Giving an example of an IAB concern that is not relevant to OCP does
not mean that there are no concerns relevant to OCP.
It had always been my expectation that OCP would carry information
about privacy requirements for data shared between the OPES processor
and the callout server, and that the level of confidentiality would
match the requirements. And, to me, that further implied that OCP
must have mechanisms fine-grained enough to keep data separated
and protected at the appropriate level.
OCP MUST be able to protect any information about the user, the user's
preferences, history of user selections, times of connection,
etc. It would be better to avoid having to carry this information at
all, if possible. Only the minimum information about the mechanical
protection should be carried. It had seemed to me that we would
avoid having the OPES processor give the userid to the callout server,
for example, if we could simply give some minimal information about
the OPES services needed on the data.
I think that if we try to duck the issue altogether we will force people
into greater information disclosure and greater privacy risks than if
we address the problem straightforwardly as a protocol requirement.
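The two requirements argued for above (carry only what the callout server needs, and never let an item's required protection exceed what the channel provides) can be checked mechanically at the OPES processor. The following is an added example in Python, not part of this message and not code from the OCP specification or the OPES working group; the field names, the three sensitivity levels and the channel-level model are assumptions made for the illustration.

```python
"""Data-minimisation and protection-level check for what an OPES processor
hands to a callout server.

Added illustration, not OCP or OPES WG code.  Field names, sensitivity
classes and the channel-level model are assumptions made for this example.
"""
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    """Ordered protection levels; a channel at level L may carry items <= L."""
    PUBLIC = 0     # e.g. which OPES services are requested for the data
    INTERNAL = 1   # operational detail about the processor itself
    PRIVATE = 2    # user-identifying or behavioural data


# Hypothetical classification of items a processor may know per request.
ITEM_SENSITIVITY = {
    "service_ids": Sensitivity.PUBLIC,
    "content_type": Sensitivity.PUBLIC,
    "processor_id": Sensitivity.INTERNAL,
    "user_id": Sensitivity.PRIVATE,
    "user_prefs": Sensitivity.PRIVATE,
    "selection_history": Sensitivity.PRIVATE,
    "connect_time": Sensitivity.PRIVATE,
}


class ProtectionMismatch(Exception):
    """A field the service needs exceeds what the callout channel protects."""


@dataclass(frozen=True)
class CalloutMetadata:
    fields: dict      # what actually gets sent to the callout server
    dropped: tuple    # (field, reason) pairs, kept for audit logging


def sensitivity_of(name: str) -> Sensitivity:
    # Unclassified items are treated as the most sensitive, never as public.
    return ITEM_SENSITIVITY.get(name, Sensitivity.PRIVATE)


def build_callout_metadata(context: dict, required: set,
                           channel_level: Sensitivity) -> CalloutMetadata:
    """Keep only the fields the service declared it needs, and refuse (rather
    than silently downgrade) when a needed field requires more protection
    than the channel to the callout server provides."""
    missing = required - set(context)
    if missing:
        raise KeyError(f"required fields absent from context: {sorted(missing)}")
    sent, dropped = {}, []
    for name, value in context.items():
        if name not in required:
            # Minimisation: the callout server never sees what it did not ask for.
            dropped.append((name, "not needed by callout server"))
            continue
        level = sensitivity_of(name)
        if level > channel_level:
            raise ProtectionMismatch(
                f"{name} requires {level.name} protection, "
                f"channel offers {channel_level.name}")
        sent[name] = value
    return CalloutMetadata(sent, tuple(dropped))


# Constructed sample of what a processor might hold for one request.
SAMPLE_CONTEXT = {
    "service_ids": ["virus-scan", "adblock"],
    "content_type": "text/html",
    "processor_id": "opes-proc-7",
    "user_id": "alice",
    "user_prefs": {"adblock": "strict"},
    "selection_history": ["news", "weather"],
    "connect_time": "2004-01-01T10:00:00Z",
}

if __name__ == "__main__":
    # A service that only needs to know which services to apply, over an
    # unprotected channel: the user-related items are all dropped.
    m = build_callout_metadata(SAMPLE_CONTEXT, {"service_ids", "content_type"},
                               Sensitivity.PUBLIC)
    print("sent:", m.fields)
    print("dropped:", m.dropped)
```

The point of raising `ProtectionMismatch` instead of stripping the field is that a service which genuinely needs user preferences is forced to obtain a channel of the matching level, which is the "carry the requirement and match the confidentiality to it" behaviour; dropping the userid even on a fully protected channel, unless a service explicitly declares it as required, is the minimisation part.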