Re: [w3c/payment-request] Suggested emphasis of privacy protections (#628)

@marcoscaceres - creating an API that includes the private data in the first place is not all you can do to protect privacy; you can not include it in the first place. The PaymentResponse (which is what I believe the payment handler would get) doesn't need to have the fields and you can explicitly make it clear in the spec that payment processors should never get this data.
Which should be really easy to do, because as you state, they don't get it at the moment anyway and they don't need educating about it. So there is absolutely no need to be resistant to either the statement I suggested (that requires no data be sent regardless of consent) and potentially even removing the risky fields from the PaymentResponse.

Please decide on whether you care about protecting privacy, you've gone from:
1. It'll never be sent
2. User must consent (hmm... whatever consent means)
3. Stripe business case needs to track it
4. We trust these companies

If the W3C is making an internet for the people, it needs to put their protection first, not hand off trust to third parties who may or may not act in the same way in the future. It's not like we've got a history in our industry of companies not being evil and then very obviously losing multiple anti-trust lawsuits.

If all the W3C can do is create an API that leaves the door open for privacy invasion and get a working group to nod heads and state "you can trust us we're not doing anything evil at the moment", then that's a failure for the future: you're delegating protection of users to others outside of W3C and have lost control of protecting users of the internet.

The fintech industry you are dealing with is hopefully sensitive to W3C values. Would they be in the room if they told you they weren't? However, regardless of their noble intent, this is a spec for all areas of the internet and it'd be sad if your API is an enabler for further invasion of privacy in countries where your fintech peers aren't dominant today or may not be able to maintain dominance: once that happens the API will be used however those dominant in that country at corporate or even government level will choose.


-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-request/pull/628#issuecomment-331405794

Received on Friday, 22 September 2017 10:01:25 UTC