Re: [w3c/webpayments-payment-apps-api] Use PaymentRequest and PaymentResponse (#99)

> This proposal is wrong from a privacy perspective. The notion of how to design systems that preserve privacy is providing information only to those parties who need the information to do their jobs, and withholding it from all others.

You are exactly right. As I'm sure you are aware, [autofill has already been shown to be deficient in browsers from a privacy perspective](https://www.theguardian.com/technology/2017/jan/10/browser-autofill-used-to-steal-personal-details-in-new-phising-attack-chrome-safari) - and probably can't be changed without breaking the Web: it does exactly as you describe, it unwittingly leaks data without user consent.

My proposed solution gives more control to users by: 

 * Allowing the payment app to collaborate with the browser's autofill database, when both the payment app and the user want to. This is done through the payment app's UI - and in collaboration with the end-user.
 * Allowing the payment app to potentially hold different addresses than the autofill database.
 * Not having a browser's sync mechanism pass around sensitive data. This could become increasingly important in jurisdictions that coerce companies to share such data with government agencies [under secret court orders without public oversight](https://en.wikipedia.org/wiki/United_States_Foreign_Intelligence_Surveillance_Court). This particularly affects foreign nationals.

> This proposal violates that principle. It is quite possible that I, as a user, would not like my bank to know who I'm shipping gifts to, and they have no need to possess this information to perform their task. 

Then the user doesn't need to provide it to the payment app. That information can be provided to the merchant directly. That's what autofill is for. 

Additionally, just because a merchant says they need your address doesn't mean the user should trust them (and the browser shouldn't just be giving it out without the consent of the user - which, in my model, is negotiated between the user and the payment app through the payment app's UI).

> Moreover, if I'm using a Bitcoin app to provide my payment, and the key value proposition of that Bitcoin app is that it has little to no personal information about me, giving it my full name and shipping address defeats its purpose pretty much entirely.

Again, the user is not obliged to provide this information to the payment app. The point is to put the user in control: if the payment app fails to provide the requested information (e.g., shipping address, name, etc.) to the merchant, then the merchant can get that information autofilled by the browser. Or, failing that, the user types that information manually into the merchant's site.



-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webpayments-payment-apps-api/issues/99#issuecomment-276237217

Received on Tuesday, 31 January 2017 00:32:48 UTC