Re: [webauthn] Cross-origin credential creation in iframes (#1656)

While I do not deny that everybody benefits from _Transaction Confirmation_, there are many non-technical issues that need to be considered (some of which I highlighted earlier in this thread). But, here is another one.

Have Banks, PSPs and browser manufacturers given any consideration to how they will comply with [GDPR](https://eur-lex.europa.eu/eli/reg/2016/679/oj) and [CCPA](https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5.&part=4.&chapter=&article) regulations with respect to providing notice of consent to collecting personally identifiable information (PII) when registering FIDO credentials? While I am not a lawyer, I would consider a _credentialId_ PII since it does uniquely identify a specific individual to an RP. Among other information, CCPA considers a Consumer's _"..unique personal identifier, online identifier, internet protocol address, email address, account name, .."_ PII.

GDPR's Article 7 and [CCPA's Section 999.305](https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/oal-sub-final-text-of-regs.pdf) have explicit statements on how a Consumer must be notified of the collection of PII and how consent must be received by the party collecting that data. In a cross-origin iframe (as shown in [sample screenshots for SPC](https://github.com/w3c/secure-payment-confirmation)), the prompts would definitely not comply with the law in my non-legal opinion - the Consumer _doesn't even know they're dealing with a third-party RP_ in the iframe! While the _card_ may be initially enrolled to be authenticated, generating new credentials with a _credentialId_ that uniquely identifies the Consumer is a different transaction/matter.

A second consideration: in the event the Consumer's privacy is breached - not the Private Key, of course, but just the uniquely identifying _credentialId_ - who is responsible for this breach?

- The Bank that registered the Consumer's credential in the iframe?
- The Merchant/PSP that enabled the iframe to collect the PII? or
- The browser manufacturer that facilitated the Merchant/PSP and the Bank to collect the PII? 

-- 
GitHub Notification of comment by arshadnoor
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1656#issuecomment-891224247 using your GitHub account


Received on Monday, 2 August 2021 18:03:57 UTC