Users should be required to accept terms of use upon login

[yaelberger-commits]

Description

Users are not required to accept terms of use upon login, leaving CDS open to liability potentially. Users have questions about how to properly use Notify and end up submitting a support ticket for answers.

WHY are we building? This is a security risk if left unchecked and leaves CDS open to liability. We're updating all of our Notify policy documentation to better align with current state and set expectations with users, and this is part of the suite Terms of Use acts as an information sharing agreement, so this enables organizations to use Notify without needing more authorities and paperwork

WHAT are we building? Implement a system use notification either via banner or landing page upon account creation and require users to click to accept acknowledgement of terms. The notice provided should be supplied or approved by CDS’s legal counsel or other approved party. Update content in our Terms of Use to better align with current state of Notify

VALUE created by our solution User assumes some risk and understands how to properly use Notify safely and securely in line with our Authority to Operate, in tandem with the new Security and Privacy Statements and SLA

Acceptance Criteria** (Definition of done)

Given an individual employee is creating a new account in GC Notify, when they go through the steps, then they must read and acknowledge the Terms of Use before creating their account so they understand their individual responsibilities.

• [x] Yedida to itemize content for terms of use v privacy statement v security statement, so that we can easily see where there's overlap.
• [x] Journey mapping when a user encounters the Terms of Use and how they can get back to them
• [x] Speak with @mtoutloff about which terms need to be agreed to at account creation, trial service creation - before a service goes live.
• [x] Upon new account creation, a user is required to scroll through (and presumably read) and then select a button to acknowledge they have read and understand the Terms of Use
• [x] A new dialogue box for Terms of Use in create account flow with new button
• [x] Terms of Use is short summary, bullet points or structured with Headings in EN/FR
• [x] Terms of use that users agree to upon account creation (and/or when going live - dependent on discussion with Melissa) is the same document linked in Terms of use in footer
• [x] Last updated at the bottom with link to previous version
• [x] Send an email to all current users that we have updated our Terms of Use and other documentation, by continuing to use Notify you accept these new terms of use
• [x] Updated Privacy, Security have been published
• [x] Publish SLA v1.5 (maybe SLO?)
• [x] Designs are translated
• [x] Add a reasonable amount of friction, including when using assistive tech
• [x] Solution is tested with 3-5 real users in Staging or Figma (at least one in Fr)
• [x] Solution is tested with Fable participants
• [ ] Add to Security Statement about how the added friction adds to security
• [ ] Add a post to New Features about the changes

Research checklist

• [x] tested with 6 EN participants (Yael)
• [x] tested with 1 FR participant (Phil)
• [x] Findings analyzed (Yael and Phil)
• [x] Findings presented to the team (Yael)
• [ ] Findings added to the research repo (Yael)

Documentation and artifacts: Research folder for Usability Testing

Analysis https://docs.google.com/document/d/1x_AULftkVhmZ8D4uLKeU3Q9KS_HpGqo3HuMSMrkTukY/edit

[yaelberger-commits]

@YedidaZalik FYI this is the card for the issue you raised today at Notify 101 if you have any comments to add to the card

[adriannelee]

Question: Upon sign in for current users and upon sign up for new users?

[YedidaZalik]

I'm attaching screenshots of the current process to create an account. I only see the terms of use referenced on screenshot 1, in a link at the end of the page. Would it be worthwhile if the terms were a pop-up? Perhaps we could design so that the user would have to scroll through the pop-up and mark their acceptance of the terms as a step in account creation.

[yaelberger-commits]

Hey team! Please add your planning poker estimate with ZenHub @adriannelee @amazingphilippe @sharlychan-cds @YedidaZalik

[yaelberger-commits]

[YedidaZalik]

Suggestions from Content critique Aug 3,2022 Content critique Intention for notify or across websites Standardize

If part of flow, could we have a summary of what they agree to

Content model - basic - what are the parts of each of them - eg first part is who we are, 2nd agreeing, etc

Note stylistic differences- tone, terminology Table not fancy, split up different chunks

Anik's document: https://docs.google.com/presentation/d/1WMqfQpbHT-Uyo2V9Nl166JutJ_tkaWef7tG5Tz0T-AQ/edit#slide=id.g9a63b2221d_0_224

Janice - legality of summary

Consider settings as place to do this

Generator Many use Canada.ca terms

Propose for MVP team

If clear differences between jurisdictions

Follow laws of your own “Department and jurisdiction “

[amazingphilippe]

Accepting terms when going live is a very similar experience to what we're proposing here

[YedidaZalik]

First pass at itemizing content in policy docs. Next, I'll assess/consider other ways to organize this doc. In meantime, attaching in case it's helpful for current thinking around policy docs (the "Notes" column) @yaelberger-commits @sharlychan-cds Pls feel free to edit/change info in this doc, and/or to complete "Compulsory" column if helpful to you In this iteration, Privacy starts at row 5, Security at row 31, Terms of use row 61, SLA row 76

[yaelberger-commits]

Content I would like to see in the Terms of Use

• Prot A data (limits of email/SMS security)

• PB MM

• 7 day retention

• Do not share your API Key with anyone outside your team

• Default limits per service 10 Million emails a year per service 25,000 text message parts a year per service 10,000 daily emails 1,000 daily text message parts 1,000/minute API calls

• Remove pay for SMS above limit.

• Need to have consent for SMS and email (especially for SMS)

[YedidaZalik]

When we design this we could consider alternative to check box suggested by Adam Silver in this video: https://www.youtube.com/watch?v=nhbd6PxcnKc

[yaelberger-commits]

We'll bring this again to Story Refinement to decide details of the user flow and UI

[yaelberger-commits]

Title for Forms for every log in is "Know your responsibilities"

[yaelberger-commits]

3 places where Users will be forced to interact with ToU 1) Account Creation - full terms of use, users must scroll down, select button to agree 2) Every log in - point form headers of ToU, maybe a modal, users much select agree to leave the modal/page 3) (ALREADY EXISTS) At Request to Go-Live - point form step in the go-live process, no changes needed here

[jzbahrai]

@andrewleith to hand off to yedida and phil for content and design

[yaelberger-commits]

Feature was reviewed at Dev/Design review by the whole team Decisions:

• We'll go with a modal/dialogue
• We need to have a way to confirm the terms were accepted (validation/confirmation) for a11y and screen readers, so a visual and non-visual cue
• We'll add the ToU as a page in our code so we can adapt it as needed for various steps

[andrewleith]

• adding UI tests this morning
• still need to add feature flags
• check to see if new content added
• next steps will be some usability testing + fable testing (@yaelberger-commits / @amazingphilippe )

[yaelberger-commits]

Working on setting up research activity with 3-5 users

[YedidaZalik]

FR is back with a note from MSB with some choices FR is below the EN in this document https://docs.google.com/document/d/1Lg5GX8Fu8iPuVSDfMTKmMT2ICmh3cfjQFtAo0Q4sow8/edit

[yaelberger-commits]

I reviewed MSB comments and noted my suggestion in the doc

[YedidaZalik]

Updated/finalized docs with Yael's suggestion.
Content ready to be implemented in both languages: https://docs.google.com/document/d/1Lg5GX8Fu8iPuVSDfMTKmMT2ICmh3cfjQFtAo0Q4sow8/edit

[andrewleith]

• Translations are ready, @andrewleith to add this morning.

[andrewleith]

• @yaelberger-commits drafted documents for research, awaiting comments from team this morning

[yaelberger-commits]

Research materials are with translation

[andrewleith]

• @andrewleith to merge to staging after release this morning

[amazingphilippe]

Élise is working on translations. Hoping to have those back soon. Next: send invites

[amazingphilippe]

Still one PR to merge in admin #1848

[yaelberger-commits]

translations are back. Sending recruitment emails today

[yaelberger-commits]

Invites sent to 8 people

[amazingphilippe]

Waiting for responses

[amazingphilippe]

@andrewleith implementing the translations today

[amazingphilippe]

Merged a PR with a11y and design tweaks.

[amazingphilippe]

PR with translations merged last Friday. I found a few missing pieces and will do a PR to fix those. Also noticed some relative and absolute urls in the content. I will review those too.

Found a few missing pieces on the sign-up form:

[mtoutloff]

Updated the Research Plan to include privacy section

[amazingphilippe]

Yael will send another batch of invites to find some participants.

[yaelberger-commits]

A bit blocked at the moment because I don't have Phil's FR calendly link. Will see if I can find it today and send the second batch

[yaelberger-commits]

Sent to remaining invitees today (27 in total)

[whabanks]

Phil to send some follow up emails with his Service Canada email

[yaelberger-commits]

We have 10 participants signed up for sessions. Next steps:

• schedule sessions with notetakers and facilitator
• Create a notetaking document
• Create a spreadsheet with Participant # (no PII) and dates/times/notetaker/facilitator

[whabanks]

Completed two sessions so far.

[yaelberger-commits]

4 sessions completed so far in EN, 1 in FR

[whabanks]

2 more sessions today + note analysis and presentation. More FR recruitment to occur.

[whabanks]

Final session today - will end the sessions after today.

[yaelberger-commits]

Analysis is underway! Yael will present at Sprint Review Thursday