Re: Seeking feedback on "user consent" text in Web Payments Working Group specification

> The Web Payments WG’s draft “Payment Request API” [1] involves user actions
> to share some information with a merchant (e.g., credit card details, shipping address).
> We would like to make it clear in the specification that that information should not be
> shared without user consent. Opinions vary on how much (if any) guidance to provide
> about securing user consent.
>
> I would like to ask for your review of the proposal below, which would appear in
> our “Privacy Considerations” (section 18). Please let me know whether you find the text
> below useful and sufficient.
...
> =================
> Proposal for 18.1 Exposing user information
>
> Capturing user information (payment credentials, shipping address,
> etc.) exposes personally-identifiable information to applications. The
> user agent should never share user information with the web page without
> user consent.
>
> For a number of reasons, this specification does not recommend
> particular practices for establishing user consent:
>
>         • What constitutes user consent from a regulatory perspective
>         may vary by jurisdiction.
>
>         • Users provide consent through a variety of mechanisms, both
>         case-by-case (e.g., one-time click-through agreement) and
>         persistent (e.g., contractual agreements that involve a single
>         user interaction, user agent settings, and operating system
>         settings).
>
>         • There are numerous good practices for establishing consent,
>         such as clear notice to the user about implications of an
>         action, usability of configuration interfaces to view and
>         change user decisions, and avoiding unnecessary prompts.
>         Developers should therefore consult up-to-date good practice
>         documentation, which may vary by region, browser, operating
>         system, and payment system.

It doesn't seem sufficient to me, as I have a different view of
transactional information.  So let me back up for a moment:

When a consumer buys something (or otherwise does a "transaction") on
the Internet, I think there's a difference between the information
that the web site gets to create the user's account (let's call it
"account information") and that which it obtains for the purpose of
this transaction (let's call it "transaction information").  I think
the text above works mostly fine for account information (though I
would say MUST NOT share without consent), but isn't adequate for
transaction information.

I believe that transaction information MUST NOT be shared (never mind
consent) outside of what's necessary to complete the transaction (that
would include providing the credit card information to the bank to get
approval and process payment, providing the shipping address to the
shipping company, and that sort of thing).  I think consumers assume
that a purchase transaction is private, and we need to keep it that
way.

Note, for example, that the consumer might provide an address as part
of the account setup, and that address would fall under the "only with
permission" sharing of account information.  But if the user provided
a different shipping address for this transaction, it's transaction
information, and I'd say "must not share."  (Of course, the merchant
might include a "Save this address to your account?" option in that
case, and if the user says yes then it becomes account information and
things are fuzzier.  Which is why you're right not to go into too much
detail.)

I would also explicitly say that certain key account information, such
as saved credit cards and bank account information, MUST NOT be shared
as well, even though it's account information.

What, if anything, you want to say about collected information such as
what items the consumer looked at and which ones she purchased, is a
separate question, but it's also relevant here, and I don't think you
should ignore it.  I'd say it falls under "not without user consent."

Finally, in any case, I think we need to be strong and consistent
about saying that we never share information without user consent,
hence my suggestion to change "should never share...without user
consent," to "MUST NOT share...without user consent."

Barry

Received on Tuesday, 18 October 2016 15:43:43 UTC