Re: Web Privacy Principles

On 2023-03-29 0:45, Christine Runnegar wrote:
> The TAG’s Web Privacy Principles Task Force [1] has published an update to the Privacy Principles document.
> 
> https://www.w3.org/TR/privacy-principles/
> 
> This is part of the W3C’s ongoing efforts to promote and protect privacy on the web.
> 

It is nice to have principles but it is even nicer if you follow them:
https://www.w3.org/TR/secure-payment-confirmation/#sctn-privacy-credential-id-tracking-vector

    "However in order to obtain them from the Relying Party,
     the merchant already needs an as-strong identifier to
     give to the Relying Party (e.g., the credit card number)"

Giving merchants card numbers can hardly pass as privacy-oriented.  In addition, merchants do not need card numbers; they need confirmations that they are getting paid, something only the payment network can offer.

State-of-the-art payment authorization systems like Apple Pay do not suffer from this issue.

This was mentioned (by me) even before SPC was adopted as a WG item.  However, due to the political nature of the W3C, it was tabled (closed on GitHub) without discussions.

thanx,
Anders

FWIW, to cope with this as well as many other limitations (https://github.com/mozilla/standards-positions/issues/570#issuecomment-972578433) of SPC, another payment authorization scheme was developed:
https://fido-web-pay.github.io/specification/#introduction

This kind of system, though, is out of scope for the W3C since it challenges Google and Apple by offering a non-proprietary wallet in the browser.  By also enabling bank-to-bank payments, the design provides an alternative to the VISA/MasterCard oligopoly targeted by the W3C/SPC standard.

Web emulator: https://test.webpki.org/fwp/home

Received on Wednesday, 29 March 2023 06:56:09 UTC