setTosUrl() only shows a ToS URL in the email SignUp #492

Closed
nathanvogel opened this issue Jan 5, 2017 · 15 comments

@nathanvogel

As mentioned by SUPERCILEX in #483, the Terms of Service URL only shows up in the email sign up flow. This can be problematic from a legal point of view.
(a legal explanation: https://termsfeed.com/blog/add-i-agree-terms-checkbox/)

I'm creating this issue, because it should at least be clearly explained in the documentation, but I think that it should also appear with other providers, since this can pose actual legal issues.

FirebaseUI version: 1.0.1

@samtstern
Contributor

@nathanvogel while I can't discuss legal issues (I am not a lawyer) we can talk about this feature request.

Where else would you like the ToS shown? When using a non-Firebase Identity Provider (such as Google or Facebook) we launch directly into the flow of that provider. In most cases these providers show their own terms of service when appropriate (generally on the first sign-in attempt).

In most Android apps I use I don't see any other ToS links when signing in with a third-party Identity Provider.

@nathanvogel
Author

Yes, we're being extra-cautious on the legal side.

In a test case (creating a new MyApp account from a Google account), after tapping Sign In With Google the only dialog that was shown was the Google Account selection screen. No OAuth dialog, no authorization dialog, nothing. I was logged right into the app with a fresh account. So I see only two possibilities:

  • Add a dialog specifically for this
  • Add a small text + link below all the "Sign In with..." buttons on the main screen.

Both only if custom ToS are supplied and maybe if a "showTosWithAllProviders" option is set.

I prefer the second option and can't think of another one right now, besides letting the developer handle non-Firebase Providers, but it doesn't feel right with respect to the .setTosUrl() function.

@eirikvaa

I liked the idea of a showTosWithAllProviders option. Is there any progress on this?

@samtstern
Contributor

@eirikvaa there hasn't been any progress on this, mainly because of the questionable UX. A dialog is not ideal, and there are so many paths to sign in with FirebaseUI it would be almost impossible to show a ToS during all of them.

We show a ToS during the email and phone flows because we own the whole UI. For Facebook / Google / etc we just call out to their UI, and they almost always have links to a privacy policy or ToS for their service.

@eirikvaa

@samtstern Ok, that makes sense. Thanks for the quick reply!

@rostopira

rostopira commented Oct 11, 2017

What about small text below buttons "By signing in you accept our ToS and PP" with clickable links?

I've added my own layout by creating file fui_auth_method_picker_layout.xml

@memjr

memjr commented Oct 17, 2017

I think it would be a good idea to show both URLs for the privacy policy and TOS in the screen where you get to pick how to log in, like it's done with the setLogo method.

This way the user can check the contents of each of those regardless of which provider they want to use.

@mengoni

mengoni commented Oct 18, 2017

@samtstern

> We show a ToS during the email and phone flows because we own the whole UI

I've followed the example code for the Phone Authentication (I do not need email auth), but I cannot see the ToS and privacy policy. This is my code:

        Bundle params = new Bundle();
        params.putString(AuthUI.EXTRA_DEFAULT_COUNTRY_CODE, "it");
        params.putString(AuthUI.EXTRA_DEFAULT_NATIONAL_NUMBER, "23456789");
        AuthUI.IdpConfig phoneConfigWithDefaultCountryAndNationalNumber =
                new AuthUI.IdpConfig.Builder(AuthUI.PHONE_VERIFICATION_PROVIDER)
                        .setParams(params)
                        .build();

        startActivityForResult(
                AuthUI.getInstance()
                        .createSignInIntentBuilder()
                        .setAvailableProviders(Arrays.asList(phoneConfigWithDefaultCountryAndNationalNumber))
                        .setTosUrl("http://www.myurl.com")
                        .setPrivacyPolicyUrl("http://www.myurl.com")
                        .build(),
                RC_SIGN_IN);

Have I missed something?

---- EDIT
Indeed the ToS and Privacy policy links are visible in the second step of authentication (where there's the "Continue" button).

The message says that by tapping on Continue the user accepts ToS and PP, but the whole step is automatic and users do not need to tap the button.

@eliotstock

eliotstock commented Feb 5, 2018

I use only Google and Facebook providers and used .setPrivacyPolicyUrl(). I considered it a bug that there was no link to my privacy policy on the auth activity that shows the two provider buttons. It makes no sense to me that this would only be shown when using the email provider, if that's what @SUPERCILEX is suggesting. It's the privacy policy of my product, not Google's or Facebook's.

@edvaldeysteinsson

I just ran into this issue in an app that I'm working on, and my first thought was that the way ToS and PP is handled can't be GDPR compliant, and if it isn't, then anyone with users in the EU will be in violation and could face some hefty fines.

@samtstern
Contributor

Ok so there are a few things here:

  1. We could provide an option to display the PP and TOS links at the bottom of the authentication method picker screen.
  2. It sounds like for Phone Authentication we should move the TOS and PP up to the "enter your phone number" screen due to the possibility of auto-verification skipping the next screen.

I think (1) is a little difficult to do in a visually attractive way as the bottom of the screen is very busy already. (2) seems like an easy win.

@SUPERCILEX
Collaborator

The Twitter and Facebook logins already show a PP and ToS if you provide it, but Google doesn't. If the Google login could show those, it would make #1 unnecessary and remove the edge case where only one provider doesn't go through the picker activity.

@peterhav
Contributor

Note that this is a legal issue. I have just received a mail from Google warning me that my app (using Firebase-UI) is in violation:

> You must be transparent in how you handle user data (e.g. information provided by a user, collected about a user, and collected about a user’s use of the app or device), including by disclosing the collection, use, and sharing of the data, and you must limit use of the data to the description in the disclosure. If your app collects and transmits personal or sensitive user data unrelated to functionality described prominently in the app’s listing on Google Play or in the app interface, then prior to the collection and transmission, it must prominently highlight how the user data will be used and have the user provide affirmative consent for such use.

Note that I do provide a Privacy Policy, but this is shown in the about (not before login).

Therefore this is a welcome feature (that should be independent from the provider type).

@samtstern
Contributor

samtstern commented Apr 4, 2018

See #1245 for what we're gonna do here. @peterhav thank you for sharing that, I sent your feedback to the team which really accelerated the discussion and helped us reach a conclusion.

@SUPERCILEX
Collaborator

@samtstern This issue can be closed.

@everyone This was fixed in v4.0 just in time for GDPR.
