RE: Identity providers as first parties

DAA Opt-out and single sign-on are not related.  There are some implementations where the ID is needed beyond the authentication event and therefore data collection occurs outside of the initial authentication event.  Users do NOT need to choose Yahoo! as their ID provider if they feel uncomfortable with that outcome.

- Shane

-----Original Message-----
From: Tamir Israel [mailto:tisrael@cippic.ca] 
Sent: Friday, June 15, 2012 10:56 AM
To: Shane Wiley
Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
Subject: Re: Identity providers as first parties

Shane,

Maybe we are getting sidetracked.

Can you please explain the scope of tracking that results from using 
Yahoo!'s IdM mechanism? Does it mean you can track all my activities on 
the specific authenticated site? If so does this carry across multiple 
explicitly authenticated sites? Does it operate in a manner analogous to 
single sign-on? How does it interact with the existing DAA opt-out?

Thanks and best regards,
Tamir

On 6/15/2012 11:28 AM, Shane Wiley wrote:
> Tamir,
>
> Any service gets to determine its own primary purpose - so if OBA is the payment for the service and this is disclosed as a primary purpose, then that's the bargain the users can choose to consent to or not.
>
> - Shane
>
> -----Original Message-----
> From: Tamir Israel [mailto:tisrael@cippic.ca]
> Sent: Friday, June 15, 2012 8:21 AM
> To: Shane Wiley
> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
> Subject: Re: Identity providers as first parties
>
> Shane --
>
> There are 2 questions here. One is whether you can bundle in the
> obligation to consent to secondary purposes as a condition of
> authentication in an IdM context. The primary service in an IdM context
> is authentication, not OBA.
>
> The second is to what extent the DNT spec should address this. I took
> the 'independent choice' out of band consent criteria as an attempt to
> prevent bundling of choices.
>
> Best,
> Tamir
>
> On 6/15/2012 11:06 AM, Shane Wiley wrote:
>> Tamir,
>>
>> But in the use case we're discussing the service being provided is the primary purpose - a user's online identity.  A service determines its primary purpose, discloses this to the user, user consents.  Case closed.
>>
>> - Shane
>>
>> -----Original Message-----
>> From: Tamir Israel [mailto:tisrael@cippic.ca]
>> Sent: Friday, June 15, 2012 8:02 AM
>> To: Shane Wiley
>> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
>> Subject: Re: Identity providers as first parties
>>
>> Shane, I disagree. Under PIPEDA you should offer users the possibility
>> of opting out of collection, use or disclosure for purposes secondary to
>> the primary service being offered.
>>
>> This is the basis of the opt-out consent scheme being applied to online
>> tracking.
>>
>> Best,
>> Tamir
>>
>> On 6/15/2012 10:58 AM, Shane Wiley wrote:
>>> Tamir,
>>>
>>> I disagree and PIPEDA does as well.  As long as you're clear to a user what a service provides and a user expressly consents to those practices, the discussion is over.
>>>
>>> Please don't try to raise CA regulatory schemes into conversations on one hand then completely reverse your stance at whim - this seriously undermines your credibility.
>>>
>>> - Shane
>>>
>>> -----Original Message-----
>>> From: Tamir Israel [mailto:tisrael@cippic.ca]
>>> Sent: Friday, June 15, 2012 7:54 AM
>>> To: Shane Wiley
>>> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
>>> Subject: Re: Identity providers as first parties
>>>
>>> Shane --
>>>
>>> The need for independent choice is critical, I think, to the out of band
>>> consent scheme. You shouldn't be able to force users out of their DNT
>>> choices as a condition of authentication.
>>>
>>> Best,
>>> Tamir
>>>
>>> On 6/15/2012 10:48 AM, Shane Wiley wrote:
>>>> Rigo,
>>>>
>>>> DNT will NEVER trump an out-of-band consent.  The user would simply withdraw from using the service they had provided prior consent to.  If the product would like to offer two levels of service, it can of course do that, but that would be completely outside the scope of DNT.
>>>>
>>>> DNT is not the privacy silver bullet and answer to all privacy issues on the Internet - let's stop trying to push it in that direction.
>>>>
>>>> Thank you,
>>>> - Shane
>>>>
>>>> -----Original Message-----
>>>> From: Rigo Wenning [mailto:rigo@w3.org]
>>>> Sent: Friday, June 15, 2012 1:28 AM
>>>> To: public-tracking@w3.org
>>>> Cc: Shane Wiley; rob@blaeu.com; Kimon Zorbas; ifette@google.com; Tamir Israel; JC Cannon (Microsoft)
>>>> Subject: Re: Identity providers as first parties
>>>>
>>>> Shane, Kimon,
>>>>
>>>> On Thursday 14 June 2012 16:47:03 Shane Wiley wrote:
>>>>> I’ve used a few others and they appear to do the same so I’m
>>>>> confused as to what real-world identity provider scenario someone
>>>>> is considering where consent wasn’t already obtained?
>>>> I confirm that we agreed that the out-of-band agreement will trump
>>>> the DNT:1 signal. We also agreed that the service has to signal this
>>>> to the client.
>>>>
>>>> I guess, what Rob is trying to achieve is to say, even in this
>>>> context, a service could offer the choice to stop tracking and
>>>> only use information for the login/authentication purpose. This
>>>> could be the meaning of DNT:1 if the Service sends ACK in a
>>>> login/authentication context. If you're looking for medical
>>>> information in a login context, you don't want your login provider
>>>> to spawn that to your insurance. I think this is a very legitimate
>>>> use case. The service could say: "yes, I see your point" and send
>>>> ACK instead of "out-of-band".
>>>>
>>>> We are just defining switches. People will decide whether they
>>>> switch stuff on or off or provide a switch at all.
>>>>
>>>> Rigo

Received on Friday, 15 June 2012 18:07:56 UTC