- From: Arshad Noor via GitHub <sysbot+gh@w3.org>
- Date: Mon, 02 Aug 2021 18:03:55 +0000
- To: public-webauthn@w3.org
While I do not deny that everybody benefits from _Transaction Confirmation_, there are many non-technical issues that need to be considered (some of which I highlighted earlier in this thread). But, here is another one. Have Banks, PSPs and browser manufacturers given any consideration to how they will comply with [GDPR](https://eur-lex.europa.eu/eli/reg/2016/679/oj) and [CCPA](https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5.&part=4.&chapter=&article) regulations wrt providing notice of consent to collecting personally identifiable information (PII) when registering FIDO credentials? While I am not a lawyer, I would consider a _credentialId_ PII since it does uniquely identify a specific individual to an RP. Among other information, CCPA considers a Consumer's _"..unique personal identifier, online identifier, internet protocol address, email address, account name, .."_ PII. GDPR's Article 7 and [CCPA's Section 999.305](https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/oal-sub-final-text-of-regs.pdf) have explicit statements on how a Consumer must be notified of the collection of PII and how consent must be received by the party collecting that data. In a cross-origin iframe (as shown in [sample screenshots for SPC](https://github.com/w3c/secure-payment-confirmation)), the prompts would definitely not comply with the law in my non-legal opinion - the Consumer _doesn't even know they're dealing with a third-party RP_ in the iframe! While the _card_ may be initially enrolled to be authenticated, generating new credentials with a _credentialId_ that uniquely identifies the Consumer is a different transaction/matter. A second consideration: in the event the Consumer's privacy is breached - not the Private Key, of course, but just the uniquely identifying _credentialId_ - who is responsible for this breach? - The Bank that registered the Consumer's credential in the iframe? - The Merchant/PSP that enabled the iframe to collect the PII? or - The browser manufacturer that facilitated the Merchant/PSP and the Bank to collect the PII? -- GitHub Notification of comment by arshadnoor Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1656#issuecomment-891224247 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 2 August 2021 18:03:57 UTC