User Stipulation
From MgmtWiki
Full Title or Meme
- A statement from a User as to the behavior that the user expects of a Web Site.
- A condition, requirement, or item specified in a legal instrument[1] from, about, or with the consent of the user.
Context
There are at least two important contexts in which a user is required to stipulate their terms of engagement:
- The user is operating a browser on any internet connected device.
- The user is operating on a portable device (e.g. a Smart Phone) with a native app installed by the Web Site that wants to collect their data.
An other option is that the user is on a computer of any sort using an application what interacts with the user's data. If the User Information does not leave the User Device there is no User Stipulation required.
There are at least two sources of User Stipulation:
- The user can create a statement to be send to the correspondent Web Site informing the site as to the expectations of the user. (aka intent casting e.g. Do Not Track)
- The Web Site can provide the user with some sort of document (terms of use, privacy policy, etc.) that the user can accept or reject.
This page does not presently include user settings on a User Device.
Whenever third part access is discussed, there are two distinct types of third party access:
- The third party is allowed to install javascript on the browser on the User Device which can be used to create cookies which can track the user from one site to another.
- The third party is given access to User Information from the second part (i.e. from the Web Site that the user voluntarily accessed.)
Problems
Compliance by the Web Site with the agreed terms will be hard to track.
Solutions
- The wiki page Cookies has some description of user cookies that have been proposed as a source of user stipulations.
- The Best Practice shows one way to track user expressed intent within a Relying Party database.
Intent Casting
This solution covers the projection of user terms onto a correspondent Web Site.
- An existing example is the DNT (Do Not Track) HTTP header.
- The following example assumes a richer format for intent casting that is not yet defined.
- See the page on stalking on Kantara.
Here are the potential terms to be cast
| Name | TBD | Priv Risk | Notes |
| 1st party | yes | 2 | data on the user device that does not leave the user device, for example apps that access the local data. This cast is to access limited (in theory) to the device itself. |
| 2nd party | yes | 3 | The Web Site that the user navigated to and understand through some secure indication of the site identity. |
| 3rd party | yes | 9 | Some other site that is able to access the User Device or User Information which was not the user's intent to access. |
References
- ↑ Merriam Webster, 3rd International Dictionary
