Re: From W3C's eCommerce Interest Group of the 1990s to Today's Web Payments Discussion

On Tue, 22 Apr 2014 11:58:31 +0200, Hannes Tschofenig  
<hannes.tschofenig@gmx.net> wrote:

> Hi Joseph,
>
> those are indeed very good questions and I hope someone can share their
> views.

I expect lots of people can.

> After the workshop I was also wondering what exactly makes the payment
> topic difficult. My impression is that the technology is the easy part.

For some definition of easy, that's true.

> Everyone can come up with a new data model, new protocol extension, and
> crypto protocol. The tough part seems to be about finding the right mix
> of incentives for various parties to deploy the technology.

Right. Some things that this means:

The cost of transactions needs to be reasonable, and at web scale that  
includes currency exchange. The app-store model where the cost is 30% is  
not viable for enormous segments of the market - although it is fine for  
all kinds of pure-digital products where the marginal cost of shipping one  
more unit is negligible, and could work for bottled water where the profit  
margin is ludicrous, it's way too high for all kinds of important things.  
If transactions are sufficiently cheap, it is possible to build a  
distribution network by charging on top of them. If not, we build  
monopolies or oligopolies like the present situation with credit cards.

There is enormous value to the world, both "morally" and financially, if  
we enable individuals to pass relatively small amounts of money to each  
other, especially across national and currency borders. Although it should  
be noted that people who are currently making a lot of money doing so are  
unlikely to want to help us make that business less lucrative by inviting  
more competition and lower prices.

To paraphrase Jörg's statement on anonymity: It is pretty easy to build a  
B2B network on top of a system that allows for individuals to give money  
to each other. (After all, that's how our current infrastructure  
developed). It is far more likely that it is VERY difficult to enable  
individuals to transact using an infrastructure designed for B2B.

We need to understand the legal/political issues involved. There are  
requirements to "Know Your Customer", to enable governments to fight  
money-laundering, funding of organisations they don't like such as  
terrorist, people-, arms- and drug-smuggling networks. We should recognise  
that this will almost certainly also include ordinary opposition movements  
and even social service organisations in some countries.

Similarly, in many countries banking is highly regulated. It is not  
unreasonable to assume that very profitable banks will hire very effective  
lobbyists to point out that if they are exposed to competition who are  
allowed to operate on a lower overhead basis by skipping some of the  
risk-management procedures banks are required to have in place, there will  
be jobs and political funding at stake. Without assigning bad motives to  
anyone, this would be a natural consequence of removing some of the income  
of banks, and in democracies many politicians are naturally averse to job  
losses since it affects their ability to get voted back to office to  
continue all the good work they are doing. Thus it is far easier to build  
an ecosystem that doesn't overturn the existing one entirely, but helps it  
to evolve in ways that we can convince all the stakeholders to accept if  
not like.

There needs to be a reasonably high level of security in the transaction -  
i.e. you either need to know that it is very likely you are making the  
transaction with whoever you think you are, and that it is prohibitively  
expensive for anyone to "crack" it, or there needs to be a very low-cost  
but effective way to reverse a transaction that went bad. Without this,  
you will need a market in insurance which pushes up the transaction cost.  
(This is something you have in many types of credit card transactions,  
where "the system" silently absorbs the cost of a lot of fraud in exchange  
for the fees they charge).

> It would have been useful to learn more from those who had been involved
> in some of those efforts to get a better understanding of why things
> failed.

I think I already said so, but the major failures I have seen were caused  
by either having too little support at the start (which is my diagnosis of  
what went wrong with W3C's 1990s efforts, along with most of the  
electronic "cash" systems of the time), or building complexity that pushed  
the cost too high (which is what happened to SET, the Visa/Mastercard  
system of the time which was basically side-stepped by the porn industry,  
who could easily afford the risk of dodgy transactions being reversed, and  
then adopted more broadly as the necessary risk management became more  
generally affordable).

Let's not overstate the security of the current frameworks. When you give  
someone a credit card number, you *probably* now use a site with an  
Extended Validation certificate - the ones with the green bit in the  
URL/Address bar, and you *may* use some 2-factor authentication. But this  
is a long way from universally true. And is very recent. And there are  
constant examples of major organisations with enormous failures to secure  
transactions. International airlines and car rental companies are the ones  
I keep seeing, but I assume that all industries have a sliding scale of  
effectiveness, including banking. There is also a lot of human involvement  
in things like remittance networks, which I think, as alluded to above,  
are one of the most important use cases that we should be addressing.

Enormous amounts of commerce were and to some extent still are transacted  
on far less secure networks and systems. It seems reasonable to assume  
that large-scale surveillance operations have collected massive numbers of  
credit card details since the 1990s. Although many of those have probably  
expired, many probably haven't, although it appears that they are rarely  
fraudulently used (or we would hear about it). They may even have been  
thrown away again. We don't know how many such operations exist, but we do  
know the number is greater than zero. We similarly know that stealing one  
credit card for a single use is pretty easy (in terms of cost/benefit). So  
it seems that a lot of our "security" is provided by people mostly not  
being "thieves".

That's some potted thoughts that are probably worth about 2 kopecks. If  
you could transfer that value to me because you agreed, we wouldn't be  
having this discussion.

cheers

Chaals

> Ciao
> Hannes
>
> PS: The IETF has also done work in this area and it also failed:
> http://datatracker.ietf.org/wg/trade/charter/
>
> On 04/07/2014 01:15 PM, Joseph Potvin wrote:
>> Further to the wrap-up discussion about the creating of an Interest Group
>> http://www.w3.org/2013/10/payments/minutes/2014-03-25-wrapup/
>>
>> Does anyone on these lists have the "two-decades view" of W3C
>> involvement with this topic?
>> http://www.w3.org/ECommerce/
>> http://www.w3.org/TR/EC-related-activities
>> http://www.w3.org/ECommerce/Micropayments/
>> http://www.w3.org/TR/NOTE-jepi
>>
>> Three questions:
>>
>> 1. What happened to those original efforts towards a W3C Specification
>> on eCommerce that would have included specifications on web payments?
>>
>> 2. What should we learn from substance and fate of those earlier efforts?
>>
>> 3. Is there a need to "start" a new IG?  Or might the W3C eCommerce IG
>> just re-convene, update its charter, and carry on?
>>
>> Joseph Potvin
>>
>>
>> On Thu, Apr 3, 2014 at 11:51 AM, Stephane Boyera <boyera@w3.org> wrote:
>>> Dear All,
>>>
>>> Thanks to the great help from the Web Payments Community Group and Manu
>>> Sporny, we just published a new cleaned version of the minutes of the
>>> workshop at
>>> http://www.w3.org/2013/10/payments/minutes/
>>> The agenda with links to slides and presentations is available at
>>> http://www.w3.org/2013/10/payments/agenda
>>>
>>> We are planning to circulate a draft report for your comments in the
>>> next 10 days.
>>>
>>> Best
>>> Stephane
>>> --
>>> Stephane Boyera        stephane@w3.org
>>> W3C                +33 (0) 6 73 84 87 27
>>> BP 93
>>> F-06902 Sophia Antipolis Cedex,
>>> France
>>>
>>
>


-- 
Charles McCathie Nevile - Consultant (web standards) CTO Office, Yandex
       chaals@yandex-team.ru         Find more at http://yandex.com

Received on Wednesday, 23 April 2014 10:11:00 UTC