Nick Alexander :nalexander [he/him] (PTO until Montreallhands August 21, 2023) Assignee
	Description • 11 years ago

We have a strong requirement to make sure that Firefox Accounts created on Android devices follow the COPPA legal framework.

We have discussed asking for age verification at sign up time and at account verification time.  Current thinking is that we will age verify at sign up time because we want to keep the invariant

"existance of FxA === passed COPPA"

	Richard Newman [:rnewman]
	Comment 2 • 11 years ago

Do we have final wording etc. for this?

	Nick Alexander :nalexander [he/him] (PTO until Montreallhands August 21, 2023) Assignee
	Comment 3 • 11 years ago

https://hg.mozilla.org/services/services-central/rev/74a7243332cd

	Nick Alexander :nalexander [he/him] (PTO until Montreallhands August 21, 2023) Assignee
	Comment 4 • 11 years ago

Comment on attachment 8362044 [details]
github PR

Reviewed on github.

	Richard Newman [:rnewman]
	Comment 5 • 11 years ago

https://hg.mozilla.org/mozilla-central/rev/74a7243332cd

	Nick Alexander :nalexander [he/him] (PTO until Montreallhands August 21, 2023) Assignee
	Comment 6 • 11 years ago

QA:

If a user tries to create an account and is too young (defined as 13 or younger, i.e., born 2001 or younger), this implements a 15 minute lockout period.  Attempts to create an account during that period should hard redirect to a "no can do" screen.  The lockout is stored in process memory; killing the process, or uninstalling the Android package, etc, will forget the lockout.

There is extensive debug log output about the age check that will be killed before the Aurora merge (Bug 962126) but that will be helpful when testing.

	ewong
	Comment 7 • 11 years ago

Doesn't a 15 min lockout seem a bit heavy handed?  What if I accidentally tapped the wrong year.  If I get 'locked' out, I should at least be informed of the timeout, and provided a way to resolve this myself.  I don't want users to just give up on using FxA. 

Bottom line is we should minimize support emails and user frustration.

	Nick Alexander :nalexander [he/him] (PTO until Montreallhands August 21, 2023) Assignee
	Comment 8 • 11 years ago

(In reply to ewong from comment #7)
> Doesn't a 15 min lockout seem a bit heavy handed?  What if I accidentally
> tapped the wrong year.  If I get 'locked' out, I should at least be informed
> of the timeout, and provided a way to resolve this myself.  I don't want
> users to just give up on using FxA. 
> 
> Bottom line is we should minimize support emails and user frustration.

Decision came to me via rfeeley, who got it from legal.  I assume we'll sign off before Aurora merge, which gives us an opportunity to revisit.  I don't care what we do but changing it (in a way other than adjusting the lockout length) is work.

	Aaron Train [:aaronmt]
	Comment 9 • 11 years ago

(Fuel to fire, this wireframe has it at 10 http://is.gd/Sync_FxA_Latest_Android_UX_PDF)

	Aaron Train [:aaronmt]
	Comment 10 • 11 years ago

QA Test-Note:

* Signed up with a birth year of 2005
* Tapped create and hit the age limit check
* Backed out and attempted to access Firefox Accounts in Android settings again; hit the age limit check
* After 15 minutes; I was able to access Firefox Accounts in Android settings once again
* Verified that the Learn More link opened an FTC COPPA blurb

I/FxAccounts( 6120): fennec :: FxAccountAgeLockoutHelper :: $$FxA PII$$: Checking if locked out: it's been 916312ms since last lockout, so no.

I/ActivityManager(  704): Displayed org.mozilla.fennec/org.mozilla.gecko.fxa.activities.FxAccountGetStartedActivity: +88ms

Works for me.

@TeoVemesan mentioned in #androidsync of the inevitable circumvention with clearing all data/cache from org.mozilla.fennec to circumvent the timer.

	James Bonacci [:jbonacci]
	Comment 11 • 11 years ago

That last line is really important, but I am not even sure how/where we would document document this...