RE: Identity providers as first parties

Jonathan,

I ask only to understand their perspectives – nothing more.  Hopefully everyone will speak up in Seattle so we can better understand the various perspectives.  Much like you, we are also working with all of the various viewpoint stakeholders and have support for our proposal from their collective perspectives (at least those shared to date which is why I’m trying to learn more).

To call collaboration to understand one another’s perspectives as possibly “unfair competition” is an amazingly farfetched overreach, even from you (although not unsurprising).  I hope your threats of this nature don’t scare away more open collaboration, but perhaps that was your aim.

- Shane

From: Jonathan Mayer [mailto:jmayer@stanford.edu]
Sent: Sunday, June 17, 2012 2:51 PM
To: Shane Wiley
Cc: Tamir Israel; Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
Subject: Re: Identity providers as first parties

Shane,

As I explained in my initial note:
We have received valuable feedback from a number of participant viewpoints, including browser vendors, advertising companies, analytics services, social networks, policymakers, consumer groups, and researchers.  Out of respect for the candid nature of those ongoing conversations, we leave it to stakeholders to volunteer their contributions to and views on this proposal.
I would add that more than one advertising company expressed concern about possible retaliation if they broke away from the industry trade groups.  I'll leave it to regulators to decide if the industry's practices constitute unfair competition.

Jonathan


On Sunday, June 17, 2012 at 1:51 PM, Shane Wiley wrote:

Jonathan,

Continue to disagree (on many levels).  Could you please name those in the online advertising industry that are supportive of the proposal you shared with the WG?

Thank you,

- Shane

From: Jonathan Mayer [mailto:jmayer@stanford.edu]
Sent: Sunday, June 17, 2012 1:42 PM
To: Shane Wiley
Cc: Tamir Israel; Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
Subject: Re: Identity providers as first parties

Shane,

You and Roy have been vocal in your objections to the EFF/Mozilla/Stanford compromise proposal. I'm disappointed, though given your inflexibility throughout this process, entirely unsurprised.

That said, you do not speak for the online advertising industry. Many companies have been more willing to countenance constructive compromise. Your conclusion that advertising industry participants have "mostly rejected" the proposal is inaccurate.

Jonathan

On Sunday, June 17, 2012 at 12:26 PM, Shane Wiley wrote:

Tamir,

Jonathan's proposal does attempt to address this point, but many in the room feel this should be left to local law. Justin Brookman and I took a pass at this language, but it shifted to becoming overly prescriptive (legislating via tech standard), so many in the WG asked for local law to determine.

I would suggest this conversation be extracted from Jonathan's proposal to be handled separately, as the rest of the proposal has been mostly rejected by those in the WG that are intended to implement DNT in the real world (on the 1st party/3rd party side).

More to come in Seattle...

- Shane

-----Original Message-----
From: Tamir Israel [mailto:tisrael@cippic.ca]
Sent: Sunday, June 17, 2012 12:19 PM
To: Shane Wiley
Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
Subject: Re: Identity providers as first parties

Shane -- I am not remotely attempting to do so.

As far back as I can see, the spec was going to put conditions on the means by which out of band consent can be sought.

Jonathan et al's proposal is:

1. Actual presentation: The choice mechanism MUST be actually presented to the user. It MUST NOT be on a linked page, such as a terms of service or privacy policy.
2. Clear terms: The choice mechanism MUST use clear, non-confusing terminology.
3. Independent choice: The choice mechanism MUST be presented independent of other choices. It MUST NOT be bundled with other user preferences.
4. No default permission: The choice mechanism MUST NOT have the user permission preference selected by default.

On 6/17/2012 3:16 PM, Shane Wiley wrote:

Tamir,

That's up to local laws to determine. Please do not attempt to legislate via W3C tech standard.

- Shane

-----Original Message-----
From: Tamir Israel [mailto:tisrael@cippic.ca]
Sent: Sunday, June 17, 2012 12:14 PM
To: Shane Wiley
Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
Subject: Re: Identity providers as first parties

Shane -- Out of band consent *does* trump DNT-1. We are now trying to define the parameters by which out of band consent can be sought.

Best,
Tamir

On 6/17/2012 3:11 PM, Shane Wiley wrote:

Tamir,

Out-of-band consent trumps DNT. We've been repeating this mantra for over a year now - becoming repetitive.

- Shane

-----Original Message-----
From: Tamir Israel [mailto:tisrael@cippic.ca]
Sent: Saturday, June 16, 2012 5:23 PM
To: Shane Wiley
Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
Subject: Re: Identity providers as first parties

Shane --

Just so we're really clear: if a user authenticates with Yahoo! on site A and controls preferences on that site, does the out of band consent dialogue Jonathan showed invalidate DNT-1: on site A? in general?

Best,
Tamir

On 6/15/2012 11:29 PM, Tamir Israel wrote:

Ok.

On 6/15/2012 2:07 PM, Shane Wiley wrote:

DAA Opt-out and single sign-on are not related. There are some implementations where the ID is needed beyond the authentication event and therefore data collection occurs outside of the initial authentication event. Users do NOT need to choose Yahoo! as their ID provider if they feel uncomfortable with that outcome.

- Shane

-----Original Message-----
From: Tamir Israel [mailto:tisrael@cippic.ca]
Sent: Friday, June 15, 2012 10:56 AM
To: Shane Wiley
Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
Subject: Re: Identity providers as first parties

Shane,

Maybe we are getting sidetracked.

Can you please explain the scope of tracking that results from using Yahoo!'s IdM mechanism? Does it mean you can track all my activities on the specific authenticated site? If so, does this carry across multiple explicitly authenticated sites? Does it operate in a manner analogous to single sign-on? How does it interact with the existing DAA opt-out?

Thanks and best regards,
Tamir

On 6/15/2012 11:28 AM, Shane Wiley wrote:

Tamir,

Any service gets to determine its own primary purpose - so if OBA is the payment for the service and this is disclosed as a primary purpose, then that's the bargain the users can choose to consent to or not.

- Shane

-----Original Message-----
From: Tamir Israel [mailto:tisrael@cippic.ca]
Sent: Friday, June 15, 2012 8:21 AM
To: Shane Wiley
Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
Subject: Re: Identity providers as first parties

Shane --

There are 2 questions here. One is whether you can bundle in the obligation to consent to secondary purposes as a condition of authentication in an IdM context. The primary service in an IdM context is authentication, not OBA.

The second is to what extent the DNT spec should address this. I took the 'independent choice' out of band consent criteria as an attempt to prevent bundling of choices.

Best,
Tamir

On 6/15/2012 11:06 AM, Shane Wiley wrote:

Tamir,

But in the use case we're discussing the service being provided is the primary purpose - a user's online identity. A service determines its primary purpose, discloses this to the user, user consents. Case closed.

- Shane

-----Original Message-----
From: Tamir Israel [mailto:tisrael@cippic.ca]
Sent: Friday, June 15, 2012 8:02 AM
To: Shane Wiley
Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
Subject: Re: Identity providers as first parties

Shane, I disagree. Under PIPEDA you should offer users the possibility of opting out of collection, use or disclosure for purposes secondary to the primary service being offered.

This is the basis of the opt-out consent scheme being applied to online tracking.

Best,
Tamir

On 6/15/2012 10:58 AM, Shane Wiley wrote:

Tamir,

I disagree and PIPEDA does as well. As long as you're clear to a user what a service provides and a user expressly consents to those practices, the discussion is over.

Please don't try to raise CA regulatory schemes into conversations on one hand then completely reverse your stance at whim - this seriously undermines your credibility.

- Shane

-----Original Message-----
From: Tamir Israel [mailto:tisrael@cippic.ca]
Sent: Friday, June 15, 2012 7:54 AM
To: Shane Wiley
Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
Subject: Re: Identity providers as first parties

Shane --

The need for independent choice is critical, I think, to the out of band consent scheme. You shouldn't be able to force users out of their DNT choices as a condition of authentication.

Best,
Tamir

On 6/15/2012 10:48 AM, Shane Wiley wrote:

Rigo,

DNT will NEVER trump an out-of-band consent. The user would simply withdraw from using the service they had provided prior consent to. If the product would like to offer two levels of service, it can of course do that, but that would be completely outside the scope of DNT.

DNT is not the privacy silver bullet and answer to all privacy issues on the Internet - let's stop trying to push it in that direction.

Thank you,
- Shane

-----Original Message-----
From: Rigo Wenning [mailto:rigo@w3.org]
Sent: Friday, June 15, 2012 1:28 AM
To: public-tracking@w3.org
Cc: Shane Wiley; rob@blaeu.com; Kimon Zorbas; ifette@google.com; Tamir Israel; JC Cannon (Microsoft)
Subject: Re: Identity providers as first parties

Shane, Kimon,

On Thursday 14 June 2012 16:47:03 Shane Wiley wrote:

I’ve used a few others and they appear to do the same, so I’m confused as to what real-world identity provider scenario someone is considering where consent wasn’t already obtained?

I confirm that we agreed that the out-of-band agreement will trump the DNT:1 signal. We also agreed that the service has to signal this to the client.

I guess what Rob is trying to achieve is to say that, even in this context, a service could offer the choice of stopping tracking and only using information for the login/authentication purpose. This could be the meaning of DNT:1 if the Service sends ACK in a login/authentication context. If you're looking for medical information in a login context, you don't want your login provider to spawn that to your insurance. I think this is a very legitimate use case. The service could say: "yes, I see your point" and send ACK instead of "out-of-band".

We are just defining switches. People will decide whether they switch stuff on or off or provide a switch at all.

Rigo
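The four consent criteria Tamir quotes from the proposal and the ACK / out-of-band switch Rigo describes, modelled as an identity provider's decision logic. This is an added example, not code from the thread or from any W3C draft; the record fields, the purpose labels and the handling of a request with no DNT:1 signal are assumptions.

```python
# Added example (not from the thread or any W3C draft): decide what tracking status an
# identity provider signals back to a client that sent DNT:1, treating consent as
# "out-of-band" only when the choice mechanism met the four quoted criteria.
from dataclasses import dataclass


@dataclass(frozen=True)
class ConsentRecord:
    """How the provider obtained consent to use identity data beyond login (assumed fields)."""
    presented_directly: bool    # 1. shown in the flow itself, not on a linked ToS/privacy page
    clear_terms: bool           # 2. clear, non-confusing terminology
    independent_choice: bool    # 3. not bundled with other user preferences
    selected_by_default: bool   # 4. a pre-selected permission does not count as consent
    user_opted_in: bool         # what the user actually chose


def consent_is_valid(record):
    """True only if all four criteria were met and the user actually opted in."""
    if record is None:
        return False
    return (record.presented_directly and record.clear_terms
            and record.independent_choice and not record.selected_by_default
            and record.user_opted_in)


def tracking_response(dnt_header, record):
    """Return (status to signal, purposes the provider may use identity data for).

    dnt_header is the raw DNT request header value ("1", "0", or None if absent).
    "out-of-band": valid consent overrides DNT:1 and tracking (e.g. OBA) may continue.
    "ACK": the provider honors DNT:1 and limits itself to the login/authentication purpose.
    None: no DNT:1 signal to respond to (how to label this case is an assumption).
    """
    if dnt_header != "1":
        return None, {"authentication", "oba"}
    if consent_is_valid(record):
        return "out-of-band", {"authentication", "oba"}
    return "ACK", {"authentication"}


if __name__ == "__main__":
    # Constructed cases: a pre-ticked box bundled with other settings vs. a standalone opt-in.
    bundled = ConsentRecord(True, True, False, True, True)
    explicit = ConsentRecord(True, True, True, False, True)
    print(tracking_response("1", bundled))   # ('ACK', {'authentication'})
    print(tracking_response("1", explicit))  # ('out-of-band', {'authentication', 'oba'})
```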

Received on Sunday, 17 June 2012 22:08:50 UTC