Re: Seeking feedback on "user consent" text in Web Payments Working Group specification

Hi Barry,

Thank you for sending comments. Some clarifications and a suggested change inline.

Ian

> On Oct 18, 2016, at 10:43 AM, Barry Leiba <barryleiba@computer.org> wrote:
> 
>> The Web Payments WG’s draft “Payment Request API” [1] involves user actions
>> to share some information with a merchant (e.g., credit card details, shipping address).
>> We would like to make it clear in the specification that that information should not be
>> shared without user consent. Opinions vary on how much (if any) guidance to provide
>> about securing user consent.
>> 
>> I would like to ask for your review of the proposal below, which would appear in
>> our “Privacy Considerations” (section 18). Please let me know whether you find the text
>> below useful and sufficient.
> ...
>> =================
>> Proposal for 18.1 Exposing user information
>> 
>> Capturing user information (payment credentials, shipping address,
>> etc.) exposes personally-identifiable information to applications. The
>> user agent should never share user information to the web page without
>> user consent.
>> 
>> For a number of reasons, this specification does not recommend
>> particular practices for establishing user consent:
>> 
>>        • What constitutes user consent from a regulatory perspective
>>        may vary by jurisdiction.
>> 
>>        • Users provide consent through a variety of mechanisms, both
>>        case-by-case (e.g., one-time click-through agreement) and
>>        persistent (e.g., contractual agreements that involve a single
>>        user interaction, user agent settings, and operating system
>>        settings).
>> 
>>        • There are numerous good practices for establishing consent,
>>        such as clear notice to the user about implications of an
>>        action, usability of configuration interfaces to view and
>>        change user decisions, and avoiding unnecessary prompts.
>>        Developers should therefore consult up-to-date good practice
>>        documentation, which may vary by region, browser, operating
>>        system, and payment system.
> 
> It doesn't seem sufficient to me, as I have a different view of
> transactional information.  So let me back up for a moment:
> 
> When a consumer buys something (or otherwise does a "transaction") on
> the Internet, I think there's a difference between the information
> that the web site gets to create the user's account (let's call it
> "account information") and that which it obtains for the purpose of
> this transaction (let's call it "transaction information").

Agreed.

>  I think
> the text above works mostly fine for account information (though I
> would say MUST NOT share without consent), but isn't adequate for
> transaction information.

The Payment Request API spec only deals with transaction information.

> 
> I believe that transaction information MUST NOT be shared (never mind
> consent) outside of what's necessary to complete the transaction (that
> would include providing the credit card information to the bank to get
> approval and process payment, providing the shipping address to the
> shipping company, and that sort of thing).  I think consumers assume
> that a purchase transaction is private, and we need to keep it that
> way.

The payment request API only involves collection of information that is
necessary to complete the transaction. Perhaps we need to clarify
the text so that the scope of the recommendation is only about the
data gathered via the API. Something like:

  "Capturing user information (payment credentials, shipping address,
  etc.) exposes personally-identifiable information to applications. The
  user agent should never share information captured via this
  API with the web page without user consent."

It’s a separate point whether the text says “SHOULD NEVER”
or “MUST NOT”.

> 
> Note, for example, that the consumer might provide an address as part
> of the account setup, and that address would fall under the "only with
> permission" sharing of account information.  But if the user provided
> a different shipping address for this transaction, it's transaction
> information, and I'd say "must not share."  (Of course, the merchant
> might include a "Save this address to your account?" option in that
> case, and if the user says yes then it becomes account information and
> things are fuzzier.  Which is why you're right not to go into too much
> detail.)
> 
> I would also explicitly say that certain key account information, such
> as saved credit cards and bank account information, MUST NOT be shared
> as well, even though it's account information.

I’m not sure I understand that point. This API is about returning payment
instrument information (such as card information) to the merchant, or
whoever is providing services to the merchant.

> 
> What, if anything, you want to say about collected information such as
> what items the consumer looked at and which ones she purchased, is a
> separate question, but it's also relevant here, and I don't think you
> should ignore it.  I'd say it falls under "not without user consent."
> 
> Finally, in any case, I think we need to be strong and consistent
> about saying that we never share information without user consent,
> hence my suggestion to change "should never share...without user
> consent," to "MUST NOT share...without user consent."
> 
> Barry

--
Ian Jacobs <ij@w3.org>      http://www.w3.org/People/Jacobs
Tel:                       +1 718 260 9447

Received on Wednesday, 19 October 2016 19:43:37 UTC
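The exchange above turns on what "information captured via this API" actually is and on Barry's point that transaction data should travel no further than the transaction needs. The following is an added illustration written for this page, not code from the thread, the Working Group or the specification: a merchant-side sketch that (1) asks the user agent only for the fields the order requires and (2) routes what the user agent returns so that the card details reach only the payment processor, the shipping address only fulfilment, and nothing from the response reaches analytics or general logging. The constructor arguments and PaymentResponse fields follow the 2016 draft's basic-card method; the order shape, the routing targets and the sample response are constructed assumptions, and the card number is the standard "4111..." test number, not a real card.

```javascript
'use strict';
// Added example for this mailing-list page; not the spec's or the WG's code.
// PaymentRequest/PaymentResponse field names follow the 2016 draft (basic-card).
// The order shape, routing targets and sample response below are assumptions.

// 1. Build the request so the page asks only for data the transaction needs:
//    a shipping address only when something physical ships, an email only
//    when the merchant must send a receipt, and nothing else.
function buildRequestArgs(order) {
  const methodData = [{
    supportedMethods: ['basic-card'],
    data: { supportedNetworks: ['visa', 'mastercard'] },
  }];
  const details = {
    displayItems: order.items.map(i => ({
      label: i.label,
      amount: { currency: order.currency, value: i.value },
    })),
    total: { label: 'Total', amount: { currency: order.currency, value: order.total } },
  };
  const options = {
    requestShipping: order.items.some(i => i.physical === true),
    requestPayerEmail: order.wantsReceipt === true,
    requestPayerName: false,
    requestPayerPhone: false,
  };
  return { methodData, details, options };
}

// 2. Route what the user agent returned. Card data goes only to the
//    processor payload, the address only to the fulfilment payload, and the
//    merchant's own order record keeps just the last four digits and the
//    payer email (if one was requested).
function routeResponse(response) {
  if (response.methodName !== 'basic-card') {
    throw new Error('unexpected payment method: ' + response.methodName);
  }
  const d = response.details;
  const toProcessor = {
    cardNumber: d.cardNumber,
    cardholderName: d.cardholderName,
    expiryMonth: d.expiryMonth,
    expiryYear: d.expiryYear,
    cardSecurityCode: d.cardSecurityCode,
    billingAddress: d.billingAddress || null,
  };
  const toFulfilment = response.shippingAddress
    ? { shippingAddress: response.shippingAddress, shippingOption: response.shippingOption }
    : null;
  const toOrderRecord = {
    last4: String(d.cardNumber).slice(-4),
    payerEmail: response.payerEmail || null,
  };
  return { toProcessor, toFulfilment, toOrderRecord };
}

// Check used before anything leaves the page: the full card number must not
// appear in any payload other than the processor's.
function leaksPan(routed) {
  const pan = routed.toProcessor.cardNumber;
  const others = JSON.stringify({ f: routed.toFulfilment, r: routed.toOrderRecord });
  return others.includes(pan);
}

// Constructed stand-in for what PaymentRequest.show() resolves to.
// '4111111111111111' is the usual test number, not a real card.
const sampleResponse = {
  methodName: 'basic-card',
  details: {
    cardNumber: '4111111111111111', cardholderName: 'A Customer',
    expiryMonth: '12', expiryYear: '2020', cardSecurityCode: '123',
  },
  shippingAddress: { country: 'US', addressLine: ['1 Main St'], city: 'Springfield', postalCode: '00000' },
  shippingOption: 'standard',
  payerEmail: 'customer@example.com',
};

// Browser flow. The page sees nothing until show() resolves, i.e. until the
// user has acted in the user agent's own payment UI.
async function checkout(order) {
  const { methodData, details, options } = buildRequestArgs(order);
  const request = new PaymentRequest(methodData, details, options);
  const response = await request.show();
  const routed = routeResponse(response);
  if (leaksPan(routed)) throw new Error('card number would leave the processor path');
  // ... POST routed.toProcessor to the processor, routed.toFulfilment to fulfilment ...
  await response.complete('success');
  return routed;
}

// Outside a browser there is no PaymentRequest; show the routing on the sample.
if (typeof PaymentRequest === 'undefined') {
  console.log(JSON.stringify(routeResponse(sampleResponse), null, 2));
}
```

Run under Node it prints the three routed payloads for the sample response; in a browser `checkout(order)` drives the real API. The point of `routeResponse` and `leaksPan` is that the merchant, not only the user agent, has to keep the data the API hands over on the path that the transaction needs.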