
Re: Identity providers as first parties

From: Heather West <heatherwest@google.com>
Date: Mon, 18 Jun 2012 13:44:22 -0400
Message-ID: <CA+Z3oOaz4HnjPbYRX8=u2qQ5_QMyc_ko7wEijx=JTr+1g5u3oA@mail.gmail.com>
To: Jonathan Mayer <jmayer@stanford.edu>
Cc: Shane Wiley <wileys@yahoo-inc.com>, Tamir Israel <tisrael@cippic.ca>, Rigo Wenning <rigo@w3.org>, "public-tracking@w3.org" <public-tracking@w3.org>, "rob@blaeu.com" <rob@blaeu.com>, Kimon Zorbas <vp@iabeurope.eu>, "ifette@google.com" <ifette@google.com>, "JC Cannon (Microsoft)" <jccannon@microsoft.com>
Jonathan, as someone who has provided feedback on the proposal via EFF, I
can say that while I suggested edits that would, IMHO, move it closer to
the compromise position, giving feedback does not mean that an entity is
supportive - just to clarify. I believe others are in the same position.
Would be interested to know who is supportive, though I suppose we find out
in Seattle.

On Sun, Jun 17, 2012 at 5:51 PM, Jonathan Mayer <jmayer@stanford.edu> wrote:

>  Shane,
>
> As I explained in my initial note:
>
> We have received valuable feedback from a number of participant
> viewpoints, including browser vendors, advertising companies, analytics
> services, social networks, policymakers, consumer groups, and researchers.
>  Out of respect for the candid nature of those ongoing conversations, we
> leave it to stakeholders to volunteer their contributions to and views on
> this proposal.
>
> I would add that more than one advertising company expressed concern about
> possible retaliation if they broke away from the industry trade groups.
>  I'll leave it to regulators to decide if the industry's practices
> constitute unfair competition.
>
> Jonathan
>
>  On Sunday, June 17, 2012 at 1:51 PM, Shane Wiley wrote:
>
> Jonathan,
>
> Continue to disagree (on many levels).  Could you please name those in the
> online advertising industry that are supportive of the proposal you shared
> with the WG?
>
> Thank you,
>
> - Shane
>
> *From:* Jonathan Mayer [mailto:jmayer@stanford.edu]
> *Sent:* Sunday, June 17, 2012 1:42 PM
> *To:* Shane Wiley
> *Cc:* Tamir Israel; Rigo Wenning; public-tracking@w3.org; rob@blaeu.com;
> Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
> *Subject:* Re: Identity providers as first parties
>
> Shane,
>
> You and Roy have been vocal in your objections to the EFF/Mozilla/Stanford
> compromise proposal. I'm disappointed, though given your inflexibility
> throughout this process, entirely unsurprised.
>
> That said, you do not speak for the online advertising industry. Many
> companies have been more willing to countenance constructive compromise.
> Your conclusion that advertising industry participants have "mostly
> rejected" the proposal is inaccurate.
>
> Jonathan
>
> On Sunday, June 17, 2012 at 12:26 PM, Shane Wiley wrote:
>
> Tamir,
>
> Jonathan's proposal does attempt to address this point but many in the
> room feel this should be left to local law. Justin Brookman and I took a
> pass at this language but it shifted to becoming overly prescriptive
> (legislating via tech standard) so many in the WG asked for local law to
> determine.
>
> I would suggest this conversation be extracted from Jonathan's proposal to
> be handled separately as the rest of the proposal has been mostly rejected by
> those in the WG that are intended to implement DNT in the real-world (on
> the 1st party/3rd party side).
>
> More to come in Seattle...
>
> - Shane
>
> -----Original Message-----
> From: Tamir Israel [mailto:tisrael@cippic.ca]
> Sent: Sunday, June 17, 2012 12:19 PM
> To: Shane Wiley
> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas;
> ifette@google.com; JC Cannon (Microsoft)
> Subject: Re: Identity providers as first parties
>
> Shane -- I am not remotely attempting to do so.
>
> As far back as I can see, the spec was going to put conditions on the
> means by which out of band consent can be sought.
>
> Jonathan et al's proposal is:
>
> 1. Actual presentation: The choice mechanism MUST be actually presented
> to the user. It MUST NOT be on a linked page, such as a terms of service
> or privacy policy.
> 2. Clear terms: The choice mechanism MUST use clear, non-confusing
> terminology.
> 3. Independent choice: The choice mechanism MUST be presented
> independent of other choices. It MUST NOT be bundled with other user
> preferences.
> 4. No default permission: The choice mechanism MUST NOT have the user
> permission preference selected by default.
>
> On 6/17/2012 3:16 PM, Shane Wiley wrote:
>
> Tamir,
>
> That's up to local laws to determine. Please do not attempt to legislate
> via W3C tech standard.
>
> - Shane
>
> -----Original Message-----
> From: Tamir Israel [mailto:tisrael@cippic.ca]
> Sent: Sunday, June 17, 2012 12:14 PM
> To: Shane Wiley
> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas;
> ifette@google.com; JC Cannon (Microsoft)
> Subject: Re: Identity providers as first parties
>
> Shane -- Out of band consent *does* trump DNT-1. We are now trying to
> define the parameters by which out of band consent can be sought.
>
> Best,
> Tamir
>
> On 6/17/2012 3:11 PM, Shane Wiley wrote:
>
> Tamir,
>
> Out-of-band consent trumps DNT. We've been repeating this mantra for over
> a year now - becoming repetitive.
>
> - Shane
>
> -----Original Message-----
> From: Tamir Israel [mailto:tisrael@cippic.ca]
> Sent: Saturday, June 16, 2012 5:23 PM
> To: Shane Wiley
> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas;
> ifette@google.com; JC Cannon (Microsoft)
> Subject: Re: Identity providers as first parties
>
> Shane --
>
> Just so we're really clear: if a user authenticates with Yahoo! on site
> A and controls preferences on that site, does the out of band consent
> dialogue Jonathan showed invalidate DNT-1: on site A? in general?
>
> Best,
> Tamir
>
> On 6/15/2012 11:29 PM, Tamir Israel wrote:
>
> Ok.
>
> On 6/15/2012 2:07 PM, Shane Wiley wrote:
>
> DAA Opt-out and single-sign on are not related. There are some
> implementations where the ID is needed beyond the authentication
> event and therefore data collection occurs outside of the initial
> authentication event. Users do NOT need to choose Yahoo! as their ID
> provider if they feel uncomfortable with that outcome.
>
> - Shane
>
> -----Original Message-----
> From: Tamir Israel [mailto:tisrael@cippic.ca]
> Sent: Friday, June 15, 2012 10:56 AM
> To: Shane Wiley
> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon
> Zorbas; ifette@google.com; JC Cannon (Microsoft)
> Subject: Re: Identity providers as first parties
>
> Shane,
>
> Maybe we are getting sidetracked.
>
> Can you please explain the scope of tracking that results from using
> Yahoo!'s IdM mechanism? Does it mean you can track all my activities on
> the specific authenticated site? If so does this carry across multiple
> explicitly authenticated sites? Does it operate in a manner analogous to
> single sign-on? How does it interact with the existing DAA opt-out?
>
> Thanks and best regards,
> Tamir
>
> On 6/15/2012 11:28 AM, Shane Wiley wrote:
>
> Tamir,
>
> Any service gets to determine its own primary purpose - so if OBA is
> the payment for the service and this is disclosed as a primary
> purpose, then that's the bargain the users can choose to consent to
> or not.
>
> - Shane
>
> -----Original Message-----
> From: Tamir Israel [mailto:tisrael@cippic.ca]
> Sent: Friday, June 15, 2012 8:21 AM
> To: Shane Wiley
> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon
> Zorbas; ifette@google.com; JC Cannon (Microsoft)
> Subject: Re: Identity providers as first parties
>
> Shane --
>
> There are 2 questions here. One is whether you can bundle in the
> obligation to consent to secondary purposes as a condition of
> authentication in an IdM context. The primary service in an IdM context
> is authentication, not OBA.
>
> The second is to what extent the DNT spec should address this. I took
> the 'independent choice' out of band consent criteria as an attempt to
> prevent bundling of choices.
>
> Best,
> Tamir
>
> On 6/15/2012 11:06 AM, Shane Wiley wrote:
>
> Tamir,
>
> But in the use case we're discussing the service being provided is
> the primary purpose - a user's online identity. A service
> determines its primary purpose, discloses this to the user, user
> consents. Case closed.
>
> - Shane
>
> -----Original Message-----
> From: Tamir Israel [mailto:tisrael@cippic.ca]
> Sent: Friday, June 15, 2012 8:02 AM
> To: Shane Wiley
> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon
> Zorbas; ifette@google.com; JC Cannon (Microsoft)
> Subject: Re: Identity providers as first parties
>
> Shane, I disagree. Under PIPEDA you should offer users the possibility
> of opting out of collection, use or disclosure for purposes
> secondary to the primary service being offered.
>
> This is the basis of the opt-out consent scheme being applied to
> online tracking.
>
> Best,
> Tamir
>
> On 6/15/2012 10:58 AM, Shane Wiley wrote:
>
> Tamir,
>
> I disagree and PIPEDA does as well. As long as you're clear to a
> user what a service provides and a user expressly consents to
> those practices, the discussion is over.
>
> Please don't try to raise CA regulatory schemes into conversations
> on one hand then completely reverse your stance at whim - this
> seriously undermines your credibility.
>
> - Shane
>
> -----Original Message-----
> From: Tamir Israel [mailto:tisrael@cippic.ca]
> Sent: Friday, June 15, 2012 7:54 AM
> To: Shane Wiley
> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon
> Zorbas; ifette@google.com; JC Cannon (Microsoft)
> Subject: Re: Identity providers as first parties
>
> Shane --
>
> The need for independent choice is critical, I think, to the out
> of band consent scheme. You shouldn't be able to force users out of their DNT
> choices as a condition of authentication.
>
> Best,
> Tamir
>
> On 6/15/2012 10:48 AM, Shane Wiley wrote:
>
> Rigo,
>
> DNT will NEVER trump an out-of-band consent. The user would
> simply withdraw from using the service they had provided prior
> consent to. If the product would like to offer two levels of
> service, it can of course do that, but that would be completely
> outside the scope of DNT.
>
> DNT is not the privacy silver bullet and answer to all privacy
> issues on the Internet - let's stop trying to push it in that
> direction.
>
> Thank you,
> - Shane
>
> -----Original Message-----
> From: Rigo Wenning [mailto:rigo@w3.org]
> Sent: Friday, June 15, 2012 1:28 AM
> To: public-tracking@w3.org
> Cc: Shane Wiley; rob@blaeu.com; Kimon Zorbas; ifette@google.com;
> Tamir Israel; JC Cannon (Microsoft)
> Subject: Re: Identity providers as first parties
>
> Shane, Kimon,
>
> On Thursday 14 June 2012 16:47:03 Shane Wiley wrote:
>
> I've used a few others and they appear to do the same so I'm
> confused as to what real-world identity provider scenario someone
> is considering where consent wasn't already obtained?
>
> I confirm that we agreed that the out-of-band agreement will trump
> the DNT:1 signal. We also agreed that the service has to signal this
> to the client.
>
> I guess, what Rob is trying to achieve is to say, even in this
> context, a service could offer the choice of stopping to track and
> only use information for the login/authentication purpose. This
> could be the meaning of DNT:1 if the Service sends ACK in a
> login/authentication context. If you're looking for medical
> information in a login context, you don't want your login provider
> to spawn that to your insurance. I think this is a very legitimate
> use case. The service could say: "yes, I see your point" and send
> ACK instead of "out-of-band".
>
> We are just defining switches. People will decide whether they
> switch stuff on or off or provide a switch at all.
>
> Rigo


-- 

Heather West | Google Policy | heatherwest@google.com | 202-643-6381
Received on Monday, 18 June 2012 17:45:14 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:30 UTC