2nd party  ||yes ||3 || The [[Web Site]] that the user navigated to and understand through some secure indication of the site identity.
 +
|-
 +
|3rd party|| yes|| 9|| Some other site that is able to access the [[User Device]] or [[User Information]] which was not the user's intent to access.
 +
|-
 +
|tracking || || || not clear that this can give more information that 1,2,3 above.
 +
|-
 +
|session||yes|| 5|| data may not persist beyond completion (may be long for commercial transaction)
 +
|-
 +
|cookie|| || ||the lifetime can be viewed, but the contents might be encrypted by the origin site
 +
|-
 +
|transaction|| || ||The duration of the interaction with the user might be very long based on warrantee
 +
|-
 +
|duration|| yes ||shorter better|| how long can the data be held (default one year)
 +
|-
 +
|data category||yes|| na|| list of permitted categories (optional)
 +
|-
 +
|Purpose||
 +
|}
  
 
==References==
 
==References==
 
<references />
 
<references />
  
 +
*An alternate to proactive [[User Stipulation]]s is [[User Consent]]s as defined by the Kantara Initiative. Current implementations of [[User Consent]]s are focused on the vendor or some [[Trusted Third Party]] giving the user a few options about which data items to collected and where to share them. The user typically has no ability to create their own [[User Stipulation]]s.
  
 
+
[[Category: Privacy]]
[[Category:Glossary]]
+
[[Category: Glossary]]
 +
[[Category: User Experience]]

Latest revision as of 23:36, 24 February 2024

Full Title or Meme

  1. A statement from a User as to the behavior that the user expects of a Web Site.
  2. A condition, requirement, or item specified in a legal instrument[1] from, about, or with the consent of the user. (synonym: condition)

Context

There are at least two important contexts in which a user is required to stipulate their terms of engagement:

  1. The user is operating a browser on any internet connected device.
  2. The user is operating on a portable device (e.g. a Smart Phone) with a Native App installed by the Web Site that wants to collect their data.

An other option is that the user is on a computer of any sort using an application what interacts with the user's data. If the User Information does not leave the User Device there is no User Stipulation required.

There are at least two sources of User Stipulation:

  1. The user can create a statement to be send to the correspondent Web Site informing the site as to the expectations of the user. (aka Intent Casting e.g. Do Not Track)
  2. The Web Site can provide the user with some sort of document (terms of use, privacy policy, etc.) that the user can accept or reject.

This page does not presently include user settings on a User Device.

Whenever third party access is discussed, there are two distinct types of third party access:

  1. The third party is allowed to install javascript on the browser on the User Device which can be used to create cookies which can track the user from one site to another, most likely with an ID created for that purpose.
  2. The third party is given access to User Information from the second party (i.e. from the Web Site that the user voluntarily accessed.)

Problems

  • Compliance by the Web Site with the agreed terms will be hard to track.
  • In the US a Contract of Adhesion has been accepted by the courts as binding on the user. There appears to be no such mechanism available to the user.

Solutions

The Intention Economy

In a book by Doc Searls[2] several new models are described:

  1. The user can create a request for quote with the terms that they which to be met and publish it for sites to make offers. Searls' example is
    "A car rental customer should be able to say to the car rental market, 'I'll be skiing in Park City from March 20–25. I want to rent a 4-wheel drive SUV. I belong to Avis Wizard, Budget FastBreak and Hertz 1 Club. I don't want to pay up front for gas or get any insurance. What can any of you companies do for me?
    The question about whether I could trust any of the responses more than I trust a random advert on the internet today has no adequate explanation.
  2. The user can install Vendor Relationship Management software and allow that software to act as a mediator with any transaction to known (by the customer) good vendors. This is more likely to direct user queries to trusted vendors and crate privacy stipulations that are specific to each vendor and will apply on any future connection with that vendor.

Intent Casting

This solution covers the projection of user terms onto a correspondent Web Site.

  • An existing example is the DNT (Do Not Track) HTTP header.
  • The following example assumes a richer format for intent casting that is not yet defined.

Here are the potential terms to be cast

Name TBD Privacy Risk Notes
Site and App Use information will be used for providing and / or enhancing the site or service only. This information seems better a part of the following fields.
1st party yes 2 data on the user device that does not leave the user device, for example apps that access the local data. This cast is to access limited (in theory) to the device itself.
2nd party yes 3 The Web Site that the user navigated to and understand through some secure indication of the site identity.
3rd party yes 9 Some other site that is able to access the User Device or User Information which was not the user's intent to access.
tracking not clear that this can give more information that 1,2,3 above.
session yes 5 data may not persist beyond completion (may be long for commercial transaction)
cookie the lifetime can be viewed, but the contents might be encrypted by the origin site
transaction The duration of the interaction with the user might be very long based on warrantee
duration yes shorter better how long can the data be held (default one year)
data category yes na list of permitted categories (optional)
Purpose

References

  1. Merriam Webster, 3rd International Dictionary
  2. Doc Searls, The Intention Economy: When Customers Take Charge. (2012-05) ISBN 978-1422158524
  • An alternate to proactive User Stipulations is User Consents as defined by the Kantara Initiative. Current implementations of User Consents are focused on the vendor or some Trusted Third Party giving the user a few options about which data items to collected and where to share them. The user typically has no ability to create their own User Stipulations.