- From: Barry Leiba <barryleiba@computer.org>
- Date: Tue, 18 Oct 2016 11:43:11 -0400
- To: Ian Jacobs <ij@w3.org>
- Cc: public-privacy@w3.org, Adam Roach <abr@mozilla.com>, "Telford-Reed, Nick" <Nick.Telford-Reed@worldpay.com>, Adrian Hope-Bailie <adrian@ripple.com>
> The Web Payments WG’s draft “Payment Request API” [1] involves user actions
> to share some information with a merchant (e.g., credit card details, shipping address).
> We would like to make it clear in the specification that that information should not be
> shared without user consent. Opinions vary on how much (if any) guidance to provide
> about securing user content.
>
> I would like to ask for your review of the proposal below, which would appear in
> our “Privacy Considerations” (section 18). Please let me know whether you find the text
> below useful and sufficient.

...

> =================
> Proposal for 18.1 Exposing user information
>
> Capturing user information (payment credentials, shipping address,
> etc.) exposes personally-identifiable information to applications. The
> user agent should never share user information to the web page without
> user consent.
>
> For a number of reasons, this specification does not recommend
> particular practices for establishing user consent:
>
> • What constitutes user consent from a regulatory perspective
> may vary by jurisdiction.
>
> • Users provide consent through a variety of mechanisms, both
> case-by-case (e.g., one-time click-through agreement) and
> persistent (e.g., contractual agreements that involve a single
> user interaction, user agent settings, and operating system
> settings).
>
> • There are numerous good practices for establishing consent,
> such as clear notice to the user about implications of an
> action, usability of configuration interfaces to view and
> change user decisions, and avoiding unnecessary prompts.
> Developers should therefore consult up-to-date good practice
> documentation, which may vary by region, browser, operating
> system, and payment system.

It doesn't seem sufficient to me, as I have a different view of transactional information.
So let me back up for a moment: When a consumer buys something (or otherwise does a "transaction") on the Internet, I think there's a difference between the information that the web site gets to create the user's account (let's call it "account information") and that which it obtains for the purpose of this transaction (let's call it "transaction information"). I think the text above works mostly fine for account information (though I would say MUST NOT share without consent), but isn't adequate for transaction information. I believe that transaction information MUST NOT be shared (never mind consent) outside of what's necessary to complete the transaction (that would include providing the credit card information to the bank to get approval and process payment, providing the shipping address to the shipping company, and that sort of thing). I think consumers assume that a purchase transaction is private, and we need to keep it that way.

Note, for example, that the consumer might provide an address as part of the account setup, and that address would fall under the "only with permission" sharing of account information. But if the user provided a different shipping address for this transaction, it's transaction information, and I'd say "must not share." (Of course, the merchant might include a "Save this address to your account?" option in that case, and if the user says yes then it becomes account information and things are fuzzier. Which is why you're right not to go into too much detail.)

I would also explicitly say that certain key account information, such as saved credit cards and bank account information, MUST NOT be shared as well, even though it's account information.

What, if anything, you want to say about collected information such as what items the consumer looked at and which ones she purchased, is a separate question, but it's also relevant here, and I don't think you should ignore it. I'd say it falls under "not without user consent."
Finally, in any case, I think we need to be strong and consistent about saying that we never share information without user consent, hence my suggestion to change "should never share...without user consent," to "MUST NOT share...without user consent."

Barry
Received on Tuesday, 18 October 2016 15:43:43 UTC