Identity providers as first parties

This email is intended to satisfy ACTION-187 and ISSUE-99.

I propose adding to the compliance spec the following:

"If a site offers users the choice to log in with an identity provider, via
means such as OpenID, OAuth, or other conceptually similar mechanisms, the
identity provider is considered a first party for the current transactions
and subsequent transactions for which the user remains authenticated to the
site via the identity provider."

Clearly, when the user is logging in, there is a meaningful interaction with
what was previously a third-party widget, thus promoting it to a first
party. If all that's being provided is a userid, then the interaction is
basically over at that point. If more info is being provided from the
user's account (such as a friend list, a chat widget, or whatever), I think
one could still assume that the user made a meaningful interaction with
that party and thus the party is still a first party.

-Ian

Received on Wednesday, 13 June 2012 14:14:00 UTC