Re: Identity providers as first parties

Jonathan, I never suggested sending back dnt 1 and then tracking the user,
which I think people would infer from "do whatever they want". "Do whatever
they want" is a gross mischaracterization.

On Jun 18, 2012 10:37 AM, "Jonathan Mayer" <jmayer@stanford.edu> wrote:

>  Ian,
>
> I stand by that quote in its entirety.
>
> You have frequently expressed the view that companies, including Google,
> are under no obligation to implement Do Not Track.  And if a company does
> implement Do Not Track, it is free to deviate from the W3C standard so long
> as it is transparent.  You have reaffirmed this view on the mailing list a
> number of times.  Here are snippets from five separate emails:
>
> There's other people in the working group, myself included, who feel that
> since you are under no obligation to honor DNT in the first place (it is
> voluntary and nothing is binding until you tell the user "Yes, I am
> honoring your DNT request") that you already have an option to reject a
> DNT:1 request (for instance, by sending no DNT response headers).
>
> With all due respect, I think you've already heard from a number of
> companies that they will not honor such a signal. The question at hand is
> not whether or not that should be allowed -- the W3C has no power to force
> a company to honor DNT -- but rather how that company's decision should be
> signaled.
>
> A site is already under no obligation to conform to DNT.
>
> From the beginning, I thought everyone understood that no one could force
> a website to implement DNT. . . . I'm trying to take a pragmatic view here,
> and merely ask the question "If a website chooses to implement DNT for a
> subset of users, what is the best way for the website to signal that."
>
> If the site says "I support DNT under the following circumstances" and is
> clear about that, and you are outside of those circumstances, I don't think
> you have any reason to be surprised.
>
> While the minutes of the call are (as usual) a bit thin, here are three
> instances where you appear to have expressed the same view:
>
> <ifette> no one requires a site to implement DNT
>
> ifette: nothing requiring site to honor DNT, site can just say 'nope, not
> compliant'.
>
> <ifette> the site then has to decide whether to accept that expression of
> your preference or not. It shouldn't lie to you about what it's doing, but
> it's under no obligation -- you don't get to dictate terms ;-)
>
> As for the latter part of the quote: while it is no secret to members of
> this group that economic considerations are a leading cause of objections
> to Do Not Track, many advertising companies had been quite reluctant to
> publicly note as much following the White House festivities.  Arguments
> tended instead to be couched in terms of user empowerment and choice.
>
> The renewed focus on defaults changed that.  Many advertising companies
> began emphasizing the possible negative economic effects of large numbers
> of DNT users.  You yourself got into a lengthy, contentious debate of the
> topic with Lorrie Cranor on a CMU mailing list.  (I'm not going to post
> that conversation since, as I understand it, the list is closed.)
>
> Let me wrap by explaining how these press interactions work.  I don't
> solicit media coverage; reporters call me.  They ask what's going on with
> Do Not Track.  Given the premium I place on public transparency in this
> process, I answer candidly.  I make every effort to ensure that I am
> accurate and fair.  And I direct reporters to other members of the group to
> confirm details.
>
> I've now burned a couple hours on a take-home exam responding to Do Not
> Track emails.  I don't expect I'll be able to chime in again before the
> Bellevue meeting.  If you or anyone else would like to discuss this
> further, I'd be glad to chat during a break.
>
> Jonathan
>
>  On Monday, June 18, 2012 at 9:36 AM, Jeffrey Chester wrote:
>
> I hadn't seen this.  But I think Jonathan was correct in his
> characterization.  Many privacy advocates hope that Google will provide
> greater leadership to adopt a meaningful DNT standard.  We are waiting to
> see its plans to ensure the spec protects privacy.
>
> Jeff
>
>
> On Jun 18, 2012, at 12:31 PM, Ian Fette (イアンフェッティ) wrote:
>
> Jeff,
>
> With respect,
>
>
> "It's not clear to what extent we'll get an agreement on this," Mayer told
> CNNMoney. "One of Google's representatives said on the call that the
> company will be able to do whatever it wants anyways. I'm stunned at how
> transparent some of these companies were -- they just want to minimize the
> number of Do Not Track users, period."
>
> http://money.cnn.com/2012/06/07/technology/do-not-track/index.htm
>
> That type of behaviour is not something one would expect from someone who
> bills themselves as being a "tough-but-fair negotiator."
>
> -Ian
>
> On Mon, Jun 18, 2012 at 9:27 AM, Jeffrey Chester <jeff@democraticmedia.org> wrote:
>
> Ian:  I suggest that what reporters are doing is merely reading the texts
> posted.  That what's been written says a great deal about both personal
> views and--one assumes--the position taken by the CEO and board on DNT and
> the spec.  There hasn't been anything taken out of context I know about.
>  See you soon.
>
> Jeff
>
>
>
> On Jun 18, 2012, at 12:24 PM, Ian Fette (イアンフェッティ) wrote:
>
> Jeff,
>
> That's precisely the problem. Certain people from this working group seem
> to have no problem taking statements made on calls and feeding warped
> versions of those statements to reporters; such tactics do not typically go
> far when one is trying to be a "negotiator" to reach a "grand compromise".
> (Also, most "negotiators" whom I have seen be successful in the past,
> hostage negotiators excepted, have been neutral uninterested third parties,
> not someone with a clear axe to grind.)
>
> -Ian
>
> On Mon, Jun 18, 2012 at 9:21 AM, Jeffrey Chester <jeff@democraticmedia.org> wrote:
>
> Alan:  I find your language and tone troubling.  I hope you know that many
> people are looking at this thread.  Our communications say a great deal
> about ourselves, inc to the EU, FTC and media watching this thread closely.
>  Maybe even Fox News!
>
> Jeff
>
>
>
> On Jun 18, 2012, at 12:17 PM, Alan Chapell wrote:
>
> I have no issue with your personality. My issue is with your tactics.
> Assuming you can cease utilizing tactics that seem unproductive at best,
> then I think you will see fewer emails directed at you; criticizing those
> tactics.
>
> This will be my last note on this matter – I'm hopeful and optimistic that
> we can move forward productively from here….
>
>
> Alan
>
>
> From: Jonathan Mayer <jmayer@stanford.edu>
> Date: Monday, June 18, 2012 12:08 PM
> To: Jeffrey Chester <jeff@democraticmedia.org>
> Cc: Alan Chapell <achapell@chapellassociates.com>, Mike Zaneis
> <mike@iab.net>, Shane Wiley <wileys@yahoo-inc.com>, Tamir Israel
> <tisrael@cippic.ca>, Rigo Wenning <rigo@w3.org>, "public-tracking@w3.org"
> <public-tracking@w3.org>, "rob@blaeu.com" <rob@blaeu.com>, Kimon Zorbas
> <vp@iabeurope.eu>, "ifette@google.com" <ifette@google.com>, "JC Cannon
> (Microsoft)" <jccannon@microsoft.com>
> Subject: Re: Identity providers as first parties
>
>  This thread has devolved into a Fox News-esque referendum on my
> personality. It's both a distraction and ineffectual—those who have
> collaborated with me over the past year know I'm a tireless, tough-but-fair
> negotiator.
>
> Enough. Back to substance.
>
> Jonathan
>
> On Monday, June 18, 2012 at 5:33 AM, Jeffrey Chester wrote:
>
> Jonathan has played an extraordinarily productive role, with insights,
> urging compromise (when people like me looked with dismay about the lack
> of progress in achieving real privacy safeguards so far), and leadership.
>  As I have explained to officials, we have not yet seen serious compromise
> from industry to ensure DNT is a spec that protects privacy.  Jonathan
> wants us to all do better, as do I.   We all know--or should--that what we
> are doing is being closely watched on both sides of the Atlantic by the
> press and policymakers.  It would be a serious loss if we don't make
> progress in Seattle.
>
> Jeff Chester
> Center for Digital Democracy
> Washington DC
> www.democraticmedia.org
> Jeff@democraticmedia.org
>
> On Jun 18, 2012, at 5:19 AM, Alan Chapell <achapell@chapellassociates.com>
> wrote:
>
> Jonathan,
>
> Taking you at your word that your goal is to attain consensus, I would
> humbly suggest that the tactics you are using – particularly over the past
> several weeks – seem at odds with that goal. I'm hopeful that your latest
> email is an indication that we'll see more compromise and fewer juvenile barbs
> when we arrive in Bellevue.
>
> And for the record, as someone from industry – I strongly favor the
> proposal proffered by Shane et al.
>
> Cheers,
>
> Alan Chapell
> Chapell & Associates
> 917 318 8440
>
>
> From: Jonathan Mayer <jmayer@stanford.edu>
> Date: Monday, June 18, 2012 2:06 AM
> To: Mike Zaneis <mike@iab.net>
> Cc: Shane Wiley <wileys@yahoo-inc.com>, Tamir Israel <tisrael@cippic.ca>,
> Rigo Wenning <rigo@w3.org>, "public-tracking@w3.org"
> <public-tracking@w3.org>, "rob@blaeu.com" <rob@blaeu.com>, Kimon Zorbas
> <vp@iabeurope.eu>, "ifette@google.com" <ifette@google.com>, "JC Cannon
> (Microsoft)" <jccannon@microsoft.com>
> Subject: Re: Identity providers as first parties
> Resent-From: <public-tracking@w3.org>
> Resent-Date: Mon, 18 Jun 2012 06:07:15 +0000
>
> Shane and Mike,
>
> As the Bellevue meeting approaches, this group's sole focus must be
> attaining consensus on a moderate compromise.  I'm doing everything I can
> to facilitate that goal.  I have neither the time nor patience to swap
> puerile barbs for cheap political points.  There's far too much at stake.
>
> Jonathan
>
> On Sunday, June 17, 2012 at 6:58 PM, Mike Zaneis wrote:
>
> Jonathan,
>
> Can you please elaborate on these very serious claims you have made in
> back to back posts?  First, you attack two of the most engaged, productive
> members of the working group (Shane and Roy who are both editors) and claim
> they do not speak for the online advertising industry, yet you did not
> point to any companies or public statements of support for your position.
> As someone who DOES speak for the industry, I know that Shane and Roy
> raise issues that THE industry shares. Please provide substantiation for
> your claims.
>
> As for the unfair competition claims, that is laughable. The only legal
> claim we should be discussing is one of liable for such ridiculous
> statements.
>
> Mike Zaneis
> SVP & General Counsel, IAB
> (202) 253-1466
>
> On Jun 17, 2012, at 5:52 PM, "Jonathan Mayer" <jmayer@stanford.edu> wrote:
>
> Shane,
>
> As I explained in my initial note:
>
> We have received valuable feedback from a number of participant
> viewpoints, including browser vendors, advertising companies, analytics
> services, social networks, policymakers, consumer groups, and researchers.
>  Out of respect for the candid nature of those ongoing conversations, we
> leave it to stakeholders to volunteer their contributions to and views on
> this proposal.
>
> I would add that more than one advertising company expressed concern about
> possible retaliation if they broke away from the industry trade groups.
>  I'll leave it to regulators to decide if the industry's practices
> constitute unfair competition.
>
> Jonathan
>
> On Sunday, June 17, 2012 at 1:51 PM, Shane Wiley wrote:
>
> Jonathan,
>
> Continue to disagree (on many levels).  Could you please name those in the
> online advertising industry that are supportive of the proposal you shared
> with the WG?
>
> Thank you,
> - Shane
>
> *From:* Jonathan Mayer [mailto:jmayer@stanford.edu]
> *Sent:* Sunday, June 17, 2012 1:42 PM
> *To:* Shane Wiley
> *Cc:* Tamir Israel; Rigo Wenning; public-tracking@w3.org; rob@blaeu.com;
> Kimon Zorbas; ifette@google.com; JC Cannon (Microsoft)
> *Subject:* Re: Identity providers as first parties
>
> Shane,
>
> You and Roy have been vocal in your objections to the EFF/Mozilla/Stanford
> compromise proposal. I'm disappointed, though given your inflexibility
> throughout this process, entirely unsurprised.
>
> That said, you do not speak for the online advertising industry. Many
> companies have been more willing to countenance constructive compromise.
> Your conclusion that advertising industry participants have "mostly
> rejected" the proposal is inaccurate.
>
> Jonathan
>
> On Sunday, June 17, 2012 at 12:26 PM, Shane Wiley wrote:
>
> Tamir,
>
> Jonathan's proposal does attempt to address this point but many in the
> room feel this should be left to local law. Justin Brookman and I took a
> pass at this language but it shifted to becoming overly prescriptive
> (legislating via tech standard) so many in the WG asked for local law to
> determine.
>
> I would suggest this conversation be extracted from Jonathan's proposal to
> be handled separately as the rest of proposal has been mostly rejected by
> those in the WG that are intended to implement DNT in the real-world (on
> the 1st party/3rd party side).
>
> More to come in Seattle...
>
> - Shane
>
> -----Original Message-----
> From: Tamir Israel [mailto:tisrael@cippic.ca]
> Sent: Sunday, June 17, 2012 12:19 PM
> To: Shane Wiley
> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas;
> ifette@google.com; JC Cannon (Microsoft)
> Subject: Re: Identity providers as first parties
>
> Shane -- I am not remotely attempting to do so.
>
> As far back as I can see, the spec was going to put conditions on the
> means by which out of band consent can be sought.
>
> Jonathan et al's proposal is:
>
> 1. Actual presentation: The choice mechanism MUST be actually presented
> to the user. It MUST NOT be on a linked page, such as a terms of service
> or privacy policy.
> 2. Clear terms: The choice mechanism MUST use clear, non-confusing
> terminology.
> 3. Independent choice: The choice mechanism MUST be presented
> independent of other choices. It MUST NOT be bundled with other user
> preferences.
> 4. No default permission: The choice mechanism MUST NOT have the user
> permission preference selected by default.
>
> On 6/17/2012 3:16 PM, Shane Wiley wrote:
>
> Tamir,
>
> That's up to local laws to determine. Please do not attempt to legislate
> via W3C tech standard.
>
> - Shane
>
> -----Original Message-----
> From: Tamir Israel [mailto:tisrael@cippic.ca]
> Sent: Sunday, June 17, 2012 12:14 PM
> To: Shane Wiley
> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas;
> ifette@google.com; JC Cannon (Microsoft)
> Subject: Re: Identity providers as first parties
>
> Shane -- Out of band consent *does* trump DNT-1. We are now trying to
> define the parameters by which out of band consent can be sought.
>
> Best,
> Tamir
>
> On 6/17/2012 3:11 PM, Shane Wiley wrote:
>
> Tamir,
>
> Out-of-band consent trumps DNT. We've been repeating this mantra for over
> a year now - becoming repetitive.
>
> - Shane
>
> -----Original Message-----
> From: Tamir Israel [mailto:tisrael@cippic.ca]
> Sent: Saturday, June 16, 2012 5:23 PM
> To: Shane Wiley
> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas;
> ifette@google.com; JC Cannon (Microsoft)
> Subject: Re: Identity providers as first parties
>
> Shane --
>
> Just so we're really clear: if a user authenticates with Yahoo! on site
> A and controls preferences on that site, does the out of band consent
> dialogue Jonathan showed invalidate DNT-1: on site A? in general?
>
> Best,
> Tamir
>
> On 6/15/2012 11:29 PM, Tamir Israel wrote:
>
> Ok.
>
> On 6/15/2012 2:07 PM, Shane Wiley wrote:
>
> DAA Opt-out and single-sign on are not related. There are some
> implementations where the ID is needed beyond the authentication
> event and therefore data collection occurs outside of the initial
> authentication event. Users do NOT need to choose Yahoo! as their ID
> provider if they feel uncomfortable with that outcome.
>
> - Shane
>
> -----Original Message-----
> From: Tamir Israel [mailto:tisrael@cippic.ca]
> Sent: Friday, June 15, 2012 10:56 AM
> To: Shane Wiley
> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas;
> ifette@google.com; JC Cannon (Microsoft)
> Subject: Re: Identity providers as first parties
>
> Shane,
>
> Maybe we are getting sidetracked.
>
> Can you please explain the scope of tracking that results from using
> Yahoo!'s IdM mechanism? Does it mean you can track all my activities on
> the specific authenticated site? If so does this carry across multiple
> explicitly authenticated sites? Does it operate in a manner analogous to
> single sign-on? How does it interact with the existing DAA opt-out?
>
> Thanks and best regards,
> Tamir
>
> On 6/15/2012 11:28 AM, Shane Wiley wrote:
>
> Tamir,
>
> Any service gets to determine its own primary purpose - so if OBA is
> the payment for the service and this is disclosed as a primary
> purpose, then that's the bargain the users can choose to consent to
> or not.
>
> - Shane
>
> -----Original Message-----
> From: Tamir Israel [mailto:tisrael@cippic.ca]
> Sent: Friday, June 15, 2012 8:21 AM
> To: Shane Wiley
> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas;
> ifette@google.com; JC Cannon (Microsoft)
> Subject: Re: Identity providers as first parties
>
> Shane --
>
> There are 2 questions here. One is whether you can bundle in the
> obligation to consent to secondary purposes as a condition of
> authentication in an IdM context. The primary service in an IdM context
> is authentication, not OBA.
>
> The second is to what extent the DNT spec should address this. I took
> the 'independent choice' out of band consent criteria as an attempt to
> prevent bundling of choices.
>
> Best,
> Tamir
>
> On 6/15/2012 11:06 AM, Shane Wiley wrote:
>
> Tamir,
>
> But in the use case we're discussing the service being provided is
> the primary purpose - a user's online identity. A service
> determines its primary purpose, discloses this to the user, user
> consents. Case closed.
>
> - Shane
>
> -----Original Message-----
> From: Tamir Israel [mailto:tisrael@cippic.ca]
> Sent: Friday, June 15, 2012 8:02 AM
> To: Shane Wiley
> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas;
> ifette@google.com; JC Cannon (Microsoft)
> Subject: Re: Identity providers as first parties
>
> Shane, I disagree. Under PIPEDA you should offer users the possibility
> of opting out of collection, use or disclosure for purposes secondary to
> the primary service being offered.
>
> This is the basis of the opt-out consent scheme being applied to online
> tracking.
>
> Best,
> Tamir
>
> On 6/15/2012 10:58 AM, Shane Wiley wrote:
>
> Tamir,
>
> I disagree and PIPEDA does as well. As long as you're clear to a
> user what a service provides and a user expressly consents to
> those practices, the discussion is over.
>
> Please don't try to raise CA regulatory schemes into conversations
> on one hand then completely reverse your stance at whim - this
> seriously undermines your credibility.
>
> - Shane
>
> -----Original Message-----
> From: Tamir Israel [mailto:tisrael@cippic.ca]
> Sent: Friday, June 15, 2012 7:54 AM
> To: Shane Wiley
> Cc: Rigo Wenning; public-tracking@w3.org; rob@blaeu.com; Kimon Zorbas;
> ifette@google.com; JC Cannon (Microsoft)
> Subject: Re: Identity providers as first parties
>
> Shane --
>
> The need for independent choice is critical, I think, to the out of band
> consent scheme. You shouldn't be able to force users out of their DNT
> choices as a condition of authentication.
>
> Best,
> Tamir
>
> On 6/15/2012 10:48 AM, Shane Wiley wrote:
>
> Rigo,
>
> DNT will NEVER trump an out-of-band consent. The user would
> simply withdraw from using the service they had provided prior
> consent to. If the product would like to offer two levels of
> service, it can of course do that, but that would be completely
> outside the scope of DNT.
>
> DNT is not the privacy silver bullet and answer to all privacy
> issues on the Internet - let's stop trying to push it in that
> direction.
>
> Thank you,
> - Shane
>
> -----Original Message-----
> From: Rigo Wenning [mailto:rigo@w3.org]
> Sent: Friday, June 15, 2012 1:28 AM
> To: public-tracking@w3.org
> Cc: Shane Wiley; rob@blaeu.com; Kimon Zorbas; ifette@google.com;
> Tamir Israel; JC Cannon (Microsoft)
> Subject: Re: Identity providers as first parties
>
> Shane, Kimon,
>
> On Thursday 14 June 2012 16:47:03 Shane Wiley wrote:
>
> I’ve used a few others and they appear to do the same so I’m
> confused as to what real-world identity provider scenario someone
> is considering where consent wasn’t already obtained?
>
> I confirm that we agreed that the out-of-band agreement will trump
> the DNT:1 signal. We also agreed that the service has to signal this
> to the client.
>
> I guess, what Rob is trying to achieve is to say, even in this
> context, a service could offer the choice of stopping to track and
> only use information for the login/authentication purpose. This
> could be the meaning of DNT:1 if the Service sends ACK in a
> login/authentication context. If you're looking for medical
> information in a login context, you don't want your login provider
> to spawn that to your insurance. I think this is a very legitimate
> use case. The service could say: "yes, I see your point" and send
> ACK instead of "out-of-band".
>
> We are just defining switches. People will decide whether they
> switch stuff on or off or provide a switch at all.
>
> Rigo

Received on Monday, 18 June 2012 17:50:57 UTC