Web Payments Community Group Telecon

Minutes for 2014-04-09

Dave Longley is scribing.
Manu Sporny: Additional to agenda, Joseph said he wanted to talk about UNCITRAL stuff he'll be involved in during the next few weeks.
Manu Sporny: Any other updates/changes to the agenda?
David I. Lehn: Nope
No other updates noted.

Topic: Internet Governance Forum 2014

Manu Sporny: If folks will remember, last year we participated in the IGF, as a result, a number of orgs from there came to the web payments workshop, specifically, the british computer society, they had great input on identity, the world bank came as well, played a very big part talking about needs of world w/web payments
Manu Sporny: There were a number of other orgs as well, it was a very good outcome based on our participation in IGF.
Manu Sporny: So we should think heavily about how we should participate, Pindar, any thoughts?
Pindar Wong: Yeah, i'd like to speak in favor of our participation, if you recall last year we tried to design it so there were follow-on activities, so it would be more than just talking about policy issues involved, i'd like to also structure it so that any output from this year's IGF and any other meetings can be fed into W3C this year
Pindar Wong: One of the things that came up from last year was the tremendous interest in the web payments work and we'd like to deal with the issues more than just once a year, there's an interest in more than just talking about the issues, wanting to move forward w/actions
Manu Sporny: Talking about where we should take what can be standardized is what we want to do, we have to get into consumer rights issues, anonymity issues, things we got from talking about identity at the workshop, outlining the stuff that will happen at w3c on identity and getting input from IGF and talk about getting them to influence the work by discussing w3c's official group that will be looking at this
Manu Sporny: We're going to be creating technical standards, if people at IGF want to get involved they can come to w3c and work with the group
Pindar Wong: Yes, moving from the theoretical to the practical is very important, the deadline is 15th of april, so if we want to participate we have to get cracking
Pindar Wong: I'd be very happy to work with you to get something put together
Pindar Wong: I think seeing the results from last time is a positive indicator we should go, it would be worth while, i'd be happy to work with you to flesh out a proposal
Dave Longley: I agree w/ Pindar's thoughts - getting more feedback on the identity work would be helpful. [scribe assist by Manu Sporny]
Manu Sporny: Pindar were you thinking of focusing on web payments or identity+web and security implications, etc?
Pindar Wong: Given response from last year, the interface between identity and web payments is the crux of the issue and the IGF is a really good place to have dialog about interfacing, the issue of identity+identifiers with respect to payments is where we ought to focus
Pindar Wong: It's the interface that's important, the payment is the motivation. Dealing with the interplay with identity and anonymity is important and vital to address, etc.
Pindar Wong: Last year i made a mistake of not controlling presentation time and we can correct that this year and get a lot of good policy-level feedback on areas we would not normally have access to
Brent Shambaugh: +1
Manu Sporny: The one thing we were really missing at the web payments workshop was that kind of policy input, so IGF is important to get feedback from
Manu Sporny: So maybe Pindar and i can take this offline and report back to CG later
Pindar Wong: I'll have some time to work on this for the next few days
Manu Sporny: Good, let's work together on this. We'll take it offline and report back to the group when we have it figured out. Anything else on IGF?
Nothing else on IGF.

Topic: Getting United Nations' CITRAL Involved

Joseph Potvin: Is anyone familiar with UNCITRAL?
Pindar Wong: Yes, i am a bit
Joseph Potvin: They focus on international trade law, have some working groups for ecommerce and have a number of initiatives that seem to me to provide the legal environment in which the whole discussion w/w3c web payments seems to be situated, the way it works is they have delegates from numerous countries, they've been doing ecommerce since 80s, countries have their own legal positions, they produce a model/template law and that is taken and interpreted into the legal context of each participating country, as a result each country's legal tradition comes in, but across borders there are some common things that come into play because of the template, etc.
Joseph Potvin: A fair bit of work on nitty gritty details of ecommerce trying to determine the specific thing that is being moved around with the various ecommerce payments alternatives, whether a digital packet of money going around or is meta data about money, and if meta data, what is it, is it a bill of exchange, a promissory note, etc. when writing software you have to be really clear about classes and properties, etc.
Pindar Wong: The point about terminology about promissory notes and negotiable instruments, and getting to know the terminology in this space is really important if only to avoid potential friction later on, the terminology is quite key
Joseph Potvin: To give an example of the degree of headache: in 1978, the Bank of Montreal was shipping $5 bills and had an accident where the truck transporting the bills burned. The legal case went to the Supreme Court and the question was whether or not the Bank of Canada should re-issue those $5 bills. Are these bills "money itself" or are they "promissory notes" for the money? The result was a Supreme Court split decision 3-3. An interesting case synopsis is here: http://www.rdo-olr.uottawa.ca/index2.php?option=com_sobi2&sobi2Task=dd_download&fid=891&Itemid=842
Joseph Potvin: Even at highest court there is disagreement with what we're dealing with
Joseph Potvin: In the case of w3c potential specifications, i don't think we want to have ambiguity about the classes we're dealing with, so there's a legal side and a technical side to this, on tech side legal stuff becomes requirements for what's being coded, etc.
Joseph Potvin: Accounting entries that cause numbers to go up/down aren't money moving around and are at a level of systems architecture but it will be problematic if the community gets them wrong and courts start deciding that things are invalid
Manu Sporny: I definitely agree that we need to get the terminology right and make sure that it lines up with international law, my concern is that we don't want to create some kind of blocking item that prevents tech work from happening because we're waiting for legal decision to play out
Manu Sporny: This is the UN so it works in broad strokes, not low-level technical detail
Manu Sporny: There may be a mismatch with high-level vs. low-level language and a speed mismatch with how quickly w3c can work vs. UN
Pindar Wong: The phasing and expectations of when useful output from this group might interface is quite an important one, i think there is a phasing issue where these processes are deliberate and slow moving but i wouldn't actually say them informing our process is the right perspective, i'd look at it the other way around, getting them to shape their processes as ours evolve, the flow of the direction is a little bit back to front
Manu Sporny: I think that since Joseph is volunteering to participate in that work and is very motivated to do so, we should have him reach out to that group and be the liaison.
Pindar Wong: Absolutely, i'm in full support, nothing i've said should imply otherwise
Manu Sporny: I agree, joseph should reach out and liaise with them
Manu Sporny: But i agree with you pindar that the faster moving w3c process should inform the slower moving UN process
Pindar Wong: After first year they should be very aware of this group's existence
Manu Sporny: So in general, if Joseph wants to interface with that group, we should make first contact with them, make them aware of the work at W3C CG and the potential upcoming IG, and we want faster moving group to provide input to the slower moving group (faster=w3c cg, slower=UN)
Manu Sporny: And then there's a feedback loop where we get input from UN and put back into w3c cg
Joseph Potvin: I was just talking to someone on phone about w3c having observer status with that working group and i will follow up
Manu Sporny: It would be Wendy or Rigo. I'd be surprised if any one of them can make it, but they'd be the contact at w3c
Joseph Potvin: I'll try and arrange for w3c to have observer status and see if i can be the observer
Manu Sporny: Definitely clear that with w3c first, do not say that you're representing them.
Manu Sporny: You can't use their name without their permission
Joseph Potvin: Of course, I was going to clear it with them first.
Manu Sporny: It sounds like there's a lot of positive upside as long as we don't tie two groups together too tightly
Joseph Potvin: Bitcoin a good example of not getting legal stuff working early on then with a stroke of a pen all the tech work becomes bogged down by the legal ramifications.
Joseph Potvin: My experience over past 15 years working on this kind of thing ... as long as lawyers are comfortable with concepts being straightened out then they can move pretty quickly
Manu Sporny: Let us know if you need anything from us, otherwise ball is in your court, go ahead and make first contact, let us know how things go
Joseph Potvin: :-) I'll leave it at that. I'll follow up with Wendy Seltzer and keep you all informed

Topic: Web Payments Workshop Review

Manu Sporny: Web payments workshop very successful, more so than we thought there would be, lots of problems brought up (identity, payments) and general feeling that w3c should do something about them
Manu Sporny: We could have found out that there was no desire for w3c to address these problems, instead orgs thought there were lots of problems and w3c could and should solve them with relatively narrowly scoped work.
Manu Sporny: Minutes were cleaned up by web payments cg, we've gotten compliments about how nice they are, etc. there are 14 hours of minutes there so we can't go through all of them of course
Manu Sporny: We can hit 3 highlights on the call today, spending about 10 minutes per highlight ... any questions in general about workshop?
Pindar Wong: Slides were excellent and thanks for taking such outstanding notes
Brent Shambaugh: +1
Manu Sporny: W3c has a great history of being very open and transparent for these events and running them, etc.
Manu Sporny: Half of the people coming to the workshop were new to w3c and chatter afterwards was that attendees were very impressed with the community and people were trying to solve problems of a technical nature and not getting stuck on policy, etc. and most felt that everyone was really on point for most of the time there

Topic: Identity, Anonymity, Privacy, and Security

Manu Sporny: We're kind of going out of order ... it's ordered by items with most about interest at workshop
Manu Sporny: First item was somewhat tangential to payments, there was a big push at the workshop to try and address the identity problem on the web
Manu Sporny: In order to do a payment of any sizeable amount you have to sort out the identities involved in the transaction, to establish trust and sort out know-your-customer and anti money laundering issues, etc.
Manu Sporny: Identity was a huge topic at the workshop, 70% of the papers submitted stated that identity was a serious issue on the web, that we needed to figure out a way to transmit personal credentials without violating privacy, even for incredibly low-value transactions you currently have to give out too much personal data
Manu Sporny: There was a debate, one group saying eradicating anonymity, another one saying eradicating that would be like 1984 future, etc. good debate
Manu Sporny: Folks involved in the discussion were IETF, qualcomm, microsoft, w3c talking about webcrypto API and role played in identity space, Louise Bennett from the Chartered Institute for IT (British Computer Society) did a phenomenal job talking about balance between anonymity and privacy and security and balancing with the law, etc.
Manu Sporny: End result, personal opinion here, it would be very difficult for w3c to ignore identity problem for much longer
Manu Sporny: Big swell of w3c companies wanting to address the identity problem, 1. by itself it's a problem on the internet, 2. for payments use cases we have to figure identity problem out
Manu Sporny: Any thoughts so far?
Pindar Wong: Do you recall any specific comments about Lucy Lynch from ISOC?
Manu Sporny: She wasn't there, Karen O'Donoghue was (from IETF / ISOC). I emailed Lucy and she said she couldn't make it ... sent karen on her behalf
Manu Sporny: Karen did digital signature stuff at IETF, she co-chairs the JOSE working group.
Manu Sporny: Hannes Tschofenig in charge of OAuth work at IETF and strong proponent for getting anonymity and privacy right, was speaking on behalf of privacy and identity, and Wendy Seltzer from w3c were some of the strongest voices for supporting anonymity and privacy from day 1
Pindar Wong: I value Lucy's opinion/views deeply, she's a great star in this area, so was curious
Manu Sporny: She did help shape agenda for workshop, but was unfortunate she had a conflict and couldn't make it
Manu Sporny: It was interesting because at w3c ... i spoke with some w3c staff ... and my general input was you're going to have to do something about identity it's clear, and w3c said they tried to do something about this 3 years ago, we had a workshop and it wasn't clear what identity was, the problem wasn't clearly defined, and w3c is wary about picking it up again because it wasn't clear what identity is on the web, and it means a whole bunch of different things to different people, but now there are w3c orgs that want to solve very specific identity issues, like transmitting credentials across the web in a secure, private way, passport, license ID, citizen of a particular state/province, whether you have a degree from a university, an email address is another type of verifiable credential, etc.
Manu Sporny: We have put out the "Identity Credentials" specification via the Web Payments CG, OpenID Connect also exists, as do things like LTI - so we're not starting from scratch:
Manu Sporny: There's a blog post out there about this, it's a call for a credential-based login, there's a spec built someway off of persona, reuses best bits of web payments work, puts a stake in the ground to build off of, etc.
Manu Sporny: Pindar, if you could make her aware of the Identity Credentials spec work in the CG that would be great
Manu Sporny: I'll be pushing this myself in various places, we'll also be having a w3c plenary later where this proposal will be on the table in october, so this is something concrete to look at
Pindar Wong: Since we have IGF 2014 in september, plenary in october, maybe focusing on the identity issue would be best
Joseph Potvin: I provided a link on identity management in IRC, which connects in because it provides the pathway to communicate on all of this stuff with the ministries and departments of justice in these countries where this will matter where these things must be permitted within these jurisdictions, so once again it goes beyond the technical ability to resolve these issues, it also has to do with linkage w/justice departments, etc.
Brent Shambaugh: For security, I was trying to reach out to OWASP. Could I drop a link?
Manu Sporny: I agree, please get them involved and aware that this is going on.
Manu Sporny: Security was also a big thing that went along with identity, just like security+payments, brent added link about OWASP, can you give a background?
Brent Shambaugh: It's an open source security group that deals with mobile security.
Brent Shambaugh: They have a top 10 mobile problems list - password, identity, securing sensitive data, things like that.
Brent Shambaugh: I was really impressed with what they had put together, check out the Top Ten Mobile Risks list they have above.
Manu Sporny: Maybe one of the things we could do is just invite some of the OWASP people onto the call and chat with them, talk about there's work at w3c that might start in the next year, we'd like their input on it, etc.
Manu Sporny: Maybe also contact Natasha Rooney at GSMA as she may be in contact w/them as well.

Topic: Current and Future Payment Systems

Manu Sporny: This had to do with ... they got all of the big providers, big payment companies on stage to talk about where we are currently and where we need to go, there was a pretty big gap between what the current banks and payments companies were talking about and what folks like ripple labs and bitcoin companies and to some degree w3c were talking about
Manu Sporny: The groups were Worldline, The World Bank, Ripple Labs, The US Federal Reserve, CoinApex, and many others.
Manu Sporny: We didn't have a lot of feedback from the banks ... their position was mostly that nothing was so wrong that we couldn't make minor changes to make progress, etc. the input from the cryptocurrency providers was that there were fairly big problems that need to be addressed, international remittances, for example are absolutely awful, there was a lot of back and forth for where this w3c standard would go, the clear outcome from that was that there was nothing w3c could do to really modify current payment systems in the world, the w3c standards will have to apply to emerging nations w/no real banking infrastructure, or they will have to layer on top of existing payment systems today, the top layer will have to simulate the complex underwriting below
Manu Sporny: So payments will look faster to the customer but will still use old infrastructure underneath, which we expected
Manu Sporny: In the CG, we just need to build a shim that would hide complexities of the old system
Manu Sporny: The other thing is we can't create anything that changes the fundamental movement of money in the first iteration of this technology
Manu Sporny: So the thing we need to focus on has more to do with consumer facing tech ... than with back end banking systems.
Joseph Potvin: Connie, from the US Federal Reserve, indicated that there were technologies in Bitcoin that could improve payments for ACH-based systems.
Joseph Potvin: GIRO (spanish word, pronounced "Hero") banking is about moving money around but doesn't actually move money around, it's just a distributed accounting system
Joseph Potvin: Here is a nice summary of how GIRO works -- see the diagram on pg 2 http://www.abs.org.sg/pdfs/Financial/GIRO/IBG_Procedures.pdf
Joseph Potvin: One account goes up the other goes down
Joseph Potvin: And it can handle conversions as well, ACH is like this system
Joseph Potvin: The reserve bank of india is in the process of setting one up as well, these are different from other currency systems because the other ones move digital packets around
Joseph Potvin: And this is just accounting
Joseph Potvin: I'd like to reinforce what she said about that
Joseph Potvin: More attention should be paid to GIRO banking as well
Manu Sporny: What i'm trying to get across is that our ability to change ACH with a W3C spec is almost non-existent. That's something that the banks have control over and are probably not willing to change in any large way.
Joseph Potvin: There are many GIRO banking systems
Joseph Potvin: My recommendation is for the community to understand GIRO banking, and how it differs from conventional banking. GIRO is a business model for banking, not a brand.
Joseph Potvin: About what would a w3c spec be about? and it seems it should be about a generic GIRO spec ... and i don't think it would be about the kind of thing that ripple is, a GIRO wouldn't require anything like an XRP to (Joseph's audio becomes garbled and disconnects).
Manu Sporny: I think what he was going to say was that you wouldn't need XRP to do transactions, it's merely based on the trust of the banks in the network and w3c could try and standardize that. We'll have to have a whole conference call to talk about that, the feedback I got from banks is that they wouldn't be all that interested in making that big of a change to their systems.
Manu Sporny: It's too expensive for them, to the tune of tens of millions of dollars, unless it's fairly easy to make a technical change there, i'm a bit dubious whether w3c could accomplish that.

Topic: Initiating Payments and Digital Receipts

Manu Sporny: The key takeaway there is that we had agreement ... we heard that banks wouldn't be willing to do that, we heard instead that various people would be willing to standardize payments and a mechanism that's universal on all websites for initiating payments and a digital receipt and that dovetails into the discussion here ... i'm not disagreeing with Joseph just saying w3c may fail if we try to take a problem of that scope on.
Manu Sporny: Definite agreement around initiating payments and digital receipts at the workshop.
Joseph Potvin: There's no need to try to change or influence the incumbent banking solutions, but GIRO banking seems to me to be the model most suited to any eventual W3C spec on payments
Manu Sporny: Standardizing initiating a payment ... and then once initiated, regardless of which payment system you're using then is up to the payment provider and what they do is generate a standard digital receipt (standard across the web) so that the merchant can verify that digital receipt, so the only three things are really required to standardize. A basic identity/credential protocol, a simple protocol to initiate payments, and merchant-verifiable digital receipts.
Manu Sporny: That would open up the entire market to far more competition, it would mean you could plug and play payment providers, etc.
Manu Sporny: Visa, mastercard, paypal would all still exist, but banks could participate as well, they'd just run extra software on top of their systems, and also new payment providers could pop up and could operate in this space
Manu Sporny: All using these standards
Manu Sporny: So the first cut of the web payments work would have fairly narrow scope, measurable goals, we have use cases from CG, etc. it would be best way to proceed
Pindar Wong: On the issue w/payments and digital receipts, that's where i thought the CG was before Paris ... and afterwards we're at the same place, and that sounds like a huge win for the CG
Manu Sporny: Yup, people at the workshop were essentially playing catchup with the CG and it's great that we were in the right place
Manu Sporny: There was some gnashing of teeth by fairly large payments players about the CG predicting this
Manu Sporny: They wanted to say that for the first time a bunch of people came together and decided initiating payments and digital receipts was the way to go, but in reality the CG was there years ago.
Manu Sporny: But we don't need to hammer that home, it's more important that two fairly diverse/different groups/events came together and both agreed on the direction, etc.
Pindar Wong: Yup, no interest in bragging rights, just think it's huge win CG is in the right place
Pindar Wong: Identity in payments is going to be a big one, good to get more important from outside this field from IGF, etc.
Pindar Wong: For initiation of payments, digital receipts, this is a great outcome, great achievement
Manu Sporny: To be clear, everyone thought identity was a big problem and is important but not a clear path forward, just that it needs to be addressed
Manu Sporny: We're out of time for today
Manu Sporny: We will probably have a follow up conversation next week, tons of use cases to discuss, progress on specs that have been happening in parallel to discuss, etc.
Manu Sporny: I will be out in the bay area, silicon valley, next week April 16th-18th, in case any other Web Payments CG members want to meet up.

Created by the Web Payments Community Group. Shared with love under a CC-BY license. Thanks to our contributors.