- From: Tamir Israel <tisrael@cippic.ca>
- Date: Sun, 17 Jun 2012 15:13:31 -0400
- To: Shane Wiley <wileys@yahoo-inc.com>
- CC: Rigo Wenning <rigo@w3.org>, "public-tracking@w3.org" <public-tracking@w3.org>, "rob@blaeu.com" <rob@blaeu.com>, Kimon Zorbas <vp@iabeurope.eu>, "ifette@google.com" <ifette@google.com>, "JC Cannon (Microsoft)" <jccannon@microsoft.com>
Shane --

Out of band consent *does* trump DNT-1. We are now trying to define the parameters by which out of band consent can be sought.

Best,
Tamir

On 6/17/2012 3:11 PM, Shane Wiley wrote:
> Tamir,
>
> Out-of-band consent trumps DNT. We've been repeating this mantra for over a year now - becoming repetitive.
>
> - Shane
>
> -----Original Message-----
> From: Tamir Israel [mailto:tisrael@cippic.ca]
> Sent: Saturday, June 16, 2012 5:23 PM
> To: Shane Wiley
> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
> Subject: Re: Identity providers as first parties
>
> Shane --
>
> Just so we're really clear: if a user authenticates with Yahoo! on site A and controls preferences on that site, does the out of band consent dialogue Jonathan showed invalidate DNT-1: on site A? in general?
>
> Best,
> Tamir
>
> On 6/15/2012 11:29 PM, Tamir Israel wrote:
>> Ok.
>>
>> On 6/15/2012 2:07 PM, Shane Wiley wrote:
>>> DAA Opt-out and single sign-on are not related. There are some implementations where the ID is needed beyond the authentication event and therefore data collection occurs outside of the initial authentication event. Users do NOT need to choose Yahoo! as their ID provider if they feel uncomfortable with that outcome.
>>>
>>> - Shane
>>>
>>> -----Original Message-----
>>> From: Tamir Israel [mailto:tisrael@cippic.ca]
>>> Sent: Friday, June 15, 2012 10:56 AM
>>> To: Shane Wiley
>>> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
>>> Subject: Re: Identity providers as first parties
>>>
>>> Shane,
>>>
>>> Maybe we are getting sidetracked.
>>>
>>> Can you please explain the scope of tracking that results from using Yahoo!'s IdM mechanism? Does it mean you can track all my activities on the specific authenticated site? If so, does this carry across multiple explicitly authenticated sites? Does it operate in a manner analogous to single sign-on? How does it interact with the existing DAA opt-out?
>>>
>>> Thanks and best regards,
>>> Tamir
>>>
>>> On 6/15/2012 11:28 AM, Shane Wiley wrote:
>>>> Tamir,
>>>>
>>>> Any service gets to determine its own primary purpose - so if OBA is the payment for the service and this is disclosed as a primary purpose, then that's the bargain the users can choose to consent to or not.
>>>>
>>>> - Shane
>>>>
>>>> -----Original Message-----
>>>> From: Tamir Israel [mailto:tisrael@cippic.ca]
>>>> Sent: Friday, June 15, 2012 8:21 AM
>>>> To: Shane Wiley
>>>> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
>>>> Subject: Re: Identity providers as first parties
>>>>
>>>> Shane --
>>>>
>>>> There are 2 questions here. One is whether you can bundle in the obligation to consent to secondary purposes as a condition of authentication in an IdM context. The primary service in an IdM context is authentication, not OBA.
>>>>
>>>> The second is to what extent the DNT spec should address this. I took the 'independent choice' out of band consent criteria as an attempt to prevent bundling of choices.
>>>>
>>>> Best,
>>>> Tamir
>>>>
>>>> On 6/15/2012 11:06 AM, Shane Wiley wrote:
>>>>> Tamir,
>>>>>
>>>>> But in the use case we're discussing, the service being provided is the primary purpose - a user's online identity. A service determines its primary purpose, discloses this to the user, user consents. Case closed.
>>>>>
>>>>> - Shane
>>>>>
>>>>> -----Original Message-----
>>>>> From: Tamir Israel [mailto:tisrael@cippic.ca]
>>>>> Sent: Friday, June 15, 2012 8:02 AM
>>>>> To: Shane Wiley
>>>>> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
>>>>> Subject: Re: Identity providers as first parties
>>>>>
>>>>> Shane, I disagree. Under PIPEDA you should offer users the possibility of opting out of collection, use or disclosure for purposes secondary to the primary service being offered.
>>>>>
>>>>> This is the basis of the opt-out consent scheme being applied to online tracking.
>>>>>
>>>>> Best,
>>>>> Tamir
>>>>>
>>>>> On 6/15/2012 10:58 AM, Shane Wiley wrote:
>>>>>> Tamir,
>>>>>>
>>>>>> I disagree and PIPEDA does as well. As long as you're clear to a user what a service provides and a user expressly consents to those practices, the discussion is over.
>>>>>>
>>>>>> Please don't try to raise CA regulatory schemes into conversations on one hand then completely reverse your stance at whim - this seriously undermines your credibility.
>>>>>>
>>>>>> - Shane
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Tamir Israel [mailto:tisrael@cippic.ca]
>>>>>> Sent: Friday, June 15, 2012 7:54 AM
>>>>>> To: Shane Wiley
>>>>>> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
>>>>>> Subject: Re: Identity providers as first parties
>>>>>>
>>>>>> Shane --
>>>>>>
>>>>>> The need for independent choice is critical, I think, to the out of band consent scheme. You shouldn't be able to force users out of their DNT choices as a condition of authentication.
>>>>>>
>>>>>> Best,
>>>>>> Tamir
>>>>>>
>>>>>> On 6/15/2012 10:48 AM, Shane Wiley wrote:
>>>>>>> Rigo,
>>>>>>>
>>>>>>> DNT will NEVER trump an out-of-band consent. The user would simply withdraw from using the service they had provided prior consent to. If the product would like to offer two levels of service, it can of course do that, but that would be completely outside the scope of DNT.
>>>>>>>
>>>>>>> DNT is not the privacy silver bullet and answer to all privacy issues on the Internet - let's stop trying to push it in that direction.
>>>>>>>
>>>>>>> Thank you,
>>>>>>> - Shane
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Rigo Wenning [mailto:rigo@w3.org]
>>>>>>> Sent: Friday, June 15, 2012 1:28 AM
>>>>>>> To: public-tracking@w3.org
>>>>>>> Cc: Shane Wiley; rob@blaeu.com; Kimon Zorbas; ifette@google.com; Tamir Israel; JC Cannon (Microsoft)
>>>>>>> Subject: Re: Identity providers as first parties
>>>>>>>
>>>>>>> Shane, Kimon,
>>>>>>>
>>>>>>> On Thursday 14 June 2012 16:47:03 Shane Wiley wrote:
>>>>>>>> I’ve used a few others and they appear to do the same, so I’m confused as to what real-world identity provider scenario someone is considering where consent wasn’t already obtained?
>>>>>>>
>>>>>>> I confirm that we agreed that the out-of-band agreement will trump the DNT:1 signal. We also agreed that the service has to signal this to the client.
>>>>>>>
>>>>>>> I guess what Rob is trying to achieve is to say, even in this context, a service could offer the choice of stopping to track and only use information for the login/authentication purpose. This could be the meaning of DNT:1 if the Service sends ACK in a login/authentication context. If you're looking for medical information in a login context, you don't want your login provider to spawn that to your insurance. I think this is a very legitimate use case. The service could say: "yes, I see your point" and send ACK instead of "out-of-band".
>>>>>>>
>>>>>>> We are just defining switches. People will decide whether they switch stuff on or off or provide a switch at all.
>>>>>>>
>>>>>>> Rigo
Received on Sunday, 17 June 2012 19:14:41 UTC