Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Introducing GDPR compliance checks and policy #10064

Merged
merged 33 commits into from
Aug 28, 2023
Merged

Introducing GDPR compliance checks and policy #10064

merged 33 commits into from
Aug 28, 2023

Conversation

calixtus
Copy link
Member

@calixtus calixtus commented Jul 3, 2023

Fixes #9742

These prefs were already there:
grafik
grafik

new:

grafik
grafik
grafik

Mandatory checks

  • Change in CHANGELOG.md described in a way that is understandable for the average user (if applicable)
  • Tests created for changes (if applicable)
  • Manually tested changed features in running JabRef (always required)
  • Screenshots added in PR description (for UI changes)
  • Checked developer's documentation: Is the information available and up to date? If not, I outlined it in this pull request.
  • Checked documentation: Is the information available and up to date? If not, I created an issue at https://github.com/JabRef/user-documentation/issues or, even better, I submitted a pull request to the documentation repository.

@calixtus calixtus changed the title Introduced gdpr dialog [WIP] Introduced gdpr dialog Jul 3, 2023
@calixtus calixtus marked this pull request as draft July 3, 2023 18:14
@koppor
Copy link
Member

koppor commented Jul 4, 2023

Typical dialogs have this flow:

image

They hide the details.

In the settings, there are details:

image

(Source: https://www.nokia.com/)

Oh, and "Accept all" is really the term used there.

Mercedes-Benz has following popup:

image

Settings scroll down:

image

Source: https://www.mercedes-benz.com/en/


Out of these two, I like the Nokia way the most.

Why not designing the dialog like the second one of Nokia?

  • Dialog title "External services settings"
  • Place the buttons on the left
  • Can we also have first text and then the checkbox?
  • Can we prepare an expansion of an item with details? Like links to the web search help etc?
  • Button labels"Enable all", "Enable selected", "Disable all"

@calixtus
Copy link
Member Author

calixtus commented Jul 4, 2023

As this is not a cookiebanner, I don't think that the examples really apply regarding the UX of a desktop application, but rather the already used design principles we use for dialogs in jabref. Meaning: checkbox on the left, buttons on the right.

Expandable checkboxes are nice, but imply that the dialog must be either very large to provide space for the items to expand and with a lot of empty space, if no item is expanded, or to grow and shrink the dialog with the items. You don't do that.

@koppor
Copy link
Member

koppor commented Jul 4, 2023

If consistency to the existing dialogs (designed more than 8 years ago) is imporant (which I agree, because we won't redesign the whole app), following wishlist items remain:

  • Dialog title "External services settings"
  • Button labels"Enable all", "Enable selected", "Disable all"

We could think about reducing the white space

image

Maybe with aligning the buttons in the middle (and moving the check boxes a bit to the right) - or put the buttons to the left, too.

@koppor
Copy link
Member

koppor commented Jul 4, 2023

I would rename "Web search for references" to "Web search for references and full texts". Alternatively, a second checkbox "Web search for full texts".

Side note: Maybe accept that PDF is the main file format and update the UI to use "Web search for PDFs". And replace in all other places "full text" by "PDFs".

@tobiasdiez
Copy link
Member

Do we really have to show this dialog to every user? I don't know of any other software where one needs to explicitly accept version update checks or other accesses of web services. In particular for our own services (Update check and PDF grobid) I feel this is unnecessary, and for "web search" it is clear from the context that this accesses external services.

I would prefer to have the content of this dialog moved to the preference window, so that users interested in their privacy can easily disable these services.

@calixtus
Copy link
Member Author

calixtus commented Jul 5, 2023

This dialog should only be shown on the first run. And yes, according to the law, even before we send an IP address to the internet, we need to ask for opt in. This includes sadly also the version check.

@tobiasdiez
Copy link
Member

If its only about the legal requirements, then we can put something like the following (from https://code.visualstudio.com/license)

Data Collection. The software may collect information about you and your use of the software, and send that to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may opt-out of many of these scenarios, but not all, as described in the product documentation located at https://code.visualstudio.com/docs/supporting/faq#_how-to-disable-telemetry-reporting. There may also be some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with Microsoft’s privacy statement. Our privacy statement is located at https://go.microsoft.com/fwlink/?LinkID=824704. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.
Processing of Personal Data. To the extent Microsoft is a processor or subprocessor of personal data in connection with the software, Microsoft makes the commitments in the European Union General Data Protection Regulation Terms of the Online Services Terms to all customers effective May 25, 2018, at https://docs.microsoft.com/legal/gdpr.

in our eula that users agree upon when installing jabref. This seems to be the standard way to handle this.

@calixtus
Copy link
Member Author

calixtus commented Jul 5, 2023

I agree, that could be a solution. It's definitely an opt in solution. Yet, we don't have an eula, just the mit license when installing.

@tobiasdiez
Copy link
Member

tobiasdiez commented Jul 5, 2023

Should be easy to add via license-file option of jpackage: https://docs.oracle.com/en/java/javase/20/docs/specs/man/jpackage.html

@calixtus
Copy link
Member Author

calixtus commented Jul 6, 2023

The technical solution is not the problem. It's the content of the eula, since we have no idea what to put in it. Any examples?

@tobiasdiez
Copy link
Member

I did a bit of research but couldn't find a single open source software that requires a special-opt in for webservices. The most explicit is Firefox which link to their privacy policy under the download button (https://www.mozilla.org/en-US/firefox/channel/desktop/) and have a privacy policy link in their "About" dialog. Other examples such as owncloud don't show anything related to privacy in their installation or on-boarding process. It seems to be consensus that eula are not necessary for open source projects since the main license already specifies all necessary rights and has a warranty/liability clause.

So without being an expert on the legal side, it seems that there is no need for an explicit opt-in. Just add to our privacy policy that the desktop application access certain web services to provide additional features (similar to what I've cited above from the vscode eula) and link this privacy policy from a few places inside the software.

@calixtus
Copy link
Member Author

DevCall discussion

We agree that we want to avoid popups whenever possible. Introducing an eula seems to be a good idea. Drafting one and introducing it to the installer should be investigated.

@calixtus calixtus changed the title [WIP] Introduced gdpr dialog Introducing GDPR compliance checks and policy Aug 19, 2023
Co-authored-by: Oliver Kopp <[email protected]>
PRIVACY.md Outdated Show resolved Hide resolved
PRIVACY.md Outdated Show resolved Hide resolved
Copy link
Member

@tobiasdiez tobiasdiez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reads very nicely, good job! Only a few minor remarks, and please run a final spelling check over everything.

PRIVACY.md Outdated Show resolved Hide resolved
PRIVACY.md Outdated Show resolved Hide resolved
PRIVACY.md Outdated Show resolved Hide resolved
PRIVACY.md Outdated Show resolved Hide resolved
PRIVACY.md Outdated Show resolved Hide resolved
PRIVACY.md Outdated Show resolved Hide resolved
PRIVACY.md Outdated Show resolved Hide resolved
PRIVACY.md Outdated Show resolved Hide resolved
koppor and others added 10 commits August 27, 2023 00:49
Quote of privacy policy of Zotero:

We log requests made to our servers by Zotero or third-party software, including IP address and client information, in order to prevent abuse, diagnose technical issues, and assess usage. We retain these logs for up to 90 days. You can opt out of all requests to our servers.
Co-authored-by: Christoph <[email protected]>
Co-authored-by: Tobias Diez <[email protected]>
Co-authored-by: Tobias Diez <[email protected]>
Co-authored-by: Tobias Diez <[email protected]>
@calixtus calixtus marked this pull request as ready for review August 27, 2023 00:43
@calixtus calixtus added the status: ready-for-review Pull Requests that are ready to be reviewed by the maintainers label Aug 27, 2023
calixtus and others added 7 commits August 27, 2023 13:17
* upstream/main:
  Bump com.puppycrawl.tools:checkstyle from 10.12.2 to 10.12.3
  Bump org.libreoffice:unoloader from 7.5.3 to 7.6.0
  Bump com.dlsc.gemsfx:gemsfx from 1.74.0 to 1.77.0
* upstream/gdpr_checks:
  Update build.gradle
  Rename LICENSE_With_Privacy.md to LICENSE_with_Privacy.md
@Siedlerchr
Copy link
Member

grafik

@github-actions
Copy link
Contributor

Your code currently does not meet JabRef's code guidelines. The tool reviewdog already placed comments on GitHub to indicate the places. See the tab "Files" in you PR. Please carefully follow the setup guide for the codestyle. Afterwards, please run checkstyle locally and fix the issues.

More information on code quality in JabRef is available at https://devdocs.jabref.org/getting-into-the-code/development-strategy.html.

@github-actions
Copy link
Contributor

github-actions bot commented Aug 28, 2023

The build for this PR is no longer available. Please visit https://builds.jabref.org/main/ for the latest build.

@calixtus calixtus merged commit 3e1b7ab into main Aug 28, 2023
13 of 14 checks passed
@calixtus calixtus deleted the gdpr_checks branch August 28, 2023 20:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
preferences status: ready-for-review Pull Requests that are ready to be reviewed by the maintainers
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Update check: opt-out + preferences
5 participants