- From: Heather West <heatherwest@google.com>
- Date: Mon, 18 Jun 2012 13:44:22 -0400
- To: Jonathan Mayer <jmayer@stanford.edu>
- Cc: Shane Wiley <wileys@yahoo-inc.com>, Tamir Israel <tisrael@cippic.ca>, Rigo Wenning <rigo@w3.org>, "public-tracking@w3.org" <public-tracking@w3.org>, "rob@blaeu.com" <rob@blaeu.com>, Kimon Zorbas <vp@iabeurope.eu>, "ifette@google.com" <ifette@google.com>, "JC Cannon (Microsoft)" <jccannon@microsoft.com>
- Message-ID: <CA+Z3oOaz4HnjPbYRX8=u2qQ5_QMyc_ko7wEijx=JTr+1g5u3oA@mail.gmail.com>
Jonathan, as someone who has provided feedback on the proposal via EFF, I can say that while I suggested edits that would, IMHO, move it closer to the compromise position, giving feedback does not mean that an entity is supportive - just to clarify. I believe others are in the same position. Would be interested to know who is supportive, though I suppose we find out in Seattle.

On Sun, Jun 17, 2012 at 5:51 PM, Jonathan Mayer <jmayer@stanford.edu> wrote:

> Shane,
>
> As I explained in my initial note:
>
> We have received valuable feedback from a number of participant viewpoints, including browser vendors, advertising companies, analytics services, social networks, policymakers, consumer groups, and researchers. Out of respect for the candid nature of those ongoing conversations, we leave it to stakeholders to volunteer their contributions to and views on this proposal.
>
> I would add that more than one advertising company expressed concern about possible retaliation if they broke away from the industry trade groups. I'll leave it to regulators to decide if the industry's practices constitute unfair competition.
>
> Jonathan
>
> On Sunday, June 17, 2012 at 1:51 PM, Shane Wiley wrote:
>
> > Jonathan,
> >
> > Continue to disagree (on many levels). Could you please name those in the online advertising industry that are supportive of the proposal you shared with the WG?
> >
> > Thank you,
> > - Shane
> >
> > *From:* Jonathan Mayer [mailto:jmayer@stanford.edu]
> > *Sent:* Sunday, June 17, 2012 1:42 PM
> > *To:* Shane Wiley
> > *Cc:* Tamir Israel; Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
> > *Subject:* Re: Identity providers as first parties
> >
> > Shane,
> >
> > You and Roy have been vocal in your objections to the EFF/Mozilla/Stanford compromise proposal. I'm disappointed, though given your inflexibility throughout this process, entirely unsurprised.
> >
> > That said, you do not speak for the online advertising industry. Many companies have been more willing to countenance constructive compromise. Your conclusion that advertising industry participants have "mostly rejected" the proposal is inaccurate.
> >
> > Jonathan
> >
> > On Sunday, June 17, 2012 at 12:26 PM, Shane Wiley wrote:
> >
> > Tamir,
> >
> > Jonathan's proposal does attempt to address this point but many in the room feel this should be left to local law. Justin Brookman and I took a pass at this language but it shifted to becoming overly prescriptive (legislating via tech standard) so many in the WG asked for local law to determine.
> >
> > I would suggest this conversation be extracted from Jonathan's proposal to be handled separately as the rest of proposal has been mostly rejected by those in the WG that are intended to implement DNT in the real-world (on the 1st party/3rd party side).
> >
> > More to come in Seattle...
> >
> > - Shane
> >
> > -----Original Message-----
> > From: Tamir Israel [mailto:tisrael@cippic.ca]
> > Sent: Sunday, June 17, 2012 12:19 PM
> > To: Shane Wiley
> > Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
> > Subject: Re: Identity providers as first parties
> >
> > Shane -- I am not remotely attempting to do so.
> >
> > As far back as I can see, the spec was going to put conditions on the means by which out of band consent can be sought.
> >
> > Jonathan et al's proposal is:
> >
> > 1. Actual presentation: The choice mechanism MUST be actually presented to the user. It MUST NOT be on a linked page, such as a terms of service or privacy policy.
> > 2. Clear terms: The choice mechanism MUST use clear, non-confusing terminology.
> > 3. Independent choice: The choice mechanism MUST be presented independent of other choices. It MUST NOT be bundled with other user preferences.
> > 4. No default permission: The choice mechanism MUST NOT have the user permission preference selected by default.
> >
> > On 6/17/2012 3:16 PM, Shane Wiley wrote:
> >
> > Tamir,
> >
> > That's up to local laws to determine. Please do not attempt to legislate via W3C tech standard.
> >
> > - Shane
> >
> > -----Original Message-----
> > From: Tamir Israel [mailto:tisrael@cippic.ca]
> > Sent: Sunday, June 17, 2012 12:14 PM
> > To: Shane Wiley
> > Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
> > Subject: Re: Identity providers as first parties
> >
> > Shane -- Out of band consent *does* trump DNT-1. We are now trying to define the parameters by which out of band consent can be sought.
> >
> > Best,
> > Tamir
> >
> > On 6/17/2012 3:11 PM, Shane Wiley wrote:
> >
> > Tamir,
> >
> > Out-of-band consent trumps DNT. We've been repeating this mantra for over a year now - becoming repetitive.
> >
> > - Shane
> >
> > -----Original Message-----
> > From: Tamir Israel [mailto:tisrael@cippic.ca]
> > Sent: Saturday, June 16, 2012 5:23 PM
> > To: Shane Wiley
> > Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
> > Subject: Re: Identity providers as first parties
> >
> > Shane --
> >
> > Just so we're really clear: if a user authenticates with Yahoo! on site A and controls preferences on that site, does the out of band consent dialogue Jonathan showed invalidate DNT-1: on site A? in general?
> >
> > Best,
> > Tamir
> >
> > On 6/15/2012 11:29 PM, Tamir Israel wrote:
> >
> > Ok.
> >
> > On 6/15/2012 2:07 PM, Shane Wiley wrote:
> >
> > DAA Opt-out and single-sign on are not related. There are some implementations where the ID is needed beyond the authentication event and therefore data collection occurs outside of the initial authentication event. Users do NOT need to choose Yahoo! as their ID provider if they feel uncomfortable with that outcome.
> >
> > - Shane
> >
> > -----Original Message-----
> > From: Tamir Israel [mailto:tisrael@cippic.ca]
> > Sent: Friday, June 15, 2012 10:56 AM
> > To: Shane Wiley
> > Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
> > Subject: Re: Identity providers as first parties
> >
> > Shane,
> >
> > Maybe we are getting sidetracked.
> >
> > Can you please explain the scope of tracking that results from using Yahoo!'s IdM mechanism? Does it mean you can track all my activities on the specific authenticated site? If so does this carry across multiple explicitly authenticated sites? Does it operate in a manner analogous to single sign-on? How does it interact with the existing DAA opt-out?
> >
> > Thanks and best regards,
> > Tamir
> >
> > On 6/15/2012 11:28 AM, Shane Wiley wrote:
> >
> > Tamir,
> >
> > Any service gets to determine its own primary purpose - so if OBA is the payment for the service and this is disclosed as a primary purpose, then that's the bargain the users can choose to consent to or not.
> >
> > - Shane
> >
> > -----Original Message-----
> > From: Tamir Israel [mailto:tisrael@cippic.ca]
> > Sent: Friday, June 15, 2012 8:21 AM
> > To: Shane Wiley
> > Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
> > Subject: Re: Identity providers as first parties
> >
> > Shane --
> >
> > There are 2 questions here. One is whether you can bundle in the obligation to consent to secondary purposes as a condition of authentication in an IdM context. The primary service in an IdM context is authentication, not OBA.
> >
> > The second is to what extent the DNT spec should address this. I took the 'independent choice' out of band consent criteria as an attempt to prevent bundling of choices.
> >
> > Best,
> > Tamir
> >
> > On 6/15/2012 11:06 AM, Shane Wiley wrote:
> >
> > Tamir,
> >
> > But in the use case we're discussing the service being provided is the primary purpose - a user's online identity. A service determines its primary purpose, discloses this to the user, user consents. Case closed.
> >
> > - Shane
> >
> > -----Original Message-----
> > From: Tamir Israel [mailto:tisrael@cippic.ca]
> > Sent: Friday, June 15, 2012 8:02 AM
> > To: Shane Wiley
> > Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
> > Subject: Re: Identity providers as first parties
> >
> > Shane, I disagree. Under PIPEDA you should offer users the possibility of opting out of collection, use or disclosure for purposes secondary to the primary service being offered.
> >
> > This is the basis of the opt-out consent scheme being applied to online tracking.
> >
> > Best,
> > Tamir
> >
> > On 6/15/2012 10:58 AM, Shane Wiley wrote:
> >
> > Tamir,
> >
> > I disagree and PIPEDA does as well. As long as you're clear to a user what a service provides and a user expressly consents to those practices, the discussion is over.
> >
> > Please don't try to raise CA regulatory schemes into conversations on one hand then completely reverse your stance at whim - this seriously undermines your credibility.
> >
> > - Shane
> >
> > -----Original Message-----
> > From: Tamir Israel [mailto:tisrael@cippic.ca]
> > Sent: Friday, June 15, 2012 7:54 AM
> > To: Shane Wiley
> > Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
> > Subject: Re: Identity providers as first parties
> >
> > Shane --
> >
> > The need for independent choice is critical, I think, to the out of band consent scheme. You shouldn't be able to force users out of their DNT choices as a condition of authentication.
> >
> > Best,
> > Tamir
> >
> > On 6/15/2012 10:48 AM, Shane Wiley wrote:
> >
> > Rigo,
> >
> > DNT will NEVER trump an out-of-band consent. The user would simply withdraw from using the service they had provided prior consent to. If the product would like to offer two levels of service, it can of course do that, but that would be completely outside the scope of DNT.
> >
> > DNT is not the privacy silver bullet and answer to all privacy issues on the Internet - let's stop trying to push it in that direction.
> >
> > Thank you,
> > - Shane
> >
> > -----Original Message-----
> > From: Rigo Wenning [mailto:rigo@w3.org]
> > Sent: Friday, June 15, 2012 1:28 AM
> > To: public-tracking@w3.org
> > Cc: Shane Wiley; rob@blaeu.com; Kimon Zorbas; ifette@google.com; Tamir Israel; JC Cannon (Microsoft)
> > Subject: Re: Identity providers as first parties
> >
> > Shane, Kimon,
> >
> > On Thursday 14 June 2012 16:47:03 Shane Wiley wrote:
> > > I’ve used a few others and they appear to do the same so I’m confused as to what real-world identity provider scenario someone is considering where consent wasn’t already obtained?
> >
> > I confirm that we agreed that the out-of-band agreement will trump the DNT:1 signal. We also agreed that the service has to signal this to the client.
> >
> > I guess, what Rob is trying to achieve is to say, even in this context, a service could offer the choice of stopping to track and only use information for the login/authentication purpose. This could be the meaning of DNT:1 if the Service sends ACK in a login/authentication context. If you're looking for medical information in a login context, you don't want your login provider to spawn that to your insurance. I think this is a very legitimate use case. The service could say: "yes, I see your point" and send ACK instead of "out-of-band".
> >
> > We are just defining switches. People will decide whether they switch stuff on or off or provide a switch at all.
> >
> > Rigo

--
Heather West | Google Policy | heatherwest@google.com | 202-643-6381
Received on Monday, 18 June 2012 17:45:14 UTC