[Openid-specs-ab] Fwd: New EU laws

Breno de Medeiros breno at google.com
Thu Mar 10 00:47:16 UTC 2011


What we're talking about is session management -- login and
authentication functions.

IANAL, but I don't think we need to worry about secondary uses of this
application other than authentication (whatever they may be). We
should do the protocol work in a manner that is sensible and let the
market and policy makers sort out what and what not is legal.

On Wed, Mar 9, 2011 at 16:15, Anthony Nadalin <tonynad at microsoft.com> wrote:
> Doesn’t this actually have to manifest itself as a law in each country
> (which may take a long time)?
>
> From: openid-specs-ab-bounces at lists.openid.net
> [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of John Bradley
> Sent: Wednesday, March 09, 2011 4:13 PM
> To: Henrik Biering
> Cc: openid-specs-ab at lists.openid.net
> Subject: Re: [Openid-specs-ab] Fwd: New EU laws
>
> The method we are discussing for session management is not unlike what some
> people do for tracking cookies.
>
> I would not want to have session management and Single Logout caught up in
> the same net.
>
> As you say this will take forever to sort out if it goes ahead.
>
> Though at some point we may want to pre-emptively show how cookies can
> legitimately be used in this sort of application.
>
> John B.
>
> On 2011-03-09, at 8:44 PM, Henrik Biering wrote:
>
> Fortunately this updated directive does NOT target cookies that are
> placed/read in order to provide the basic service requested by a user.
>
> But it is causing great concern to people providing services such as third
> party advertisement and analytics tracking users (or rather devices) across
> the internet.
>
> One problem is that the directive itself is (mildly stated) very unclear and
> the national implementation efforts so far totally uncoordinated. Thus it is
> likely that the directive will be interpreted and legally implemented in
> about 30 different ways across Europe. This may imply significant
> localization efforts for international content providers and e-commerce
> sites.
>
> Another major problem is that a publisher (e.g. newspaper) currently often
> does not know or control the individual media agencies or advertisers who
> may place cookies on a user's computer while the end user is visiting the
> publisher's site. According to legal people it is the owner of the visited
> site who must manage the consent for all third party cookies. This means
> that even if the third party service provider gets a user's global accept for
> tracking the user, such a consent would not in itself be legally adequate
> for the publishing site.
>
> Also this is not convenient for a user who might have allowed e.g. an
> analytics service at 1000 sites before he decides to disallow its tracking
> entirely. So maybe this can end up being a good business case for OAuth /
> UMA, allowing the user centralized consent management for the sites they
> visit as well as for the third party services relating to these sites. At
> least I will try to influence the Danish draft decree (core part provided
> below in English translation, public hearing ends 1 April) in a way that
> makes this a viable option.
>
> ---------------- Core part of the proposed Danish decree of the Directive
> ---------------
> § 3 Natural or legal persons may not store information or gain access to
> information already stored in an end user's terminal equipment, or enable
> third parties to store information or gain access to information, if the end
> user does not give consent after receiving adequate information about the
> storage of or access to data.
>
> Paragraph 2. Consent, cf. paragraph 1, means any freely given, specific and
> informed expression of will by which the end user agrees to the storage of
> data or access to already stored information in the end user's terminal
> equipment.
>
> Paragraph 3. Information, cf. paragraph 1, is appropriate when it as a minimum
>
> 1) appears in a clear, concise and understandable language, or alternatively
> by means of pictures,
>
> 2) contains information about the purpose of storage of or access to data in
> the end user's terminal equipment,
>
> 3) contains information about how long the information is intended to be
> stored in the end user's terminal equipment,
>
> 4) contains information about the name of any natural or legal person who
> stores or accesses the information,
>
> 5) provides readily available access for end users to refuse consent or
> revoke consent to the storage of or access to data, and clear, precise and
> understandable instructions on how the end user uses such access, and
>
> 6) is readily available by a full and clear disclosure to the end user.
> Moreover, information about storage of or access to information in the end
> user's terminal equipment through an information and content service must be
> permanently, directly and easily accessible to the end user of the
> information and content service.
>
>
> § 4 Notwithstanding § 3, natural or legal persons may store information or
> gain access to information already stored in an end user's terminal equipment
> if
>
> 1) the storage of or access to information has the sole purpose of
> transmitting communications over an electronic communications network or
>
> 2) the storage of or access to data is required to enable the provider of an
> information and content service, explicitly requested by the end user, to
> deliver this service.
>
> Paragraph 2. Storage of or access to information in an end user's terminal
> equipment is required, cf. paragraph 1, no. 2, if the storing of or access to
> information is a technical requirement to provide a service that works in
> accordance with the purpose of the service.
> ----------------------- End -------------------------------
>
> =henrik
>
> On 09-03-2011 15:55, John Bradley wrote:
>
> Something to keep in mind with respect to session management.
>
> Without seeing the regulation it is hard to know what to make of it.
>
> I suppose every site in the EU might have to ask for permission to create a
> session cookie on the persons computer before letting them in.
>
> I can't think of any alternative other than mutual TLS to do it.
>
> Though now that I think about it, it could be a way to push e-id cards?
>
> John B.
>
> Begin forwarded message:
>
> http://www.scmagazineuk.com/new-laws-on-cookies-will-come-into-effect-from-25th-may/article/197821/?DCMP=EMC-SCUK_Newswire
>
> Websites will have to gain ‘explicit consent' from visitors to store or
> access information on their computers from 25th May.
>
> A new European e-Privacy directive has been announced today and will affect
> any business tracking users via their cookies online. Exact details from the
> Department for Culture, Media and Sport (DCMS) are currently being drawn up
> and will not be available until the end of May, but enforcement and
> penalties are not expected in the short term as businesses are given a
> window to ‘address their use of cookies'.
>
> The new law is an amendment to the EU's Privacy and Electronic
> Communications Directive and will require UK businesses and other
> organisations to obtain consent from visitors to their websites in order to
> store and retrieve usage information from users' computers.
>
> Speaking today, the Information Commissioner Christopher Graham warned UK
> businesses and other organisations running websites that they must ‘wake up'
> to the EU legislation.
>
> He said: “While the roll out of this new law will be a challenge, it will
> have positive benefits as it will give people more choice and control over
> what information businesses and other organisations can store on and access
> from consumers' own computers.
>
> “We are proactively working with the government, businesses and the public
> sector to find a workable solution. We recognise that the internet as we
> know it today depends on the widespread use of cookies and there are of
> course legitimate business reasons for using them. So we are clear that
> these changes must not have a detrimental impact on consumers nor cause an
> unnecessary burden on UK businesses. One option being considered is to allow
> consent to the use of cookies to be given via browser settings.
>
> “Once the new regulations are published there will be a major job of
> education and guidance to be undertaken. In the meantime, both the business
> community and public sector organisations need to start thinking clearly
> about how they will meet the requirements of the new directive.”
>
> The Information Commissioner's Office will be responsible for regulation,
> while the Department for Culture, Media and Sport will lead on the
> implementation on the new measures in the UK.
>
> Minister for culture, communications and the creative industries, Ed Vaizey,
> said: “Revisions to the e-Privacy directive will provide consumers with more
> choice and control over their internet experience. But at the same time we
> need to make sure these changes do not make using the internet more
> difficult.
>
> “Businesses need to be working to address the way they use cookies. We
> recognise that work will not be complete by the implementation deadline. The
> government is clear that it will take time for meaningful solutions to be
> developed, evaluated and rolled out.”
>
>
> _______________________________________________
>
> Openid-specs-ab mailing list
>
> Openid-specs-ab at lists.openid.net
>
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>



-- 
--Breno

