[Openid-specs-risc] connecting with privacy people

Mark Risher risher at google.com
Tue Sep 29 14:48:15 UTC 2015

Hi, Nat:
Thanks for summarizing. I agree that we'll need to find a comfortable
privacy position early on. My hope is that we can devise a few proposals
that might be approved, as well as get counseling on how to best position
the approach for the larger group. Clearly what we're trying to do is
pro-user, so this should be solvable as long as we can read users' minds
about what they want ;)

I have some time blocked on Friday to sketch out the privacy proposals we
discussed yesterday, and then we can use John's help and others to find
some possible advisors/consultants/regulators (including within our

Talk soon,

Mark E. Risher | Group Product Manager | risher at google.com | 650-253-3123

On Mon, Sep 28, 2015 at 9:32 PM, Nat Sakimura <sakimura at gmail.com> wrote:

> Hi
> With so much echoing today, I did not dig in any further, but I still
> think it is a good idea to involve privacy regulators early on. As someone
> who is closely connected to the privacy regulators, academics and lawyers,
> I believe there is a good chance that we can get them on our side.
> While we tend to position the account takeover as a security issue, it is
> a grave privacy issue as well. Like security, privacy is not black-or-white
> thing. We have to deal with a risk framework and there we measure the
> benefit against cost. Since the user is already using the email provider
> (IDP) as the reset link, there seem to be little privacy cost compared to
> the benefit of explicitly sharing them between the provider and the service
> and making the probability of chained compromise less.
> Also, I would have to point out that user action of "consent" is not
> always the best way to address the "meaningful consent". That's the
> position of many regulators in EU, at least as I understand. Perhaps you
> might want to look at the explanation of "conditions for processing" by ico
> (UK regulator.)
> In any case, we would have to do the PIA before completing the spec and
> start the trust framework, and that has to happen pretty early on:
> otherwise, we may have to re-do everything. IMHO, it is wise to start
> involving experts from regulating bodies at least informally would be a
> good idea. It will eventually travel up to the Article 29 Working party
> (WP29, the group of EU privacy regulators) and it cannot be avoided. Then,
> why not involve them early on and work together?
> OpenID Foundation will be sending out liaison statement to ISO/IEC JTC
> 1/SC 27/WG 5 (the committee that deals with privacy technology) in a couple
> of weeks. My proposal is to include couple of paragraphs on the pros and
> cons of explicit consent / bulk roll-in, and opt-out/no-opt-out scenarios.
> WG meetings are very busy and usually they will not craft a detailed custom
> responses, but they might eventually. At least, they will be aware of the
> fact that they had an opportunity to input.
> Best,
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
> _______________________________________________
> Openid-specs-risc mailing list
> Openid-specs-risc at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-risc
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-risc/attachments/20150929/e8fef5e0/attachment.html>

More information about the Openid-specs-risc mailing list