[Openid-specs-risc] connecting with privacy people

Nat Sakimura sakimura at gmail.com
Tue Sep 29 04:32:46 UTC 2015


With so much echoing today, I did not dig in any further, but I still think
it is a good idea to involve privacy regulators early on. As someone who is
closely connected to the privacy regulators, academics and lawyers, I
believe there is a good chance that we can get them on our side.

While we tend to position the account takeover as a security issue, it is a
grave privacy issue as well. Like security, privacy is not black-or-white
thing. We have to deal with a risk framework and there we measure the
benefit against cost. Since the user is already using the email provider
(IDP) as the reset link, there seem to be little privacy cost compared to
the benefit of explicitly sharing them between the provider and the service
and making the probability of chained compromise less.

Also, I would have to point out that user action of "consent" is not always
the best way to address the "meaningful consent". That's the position of
many regulators in EU, at least as I understand. Perhaps you might want to
look at the explanation of "conditions for processing" by ico (UK

In any case, we would have to do the PIA before completing the spec and
start the trust framework, and that has to happen pretty early on:
otherwise, we may have to re-do everything. IMHO, it is wise to start
involving experts from regulating bodies at least informally would be a
good idea. It will eventually travel up to the Article 29 Working party
(WP29, the group of EU privacy regulators) and it cannot be avoided. Then,
why not involve them early on and work together?

OpenID Foundation will be sending out liaison statement to ISO/IEC JTC 1/SC
27/WG 5 (the committee that deals with privacy technology) in a couple of
weeks. My proposal is to include couple of paragraphs on the pros and cons
of explicit consent / bulk roll-in, and opt-out/no-opt-out scenarios. WG
meetings are very busy and usually they will not craft a detailed custom
responses, but they might eventually. At least, they will be aware of the
fact that they had an opportunity to input.


Nat Sakimura (=nat)
Chairman, OpenID Foundation
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-risc/attachments/20150929/a75c98c2/attachment.html>

More information about the Openid-specs-risc mailing list