Re: Identity providers as first parties from Tamir Israel on 2012-06-17 (public-tracking@w3.org from June 2012)

From: Tamir Israel <tisrael@cippic.ca>
Date: Sun, 17 Jun 2012 15:19:07 -0400
To: Shane Wiley <wileys@yahoo-inc.com>
CC: Rigo Wenning <rigo@w3.org>, "public-tracking@w3.org" <public-tracking@w3.org>, "rob@blaeu.com" <rob@blaeu.com>, Kimon Zorbas <vp@iabeurope.eu>, "ifette@google.com" <ifette@google.com>, "JC Cannon (Microsoft)" <jccannon@microsoft.com>
Message-ID: <4FDE2DAB.8080503@cippic.ca>
Shane -- I am not remotely attempting doing so.

As far back as I can see, the spec was going to put conditions on the 
means by which out of band consent can be sought.

Jonathan et al's proposal is:

1. Actual presentation: The choice mechanism MUST be actually presented 
to the user. It MUST NOT be on a linked page, such as a terms of service 
or privacy policy.
2. Clear terms: The choice mechanism MUST use clear, non-confusing 
terminology.
3. Independent choice: The choice mechanism MUST be presented 
independent of other choices. It MUST NOT be bundled with other user 
preferences.
4. No default permission: The choice mechanism MUST NOT have the user 
permission preference selected by default.

On 6/17/2012 3:16 PM, Shane Wiley wrote:
> Tamir,
>
> That's up to local laws to determine.  Please do not attempt to legislate via W3C tech standard.
>
> - Shane
>
> -----Original Message-----
> From: Tamir Israel [mailto:tisrael@cippic.ca]
> Sent: Sunday, June 17, 2012 12:14 PM
> To: Shane Wiley
> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
> Subject: Re: Identity providers as first parties
>
> Shane -- Out of band consent *does* trump DNT-1. We are now trying to
> define the parameters by which out of band consent can be sought.
>
> Best,
> Tamir
>
> On 6/17/2012 3:11 PM, Shane Wiley wrote:
>> Tamir,
>>
>> Out-of-band consent trumps DNT.  We've been repeating this mantra for over a year now - becoming repetitive.
>>
>> - Shane
>>
>> -----Original Message-----
>> From: Tamir Israel [mailto:tisrael@cippic.ca]
>> Sent: Saturday, June 16, 2012 5:23 PM
>> To: Shane Wiley
>> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
>> Subject: Re: Identity providers as first parties
>>
>> Shane --
>>
>> Just so we're really clear: if a user authenticates with Yahoo! on site
>> A and controls preferences on that site, does the out of band consent
>> dialogue Jonathan showed invalidate DNT-1: on site A? in general?
>>
>> Best,
>> Tamir
>>
>> On 6/15/2012 11:29 PM, Tamir Israel wrote:
>>> Ok.
>>>
>>> On 6/15/2012 2:07 PM, Shane Wiley wrote:
>>>> DAA Opt-out and single-sign on are not related.  There are some
>>>> implementations where the ID is needed beyond the authentication
>>>> event and therefore data collection occurs outside of the initial
>>>> authentication event.  Users do NOT need to choose Yahoo! as their ID
>>>> provider if they feel uncomfortable with that outcome.
>>>>
>>>> - Shane
>>>>
>>>> -----Original Message-----
>>>> From: Tamir Israel [mailto:tisrael@cippic.ca]
>>>> Sent: Friday, June 15, 2012 10:56 AM
>>>> To: Shane Wiley
>>>> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon
>>>> Zorbas; ifette@google.com; JC Cannon (Microsoft)
>>>> Subject: Re: Identity providers as first parties
>>>>
>>>> Shane,
>>>>
>>>> Maybe we are getting sidetracked.
>>>>
>>>> Can you please explain the scope of tracking that results from using
>>>> Yahoo!'s IdM mechanism? Does it mean you can track all my activities on
>>>> the specific authenticated site? If so does this carry across multiple
>>>> explicitly authenticated sites? Does it operate in a manner analogous to
>>>> single sign-on? How does it interact with the existing DAA opt-out?
>>>>
>>>> Thanks and best regards,
>>>> Tamir
>>>>
>>>> On 6/15/2012 11:28 AM, Shane Wiley wrote:
>>>>> Tamir,
>>>>>
>>>>> Any service gets to determine its own primary purpose - so if OBA is
>>>>> the payment for the service and this is disclosed as a primary
>>>>> purpose, then that's the bargain the users can choose to consent to
>>>>> or not.
>>>>>
>>>>> - Shane
>>>>>
>>>>> -----Original Message-----
>>>>> From: Tamir Israel [mailto:tisrael@cippic.ca]
>>>>> Sent: Friday, June 15, 2012 8:21 AM
>>>>> To: Shane Wiley
>>>>> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon
>>>>> Zorbas; ifette@google.com; JC Cannon (Microsoft)
>>>>> Subject: Re: Identity providers as first parties
>>>>>
>>>>> Shane --
>>>>>
>>>>> There are 2 questions here. One is whether you can bundle in the
>>>>> obligation to consent to secondary purposes as a condition of
>>>>> authentication in an IdM context. The primary service in an IdM context
>>>>> is authentication, not OBA.
>>>>>
>>>>> The second is to what extent the DNT spec should address this. I took
>>>>> the 'independent choice' out of band consent criteria as an attempt to
>>>>> prevent bundling of choices.
>>>>>
>>>>> Best,
>>>>> Tamir
>>>>>
>>>>> On 6/15/2012 11:06 AM, Shane Wiley wrote:
>>>>>> Tamir,
>>>>>>
>>>>>> But in the use case we're discussing the service being provided is
>>>>>> the primary purpose - a user's online identity.  A service
>>>>>> determines its primary purpose, discloses this to the user, user
>>>>>> consents.  Case closed.
>>>>>>
>>>>>> - Shane
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Tamir Israel [mailto:tisrael@cippic.ca]
>>>>>> Sent: Friday, June 15, 2012 8:02 AM
>>>>>> To: Shane Wiley
>>>>>> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon
>>>>>> Zorbas; ifette@google.com; JC Cannon (Microsoft)
>>>>>> Subject: Re: Identity providers as first parties
>>>>>>
>>>>>> Shane, I disagree. Under PIPEDA you should offer users the possibility
>>>>>> of opting out of collection, use or disclosure for purposes
>>>>>> secondary to
>>>>>> the primary service being offered.
>>>>>>
>>>>>> This is the basis of the opt-out consent scheme being applied to
>>>>>> online
>>>>>> tracking.
>>>>>>
>>>>>> Best,
>>>>>> Tamir
>>>>>>
>>>>>> On 6/15/2012 10:58 AM, Shane Wiley wrote:
>>>>>>> Tamir,
>>>>>>>
>>>>>>> I disagree and PIPEDA does as well.  As long as you're clear to a
>>>>>>> user what a service provides and a user expressly consents to
>>>>>>> those practices, the discussion is over.
>>>>>>>
>>>>>>> Please don't try to raise CA regulatory schemes into conversations
>>>>>>> on one hand then completely reverse your stance at whim - this
>>>>>>> seriously undermines your credibility.
>>>>>>>
>>>>>>> - Shane
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Tamir Israel [mailto:tisrael@cippic.ca]
>>>>>>> Sent: Friday, June 15, 2012 7:54 AM
>>>>>>> To: Shane Wiley
>>>>>>> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon
>>>>>>> Zorbas; ifette@google.com; JC Cannon (Microsoft)
>>>>>>> Subject: Re: Identity providers as first parties
>>>>>>>
>>>>>>> Shane --
>>>>>>>
>>>>>>> The need for independent choice is critical, I think, to the out
>>>>>>> of band
>>>>>>> consent scheme. You shouldn't be able to force users out of their DNT
>>>>>>> choices as a condition of authentication.
>>>>>>>
>>>>>>> Best,
>>>>>>> Tamir
>>>>>>>
>>>>>>> On 6/15/2012 10:48 AM, Shane Wiley wrote:
>>>>>>>> Rigo,
>>>>>>>>
>>>>>>>> DNT will NEVER trump an out-of-band consent.  The user would
>>>>>>>> simply withdraw from using the service they had provided prior
>>>>>>>> consent to.  If the product would like to offer two levels of
>>>>>>>> service, it can of course do that, but that would be completely
>>>>>>>> outside the scope of DNT.
>>>>>>>>
>>>>>>>> DNT is not the privacy silver bullet and answer to all privacy
>>>>>>>> issues on the Internet - let's stop trying to push it in that
>>>>>>>> direction.
>>>>>>>>
>>>>>>>> Thank you,
>>>>>>>> - Shane
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Rigo Wenning [mailto:rigo@w3.org]
>>>>>>>> Sent: Friday, June 15, 2012 1:28 AM
>>>>>>>> To: public-tracking@w3.org
>>>>>>>> Cc: Shane Wiley; rob@blaeu.com; Kimon Zorbas; ifette@google.com;
>>>>>>>> Tamir Israel; JC Cannon (Microsoft)
>>>>>>>> Subject: Re: Identity providers as first parties
>>>>>>>>
>>>>>>>> Shane, Kimon,
>>>>>>>>
>>>>>>>> On Thursday 14 June 2012 16:47:03 Shane Wiley wrote:
>>>>>>>>> I’ve used a few others and they appears to do the same so I’m
>>>>>>>>> confused as to what real-world identity provider scenario someone
>>>>>>>>> is considering where consent wasn’t already obtained?
>>>>>>>> I confirm that we agreed that the out-of-band agreement will trump
>>>>>>>> the DNT:1 signal. We also agreed that the service has to signal this
>>>>>>>> to the client.
>>>>>>>>
>>>>>>>> I guess, what Rob is trying to achieve is to say, even in this
>>>>>>>> context, a service could offer the choice of stopping to track and
>>>>>>>> only use information for the login/authentication purpose. This
>>>>>>>> could be the meaning of DNT:1 if the Service sends ACK in a
>>>>>>>> login/authentication context. If you're looking for medical
>>>>>>>> information in a login context, you don't want your login provider
>>>>>>>> to spawn that to your insurance. I think this is a very legitimate
>>>>>>>> use case. The service could say: "yes, I see your point" and send
>>>>>>>> ACK instead of "out-of-band".
>>>>>>>>
>>>>>>>> We are just defining switches. People will decide whether they
>>>>>>>> switch stuff on or off or provide a switch at all.
>>>>>>>>
>>>>>>>> Rigo
Received on Sunday, 17 June 2012 19:20:11 UTC