Re: [w3c/payment-request] Regulatory Compliance Support (#632)

@marcoscaceres
The spec is creating the privacy problem by adding the fields, so when you state:

> we (browser vendors) compete on privacy and security aspects

does that mean that the motivation here is to make people vulnerable by default, so browser vendors can compete to sell privacy to those who can afford to protect it (ie: not everyone wants to buy or can afford Apple products and thus Safari)?

I can understand browsers competing regarding aspects like disk encryption of any saved data; FIPS 140-2 compliance, secure synchronization between devices of payment methods, etc, there is a very understandable area for how secure and convenient the browser can make it for a user; but why compete on privacy? We had the discussion about budget tracking and as I explained that is very easily enabled by a separate API that hooks into this upon a user voluntarily adding this service in isolation of their payment methods. So privacy doesn't need to be lost by default.

I'm very worried by the above statement and I'm not sure how to read this other than you are direct conflict with the best interests of consumers and also organisations that are legally obliged to protect their consumers. If the motivation here is to allow freedom for the specification to not protect privacy so it can be selling point of browser vendors; then I would guess that  people and organisations that need payments with regard to sensitive data should be advise to go nowhere near this api (governments, healthcare/medicine vendors, minors. etc), which would be a sad state: w3c specs should be for all, not just for the least at risk.

@ianbjacobs thanks, I'm a bit busy this week, but will try to email soon.


-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-request/issues/632#issuecomment-332483531

Received on Wednesday, 27 September 2017 10:50:22 UTC