- From: Charles McCathie Nevile <chaals@yandex-team.ru>
- Date: Wed, 23 Apr 2014 12:10:27 +0200
- To: "Joseph Potvin" <jpotvin@opman.ca>, team-webpayments-workshop-announcement@w3.org, "Web Payments CG" <public-webpayments@w3.org>, "Hannes Tschofenig" <hannes.tschofenig@gmx.net>
On Tue, 22 Apr 2014 11:58:31 +0200, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:

> Hi Joseph,
>
> those are indeed very good questions and I hope someone can share their
> views.

I expect lots of people can.

> After the workshop I was also wondering what exactly makes the payment
> topic difficult. My impression is that the technology is the easy part.

For some definition of easy, that's true.

> Everyone can come up with a new data model, new protocol extension, and
> crypto protocol. The tough part seems to be about finding the right mix
> of incentives for various parties to deploy the technology.

Right. Some things that this means:

The cost of transactions needs to be reasonable, and at web scale that includes currency exchange. The app-store model where the cost is 30% is not viable for enormous segments of the market - although it is fine for all kinds of pure-digital products where the marginal cost of shipping one more unit is negligible, and could work for bottled water where the profit margin is ludicrous, it's way too high for all kinds of important things.

If transactions are sufficiently cheap, it is possible to build a distribution network by charging on top of them. If not, we build monopolies or oligopolies like the present situation with credit cards.

There is enormous value to the world, both "morally" and financially, if we enable individuals to pass relatively small amounts of money to each other, especially across national and currency borders. Although it should be noted that people who are currently making a lot of money doing so are unlikely to want to help us make that business less lucrative by inviting more competition and lower prices.

To paraphrase Jörg's statement on anonymity: It is pretty easy to build a B2B network on top of a system that allows for individuals to give money to each other. (After all, that's how our current infrastructure developed). It is far more likely that it is VERY difficult to enable individuals to transact using an infrastructure designed for B2B.

We need to understand the legal/political issues involved. There are requirements to "Know Your Customer", to enable governments to fight money-laundering, funding of organisations they don't like such as terrorist, people-, arms- and drug-smuggling networks. We should recognise that this will almost certainly also include ordinary opposition movements and even social service organisations in some countries.

Similarly, in many countries banking is highly regulated. It is not unreasonable to assume that very profitable banks will hire very effective lobbyists to point out that if they are exposed to competition who are allowed to operate on a lower overhead basis by skipping some of the risk-management procedures banks are required to have in place, there will be jobs and political funding at stake. Without assigning bad motives to anyone, this would be a natural consequence of removing some of the income of banks, and in democracies many politicians are naturally averse to job losses since it affects their ability to get voted back to office to continue all the good work they are doing.

Thus it is far easier to build an ecosystem that doesn't overturn the existing one entirely, but helps it to evolve in ways that we can convince all the stakeholders to accept if not like.

There needs to be a reasonably high level of security in the transaction - i.e. you either need to know that it is very likely you are making the transaction with whoever you think you are, and that it is prohibitively expensive for anyone to "crack" it, or there needs to be a very low-cost but effective way to reverse a transaction that went bad. Without this, you will need a market in insurance which pushes up the transaction cost. (This is something you have in many types of credit card transactions, where "the system" silently absorbs the cost of a lot of fraud in exchange for the fees they charge).

> It would have been useful to learn more from those who had been involved
> in some of those efforts to get a better understanding of why things
> failed.

I think I already said so, but the major failures I have seen were caused by either having too little support at the start (which is my diagnosis of what went wrong with W3C's 1990s efforts, along with most of the electronic "cash" systems of the time), or building complexity that pushed the cost too high (which is what happened to SET, the Visa/Mastercard system of the time which was basically side-stepped by the porn industry, who could easily afford the risk of dodgy transactions being reversed, and then adopted more broadly as the necessary risk management became more generally affordable).

Let's not overstate the security of the current frameworks. When you give someone a credit card number, you *probably* now use a site with an Extended Validation certificate - the ones with the green bit in the URL/Address bar, and you *may* use some 2-factor authentication. But this is a long way from universally true. And is very recent. And there are constant examples of major organisations with enormous failures to secure transactions. International airlines and car rental companies are the ones I keep seeing, but I assume that all industries have a sliding scale of effectiveness, including banking.

There is also a lot of human involvement in things like remittance networks, which I think, as alluded to above, are one of the most important use cases that we should be addressing.

Enormous amounts of commerce were and to some extent still are transacted on far less secure networks and systems. It seems reasonable to assume that large-scale surveillance operations have collected massive numbers of credit card details since the 1990s. Although many of those have probably expired, many probably haven't, although it appears that they are rarely fraudulently used (or we would hear about it). They may even have been thrown away again. We don't know how many such operations exist, but we do know the number is greater than zero. We similarly know that stealing one credit card for a single use is pretty easy (in terms of cost/benefit). So it seems that a lot of our "security" is provided by people mostly not being "thieves".

That's some potted thoughts that are probably worth about 2 kopecks. If you could transfer that value to me because you agreed, we wouldn't be having this discussion.

cheers

Chaals

> Ciao
> Hannes
>
> PS: The IETF has also done work in this area and it also failed:
> http://datatracker.ietf.org/wg/trade/charter/
>
> On 04/07/2014 01:15 PM, Joseph Potvin wrote:
>> Further to the wrap-up discussion about the creating of an Interest Group
>> http://www.w3.org/2013/10/payments/minutes/2014-03-25-wrapup/
>>
>> Does anyone on these lists have the "two-decades view" of W3C
>> involvement with this topic?
>> http://www.w3.org/ECommerce/
>> http://www.w3.org/TR/EC-related-activities
>> http://www.w3.org/ECommerce/Micropayments/
>> http://www.w3.org/TR/NOTE-jepi
>>
>> Three questions:
>>
>> 1. What happened to those original efforts towards a W3C Specification
>> on eCommerce that would have included specifications on web payments?
>>
>> 2. What should we learn from substance and fate of those earlier efforts?
>>
>> 3. Is there a need to "start" a new IG? Or might the W3C eCommerce IG
>> just re-convene, update its charter, and carry on?
>>
>> Joseph Potvin
>>
>>
>> On Thu, Apr 3, 2014 at 11:51 AM, Stephane Boyera <boyera@w3.org> wrote:
>>> Dear All,
>>>
>>> Thanks to the great help from the Web Payments Community Group and Manu
>>> Sporny, we just published a new cleaned version of the minutes of the
>>> workshop at
>>> http://www.w3.org/2013/10/payments/minutes/
>>> The agenda with links to slides and presentations is available at
>>> http://www.w3.org/2013/10/payments/agenda
>>>
>>> We are planning to circulate a draft report for your comments in the
>>> next 10 days.
>>>
>>> Best
>>> Stephane
>>> --
>>> Stephane Boyera stephane@w3.org
>>> W3C +33 (0) 6 73 84 87 27
>>> BP 93
>>> F-06902 Sophia Antipolis Cedex,
>>> France
>>>
>>
>

--
Charles McCathie Nevile - Consultant (web standards) CTO Office, Yandex
chaals@yandex-team.ru Find more at http://yandex.com
Received on Wednesday, 23 April 2014 10:11:00 UTC