claucece / draft-celi-ipvc


Notification systems #3

Closed claucece closed 1 year ago

claucece commented 1 year ago

John Curran notes:

""" This is a most excellent document - thanks for all your work on it!

Regarding the Recommendation section, I note that the document doesn't include any mention of the importance of the notification capabilities of authentication systems as a means for mitigating possible abuser use of technology.

As a means of example, I'd refer to the work of the National Network to End Domestic Violence (NNEDV) and Facebook in making clear possible mitigations to technology by abusers, and their publication "A guide for Survivors of Abuse" <https://nnedv.org/wp-content/uploads/2019/07/Library_TH_2018_Privacy_Safety_Facebook_Guide_Survivors_Abuse.pdf>, which calls out the usefulness of notifications in detecting misuse of technology by abusers -

Login notifications

You can be notified, either by email or text message, if someone tries to access your account from a computer or device that you haven’t used before.

Login approvals

If you are logging into your account from a different web browser or device, you must have a security code to access your account.

Recognized devices

You can manage the devices that are allowed to have access to your account and be notified if an unknown device tries to access your account. This is particularly helpful for a survivor who may have wanted to access their account from their partner’s device, but now no longer wants that device to have access.

Active sessions

This is important to note because it shows sessions that are currently active or logged on. You may have active sessions if you’ve accessed your account or are using an app and forgot to log off. This also will show if someone else might have accessed your account. In that case, you can choose to ‘End Activity,’ which will block that device from continuing to access your account.

The usefulness of such controls is echoed in another recent paper "A Domestic Violence Dystopia: Abuse via the Internet of Things and Remedies Under Current Law" <https://californialawreview.org/print/a-domestic-violence-dystopia-abuse-via-the-internet-of-things-and-remedies-under-current-law/#clr-toc-heading-10>, which notes implications of technology design on those facing potential abuse – "Safe design should also include automatic generation of weekly or monthly reports informing users about their data and account logins, a system notification that shows which registered user initiated the controls, and the standard of requiring that users opt into rather than out of data-sharing between members of a household."

I'd encourage some further discussion on the list of the notification aspects of authentication systems and their potential use in mitigation of abuse via technology, and if found useful, inclusion of additional text in the authentication systems portion of the recommendations. """

claucece commented 1 year ago

Seems good to add them to the recommendations section.
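
The four controls quoted from the NNEDV guide (login notifications, login approvals, recognized devices, active sessions), together with the periodic login report suggested in the second paper, can be sketched as follows. This is an added example, not part of the issue or the draft; the `Account` class and every name in it are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Account:
    """Hypothetical account model; all names here are illustrative."""
    owner: str
    recognized: set = field(default_factory=set)    # device ids the owner approved
    sessions: dict = field(default_factory=dict)    # session id -> device id
    outbox: list = field(default_factory=list)      # notifications sent to the owner
    log: list = field(default_factory=list)         # (time, device id, outcome)

    def login(self, device_id, code_ok=False):
        """Return a session id, or None when login approval is still pending."""
        now = datetime.now(timezone.utc)
        if device_id not in self.recognized:
            # Login notification: tell the owner about any unknown device,
            # whether or not the attempt goes on to succeed.
            self.outbox.append(f"Login attempt from unrecognized device {device_id}")
            if not code_ok:
                # Login approval: unknown devices need a security code.
                self.log.append((now, device_id, "blocked"))
                return None
            self.recognized.add(device_id)
        sid = f"s{len(self.log) + 1}"
        self.sessions[sid] = device_id
        self.log.append((now, device_id, "ok"))
        return sid

    def active_sessions(self):
        """Active sessions view: which devices are logged in right now."""
        return dict(self.sessions)

    def remove_device(self, device_id):
        """Recognized devices: forget a device and end its sessions."""
        self.recognized.discard(device_id)
        ended = [s for s, d in self.sessions.items() if d == device_id]
        for sid in ended:
            del self.sessions[sid]
        return ended

    def login_report(self):
        """Periodic report of logins, as the second quoted paper suggests."""
        return [f"{t:%Y-%m-%d %H:%M} {dev} {outcome}" for t, dev, outcome in self.log]
```

Removing a device both ends its sessions and returns it to the unrecognized state, so a later login from it raises a notification and requires a security code again.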