Re: Identity providers as first parties from Jonathan Mayer on 2012-06-15 (public-tracking@w3.org from June 2012)

From: Jonathan Mayer <jmayer@stanford.edu>
Date: Thu, 14 Jun 2012 17:26:06 -0700
To: Shane Wiley <wileys@yahoo-inc.com>
Cc: "rob@blaeu.com" <rob@blaeu.com>, Kimon Zorbas <vp@iabeurope.eu>, "ifette@google.com" <ifette@google.com>, Tamir Israel <tisrael@cippic.ca>, "JC Cannon (Microsoft)" <jccannon@microsoft.com>, "public-tracking@w3.org Group WG" <public-tracking@w3.org>
Message-ID: <F611AE53366A4961B5C70175450DD0FB@gmail.com>
Shane,  

I've attached a screenshot of Yahoo's OpenID flow for logging into LiveJournal.  It seems quite clear that LiveJournal will receive some sign-in information from Yahoo, but there's no particularly apparent notice that Yahoo could learn about user activity on LiveJournal.  Do you believe this current UI is sufficient out-of-band consent for Yahoo to learn about a DNT user's post-sign-in behavior on LiveJournal?

Thanks,
Jonathan


On Thursday, June 14, 2012 at 4:47 PM, Shane Wiley wrote:

>  
> Yahoo! is also an identity provider (OpenAuth & OpenID) and present users with detailed permission details prior to accepting their consent.  I believe this group would consider that “out-of-band consent” and therefore any data collection, retention, or use from that point forward is no longer subject to DNT unless there is a new use contemplated where consent was not yet received (which in our world at least we wouldn’t engage in until we had updated consent).  
>  
>  
>   
>  
>  
> I’ve used a few others and they appears to do the same so I’m confused as to what real-world identity provider scenario someone is considering where consent wasn’t already obtained?
>  
>  
>   
>  
>  
> - Shane
>  
>  
>   
>  
>  
> From: Rob van Eijk [mailto:rob@blaeu.com]  
> Sent: Thursday, June 14, 2012 3:52 PM
> To: Kimon Zorbas
> Cc: ifette@google.com (mailto:ifette@google.com); Tamir Israel; JC Cannon (Microsoft); public-tracking@w3.org (mailto:public-tracking@w3.org) Group WG
> Subject: Re: Identity providers as first parties
>  
>  
>  
>  
>   
>  
>  
> We are talking about the same scenario. JC gave the use case a bit more context: "There may be cases where the identity provider supplies ongoing profile or configuration information on behalf of the user. (...)"
>  
> My point is that I disagree that the general terms & conditions, suffices when it comes to seeing the phenomena in a DNT context. I would rather see normative text on use limitations IF you wanted to bring this use case into the scope of DNT=1.  
>  
> Personally I think it fits in the DNT scope nicely. Identity providers have an important role on the Web, and having normative text in the standard that reassures trust makes sense to me. I
>  
> On 15-6-2012 0:25, Kimon Zorbas wrote:  
>  
>  
> Apologies if I miss the point or get the wrong context here.
>  
>  
>  
>  
>  
>   
>  
>  
>  
> Are we not speaking about the scenario, where I log-in on website X with my –e.g.- Facebook credentials? If Facebook uses or not the data from the log-in (subsequent data collection on website X) depends on whether I agreed to it in the general terms & conditions / privacy notice with Facebook. (Let aside that users probably think Facebook shares "a lot of data" with website X). [And in Europe that need to be in line with the law (which structured properly,it does).]
>  
>  
>  
>   
>  
>  
>  
> I am not sure what we are trying to achieve in terms of bringing such uses into the scope of DNT. Please enlighten me.
>  
>  
>  
>   
>  
>  
>  
> Kimon
>  
>  
>  
>   
>  
>  
>  
> From: Rob van Eijk <rob@blaeu.com (mailto:rob@blaeu.com)>
> Reply-To: "rob@blaeu.com (mailto:rob@blaeu.com)" <rob@blaeu.com (mailto:rob@blaeu.com)>
> Date: Friday 15 June 2012 00:08
> To: "ifette@google.com (mailto:ifette@google.com)" <ifette@google.com (mailto:ifette@google.com)>
> Cc: Tamir Israel <tisrael@cippic.ca (mailto:tisrael@cippic.ca)>, JC Cannon <jccannon@microsoft.com (mailto:jccannon@microsoft.com)>, "public-tracking@w3.org (mailto:public-tracking@w3.org) Group WG" <public-tracking@w3.org (mailto:public-tracking@w3.org)>
> Subject: Re: Identity providers as first parties
> Resent-From: <public-tracking@w3.org (mailto:public-tracking@w3.org)>
> Resent-Date: Friday 15 June 2012 00:09
>  
>  
>  
>   
>  
>  
>  
> I am not proclaiming data silo-ing. Normative text addressing the fact that data must only be used for the purpose intended is useful in my opinion. Purpose limitation doesn't necessarily imply technical safeguards. If a party claims to be compliant with DNT, such normative text can put limits. The carve out you might be looking for is legitimate business interests, under which I see security, in this specific context. So I think it can fly with tailwind:
>  
> Identity providers must not use user data beyond the purpose of identification and authentication unless this user data is needed for a legitimate business interest like for example fraudulent login attempts across multiple third party sites.
>  
>  
> On 14-6-2012 23:48, Ian Fette (イアンフェッティ) wrote:  
>  
>  
> Define "help" :-)  
>  
>  
>   
>  
>  
>  
> I can tell you that as an identity provider, there is no way I would silo this data as that would cause huge problems, e.g. I detect someone trying to compromise your account via one access mechanism and there's nothing I can do because it's siloed off? Or I can't rate limit authentication attempts because each third party is separate? Not going to fly.
>  
>  
>  
>   
>  
>  
>  
> In other words, define what you mean by "those extra things."
>  
> On Thursday, June 14, 2012, Rob van Eijk wrote:
>  
>  
> identification and authentication is far from our starting point, however an interesting use case.  
> If identity providers are in the business of using the knowledge for different purposes then what the user intended (ie logging into a service), then for those extra things, the identity providers should be submitted to the DNT preference signal. Would that help?
>  
> Rob
>  
>  
> On 14-6-2012 19:46, Ian Fette (イアンフェッティ) wrote:  
>  
>  
> I think this would probably be ok. I want to be clear though that I would not expect data siloing here. E.g. We are going to watch for fraudulent login attempts across multiple third party sites yada yada yada.
>  
> On Thursday, June 14, 2012, Tamir Israel wrote:
>  
>  
> Would this be workable?  
>  
> Treat the IdP as first party for the authentication process itself on the basis of substantial interaction, but leave significant downstream personalization to out-of-band consent (I think this can be acquired as part of the authentication process in those cases where it is envisions a need to do so).
>  
> On 6/14/2012 11:36 AM, JC Cannon wrote:  
>  
> No, that’s a different scenario. The identity provider is supplying the first-party site information on behalf of the user to simplify transfer of data.
>   
> JC
>   
> From: Tamir Israel [mailto:tisrael@cippic.ca]  
> Sent: Thursday, June 14, 2012 6:35 AM
> To: JC Cannon
> Cc: ifette@google.com (mailto:ifette@google.com); public-tracking@w3.org (mailto:public-tracking@w3.org) Group WG
> Subject: Re: Identity providers as first parties
>   
> Ok.  
>  
> Could/should some of this fall under Jonathan's outsourcing scenario?
>  
> 3.3.2.3 Outsourcing
> A first party MAY outsource website functionality to a third party, in which case the third party may act as the first party under this standard with the following additional restrictions.
>  
> With accompanying conditions?
>  
>  
> On 6/13/2012 10:29 AM, JC Cannon wrote:  
> There may be cases where the identity provider supplies ongoing profile or configuration information on behalf of the user.
>   
> JC
>   
> -----Original Message-----
> From: Tamir Israel [mailto:tisrael@cippic.ca]  
> Sent: Wednesday, June 13, 2012 7:25 AM
> To: ifette@google.com (mailto:ifette@google.com)
> Cc: public-tracking@w3.org (mailto:public-tracking@w3.org) Group WG
> Subject: Re: Identity providers as first parties
>   
> Hi Ian,
>   
> I'm not certain this is as clear as you imply. The entire concept of a federated identity system, for example, is to segregate the identity provider from any processing tasks beyond identity authentication. I would not expect an OpenID identity provider, for example, to suddenly become a 1st party simply because I used it to sign in). The role of that provider should be completed once my identity has been authenticated.
>   
> Best,
> Tamir
>   
> On 6/13/2012 10:13 AM, Ian Fette (ã‚¤ã‚¢ãƒ³ãƒ•ã‚§ãƒƒãƒ†ã‚£) wrote:
> > This email is intended to satisfy ACTION-187 and ISSUE-99
> >   
> > I propose adding to the compliance spec the following:
> >   
> > "If a site offers users the choice to log in with an identity  
> > provider, via means such as OpenID, OAuth, or other conceptually  
> > similar mechanisms, the identity provider is considered a first party  
> > for the current transactions and subsequent transactions for which the  
> > user remains authenticated to the site via the identity  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>
Attachments

image/tiff attachment: yahoo_livejournal_openid.tiff
Received on Friday, 15 June 2012 00:26:42 UTC