Re: [w3c/payment-request] Richer negotiation re: address redaction? (#842) from Samuel Weiler on 2019-03-18 (public-webpayments-specs@w3.org from March 2019)

From: Samuel Weiler <notifications@github.com>
Date: Mon, 18 Mar 2019 06:24:09 -0700
To: w3c/payment-request <payment-request@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/payment-request/issues/842/473907871@github.com>

Restating my concern, which will hopefully answer @marcoscaceres and @ianbjacobs's questions.

I am concerned about "oversharing" - when an API, by default, automatically sends more identifying information than is sent now. This API is sending straight up PII (personally identifiable information). Because of that, it should meet a high bar.

For the two use cases presented - calculating sales tax and shipping costs before completion of a transaction - this API overshares in some cases.

Below are some examples that speak to what information is minimally necessary for the use cases. I could also point at specific merchants that ask for less info (since my concern is about what this API sends v. what is sent now), but looking at necessity of the information is probably more helpful in understanding the problem.

- In the US, billing address is typically not needed for sales tax calculations - those are based entirely on shipping address. Sending any portion of a billing address - at least pre-completion - is oversharing.

- In New Hampshire, Delaware, Oregon, Montana, and Alaska - US states which have no sales tax - the only portion of a shipping address needed for sales tax calculation is the state. Sending city or post code pre-completion is oversharing.

- Also in the US, shipping costs are often flat - or at least flat within the "lower 48" states. For the shipping use case, then, sending a city or post code pre-completion might be oversharing.

These examples are all from the US - a thriving market for online commerce. And yet even with the mitigations in place so far, this API still overshares. I imagine that similar oversharing happens when we look at other jurisdictions. What portion of which address is needed to calculate shipping cost or sales tax in the Cayman Islands? Do those calculations need anything more than the country? What about in Kenya?

Again, I want to avoid a default of oversharing - I want to avoid moving the bar so that more PII is sent 1) than is currently sent and 2) than is necessary. I don't entirely know how to do that, but the diversity of answers across jurisdictions suggests that a fixed answer (e.g. send city and post code) will overshare for a non-trivial number of people.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-request/issues/842#issuecomment-473907871

Received on Monday, 18 March 2019 13:24:31 UTC