Re: Seeking feedback on "user consent" text in Web Payments Working Group specification

Hi Danny,

Thank you for the feedback. Notes inline.

Ian

> On Oct 18, 2016, at 3:03 PM, Daniel Weitzner <weitzner@mit.edu> wrote:
> 
> Ian - thanks for the opportunity to comment.
> 
> I agree that there is complexity here and that it is not advisable to try to specify a complete UX experience. However, the specification over-emphasizes the degree of regional variation in best practice and is likely to encourage implementers to throw up their hands. There is nothing in the proposed language that a developer can implement, so many will do nothing. Or, if they work for a responsible organization, they will talk to their lawyers.
> 
> Just because there isn't global agreement on what is required it does not mean that W3C should wash its hands of enabling some minimum standard best privacy practice.
> 
> Good minimum privacy practice when handling personal data requires transparency for users and the various intermediaries along the way who use this data.
> 
> For users, when personal data is transferred, there should be a clear policy about how it is handled. That is, I would argue, the minimum required by nearly all legal systems and is just plain good design.
> 
> For implementers, when receiving or processing personal data, they should know whether the user has consented to the transfer and under what terms.
> 
> To enable user agent developers to meet these goals, I would simply provide a mechanism in the protocol to indicate two facts:
> 
> (a) was user consent provided? (could be a boolean or a JSON object)
> (b) under what policy (specified by a URI)

Regarding point (b), it seems to me that when you shop on an E-Commerce site, the merchant defines the terms and conditions for interaction.
As just one example, here are the terms for target.com, which include a section on how transaction data will be used:
http://www.target.com/c/terms-conditions/-/N-4sr7l

Is the suggestion that the e-commerce paradigm change so that users specify their own terms and conditions for how they agree for others to use their data?

Regarding point (a), it seems to me that if the spec says “the user agent must not share data it collects without user consent” then a flag is unnecessary.
Completion of the API signals consent.

If the language remains “SHOULD NEVER” and the user agent “knows” it is sharing data without user consent, then it seems there is room for a boolean.

Per Barry’s point, I think the group needs to review MUST NOT v. SHOULD NEVER.

Ian

> 
> By making these two simple pieces of data visible in the mechanism, W3C will provide users and implementers a tractable way to be sure that privacy issues are addressed and that the privacy conditions can easily travel along with the personal data through the API.
> 
> W3C has been down the path of trying to specify the semantics of such policy (with P3P) and that was complicated. I don't suggest going back there. However, I do think it would be good practice to enable this protocol, which seems to be very careful about how to communicate about mundane (but sensitive) things like shipping addresses (and which have considerable international variation), to also look at how to be sure that personal data is handled with awareness of privacy practice.
> 

--
Ian Jacobs <ij@w3.org>      http://www.w3.org/People/Jacobs
Tel:                       +1 718 260 9447

Received on Wednesday, 19 October 2016 20:09:06 UTC