RE: User Consent and Addresses

First, we (Microsoft) objected to making such statements in, for example, the Geolocation API. I have no problem with people choosing to write recommendations about user experience in a separate document but it shouldn’t be part of an API specification. As an example of one problem, the original language in the Geolocation API wasn’t followed by any implementation and the text had to be retroactively amended to be more realistic considering actual implementations. This suggests it wasn’t helpful to spend time defining the experience.

Another problem with the Geolocation work is that it tried to capture what and not why, which got left behind. In our specs, we should ensure that the security and privacy considerations sections accurately reflect the concerns and leave it up to implementations to determine how to address those concerns.

We shouldn’t spend time in this group trying to decide what user consent might mean, including which geo-specific regulations this might be impacted by.

From: Adam Roach [mailto:abr@mozilla.com]
Sent: Friday, May 6, 2016 2:48 PM
To: Adrian Bateman <adrianba@microsoft.com>; Web Payments Working Group <public-payments-wg@w3.org>
Subject: User Consent and Addresses


From: Adam Roach [mailto:abr@mozilla.com]
Sent: Wednesday, May 4, 2016 3:47 PM

Issue A: Interaction between address updates and user consent

Section 16.1 specifies that user data, such as shipping addresses, are to be provided to the merchant page only with user consent. It's unclear how this interacts with the behavior of "onshippingaddresschange," which fires every time the user changes their address in a payment app. As a user, I would not inherently expect such actions to be automatically exfiltrated to the merchant web page. We definitely need to think through and document what kind of behavior represents informed user consent in these cases.


On 5/4/16 20:07, Adrian Bateman responded:

On Issue A, I very much disagree. This group should not be defining user consent.



I'm trying to understand this assertion. Other specifications that deal with users' private information -- such as the Geolocation API and the Media Capture API -- include treatments of user consent. What is it about the Web Payments WG that would make our specifications exempt from doing so?
--
Adam Roach
Principal Platform Engineer
Office of the CTO

Received on Friday, 6 May 2016 23:40:45 UTC