- From: Charles McCathie Nevile <chaals@yandex-team.ru>
- Date: Wed, 23 Apr 2014 12:10:27 +0200
- To: "Joseph Potvin" <jpotvin@opman.ca>, team-webpayments-workshop-announcement@w3.org, "Web Payments CG" <public-webpayments@w3.org>, "Hannes Tschofenig" <hannes.tschofenig@gmx.net>
On Tue, 22 Apr 2014 11:58:31 +0200, Hannes Tschofenig
<hannes.tschofenig@gmx.net> wrote:
> Hi Joseph,
>
> those are indeed very good questions and I hope someone can share their
> views.
I expect lots of people can.
> After the workshop I was also wondering what exactly makes the payment
> topic difficult. My impression is that the technology is the easy part.
For some definition of easy, that's true.
> Everyone can come up with a new data model, new protocol extension, and
> crypto protocol. The tough part seems to be about finding the right mix
> of incentives for various parties to deploy the technology.
Right. Somethings that this means:
The cost of transactions needs to be reasonable, and at web scale that
includes currency exchange. The app-store model where the cost is 30% is
not viable for enormous segments of the market - although it is fine for
all kinds of pure-digital products where the marginal cost of shipping one
more unit is negligible, and could work for bottled water where the profit
margin is ludicrous, it's way too high for all kinds of important things.
If transactions are sufficiently cheap, it is possible to build a
distribution network by charging on top of them. If not, we build
monopolies or oligopolies like the present situation with credit cards.
There is enormous value to the world, both "morally" and financially, if
we enable individuals to pass relatively small amounts of money to each
other, especially across national and currency borders. Although it should
be noted that people who are currently making a lot of money doing so are
unlikely to want to help us make that business less lucrative by inviting
more competition and lower prices.
To paraphrase Jörg's statement on anonymity: It is pretty easy to build a
B2B network on top of a system that allows for individuals to give money
to each other. (After all, that's how our current infrastructure
developed). It is far more likely that it is VERY difficult to enable
individuals to transact using an infrastructure designed for B2B.
We need to understand the legal/political issues involved. There are
requirements to "Know Your Customer", to enable governments to fight
money-laundering, funding of organisations they don't like such as
terrorist, people-, arms- and drug-smuggling networks. We should recognise
that this will almost certainly also include ordinary opposition movements
and even social service organisations in some countries.
Similarly, in many countries banking is highly regulated. It is not
unreasonable to assume that very profitable banks will hire very effective
lobbyists to point out that if they are exposed to competition who are
allowed to operate on a lower overhead basis by skipping some of the
risk-management procedures banks are required to have in place, there will
be jobs and political funding at stake. Without assigning bad motives to
anyone, this would be a natural consequence of removing some of the income
of banks, and in democracies many politicians are naturally averse to job
losses since it affects their ability to get voted back to office to
continue all the good work they are doing. Thus it is far easier to build
an ecosystem that doesn't overturn the existing one entirely, but helps it
to evolve in ways that we can convince all the stakeholders to accept if
not like.
There needs to be a reasonably high level of security in the transaction -
i.e. you either need to know that it is very likely you are making the
transaction with whoever you think you are, and that it is prohibitively
expensive for anyone to "crack" it, or there needs to be a very low-cost
but effective way to reverse a transaction that went bad. Without this,
you will need a market in insurance which pushes up the transaction cost.
(This is something you have in many types of credit card transactions,
where "the system" silently absorbs the cost of a lot of fraud in exchange
for the fees they charge).
> It would have been useful to learn more from those who had been involved
> in some of those efforts to get a better understanding of why things
> failed.
I think I already said so, but the major failures I have seen were caused
by either having too little support at the start (which is my diagnosis of
what went wrong with W3C's 1990s efforts, along with most of the
electronic "cash" systems of the time), or building complexity that pushed
the cost too high (which is what happened to SET, the Visa/Mastercard
system of the time which was basically side-stepped by the porn industry,
who could easily afford the risk of dodgy transactions being reversed, and
then adopted more broadly as the necessary risk management became more
generally affordable).
Let's not overstate the security of the current frameworks. When you give
someone a credit card number, you *probably* now use a site with an
Extended Validation certificate - the ones with the green bit in the
URL/Address bar, and you *may* use some 2-factor authentication. But this
is a long way from universally true. And is very recent. And there are
constant examples of major organisations with enormous failures to secure
transactions. International airlines and car rental companies are the ones
I keep seeing, but I assume that all industries have a sliding scale of
effectiveness, including banking. There is also a lot of human involvement
in things like remittance networks, which I think, as alluded to above,
are one of the most important use cases that we should be addressing.
Enormous amounts of commerce were and to some extent still are transacted
on far less secure networks and systems. It seems reasonable to assume
that large-scale surveillance operations have collected massive numbers of
credit card details since the 1990s. Although many of those have probably
expired, many probably haven't although it appears that they are rarely
fraudulently used (or we would hear about it). They may even have been
thrown away again. We don't know how many such operations exist, but we do
know the number is greater than zero. We similarly know that stealing one
credit card for a single use is pretty easy (in terms of cost/benefit). So
it seems that a lot of our "security" is provided by people mostly not
being "thieves".
That's some potted thoughts that are probably worth about 2 kopecks. If
you could transfer that value to me because you agreed, we wouldn't be
having this discussion.
cheers
Chaals
> Ciao
> Hannes
>
> PS: The IETF has also done work in this area and it also failed:
> http://datatracker.ietf.org/wg/trade/charter/
>
> On 04/07/2014 01:15 PM, Joseph Potvin wrote:
>> Further to the wrap-up discussion about the creating on an Interest
>> Group
>> http://www.w3.org/2013/10/payments/minutes/2014-03-25-wrapup/
>>
>> Does anyone on these lists have the "two-decades view" of W3C
>> involvement with this topic?
>> http://www.w3.org/ECommerce/
>> http://www.w3.org/TR/EC-related-activities
>> http://www.w3.org/ECommerce/Micropayments/
>> http://www.w3.org/TR/NOTE-jepi
>>
>> Three questions:
>>
>> 1. What happened to those original efforts towards a W3C Specification
>> on eCommerce that would have included specifications on web payments?
>>
>> 2. What should we learn from substance and fate of those earlier
>> efforts?
>>
>> 3. Is there a need to "start" a new IG? Or might the W3C eCommerce IG
>> just re-convene, update its charter, and carry on?
>>
>> Joseph Potvin
>>
>>
>> On Thu, Apr 3, 2014 at 11:51 AM, Stephane Boyera <boyera@w3.org> wrote:
>>> Dear All,
>>>
>>> Thanks to the great help from the Web Payments Community Group and Manu
>>> Sporny, we just published a new cleaned version of the minutes of the
>>> workshop at
>>> http://www.w3.org/2013/10/payments/minutes/
>>> The agenda with links to slides and presentations is available at
>>> http://www.w3.org/2013/10/payments/agenda
>>>
>>> We are planning to circulate a draft report for your comments in the
>>> next 10
>>> days.
>>>
>>> Best
>>> Stephane
>>> --
>>> Stephane Boyera stephane@w3.org
>>> W3C +33 (0) 6 73 84 87 27
>>> BP 93
>>> F-06902 Sophia Antipolis Cedex,
>>> France
>>>
>>
>
--
Charles McCathie Nevile - Consultant (web standards) CTO Office, Yandex
chaals@yandex-team.ru Find more at http://yandex.com
Received on Wednesday, 23 April 2014 10:11:00 UTC