Google Apps availability broadcasting

John Bradley john.bradley at wingaa.com
Tue Dec 15 11:47:20 UTC 2009


That was one of the concerns I had about Google's initial plan for a service to provide that info to unauthenticated RPs. To be fair, Google expressed similar privacy concerns. That is why they haven't done it except as an experiment.

I will say that in reality it would not give them very much more information than they have now for most people.

The reality is that most people stay logged in to their Gmail/Latitude/Google Docs/Google Groups/Google Search/Google Voice/Google Wave/Google Chat/OpenID.

When they visit any site with AdSense advertising, Google could track that. This would only incrementally provide a way for them to track you at the sites that don't use Google advertising, but take OpenID login that you don't actually log into with your Google OpenID.

Getting lots of free services in return for letting Google customize your experience seems a good bargain to lots of people. The reality is that most people never sign out of "The Google" any more.

We, however, are not here to debate business models.

The question we have to answer is if OpenID has preserving user privacy from the RP and OP as one of its core principles.

So far the best privacy/user-centric approach I have seen is achieved with an active selector/smart client.

John B.

On 2009-12-15, at 1:51 AM, SitG Admin wrote:

> I can't find the list of candidates at openid.net (I might have to be a member just to see them?), but if Peter Watkins' name is there, I endorse him on the strength of privacy awareness (4 out of 5 posts, recently, just left me impressed).
> 
>> Isn't there another privacy issue here -- that the central discovery service
>> learns what RP sites the user visits? It's not just that I don't want any old
>> RP knowing what OPs I'm logged into (OPs leaking info to RPs), I also don't
>> want mega-OPs like Google discovering what RP sites I frequent (RPs leaking
>> info to OPs).
> 
> So, if I follow some link (or am in an embedded iframe) to read an article that happens to be on the NRA's website, Google (if acting as my OP) could then receive a notice that I might want to *log into* the NRA's website, misprofiling me and serving up targeted advertisements based on my apparent interests? (Change each instance of "NRA" to something embarrassing and/or NSFW to get me ostracized and/or fired.)
> 
> -Shade