W3C home > Mailing lists > Public > public-tracking@w3.org > June 2012

Re: Identity providers as first parties

From: Peter Cranstone <peter.cranstone@gmail.com>
Date: Mon, 18 Jun 2012 10:49:19 -0600
To: <ifette@google.com>, Jeffrey Chester <jeff@democraticmedia.org>
CC: Alan Chapell <achapell@chapellassociates.com>, Jonathan Mayer <jmayer@stanford.edu>, Mike Zaneis <mike@iab.net>, Shane Wiley <wileys@yahoo-inc.com>, Tamir Israel <tisrael@cippic.ca>, Rigo Wenning <rigo@w3.org>, "public-tracking@w3.org" <public-tracking@w3.org>, "rob@blaeu.com" <rob@blaeu.com>, Kimon Zorbas <vp@iabeurope.eu>, "JC Cannon (Microsoft)" <jccannon@microsoft.com>
Message-ID: <CC04B7B1.3ABB%peter.cranstone@gmail.com>
It seems awfully late to be discussing what constitutes a common objective.

How about we define and agree on a definition of privacy? With that out of
the way the objective will hopefully become a lot easier. What about
starting with the CDT definition? Anything wrong with that?


Peter
___________________________________
Peter J. Cranstone
720.663.1752


From:  "Ian Fette   (イアンフェッティ)" <ifette@google.com>
Reply-To:  <ifette@google.com>
Date:  Monday, June 18, 2012 10:44 AM
To:  Jeffrey Chester <jeff@democraticmedia.org>
Cc:  Alan Chapell <achapell@chapellassociates.com>, Jonathan Mayer
<jmayer@stanford.edu>, Mike Zaneis <mike@iab.net>, Shane Wiley
<wileys@yahoo-inc.com>, Tamir Israel <tisrael@cippic.ca>, Rigo Wenning
<rigo@w3.org>, W3 Tracking <public-tracking@w3.org>, "rob@blaeu.com"
<rob@blaeu.com>, Kimon Zorbas <vp@iabeurope.eu>, "JC Cannon (Microsoft)"
<jccannon@microsoft.com>
Subject:  Re: Identity providers as first parties
Resent-From:  W3 Tracking <public-tracking@w3.org>
Resent-Date:  Mon, 18 Jun 2012 16:44:52 +0000

> Jeff,
> 
> I think we all want to see a spec come out that is meaningful and can see
> broad adoption by websites while providing a meaningful benefit to consumers
> over the current status-quo. That said, I don't appreciate being
> misrepresented to press. On that call we were discussing defaults, IE10, and
> choice. What I expressed on that call was that, as we have agreed since the
> beginning in this WG, DNT is a voluntary mechanism that we are hoping people
> will opt-in to. Sites have an option as to whether or not they will support
> DNT, and whether they will support it uniformly for all requests or, for
> instance, decline the request from user agents known to set it by default, and
> ideally have some mechanism in the spec to provide notice to that effect to
> the user.
> 
> That's a far cry from saying "we will be able to do whatever [we] want
> anyways."
> 
> As to your last point, I continue to feel that the biggest obstacle this
> working group faces is that we still have not yet agreed on a common purpose
> that we are working towards. We came to the table intending to provide a
> mechanism through the browser with which users could opt-out of receiving
> online behavioural advertisements. Others came to the table with the aim of
> solving the Article 29 "opt-in" issues. Others still have come to the table
> with the objective of stopping all data collection by "third parties". Until
> we can agree on a common objective for this WG, I fear we may continue to
> operate in a less-than-optimal manner.
> 
> -Ian
> 
> On Mon, Jun 18, 2012 at 9:36 AM, Jeffrey Chester <jeff@democraticmedia.org>
> wrote:
>> I hadn't seen this.  But I think Jonathan was correct in his
>> characterization.  Many privacy advocates hope that Google will provide
>> greater leadership to adopt meaningful DNT standard.    We are waiting to see
>> its plans to ensure the spec protects privacy.
>> 
>> Jeff
>> 
>> 
>> 
>> On Jun 18, 2012, at 12:31 PM, Ian Fette (イアンフェッティ) wrote:
>> 
>>> Jeff,
>>> 
>>> With respect, 
>>> 
>>> 
>>> "It's not clear to what extent we'll get an agreement on this," Mayer told
>>> CNNMoney. "One of Google's representatives said on the call that the company
>>> will be able to do whatever it wants anyways. I'm stunned at how transparent
>>> some of these companies were -- they just want to minimize the number of Do
>>> Not Track users, period."
>>> 
>>> http://money.cnn.com/2012/06/07/technology/do-not-track/index.htm
>>> 
>>> That type of behaviour is not something one would expect from someone who
>>> bills themselves as being a "tough-but-fair negotiator."
>>> 
>>> -Ian
>>> 
>>> On Mon, Jun 18, 2012 at 9:27 AM, Jeffrey Chester <jeff@democraticmedia.org>
>>> wrote:
>>>> Ian:  I suggest that what reporters are doing is merely reading the texts
>>>> posted.  That what's been written says a great deal about both personal
>>>> views and--one assumes--the position taken by the CEO and board on DNT and
>>>> the spec.  There hasn't been anything taken out of context I know about.
>>>> See you soon.
>>>> 
>>>> Jeff
>>>> 
>>>> 
>>>> 
>>>> On Jun 18, 2012, at 12:24 PM, Ian Fette (イアンフェッティ) wrote:
>>>> 
>>>>> Jeff, 
>>>>> 
>>>>> That's precisely the problem. Certain people from this working group seem
>>>>> to have no problem taking statements made on calls and feeding warped
>>>>> versions of those statements to reporters; such tactics do not typically
>>>>> go far when one is trying to be a "negotiator" to reach a "grand
>>>>> compromise". (Also, most "negotiators" whom I have seen be successful in
>>>>> the past, hostage negotiators excepted, have been neutral uninterested
>>>>> third parties, not someone with a clear axe to grind.)
>>>>> 
>>>>> -Ian
>>>>> 
>>>>> On Mon, Jun 18, 2012 at 9:21 AM, Jeffrey Chester
>>>>> <jeff@democraticmedia.org> wrote:
>>>>>> Alan:  I find your language and tone troubling.  I hope you know that
>>>>>> many people are looking at this thread.  Our communications say a great
>>>>>> deal about ourselves, inc to the EU, FTC and media watching this thread
>>>>>> closely.  Maybe even Fox News!
>>>>>> 
>>>>>> Jeff
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> On Jun 18, 2012, at 12:17 PM, Alan Chapell wrote:
>>>>>> 
>>>>>>> I have no issue with your personality. My issue is with your tactics.
>>>>>>> Assuming you can cease utilizing tactics that seem unproductive at best,
>>>>>>> then I think you will see fewer emails directed at you; criticizing
>>>>>>> those tactics.
>>>>>>> 
>>>>>>> This will be my last note on this matter – I'm hopeful and optimistic
>>>>>>> that we can move forward productively from here….
>>>>>>> 
>>>>>>> 
>>>>>>> Alan
>>>>>>> 
>>>>>>> 
>>>>>>> From:  Jonathan Mayer <jmayer@stanford.edu>
>>>>>>> Date:  Monday, June 18, 2012 12:08 PM
>>>>>>> To:  Jeffrey Chester <jeff@democraticmedia.org>
>>>>>>> Cc:  Alan Chapell <achapell@chapellassociates.com>, Mike Zaneis
>>>>>>> <mike@iab.net>, Shane Wiley <wileys@yahoo-inc.com>, Tamir Israel
>>>>>>> <tisrael@cippic.ca>, Rigo Wenning <rigo@w3.org>,
>>>>>>> "public-tracking@w3.org" <public-tracking@w3.org>, "rob@blaeu.com"
>>>>>>> <rob@blaeu.com>, Kimon Zorbas <vp@iabeurope.eu>, "ifette@google.com"
>>>>>>> <ifette@google.com>, "JC Cannon (Microsoft)" <jccannon@microsoft.com>
>>>>>>> Subject:  Re: Identity providers as first parties
>>>>>>> 
>>>>>>>  
>>>>>>>  This thread has devolved into a Fox News-esque referendum on my
>>>>>>> personality. It's both a distraction and ineffectual—those who have
>>>>>>> collaborated with me over the past year know I'm a tireless,
>>>>>>> tough-but-fair negotiator.
>>>>>>> 
>>>>>>> Enough. Back to substance.
>>>>>>> 
>>>>>>> Jonathan 
>>>>>>>  
>>>>>>> On Monday, June 18, 2012 at 5:33 AM, Jeffrey Chester wrote:
>>>>>>>  
>>>>>>>  
>>>>>>> Jonathan has played an extraordinary productive role, with insights,
>>>>>>> urging compromise (when people like  me looked with dismay about the
>>>>>>> lack of progress in achieving real privacy safeguards so far), and
>>>>>>> leadership.  As I have explained to officials, we have not yet seen
>>>>>>> serious compromise from industry to ensure DNT is a spec that protects
>>>>>>> privacy.  Jonathan wants us to all do better, as do I.   We all know--or
>>>>>>> should--that what we are doing is being closely watched on both sides of
>>>>>>> the Atlantic by the press and policymakers.  It would be a serious loss
>>>>>>> if we don't make progress in Seattle.
>>>>>>> 
>>>>>>> Jeff Chester
>>>>>>> Center for Digital Democracy
>>>>>>> Washington DC
>>>>>>> www.democraticmedia.org <http://www.democraticmedia.org/>
>>>>>>> Jeff@democraticmedia.org
>>>>>>> 
>>>>>>> On Jun 18, 2012, at 5:19 AM, Alan Chapell
>>>>>>> <achapell@chapellassociates.com> wrote:
>>>>>>> 
>>>>>>> Jonathan,
>>>>>>> 
>>>>>>> Taking you at your word that your goal is to attain consensus, I would
>>>>>>> humbly suggest that the tactics you are using – particularly over the
>>>>>>> past several weeks – seem at odds with that goal. I'm hopeful that your
>>>>>>> latest email is an indication that we'll see more compromise and fewer
>>>>>>> juvenile barbs when we arrive in Bellevue.
>>>>>>> 
>>>>>>> And for the record, as someone from industry – I strongly favor the
>>>>>>> proposal proffered by Shane et al.
>>>>>>> 
>>>>>>> Cheers,
>>>>>>> 
>>>>>>> Alan Chapell
>>>>>>> Chapell & Associates
>>>>>>> 917 318 8440 <tel:917%20318%208440>
>>>>>>> 
>>>>>>> 
>>>>>>> From:  Jonathan Mayer <jmayer@stanford.edu>
>>>>>>> Date:  Monday, June 18, 2012 2:06 AM
>>>>>>> To:  Mike Zaneis <mike@iab.net>
>>>>>>> Cc:  Shane Wiley <wileys@yahoo-inc.com>, Tamir Israel
>>>>>>> <tisrael@cippic.ca>, Rigo Wenning <rigo@w3.org>,
>>>>>>> "public-tracking@w3.org" <public-tracking@w3.org>, "rob@blaeu.com"
>>>>>>> <rob@blaeu.com>, Kimon Zorbas <vp@iabeurope.eu>, "ifette@google.com"
>>>>>>> <ifette@google.com>, "JC Cannon (Microsoft)" <jccannon@microsoft.com>
>>>>>>> Subject:  Re: Identity providers as first parties
>>>>>>> Resent-From:  <public-tracking@w3.org>
>>>>>>> Resent-Date:  Mon, 18 Jun 2012 06:07:15 +0000
>>>>>>> 
>>>>>>>  
>>>>>>> Shane and Mike,
>>>>>>> 
>>>>>>> As the Bellevue meeting approaches, this group's sole focus must be
>>>>>>> attaining consensus on a moderate compromise.  I'm doing everything I
>>>>>>> can to facilitate that goal.  I have neither the time nor patience to
>>>>>>> swap puerile barbs for cheap political points.  There's far too much at
>>>>>>> stake.
>>>>>>> 
>>>>>>> Jonathan
>>>>>>> On Sunday, June 17, 2012 at 6:58 PM, Mike Zaneis wrote:
>>>>>>> 
>>>>>>>  
>>>>>>> Jonathan,
>>>>>>> 
>>>>>>> Can you please elaborate on these very serious claims you have made in
>>>>>>> back to back posts?  First, you attack two of the most engaged,
>>>>>>> productive members of the working group (Shane and Roy who are both
>>>>>>> editors) and claim they do not speak for the online advertising
>>>>>>> industry, yet you did not point to any companies or public statements of
>>>>>>> support for your position. As someone who DOES speak for the industry, I
>>>>>>> know that Shane and Roy raise issues that THE industry shares. Please
>>>>>>> provide substantiation for your claims.
>>>>>>> 
>>>>>>> As for the unfair competition claims, that is laughable. The only legal
>>>>>>> claim we should be discussing is one of liable for such ridiculous
>>>>>>> statements.
>>>>>>> 
>>>>>>> Mike Zaneis
>>>>>>> SVP & General Counsel, IAB
>>>>>>> (202) 253-1466 <tel:%28202%29%20253-1466>
>>>>>>> 
>>>>>>> On Jun 17, 2012, at 5:52 PM, "Jonathan Mayer" <jmayer@stanford.edu>
>>>>>>> wrote:
>>>>>>> 
>>>>>>> Shane, 
>>>>>>> 
>>>>>>> As I explained in my initial note:
>>>>>>> We have received valuable feedback from a number of participant
>>>>>>> viewpoints, including browser vendors, advertising companies, analytics
>>>>>>> services, social networks, policymakers, consumer groups, and
>>>>>>> researchers.  Out of respect for the candid nature of those ongoing
>>>>>>> conversations, we leave it to stakeholders to volunteer their
>>>>>>> contributions to and views on this proposal.
>>>>>>> I would add that more than one advertising company expressed concern
>>>>>>> about possible retaliation if they broke away from the industry trade
>>>>>>> groups.  I'll leave it to regulators to decide if the industry's
>>>>>>> practices constitute unfair competition.
>>>>>>> 
>>>>>>> Jonathan
>>>>>>> 
>>>>>>> 
>>>>>>> On Sunday, June 17, 2012 at 1:51 PM, Shane Wiley wrote:
>>>>>>> 
>>>>>>> Jonathan,
>>>>>>>  
>>>>>>> Continue to disagree (on many levels).  Could you please name those in
>>>>>>> the online advertising industry that are supportive of the proposal you
>>>>>>> shared with the WG?
>>>>>>>  
>>>>>>> Thank you,
>>>>>>> - Shane
>>>>>>>  
>>>>>>> From: Jonathan Mayer [ <mailto:jmayer@stanford.edu>
>>>>>>> mailto:jmayer@stanford.edu]
>>>>>>> Sent: Sunday, June 17, 2012 1:42 PM
>>>>>>> To: Shane Wiley
>>>>>>> Cc: Tamir Israel; Rigo Wenning;  <mailto:public-tracking@w3.org>
>>>>>>> public-tracking@w3.org;  <mailto:rob@blaeu.com> rob@blaeu.com; Kimon
>>>>>>> Zorbas;  <mailto:ifette@google.com> ifette@google.com; JC Cannon
>>>>>>> (Microsoft)
>>>>>>> Subject: Re: Identity providers as first parties
>>>>>>>  
>>>>>>> Shane, 
>>>>>>>  
>>>>>>> You and Roy have been vocal in your objections to the
>>>>>>> EFF/Mozilla/Stanford compromise proposal. I'm disappointed, though given
>>>>>>> your inflexibility throughout this process, entirely unsurprised.
>>>>>>>  
>>>>>>> That said, you do not speak for the online advertising industry. Many
>>>>>>> companies have been more willing to countenance constructive compromise.
>>>>>>> Your conclusion that advertising industry participants have "mostly
>>>>>>> rejected" the proposal is inaccurate.
>>>>>>>  
>>>>>>> Jonathan 
>>>>>>> On Sunday, June 17, 2012 at 12:26 PM, Shane Wiley wrote:
>>>>>>> Tamir,
>>>>>>>  
>>>>>>> Jonathan's proposal does attempt to address this point but many in the
>>>>>>> room feel this should be left to local law. Justin Brookman and I took a
>>>>>>> pass at this language but it shifted to becoming overly prescriptive
>>>>>>> (legislating via tech standard) so many in the WG asked for local law to
>>>>>>> determine.
>>>>>>>  
>>>>>>> I would suggest this conversation be extracted from Jonathan's proposal
>>>>>>> to be handled separately as the rest of proposal has been mostly
>>>>>>> rejected by those in the WG that are intended to implement DNT in the
>>>>>>> real-world (on the 1st party/3rd party side).
>>>>>>>  
>>>>>>> More to come in Seattle...
>>>>>>>  
>>>>>>> - Shane
>>>>>>>  
>>>>>>> -----Original Message-----
>>>>>>> From: Tamir Israel [ <mailto:tisrael@cippic.ca>
>>>>>>> mailto:tisrael@cippic.ca]
>>>>>>> Sent: Sunday, June 17, 2012 12:19 PM
>>>>>>> To: Shane Wiley
>>>>>>> Cc: Rigo Wenning;  <mailto:public-tracking@w3.org>
>>>>>>> public-tracking@w3.org;  <mailto:rob@blaeu.com> rob@blaeu.com; Kimon
>>>>>>> Zorbas;  <mailto:ifette@google.com> ifette@google.com; JC Cannon
>>>>>>> (Microsoft)
>>>>>>> Subject: Re: Identity providers as first parties
>>>>>>>  
>>>>>>> Shane -- I am not remotely attempting doing so.
>>>>>>>  
>>>>>>> As far back as I can see, the spec was going to put conditions on the
>>>>>>> means by which out of band consent can be sought.
>>>>>>>  
>>>>>>> Jonathan et al's proposal is:
>>>>>>>  
>>>>>>> 1. Actual presentation: The choice mechanism MUST be actually presented
>>>>>>> to the user. It MUST NOT be on a linked page, such as a terms of service
>>>>>>> or privacy policy.
>>>>>>> 2. Clear terms: The choice mechanism MUST use clear, non-confusing
>>>>>>> terminology.
>>>>>>> 3. Independent choice: The choice mechanism MUST be presented
>>>>>>> independent of other choices. It MUST NOT be bundled with other user
>>>>>>> preferences.
>>>>>>> 4. No default permission: The choice mechanism MUST NOT have the user
>>>>>>> permission preference selected by default.
>>>>>>>  
>>>>>>> On 6/17/2012 3:16 PM, Shane Wiley wrote:
>>>>>>> Tamir,
>>>>>>>  
>>>>>>> That's up to local laws to determine. Please do not attempt to legislate
>>>>>>> via W3C tech standard.
>>>>>>>  
>>>>>>> - Shane
>>>>>>>  
>>>>>>> -----Original Message-----
>>>>>>> From: Tamir Israel [ <mailto:tisrael@cippic.ca>
>>>>>>> mailto:tisrael@cippic.ca]
>>>>>>> Sent: Sunday, June 17, 2012 12:14 PM
>>>>>>> To: Shane Wiley
>>>>>>> Cc: Rigo Wenning;  <mailto:public-tracking@w3.org>
>>>>>>> public-tracking@w3.org;  <mailto:rob@blaeu.com> rob@blaeu.com; Kimon
>>>>>>> Zorbas;  <mailto:ifette@google.com> ifette@google.com; JC Cannon
>>>>>>> (Microsoft)
>>>>>>> Subject: Re: Identity providers as first parties
>>>>>>>  
>>>>>>> Shane -- Out of band consent *does* trump DNT-1. We are now trying to
>>>>>>> define the parameters by which out of band consent can be sought.
>>>>>>>  
>>>>>>> Best,
>>>>>>> Tamir
>>>>>>>  
>>>>>>> On 6/17/2012 3:11 PM, Shane Wiley wrote:
>>>>>>> Tamir,
>>>>>>>  
>>>>>>> Out-of-band consent trumps DNT. We've been repeating this mantra for
>>>>>>> over a year now - becoming repetitive.
>>>>>>>  
>>>>>>> - Shane
>>>>>>>  
>>>>>>> -----Original Message-----
>>>>>>> From: Tamir Israel [ <mailto:tisrael@cippic.ca>
>>>>>>> mailto:tisrael@cippic.ca]
>>>>>>> Sent: Saturday, June 16, 2012 5:23 PM
>>>>>>> To: Shane Wiley
>>>>>>> Cc: Rigo Wenning;  <mailto:public-tracking@w3.org>
>>>>>>> public-tracking@w3.org;  <mailto:rob@blaeu.com> rob@blaeu.com; Kimon
>>>>>>> Zorbas;  <mailto:ifette@google.com> ifette@google.com; JC Cannon
>>>>>>> (Microsoft)
>>>>>>> Subject: Re: Identity providers as first parties
>>>>>>>  
>>>>>>> Shane --
>>>>>>>  
>>>>>>> Just so we're really clear: if a user authenticates with Yahoo! on site
>>>>>>> A and controls preferences on that site, does the out of band consent
>>>>>>> dialogue Jonathan showed invalidate DNT-1: on site A? in general?
>>>>>>>  
>>>>>>> Best,
>>>>>>> Tamir
>>>>>>>  
>>>>>>> On 6/15/2012 11:29 PM, Tamir Israel wrote:
>>>>>>> Ok.
>>>>>>>  
>>>>>>> On 6/15/2012 2:07 PM, Shane Wiley wrote:
>>>>>>> DAA Opt-out and single-sign on are not related. There are some
>>>>>>> implementations where the ID is needed beyond the authentication
>>>>>>> event and therefore data collection occurs outside of the initial
>>>>>>> authentication event. Users do NOT need to choose Yahoo! as their ID
>>>>>>> provider if they feel uncomfortable with that outcome.
>>>>>>>  
>>>>>>> - Shane
>>>>>>>  
>>>>>>> -----Original Message-----
>>>>>>> From: Tamir Israel [ <mailto:tisrael@cippic.ca>
>>>>>>> mailto:tisrael@cippic.ca]
>>>>>>> Sent: Friday, June 15, 2012 10:56 AM
>>>>>>> To: Shane Wiley
>>>>>>> Cc: Rigo Wenning;  <mailto:public-tracking@w3.org>
>>>>>>> public-tracking@w3.org;  <mailto:rob@blaeu.com> rob@blaeu.com; Kimon
>>>>>>> Zorbas;  <mailto:ifette@google.com> ifette@google.com; JC Cannon
>>>>>>> (Microsoft)
>>>>>>> Subject: Re: Identity providers as first parties
>>>>>>>  
>>>>>>> Shane,
>>>>>>>  
>>>>>>> Maybe we are getting sidetracked.
>>>>>>>  
>>>>>>> Can you please explain the scope of tracking that results from using
>>>>>>> Yahoo!'s IdM mechanism? Does it mean you can track all my activities on
>>>>>>> the specific authenticated site? If so does this carry across multiple
>>>>>>> explicitly authenticated sites? Does it operate in a manner analogous to
>>>>>>> single sign-on? How does it interact with the existing DAA opt-out?
>>>>>>>  
>>>>>>> Thanks and best regards,
>>>>>>> Tamir
>>>>>>>  
>>>>>>> On 6/15/2012 11:28 AM, Shane Wiley wrote:
>>>>>>> Tamir,
>>>>>>>  
>>>>>>> Any service gets to determine its own primary purpose - so if OBA is
>>>>>>> the payment for the service and this is disclosed as a primary
>>>>>>> purpose, then that's the bargain the users can choose to consent to
>>>>>>> or not.
>>>>>>>  
>>>>>>> - Shane
>>>>>>>  
>>>>>>> -----Original Message-----
>>>>>>> From: Tamir Israel [ <mailto:tisrael@cippic.ca>
>>>>>>> mailto:tisrael@cippic.ca]
>>>>>>> Sent: Friday, June 15, 2012 8:21 AM
>>>>>>> To: Shane Wiley
>>>>>>> Cc: Rigo Wenning;  <mailto:public-tracking@w3.org>
>>>>>>> public-tracking@w3.org;  <mailto:rob@blaeu.com> rob@blaeu.com; Kimon
>>>>>>> Zorbas;  <mailto:ifette@google.com> ifette@google.com; JC Cannon
>>>>>>> (Microsoft)
>>>>>>> Subject: Re: Identity providers as first parties
>>>>>>>  
>>>>>>> Shane --
>>>>>>>  
>>>>>>> There are 2 questions here. One is whether you can bundle in the
>>>>>>> obligation to consent to secondary purposes as a condition of
>>>>>>> authentication in an IdM context. The primary service in an IdM context
>>>>>>> is authentication, not OBA.
>>>>>>>  
>>>>>>> The second is to what extent the DNT spec should address this. I took
>>>>>>> the 'independent choice' out of band consent criteria as an attempt to
>>>>>>> prevent bundling of choices.
>>>>>>>  
>>>>>>> Best,
>>>>>>> Tamir
>>>>>>>  
>>>>>>> On 6/15/2012 11:06 AM, Shane Wiley wrote:
>>>>>>> Tamir,
>>>>>>>  
>>>>>>> But in the use case we're discussing the service being provided is
>>>>>>> the primary purpose - a user's online identity. A service
>>>>>>> determines its primary purpose, discloses this to the user, user
>>>>>>> consents. Case closed.
>>>>>>>  
>>>>>>> - Shane
>>>>>>>  
>>>>>>> -----Original Message-----
>>>>>>> From: Tamir Israel [ <mailto:tisrael@cippic.ca>
>>>>>>> mailto:tisrael@cippic.ca]
>>>>>>> Sent: Friday, June 15, 2012 8:02 AM
>>>>>>> To: Shane Wiley
>>>>>>> Cc: Rigo Wenning;  <mailto:public-tracking@w3.org>
>>>>>>> public-tracking@w3.org;  <mailto:rob@blaeu.com> rob@blaeu.com; Kimon
>>>>>>> Zorbas;  <mailto:ifette@google.com> ifette@google.com; JC Cannon
>>>>>>> (Microsoft)
>>>>>>> Subject: Re: Identity providers as first parties
>>>>>>>  
>>>>>>> Shane, I disagree. Under PIPEDA you should offer users the possibility
>>>>>>> of opting out of collection, use or disclosure for purposes
>>>>>>> secondary to
>>>>>>> the primary service being offered.
>>>>>>>  
>>>>>>> This is the basis of the opt-out consent scheme being applied to
>>>>>>> online
>>>>>>> tracking.
>>>>>>>  
>>>>>>> Best,
>>>>>>> Tamir
>>>>>>>  
>>>>>>> On 6/15/2012 10:58 AM, Shane Wiley wrote:
>>>>>>> Tamir,
>>>>>>>  
>>>>>>> I disagree and PIPEDA does as well. As long as you're clear to a
>>>>>>> user what a service provides and a user expressly consents to
>>>>>>> those practices, the discussion is over.
>>>>>>>  
>>>>>>> Please don't try to raise CA regulatory schemes into conversations
>>>>>>> on one hand then completely reverse your stance at whim - this
>>>>>>> seriously undermines your credibility.
>>>>>>>  
>>>>>>> - Shane
>>>>>>>  
>>>>>>> -----Original Message-----
>>>>>>> From: Tamir Israel [ <mailto:tisrael@cippic.ca>
>>>>>>> mailto:tisrael@cippic.ca]
>>>>>>> Sent: Friday, June 15, 2012 7:54 AM
>>>>>>> To: Shane Wiley
>>>>>>> Cc: Rigo Wenning;  <mailto:public-tracking@w3.org>
>>>>>>> public-tracking@w3.org;  <mailto:rob@blaeu.com> rob@blaeu.com; Kimon
>>>>>>> Zorbas;  <mailto:ifette@google.com> ifette@google.com; JC Cannon
>>>>>>> (Microsoft)
>>>>>>> Subject: Re: Identity providers as first parties
>>>>>>>  
>>>>>>> Shane --
>>>>>>>  
>>>>>>> The need for independent choice is critical, I think, to the out
>>>>>>> of band
>>>>>>> consent scheme. You shouldn't be able to force users out of their DNT
>>>>>>> choices as a condition of authentication.
>>>>>>>  
>>>>>>> Best,
>>>>>>> Tamir
>>>>>>>  
>>>>>>> On 6/15/2012 10:48 AM, Shane Wiley wrote:
>>>>>>> Rigo,
>>>>>>>  
>>>>>>> DNT will NEVER trump an out-of-band consent. The user would
>>>>>>> simply withdraw from using the service they had provided prior
>>>>>>> consent to. If the product would like to offer two levels of
>>>>>>> service, it can of course do that, but that would be completely
>>>>>>> outside the scope of DNT.
>>>>>>>  
>>>>>>> DNT is not the privacy silver bullet and answer to all privacy
>>>>>>> issues on the Internet - let's stop trying to push it in that
>>>>>>> direction.
>>>>>>>  
>>>>>>> Thank you,
>>>>>>> - Shane
>>>>>>>  
>>>>>>> -----Original Message-----
>>>>>>> From: Rigo Wenning [ <mailto:rigo@w3.org> mailto:rigo@w3.org]
>>>>>>> Sent: Friday, June 15, 2012 1:28 AM
>>>>>>> To:  <mailto:public-tracking@w3.org> public-tracking@w3.org
>>>>>>> Cc: Shane Wiley;  <mailto:rob@blaeu.com> rob@blaeu.com; Kimon Zorbas;
>>>>>>> <mailto:ifette@google.com> ifette@google.com;
>>>>>>> Tamir Israel; JC Cannon (Microsoft)
>>>>>>> Subject: Re: Identity providers as first parties
>>>>>>>  
>>>>>>> Shane, Kimon,
>>>>>>>  
>>>>>>> On Thursday 14 June 2012 16:47:03 Shane Wiley wrote:
>>>>>>> I’ve used a few others and they appears to do the same so I’m
>>>>>>> confused as to what real-world identity provider scenario someone
>>>>>>> is considering where consent wasn’t already obtained?
>>>>>>> I confirm that we agreed that the out-of-band agreement will trump
>>>>>>> the DNT:1 signal. We also agreed that the service has to signal this
>>>>>>> to the client.
>>>>>>>  
>>>>>>> I guess, what Rob is trying to achieve is to say, even in this
>>>>>>> context, a service could offer the choice of stopping to track and
>>>>>>> only use information for the login/authentication purpose. This
>>>>>>> could be the meaning of DNT:1 if the Service sends ACK in a
>>>>>>> login/authentication context. If you're looking for medical
>>>>>>> information in a login context, you don't want your login provider
>>>>>>> to spawn that to your insurance. I think this is a very legitimate
>>>>>>> use case. The service could say: "yes, I see your point" and send
>>>>>>> ACK instead of "out-of-band".
>>>>>>>  
>>>>>>> We are just defining switches. People will decide whether they
>>>>>>> switch stuff on or off or provide a switch at all.
>>>>>>>  
>>>>>>> Rigo
>>>>>>>  
>>>>>>> 
>>>>>>>  
>>>>>>>  
>>>>>>>  
>>>>>>>  
>>>>>>>  
>>>>>>>  
>>>>>>>  
>>>>>> 
>>>>> 
>>>> 
>>> 
>> 
> 
Received on Monday, 18 June 2012 16:50:09 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:30 UTC