- From: Tamir Israel <tisrael@cippic.ca>
- Date: Sun, 17 Jun 2012 15:19:07 -0400
- To: Shane Wiley <wileys@yahoo-inc.com>
- CC: Rigo Wenning <rigo@w3.org>, "public-tracking@w3.org" <public-tracking@w3.org>, "rob@blaeu.com" <rob@blaeu.com>, Kimon Zorbas <vp@iabeurope.eu>, "ifette@google.com" <ifette@google.com>, "JC Cannon (Microsoft)" <jccannon@microsoft.com>
Shane -- I am not remotely attempting to do so. As far back as I can see, the spec was going to put conditions on the means by which out of band consent can be sought. Jonathan et al's proposal is:

1. Actual presentation: The choice mechanism MUST be actually presented to the user. It MUST NOT be on a linked page, such as a terms of service or privacy policy.
2. Clear terms: The choice mechanism MUST use clear, non-confusing terminology.
3. Independent choice: The choice mechanism MUST be presented independent of other choices. It MUST NOT be bundled with other user preferences.
4. No default permission: The choice mechanism MUST NOT have the user permission preference selected by default.

On 6/17/2012 3:16 PM, Shane Wiley wrote:
> Tamir,
>
> That's up to local laws to determine. Please do not attempt to legislate via W3C tech standard.
>
> - Shane
>
> -----Original Message-----
> From: Tamir Israel [mailto:tisrael@cippic.ca]
> Sent: Sunday, June 17, 2012 12:14 PM
> To: Shane Wiley
> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
> Subject: Re: Identity providers as first parties
>
> Shane -- Out of band consent *does* trump DNT-1. We are now trying to define the parameters by which out of band consent can be sought.
>
> Best,
> Tamir
>
> On 6/17/2012 3:11 PM, Shane Wiley wrote:
>> Tamir,
>>
>> Out-of-band consent trumps DNT. We've been repeating this mantra for over a year now - becoming repetitive.
>>
>> - Shane
>>
>> -----Original Message-----
>> From: Tamir Israel [mailto:tisrael@cippic.ca]
>> Sent: Saturday, June 16, 2012 5:23 PM
>> To: Shane Wiley
>> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
>> Subject: Re: Identity providers as first parties
>>
>> Shane --
>>
>> Just so we're really clear: if a user authenticates with Yahoo! on site A and controls preferences on that site, does the out of band consent dialogue Jonathan showed invalidate DNT-1: on site A? in general?
>>
>> Best,
>> Tamir
>>
>> On 6/15/2012 11:29 PM, Tamir Israel wrote:
>>> Ok.
>>>
>>> On 6/15/2012 2:07 PM, Shane Wiley wrote:
>>>> DAA Opt-out and single sign-on are not related. There are some implementations where the ID is needed beyond the authentication event and therefore data collection occurs outside of the initial authentication event. Users do NOT need to choose Yahoo! as their ID provider if they feel uncomfortable with that outcome.
>>>>
>>>> - Shane
>>>>
>>>> -----Original Message-----
>>>> From: Tamir Israel [mailto:tisrael@cippic.ca]
>>>> Sent: Friday, June 15, 2012 10:56 AM
>>>> To: Shane Wiley
>>>> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
>>>> Subject: Re: Identity providers as first parties
>>>>
>>>> Shane,
>>>>
>>>> Maybe we are getting sidetracked.
>>>>
>>>> Can you please explain the scope of tracking that results from using Yahoo!'s IdM mechanism? Does it mean you can track all my activities on the specific authenticated site? If so does this carry across multiple explicitly authenticated sites? Does it operate in a manner analogous to single sign-on? How does it interact with the existing DAA opt-out?
>>>>
>>>> Thanks and best regards,
>>>> Tamir
>>>>
>>>> On 6/15/2012 11:28 AM, Shane Wiley wrote:
>>>>> Tamir,
>>>>>
>>>>> Any service gets to determine its own primary purpose - so if OBA is the payment for the service and this is disclosed as a primary purpose, then that's the bargain the users can choose to consent to or not.
>>>>>
>>>>> - Shane
>>>>>
>>>>> -----Original Message-----
>>>>> From: Tamir Israel [mailto:tisrael@cippic.ca]
>>>>> Sent: Friday, June 15, 2012 8:21 AM
>>>>> To: Shane Wiley
>>>>> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
>>>>> Subject: Re: Identity providers as first parties
>>>>>
>>>>> Shane --
>>>>>
>>>>> There are 2 questions here. One is whether you can bundle in the obligation to consent to secondary purposes as a condition of authentication in an IdM context. The primary service in an IdM context is authentication, not OBA.
>>>>>
>>>>> The second is to what extent the DNT spec should address this. I took the 'independent choice' out of band consent criteria as an attempt to prevent bundling of choices.
>>>>>
>>>>> Best,
>>>>> Tamir
>>>>>
>>>>> On 6/15/2012 11:06 AM, Shane Wiley wrote:
>>>>>> Tamir,
>>>>>>
>>>>>> But in the use case we're discussing the service being provided is the primary purpose - a user's online identity. A service determines its primary purpose, discloses this to the user, user consents. Case closed.
>>>>>>
>>>>>> - Shane
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Tamir Israel [mailto:tisrael@cippic.ca]
>>>>>> Sent: Friday, June 15, 2012 8:02 AM
>>>>>> To: Shane Wiley
>>>>>> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
>>>>>> Subject: Re: Identity providers as first parties
>>>>>>
>>>>>> Shane, I disagree. Under PIPEDA you should offer users the possibility of opting out of collection, use or disclosure for purposes secondary to the primary service being offered.
>>>>>>
>>>>>> This is the basis of the opt-out consent scheme being applied to online tracking.
>>>>>>
>>>>>> Best,
>>>>>> Tamir
>>>>>>
>>>>>> On 6/15/2012 10:58 AM, Shane Wiley wrote:
>>>>>>> Tamir,
>>>>>>>
>>>>>>> I disagree and PIPEDA does as well. As long as you're clear to a user what a service provides and a user expressly consents to those practices, the discussion is over.
>>>>>>>
>>>>>>> Please don't try to raise CA regulatory schemes into conversations on one hand then completely reverse your stance at whim - this seriously undermines your credibility.
>>>>>>>
>>>>>>> - Shane
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Tamir Israel [mailto:tisrael@cippic.ca]
>>>>>>> Sent: Friday, June 15, 2012 7:54 AM
>>>>>>> To: Shane Wiley
>>>>>>> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
>>>>>>> Subject: Re: Identity providers as first parties
>>>>>>>
>>>>>>> Shane --
>>>>>>>
>>>>>>> The need for independent choice is critical, I think, to the out of band consent scheme. You shouldn't be able to force users out of their DNT choices as a condition of authentication.
>>>>>>>
>>>>>>> Best,
>>>>>>> Tamir
>>>>>>>
>>>>>>> On 6/15/2012 10:48 AM, Shane Wiley wrote:
>>>>>>>> Rigo,
>>>>>>>>
>>>>>>>> DNT will NEVER trump an out-of-band consent. The user would simply withdraw from using the service they had provided prior consent to. If the product would like to offer two levels of service, it can of course do that, but that would be completely outside the scope of DNT.
>>>>>>>>
>>>>>>>> DNT is not the privacy silver bullet and answer to all privacy issues on the Internet - let's stop trying to push it in that direction.
>>>>>>>>
>>>>>>>> Thank you,
>>>>>>>> - Shane
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Rigo Wenning [mailto:rigo@w3.org]
>>>>>>>> Sent: Friday, June 15, 2012 1:28 AM
>>>>>>>> To: public-tracking@w3.org
>>>>>>>> Cc: Shane Wiley; rob@blaeu.com; Kimon Zorbas; ifette@google.com; Tamir Israel; JC Cannon (Microsoft)
>>>>>>>> Subject: Re: Identity providers as first parties
>>>>>>>>
>>>>>>>> Shane, Kimon,
>>>>>>>>
>>>>>>>> On Thursday 14 June 2012 16:47:03 Shane Wiley wrote:
>>>>>>>>> I've used a few others and they appear to do the same so I'm confused as to what real-world identity provider scenario someone is considering where consent wasn't already obtained?
>>>>>>>>
>>>>>>>> I confirm that we agreed that the out-of-band agreement will trump the DNT:1 signal. We also agreed that the service has to signal this to the client.
>>>>>>>>
>>>>>>>> I guess, what Rob is trying to achieve is to say, even in this context, a service could offer the choice of stopping to track and only use information for the login/authentication purpose. This could be the meaning of DNT:1 if the Service sends ACK in a login/authentication context. If you're looking for medical information in a login context, you don't want your login provider to spawn that to your insurance. I think this is a very legitimate use case. The service could say: "yes, I see your point" and send ACK instead of "out-of-band".
>>>>>>>>
>>>>>>>> We are just defining switches. People will decide whether they switch stuff on or off or provide a switch at all.
>>>>>>>>
>>>>>>>> Rigo
Received on Sunday, 17 June 2012 19:20:11 UTC