OpenCRE
OpenCRE copied to clipboard
OWASP
Better inform users on chatbot privacy
Better inform users on chatbot privacy - while users log in, before they get shown the login, and when using it should be clear that: -we only need them to login to maximize the number of queries per minute per unique user -their account is not used to authenticate with the Large Language Model -only their prompt is sent -see the info on the chatbot page on this -maybe we should link to the privacy policy of the PALM LLM -we also need to update our privacy policy to reflect this info. The google SSO refers to it
It's best to first show a page when people arrive at /chatbot and have no session: describing the above, saying welcome to OpenCRE chat, and then a link to login, taking you to google SSO.
So basically a piece of text to show on that landing page, in the privacy policy and on the chatbot page.
Then somehow we need to deal with what google says in the SSO: "To continue, Google will share your name, email address, language preference, and profile picture with opencre.org" Either we need to change some settings, change that text, or refer to it in OUR text: despite that google sends us your name and mail address, we don't store it. Preferably we pick an SSO method that does not send it al all, or rather an alternative to google sso?
If you're just using the email address, you should be able to drop off the profile scope from the SAML, which makes it a touch smoother
You can customise the oauth consent page in the GCS dashboard easily enough too
