Commerce shows up on the Internet in two forms: the technology of commerce on the Internet and the psychology, philosophy, and economics of commerce. Let's talk about the latter first.
First, the Internet is not a mass of consumers waiting to buy what you want to sell. It may become that someday, but for now it is the closest thing to mass communication that the world has. Television, radio, newspapers, and magazines are almost entirely one way, allowing little or no feedback or interaction between the readers and the writers, whereas the Internet comes from a tradition of intense discussion of almost every issue imaginable.
Don't go onto the Internet with old ideas about marketing and sales--they won't work, and they'll do you great damage. Irate customers can easily make their views known to thousands of people. On the other hand, on the Internet word-of-mouth praise can spread faster than you thought possible.
Imagine a world in which Question Authority is a way of life, not a motto on a bumper sticker. And remember that much of your audience is in a position to evaluate, analyze, test, and comment on any exaggerated claims you might make for your product. Internet users are interested in solid information and technical responses to their problems, not hot air from public relations people. This is the culture of the Internet--it looks nothing like a Nielsen family.
The demographics of the Internet are changing. Users of the Internet are not just the young, white (nerdy) male computer students whom many people assume to be the Net population. For the last few years, partly because of Gopher, WWW, and WAIS, the Net has seen a huge influx of new faces. First, more and more university faculty, staff, and students are seeing the Internet as important to their research and communication needs. History and anthropology students and faculty are on mailing lists and run Gopher and Web sites. Many who once thought computers were only useful as word processors are now browsing the WWW and doing Veronica searches. In addition, the number of commercial hookups to the Internet has increased tremendously. Many companies want their employees to have access to the databases and information on the Internet. Finally, the major commercial online services, like America Online, CompuServe, and Prodigy, are racing to provide full graphical browsing of the Internet along with their commercial databases. Their users are even more varied.
For all these reasons the quantity and variety of potential users of your Internet publishing efforts have changed. But because the Internet is expanding so rapidly and is controlled by no one, it is impossible to say with any precision exactly what the demographics are. The Graphics, Visualization, and Usability Center of the College of Computing at Georgia Institute of Technology in Atlanta has made some valiant and sophisticated attempts to find out, however, at least for the WWW. The center ran its third WWW User Survey on April 10, 1995, and plans to resurvey every six months. (For results see <http://www.cc.gatech.edu/gvu/user_surveys/>.)
Georgia Tech received 13,000 responses to the April 1995 demographics questionnaire, which also had separate sections on WWW browser usage, consumer attitudes and preferences, and questions for Web service providers. The survey runs for a month, during which the center posts notices about it all over the Net. In addition, Prodigy placed a link to the surveys from Prodigy's entrance to the Web. Because the survey is voluntary, the center makes no claims about the representativeness of the data for the entire Web population. The center provides the data and results free of charge to the Internet community.
The Internet offers many opportunities in addition to direct sales. The opportunities consist of using the Internet's amazing interactive communications possibilities to complement other aspects of your business or organization. For example, you might
If you are thinking about making people pay for access to your Gopher, WWW, or WAIS servers, several factors make this more complicated than you might suspect. The solutions are being worked out, but each approach is different. This chapter attempts to describe some charging schemes that are in development or use and to explain how they are different. You must decide which, if any, you want to use.
Don't expect to get rich, but yes, some are making money on the Internet.
The officers of First Virtual Holding Company, one of the first transaction systems on the Internet (see Survey of Charging Techniques later in this chapter), say that thousands of dollars are coming in daily through its InfoHaus online "store." Author Stu Sjouwerman said that in 10 weeks he sold 200 copies of his book Make Money on the Internet . . . The Right Way at $10 per copy through InfoHaus.
In the spring of 1994 Laura Fillmore, president of the Online BookStore, told attendees at a Texas conference on making money on the Internet that they should expect to use imagination and creativity to come up with new approaches to publishing. Her speech, "Slaves of a New Machine: Exploring the For-Free/For-Pay Conundrum," is worth reading: <http://cism.bus.utexas.edu/ravi/laura_talk.html>. Her point is that the Net remains a learning experience for everyone, and it's not always possible to predict what you'll learn or whether you'll make money in the process. Check out the archive at <http://marketplace.com/obs/english/papers/top.htm> for some of her other talks and papers.
There are several different economic models for making money on the Internet. The first thing to think about is what exactly you are selling. Even something as seemingly simple as selling the text of a book or an article may present many different alternatives.
Here are some ways to approach online sales:
Table 7-1 lists several Net sites and resources where people are dealing with issues related to commerce on the Internet.
Once you get into the world of online commerce, you have to pay attention to a range of issues and concepts that could affect the security of any system you put in place. Some concepts and questions will prepare you to understand and evaluate the charging techniques that follow. Other questions constitute the beginning of a check list for developing a charging system that will meet your needs.
Digital cash is the electronic equivalent of cash money. Like cash it would be anonymous and come in different denominations. Various electronic commerce schemes are being developed to offer this capability over the Internet. Usually, they rely on some form of public key encryption or digital signature to determine the value and validity of this electronic currency.
Originally proposed in 1976 by Whitfield Diffie, a digital signature is a way to ensure that something composed entirely of electrons is actually a message sent to you by a certain person. Digital signatures usually use public key encryption techniques.
Lightweight security schemes are considered to have certain fundamental flaws that leave them open to attack by sophisticated programmers. But they can be useful when the value or security of what you need to protect is not likely to inspire sophisticated attacks. Heavy-duty security systems are considered safe from all manner of attack. Kerberos is one example of a heavy-duty security system. You can find out more about Kerberos at <http://www.contrib.andrew.cmu.edu/usr/db74/kerberos.html> or <http://nii.isi.edu/info/kerberos/documentation.html>.
Private key encryption is the type described in most spy novels. Someone uses a key or cipher to encrypt a document, and only those who have a copy of that key can decode the message. This is a powerful method, but it requires the safe transmission of the key between the people who need to see the message. Obviously, e-mail is not a safe means of transmission so this can be a problem over the Internet. One technique is to send it using public key encryption.
Public key encryption, the brainchild of Diffie, is based on the difficulty of finding the prime factors of extremely large numbers. This makes it possible to generate linked encryption keys: one is kept private, and the other is made available publicly. Both do one-way encryption; that is, whatever is encrypted using one key can only be decoded by using the other. If someone encrypts a message to you with your public key, only the owner of the matching private key (presumably you) can decrypt the message. To exchange encrypted messages both parties must have their own private key as well as the other's public key.
This section reviews some efforts to develop online charging. I'll attempt to explain how each works, as well as its advantages and disadvantages. Think of this as a survey of a growing field and inquire online for more information about any that catch your interest. This is a fast-growing field and changes come rapidly.
A series of papers at the AT&T Research site describes an anonymous credit card system that preserves the anonymity of the parties and the security of the transaction while arranging for payment for goods and services. <http://www.research.att.com/#acc>
CyberCash can be used to buy and sell information as well as hard goods. The CyberCash approach to Internet commerce is to establish a trustworthy link between the Internet and the traditional banking world (see Figure 7-1). A Reston, Virginia, company called CyberCash, Inc., has teamed up with Wells Fargo, the seventh largest bank in the United States, and Check Free Corporation, the leading electronic commerce company in the United States. CyberCash offers credit and debit card transactions and eventually plans to offer true digital cash that can be transferred among friends and strangers and not just merchants.
CyberCash allows credit card holders to encrypt their personal credit card data in a way that only CyberCash can decrypt. It goes like this:
CyberCash can handle charges, voids, and returns, as well as peer-to-peer transactions (direct exchanges between two equal parties) and transactions too small to handle through normal credit card channels. CyberCash will charge banks a fee for the consumer-to-merchant transactions, but the fee structure will be competitive with traditional systems. CyberCash fees for transfers between individuals are expected to cost about as much as a postage stamp. <http://www.cybercash.com/>
The DigiCash Corporation's ecash(TM) system (see Figure 7-2) provides an electronic equivalent for most functions of cash, especially anonymity. Ecash enables users to withdraw "digital coins" from their ecash bank and spend them across the Internet anonymously. This ability to cut the chain of interlocking information that invades privacy is one of the main goals of ecash and DigiCash's related plans for echecks.
Ecash was announced in May 1994 at the First International WWW Conference in Geneva; a $1 million open-ended trial run began in October 1994 during the Second International WWW Conference in Chicago. The trial uses a currency called cyberdollars or cyberbucks, which have no relation to any currency, living or dead. During the trial period (which has no set end date) DigiCash gives $100 in cyberbucks to every participant to spend in participating cybershops. More than 11,000 people have registered, and 5,000 have "spent" their cyberbucks.
Ecash, short for electronic cash (which is the same as digital cash), <http://www.digicash.com/ecash/ecash-home.html>, relies on public key cryptography to create digital signatures that are then used with random-number "blinding" to ensure the privacy of all parties. Ecash is a product of DigiCash, <http://www.digicash.com>, which has offices in Amsterdam and Palo Alto, California. DigiCash was founded in 1990 by cryptographic experts and has been involved in smart cards, security, and electronic payments systems.
The client software for ecash is available for Macintosh, Windows, and UNIX platforms after registration. The server software is available for UNIX WWW servers (both NCSA and CERN) and for Windows (but only for testing), and is under development for Macintosh WWW servers. Although DigiCash is running an ecash bank for the trial, it has no plans to link cyberdollars to any real currency. Instead, the company is discussing licensing arrangements with banks, financial institutions, and other organizations (possibly governments) that are interested in issuing ecash.
There are ecash shops, ecash customers, and ecash banks (although the cyberbucks have no value, the items and services being sold do). One of the main goals of ecash is to provide security, confidentiality, and auditability. Although it is not possible for the bank or government authorities to link the buyer to a specific transaction, it is possible for buyers to prove definitively (if they wish) that they have made a particular payment. But if they try to spend the coins more than once, they effectively leave a trail. The system is designed in such a way that anonymity is assured for only one transaction per coin. See DigiCash's Web site for additional details.
The ecash system works as follows:
First Virtual Holdings, Inc. (see Figure 7-4), which began providing services in late 1994, has a different slant on the electronic commerce problem. <http://www.fv.com/> Instead of developing complicated password and encryption schemes, First Virtual set out to design a system that does not need to send any confidential information over the Internet and does not depend on particular hardware or software.
First Virtual's solution is to replace your credit card number (which you provide by voice when you first sign up) with a First Virtual account that you use for all transactions. You might ask why First Virtual's account number doesn't run the same risks as a credit card number when passing over the Internet. But the account number alone is not enough to complete a transaction. No purchases are final until they are confirmed by e-mail with the purchaser. Although someone could lie and deny making a purchase, someone who does that often is going to lose their account. The system was designed to work from any country but initially requires a credit card (and for merchants a checking account) from a financial institution in the United States or Canada. Follow this link to reach First Virtual's FAQ: <http://www.fv.com/faq/index.html>.
First Virtual offers a software addition to Web servers that allows them to accept First Virtual payments. Buyers pay a $2 registration fee and no transaction charges. Sellers have a $10 registration fee and a transaction fee of 29 cents plus 2% of the value of the transaction, which is deducted from the amount paid by the buyer. Sellers also pay a $1 fee whenever a deposit is made to the seller's checking account. For those without servers of their own First Virtual offers InfoHaus, <http://www.infohaus.com>, an electronic go-between that will sell your items for you, for a commission, of course, and a monthly charge of $1.50 per megabyte of storage. According to Tom Gable, spokesman for First Virtual, InfoHaus merchants were doing thousands of dollars in sales per day in April 1995.
A transaction on the First Virtual system would proceed as follows:
First Virtual's system requires the sellers to be willing to allow buyers to download their product with no absolute guarantee of getting paid each time. But First Virtual does guarantee it will eliminate abusers from the system. Except for requiring a certain amount of trust, First Virtual's is an elegant system for certain types of sales and appears to be growing. Its main advantage is that all it takes to be a seller is an e-mail address and a checking account.
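The e-mail confirmation step is what keeps a First Virtual account number from being as sensitive as a card number. The added example below (not First Virtual's software and not part of the original chapter) models it; the Broker class, the confirmation token, the account and seller names, and the cutoff of three denials are all assumptions made for illustration.

```python
import secrets

MAX_DENIALS = 3  # assumed cutoff; the chapter only says "often"


class Broker:
    """Hypothetical payment broker: card data stays offline, only account IDs travel."""

    def __init__(self):
        self.accounts = {}  # account_id -> {"email", "denials", "active"}
        self.pending = {}   # confirmation token -> (account_id, seller, cents)
        self.outbox = []    # (email, token) messages "sent" to account owners
        self.settled = []   # confirmed charges handed on for card billing

    def register(self, account_id, email):
        self.accounts[account_id] = {"email": email, "denials": 0, "active": True}

    def request_charge(self, account_id, seller, cents):
        """A seller reports a sale. Nothing is billed at this point."""
        acct = self.accounts.get(account_id)
        if acct is None or not acct["active"]:
            return False
        token = secrets.token_hex(8)
        self.pending[token] = (account_id, seller, cents)
        # The token goes only to the mailbox on file, never to the requester.
        self.outbox.append((acct["email"], token))
        return True

    def reply(self, token, answer):
        """Owner's e-mail reply: 'yes' settles; anything else voids and counts a denial."""
        charge = self.pending.pop(token, None)
        if charge is None:
            return "unknown token"
        if answer == "yes":
            self.settled.append(charge)
            return "settled"
        acct = self.accounts[charge[0]]
        acct["denials"] += 1
        if acct["denials"] >= MAX_DENIALS:
            acct["active"] = False  # repeated denials cost the account
        return "voided"


def demo():
    broker = Broker()
    broker.register("fv-alice", "alice@example.org")  # constructed sample account
    results = []

    # Legitimate purchase: Alice reads the token in her mailbox and confirms.
    broker.request_charge("fv-alice", "infoshop", 1000)
    results.append(broker.reply(broker.outbox[-1][1], "yes"))

    # Someone who saw "fv-alice" on the wire uses it but cannot read her mail.
    broker.request_charge("fv-alice", "infoshop", 5000)
    results.append(broker.reply("guessed-token", "yes"))      # no valid token
    results.append(broker.reply(broker.outbox[-1][1], "no"))  # Alice denies

    # Two more denied charges reach the cutoff and the account is closed.
    for _ in range(MAX_DENIALS - 1):
        broker.request_charge("fv-alice", "infoshop", 100)
        broker.reply(broker.outbox[-1][1], "no")
    results.append(broker.request_charge("fv-alice", "infoshop", 100))
    return results, broker.settled


if __name__ == "__main__":
    print(demo())
```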
Mondex is an electronic cash smart card (a plastic card with a microcomputer chip embedded in it) that allows the safe movement of money over the Internet. Each time a Mondex card is used, the chip on the card generates a unique digital signature that is recognized by the other Mondex card involved in the transaction. The digital signature is the guarantee that the cards involved are genuine and that they are dealing with genuine Mondex signals. This recognition process also identifies the card for which the cash is intended, which means that a third party cannot intercept funds. Mondex is being launched in England by NatWest and Midland Banks in conjunction with BT (British Telecom). A test was started in Swindon, England, in July 1995. For additional information, see <http://www.mondex.com/mondex/home.htm>.
Carnegie Mellon University's Information Networking Institute is designing the protocols that will allow users with NetBill accounts to buy from merchants whose servers run NetBill software. The system would use a debit approach like a bank ATM card. The institute is designing the system so that it is possible to bill for 1-cent transactions (credit cards usually charge 25 to 50 cents per transaction); its focus will be network-delivered (downloaded) goods with a certified delivery protocol to guarantee delivery. The protocols will be open so that others can build on this technology. In February 1995 Carnegie Mellon and Visa formed a partnership to develop and conduct a precommercial trial of NetBill by the end of the year. For further information, see <http://www.ini.cmu.edu/netbill/>.
The constraints are that the system assumes realtime communication between three parties and it uses encryption (which limits its exportability). NetBill does not prevent redistribution of downloaded goods, although another project of the institute's involves encoding serial numbers in documents.
NetCheque/NetCash at <http://nii-server.isi.edu/info/NetCheque>, which is being developed at the University of Southern California's Institute for Scientific Information, works much like paper checks. It will require an electronic signature, and the payee will have to endorse with another electronic signature. Based on the Kerberos security software system and Prospero file system, users registered with NetCheque servers can write checks to other users. The other users or merchants then deposit these checks via an electronic clearing house.
NetCheque software was released in December 1994 for testing and development. It runs on SunOS. Its developers say it meets the following criteria:
Security--works on open networks but protects all parties to the transaction
Flexibility--allows different kinds of payments: personal checks, cashier's checks, credit cards, and eventually electronic cash
Scalability--can handle extremely large numbers of transactions
Efficiency--a per-transaction cost of a fraction of a cent
Unobtrusiveness--does not interrupt other computing activities and is expected to integrate easily with existing network and online software, such as CompuServe, America Online, and Prodigy
NetChex is a virtual checking account system for online transactions in development by Net 1, Inc., based in Phoenix. The client software runs on DOS or Windows machines and permits authorized users (members) to gain access to and transmit electronic checks for free. NetChex processes those electronic checks and generates an actual check that is sent to the merchant's bank. Without the client software the member cannot generate signature keys and access encryption algorithms. The software is copy protected so that it cannot be copied surreptitiously to another machine for fraudulent purposes. According to the June 26, 1995, edition of PC Week, NetChex is ready to unveil its system but is waiting to ally with a bank or larger partner. <http://www.netchex.com/>
Open Market's payment system, as embodied in its $4,995 WebServer, allows for the purchase of both hard goods and information. Open Market <http://www.openmarket.com/> uses existing Internet and World-Wide Web protocols, but it comes in separate parts, or modules, each performing a specific function. The modular design means that when improvements in authentication or security schemes (or some other part of the process) come along, the newer version can replace the appropriate module, and the server need not replace the entire system.
The Open Market purchase process goes like this:
Open Market has some advantages:
PayNet Corporation is working with the Thompson Publishing Group to develop a system that focuses specifically on business-to-business information. PayNet provides a service for niche business publications (such as Management of Aboveground Storage Tanks) that are distributed as newsletters and inserts to looseleaf notebooks. Most consumers don't pay $500 a year to subscribe to a newsletter, but many companies do.
PayNet is a three-party payment system; providers and customers register with PayNet and the customer gains access to any publication in the system. Companies can get reports similar to long-distance phone bills. Employees can allocate purchases to particular job codes and subscribe to publications or pay by access.
The billing approach is a hybrid of telephone and credit card billing systems. Like telephones, PayNet is designed to handle many small charges. PayNet's goal is to process 10-cent transactions economically, with the smallest transaction costing 1 cent. That would increase for larger transactions. PayNet relies on encryption for messaging. It can provide encryption for content, but that's not the focus. PayNet does not depend on a particular brand of encryption. Initially, PayNet will be for U.S. companies only because of the complexities of international payments.
PayNet is expected to work like this:
The PayNet server has to be online to complete the transaction, but there will be multiple servers so that one will always be available. For further information send e-mail to info@paynet.com.
Secure HTTP <http://www.commerce.net/information/standards/drafts/shttp.txt> is being developed by Enterprise Integration Technologies (EIT) as an extension of the HyperText Transfer Protocol to provide a secure means of transporting information across the Internet. Secure HTTP can be used in a wide variety of WWW contexts because it is concerned only with the way messages are formatted and the protocol by which they are exchanged. Secure HTTP is available to software developers through Terisa's SecureWeb client and server tool kits (see section on Terisa).
Netscape calls its solution to security problems SSL (Secure Sockets Layer) <http://home.mcom.com/info/SSL.html>. Netscape has proposed that the W3O working group on security consider SSL for "part of a general security approach for the Web." Netscape is also working with W3O and others to establish open security standards for the Net. Open standards mean that the details are openly available and not proprietary to any one company. Note that open protocols are what the Internet was built on. Netscape has joined with Terisa to develop a common security standard that incorporates both Secure HTTP and SSL.
Netscape's system works at a low level, below the application level, but above TCP/IP, to secure transmission privacy between a client and server, no matter what application they're running--FTP, Telnet, Gopher, Usenet News, e-mail, WWW, or anything else that comes along. Application messages between client and server are sent in encrypted form, using RSA's patented encryption algorithms.
Netscape's SSL provides three types of protection:
The key feature of Netscape's security scheme is that it would underlie the actual application you are using without interfering with it. So you could layer another security system atop SSL, flexibility that could prove useful.
Shen <http://www.w3.org/hypertext/WWW/Shen/ref/shen.html> is a security scheme being developed under the sponsorship of CERN and the European Union. The philosophy is to build as much as possible on existing RFCs, especially the Privacy Enhanced Mail (PEM) standard in order to encourage integration of e-mail, Usenet News, and Web systems. PEM is defined in a set of four RFCs (1421--1424) available at <ftp://ds.internic.net/rfc/> that define message encryption and authentication techniques for electronic mail over the Internet.
The Shen security scheme provides for three levels of security:
Terisa Systems was founded as a joint venture of Enterprise Integration Technologies (EIT) and RSA Data Security to formulate a security system for the WWW. The company did that with S-HTTP, but competitor Netscape Communications proposed its own scheme for network security. Both systems have advantages (detailed later), but it looked like they were going to fight for customers. For users and those wishing to sell on the Internet, such competition promised confusion, because some sites would require one security system and others would use another. An elegant solution was reached, however, when America Online, CompuServe, Prodigy, IBM, and Netscape Communications announced their intent to join Terisa as equity holders in the effort to develop Terisa's SecureWeb client and server tool kits, incorporating both S-HTTP and SSL by late 1995 (see Figure 7-5). These tool kits are aimed at software developers instead of end users or merchants.
The inclusion of America Online, CompuServe, and Prodigy in this venture is particularly important, because they are the three largest commercial alternatives to the Internet. This signifies how important they consider the Internet and Internet commerce to their future business. The move also bodes well for the rapid development of uniform standards for Internet commerce. <http://www.terisa.com/>
Some companies have avoided the wait for secure Internet commerce to develop by collecting money and credit card information offline. Voicemail systems or human telephone operators are often used to take credit card numbers over the phone and then activate the requested service online or supply the user with an authorization code that can be used safely via e-mail or online forms. Although the authorization code might be stolen via the Internet, it is not widely useful like a credit card number, so it is much less vulnerable.
An electronic magazine called WEBster came up with an ingenious method for selling its electronic text over the Internet (see Figure 7-6). For $29 you subscribe to one of its electronic magazines. Every two weeks you receive an e-mail table of contents. If you like some or all items on the list, you send an e-mail message requesting the articles. WEBster's specially modified list server accepts such requests only from registered subscribers. The payment for the subscription is handled entirely offline. The system enables WEBster to market to a much larger population--all those who have e-mail access, as opposed to those who have a WWW or Gopher browser. <http://www.tgc.com/webster.html>
Internet Publishing is not just about selling things, but this chapter is. Commerce is becoming part of the Internet, although the new forms of communication between companies and their customers may be more important than direct transfers of electronic cash or checks. The Internet isn't advertising as usual. Marketing on the Internet has a different flavor, because Internet users have the same ability to disseminate their message worldwide as do the corporations and organizations doing the marketing. Fitting into the changing Internet culture is a requirement for a company that wants to come off well. This is done by active participation in relevant newsgroups and mailing lists with an emphasis on solid technical information rather than marketing hype. Servers should provide free tools and information that are valuable, not just public relations hype.
Different economic models exist for making money on the Internet, which has room for many more. It's not clear yet whether Gopher, Web, or WAIS servers can directly pay for themselves through sales on the Internet. Many companies are experimenting with the technology. Some are using the experience to position themselves for the future and learn about related technologies (like multimedia CD-ROMs). Others are exploring different relationships with their customers and between different sections of their companies.
Some charging techniques are already in place (First Virtual and CyberCash) and others are in testing or coming online (DigiCash and CyberCash). The technology is being built into Web browsers and servers now and may come to FTP, Gopher, and others in the near future.