- From: Samuel Weiler <weiler@w3.org>
- Date: Mon, 18 Mar 2019 09:30:20 -0400
- To: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
I opened an issue re: how the Payment Request API is, by default, sending more PII 1) than is needed and 2) than sites send now, particularly pre-completion of a transaction. Feel free to chime in on the discussion happening in the Web Payments WG's github repo: https://github.com/w3c/payment-request/issues/842#issuecomment-473907871 Below is my (revised) write-up of the issue (from the comment above): I am concerned about "oversharing" - when an API, by default, automatically sends more identifying information than is sent now. This API is sending straight up PII (personally identifiable information). Because of that, it should meet a high bar. For the two use cases presented - calculating sales tax and shipping costs before completion of a transaction - this API overshares in some cases. Below are some examples that speak to what information is minimally necessary for the use cases. I could also point at specific merchants that ask for less info (since my concern is about what this API sends v. what is sent now), but looking at necessity of the information is probably more helpful in understanding the problem. In the US, billing address is typically not needed for sales tax calculations - those are based entirely on shipping address. Sending any portion of a billing address - at least pre-completion - is oversharing. In New Hampshire, Delaware, Oregon, Montana, and Alaska - US states which have no sales tax - the only portion of a shipping address needed for sales tax calculation is the state. Sending city or post code pre-completion is oversharing. Also in the US, shipping costs are often flat - or at least flat within the "lower 48" states. For the shipping use case, then, sending a city or post code pre-completion might be oversharing. These examples are all from the US - a thriving market for online commerce. And yet even with the mitigations in place so far, this API still overshares. I imagine that similar oversharing happens when we look at other jurisdictions. What portion of which address is needed to calculate shipping cost or sales tax in the Cayman Islands? Do those calculations need anything more than the country? What about in Kenya? Again, I want to avoid a default of oversharing - I want to avoid moving the bar so that more PII is sent 1) than is currently sent and 2) than is necessary. I don't entirely know how to do that, but the diversity of answers across jurisdictions suggests that a fixed answer (e.g. send city and post code) will overshare for a non-trivial number of people.
Received on Monday, 18 March 2019 13:30:23 UTC