[w3c/payment-request] Privacy considerations concerning shipping cost calculation (#906)

In my Master's thesis, I found a set of issues with the Web Payment APIs (see #903 for further reference). This is one of the mentioned issues.

My assumption is that a merchant is considered to be potentially untrustworthy until the payment intent is expressed through clicking on a "buy" button and the creation of the PaymentRequestEvent.

Currently, the mechanism of PaymentRequestUpdateEvents does leak such information before the payment intent was expressed (although redacted to postal codes).

As the spec mentions in the _shipping address changed algorithm_:

> Unfortunately, even with the redactList, recipient anonymity cannot be assured. This is because in some countries postal codes are so fine-grained that they can uniquely identify a recipient.

This issue could be resolved by approaching the shipping cost calculation the other way round.
On many online platforms (e.g. eBay), a merchant specifies the shipping costs depending on the region/country/etc.
One could allow the same behaviour in the Payment Request API. 
By doing so, no sensitive shipping address information would leak to the merchant before paymentIntent.

A merchant would provide a data structure that communicates to the user agent the cost depending on the entered address (e.g. Germany: free, EU: 5€, international: 20€).
The user agent could infer the cost automatically through a lookup in said data structure, without providing information to the merchant.

I am aware that this might be a not too easy change to the spec, but I did want to contribute it to the discussion.

https://github.com/w3c/payment-request/issues/906

Received on Wednesday, 1 April 2020 14:33:46 UTC
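The region-based lookup proposed above, sketched as an added example (not code from the issue or from the Payment Request specification): the merchant supplies a cost table up front, and the user agent resolves the cost locally. The table shape, `resolveShippingCost` and `accessedFields` are assumptions for this illustration; the last helper records which address fields the lookup reads, showing that postal code and street never leave the user agent.

```javascript
// EU member states (ISO 3166-1 alpha-2) used to resolve the "EU" region group.
const EU_COUNTRIES = new Set([
  "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
  "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE",
]);

// Hypothetical merchant-supplied table, mirroring the issue's example:
// Germany free, EU 5 EUR, everything else 20 EUR. First matching rule wins.
const shippingCostTable = {
  currency: "EUR",
  rules: [
    { match: { country: "DE" }, amount: "0.00", label: "Free shipping (Germany)" },
    { match: { region: "EU" }, amount: "5.00", label: "EU shipping" },
    { match: {}, amount: "20.00", label: "International shipping" }, // catch-all
  ],
};

function regionOf(countryCode) {
  return EU_COUNTRIES.has(countryCode) ? "EU" : "INTL";
}

function ruleMatches(rule, address) {
  // Only the country code is consulted; city, street and postal code are never read.
  if (rule.match.country !== undefined && rule.match.country !== address.country) return false;
  if (rule.match.region !== undefined && rule.match.region !== regionOf(address.country)) return false;
  return true;
}

// User-agent-side resolution: returns the cost for the address without
// invoking any merchant code. Returns null when no rule applies, so the
// user agent can tell the user the merchant does not ship there.
function resolveShippingCost(table, address) {
  for (const rule of table.rules) {
    if (ruleMatches(rule, address)) {
      return { currency: table.currency, amount: rule.amount, label: rule.label };
    }
  }
  return null;
}

// Records which fields of `address` a lookup actually reads (constructed check).
function accessedFields(address, lookup) {
  const seen = new Set();
  const watched = new Proxy(address, {
    get(target, prop) { seen.add(String(prop)); return target[prop]; },
  });
  lookup(watched);
  return [...seen].sort();
}

// Constructed sample address: only `country` is ever touched by the lookup.
const sampleAddress = { country: "FR", postalCode: "75001", addressLine: ["1 rue Exemple"] };
```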