Open yaelberger-commits opened 2 months ago
There are several new TOU interventions we could reference in the Security statement. @mtoutloff should we reference all or just some of these:
(Also notice typo in TOU, under "Accept risks when sending text messages" in second bullet: "ofinformation" needs a space.)
@mtoutloff recommends waiting for Yael's return to work on this card and I agree.
From Melissa: I had a look at the Security statement this morning and I am still not clear on what was meant by "update security statement to mention TOU interventions". As we discussed yesterday, it's not clear if it means adding a statement that users are required to accept the TOU requirements upon login or to list the TOU interventions from the login screen in the Security statement. My thinking is it's likely some type of statement regarding the former (that users are required to accept the TOU). Here's why: While the Security statement is a mix of both our responsibilities and our users' responsibilities (as well as suggestions to users to enhance security on their end), I would be reluctant to repeat what's already in the TOU, mostly because I think it might be impractical. Every time we update the TOU, we'd have to also review the Security statement to check if it also needs updates. And I'm not sure from a content perspective if it makes sense to have the same information appear in two different policy statements. This also made me think whether we might want to consider moving some of the user responsibility content in the Security statement (under the headers "If you suspect a security breach or discover a vulnerability" and "You have security responsibilities") to the TOU. I think it's more helpful for our users to have a clear delineation in our policy statements of what's their responsibility and what's ours and for them to all be in one place.
From me: If we move content to the TOU, we should try hard not to add any new headings. It's our use of the headings that still keeps it scannable and allows for the shortened version on login.
Update Security Statement to mention ToU interventions