Re: Identity and Payments Was: Mobile phone based ATM & payments solution

Dear Tim,
I'm just an engineer, that is, I'm neither a philosopher nor a lawyer.

Due to this limitation I have huge difficulties converting the things you are writing into some kind of specification.

As an engineer I'm better at highlighting specific areas, like the section in identity-credentials talking about governments "publishing" identity data to the web, which I find both unrealistic and unnecessary. The established scheme where you rather carry such data in a physical "container" is good enough and will, when housed in a phone, offer much higher usability as well as privacy enhancements.

There are exceptions though.  The ICAO is currently plotting with storing visas in e-passports which I believe is an extremely poor idea due to space limitations in security chips and AFAICT unresolvable access control issues.  e-visas can (IMHO...) be published if they are "protected" by hard-to-guess (cryptographic) URLs illustrated by the following in haste created e-visa sample:
http://webpki.org/visa/T7lOL7v4FWz73qfTxedvCQhO6KbQ_x7E2kx60PlOeWI.pdf

This is undeniably a very different access control concept than featured in WebID. Nothing though prevents you from combining "secret" URLs with group access control, like only admitting member states to actually dereference such URLs.

Cheers
Anders
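
Added example, not part of the original message and not webpki.org code: a sketch of the "secret URL plus group access control" idea above, using a 256-bit random token (43 base64url characters, the same length as the path segment in the sample URL). The `VisaStore` class, the `visa.example` host, the two-letter state codes and the premise that the requester's state was already authenticated elsewhere are all assumptions made for illustration.

```python
import hashlib
import re
import secrets
from urllib.parse import urlsplit

TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{43}")  # 32 random bytes, unpadded base64url


class VisaStore:
    """Hypothetical e-visa publisher: unguessable URL plus a member-state allowlist."""

    def __init__(self, base_url, member_states):
        self.base_url = base_url.rstrip("/")
        self.member_states = frozenset(member_states)
        self._docs = {}  # SHA-256(token) -> document; a leaked index reveals no URLs

    def publish(self, document: bytes) -> str:
        token = secrets.token_urlsafe(32)  # CSPRNG, 256 bits of entropy
        self._docs[hashlib.sha256(token.encode()).hexdigest()] = document
        return f"{self.base_url}/{token}.pdf"

    def dereference(self, url: str, requester_state: str):
        """Return (status, body). requester_state is assumed to be authenticated
        by some other layer (for example a TLS client certificate)."""
        # Group check first: non-members learn nothing about which tokens exist.
        if requester_state not in self.member_states:
            return 403, b""
        name = urlsplit(url).path.rsplit("/", 1)[-1]
        token = name[:-4] if name.endswith(".pdf") else ""
        if not TOKEN_RE.fullmatch(token):
            return 404, b""
        # Looking up by hash means response timing does not track how many
        # leading characters of a guessed token were correct.
        doc = self._docs.get(hashlib.sha256(token.encode()).hexdigest())
        return (200, doc) if doc is not None else (404, b"")


if __name__ == "__main__":
    store = VisaStore("https://visa.example", {"SE", "AU"})  # constructed sample data
    url = store.publish(b"%PDF-1.4 constructed sample visa")
    print(url)
    print(store.dereference(url, "SE")[0])  # member state with the URL
    print(store.dereference(url, "XX")[0])  # URL leaked to a non-member
```
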


On 2014-05-02 07:33, Timothy Holborn wrote:
> I appreciate the concern, and as much as I am equally concerned of potential ramifications, I consider a few concepts; along the lines of,
>
> 1. Current web2 systems do not seem to acknowledge natural entities in terms of economic stakeholders, very well.  The trend appears to treat "users" as economic resources, rather than that more broadly considered by citizenship.
>
> 2. Barriers to economic realisation of digitally communicated works, are high and often outside of reach for many natural legal entities without an employment contract disbanding their identity to that of an "agent" for an incorporated legal entity.
>
> 3. Remedy for breaches to human rights principles (ie: privacy) is often an economic consequence.  If nothing more than the fact that it's difficult to send an incorporated legal entity to jail. The ability to put a value on any legal breach (whether it be via contract law or other legal method) means "private data" could or perhaps should in theory, have both a value and an explicit agreement pursuant to use.  I consider the ways in which Creative Commons works for licensing, as a format that could be adapted, however, perhaps this is where a discussion should be had...
>
> Do you consider a Facebook "like" a form of payment? People can buy them. So, is there a tangential value to these types of actions?  Equally, a mailing list or call-centre list.  Are your details valuable to you or the collector of that information?
>
> Tangentially, a great deal of traffic is generated by different forms of spam.  Part of a solution to that economic and energy use problem, may be around acknowledging a natural legal entity's identity and attributing values to it, such as privacy.  Another adaption may be around opening up the loyalty information systems for small businesses, enabling "identity owners" to define permissions around relationship / communications...
>
> I think most of the human rights factors are about accountability, and acknowledgement of those human rights as an accessibly functional capability of a system.
>
> If web3 is capable of creating "priority date" stamps on documents, such as an email.  Then, a creative work is sent exclusively to a corporation who then exploit the intellectual property without remunerative considerations for copyright considerations (or related thereof); how can a dispute be easily arbitrated without the capacity to include an "offer statement"....
>
> We all need dignity in life.  The reality is that we achieve that, through economics.  I think the reality is that the two concepts are functionally linked, and without specifying a business model, I think perhaps the role of standards is to provide language for these concepts, rather than ideological decisions specifically - so, if business cases exist to do different things, they can be implemented in a way that does not necessitate a "golden handcuff" situation between users acting in good faith, and a specific corporation.
>
> Nonetheless, I don't imagine the two are necessarily implemented as a combined concept. 
>
> Not sure. Challenging the concepts is an important process.   How many people are subject to unlawful acts or breaches to agreements in an exploitative manner: through systems that are web connected?  I'd imagine most of the time most of those people have identity credentials stored and managed by the incorporated entity?  What are the implications of building systems that enable users to store and link their own identity credentials (say, on an rww system, in an institutionally provided "knowledge banking" account - being a secure cloud storage provider, similar to an institutional banking provider) to any commercial agreements, including employment / employee information, or citizenship systems, or medical, or as a service provider, consultant, etc.
>
>
> Sent from my iPad
>
>> On 2 May 2014, at 2:56 pm, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>>
>> I'm a bit worried that the idea of blending payment transactions and identity may open a can of worms for which we have no cure.
>> The internet standards community is very picky about privacy these days which essentially means the less identity information the better.
>>
>> Current EMV (card) transactions do (AFAIK) not provide any identity information except card number which is really just an account.
>>
>> I would at least try to specify in detail what identity may be needed for a specific payment scenario.
>>
>> Cheers
>> Anders
>>
>>> On 2014-05-01 09:12, Timothy Holborn wrote:
>>> Sent from my iPad
>>>
>>>>> On 1 May 2014, at 5:05 pm, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>>>>>
>>>>> On 2014-05-01 07:53, Timothy Holborn wrote:
>>>>> http://www.zdnet.com/cba-launches-cardless-atm-cash-withdrawal-service-7000028914/
>>>> thanx Tim, this is really interesting!
>>>>
>>>>> Implications
>>>>> 1. A definition of a "wallet"
>>>>> 2. Banking based interface for CNP (card not present) payments (receipt might be adapted via www of merchant system.  How's it tag the account / transaction, then link it back to a web-payments account system? )
>>>>>
>>>>> 3. If user can connect the "app id" to an online "web payments enabled" profile, then 
>>>>>
>>>>> A. transaction related data could be facilitated to an online account
>>>>> B. how could a merchant's online environment and crm be linked to physical retail environments?
>>>>> C. KYC issue seems to be sorted?
>>>> Regarding KYC I remain fixed in my belief that this has no room in a payment standard.
>>>>
>>>> Banks do not generally share customer info between each other and certainly not with merchants.
>>>> Not to mention that the amount of KYC and how you obtain it varies widely.
>>>> Paypal's scheme using a credit-card transaction + email round-trip is an example of a smart but still highly specific KYC method.
>>>>
>>>> Anders
>>> Perhaps, maintaining KYC, rather than establishing it specifically, in this business case.  KYC is probably the wrong term, but should explain the concept adequately. 
>>>
>>> WoT (web of trust), httpa (http accountability) - all similar concepts. 
>>>
>>> Accounts will trade data without a banking gateway.  This could be deemed a form of improvement to emailing market sensitive information to involved parties.
>>>
>>>>> Nb: web2 portals trade on user-data (insights, etc.) as part of the ARPU (average revenue per user) calc.  Traditionally banking relationships have not featured a great deal of profiling data, which could be valuable to advertisers in a similar way to the type of data generated in a web2 portal.
>>>>>
>>>>> Who is the trusted "cloud storage" provider, and how is that information made portable between providers (ie: end-user seeks to take their business elsewhere).  From w3 communities perspective, I guess, we're building standards to minimise potential lock-ins.??
>>>>>
>>>>> Timh.
>>>>> Sent from my iPad

Received on Friday, 2 May 2014 06:34:52 UTC