- From: Jonathan Mayer <jmayer@stanford.edu>
- Date: Mon, 18 Jun 2012 10:37:46 -0700
- To: Jeffrey Chester <jeff@democraticmedia.org>
- Cc: ifette@google.com, Alan Chapell <achapell@chapellassociates.com>, Mike Zaneis <mike@iab.net>, Shane Wiley <wileys@yahoo-inc.com>, Tamir Israel <tisrael@cippic.ca>, Rigo Wenning <rigo@w3.org>, "public-tracking@w3.org" <public-tracking@w3.org>, "rob@blaeu.com" <rob@blaeu.com>, Kimon Zorbas <vp@iabeurope.eu>, "JC Cannon (Microsoft)" <jccannon@microsoft.com>
- Message-ID: <6A7E0F43F4BB486484BE4EEEF5E7B44D@gmail.com>

Ian,

I stand by that quote in its entirety. You have frequently expressed the view that companies, including Google, are under no obligation to implement Do Not Track. And if a company does implement Do Not Track, it is free to deviate from the W3C standard so long as it is transparent.

You have reaffirmed this view on the mailing list a number of times. Here are snippets from five separate emails:

> There's other people in the working group, myself included, who feel that since you are under no obligation to honor DNT in the first place (it is voluntary and nothing is binding until you tell the user "Yes, I am honoring your DNT request") that you already have an option to reject a DNT:1 request (for instance, by sending no DNT response headers).

> With all due respect, I think you've already heard from a number of companies that they will not honor such a signal. The question at hand is not whether or not that should be allowed -- the W3C has no power to force a company to honor DNT -- but rather how that company's decision should be signaled.

> A site is already under no obligation to conform to DNT.

> From the beginning, I thought everyone understood that no one could force a website to implement DNT. . . . I'm trying to take a pragmatic view here, and merely ask the question "If a website chooses to implement DNT for a subset of users, what is the best way for the website to signal that."

> If the site says "I support DNT under the following circumstances" and is clear about that, and you are outside of those circumstances, I don't think you have any reason to be surprised.

While the minutes of the call are (as usual) a bit thin, here are three instances where you appear to have expressed the same view:

> <ifette> no one requires a site to implement DNT

> ifette: nothing requiring site to honor DNT, site can just say 'nope, not compliant'.

> <ifette> the site then has to decide whether to accept that expression of your preference or not. It shouldn't lie to you about what it's doing, but it's under no obligation -- you don't get to dictate terms ;-)

As for the latter part of the quote: while it is no secret to members of this group that economic considerations are a leading cause of objections to Do Not Track, many advertising companies had been quite reluctant to publicly note as much following the White House festivities. Arguments tended instead to be couched in terms of user empowerment and choice. The renewed focus on defaults changed that. Many advertising companies began emphasizing the possible negative economic effects of large numbers of DNT users. You yourself got into a lengthy, contentious debate of the topic with Lorrie Cranor on a CMU mailing list. (I'm not going to post that conversation since, as I understand it, the list is closed.)

Let me wrap by explaining how these press interactions work. I don't solicit media coverage; reporters call me. They ask what's going on with Do Not Track. Given the premium I place on public transparency in this process, I answer candidly. I make every effort to ensure that I am accurate and fair. And I direct reporters to other members of the group to confirm details.

I've now burned a couple hours on a take-home exam responding to Do Not Track emails. I don't expect I'll be able to chime in again before the Bellevue meeting. If you or anyone else would like to discuss this further, I'd be glad to chat during a break.

Jonathan

On Monday, June 18, 2012 at 9:36 AM, Jeffrey Chester wrote:

> I hadn't seen this. But I think Jonathan was correct in his characterization. Many privacy advocates hope that Google will provide greater leadership to adopt meaningful DNT standard. We are waiting to see its plans to ensure the spec protects privacy.
>
> Jeff
>
> On Jun 18, 2012, at 12:31 PM, Ian Fette (イアンフェッティ) wrote:
> > Jeff,
> >
> > With respect,
> >
> > "It's not clear to what extent we'll get an agreement on this," Mayer told CNNMoney. "One of Google's representatives said on the call that the company will be able to do whatever it wants anyways. I'm stunned at how transparent some of these companies were -- they just want to minimize the number of Do Not Track users, period."
> >
> > http://money.cnn.com/2012/06/07/technology/do-not-track/index.htm
> >
> > That type of behaviour is not something one would expect from someone who bills themselves as being a "tough-but-fair negotiator."
> >
> > -Ian
> >
> > On Mon, Jun 18, 2012 at 9:27 AM, Jeffrey Chester <jeff@democraticmedia.org> wrote:
> > > Ian: I suggest that what reporters are doing is merely reading the texts posted. That what's been written says a great deal about both personal views and--one assumes--the position taken by the CEO and board on DNT and the spec. There hasn't been anything taken out of context I know about. See you soon.
> > >
> > > Jeff
> > >
> > > On Jun 18, 2012, at 12:24 PM, Ian Fette (イアンフェッティ) wrote:
> > > > Jeff,
> > > >
> > > > That's precisely the problem. Certain people from this working group seem to have no problem taking statements made on calls and feeding warped versions of those statements to reporters; such tactics do not typically go far when one is trying to be a "negotiator" to reach a "grand compromise". (Also, most "negotiators" whom I have seen be successful in the past, hostage negotiators excepted, have been neutral uninterested third parties, not someone with a clear axe to grind.)
> > > >
> > > > -Ian
> > > >
> > > > On Mon, Jun 18, 2012 at 9:21 AM, Jeffrey Chester <jeff@democraticmedia.org> wrote:
> > > > > Alan: I find your language and tone troubling. I hope you know that many people are looking at this thread. Our communications say a great deal about ourselves, inc to the EU, FTC and media watching this thread closely. Maybe even Fox News!
> > > > >
> > > > > Jeff
> > > > >
> > > > > On Jun 18, 2012, at 12:17 PM, Alan Chapell wrote:
> > > > > > I have no issue with your personality. My issue is with your tactics. Assuming you can cease utilizing tactics that seem unproductive at best, then I think you will see fewer emails directed at you; criticizing those tactics.
> > > > > >
> > > > > > This will be my last note on this matter – I'm hopeful and optimistic that we can move forward productively from here….
> > > > > >
> > > > > > Alan
> > > > > >
> > > > > > From: Jonathan Mayer <jmayer@stanford.edu>
> > > > > > Date: Monday, June 18, 2012 12:08 PM
> > > > > > To: Jeffrey Chester <jeff@democraticmedia.org>
> > > > > > Cc: Alan Chapell <achapell@chapellassociates.com>, Mike Zaneis <mike@iab.net>, Shane Wiley <wileys@yahoo-inc.com>, Tamir Israel <tisrael@cippic.ca>, Rigo Wenning <rigo@w3.org>, "public-tracking@w3.org" <public-tracking@w3.org>, "rob@blaeu.com" <rob@blaeu.com>, Kimon Zorbas <vp@iabeurope.eu>, "ifette@google.com" <ifette@google.com>, "JC Cannon (Microsoft)" <jccannon@microsoft.com>
> > > > > > Subject: Re: Identity providers as first parties
> > > > > >
> > > > > > This thread has devolved into a Fox News-esque referendum on my personality. It's both a distraction and ineffectual—those who have collaborated with me over the past year know I'm a tireless, tough-but-fair negotiator.
> > > > > >
> > > > > > Enough. Back to substance.
> > > > > >
> > > > > > Jonathan
> > > > > >
> > > > > > On Monday, June 18, 2012 at 5:33 AM, Jeffrey Chester wrote:
> > > > > > > Jonathan has played an extraordinarily productive role, with insights, urging compromise (when people like me looked with dismay about the lack of progress in achieving real privacy safeguards so far), and leadership. As I have explained to officials, we have not yet seen serious compromise from industry to ensure DNT is a spec that protects privacy. Jonathan wants us to all do better, as do I. We all know--or should--that what we are doing is being closely watched on both sides of the Atlantic by the press and policymakers. It would be a serious loss if we don't make progress in Seattle.
> > > > > > >
> > > > > > > Jeff Chester
> > > > > > > Center for Digital Democracy
> > > > > > > Washington DC
> > > > > > > www.democraticmedia.org
> > > > > > > Jeff@democraticmedia.org
> > > > > > >
> > > > > > > On Jun 18, 2012, at 5:19 AM, Alan Chapell <achapell@chapellassociates.com> wrote:
> > > > > > > > Jonathan,
> > > > > > > >
> > > > > > > > Taking you at your word that your goal is to attain consensus, I would humbly suggest that the tactics you are using – particularly over the past several weeks – seem at odds with that goal. I'm hopeful that your latest email is an indication that we'll see more compromise and fewer juvenile barbs when we arrive in Bellevue.
> > > > > > > >
> > > > > > > > And for the record, as someone from industry – I strongly favor the proposal proffered by Shane et al.
> > > > > > > >
> > > > > > > > Cheers,
> > > > > > > >
> > > > > > > > Alan Chapell
> > > > > > > > Chapell & Associates
> > > > > > > > 917 318 8440
> > > > > > > >
> > > > > > > > From: Jonathan Mayer <jmayer@stanford.edu>
> > > > > > > > Date: Monday, June 18, 2012 2:06 AM
> > > > > > > > To: Mike Zaneis <mike@iab.net>
> > > > > > > > Cc: Shane Wiley <wileys@yahoo-inc.com>, Tamir Israel <tisrael@cippic.ca>, Rigo Wenning <rigo@w3.org>, "public-tracking@w3.org" <public-tracking@w3.org>, "rob@blaeu.com" <rob@blaeu.com>, Kimon Zorbas <vp@iabeurope.eu>, "ifette@google.com" <ifette@google.com>, "JC Cannon (Microsoft)" <jccannon@microsoft.com>
> > > > > > > > Subject: Re: Identity providers as first parties
> > > > > > > > Resent-From: <public-tracking@w3.org>
> > > > > > > > Resent-Date: Mon, 18 Jun 2012 06:07:15 +0000
> > > > > > > >
> > > > > > > > Shane and Mike,
> > > > > > > >
> > > > > > > > As the Bellevue meeting approaches, this group's sole focus must be attaining consensus on a moderate compromise. I'm doing everything I can to facilitate that goal. I have neither the time nor patience to swap puerile barbs for cheap political points. There's far too much at stake.
> > > > > > > >
> > > > > > > > Jonathan
> > > > > > > >
> > > > > > > > On Sunday, June 17, 2012 at 6:58 PM, Mike Zaneis wrote:
> > > > > > > > > Jonathan,
> > > > > > > > >
> > > > > > > > > Can you please elaborate on these very serious claims you have made in back to back posts? First, you attack two of the most engaged, productive members of the working group (Shane and Roy who are both editors) and claim they do not speak for the online advertising industry, yet you did not point to any companies or public statements of support for your position. As someone who DOES speak for the industry, I know that Shane and Roy raise issues that THE industry shares. Please provide substantiation for your claims.
> > > > > > > > >
> > > > > > > > > As for the unfair competition claims, that is laughable. The only legal claim we should be discussing is one of liable for such ridiculous statements.
> > > > > > > > >
> > > > > > > > > Mike Zaneis
> > > > > > > > > SVP & General Counsel, IAB
> > > > > > > > > (202) 253-1466
> > > > > > > > >
> > > > > > > > > On Jun 17, 2012, at 5:52 PM, "Jonathan Mayer" <jmayer@stanford.edu> wrote:
> > > > > > > > > > Shane,
> > > > > > > > > >
> > > > > > > > > > As I explained in my initial note:
> > > > > > > > > > > We have received valuable feedback from a number of participant viewpoints, including browser vendors, advertising companies, analytics services, social networks, policymakers, consumer groups, and researchers. Out of respect for the candid nature of those ongoing conversations, we leave it to stakeholders to volunteer their contributions to and views on this proposal.
> > > > > > > > > >
> > > > > > > > > > I would add that more than one advertising company expressed concern about possible retaliation if they broke away from the industry trade groups. I'll leave it to regulators to decide if the industry's practices constitute unfair competition.
> > > > > > > > > >
> > > > > > > > > > Jonathan
> > > > > > > > > >
> > > > > > > > > > On Sunday, June 17, 2012 at 1:51 PM, Shane Wiley wrote:
> > > > > > > > > > > Jonathan,
> > > > > > > > > > >
> > > > > > > > > > > Continue to disagree (on many levels). Could you please name those in the online advertising industry that are supportive of the proposal you shared with the WG?
> > > > > > > > > > >
> > > > > > > > > > > Thank you,
> > > > > > > > > > > - Shane
> > > > > > > > > > >
> > > > > > > > > > > From: Jonathan Mayer [mailto:jmayer@stanford.edu]
> > > > > > > > > > > Sent: Sunday, June 17, 2012 1:42 PM
> > > > > > > > > > > To: Shane Wiley
> > > > > > > > > > > Cc: Tamir Israel; Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
> > > > > > > > > > > Subject: Re: Identity providers as first parties
> > > > > > > > > > >
> > > > > > > > > > > Shane,
> > > > > > > > > > >
> > > > > > > > > > > You and Roy have been vocal in your objections to the EFF/Mozilla/Stanford compromise proposal. I'm disappointed, though given your inflexibility throughout this process, entirely unsurprised.
> > > > > > > > > > >
> > > > > > > > > > > That said, you do not speak for the online advertising industry. Many companies have been more willing to countenance constructive compromise. Your conclusion that advertising industry participants have "mostly rejected" the proposal is inaccurate.
> > > > > > > > > > >
> > > > > > > > > > > Jonathan
> > > > > > > > > > >
> > > > > > > > > > > On Sunday, June 17, 2012 at 12:26 PM, Shane Wiley wrote:
> > > > > > > > > > > > Tamir,
> > > > > > > > > > > >
> > > > > > > > > > > > Jonathan's proposal does attempt to address this point but many in the room feel this should be left to local law. Justin Brookman and I took a pass at this language but it shifted to becoming overly prescriptive (legislating via tech standard) so many in the WG asked for local law to determine.
> > > > > > > > > > > >
> > > > > > > > > > > > I would suggest this conversation be extracted from Jonathan's proposal to be handled separately as the rest of proposal has been mostly rejected by those in the WG that are intended to implement DNT in the real-world (on the 1st party/3rd party side).
> > > > > > > > > > > >
> > > > > > > > > > > > More to come in Seattle...
> > > > > > > > > > > >
> > > > > > > > > > > > - Shane
> > > > > > > > > > > >
> > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > From: Tamir Israel [mailto:tisrael@cippic.ca]
> > > > > > > > > > > > Sent: Sunday, June 17, 2012 12:19 PM
> > > > > > > > > > > > To: Shane Wiley
> > > > > > > > > > > > Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
> > > > > > > > > > > > Subject: Re: Identity providers as first parties
> > > > > > > > > > > >
> > > > > > > > > > > > Shane -- I am not remotely attempting doing so.
> > > > > > > > > > > >
> > > > > > > > > > > > As far back as I can see, the spec was going to put conditions on the means by which out of band consent can be sought.
> > > > > > > > > > > >
> > > > > > > > > > > > Jonathan et al's proposal is:
> > > > > > > > > > > >
> > > > > > > > > > > > 1. Actual presentation: The choice mechanism MUST be actually presented to the user. It MUST NOT be on a linked page, such as a terms of service or privacy policy.
> > > > > > > > > > > > 2. Clear terms: The choice mechanism MUST use clear, non-confusing terminology.
> > > > > > > > > > > > 3. Independent choice: The choice mechanism MUST be presented independent of other choices. It MUST NOT be bundled with other user preferences.
> > > > > > > > > > > > 4. No default permission: The choice mechanism MUST NOT have the user permission preference selected by default.
> > > > > > > > > > > >
> > > > > > > > > > > > On 6/17/2012 3:16 PM, Shane Wiley wrote:
> > > > > > > > > > > > > Tamir,
> > > > > > > > > > > > >
> > > > > > > > > > > > > That's up to local laws to determine. Please do not attempt to legislate via W3C tech standard.
> > > > > > > > > > > > >
> > > > > > > > > > > > > - Shane
> > > > > > > > > > > > >
> > > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > > From: Tamir Israel [mailto:tisrael@cippic.ca]
> > > > > > > > > > > > > Sent: Sunday, June 17, 2012 12:14 PM
> > > > > > > > > > > > > To: Shane Wiley
> > > > > > > > > > > > > Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
> > > > > > > > > > > > > Subject: Re: Identity providers as first parties
> > > > > > > > > > > > >
> > > > > > > > > > > > > Shane -- Out of band consent *does* trump DNT-1. We are now trying to define the parameters by which out of band consent can be sought.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Best,
> > > > > > > > > > > > > Tamir
> > > > > > > > > > > > >
> > > > > > > > > > > > > On 6/17/2012 3:11 PM, Shane Wiley wrote:
> > > > > > > > > > > > > > Tamir,
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Out-of-band consent trumps DNT. We've been repeating this mantra for over a year now - becoming repetitive.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > - Shane
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > > > From: Tamir Israel [mailto:tisrael@cippic.ca]
> > > > > > > > > > > > > > Sent: Saturday, June 16, 2012 5:23 PM
> > > > > > > > > > > > > > To: Shane Wiley
> > > > > > > > > > > > > > Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
> > > > > > > > > > > > > > Subject: Re: Identity providers as first parties
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Shane --
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Just so we're really clear: if a user authenticates with Yahoo! on site A and controls preferences on that site, does the out of band consent dialogue Jonathan showed invalidate DNT-1: on site A? in general?
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Best,
> > > > > > > > > > > > > > Tamir
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > On 6/15/2012 11:29 PM, Tamir Israel wrote:
> > > > > > > > > > > > > > > Ok.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > On 6/15/2012 2:07 PM, Shane Wiley wrote:
> > > > > > > > > > > > > > > > DAA Opt-out and single-sign on are not related. There are some implementations where the ID is needed beyond the authentication event and therefore data collection occurs outside of the initial authentication event. Users do NOT need to choose Yahoo! as their ID provider if they feel uncomfortable with that outcome.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > - Shane
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > > > > > From: Tamir Israel [mailto:tisrael@cippic.ca]
> > > > > > > > > > > > > > > > Sent: Friday, June 15, 2012 10:56 AM
> > > > > > > > > > > > > > > > To: Shane Wiley
> > > > > > > > > > > > > > > > Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
> > > > > > > > > > > > > > > > Subject: Re: Identity providers as first parties
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Shane,
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Maybe we are getting sidetracked.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Can you please explain the scope of tracking that results from using Yahoo!'s IdM mechanism? Does it mean you can track all my activities on the specific authenticated site? If so does this carry across multiple explicitly authenticated sites? Does it operate in a manner analogous to single sign-on? How does it interact with the existing DAA opt-out?
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Thanks and best regards,
> > > > > > > > > > > > > > > > Tamir
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > On 6/15/2012 11:28 AM, Shane Wiley wrote:
> > > > > > > > > > > > > > > > > Tamir,
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > Any service gets to determine its own primary purpose - so if OBA is the payment for the service and this is disclosed as a primary purpose, then that's the bargain the users can choose to consent to or not.
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > - Shane
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > > > > > > From: Tamir Israel [mailto:tisrael@cippic.ca]
> > > > > > > > > > > > > > > > > Sent: Friday, June 15, 2012 8:21 AM
> > > > > > > > > > > > > > > > > To: Shane Wiley
> > > > > > > > > > > > > > > > > Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
> > > > > > > > > > > > > > > > > Subject: Re: Identity providers as first parties
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > Shane --
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > There are 2 questions here. One is whether you can bundle in the obligation to consent to secondary purposes as a condition of authentication in an IdM context. The primary service in an IdM context is authentication, not OBA.
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > The second is to what extent the DNT spec should address this. I took the 'independent choice' out of band consent criteria as an attempt to prevent bundling of choices.
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > Best,
> > > > > > > > > > > > > > > > > Tamir
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > On 6/15/2012 11:06 AM, Shane Wiley wrote:
> > > > > > > > > > > > > > > > > > Tamir,
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > But in the use case we're discussing the service being provided is the primary purpose - a user's online identity. A service determines its primary purpose, discloses this to the user, user consents. Case closed.
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > - Shane
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > > > > > > > From: Tamir Israel [mailto:tisrael@cippic.ca]
> > > > > > > > > > > > > > > > > > Sent: Friday, June 15, 2012 8:02 AM
> > > > > > > > > > > > > > > > > > To: Shane Wiley
> > > > > > > > > > > > > > > > > > Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
> > > > > > > > > > > > > > > > > > Subject: Re: Identity providers as first parties
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > Shane, I disagree. Under PIPEDA you should offer users the possibility of opting out of collection, use or disclosure for purposes secondary to the primary service being offered.
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > This is the basis of the opt-out consent scheme being applied to online tracking.
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > Best,
> > > > > > > > > > > > > > > > > > Tamir
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > On 6/15/2012 10:58 AM, Shane Wiley wrote:
> > > > > > > > > > > > > > > > > > > Tamir,
> > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > I disagree and PIPEDA does as well. As long as you're clear to a user what a service provides and a user expressly consents to those practices, the discussion is over.
> > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > Please don't try to raise CA regulatory schemes into conversations on one hand then completely reverse your stance at whim - this seriously undermines your credibility.
> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > - Shane > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > From: Tamir Israel [mailto:tisrael@cippic.ca] > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Sent: Friday, June 15, 2012 7:54 AM > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > To: Shane Wiley > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Cc: Rigo Wenning; public-tracking@w3.org (mailto:public-tracking@w3.org); rob@blaeu.com (mailto:rob@blaeu.com); Kimon > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Zorbas; ifette@google.com (mailto:ifette@google.com); JC Cannon (Microsoft) > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Subject: Re: Identity providers as first parties > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Shane -- > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > The need for independent choice is critical, I think, to the out > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > of band > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > consent scheme. You shouldn't be able to force users out of their DNT > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > choices as a condition of authentication. 
> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Best, > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Tamir > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > On 6/15/2012 10:48 AM, Shane Wiley wrote: > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Rigo, > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > DNT will NEVER trump an out-of-band consent. The user would > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > simply withdraw from using the service they had provided prior > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > consent to. If the product would like to offer two levels of > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > service, it can of course do that, but that would be completely > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > outside the scope of DNT. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > DNT is not the privacy silver bullet and answer to all privacy > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > issues on the Internet - let's stop trying to push it in that > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > direction. 
> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Thank you, > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > - Shane > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > From: Rigo Wenning [mailto:rigo@w3.org] > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Sent: Friday, June 15, 2012 1:28 AM > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > To: public-tracking@w3.org (mailto:public-tracking@w3.org) > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Cc: Shane Wiley; rob@blaeu.com (mailto:rob@blaeu.com); Kimon Zorbas; ifette@google.com (mailto:ifette@google.com); > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Tamir Israel; JC Cannon (Microsoft) > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Subject: Re: Identity providers as first parties > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Shane, Kimon, > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > On Thursday 14 June 2012 16:47:03 Shane Wiley wrote: > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > I’ve used a few others and they appears to do the same so I’m > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > confused as to what real-world identity provider scenario someone > > > > > > > > > > > > > > > > > > > > > > > > > > > > > 
> > > > > > > > > > > > > is considering where consent wasn’t already obtained? > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > I confirm that we agreed that the out-of-band agreement will trump > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > the DNT:1 signal. We also agreed that the service has to signal this > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > to the client. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > I guess, what Rob is trying to achieve is to say, even in this > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > context, a service could offer the choice of stopping to track and > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > only use information for the login/authentication purpose. This > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > could be the meaning of DNT:1 if the Service sends ACK in a > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > login/authentication context. If you're looking for medical > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > information in a login context, you don't want your login provider > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > to spawn that to your insurance. I think this is a very legitimate > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > use case. The service could say: "yes, I see your point" and send > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > ACK instead of "out-of-band". 
> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > We are just defining switches. People will decide whether they > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > switch stuff on or off or provide a switch at all. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Rigo > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >
Received on Monday, 18 June 2012 17:38:27 UTC