Payment Request API PII/oversharing/negotiation issue

I opened an issue re: how the Payment Request API is, by default, 
sending more PII 1) than is needed and 2) than sites send now, 
particularly pre-completion of a transaction.

Feel free to chime in on the discussion happening in the Web Payments 
WG's GitHub repo:

https://github.com/w3c/payment-request/issues/842#issuecomment-473907871


Below is my (revised) write-up of the issue (from the comment above):


I am concerned about "oversharing" - when an API, by default, 
automatically sends more identifying information than is sent now. This 
API is sending straight up PII (personally identifiable information). 
Because of that, it should meet a high bar.

For the two use cases presented - calculating sales tax and shipping 
costs before completion of a transaction - this API overshares in some 
cases.

Below are some examples that speak to what information is minimally 
necessary for the use cases. I could also point at specific merchants 
that ask for less info (since my concern is about what this API sends v. 
what is sent now), but looking at necessity of the information is 
probably more helpful in understanding the problem.

In the US, billing address is typically not needed for sales tax 
calculations - those are based entirely on shipping address. Sending any 
portion of a billing address - at least pre-completion - is oversharing.

In New Hampshire, Delaware, Oregon, Montana, and Alaska - US states 
which have no sales tax - the only portion of a shipping address needed 
for sales tax calculation is the state. Sending city or post code 
pre-completion is oversharing.

Also in the US, shipping costs are often flat - or at least flat within 
the "lower 48" states. For the shipping use case, then, sending a city 
or post code pre-completion might be oversharing.

These examples are all from the US - a thriving market for online 
commerce. And yet even with the mitigations in place so far, this API 
still overshares. I imagine that similar oversharing happens when we 
look at other jurisdictions. What portion of which address is needed to 
calculate shipping cost or sales tax in the Cayman Islands? Do those 
calculations need anything more than the country? What about in Kenya?

Again, I want to avoid a default of oversharing - I want to avoid moving 
the bar so that more PII is sent 1) than is currently sent and 2) than 
is necessary. I don't entirely know how to do that, but the diversity of 
answers across jurisdictions suggests that a fixed answer (e.g. send 
city and post code) will overshare for a non-trivial number of people.

Received on Monday, 18 March 2019 13:30:23 UTC
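As an added example (not part of the original message, and not code from the Payment Request spec or the Web Payments WG), the following JavaScript turns the "what is minimally necessary" analysis above into a merchant-side policy: it decides which fields of a shipping address a pre-completion tax/shipping quote actually needs, forwards only those, and reports which delivered fields were oversharing. The field names follow the `PaymentAddress` interface; the no-sales-tax states and the flat-rate "lower 48" rule come from the message. The non-US branch, the ZIP-keyed tax branch for other states, the dollar amounts, the sample address and the `fetchQuote` helper are all constructed assumptions for illustration.

```javascript
// Added example: models the message's data-minimisation argument as a
// merchant-side policy. PaymentAddress attribute names are the spec's
// (country, addressLine, region, city, dependentLocality, postalCode,
// sortingCode, organization, recipient, phone); the policy itself is constructed.

// From the message: US states with no sales tax; only the state is needed.
const NO_SALES_TAX_STATES = new Set(['NH', 'DE', 'OR', 'MT', 'AK']);

// Assumption for this example: flat shipping within the "lower 48", so the
// shipping quote only needs to know whether the destination is AK or HI.
const OUTSIDE_LOWER_48 = new Set(['AK', 'HI']);

const PAYMENT_ADDRESS_FIELDS = [
  'country', 'addressLine', 'region', 'city', 'dependentLocality',
  'postalCode', 'sortingCode', 'organization', 'recipient', 'phone',
];

// Which fields a pre-completion tax/shipping quote needs for this address.
// The non-US and taxable-state branches are constructed merchant policy,
// not a statement about real tax law.
function quoteFieldsNeeded(address) {
  const needed = ['country'];
  if (address.country !== 'US') {
    return needed; // assumption: this merchant quotes non-US orders by country
  }
  needed.push('region'); // state drives both the flat-rate decision and tax
  if (!NO_SALES_TAX_STATES.has(address.region)) {
    needed.push('postalCode'); // assumption: destination-based tax keyed on ZIP
  }
  return needed;
}

// The subset of the address a site should send to its quote endpoint.
function minimalQuoteView(address) {
  const view = {};
  for (const field of quoteFieldsNeeded(address)) view[field] = address[field];
  return view;
}

// Fields present in the delivered address that the quote does not need,
// i.e. the oversharing the message is about, measured per address.
function oversharedFields(address) {
  const needed = new Set(quoteFieldsNeeded(address));
  return PAYMENT_ADDRESS_FIELDS.filter((field) => {
    if (needed.has(field)) return false;
    const value = address[field];
    if (value == null || value === '') return false;
    return !(Array.isArray(value) && value.length === 0);
  });
}

// A quote computed from the minimal view only. Amounts are constructed.
function estimateQuote(view) {
  const domestic = view.country === 'US';
  const shipping = domestic && !OUTSIDE_LOWER_48.has(view.region) ? 5.99 : 14.99;
  const salesTaxApplies = domestic && !NO_SALES_TAX_STATES.has(view.region);
  return { shipping, salesTaxApplies };
}

// Constructed sample: the kind of object a page could receive on
// shippingaddresschange before the transaction completes.
const SAMPLE_OREGON_ADDRESS = {
  country: 'US', addressLine: ['123 Example St'], region: 'OR', city: 'Portland',
  dependentLocality: '', postalCode: '97201', sortingCode: '', organization: '',
  recipient: 'Jane Example', phone: '+15035550100',
};

// In a page, only the minimal view would be posted to the quote endpoint
// (fetchQuote is a hypothetical helper, not part of the API):
//   request.addEventListener('shippingaddresschange', (ev) => {
//     ev.updateWith(fetchQuote(minimalQuoteView(request.shippingAddress)));
//   });
console.log(quoteFieldsNeeded(SAMPLE_OREGON_ADDRESS)); // ['country', 'region']
console.log(oversharedFields(SAMPLE_OREGON_ADDRESS));
console.log(estimateQuote(minimalQuoteView(SAMPLE_OREGON_ADDRESS)));
```

For the Oregon sample, the quote needs only country and state, and `oversharedFields` lists everything else the address carried (street, city, post code, recipient, phone), which is the gap between "what the API delivers by default" and "what the use case needs" that the message describes.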