RE: Issue-17, Issue-51 First party obligations

Karl,

Company size and differentiation in services are far outside the scope of this group.  I appreciate the continued attempts to solve all privacy concerns in a single pass within this group but I will continue to urge the working group back to the core issues we're attempting to solve (not whether the introduction of new services or acquisition modify/nullify the 1st party state).

I agree that OpenAuth/ID should NOT be equated to a 1st party protection (outside of the party being able to record that a login event occurred).  It's this more core issue I believe you're attempting to dive into and I hope we all agree that if www.examplecompany.com leverages the Yahoo! OpenAuth structure to provide authentication services that does NOT mean that Yahoo! can now somehow track a user's activities on www.examplecompany.com under a 1st party protection (irrespective if a DNT signal is present, but definitely not if it is).

- Shane

-----Original Message-----
From: Karl Dubost [mailto:karld@opera.com] 
Sent: Wednesday, November 30, 2011 11:11 AM
To: Shane Wiley
Cc: John Simpson; JC Cannon; <public-tracking@w3.org> (public-tracking@w3.org)
Subject: Re: Issue-17, Issue-51 First party obligations


On 30 Nov 2011, at 10:47, Shane Wiley wrote:
> I agree this is a more complex use case when we look at OpenAuth and OpenID scenarios but generally I believe a user logged into their Yahoo! account and engaging with a Yahoo! service (News) understands that Yahoo! is collecting data.  Do you disagree?



A company starts with a small, very precise service.
Users have different accounts on different sites. 
Then this company starts to buy all these small services.
What was once my eggs in different baskets, segmenting my life 
(for a good purpose), suddenly ends up in one big bag. I 
then have two choices. 

* Closing my account (with the hope that the data will be erased)
* Accepting to give up the separation of buckets.

I think we can do better for users. It is important.

1. Flickr started as a Canadian company in Vancouver (in fact Ludicorp)
2. Flickr was bought by Yahoo!, keeping the login systems separate
3. Then one day, Yahoo! decided to impose the same login on Flickr users.

I can perfectly imagine that a company is offering different 
types of Web services without necessarily tracking users across 
all its properties. In the case of Yahoo!, Microsoft, and 
Google, who have a giant maze of Web services, the 1st party/3rd 
party distinction doesn't make sense anymore, because all 
services have been integrated in one giant thing.

:) I do not see then how DNT: 1 is of any use to users.


> How would you suggest this works when logged into Facebook?  Twitter?  Gmail?  Etc.?


I think that an identity provider is a nice system for helping 
developers create a smooth experience across sites, but when 
these systems are used as a Trojan horse for tracking users across 
sites and services (not talking about brand here), I *personally* 
think we cross a line, which is no good for users.


-- 
Karl Dubost - http://dev.opera.com/
Developer Relations & Tools, Opera Software

Received on Wednesday, 30 November 2011 16:20:58 UTC