Re: Identity providers as first parties from Tamir Israel on 2012-06-17 (public-tracking@w3.org from June 2012)

From: Tamir Israel <tisrael@cippic.ca>
Date: Sun, 17 Jun 2012 15:13:31 -0400
To: Shane Wiley <wileys@yahoo-inc.com>
CC: Rigo Wenning <rigo@w3.org>, "public-tracking@w3.org" <public-tracking@w3.org>, "rob@blaeu.com" <rob@blaeu.com>, Kimon Zorbas <vp@iabeurope.eu>, "ifette@google.com" <ifette@google.com>, "JC Cannon (Microsoft)" <jccannon@microsoft.com>
Message-ID: <4FDE2C5B.70500@cippic.ca>
Shane -- Out of band consent *does* trump DNT-1. We are now trying to 
define the parameters by which out of band consent can be sought.

Best,
Tamir

On 6/17/2012 3:11 PM, Shane Wiley wrote:
> Tamir,
>
> Out-of-band consent trumps DNT.  We've been repeating this mantra for over a year now - becoming repetitive.
>
> - Shane
>
> -----Original Message-----
> From: Tamir Israel [mailto:tisrael@cippic.ca]
> Sent: Saturday, June 16, 2012 5:23 PM
> To: Shane Wiley
> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
> Subject: Re: Identity providers as first parties
>
> Shane --
>
> Just so we're really clear: if a user authenticates with Yahoo! on site
> A and controls preferences on that site, does the out of band consent
> dialogue Jonathan showed invalidate DNT-1: on site A? in general?
>
> Best,
> Tamir
>
> On 6/15/2012 11:29 PM, Tamir Israel wrote:
>> Ok.
>>
>> On 6/15/2012 2:07 PM, Shane Wiley wrote:
>>> DAA Opt-out and single-sign on are not related.  There are some
>>> implementations where the ID is needed beyond the authentication
>>> event and therefore data collection occurs outside of the initial
>>> authentication event.  Users do NOT need to choose Yahoo! as their ID
>>> provider if they feel uncomfortable with that outcome.
>>>
>>> - Shane
>>>
>>> -----Original Message-----
>>> From: Tamir Israel [mailto:tisrael@cippic.ca]
>>> Sent: Friday, June 15, 2012 10:56 AM
>>> To: Shane Wiley
>>> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon
>>> Zorbas; ifette@google.com; JC Cannon (Microsoft)
>>> Subject: Re: Identity providers as first parties
>>>
>>> Shane,
>>>
>>> Maybe we are getting sidetracked.
>>>
>>> Can you please explain the scope of tracking that results from using
>>> Yahoo!'s IdM mechanism? Does it mean you can track all my activities on
>>> the specific authenticated site? If so does this carry across multiple
>>> explicitly authenticated sites? Does it operate in a manner analogous to
>>> single sign-on? How does it interact with the existing DAA opt-out?
>>>
>>> Thanks and best regards,
>>> Tamir
>>>
>>> On 6/15/2012 11:28 AM, Shane Wiley wrote:
>>>> Tamir,
>>>>
>>>> Any service gets to determine its own primary purpose - so if OBA is
>>>> the payment for the service and this is disclosed as a primary
>>>> purpose, then that's the bargain the users can choose to consent to
>>>> or not.
>>>>
>>>> - Shane
>>>>
>>>> -----Original Message-----
>>>> From: Tamir Israel [mailto:tisrael@cippic.ca]
>>>> Sent: Friday, June 15, 2012 8:21 AM
>>>> To: Shane Wiley
>>>> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon
>>>> Zorbas; ifette@google.com; JC Cannon (Microsoft)
>>>> Subject: Re: Identity providers as first parties
>>>>
>>>> Shane --
>>>>
>>>> There are 2 questions here. One is whether you can bundle in the
>>>> obligation to consent to secondary purposes as a condition of
>>>> authentication in an IdM context. The primary service in an IdM context
>>>> is authentication, not OBA.
>>>>
>>>> The second is to what extent the DNT spec should address this. I took
>>>> the 'independent choice' out of band consent criteria as an attempt to
>>>> prevent bundling of choices.
>>>>
>>>> Best,
>>>> Tamir
>>>>
>>>> On 6/15/2012 11:06 AM, Shane Wiley wrote:
>>>>> Tamir,
>>>>>
>>>>> But in the use case we're discussing the service being provided is
>>>>> the primary purpose - a user's online identity.  A service
>>>>> determines its primary purpose, discloses this to the user, user
>>>>> consents.  Case closed.
>>>>>
>>>>> - Shane
>>>>>
>>>>> -----Original Message-----
>>>>> From: Tamir Israel [mailto:tisrael@cippic.ca]
>>>>> Sent: Friday, June 15, 2012 8:02 AM
>>>>> To: Shane Wiley
>>>>> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon
>>>>> Zorbas; ifette@google.com; JC Cannon (Microsoft)
>>>>> Subject: Re: Identity providers as first parties
>>>>>
>>>>> Shane, I disagree. Under PIPEDA you should offer users the possibility
>>>>> of opting out of collection, use or disclosure for purposes
>>>>> secondary to
>>>>> the primary service being offered.
>>>>>
>>>>> This is the basis of the opt-out consent scheme being applied to
>>>>> online
>>>>> tracking.
>>>>>
>>>>> Best,
>>>>> Tamir
>>>>>
>>>>> On 6/15/2012 10:58 AM, Shane Wiley wrote:
>>>>>> Tamir,
>>>>>>
>>>>>> I disagree and PIPEDA does as well.  As long as you're clear to a
>>>>>> user what a service provides and a user expressly consents to
>>>>>> those practices, the discussion is over.
>>>>>>
>>>>>> Please don't try to raise CA regulatory schemes into conversations
>>>>>> on one hand then completely reverse your stance at whim - this
>>>>>> seriously undermines your credibility.
>>>>>>
>>>>>> - Shane
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Tamir Israel [mailto:tisrael@cippic.ca]
>>>>>> Sent: Friday, June 15, 2012 7:54 AM
>>>>>> To: Shane Wiley
>>>>>> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon
>>>>>> Zorbas; ifette@google.com; JC Cannon (Microsoft)
>>>>>> Subject: Re: Identity providers as first parties
>>>>>>
>>>>>> Shane --
>>>>>>
>>>>>> The need for independent choice is critical, I think, to the out
>>>>>> of band
>>>>>> consent scheme. You shouldn't be able to force users out of their DNT
>>>>>> choices as a condition of authentication.
>>>>>>
>>>>>> Best,
>>>>>> Tamir
>>>>>>
>>>>>> On 6/15/2012 10:48 AM, Shane Wiley wrote:
>>>>>>> Rigo,
>>>>>>>
>>>>>>> DNT will NEVER trump an out-of-band consent.  The user would
>>>>>>> simply withdraw from using the service they had provided prior
>>>>>>> consent to.  If the product would like to offer two levels of
>>>>>>> service, it can of course do that, but that would be completely
>>>>>>> outside the scope of DNT.
>>>>>>>
>>>>>>> DNT is not the privacy silver bullet and answer to all privacy
>>>>>>> issues on the Internet - let's stop trying to push it in that
>>>>>>> direction.
>>>>>>>
>>>>>>> Thank you,
>>>>>>> - Shane
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Rigo Wenning [mailto:rigo@w3.org]
>>>>>>> Sent: Friday, June 15, 2012 1:28 AM
>>>>>>> To: public-tracking@w3.org
>>>>>>> Cc: Shane Wiley; rob@blaeu.com; Kimon Zorbas; ifette@google.com;
>>>>>>> Tamir Israel; JC Cannon (Microsoft)
>>>>>>> Subject: Re: Identity providers as first parties
>>>>>>>
>>>>>>> Shane, Kimon,
>>>>>>>
>>>>>>> On Thursday 14 June 2012 16:47:03 Shane Wiley wrote:
>>>>>>>> I’ve used a few others and they appears to do the same so I’m
>>>>>>>> confused as to what real-world identity provider scenario someone
>>>>>>>> is considering where consent wasn’t already obtained?
>>>>>>> I confirm that we agreed that the out-of-band agreement will trump
>>>>>>> the DNT:1 signal. We also agreed that the service has to signal this
>>>>>>> to the client.
>>>>>>>
>>>>>>> I guess, what Rob is trying to achieve is to say, even in this
>>>>>>> context, a service could offer the choice of stopping to track and
>>>>>>> only use information for the login/authentication purpose. This
>>>>>>> could be the meaning of DNT:1 if the Service sends ACK in a
>>>>>>> login/authentication context. If you're looking for medical
>>>>>>> information in a login context, you don't want your login provider
>>>>>>> to spawn that to your insurance. I think this is a very legitimate
>>>>>>> use case. The service could say: "yes, I see your point" and send
>>>>>>> ACK instead of "out-of-band".
>>>>>>>
>>>>>>> We are just defining switches. People will decide whether they
>>>>>>> switch stuff on or off or provide a switch at all.
>>>>>>>
>>>>>>> Rigo
Received on Sunday, 17 June 2012 19:14:41 UTC