Re: Seeking feedback on "user consent" text in Web Payments Working Group specification

Ian - thanks for the opportunity to comment.

I agree that there is complexity here and that it is not advisable to try
to specify a complete UX experience. However, the specification
over-emphasizes the degree of regional variation in best practice and is
likely to encourage implementers to throw up their hands. There is
nothing in the proposed language that a developer can implement, so many
will do nothing. Or, if they work for a responsible organization, they will
talk to their lawyers.

Just because there isn't global agreement on what is required, it does not
mean that W3C should wash its hands of enabling some minimum standard best
privacy practice.

Good minimum privacy practice when handling personal data requires
transparency for users and the various intermediaries along the way who use
this data.

For users, when personal data is transferred, there should be a clear
policy about how it is handled. That is, I would argue, the minimum
required by nearly all legal systems and is just plain good design.

For implementers, when receiving or processing personal data, they should
know whether the user has consented to the transfer and under what terms.

To enable user agent developers to meet these goals, I would simply provide
a mechanism in the protocol to indicate two facts:

(a) was user consent provided? (could be a boolean or a JSON object)
(b) under what policy (specified by a URI)

By making these two simple pieces of data visible in the mechanism, W3C
will provide users and implementers a tractable way to be sure that privacy
issues are addressed and that the privacy conditions can easily travel
along with the personal data through the API.

W3C has been down the path of trying to specify the semantics of such
policy (with P3P) and that was complicated. I don't suggest going back
there. However, I do think it would be good practice to enable this
protocol, which seems to be very careful about how to communicate about
mundane (but sensitive) things like shipping addresses (and which have
considerable international variation), to also look at how to be sure that
personal data is handled with awareness of privacy practice.

Best

Danny


-- 
Daniel J. Weitzner, Principal Research Scientist
Director, MIT Internet Policy Research Initiative
Massachusetts Institute of Technology
Tel: +1 617 253 8036

On Fri, Oct 7, 2016 at 9:24 AM Adrian Bateman <adrianba@microsoft.com>
wrote:

> > On Fri, Oct 07, 2016 at 05:38:19, Lukasz Olejnik (W3C) wrote:
> > The UA MUST inform about the past and current uses of the API "
>
> That seems unnecessary. When someone is trying to check out in an online
> store, they don't expect to see all the times other web sites might
> have called the API.
>
> The question at hand here is the degree to which user consent can
> be defined in a technical specification where UX is out of scope.
> We have lots of experience in other working groups of trying to
> specify this and given the different legal and regulatory
> environments around the world, I posit that we should not be
> trying to specify such policy in this kind of document. It is
> sufficient to be clear that UAs will not release information
> in the absence of consent, whatever form that takes.
>

Received on Tuesday, 18 October 2016 20:31:40 UTC
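The two-field mechanism proposed in the message above (a consent indicator plus a policy URI that travel with the personal data through the API), worked through as an added JavaScript example; this is not code from the email, the Web Payments Working Group or any W3C specification. The envelope field names (`data`, `consent`, `policy`), the `granted` flag on the object form of consent, and the sample shipping address are all assumptions constructed for illustration.

```javascript
// Added example (not from the email or any W3C specification): a minimal
// "consent envelope" carrying the two facts the message proposes, and the
// receiver-side check a merchant backend or payment app could run before
// touching the personal data. Field names are assumed, not specified.

// Wrap personal data together with the consent facts so they travel with
// the data instead of being dropped at the first hop.
function attachConsent(data, consent, policyUri) {
  return { data, consent, policy: policyUri };
}

// Fact (a): accept either form the message allows, a boolean or a JSON
// object; the object shape (`granted: true`) is an assumption.
function consentGranted(consent) {
  if (typeof consent === 'boolean') return consent;
  if (consent && typeof consent === 'object') return consent.granted === true;
  return false;
}

// Fact (b): the policy must be an https URI, not free text, so a receiver
// can actually fetch and record the terms the data was released under.
function policyUriValid(policy) {
  if (typeof policy !== 'string') return false;
  try {
    const u = new URL(policy);
    return u.protocol === 'https:';
  } catch (e) {
    return false;
  }
}

// Receiver-side check. Returns the list of reasons the envelope cannot be
// processed; an empty list means both facts are present and acceptable.
function validateEnvelope(envelope) {
  if (!envelope || typeof envelope !== 'object') return ['not an envelope'];
  const problems = [];
  if (!('consent' in envelope)) problems.push('consent missing');
  else if (!consentGranted(envelope.consent)) problems.push('consent not granted');
  if (!('policy' in envelope)) problems.push('policy missing');
  else if (!policyUriValid(envelope.policy)) problems.push('policy is not an https URI');
  return problems;
}

// What a merchant backend does with a shipping address: use the data only
// when the envelope validates, otherwise refuse and report why.
function processShippingAddress(envelope) {
  const problems = validateEnvelope(envelope);
  if (problems.length > 0) {
    return { accepted: false, reasons: problems };
  }
  return { accepted: true, country: envelope.data.country, policy: envelope.policy };
}

// Constructed sample input (not real data).
const sampleAddress = { recipient: 'A. Example', postalCode: '02139', country: 'US' };

const good = attachConsent(sampleAddress, true, 'https://merchant.example/privacy');
const noConsent = attachConsent(sampleAddress, false, 'https://merchant.example/privacy');
const badPolicy = attachConsent(sampleAddress, { granted: true }, 'see our website');
const bare = { data: sampleAddress }; // personal data with no consent facts at all

for (const envelope of [good, noConsent, badPolicy, bare]) {
  console.log(JSON.stringify(processShippingAddress(envelope)));
}
```

The receiver never inspects the address until the envelope validates, which is the practical meaning of "privacy conditions travel with the data": an intermediary that strips the consent fields produces something the next hop refuses to process, so the loss is detected rather than silently absorbed.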