- From: Tamir Israel <tisrael@cippic.ca>
- Date: Sat, 16 Jun 2012 20:23:03 -0400
- To: Shane Wiley <wileys@yahoo-inc.com>
- CC: Rigo Wenning <rigo@w3.org>, "public-tracking@w3.org" <public-tracking@w3.org>, "rob@blaeu.com" <rob@blaeu.com>, Kimon Zorbas <vp@iabeurope.eu>, "ifette@google.com" <ifette@google.com>, "JC Cannon (Microsoft)" <jccannon@microsoft.com>
Shane -- Just so we're really clear: if a user authenticates with Yahoo! on site A and controls preferences on that site, does the out of band consent dialogue Jonathan showed invalidate DNT-1: on site A? in general? Best, Tamir On 6/15/2012 11:29 PM, Tamir Israel wrote: > Ok. > > On 6/15/2012 2:07 PM, Shane Wiley wrote: >> DAA Opt-out and single-sign on are not related. There are some >> implementations where the ID is needed beyond the authentication >> event and therefore data collection occurs outside of the initial >> authentication event. Users do NOT need to choose Yahoo! as their ID >> provider if they feel uncomfortable with that outcome. >> >> - Shane >> >> -----Original Message----- >> From: Tamir Israel [mailto:tisrael@cippic.ca] >> Sent: Friday, June 15, 2012 10:56 AM >> To: Shane Wiley >> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon >> Zorbas; ifette@google.com; JC Cannon (Microsoft) >> Subject: Re: Identity providers as first parties >> >> Shane, >> >> Maybe we are getting sidetracked. >> >> Can you please explain the scope of tracking that results from using >> Yahoo!'s IdM mechanism? Does it mean you can track all my activities on >> the specific authenticated site? If so does this carry across multiple >> explicitly authenticated sites? Does it operate in a manner analogous to >> single sign-on? How does it interact with the existing DAA opt-out? >> >> Thanks and best regards, >> Tamir >> >> On 6/15/2012 11:28 AM, Shane Wiley wrote: >>> Tamir, >>> >>> Any service gets to determine its own primary purpose - so if OBA is >>> the payment for the service and this is disclosed as a primary >>> purpose, then that's the bargain the users can choose to consent to >>> or not. >>> >>> - Shane >>> >>> -----Original Message----- >>> From: Tamir Israel [mailto:tisrael@cippic.ca] >>> Sent: Friday, June 15, 2012 8:21 AM >>> To: Shane Wiley >>> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon >>> Zorbas; ifette@google.com; JC Cannon (Microsoft) >>> Subject: Re: Identity providers as first parties >>> >>> Shane -- >>> >>> There are 2 questions here. One is whether you can bundle in the >>> obligation to consent to secondary purposes as a condition of >>> authentication in an IdM context. The primary service in an IdM context >>> is authentication, not OBA. >>> >>> The second is to what extent the DNT spec should address this. I took >>> the 'independent choice' out of band consent criteria as an attempt to >>> prevent bundling of choices. >>> >>> Best, >>> Tamir >>> >>> On 6/15/2012 11:06 AM, Shane Wiley wrote: >>>> Tamir, >>>> >>>> But in the use case we're discussing the service being provided is >>>> the primary purpose - a user's online identity. A service >>>> determines its primary purpose, discloses this to the user, user >>>> consents. Case closed. >>>> >>>> - Shane >>>> >>>> -----Original Message----- >>>> From: Tamir Israel [mailto:tisrael@cippic.ca] >>>> Sent: Friday, June 15, 2012 8:02 AM >>>> To: Shane Wiley >>>> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon >>>> Zorbas; ifette@google.com; JC Cannon (Microsoft) >>>> Subject: Re: Identity providers as first parties >>>> >>>> Shane, I disagree. Under PIPEDA you should offer users the possibility >>>> of opting out of collection, use or disclosure for purposes >>>> secondary to >>>> the primary service being offered. >>>> >>>> This is the basis of the opt-out consent scheme being applied to >>>> online >>>> tracking. >>>> >>>> Best, >>>> Tamir >>>> >>>> On 6/15/2012 10:58 AM, Shane Wiley wrote: >>>>> Tamir, >>>>> >>>>> I disagree and PIPEDA does as well. As long as you're clear to a >>>>> user what a service provides and a user expressly consents to >>>>> those practices, the discussion is over. >>>>> >>>>> Please don't try to raise CA regulatory schemes into conversations >>>>> on one hand then completely reverse your stance at whim - this >>>>> seriously undermines your credibility. >>>>> >>>>> - Shane >>>>> >>>>> -----Original Message----- >>>>> From: Tamir Israel [mailto:tisrael@cippic.ca] >>>>> Sent: Friday, June 15, 2012 7:54 AM >>>>> To: Shane Wiley >>>>> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon >>>>> Zorbas; ifette@google.com; JC Cannon (Microsoft) >>>>> Subject: Re: Identity providers as first parties >>>>> >>>>> Shane -- >>>>> >>>>> The need for independent choice is critical, I think, to the out >>>>> of band >>>>> consent scheme. You shouldn't be able to force users out of their DNT >>>>> choices as a condition of authentication. >>>>> >>>>> Best, >>>>> Tamir >>>>> >>>>> On 6/15/2012 10:48 AM, Shane Wiley wrote: >>>>>> Rigo, >>>>>> >>>>>> DNT will NEVER trump an out-of-band consent. The user would >>>>>> simply withdraw from using the service they had provided prior >>>>>> consent to. If the product would like to offer two levels of >>>>>> service, it can of course do that, but that would be completely >>>>>> outside the scope of DNT. >>>>>> >>>>>> DNT is not the privacy silver bullet and answer to all privacy >>>>>> issues on the Internet - let's stop trying to push it in that >>>>>> direction. >>>>>> >>>>>> Thank you, >>>>>> - Shane >>>>>> >>>>>> -----Original Message----- >>>>>> From: Rigo Wenning [mailto:rigo@w3.org] >>>>>> Sent: Friday, June 15, 2012 1:28 AM >>>>>> To: public-tracking@w3.org >>>>>> Cc: Shane Wiley; rob@blaeu.com; Kimon Zorbas; ifette@google.com; >>>>>> Tamir Israel; JC Cannon (Microsoft) >>>>>> Subject: Re: Identity providers as first parties >>>>>> >>>>>> Shane, Kimon, >>>>>> >>>>>> On Thursday 14 June 2012 16:47:03 Shane Wiley wrote: >>>>>>> I’ve used a few others and they appears to do the same so I’m >>>>>>> confused as to what real-world identity provider scenario someone >>>>>>> is considering where consent wasn’t already obtained? >>>>>> I confirm that we agreed that the out-of-band agreement will trump >>>>>> the DNT:1 signal. We also agreed that the service has to signal this >>>>>> to the client. >>>>>> >>>>>> I guess, what Rob is trying to achieve is to say, even in this >>>>>> context, a service could offer the choice of stopping to track and >>>>>> only use information for the login/authentication purpose. This >>>>>> could be the meaning of DNT:1 if the Service sends ACK in a >>>>>> login/authentication context. If you're looking for medical >>>>>> information in a login context, you don't want your login provider >>>>>> to spawn that to your insurance. I think this is a very legitimate >>>>>> use case. The service could say: "yes, I see your point" and send >>>>>> ACK instead of "out-of-band". >>>>>> >>>>>> We are just defining switches. People will decide whether they >>>>>> switch stuff on or off or provide a switch at all. >>>>>> >>>>>> Rigo >
Received on Sunday, 17 June 2012 00:24:09 UTC