RE: Identity providers as first parties

Tamir,

Out-of-band consent trumps DNT.  We've been repeating this mantra for over a year now - becoming repetitive.

- Shane

-----Original Message-----
From: Tamir Israel [mailto:tisrael@cippic.ca] 
Sent: Saturday, June 16, 2012 5:23 PM
To: Shane Wiley
Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
Subject: Re: Identity providers as first parties

Shane --

Just so we're really clear: if a user authenticates with Yahoo! on site 
A and controls preferences on that site, does the out-of-band consent 
dialogue Jonathan showed invalidate DNT:1 on site A? In general?

Best,
Tamir

On 6/15/2012 11:29 PM, Tamir Israel wrote:
> Ok.
>
> On 6/15/2012 2:07 PM, Shane Wiley wrote:
>> DAA opt-out and single sign-on are not related.  There are some 
>> implementations where the ID is needed beyond the authentication 
>> event and therefore data collection occurs outside of the initial 
>> authentication event.  Users do NOT need to choose Yahoo! as their ID 
>> provider if they feel uncomfortable with that outcome.
>>
>> - Shane
>>
>> -----Original Message-----
>> From: Tamir Israel [mailto:tisrael@cippic.ca]
>> Sent: Friday, June 15, 2012 10:56 AM
>> To: Shane Wiley
>> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon 
>> Zorbas; ifette@google.com; JC Cannon (Microsoft)
>> Subject: Re: Identity providers as first parties
>>
>> Shane,
>>
>> Maybe we are getting sidetracked.
>>
>> Can you please explain the scope of tracking that results from using
>> Yahoo!'s IdM mechanism? Does it mean you can track all my activities on
>> the specific authenticated site? If so does this carry across multiple
>> explicitly authenticated sites? Does it operate in a manner analogous to
>> single sign-on? How does it interact with the existing DAA opt-out?
>>
>> Thanks and best regards,
>> Tamir
>>
>> On 6/15/2012 11:28 AM, Shane Wiley wrote:
>>> Tamir,
>>>
>>> Any service gets to determine its own primary purpose - so if OBA is 
>>> the payment for the service and this is disclosed as a primary 
>>> purpose, then that's the bargain the users can choose to consent to 
>>> or not.
>>>
>>> - Shane
>>>
>>> -----Original Message-----
>>> From: Tamir Israel [mailto:tisrael@cippic.ca]
>>> Sent: Friday, June 15, 2012 8:21 AM
>>> To: Shane Wiley
>>> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon 
>>> Zorbas; ifette@google.com; JC Cannon (Microsoft)
>>> Subject: Re: Identity providers as first parties
>>>
>>> Shane --
>>>
>>> There are 2 questions here. One is whether you can bundle in the
>>> obligation to consent to secondary purposes as a condition of
>>> authentication in an IdM context. The primary service in an IdM context
>>> is authentication, not OBA.
>>>
>>> The second is to what extent the DNT spec should address this. I took
>>> the 'independent choice' out-of-band consent criterion as an attempt to
>>> prevent bundling of choices.
>>>
>>> Best,
>>> Tamir
>>>
>>> On 6/15/2012 11:06 AM, Shane Wiley wrote:
>>>> Tamir,
>>>>
>>>> But in the use case we're discussing the service being provided is 
>>>> the primary purpose - a user's online identity.  A service 
>>>> determines its primary purpose, discloses this to the user, user 
>>>> consents.  Case closed.
>>>>
>>>> - Shane
>>>>
>>>> -----Original Message-----
>>>> From: Tamir Israel [mailto:tisrael@cippic.ca]
>>>> Sent: Friday, June 15, 2012 8:02 AM
>>>> To: Shane Wiley
>>>> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon 
>>>> Zorbas; ifette@google.com; JC Cannon (Microsoft)
>>>> Subject: Re: Identity providers as first parties
>>>>
>>>> Shane, I disagree. Under PIPEDA you should offer users the possibility
>>>> of opting out of collection, use or disclosure for purposes secondary
>>>> to the primary service being offered.
>>>>
>>>> This is the basis of the opt-out consent scheme being applied to
>>>> online tracking.
>>>>
>>>> Best,
>>>> Tamir
>>>>
>>>> On 6/15/2012 10:58 AM, Shane Wiley wrote:
>>>>> Tamir,
>>>>>
>>>>> I disagree and PIPEDA does as well.  As long as you're clear to a 
>>>>> user what a service provides and a user expressly consents to 
>>>>> those practices, the discussion is over.
>>>>>
>>>>> Please don't try to raise CA regulatory schemes into conversations 
>>>>> on one hand then completely reverse your stance at whim - this 
>>>>> seriously undermines your credibility.
>>>>>
>>>>> - Shane
>>>>>
>>>>> -----Original Message-----
>>>>> From: Tamir Israel [mailto:tisrael@cippic.ca]
>>>>> Sent: Friday, June 15, 2012 7:54 AM
>>>>> To: Shane Wiley
>>>>> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon 
>>>>> Zorbas; ifette@google.com; JC Cannon (Microsoft)
>>>>> Subject: Re: Identity providers as first parties
>>>>>
>>>>> Shane --
>>>>>
>>>>> The need for independent choice is critical, I think, to the
>>>>> out-of-band consent scheme. You shouldn't be able to force users
>>>>> out of their DNT choices as a condition of authentication.
>>>>>
>>>>> Best,
>>>>> Tamir
>>>>>
>>>>> On 6/15/2012 10:48 AM, Shane Wiley wrote:
>>>>>> Rigo,
>>>>>>
>>>>>> DNT will NEVER trump an out-of-band consent.  The user would 
>>>>>> simply withdraw from using the service they had provided prior 
>>>>>> consent to.  If the product would like to offer two levels of 
>>>>>> service, it can of course do that, but that would be completely 
>>>>>> outside the scope of DNT.
>>>>>>
>>>>>> DNT is not the privacy silver bullet and answer to all privacy 
>>>>>> issues on the Internet - let's stop trying to push it in that 
>>>>>> direction.
>>>>>>
>>>>>> Thank you,
>>>>>> - Shane
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Rigo Wenning [mailto:rigo@w3.org]
>>>>>> Sent: Friday, June 15, 2012 1:28 AM
>>>>>> To: public-tracking@w3.org
>>>>>> Cc: Shane Wiley; rob@blaeu.com; Kimon Zorbas; ifette@google.com; 
>>>>>> Tamir Israel; JC Cannon (Microsoft)
>>>>>> Subject: Re: Identity providers as first parties
>>>>>>
>>>>>> Shane, Kimon,
>>>>>>
>>>>>> On Thursday 14 June 2012 16:47:03 Shane Wiley wrote:
>>>>>>> I've used a few others and they appear to do the same so I'm
>>>>>>> confused as to what real-world identity provider scenario someone
>>>>>>> is considering where consent wasn't already obtained?
>>>>>> I confirm that we agreed that the out-of-band agreement will trump
>>>>>> the DNT:1 signal. We also agreed that the service has to signal this
>>>>>> to the client.
>>>>>>
>>>>>> I guess what Rob is trying to achieve is to say that, even in this
>>>>>> context, a service could offer the choice to stop tracking and
>>>>>> only use information for the login/authentication purpose. This
>>>>>> could be the meaning of DNT:1 if the service sends ACK in a
>>>>>> login/authentication context. If you're looking for medical
>>>>>> information in a login context, you don't want your login provider
>>>>>> to spawn that to your insurance. I think this is a very legitimate
>>>>>> use case. The service could say: "yes, I see your point" and send
>>>>>> ACK instead of "out-of-band".
>>>>>>
>>>>>> We are just defining switches. People will decide whether they
>>>>>> switch stuff on or off or provide a switch at all.
>>>>>>
>>>>>> Rigo

Received on Sunday, 17 June 2012 19:12:12 UTC