14:43:30 RRSAgent has joined #wpwg 14:43:30 logging to https://www.w3.org/2022/01/13-wpwg-irc 14:43:35 Meeting: Web Payments Working Group 14:43:47 Agenda: https://lists.w3.org/Archives/Public/public-payments-wg/2022Jan/0002.html 14:43:50 Chair: Nick 14:43:52 Scribe: Ian 14:43:56 I have made the request to generate https://www.w3.org/2022/01/13-wpwg-minutes.html Ian 14:55:15 present+ Ian_Jacobs 14:56:16 clinton has joined #wpwg 14:57:11 agenda+ Reminder of anti-trust and competition guidance 14:57:26 agenda+ Criteo review 14:57:40 agenda+ Context setting 15:00:07 present+ Nick 15:00:12 present+ Wendy_Seltzer 15:00:43 present+ Lionel_Basdevant 15:01:06 present+ Stephen_McGruer 15:01:10 present+ Joshua_Koran 15:01:35 present+ Anne_Pouillard 15:01:49 present+ Nick_Shearer 15:02:47 is there a different webex link for today? the normal one doesn't work 15:03:04 Anne has joined #wpwg 15:03:10 present+ Jonathan_Grossar 15:03:42 present+ David_Benoit 15:03:43 ty 15:04:11 present+ Philippe_Le_Hegaret 15:04:38 s/ty// 15:04:40 zakim, take up item 1 15:04:40 agendum 1 -- Reminder of anti-trust and competition guidance -- taken up [from Ian] 15:04:48 scribe+ 15:04:56 Ian: Some stage setting 15:05:08 Nick: Thanks everyone for joining today's call. 15:05:24 https://www.w3.org/Consortium/Legal/2017/antitrust-guidance 15:05:25 nick_s has joined #wpwg 15:05:27 ...as a reminder of antitrust and competition guidance 15:05:45 (...we share that when we have guests in particular) 15:05:48 zakim, take up item 2 15:05:49 agendum 2 -- Criteo review -- taken up [from Ian] 15:06:20 Ian: we started a member review for Payment Requests and Payment Identifiers. 15:06:34 ... we got an objection from Criteo, which I've been discussing with them 15:06:38 ian: For Payment Request and Payment Method Identfiers, we had two formal objections during member review, including one from Criteo 15:06:56 https://www.w3.org/2021/12/prapi-objs.html#criteo 15:07:02 ...we have addressed some of the concerns in editorial changes 15:07:51 Bastien has joined #WPWG 15:07:51 ...but there were some elements that we couldn't reach consensus 15:08:02 present+ Bastien 15:08:07 ...including topics that might be better addressed in a cross-group fashion 15:09:17 plh has joined #wpwg 15:09:20 As of this point the attendees have been Ian_Jacobs, Nick, Wendy_Seltzer, Lionel_Basdevant, Stephen_McGruer, Joshua_Koran, Anne_Pouillard, Nick_Shearer, Jonathan_Grossar, 15:09:24 ... David_Benoit, Philippe_Le_Hegaret, Bastien 15:09:32 ...In the end, we put forward a call for consensus without addressing the remaining issue 15:09:56 ...we have extended the CfC until tomorrow so that Criteo could address the group directly 15:09:59 present+ Susan_Pandy 15:10:03 zakim, close item 3 15:10:03 agendum 3, Context setting, closed 15:10:04 I see 2 items remaining on the agenda; the next one is 15:10:04 1. Reminder of anti-trust and competition guidance [from Ian] 15:10:09 zakim, close item 1 15:10:09 agendum 1, Reminder of anti-trust and competition guidance, closed 15:10:10 I see 1 item remaining on the agenda: 15:10:10 2. Criteo review [from Ian] 15:10:14 zakim, take up item 2 15:10:14 agendum 2 -- Criteo review -- taken up [from Ian] 15:10:25 Nick: I'd like to invite colleagues from Criteo to talk through the concern. 15:10:35 present+ Robert_Savage 15:10:42 Josh: Thanks everyone for coming today to hear our concerns directly. 15:10:56 ...I hope an interactive conversation will get us to a better outcome. 15:11:08 ...Ian laid out the perspectives he heard, and I tend to agree with most of them. 15:11:27 ...e.g., discussions of competition in other fora is a good thing, and that should not limit discussion here if there are particulars in this document that would raise concerns. 15:11:41 ...the summary of the outstanding concern we have is that standards can give rise to competition issues, 15:11:50 ...otherwise w3c would not have its antitrust guidelines. 15:12:08 ...the current specification does not yet acknowledge that implementers must not self-preference their own solutions in an anti-competitive manner. 15:12:18 ...we acknowledge that w3c cannot control what other organizations can do 15:12:37 ...our ask is not for that, but that the spec include text that would raise awareness. 15:12:40 ...some specifics: 15:12:59 ...section 14.5 says that browsers can rely on other considerations to do whatever they like 15:13:27 ...various statements in the specification are not about user choice or to facilitating transactions between merchants and users 15:13:30 JY_Rossi has joined #wpwg 15:13:47 ...we should not leave spec open-ended to whatever browser wants to do 15:14:15 ...we want to chat about this to see if we can come to some alignment even if we don't enumerate every possible behavior 15:14:36 ...we want to make sure spec does not lead implementers to violate existing w3c policy 15:15:12 ...suppose I control the user agent and also offer my own payment solution, I could put my solution at the top and even filter out other competitors 15:15:21 Nick: Any questions or comments? 15:15:47 q+ 15:15:51 Josh: Do people disagree? Is anything I said controversial? 15:15:54 ack Nick 15:16:32 Nick: I don't know that it's controversial. But I would disagree strongly with the proposed change. I don't believe it's appropriate for a standard to have normative language about what implementers must do in reference to laws that are themselves not defined in the standard. 15:16:54 ...the W3C antitrust and competition guidance is not referenced in any standard today. 15:17:09 ...it exists as part of our organizations all working together. 15:17:30 ...my second concern is: how do you determine that conduct violates antitrust and competition guidelines? 15:17:48 ...e.g., in some countries, it's a regulatory requirement that some payment methods be placed above others; in other countries it's not. 15:18:04 ...I see the concerns but do not support the language as proposed because I don't believe it's appropriate for a technical language. 15:18:18 Josh: We are not wedded to how the concern is addressed; we are open to any method to address the concern. 15:18:51 ...in other standards bodies, there is a pre-amble before each meeting (or referenced in other documents) that the work is not meant to be done in a cartel; we are here to generate open standards to facilitate interactions. 15:19:23 ...I don't think addressing an anti-competitive concern should be controversial; how do we ensure that the current spec is not supporting illegal activity. 15:19:39 ...regarding the point "how would we judge that conduct violates local law or this spec?" I would submit that that is not our job. 15:19:40 q+ 15:20:12 Josh: It's not the role of a standards body to judge the behavior. The standards body produces "neutral" technology that makes things easier ... we just want to be sure we are making the web a better place 15:20:46 ...there are some principles within W3C that guide decisions (e.g., privacy). I also think that decentralization is an important principle. 15:21:03 ack nick 15:21:18 s/Nick: I/Nick_S: I/ 15:22:20 Nick_S: I understand your position. W3C standards in some countries would be illegal (e.g., algorithms related to crypto). We don't speak to that in the standards. That's one of my fundamental objections here. You are taking a concept that is beyond the expertise of the participants on this call and insert references to legal language that is inherently non-normative. 15:22:36 ...there is no single global definition of anti-trust. 15:22:47 ...we have to be careful here; there is no precedent in W3C standards to speak to this topic. 15:23:07 ...it would be like the encrypted media extension spec saying "don't facilitate piracy"; it does not. 15:23:14 ...what's the difference in this case? 15:23:35 ..if we want to ensure that users have choice, are there ways to express that without making references to legal matters? 15:23:47 s/../.../ 15:23:48 ...it's a nuanced issue because there are multiple layers of choice here. 15:23:55 ...the merchant may have a preference 15:24:02 ...the implementer may have a payment method 15:24:05 ...the user has preferences 15:24:09 ...there are many stakeholders here. 15:24:39 ...can we find language that addresses that issue but in different ways? I think if we do it in this standard it will open a box that I don't think should be in W3C's remit. 15:24:50 Josh: You make some good points, Nick_S. 15:25:07 ...our hope is to address the concern; don't need to pursue the proposal as it was written. 15:25:23 ...we have also talked about priority of constituencies, for example. 15:25:41 ...but there is a difference between this spec and the other examples that were cited (piracy, use of cryptography) 15:25:54 ...in the other cases, neither one of those is part of an extant policy of W3C. 15:25:57 q+ 15:26:07 ...in the case of antitrust, there is W3C policy in this space. 15:26:16 present+ Chris_Wood 15:27:22 Josh: One approach could be to include a reference to the antitrust guidance to handle this objection. Without some fix, ambiguous language could be used to violate W3C policy. 15:27:27 ack N 15:27:51 Nick_S: My understanding is that the antitrust policy is for participants in the standards creation, not for implementers. 15:28:03 ....that policy is primarily to address interactions among participants while creating the standards 15:28:09 q+ 15:28:11 ...it's not clear that you can reference it in the standard. 15:28:13 ack wseltzer 15:28:34 wseltzer: Thank you, Nick_S. And thanks everyone for participating here. W3C has different types of policies with different origins 15:28:49 ...this one was written to govern the behavior of participants in w3c venues 15:29:13 ...while the same principles might apply to implementers and those using the technologies, 15:29:50 ...we don't currently have references to this policy in our specs for implementers. 15:30:01 ..that is why Ian proposed that this is a consortium-wide discussion. 15:30:14 I have made the request to generate https://www.w3.org/2022/01/13-wpwg-minutes.html Ian 15:30:45 q+ 15:31:00 Nick: I am hearing that referencing the antitrust policy in ways it was not designed for should not be done by the WG, but should be first addressed in the AB or wherever. 15:31:04 ack ben 15:31:20 s/..that/...that/ 15:31:21 David: I think I partially agree with Nick_S's suggestion that this is out of scope of the technical specification. 15:31:45 present+ JY_Rossi 15:31:59 ...perhaps in this instance, we could make reference that implementers of the standard need to be aware that there are obligations that need to be met. But the standard does not dictate how things are done. 15:32:30 q? 15:33:07 Josh: There's a nuance here that I'm seeing. We're not saying that each spec needs to add a ton of language asking people to become experts in local laws. 15:33:47 ...here's an analogy: if I were to propose a spec that required someone to pay a royalty, that would be rejected. That's what we are saying here, too. 15:34:21 ...we are saying that there is an existing W3C policy, and that this specification introduces ambiguities that could allow someone to violate that policy. 15:34:25 q+ 15:34:54 Josh: I don't think he intent was to allow disintermediation. Could we clean up the language such that an implementer could not simply say "I'm just following the spec." 15:35:27 Nick_S: I'd really like to see if we can find an approach without legal language. Here's an example that's tricky, for example if a payment service provider is compromised. 15:35:54 ...browser engines have revoked entire certificate authorities because either they've been compromised or issued bad certs. Browsers have unilaterally revoked them. 15:36:06 q? 15:36:20 ...one might want to make the argument that that was anti-competitive. But those actions were taken because the security interests of the user are so paramount that we have to do that and can't allow the behavior to continue. 15:36:46 ...you can imagine a scenario where a payment provide is acting in ways detrimental to the user, and implementers may need to take actions on the user's behalf. 15:36:54 ack nick 15:36:58 ...the challenge is how to define that. 15:37:09 q+ 15:37:50 Josh: I agree with you, Nick_S. In the spec already written, there are already enumerations of calling out to the user that there are security issues. But the problem is that there is nebulous language in the spec that could include "my own business reasons" and we don't think that's in the spirt of the specification. 15:38:11 ...we do not need to mention anticompetitive policy. We can bound the spec where it is currently unbounded. 15:38:17 ack smcgruer_[EST] 15:38:27 smcgruer_[EST]: Thanks Nick_S; I share many of your perspectives. 15:38:49 ...in terms of nebulous language: tricky especially where normative. 15:39:12 ...there's a delicate balance. Need, for example, to allow browser to react to not-yet-extant security concerns. 15:39:19 ...I took a look at points in the spec. 15:40:02 (Stephen reviews 3.3.6, 3.3.12, @@, 3.3.18) 15:40:26 smcgruer_[EST]: Of these, the most nebulous is 3.3.18; but it's tricky because it involves user experience. 15:40:50 s/@@/3.3.16.5/ 15:41:10 josh: Also 14.5 15:41:13 smcgruer_[EST]: That one is non-normative. 15:41:31 Josh: We are not saying you need to list every security concern. 15:41:49 ...if you are saying that we can limit browser stepping in ONLY for security and privacy, that would eliminate the ambiguity. 15:42:15 smcgruer_[EST]: I am sympathetic to that statement. Not sure whether trying to constrain the spec in that way could create problems 15:42:16 q+ 15:43:46 ack Ian 15:44:14 Josh: Perhaps rather than "when the user agent wishes" and instead something in the neighborhood of "when the user is protecting people for security or privacy" 15:44:22 ...eliminate the open-ended discretion. 15:45:22 Ian: I think speaking about "security and privacy" does not remove ambiguities in those spaces 15:45:30 q? 15:45:36 q+ 15:45:37 Josh: But if we could limit ambiguities to "security and privacy" that would be a step forward. 15:45:40 ack smcgruer_[EST] 15:46:20 smcgruer_[EST]: I would be interested in the broader w3c perspective on whether every exit condition in every API needs enumerated conditions. 15:47:08 Josh: Then we should block the current spec rather than moving forward. 15:48:20 Ian: Is "protect the user" open-ended? 15:48:43 Josh: There are many ways to protect the user that aren't about security and privacy. 15:48:58 (Ian was referring to "Optionally, if the user agent wishes to disallow the call to show() to protect the user, ") 15:51:21 q? 15:51:29 RRSAGENT, make minutes 15:51:29 I have made the request to generate https://www.w3.org/2022/01/13-wpwg-minutes.html Ian 15:51:37 Topic: Next steps 15:51:59 Nick: People who have concrete suggestions may send them to the mailing list. 15:52:11 ..otherwise we have a CfC that closes tomorrow. 15:52:54 ...thank you everyone for coming together today 15:53:09 ...we really appreciated the presentation 15:53:19 s/..ot/...ot 15:53:24 I have made the request to generate https://www.w3.org/2022/01/13-wpwg-minutes.html Ian 15:53:41 I have made the request to generate https://www.w3.org/2022/01/13-wpwg-minutes.html Ian 16:08:22 Gerhard has joined #wpwg