RE: Seeking feedback on "user consent" text in Web Payments Working Group specification

Hi Ian,

I wonder if the "allowpaymentrequest" attribute on an iframe is sufficient to stop rogue script dynamically creating iframes which present bogus payment requests to the user. Maybe a CSP directive would work here, or at least block payment requests from iframes when the top level context is not secure.

Mike

-----Original Message-----
From: Ian Jacobs [mailto:ij@w3.org] 
Sent: 06 October 2016 16:22
To: public-privacy@w3.org
Cc: Adam Roach <abr@mozilla.com>; Telford-Reed, Nick <Nick.Telford-Reed@worldpay.com>; Adrian Hope-Bailie <adrian@ripple.com>
Subject: Seeking feedback on "user consent" text in Web Payments Working Group specification

Dear Privacy IG,

The Web Payments WG’s draft “Payment Request API” [1] involves user actions
to share some information with a merchant (e.g., credit card details, shipping address).
We would like to make it clear in the specification that that information should not be
shared without user consent. Opinions vary on how much (if any) guidance to provide
about securing user consent.

I would like to ask for your review of the proposal below, which would appear in
our “Privacy Considerations” (section 18). Please let me know whether you find the text
below useful and sufficient.

For comparison, an analogous section in the Media Capture and Streams specification goes into
greater detail:
 https://w3c.github.io/mediacapture-main/getusermedia.html#privacy-and-security-considerations

Thank you,

Ian

[1] https://w3c.github.io/browser-payment-api/

=================
Proposal for 18.1 Exposing user information

Capturing user information (payment credentials, shipping address, etc.) exposes personally-identifiable information to applications.
The user agent should never share user information with the web page without user consent.

For a number of reasons, this specification does not recommend particular practices for establishing user consent:

 • What constitutes user consent from a regulatory perspective may vary by jurisdiction.

 • Users provide consent through a variety of mechanisms, both case-by-case (e.g., one-time click-through agreement)
   and persistent (e.g., contractual agreements that involve a single user interaction, user agent settings, and operating system settings).

 • There are numerous good practices for establishing consent, such as clear notice to the user about implications of an action,
   usability of configuration interfaces to view and change user decisions, and avoiding unnecessary prompts. Developers should
   therefore consult up-to-date good practice documentation, which may vary by region, browser, operating system, and payment system.

--
Ian Jacobs <ij@w3.org>      http://www.w3.org/People/Jacobs
Tel:                       +1 718 260 9447

Received on Friday, 7 October 2016 13:44:07 UTC
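Mike's question at the top of the thread is whether the allowpaymentrequest attribute alone can stop script in a page from creating iframes that raise payment requests, and whether a CSP directive or a secure-context requirement on the top-level context would close the gap. The following is an added example, not code from the thread, from the Payment Request API draft, or from any browser: a plain-JavaScript model that runs under Node without a DOM. Frames are plain objects; the "allowed to use" rule is my reading of the 2016 draft (a top-level document may use the API, a nested one only if its iframe carries allowpaymentrequest and its parent may); the frame-src matcher covers only a subset of the CSP source grammar and ignores default ports; and the origins shop.example, evil.example and pay.example are constructed for illustration.

```javascript
// Added example (not from the thread or the spec): model of the checks Mike
// asks about. Frames are plain objects so this runs offline under Node.
// The "allowed to use" rule is my reading of the 2016 draft; the CSP matcher
// handles only 'self', 'none', *, scheme:, scheme://host[:port] and
// wildcard subdomains, and ignores default ports.

function makeFrame({ origin, parent = null, allowPaymentRequest = false }) {
  return { origin, parent, allowPaymentRequest };
}

function topLevelOf(frame) {
  let f = frame;
  while (f.parent !== null) f = f.parent;
  return f;
}

// The attribute only delegates the right from parent to child. It says
// nothing about who inserted the iframe, so any script running in an
// allowed parent can mint an allowed child pointing at any origin.
function allowedToUsePaymentRequest(frame) {
  if (frame.parent === null) return true;
  return frame.allowPaymentRequest === true && allowedToUsePaymentRequest(frame.parent);
}

function parseOrigin(origin) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/:]+)(?::(\d+))?$/i.exec(origin);
  if (!m) throw new Error(`unsupported origin syntax: ${origin}`);
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase(), port: m[3] || null };
}

function sourceMatches(src, self, child) {
  if (src === "'self'") {
    return child.scheme === self.scheme && child.host === self.host && child.port === self.port;
  }
  if (src === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return child.scheme === src.slice(0, -1).toLowerCase();
  const s = parseOrigin(src);
  if (s.scheme !== child.scheme) return false;
  if (s.port !== null && s.port !== child.port) return false;
  if (s.host.startsWith('*.')) return child.host.endsWith(s.host.slice(1));
  return s.host === child.host;
}

// frame-src decision for a document at selfOrigin trying to frame childOrigin.
// A null/undefined source list means "no CSP delivered": anything may be framed.
function frameSrcAllows(sourceList, selfOrigin, childOrigin) {
  if (sourceList == null) return true;
  const sources = sourceList.trim().split(/\s+/).filter(Boolean);
  if (sources.length === 0 || sources.includes("'none'")) return false;
  const self = parseOrigin(selfOrigin);
  const child = parseOrigin(childOrigin);
  return sources.some((src) => sourceMatches(src, self, child));
}

// Combined check: script in `creator` inserts <iframe src=childOrigin
// allowpaymentrequest> and the framed page then calls PaymentRequest.
// Order matters: the secure-context and CSP checks fire before the frame
// ever loads, so the attribute is never consulted for a blocked load.
function paymentFrameDecision({ creator, childOrigin, allowPaymentRequest, frameSrc = null }) {
  if (parseOrigin(topLevelOf(creator).origin).scheme !== 'https') {
    return { ok: false, reason: 'top-level context is not secure' };
  }
  if (!frameSrcAllows(frameSrc, creator.origin, childOrigin)) {
    return { ok: false, reason: 'iframe load blocked by frame-src' };
  }
  const child = makeFrame({ origin: childOrigin, parent: creator, allowPaymentRequest });
  if (!allowedToUsePaymentRequest(child)) {
    return { ok: false, reason: 'allowpaymentrequest not delegated to this frame' };
  }
  return { ok: true, reason: 'PaymentRequest permitted in frame' };
}

// Constructed scenario: a merchant page at https://shop.example (hypothetical)
// whose injected script frames https://evil.example with the attribute set.
const shop = makeFrame({ origin: 'https://shop.example' });
const noCsp = paymentFrameDecision({
  creator: shop, childOrigin: 'https://evil.example', allowPaymentRequest: true,
});
const withCsp = paymentFrameDecision({
  creator: shop, childOrigin: 'https://evil.example', allowPaymentRequest: true,
  frameSrc: "'self' https://pay.example",
});
console.log(noCsp.reason);   // attribute alone lets the rogue frame through
console.log(withCsp.reason); // frame-src stops the frame from loading at all
```

The point the model makes concrete is that allowpaymentrequest answers "may this frame use the API?" but not "should this frame exist?"; a frame-src allow-list on the embedding document, plus refusing the API when the top-level context is not https, answers the second question before the first one is ever asked.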