“PayPal has demanded that we monitor data traffic as well as customers’ files” (seafile.de)
1030 points by zolder on June 21, 2016 | 340 comments

> PayPal has demanded that we monitor data traffic as well as all our customers’ files for illegal content. They have also asked us to provide them with detailed statistics about the files types of our customers sync and share on https://app.seafile.de

That's a pretty big WTF right there.

I know PayPal has an overall pretty scummy reputation, but I still cannot imagine PayPal doing this because they themselves think they'll benefit from this data.

To me this seems like a demand which comes "upstream" from above PayPal, from its payment providers (VISA, MasterCard, American Express, etc.). Would I be overly paranoid to imagine these demands and claims are the result of lobbying by entities like the RIAA and MPAA? They do have a history of blocking payments to known pirate-friendly services, after all.

And as such, they clearly have too much power, and there needs to be some anti-discriminatory financial regulation to stop business-hostile practices like this from being lobbied and put in place.

Because this is just madness.

Welcome to the world of financial regulations!

You may not have realised, but banks and all financial institutions have been deputised by the regulators to be the financial police. They need to ensure that none of their clients use financial services to commit crimes or launder the proceeds of a crime, under penalty of heavy (up to multi-billion) fines. Particularly in the US.

I am pretty sure this is what is forcing PayPal to do this. And also why I wish good luck to startups who think they will disrupt this massively over-regulated industry.

I worked for a financial services related startup for a while and was involved in implementing KYC/AML protections and AFAIK there isn't any relation between this and those laws. KYC is simply identifying your customers (nothing related to what they are doing) e.g. drivers license info, home address, etc. AML has to do with financial instruments passing through a business' account from customer (a) to customer (b) (in some cases (a) and (b) being the same individual). Given they are processing subscriptions here it seems far more likely that this is somehow related to RIAA/MPAA, or at least a fear of said groups.

It's not about onboarding/general KYC since this isn't about end users.

PayPal does its own risk assessment for business partners; what I'm pretty sure this is, is a simple "classification" case.

Paypal classifies the type of business you are and if you belong to certain types of businesses they put some requirements on you based on regulations and their own internal requirements usually produced by their legal department.

Paypal has probably seen what happened to file sharing websites like Mega and if you are tagged as a file sharing service they want to ensure that you do everything to prevent it being used for piracy, including being able to audit it themselves and to be able to either put pressure on you or cut off their services if they think they are at too much of a risk.

Now I understand that Seafile isn't anything like Mega, but it's also not exactly on the scale of Dropbox. This also means that most likely no one at PayPal really knows what it is, or where they are heading business-wise, and so they just stick some additional requirements on them.

Also (this was true 2-3 years ago, I don't know if it is still the case), file-sharing websites and other sites where you can buy "premium currency", such as various online games, video chat apps (usually pornography), etc., are the main source of fraud from compromised accounts as far as PayPal goes. This on its own can bring on additional requirements from PayPal.

> KYC is simply identifying your customers

That's the minimum, but it's certainly not all there is to it.

Know Your Customer really means know your customer.

As one of many practical examples, when dealing with a legal entity such as a trust, merely identifying its officers is insufficient -- you must also identify the beneficial owner (BO). Effectively, this means that you have to look through all possible shell companies until you arrive at a natural person.

I don't know if you want to advertise lack of enforcement so loudly. Your practices would leave you vulnerable to litigation if one of your customers were laundering money or committing crimes through your service. You've done enough to survive an audit if there have been no issues, but you'd be found negligent if there are.

To be fair, boldfield did say "worked for ... for a while" which implies they're no longer with the company (which might be a story in its own right). Still, it's good advice for others chiming in who may presently be in the same position.

> Welcome to the world of financial regulations!

> You may not have realised, but banks and any financial institutions have been deputised by the regulators to be the financial police. They need to ensure that none of their clients use financial services to commit crimes or launder the proceeds of a crime, under the penalty of heavy (up to multi-billion) fines. Particularly in the US.

While I fully agree with this statement, PayPal's actions here seem excessive even by the broadest interpretations of anti-money-laundering regulations. Furthermore, AML regulations target a specific set of transactions and/or individuals.

"Monitoring all traffic for illegal content" is a vague statement that could mean anything. Illegal where? Illegal how?

Edit: I forgot to mention: PayPal operates as a credit institution (ie, a bank) within the EU, so the strict AML regulations the parent alluded to apply to it directly.

Paypal seems to have a long and ugly history of aggressive-yet-incoherent legal interpretations.

They lock down donations to any unpopular group, and refuse to release already-held funds. They freeze Kickstarter campaigns as soon as someone says the word "fraud", and cause the exact damage they're trying to prevent by tying up all the funds so neither backers nor creators can get the money.

They're incredibly capricious, and as far as I can tell have taken the stance that overcaution is always acceptable.

Because PayPal doesn't want to lose money from customers that use their complaint system or worse through chargeback from the credit card companies.

As far as donations for dubious causes go, well, if they think that it will either lose them business due to reputation, or worse lose them money if a government decides to freeze those funds, they will cut it off.

PayPal for the most part is not a fractional lender: when you have $1000 in a PayPal account, PayPal has to reserve the full amount. PayPal isn't protected from a run by central banks, and what limited protection it has is probably provided by underwriters, on not the most beneficial of terms.

If someone is opening a donation account for ISIS, anti-LGBT or whatever you might call an "unpopular cause", and that either causes them a huge PR headache or worse a government decides to freeze those funds, they lose a lot of money. This can be complicated even further since, while the funds are frozen, the users who transferred these funds might be eligible for protection under PayPal's own policies, and if not then they can always initiate a chargeback from their own credit card company.

Paypal has lost tons of money to fraud, and with the margins they have it's not surprising they err on the side of caution.

In the US, at least, AML regulations are whatever the regulators say they are.

I call BS on that.

It is true that banks will go a long way to try to satisfy banking regulators. But unless you have some evidence I am simply unwilling to believe that banking regulators can make up any restrictions they like without regard for the actual requirements of federal law.

> But unless you have some evidence I am simply unwilling to believe that banking regulators can make up any restrictions they like without regard for the actual requirements of federal law.

The actual requirements of federal law are often (intentionally) formulated on such a high level that in practice, the banking regulator does end up specifying the actual rules.

Say, for example, a federal law requires that banks "take reasonable measures to impede money laundering".

Now what those "reasonable measures" are is usually determined by the overseeing regulator (eg: the SEC). Sure, you can disagree with their assessment, but they'll fine you anyway and then, the best-case scenario is that after X years in court, the fine gets overturned.

Not only is that true, it's usually not even the regulators that are making up the final actionable items. Businesses hire independent auditors who need to make sure their clients are well clear of what the regulators would be concerned with, and so push them to go even farther. And of course, once you have passed one audit, the next year's audit will be even more strict, even if the regulations themselves have not changed. The auditors do need to justify their own employment, after all.

Coming from a bank (but with limited interaction with regulators), regulators usually try to work within the law. However, I would like to remind you the law is all contradicting and has literally tens if not hundreds of thousands of various laws each one with its own implications.

Point being, regulators can justify just about anything. That is why all large banks have an army of lawyers. They then work with regulators to find some middle ground.

The law is very complicated, but it generally gives regulators that actual power. They can make demands to specific banks. They can even make demands to specific banking systems; like, a regulator can go to a bank and say "You need to make your AML system do Y instead of X."

And the bank has to do it or they end up like HSBC. In fact, that was exactly why HSBC was fined billions. Regulators told them to do specific things, like use Form X in Iran instead of Form Y, or classify Mexico with risk measure N+1 instead of N, and they didn't do them. This is all in the various public records.

Are you sure that is "all" that HSBC did? Your explanation seems very simplified.

e.g. from https://www.theguardian.com/business/2012/dec/14/hsbc-money-...

"In some branches the boxes of cash being deposited were so big the tellers' windows had to be enlarged."

It's considered a given that money laundering occurs at every big bank. It's impossible not to happen at an organization of that size.

This entire subthread is about how AML is enforced. Specifically, it's enforced by regulators doing whatever they feel they need to do. The punishment wasn't for money laundering, it's for money laundering in a manner that obedience, according to the regulators, would have caught.

For international banks, it's especially arbitrary because regulations are so loose overseas. In the UK it's very easy to move small amounts anonymously. This is routinely used for small-time laundering by organized crime and banks are fully aware of it. The long arm of US law goes after UK banks handling Mexican dirty money, but not UK banks handling UK dirty money. A lot of what constitutes "illegal money laundering" is actually political.

Don't respond to hyperbole with hyperbole.

GP was making a vague reference to Rulemaking.

You should be willing to educate yourself, not be https://en.wikipedia.org/wiki/Rulemaking

Crimes. Yes.

But payday loan companies and credit cards that charge 29% interest plus hundreds of dollars in fees to "help people with poor credit" are fine.

Supporting US government entities in defense that kill tons of innocent people every day; that's fine too.

Self regulating? Man that works so well, especially in 2008. We're going to let you keep doing that too.

Weed stores in states where it's legal? Hi it's the DEA. We're confiscating these accounts for you. Here's a fine (at least until later this year, but still only for medicinal marijuana)

It's a cluster fuck of bullshit. Of course you can always use a different payment provider, but with PayPal being just so damn easy with very little competition, it's like saying if Amazon removed your eBook, just publish it somewhere else. The trouble is the distribution networks are so big that they become the only means of distribution. If you control 90% of the market and shut down a DropBox competitor, you're choosing which companies succeed.

> Self regulating? Man that works so well, especially in 2008.

What self regulating existed in 2008? Banking and finance have been hyper regulated for decades. There are no industries more regulated than those. There was no self-regulating and you won't be able to point to any substantial self-regulating that caused the housing bubble and crash (unless you're talking about the Fed's low interest rate policies). The SEC, Fed, FHA, CFPB, and Treasury were intentionally looking the other way while vast fraud was occurring because all of the voters were getting rich off of housing and stock market bubbles. The Fed was laughing during their meetings about the bubble, you can read the minutes today.

Oh yeah, and guess what, housing is higher today than it was at the bubble peak (and so is the stock market mini-bubble today). So are we self-regulated again now? Nope, we're even more regulated now, with all the big banks directly and strictly under control of the Fed; it all has to do with artificially low interest rates, which is universally understood at this point - the Fed now openly admits to creating asset inflation to try to spur the economy.

Regulation has done a great job in several industries of concentrating the industries into a few major players, because it is incredibly difficult to comply for new/small companies. Banking and finance is one, telecom is another.

Telecoms got itself monopolised just fine before regulations came along. AT&T sealed in the concept of operating as a regulated monopoly. But that goes back to 1913.

There are industries which tend naturally toward monopolies, with transport, communications, broadcast, and software among them. There are also industries which tend naturally away from monopolies, such as sandwich shops, cement providers, and laundromats.

(Not that there cannot be some concentration, or even national chains among these. But they're rarely dominant.)

Would you say that industries with heavy network effects tend towards monopolies, while those without tend to produce more competition?

That's a large part of it.

Transport, comms, banking, and information technology, tend toward monopolies.

Consulting is a mixed bag -- if you're relying on creativity, not so much, but if you're relying on marketing and business contacts, both of which are far more a network effect (with strong lock-in elements), yes. Contrast your typical small-gig design shop vs. the Big Declining n Accounting Firms, or IBM and Oracle (consulting / business services).

Retail can be local (small effects) or global: large grocery stores, WalMart, Amazon.

There are other effects as well. I've been curious about Maersk's adoption of ultra-large cargo ships, even as shipping volumes have been falling. While there's a financing-design-build lag, there's also the possibility that having and operating a large ship puts pressures on other operators -- if you're operating and loading, you're taking cargo which would go onto smaller vessels.

It's complicated.

Part of this also plays into concepts of what and how technological mechanisms actually function: https://ello.co/dredmorbius/post/klsjjjzzl9plqxz-ms8nww

I'd include among "network effects" urban and even empirical structures.

[citation needed]

Lobbying from these industry players for bad regulation might have helped, but regulation is usually nothing bad. I'm happy in the EU knowing that most stuff I can buy is at least to some degree vetted for killing me.

> But payday loan companies and credit cards that charge 29% interest plus hundreds of dollars in feeds to "help people with poor credit" are fine.

Nope, you do not even need to commit crimes to be targeted by the DOJ:

Payday loan companies in particular were hit hard by Operation Choke Point in 2013 (I worked at a "lending startup" that was targeted and had to pivot; a lot of payday/consumer lending companies ended up shutting down).

Right, all those bad things you mentioned are not crimes, because we have not passed laws against them.

Have they been deputized into service or pressed into mandatory service? My understanding is that the Know Your Client (KYC) laws are mandatory, with multi-billion dollar fines for companies who violate them. (HSBC has gotten into trouble with this recently)

Correct, it's mandatory service.

I think what the grandparent meant to say with being "deputized to be the financial police" is that the extent of this mandatory service has become so substantial that financial institutions often are left with the feeling that they are performing work (at their own expense) which feels like work that law enforcement should be doing.

It used to be that law enforcement pointed out the bad guys, or even just suspects, to you. Now, you're supposed to identify and report possible bad guys to law enforcement.

There's nothing wrong with that on principle, of course, but in practice, every bank must now train some personnel to detect not only suspicious individuals or transactions, but even suspicious patterns of transactions.

And that's when you start feeling like you've been deputized -- it feels like you are performing a criminal investigation on behalf of others.

> They need to ensure that none of their client use financial services to commit crimes

There are also laws that give financial institutions due diligence obligations to ensure they're not facilitating "unsanctioned boycotts".

Yeah, in the USA. But this is Germany and the EU, and you violate either PayPal's terms or the laws of the country.

The same position is true for UK and EU as for USA: a firm handling money can't accept it unless they've done anti-money laundering checks. This includes e.g. identity checking, and checking both sender and sometimes also recipient for criminal associations.

That doesn't seem entirely clear.

For example, Seafile could have said "Files are accessible only to one customer. It is of course possible to share passwords. However, we use geoip to monitor the number of locations used by each customer, and take appropriate action when a customer's set is oddly large. This should effectively block the use of Seafile for piracy." Perhaps Paypal would have said no, but perhaps yes.

I don't agree that Seafile should be under any obligation to do that. If customers want to share files, let them. Storage services shouldn't ever look at what the files contain or their metadata.

edit: looks like paypal openly states it won't process for file sharing services who don't monitor content. I guess most services that don't have a high dispute rate...

Last year I saw a customer (not at Seafile) who accessed our (paid) service from 20 different countries on the same day. Do you think that customer travelled to all those countries on that day? Do you think we were wrong to look for such globetrotting customers? Do you think we were wrong, or Seafile would be wrong, to look for customers who share their account with their hundred best friends?
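As an added illustration of the geoip check described in this comment and the earlier one (a count of how many countries each customer logs in from per day), here is a small Python script that is not code from the thread, from Seafile or from the poster's own service. It reads constructed login records, resolves each IP to a country through a tiny table that stands in for a real GeoIP database, counts distinct countries per account per UTC day, and reports accounts above a threshold. The log format, the IP-to-country table and the threshold value are all assumptions made for the example.

```python
"""Added example (not from the thread or from Seafile): flag accounts whose
logins in a single UTC day come from an unusually large number of countries.

Assumptions (constructed for this example): the log line format, the
IP-to-country table standing in for a GeoIP database, and the threshold.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed stand-in for a GeoIP lookup; a real deployment would query
# a GeoIP database here instead of a hard-coded table.
IP_TO_COUNTRY = {
    "203.0.113.10": "DE", "203.0.113.11": "DE",
    "198.51.100.5": "US", "198.51.100.9": "BR",
    "192.0.2.7": "JP", "192.0.2.8": "FR", "192.0.2.9": "IN",
}

# Constructed sample log lines: "<ISO-8601 UTC timestamp> <account> <ip>".
# "bob" logs in from five countries on 2016-06-20; "carol" uses an address
# the table cannot resolve.
SAMPLE_LOG = """\
2016-06-20T08:01:00Z alice 203.0.113.10
2016-06-20T12:30:00Z alice 203.0.113.11
2016-06-20T09:00:00Z bob 198.51.100.5
2016-06-20T09:05:00Z bob 198.51.100.9
2016-06-20T09:10:00Z bob 192.0.2.7
2016-06-20T09:15:00Z bob 192.0.2.8
2016-06-20T09:20:00Z bob 192.0.2.9
2016-06-21T10:00:00Z bob 198.51.100.5
2016-06-20T11:00:00Z carol 10.0.0.1
"""


def parse_line(line):
    """Split one log line into (aware UTC datetime, account, ip)."""
    ts_str, account, ip = line.split()
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, account, ip


def country_for(ip):
    """Return the ISO country code for an address, or None if unknown."""
    return IP_TO_COUNTRY.get(ip)


def countries_per_account_day(log_text):
    """Map (account, YYYY-MM-DD) to the set of countries seen that day."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, ip = parse_line(line)
        country = country_for(ip)
        if country is None:
            # Unresolvable (e.g. private) addresses are skipped rather than
            # counted, so they can neither inflate nor hide a count.
            continue
        seen[(account, ts.date().isoformat())].add(country)
    return seen


def flag_globetrotters(log_text, max_countries=3):
    """Return {(account, day): sorted countries} for days over the threshold.

    The threshold is deliberately a parameter: a household streaming plan and
    a product sold to distributed teams warrant very different values.
    """
    flagged = {}
    for (account, day), countries in countries_per_account_day(log_text).items():
        if len(countries) > max_countries:
            flagged[(account, day)] = sorted(countries)
    return flagged


if __name__ == "__main__":
    for (account, day), countries in flag_globetrotters(SAMPLE_LOG).items():
        print(f"{day} {account}: {len(countries)} countries {countries}")
```

The script only produces a list; what to do with it is a product decision. The thread itself gives the two reasonable readings of a high count (a shared or compromised account versus a distributed team), so a sensible default is to treat a hit as a prompt to notify the account owner, as the later comment asks for, rather than as grounds for automatic action.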

Yes, you were, of course, it's none of your damn business what your customers use your product for as long as they pay for it and it's not obviously illegal. If you are concerned about resource usage, limit the resources that you sell per account, and then enforce that limit if you like, but don't stick your nose into other people's lives.

And I must say I find it particularly strange that you seem to find it somehow impossible how someone could use an internet service from 20 countries in one day. I mean, it's the internet, right? A computer on every continent is only a few mouse clicks away. And international teams, either of freelancers, or of employees of a company, working together on projects, isn't exactly unusual either.

How can it be "not obviously illegal" if you're not checking? Side note: piracy is illegal in a lot of countries.

If my account was accessed from 20 different countries in a day you can be damn well sure I'd want to be given a heads up too, as it's likely my account has been compromised.

> How can it be "not obviously illegal" if you're not checking. Side note, piracy is illegal in a lot of countries.

How could something be obvious if you have to check? Lots of stuff you can do in an apartment is illegal, too. That's still no reason for a landlord to install cameras to check. It's just none of their damn business.

It's obvious if a potential customer asks whether your service is good for warez hosting, or if a potential tenant asks whether your apartment is well-suited for getting rid of bodies. Anything where you have to violate their privacy in order to find out just is not obvious, and it's not your job to monitor people's private lives for possible illegal activity (and it is highly unethical to do so--it's what totalitarian regimes do; read up on the GDR's Stasi if you want to know what living in such a society is like).

> If my account was accessed from 20 different countries in a day you can be damn well sure I'd want to be given a heads up too, as it's likely my account has been compromised.

If you want to monitor your own account (or want to have someone, like the hoster, monitor it for you), feel free. It's still none of the hoster's business to investigate it any further without your explicit instruction to do so.

A streaming service, actually, and one which doesn't sell to teams. The T&C prohibit giving anyone the password, with an exception for household members, so concurrent use from 20 countries stretches credulity.

It could be a single customer; Tor, proxies, etc. exist. Further analysis of usage patterns could rule this out (with very high probability), though.

As for 'were you wrong', no, not if you ruled out the above. That doesn't make it something that you should have to do though.

It depends. If the purpose is to prevent access to customer data not authorized by the customer then it's ok. If you do it to further the interests of anyone other than your customer it's unethical.

Yes, you were wrong. Maybe the user was just lending the files to his/her best friends? Or some other kind of fair use... You can't just generalize that all file-sharing is illegal.

Fair use doesn't even enter the question. How do you know the customer didn't own the copyright on his files, and was well within his rights to share the files with anyone of his choosing?

One of the highlights to the Banking Secrecy Act update in 2014 is listed in the first spot:

- Suspicious Activity Reporting

There are well founded reasons for financial regulation. Predatory lending, money laundering, scams, terrorism funding, etc.

There was a sheriff (or other law enforcement type) who tried to intimidate credit card processors for supporting online sex trade via Backpage last year. A judge stepped in and said he was overreaching (Backpage has content that is legal as well). First link from a Google search:

Paypal has been acting like this of their own accord for some time now. More than a decade ago a friend of mine sold cold filter bags for herbal extracts online using Paypal. The product was completely legal and didn't allude in any way that it was designed for illegal use (read marijuana hash making).

Paypal decided, about 9 months in, to close their account in a similar fashion to the service here and deny them access to thousands in funds, touting an irrelevant bong sales ban in a state somewhere in the US (he was in Canada). It took years for him to get the seized funds back from Paypal.

I try to boycott them unless absolutely needed.

I've never absolutely needed Paypal. What situations have you run across where you have to use them? Just curious.

PayPal-only eBay transactions.

Regulations will probably come in the form of making these types of checks mandatory.

See, for example, how US Senators pressure payment providers to check up on whether their customers may be profiting from illegal file-sharing:

If Dropbox-style hash checking of files could be seen as the standard in the industry, I can see how failing to do that could be seen by a court as potentially negligent.

Could be a good argument for client side encryption.

I think that there have been issues like this for porn sites in the past, because they have significant chargeback rates - to the point where many payment processors won't deal with them.

I've run into this issue in the past, but I also can't blame them. Has everyone forgotten the early 2000s when porn sites would use 0-days to embed dialers in your computer to rack up huge dial-up charges? Or offer you 'trial' memberships and make it very very difficult to cancel?

Visa and MasterCard eventually stepped in and made the banks do extra legwork for the porn sites. That had to leave a bad impression on them.

It's not even really the chargebacks: You'll still be considered high-risk even if you can demonstrate having very few chargebacks. It's more that you're lumped into a pool with some very bad actors in an industry that has a bad history.

Oh, I agree entirely. I suspect the "File Sharing" sites may have the same issue. I wonder how many people charge-back the payment for "Download GoT S05E01.mp4 here"?

File sharing sites are definitely scam central. There are entire sites built around advertising pirate downloads of niche content via pay-only download sites which are actually just files filled with null bytes, then profiting from the referral fees.

You're mixing up a lot there.

Porn sites either charged you or installed dialers, not both.

And the chargebacks on the legit ones were so high because the operators of the scammy ones needed to sign up, download everything, get their money back, and serve you the stolen content.

Another victim of Paypal here. I run Jumpshare, a file sharing and collaboration service for creative professionals. This is what Paypal sent us:

"May 8, 2016: When you signed up for your PayPal account, you agreed to our User Agreement and Acceptable Use Policy. Because some of your recent transactions violated this policy, we've had to permanently limit your account.

Please remove any references to PayPal from your website."

They never mentioned which transactions violated the policy; we have never had any complaints from our customers. There was no prior warning. We called them and they asked us to email them. We sent multiple emails and nobody bothered to respond back. We lost 30% of our recurring monthly revenue right away!

We now use Stripe as our sole payment service provider. After this experience, we will probably never accept Paypal again.

Having read during the last few years about the endless horror stories businesses have endured with PayPal, I honestly don't understand why anyone would still use PayPal when there clearly are alternatives (be that US companies like Stripe or EU companies like Paymill).

Because they're still anecdotal and for most people, PayPal works just fine. I find the stories horrifying, but I ran about 40,000 transactions through PayPal in the last 5-6 years and never had any problems.

I guess this is how it is for most people, at least, I can use PayPal as a buyer on most online businesses I deal with.

Sure, using PayPal as a buyer is great as long as you never get into a dispute with a seller. It took about 4 months for me to get PayPal to refund my money when a seller on eBay ripped me off.

PayPal support was so inept they claimed that I had not returned the merchandise despite giving them the DHL tracking number and shipping receipt multiple times and eventually they closed my case in favor of the merchant.

I had to keep calling and harassing them and finally threatening to have the charges reversed by my credit card company when they suddenly reversed their decision.

I will never use PayPal for anything if I can avoid it.

I used to accept PayPal as a payment method when I was doing freelancing, ran hundreds of thousands of dollars through my account over the many years of having it. One client refuted a payment SIX MONTHS later, and they granted it to him based on the fact that it was a digital service and there's no way to verify it was successfully transferred.

I immediately closed my bank account (PayPal wouldn't let me remove it while a refund was being made. Yes they were going to debit my bank account since I had no funds in my account, which I never kept).

Now they've put that amount in collections and honestly, as someone who cares about his credit, that one will stay the time until it's removed. I'm not paying them, or the thief.

You could get together all your documentation with respect to that transaction and dispute that negative credit item directly with the three credit bureaus.

Exactly right, up to now the dispute existed in PayPal's walled garden and played out under their rules. PayPal's dispute resolution process has some serious flaws - with many high-profile examples - and often drags out to just slightly longer than the time limit for chargebacks (funny that, huh?).

I would raise the stakes a bit more and send PayPal a hard copy of supporting documentation and tell them that you will be disputing any negative report. Send this by a recorded delivery method like registered mail or courier. This means you can go to court and prove that PayPal had clear evidence of fraud and failed to take appropriate action. It also proves that they had knowledge of these facts prior to making the negative report to the credit agencies, which puts them in a bad spot if this all ends up in court. In the USA, the Fair Debt Reporting Act covers this scenario but similar laws exist in other countries.

Keep good documentation and send everything by a trackable method and never let these companies get away with ignoring you when you have a legitimate issue. Just make sure you are sure you have proof that you are correct, otherwise keep better documentation next time.

As a seller I requested a refund on Ebay and received my refund before I even shipped the goods back!

We run thousands of PayPal transactions per day. I've been keeping a record of the horrifying failures we've experienced in anticipation of someday writing a scathing blog entry. We sometimes see lost transactions - as in, call the 'execute' endpoint, get a 500, then all future attempts to fetch information for the payment fail. And no webhook. File a ticket, wait two weeks, then someone at PayPal acknowledges the problem and says it's fixed.

Forget all the policy problems. PayPal's basic technology platform doesn't work.

Let's not forget the real reason Paypal is popular. It has nothing to do with the international presence, or any other crap like that. It's because someone with ONE WEEK experience as a webdeveloper can implement a paypal button on their site and it'll just work. Stripe may seem like the same level of ease to a lot of developers, but things like JSON APIs, etc, are confusing to the kinds of developers Paypal appeals to and thus Paypal will remain the incumbent.

For me part of the reason is that PayPal is available in more countries than Stripe. For example, here I can withdraw money from PayPal to my local bank account. I don't think it's possible with Stripe.

Last time I used Stripe it was directly connected to a bank account. They would sit on funds for a couple of days; I guess this was to allow the transaction to clear whatever batch cycles happen behind the scenes (debit cards were typically faster than credit charges), but the deposits came directly into the account.

Has that changed?

I think it varies by country. Also Stripe isn't available in nearly as many markets as PayPal, two big ones that immediately pop out are Estonia and Hong Kong.

Another thing to bear in mind is lots of people outside the "main Western" countries (for lack of a better term) still don't have credit or debit cards that can be used to pay online. PayPal accepts a lot of local payment methods and even lets you transfer funds from your bank account.

I live in Lithuania (part of the EU since 2004, and Euro since 2015) and only this year have major retailers started to accept cards online. Before that you would receive an invoice and have to make a bank transfer (each bank had their own online payment system merchants could integrate to make it more streamlined) before goods were dispatched. Even now most cards need to be opted in for online payments.

fwiw, HK is in private beta: https://stripe.com/global

The rest of the world (including a significant portion of EU) still isn't, though. You can sell from basically anywhere with PayPal or FastSpring, not so with Stripe.

That may be true in the US and other supported countries, but unfortunately here (SE Asia) it's not yet available. Stripe needs to support ALL countries to overtake PayPal.

Stripe: https://stripe.com/global Paypal is huge: https://www.paypal.com/us/webapps/mpp/country-worldwide

Because in some countries - like, for example, the Netherlands - credit cards are not a universally used thing. That leaves you with roughly two options for processing payments in a reasonably-easy-to-integrate manner: PayPal and Bitcoin.

And not enough people use Bitcoin to remove PayPal entirely.

EDIT: Yes, I know we have iDeal in the Netherlands. Every single company that processes it alongside other methods is either a nightmare to integrate, charges ridiculous fees, requires significant volume, doesn't do payouts over SEPA, or is similarly problematic as PayPal.

In my particular case, an added problem is that most of them refuse to process donations.

Because by offering PayPal one usually sees an increase in overall revenue than just by offering credit card payments alone.

Money talks. If revenue goes up, then people use PayPal. It's that simple.

Looking at Stripe's API docs, it seems their preferred payment technology is a JavaScript popup which asks for the CC number directly. If the technology has been 'properly implemented', only Stripe will see the credit card details, but as a consumer, I have no way to tell if the technology has been implemented properly.

As a result, I feel it is much safer to avoid typing my credit card number into random websites. Thus, my first reaction to a site which asks for my credit card (directly or via Stripe) is 'OK, are there any alternatives which take a safer payment method?'

Given that we've all read similar situations happening all over the web, I'm surprised organizations aren't including "paypal drops us for arbitrary reasons" or "paypal freezes our funds with them for arbitrary reasons" in their risk assessments when choosing vendors. In almost every case, that risk should probably push decision makers away from Paypal.

It is also a little entertaining that their "brand risk" department is probably doing so much unintentional damage to the brand.

For most of their existence, PayPal have been living the "shady questionably-legal startup" dream, operating in a heavily regulated industry while ignoring almost all of the regulations.

They've been screwing over their customers, closing accounts on allegation of fraud and dragging out refunding the alleged victims for months and months, since before they were acquired by eBay. People still use their service.

It's always been this way. People use PayPal because it's convenient, and because there's no real competitor with comparable market penetration. No, I'm not sure that PayPal's brand will suffer much from continuing to act the way they've always done.

> For most of their existence, PayPal have been living the "shady questionably-legal startup" dream, operating in a heavily regulated industry while ignoring almost all of the regulations.

I'm not saying you're wrong (because I actually don't know) but this seems to be way off base. What specific regulations are they ignoring? My understanding is that most of the things people gripe about with PayPal are borne out of PayPal's attempt to stay in line with regulations.

I suppose it depends on whether you think of PayPal as a payment processing company that just so happens to prefer keeping your money on their internal accounts indefinitely rather than paying out ASAP like most competitors, or as a pseudo-bank in denial about their bankiness.

It's the same for all other payment processing methods - no matter how you handle your money, "our bank drops us for one reason or another", "our creditcard acquiring provider freezes our funds for arbitrary reasons", "our favorite cryptocurrency suddenly loses liquidity due to a major fraud event" and all kinds of other channel risks should absolutely be on your mind if you want to, like, base your whole business on receiving money through that channel.

You should have alternate payment channels - even if you don't want to use them now, even if they're twice as expensive, if you need that money flowing then you want to have a solid alternate payment channel. Even if you don't want to advertise them to your customers due to e.g. costs, then you want to have all the legal agreements and technical integration in place so that you can turn it on right now if you needed to.

> It is also a little entertaining that their "brand risk" department is probably doing so much unintentional damage to the brand.

Their brand risk department obviously tries to optimize the brand for someone big, someone nameless, and not for the customers.

This itself leads to questions about PayPal's business model. Are they in business to provide payment services to users, or are their primary customers actually not end users, but someone buying something else?

Perhaps they want to become a "financial Facebook", to profile and sell users' spending habits.

Or they are being coerced into doing that /conspiracy-theory

The reason PayPal continues to be provided with the opportunity to fuck people over is primarily due to their low financial/technical barriers to entry. A website can be configured to accept PayPal payments in less than half a day, and setting up a new PayPal account is a very straightforward process.

Compare this with setting up a merchant account to take payments (here in the UK), which takes weeks, involves finding a payment gateway, all sorts of paperwork and hoop jumping.

Fortunately companies like stripe.com have appeared here and will now eat into PayPal's user base. I can't wait for PayPal to go away.

> Fortunately companies like stripe.com

The sad truth is that Stripe is behaving exactly like PayPal. What's worse is that Stripe's fraud protection is non-existent. In other words, Stripe is actually worse than PayPal, as you risk the same account freeze, closing etc., but in addition, you will be swamped with fraudulent purchases and chargebacks.

(Disclaimer: I work at Stripe) Stripe does have a fraud protection product, which is enabled by default for every user. It centers around a machine learning system that uses static signals (e.g. card issuing country) and time-dependent, dynamic signals (e.g. "how many different devices have tried to use this card in the last N hours?") to analyze every charge that hits our systems. Transactions that are deemed almost certainly fraudulent are automatically declined (but can be reviewed in the dashboard or via the API).

We're constantly working on product & performance improvements, but feel free to get in touch with me directly (tara@stripe.com) to ask questions or share feedback on our models (and fraud product in general).

For posterity, yes you do have this "neural network" thing. It does not really work now AFAIK, but I do hope you will succeed as we definitely need a viable alternative to PayPal.

Though I'm sceptical of this approach. In Machine Learning 101 we learned that there always exists a statistical method that would beat a neural network. In this case, a system that gathers actual relevant data for statistical scoring. You know, hard data, like an up-to-date list of stolen credit card numbers, a history of chargebacks per credit card, etc. PayPal has this, and of 1000 transactions, we have 1-2 fraudulent chargebacks. Compared to Stripe this is the difference between heaven and hell. PayPal sucks, but at least they have a working fraud protection system.

Nothing kills an online business faster than being swamped in fraud and chargebacks. I mean, good APIs are great and Stripe certainly has that, but a working fraud protection system is what really matters to those of us who sell online.

Ouch - that's a shame as I was hoping our next startup would use Stripe. I'd better do some more due diligence on them before we commit.

I deployed Nochex instead of PayPal back in 2005, and it took less than half a day, and came with guaranteed no chargebacks on UK payments and lower fees.

Good PayPal competitors have existed in this space for a long time. PayPal still remains.

So is it the sheer dominance of the PayPal brand?

I'm once again astonished with how much control of our businesses is simply out of our hands.

When looking at practices these financial institutions use it makes me wonder what can't they do?

Everyone cites "regulations", but as far as I understand, they make the regulations. Directly or indirectly.

Take for example the known cases where PayPal freezes accounts holding people's money. If I take someone else's money and refuse to give it back to them, it's a crime in pretty much every nation. But when banks and financial institutions do that, they get away scot-free (with maybe some small rants from the internet) and keep doing this systematically profiting in almost all cases.

If we're not bound to middle men like Stripe and PayPal, we're bound to Visa and Mastercard. Is there any way out of this madness?

Essentially, it goes way further than what these financial institutions can do. It goes directly to what the U.S. fed can do - the clearing house for the USD. It can cut off any bank for misconduct/doing business with e.g. Cuba etc.

Also, the UN bank can threaten to kick out your central/federal bank too.

Also an interesting example of bank politics is that Khadaffi made several laws in Libya against UN bank rules, for example providing loans with infinite term and zero interest for newlyweds. During the civil war, one of the first things the rebels did was create a central bank in Misrata, pledge loyalty to the UN and then request to be recognized as the true Libyan Government.

> the UN bank can threaten to kick out your central/federal bank too

This does not exist. Central banks interface with each other. The closest thing to what you're describing is the European Central Bank.

> pledge loyalty to UN

This is gibberish. One can be recognised by the United Nations (UN). One can also, by accepting its Charter and paying one's fees, become a UN Member. But there is no pledging of fealty involved.

You never heard of World Bank, BIS, FSB, whatnot?

> You never heard of World Bank, BIS, FSB

None of these is referred to as "a UN Bank". Only the World Bank is a part of the United Nations system. It makes loans to developing countries. The only way being "kicked out" of the World Bank makes sense would be if it refused to lend to you (which it does often and usually with minimum consequence). Note that the World Bank System lends to many non-UN member entities, e.g. private businesses and non-profits. China got pissed off at the World Bank and IMF last year and effectively kicked itself out by starting a competitor in its "New Development Bank".

The Bank for International Settlements is a discussion forum whose recommendations are not binding. The United States, for instance, added its own touch to Basel III, Switzerland layered on a "Swiss finish" and China, India and many others simply ignored it. Being "kicked out" of the BIS would simply mean you don't get to go to its meetings. Many countries do fine without being BIS members. The Financial Stability Board is an even smaller group with even less tangible activity than the BIS. (It published a book report on rules it thought sovereign wealth funds should follow. Compliance is voluntary and one need not be a member to read or implement, or as more countries have done, ignore, the report's suggestions.)

The closest international financial systems one can be "kicked out" of with consequence are the electronic-dollar transmission system operated by the New York Federal Reserve [1] (you can still use printed dollars if America "kicks you out") and the Society for Worldwide Interbank Financial Telecommunication (SWIFT) [2]. SWIFT is not a club for only central banks–many private banks are SWIFT members, too, and many get "kicked out" for doing varieties of stupid things. They can still move their money around by asking other banks to do it for them.

The international financial Illuminati you think exists does not.

[1] https://www.newyorkfed.org/aboutthefed/fedpoint/fed20

[2] https://www.swift.com

> infinite term and zero interest for newlyweds

Why not just call it a tax free gift from the government then? And print the money from the central bank. It's about equivalent.

I don't know what you think happens when PayPal/a bank/etc. freezes an account, but they don't get to keep the money; normally it gets refunded to the source of income (i.e. customer refund), transferred to the government (i.e. income from criminal proceedings) or returned to the account holder after a period of time (ensuring there are no clawbacks).

Honestly... I don't know.

Nothing about the process is transparent AFAIK.

If I'm a bank with billions of dollars worth of money from third parties, can't I use a big portion of that money to profit? Moving money around, gaming the currencies, stocks, etc.

Maybe I'm too naive at this, but in my mind, they have to keep some money ready for people to pick up, but the rest of it, they use it for whatever they want. If I go to my bank and ask to take a large sum of cash, they won't give it to me right away.

They profit when money is not at your hands, therefore even if people do get their money back some day, they would have already profited from it.

I'm quite intrigued by this topic, but never got around to really dive into it, so please... if you can educate me on how this is not profitable for financial institutions, I'd be glad to read it!

Accept payment in cash only. Oh, now you want to say that these vendors were providing you an important service after all? Hmm, how interesting.

Yes, they do provide a good service. But they're still a "duopoly" (is that a thing?) as far as I know.

Can't even think on who's the third most used credit card provider.

As always with a lack of competition, all of these institutions are free to do as they wish. Especially since they deal with money, which can be (and often is) used for lobbying.

But I'm a pessimist, and these are just my 2 cents.

Maybe it's all in my head and people are not influenced by money, democracy is a real thing and big companies obey all laws.

As you don't know whether Discover or Amex is bigger? Why does that matter? And PayPal is not a credit card. You can link it directly to your bank account and pay with it as the transaction processor. That's a big part of why it's so popular. Might as well complain about bitcoins.

Sorry I don't understand the point of your answer.

I've mentioned multiple times "financial institutions", which include banks and PayPal in my book.

Bitcoins are amazing. Just not there yet. I can't give a credit card of bitcoins for my wife to buy groceries :)

But that's off-topic.

You clearly just want to disagree and that's fine, but please bring arguments instead of weird accusations of bitcoin hatred.

> Bitcoins are amazing. Just not there yet. I can't give a credit card of bitcoins for my wife to buy groceries :)

Yes you can. There are actually even multiple providers for just such a card.

The point is that referring to Visa and MC as a duopoly is inaccurate. There are other ways to process payments besides through the credit card system.

OK, but for the most part when PayPal or others close down your account and/or freeze funds, you /have/ done something illegal. You may not care about billions of dollars of movies, games and TV shows being pirated, but the people who pay for them to be produced do, so the banks and others protect their rights. As far as Kickstarter and so on, this is to prevent your customers from being ripped off, which has happened where a KS project never delivers the project and so on.

For sure banks and PayPal have overstepped, but I wouldn't call it "madness". If you want to sell filesharing accounts try bitcoin, I hear it works very well.

Not so. PayPal freezing funds and closing accounts in certain circumstances is well documented at this point.

File sharing services are listed as requiring pre-approval, so Seafile should've sent them an email before accepting it as payment:


They're well within their rights to decline your business. If a bank told the government, "We have no absolutely no idea what our customers are doing with their money or who they're sending it to. Maybe they're sending it to terrorists or drug lords, maybe they're not; it's none of our business and we respect their privacy", they'd get shut down in a heartbeat.

I can understand if Paypal doesn't want to appear on the front page of the news for funding an underground child porn ring that signed up as one of your "enterprise clients".

> They're well within their rights to decline your business.

They are. Should we condone it?

> "Maybe they're sending it to terrorists or drug lords, maybe they're not; it's none of our business and we respect their privacy"

Isn't this similar to the idea of banning web browsers, as they render HTML which, as we all know, can be used to write text (<span>plaintext!</span>) inciting terrorism? And it sometimes is. Are you using a browser right now?

Things we deem "evil" are planned using technology. Should we ban technology?

> Isn't this similar to the idea of banning web browsers, as they render HTML which, as we all know, can be used to write text (<span>plaintext!</span>) inciting terrorism? And it sometimes is. Are you using a browser right now?

> Things we deem "evil" are planned using technology. Should we ban technology?

Nicely answered. This 'safety' insanity is getting way out of control.

> Isn't this similar to the idea of banning web browsers, as they render HTML which, as we all know, can be used to write text (<span>plaintext!</span>) inciting terrorism? And it sometimes is. Are you using a browser right now?

Search engines and hosting services already monitor for illegal content.

Reasonable people can disagree over whether requiring a filesharing service to monitor for illegal content is excessively onerous, but the slippery-slope fallacy does no one any favours. You can make any policy sound absurd by taking it to a far enough extreme. Often we do need to weigh up costs and benefits and take a policy line somewhere in the middle.

I feel like "search engines" means only Google in this case. If you want to look for porn or torrents or anything that does not show up on Google, just use Bing; it feels like the restrictions don't apply to MS at all because they are not the biggest search engine around.

> slippery-slope fallacy ... sound absurd by taking it to a far enough extreme.

Assuming that you actually value logic, given your choice of words, how do you not see that the magnitude of the absurdity is directly related to a faulty premise - a fallacy?

   Live and let live * [1..1000] = nice .. nice
   Kill at random    * [1..1000] = bad  .. horrific
So no, not every policy can be made to sound absurd.

"Live and let live" can absolutely be made to sound absurd by taking it to the extreme. Does the amount of taking-far-enough needed to make something sound absurd vary? Sure. But the post I replied to was doing a whole lot of taking-far-enough.

> ...needed to make something sound absurd vary? Sure.

That is your point, not mine. I'm saying that you're focusing on the wrong part of the equation. Imagine a machine with two variables that you have influence over, calibration error and runtime. You are suggesting short runtimes in order to minimize the impact of calibration error, I'm suggesting recalibration.

I'd love to hear an extreme for "Live and let live", but I'm guessing that whatever scenario you can imagine is based on a faulty premise like "How can we wreak revenge without a death penalty?!".

> That is your point, not mine. I'm saying that you're focusing on the wrong part of the equation. Imagine a machine with two variables that you have influence over, calibration error and runtime. You are suggesting short runtimes in order to minimize the impact of calibration error, I'm suggesting recalibration.

Please stop with the extended metaphors and just say what you're trying to say directly.

> I'd love to hear an extreme for "Live and let live", but I'm guessing that whatever scenario you can imagine is based on a faulty premise like "How can we wreak revenge without a death penalty?!".

Whatever. Are you interested in a constructive discussion or not? There are plenty of silly extremes for "live and let live" - harming the environment in ways that don't kill anyone? Harming themselves in all the various ways that can happen? Harming their children?

> metaphors

I count two metaphors, used only because the direct explanation failed to get through to you.

> Whatever. Are you interested in a constructive discussion or not?

I think it is clear that won't happen, "Whatever" is a strong indicator of disinterest.

> There are plenty of silly extremes for "live and let live"

None of those examples make any sense, which can be explained in two ways: you don't know that "live and let live" is an idiom related to coexistence and tolerance, or you think that "extreme" necessitates mutual exclusivity.

> Should we condone it?

That's a business decision like any other. There are other ways to accept payments if you don't like the terms under which they sell their service.

And if an EU company were to break the law and send personal data outside the EU, they'd be shut down in a heartbeat too.

Yes, this is illegal! They will be fined. No company in the EU is allowed to send personal user data to the USA without certain restrictions (e.g. Google Apps has a lot of extra legal documents and staff/etc. to make sure you can also use them from the EU). From a legal point of view it is even forbidden to do business in the EU with clients via e.g. WhatsApp (because their servers are outside of the EU).

Unfortunately not. Are there any examples for this? I didn't see any.

Not shut down but fined: http://fortune.com/2016/06/06/germany-privacy-adobe-unilever...

This is very recent (June) and I expect more of this in the future. So it is a real threat especially to smaller companies.

You can put every company which sends your personal data outside EU to court (Safe Harbour rules were kicked in the butt some time ago). Some people are even trying that with Facebook (and may be successful with that).

>Safe Harbour rules were kicked in the butt some time ago

Yes, I know that. Yet I don't know of any company being shut down for violating this. There are some minor fines which AFAIK are disputed. In my opinion this decision has been pretty toothless so far.

I think nobody is interested in shutting down companies in general. Fines can be hurtful in general and if you are a serious company you reduce your risks and do not do anything against the law. I would not say it is toothless... there is a big market now (even Microsoft is in there) which promotes cloud services in your own country.

Extremely unlikely, since a new framework was agreed by the Commission in February 2016.


Maybe their response in this specific case is warranted, but there are thousands of other smaller cases where PayPal simply does what it wants even if it's completely unfair and illogical.

PayPal is a shitty company, with a borderline monopoly on online payments until very recently.

PayPal is made shitty by the laws relating to the financial system. If it doesn't act shitty, it stands to get fined for hundreds of millions, or even billions of dollars.

That argument makes no sense. Presumably Seafile has other payment options that are not asking for the same level of access. I can't remember the last time people mentioned terrorists' (or other criminals') bank accounts in the news, other than HSBC, who intentionally laundered drug money.

> Presumably Seafile has other payment options that are not asking for the same level of access.

They don't. If you look at the website now, they are offering their services for free temporarily, because they don't have any payment providers anymore. It seems PayPal was their only method of payment.


> I can't remember the last time people mentioned terrorists (or other criminals') bank accounts in the news

You might just need to look deeper. There was a Planet Money episode about how the IRS & DEA created an entire fake bank just to catch people laundering drug money:


> They don't. If you look at the website now, they are offering their services for free temporarily, because they don't have any payment providers anymore. It seems Paypal was their only method of payment.

This surprised me. The only time I've set up transactions with Paypal as the only option was when I didn't expect any transactions (a nonprofit that needed to have a public donation function for legal reasons, but actually got all its money from foundation grants).

As a user, I don't mind Paypal as an option, but when it's the only option it doesn't give a good impression.

Different companies have different risk profiles. A bank that operates entirely in one or two countries has a very different perspective than Paypal who operates in 200+ countries.

Just to give one example: If you sold a comic that was offensive to Muslims in the US, it might get on the news but would ultimately be permitted. If Paypal allowed it, they could get blocked from countries that are predominantly Muslim.

My bank offers international ACH, but only to Canada, Mexico, and Europe. I believe there is strength in limiting yourself to these. PayPal have chosen to operate as widely as possible, which can be a weakness in what they can allow.

From what I've seen, it's generally far more expensive to do international banking in most countries. My bank will do it for places like the Philippines, but only as an expensive wire transfer. I think if it were easy to offer low-cost banking, they would offer it.

You'll note that Seafile has said they're looking for a German provider, which will be regulated differently from PayPal.

Germany has a much stronger attachment to privacy than does the US, so maybe they have fewer "Know Your Customer" laws.

Why should banks expect to be shut down over that?

Suppose I build a road. I would also have no idea what people are transporting on that road: maybe they’re moving drugs or sending stuff to terrorists, as you say. And it would be absolutely ludicrous to hold the road-builder in any way responsible for activities on the road.

At some point, a service is just a service and it should remain firmly bounded. Yes, bad people exist. No, we shouldn’t screw with every little thing just in case bad people use those things.

Would you say DropBox is a file sharing service? Is every site that offers downloads a file sharing service?

I would interpret this restriction for services similar to RapidShare, MegaUpload, etc. with the only intention of sharing files. Seafile is primarily for hosting your personal data.

1. Create an account. 2. Send the login info to all your friends. 3. Upload whatever files you want to share. Now you all have access to download or upload. It's semi-private because the files never leave the account.

Similar to when people use an email account and only ever save drafts. Two people have the login info, connect to the account and write draft emails but never send them. I think I saw that in a TV show, not sure if it's a real thing.


"They would share an email account, with one saving a message in the drafts folder and the other deleting it after reading it."

One question is, once the US dollar becomes a vehicle for prior restraint -- meaning no one can own, spend or transfer it without meeting a long list of largely-arbitrary conditions imposed by the US government -- is it still "money" at all? Or is it just another extrajudicial law enforcement tool, backed up by the full faith and credit of a moral and intellectual toddler with 20,000 nukes?

It would sure be nice if the next Satoshi, whoever he/she/it is, manages to create something (a) that scales properly, and (b) that ordinary people can actually use.

Did Seafile never request this approval?

Apparently the other filesharing companies spy on user data, that is why they are on PayPal.

I wonder. It is a bit worrying that DropBox accepts PayPal.

Dropbox has been known to search users' data for files matching md5 sums someone claims they own, such as movies or known illegal photos.


There should be a feature in torrent clients which adds some random bytes to videos when downloading them, without breaking the video itself, so md5 checks would be useless for illegal content downloads.

That would make seeding it impossible though, as you wouldn't be able to verify the chunk is what you claim it is, and eventually lead to the whole video being corrupt.

As long as the torrent client knows how to reverse the changes it made to the file (why wouldn't it?) then there won't be any problem.

It's just a really, really simple form of "encryption", which most torrent clients do support.

And then DropBox runs that on every file, so you have the normal md5 and the torrent-obfuscation-reversed md5. They check both. We have now achieved nothing.

What about having a client-side only "corruption" function that is unique for each client? The file is visually the same, the md5 hash is different but when the torrent client is sending the data it just "uncorrupts" the file. When the file is received by another client, that one person's client will take care of uniquely corrupting their own version for storage.

This is not possible. The torrent protocol works by checking the hash of each file that it downloads so it can reseed the file. If these files were changed by even 1 bit then they couldn't be reseeded back into the torrent network.

Unless the "corruption" is reversible by the torrent client, which it would be.

If the corruption is reversible then the people doing the checking can also reverse it. They'll have both the corrupt version and the reverse-fixed version and just have to check an extra hash per thing they're scanning for.

I think that parent means that between torrent clients, the original file is being transferred, but the version that is saved on the hard drive (or Dropbox) is slightly altered, for example by adding/changing a random number of bytes.

When the file is opened in a torrent client, it will recognize these changes, revert them (in memory) and seed the original file.

I guess as long as Public Key Encryption works, something like this should be theoretically possible?

Can you explain how Public Key Encryption would be related? I was thinking more in terms of a torrent client corrupting a predictable last bit of each saved file (which could cause tons of serious corruption issues in itself for non-media files). This appears to only be feasible if each user had their own private key that could be used to compute where the corrupted bit is added to media files.

If you are using a torrent application, it is safe to say that either you or your actual torrent application can connect to the internet and create a key... If you choose to opt out then that is fine; if you choose to opt in you get what was discussed previously.

Not sure why you would go the route of having it predictable?

If the corruption is based on a value, different for each client (e.g., a random number or the serial number of your motherboard), how do you reverse it?

If you can't reverse it you can't seed it anymore and BitTorrent breaks.

Even if that's not the case they'd just switch from grabbing a hash of the entire file to finding sub-hashes of the file or other fingerprints. You'd have to do a lot of corrupting to make this worth it.

If Adobe Premiere can sync my audio tracks when one is barely audible and the other has background noise, you better believe there's a service that can find stored movies against a database of files.

Also, if you're already using BitTorrent, why are you sharing these files on Dropbox et al.?

The idea is to save the file on Dropbox, but wrapped in symmetrical encryption so that they don't know what it is. You know your key because you created it, but they don't.

Your torrent client would see the normal file, they wouldn't see anything except random garbage.

Why? Um, perhaps to have a "torrent box" which stored data in a more accessible place?

Perhaps just to crap on someone's stupid censorship.

Private key for each client which would salt the file when saved and removed when shared. Could be done, but requires computing and breaks when the client is reinstalled.

Hashes, even md5, are pretty good about going nuts when even one bit is changed in the input. And video codecs (speaking very broadly) are tolerant of a bit error rate like 1e-9 or they'd be useless over the air or on optical media. So simply have your torrent client randomly flip 1 in a billion bits as it downloads. The md5 will never match and the movie quality will be unimpaired.

So if a billion people were to download it, lucky number one-billion would receive a completely garbage file.

Ok, ok. That's not statistically likely to happen. But you do have the problem then of other files being shared via bittorrent, it's not all movie files. You'd also have to re-start basically the entire BT network too, as all clients would no longer be backwards compatible - Good luck too getting every single torrent client dev to implement this at the same time!

Ah the incorrect assumption is that what the filesystem and dropbox scanners see must equal what the torrent client talks about, which isn't actually true.

A preselected 9-digit number stored in a dotfile or Windows equivalent, or the bottom nine decimal digits of a MAC address, or some chunk of a UUID, or whatever. You could salt which bit is gonna get flipped by adding in the filename, or the partial timestamp of the first time the torrent client was ever executed, or one way or another your specific client has a secret nine-digit decimal number that it only uses for file operations involving .mp4 extension files longer than a gig (or whatever seems appropriate).

One way or another when you copy a buffer from the torrent system to the filesystem you flip every X-th bit where X is stored locally. Make sure to flip it BOTH when downloading and again when uploading. Your video player won't care when it impacts a single bit error, the other torrent users won't ever know because they never see a flipped bit. Well, technically other torrent users see a flipped, flipped bit, aka the original, unless you're using trinary or something (LOL)

Maybe a mental model is imagining it as the world's most incompetent FUSE/loop encrypted file system such that the "encrypted" contents on the hard drive have only 1 bit in 1e9 bits flipped and otherwise the remaining billion bits are identical to the "unencrypted" file. Only for "long" .mp4 files, perhaps.

The main problem that would develop is people downloading a torrent, then trying to seed using a machine that has a different "secret bit" above. It would look like your seeder has a tiny bit of file system corruption, which I guess does happen today and is apparently survivable. I would guess most people most of the time do not download a torrent on one system then upload a new torrent on another machine.

There need be no coordination with torrent client devs. Someone could implement this today without anyone else knowing, or it could be done using a FUSE loop filesystem without changing the torrent client at all. I suppose if you never seed a file after copying it to dropbox it would be easy to write a "special cp" that inserts bit error rates around 1e-9 rather than making a perfect copy.

I have no idea based on security posture if you want to slightly obscure every file or just some. Also no need to flip a completely random bit, a smart enough parser could pick the next bit that won't utterly trash the container spec for avi or mkv or ogg or mp3 or pdf or jpeg. So I'm saying flip the next bit that isn't a major file format protocol bit to make it user transparent.

Another weird mental model is to think of it like steganography, but to defeat 3rd party hash scanners, not to hide real data. In fact it's hiding not much.

All that sounds a lot of effort when the reality would be they'd just check the file in a different way than full-file md5 hashes as soon as this appeared.
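Several replies above make the same point: a single flipped bit defeats a whole-file hash but not a scanner that hashes the file in pieces. The following is an added example, not code from the thread or from any scanner or torrent client; it assumes fixed 4 KiB chunks (a real scanner would pick its own size, and would likely use content-defined chunking so insertions don't shift every boundary) and a constructed pseudo-random blob standing in for a media file. It shows the full-file hash changing while 15 of the 16 chunk hashes still match, which is why "flip 1 in 1e9 bits" buys very little against a fingerprinting pipeline.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// chunkSize is an assumed chunk length for this example; real scanners pick their own.
const chunkSize = 4096

// FullHash returns the hex SHA-256 of an entire blob (the "whole-file md5"
// style of check the thread argues about, with a modern hash).
func FullHash(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// ChunkHashes hashes each fixed-size piece of the blob separately.
func ChunkHashes(data []byte) []string {
	var out []string
	for off := 0; off < len(data); off += chunkSize {
		end := off + chunkSize
		if end > len(data) {
			end = len(data)
		}
		out = append(out, FullHash(data[off:end]))
	}
	return out
}

// ChunkMatchRatio is the fraction of positions at which the candidate's chunk
// hash equals the reference's. Unequal chunk counts score 0 here; a scanner
// using content-defined chunking would also tolerate insertions and deletions.
func ChunkMatchRatio(ref, candidate []string) float64 {
	if len(ref) == 0 || len(ref) != len(candidate) {
		return 0
	}
	matches := 0
	for i := range ref {
		if ref[i] == candidate[i] {
			matches++
		}
	}
	return float64(matches) / float64(len(ref))
}

// FlipBit returns a copy of data with the bit at bitIndex inverted,
// simulating the single-bit "corruption" discussed in the thread.
func FlipBit(data []byte, bitIndex int) []byte {
	out := make([]byte, len(data))
	copy(out, data)
	out[bitIndex/8] ^= 1 << uint(bitIndex%8)
	return out
}

// SampleFile builds a deterministic pseudo-random blob (xorshift32) to stand
// in for a media file; it is constructed test input, not real content.
func SampleFile(n int) []byte {
	b := make([]byte, n)
	x := uint32(2463534242)
	for i := range b {
		x ^= x << 13
		x ^= x >> 17
		x ^= x << 5
		b[i] = byte(x)
	}
	return b
}

func main() {
	orig := SampleFile(64 * 1024)    // 16 chunks of 4 KiB
	tampered := FlipBit(orig, 12345) // one bit changed, inside chunk 0

	fmt.Println("full hash equal:", FullHash(orig) == FullHash(tampered)) // false
	ratio := ChunkMatchRatio(ChunkHashes(orig), ChunkHashes(tampered))
	fmt.Printf("chunk match ratio: %.4f\n", ratio) // 0.9375 (15 of 16)
}
```

A scanner that flags anything above, say, 90% chunk agreement with a reference catches the altered copy just as easily as the original; the only effect of the bit flip is to move the match from an exact-hash lookup to a slightly more expensive one.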

Seriously, the easier way to do this is just make a password protected zip file. Boom. Done. No extra mucking around with random bytes and whatnot. You want to share? Give the password to your friends.

Perfect being the enemy of good enough, etc.

Also its a bit unfair. Given this attack, design a perfect defense. OK here's an easy one. Oh OK well that works, but they'll just try a different attack. Well yeah, but that wasn't the initial challenge provided.

Also, precomputed rainbow tables aren't so funny when you have gig-wide columns instead of hash-wide columns. For that alone it's an entertaining idea.

Except each client could have its own seed.

If it's reversible like that it is still possible for PayPal and others to implement it too.

It's encryption: you apply a transform before putting it onto the Dropbox, and then you apply a transform after you pull it back, and the key it'd be encrypted against would be per user (like most encryption).

Aren't the files matched by checksums though? I.e. you have a checksum and that's how the tracker knows what you want?

I guess GP meant that torrent client could e.g. pad a file on disk (safest option) and store that metadata along with original hash. Hashes would not change over the torrent network, but would be different in other networks

They'd use some other method of fingerprinting then. It'd be an interesting arms race.

Yeah, but checking an md5 against a "list of pirated movies" database is a lot different than sending data about file uploads to a random company with no promise of what they will do with it.

Dropbox is a US-based company and is not bound by EU data protection law or the Charter of Fundamental Rights of the EU (basically the EU's Bill of Rights), and additionally the US Constitutional ban on warrantless searches does not apply to EU citizens in the EU.

EU Dropbox customers are the customers of Dropbox Ireland Limited (a company registered in Ireland), not Dropbox, Inc., a company registered in Delaware, so actually all of the EU regulations apply to their EU customers.

Source: I'm a paying Dropbox customer living in the UK and my invoices are issued by Dropbox Ireland Limited.

But where is your data stored?


> Where: Around the world. To provide you with the Services, we may store, process and transmit information in the United States and locations around the world - including those outside your country. Information may also be stored locally on the devices you use to access the Services.
>
> Safe Harbor. Dropbox complies with the EU-U.S. and Swiss-U.S. Safe Harbor ("Safe Harbor") frameworks and principles. We have certified our compliance, and you can view our certifications here. You can learn more about Safe Harbor by visiting http://export.gov/safeharbor. JAMS is the independent organization responsible for reviewing and resolving complaints about our Safe Harbor compliance. We ask that you first submit any such complaints directly to us via privacy@dropbox.com. If you aren't satisfied with our response, please contact JAMS at http://www.jamsinternational.com/rules-procedures/safeharbor....
>
> NOTE: When transferring data from the European Union, the European Economic Area, and Switzerland, Dropbox relies upon a variety of legal mechanisms, including contracts with our users. Dropbox doesn't rely upon Safe Harbor as a legal basis for data transfer but does adhere to the Safe Harbor Privacy Principles while specific guidance for the forthcoming EU-US Privacy Shield program is developed. For information about data transfers from Europe to the United States, please visit this page.

Constitutional rights don't apply to Dropbox at all. They are a private entity. If they want to inspect your data, they can, especially if they have disclosed this in their terms of service. That's why I would never put anything sensitive (tax returns, etc.) on Dropbox without encrypting it locally first.
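The "encrypt locally before you upload" advice above, and the earlier comment about wrapping files in symmetric encryption so the storage provider only ever sees random-looking bytes, comes down to a small client-side routine. The following is an added example written for this thread, not Dropbox's, Seafile's or any real client's code; it assumes AES-256-GCM with a key that stays on the client (in practice derived from a passphrase via a KDF or kept in an OS keychain), a constructed sample document, and uses the file's path as associated data so a blob cannot be silently renamed or swapped server-side without detection.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a random 256-bit key. The key never leaves the client;
// a real tool would derive it from a passphrase or store it in a keychain.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM. The returned blob is
// nonce || ciphertext || tag. aad (here the file's path) is authenticated
// but not encrypted, so the blob is bound to that name.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per upload
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal and fails if the blob or the aad was altered in any way.
func Open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample standing in for the kind of document mentioned above.
	plaintext := []byte("2015 tax return: constructed sample content")
	path := []byte("taxes/2015.pdf")

	blob, err := Seal(key, plaintext, path)
	if err != nil {
		panic(err)
	}
	// This blob is all the provider stores and can scan: nonce, ciphertext, tag.
	fmt.Printf("stored %d bytes of ciphertext for %d bytes of plaintext\n", len(blob), len(plaintext))

	recovered, err := Open(key, blob, path)
	fmt.Println("decrypts on the client:", err == nil && string(recovered) == string(plaintext))

	blob[len(blob)-1] ^= 0x01 // any server-side change, even one bit, is detected
	_, err = Open(key, blob, path)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

Because every upload gets a fresh nonce, two uploads of the same file produce different ciphertext, so the provider learns neither the content nor whether two blobs are the same document; and because GCM authenticates the data, a blob that was modified or moved to another path fails to decrypt rather than yielding silently corrupted output.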

> Constitutional rights don't apply to Dropbox at all. They are a private entity. If they want to inspect your data, they can

This is one of the reasons the EU courts have found that US law is not at all adequate for storing EU citizens' data. In the EU, the Charter of Fundamental Rights ("Constitutional rights") does very much apply to your dealings with a private company.

Max Schrems would like to have a few words about that.

Now you're worried about it? You should've started doing that when they accepted Condoleezza Rice on their board.

Compliance Officer in the financial sector in Luxembourg here. The request you have received is related to anti-money laundering regulations. As you guys seem to be based in Germany, bear in mind that PayPal operates across the European Union as a Luxembourg-based bank. Anti-money laundering regulation is typically stricter in Lux than in the USA. The Lux regulator is the "CSSF", and you can find the detail of the regulation here: http://www.cssf.lu/en/supervision/financial-crime/aml-ctf/la...

So, surprise surprise, my 6-year-old blog post continues to be spot on https://jeena.net/paypal - that is when I deleted my PayPal account. But it was not all dancing on roses after that; surprisingly many only offer PayPal as a way to pay them, so I always have to try to contact them and try to explain and ask for another way to pay. Most of the time they won't/can't help me.

Look into Bitcoin.

Sending money in an envelope would be easier and more accepted.

Not if you are in Germany, with bitcoin.de it is a very simple process.

Had to use Paypal today to make a payment to a company who can't otherwise find a reasonable way to take credit cards online. I feel their pain, having been in that position. Paypal randomly saw that it was reasonable to demand I answer a phone in another country (though I haven't been based there for perhaps 15 years) if I wanted to log in to my account. I had to work around this by having them send a payment request, then paid about USD$1000. Wish they accepted Bitcoin, I was livid at the experience. Every time I deal with Paypal it's the same. Their PR crap a year or two back about "sorting things out" was obviously empty. Stripe isn't much better: after a reasonable start, last time I wanted to use them I couldn't because my address is in a different country to my card (ANYONE LISTENING?). These abuses are reaching a breaking point, nobody is going to deal with credit cards soon. Here in amusingly progressive mainland China, they are a minor mode of payment and shrinking: good riddance!

Am I misinterpreting something? It sounds like you're upset with PayPal because you tried to make a payment from a country other than the one on record (which trips every fraud detection out there) and that they tried to contact you for verification with the number they had on file which you haven't updated in 15 years. That sounds like reasonable behavior from their end.

... except that I haven't changed my behavior and the 'reasonable' action they took was permanently locking me out of my account. Note that they presented this whole experience to me in a foreign language because obviously my GeoIP is the same as my location because privacy, China and VPNs don't exist. And of course, I had no choice but to leave that number on record because it matches my credit card address. Because of course, there is no such thing as a credit card with an address outside of the issuing country, or someone that lives at many addresses or an address where there is no reliable mail. It's basically a number of bad assumptions layered with bad customer service and algorithms. Every year my credit card company randomly stops my card because they think it's weird a transaction occurred in some country or other. I say "See how I just bought a plane ticket right before that? How is that strange?". Right on my card it says "World Mastercard". I have or have had accounts with this same bank in 5 countries. They know this. But we can't just blame the bank, it's the credit card system. Apparently in every corner of the world, idiots run these algorithms. Finally, note that for this wonderful experience I pay 5% of USD$1000 = USD$50. The US intelligence sponsored monopoly of card companies on payment has to end.

(I'm listening!) I work at Stripe on our fraud protection tools and would love to help. I want to dig into this particular situation -- mind sending me an email at tara@stripe.com?

Here's PayPal's page on what they require for file-sharing services:

>Merchants offering file-sharing programs or access to newsgroup services must monitor for and prevent access to illegal content.


"Article is currently unavailable"

Searching for this entry with keywords like "file-sharing" did not turn up anything.

>Searching for this entry with keywords like "file-sharing" did not turn up anything.

Well that's really helpful of them.

I've updated the link, can you read it now?

Edit: FWIW, this was on the first page of Google for me - in Poland - when searching "paypal file-sharing"

Thanks, the link works now for me.

Apparently this depends on the country. Your link includes JP for Japan and the contact mail address for Japan (which ironically is spelled wrong).

I really cannot reach it from Germany without this ?country.x=JP.

Paypal only exists because the current infrastructure of payments in the US is a joke.

Nobody needs paypal in Europe. Of course, they try to sell themselves as "the easiest way" (which is right to a point) but it's mostly unneeded

As a German that's not my experience at all. Credit cards aren't that common here and SEPA transfers are slow as hell and always a minor hassle that I tend to avoid as long as I can.

Without Paypal a lot of European customers wouldn't be able to buy from international vendors.

As someone who sells stuff to Germans, could you please get a credit card? The only reason why we need to deal with PayPal is our German customers; 50% or more of our transactions in Germany are PayPal.

It's a shitty company, with a shitty product.

Well, over here (in Germany) everyone gets a bank-issued debit card while a credit card usually comes with additional fees (I think it's 20-30€/year in my case, not sure right now). While it's not much, and I absolutely need a credit card for international purchases, a lot of fellow Germans simply don't see the benefit when they could as well use the free debit card their bank gave them. And online their Paypal account is linked to their banking account which enables instant payments without credit cards.

I live in Germany, and two of my credit cards have a monthly fee of EUR 0.00. One of them even has zero fees for foreign currency transactions and ATM withdrawals, which is why I got that particular one. There are good cards available in Germany if you look around.

Edit: EUR 0.00 annual fee, of course.

> Well, over here everyone

In my case it would be down there... Took a second to figure out you're probably not in the US.

It's more or less the same here, almost no one has a real credit card, they're mostly VISA (co-branded) or MasterCard branded debit cards, but everyone has a card that can be used online.

> It's more or less the same here, almost no one has real credit card, they're mostly VISA (co-branded) or MasterCard branded debit cards

Er, no. Almost everyone has a branded debit card, as most banks will give you that for free, but nearly 75% of the country has at least one actual credit card.

Those debit cards only work for in-person transactions however. Some German companies let you do direct debits or bank transfers for online payments, but it's very annoying compared to a real debit card.

I'd like to recommend the bank Number26. They're German and operate across most of Europe.

Seriously, if you're European, try these guys out - they're worth it.

You saying that they operate across most of Europe and "if you're European, try these guys out", then their own site having lines like "Your bank account just as mobile as you are." and "Banking everywhere", made me think for a moment that they may actually offer their services across Europe.

Not the case. Digging deeper [1] we can find this: "The only conditions are that you're at least 18 years old and have a residential address in Germany or Austria."

[1] https://number26.eu/bank-account/

I assume their landing page is not up to date.

Pretty sure they have customers in Ireland (some discussion about stamp duty on debit cards a few months ago).

I'm in Greece right now, didn't have any trouble setting up a bank account with them.

What about debit cards? I mean, you don't carry cash around all the time do you?

I do now that I live near Nuremberg, which is one of the safest cities in the world, but it was a hard thing to get used to, as I went to college in a US city rather infamous for its crime.

Surprisingly large restaurants in Nuremberg do not take credit cards. A lot of German and Austrian small business owners see no good reason to pay the credit card companies the ~3% fee when most of their customers are perfectly happy to settle a 500 EUR bill in cash. Always pay your hotel bill in rural Austria the night before you leave to prevent an emergency dash to the village ATM :)

>A lot of German and Austrian small business owners see no good reason to pay the credit card companies the ~3% fee when most of their customers are perfectly happy to settle a 500 EUR bill in cash.

Well, and mostly to avoid paying taxes. Card acceptance cost is down to under 1% since last year and often depositing money costs more.

There is no requirement for proper cash registers here in Germany, so card acceptance remains low in small businesses.

In Germany people do carry cash. Especially in Berlin, where there are plenty of smaller stores and restaurants that accept only cash.

Germany has its own shitty debit card system called "girocard". And whereas other smart countries (e.g. UK) switched to international schemes, this is still the card issued to most customers. There are a few downsides to this:

* No Card-Not-Present-Transactions, because the cobranding is only for abroad

* Visa/MasterCard cobranding was not allowed until a few days ago (when the EU introduced new laws)

* Used to have high minimum fees (7 cents) for a long time, so expensive for smaller transactions

* Cashback only from 20€

* No damn contactless

=> Germany's banking sector is still mostly stuck back in 2000. Debit cards are around, but mostly for cash withdrawals. Smaller transactions are mostly paid in cash, because they used to be expensive and there's no contactless.

The big banks have no interest in changing that, because as long as card payments are unpopular, they can charge >5€ for cash withdrawals if you make "out-of-network" ATM withdrawals.

tl;dr: Germany has its own shitty debit card system stuck in 2000 which sucks.

Most people still pay with cash. I would guess that on average people have about 50-100$ in their pockets.

Of course not. Yes, in fact bank-issued debit cards are the default here.

Worth pointing out that "bank-issued debit cards" in Germany usually refers to EC Cards, which is not the same as the Visa / Mastercard debit cards the rest of the world is used to. As a tourist in early 2015, international Visa & Mastercards were useless in most supermarkets & department stores - but international chains that get lots of tourists will take them (eg Starbucks, McDonalds, Subway etc).

I love Germany, but the credit card thing drives me nuts. I understand Germans like financial privacy, but I like having an electronic record of my purchases instead of having to write down every cash transaction I make before I forget it. (If there was a way to get a prepaid EC Karte as a tourist, I might not mind so much.)

What are the alternatives in Europe that make Paypal not needed? Genuinely curious, not saying you're wrong by any means.

Germany: SEPA direct debit, sofortueberweisung.de, giropay, and if you're willing to put up with PCI compliance bullshit, credit cards. All three are vastly cheaper than PP, too.

I still find the idea behind sofortüberweisung shady. Maybe they're actually the nicest people in the world with the best security practices known to humanity, but I still won't hand them the login credentials to my online banking or my card's PIN.

They actually admitted (2011) that they scrape the last 30 days of transfers of your banking account. German Source: http://www.golem.de/1105/83811.html

In Germany you now also have paydirekt.de which is a direct competitor to PayPal initiated by most major banks in Germany.

I am in Germany, didn't know about the paydirect.de. Has anyone tested them?

I use it whenever it is available. The process is seamless and as far as I remember I was redirected to my bank, to enter my data there. I never had to give my bank data to a 3rd party.

PS: The proper domain is paydirekt.de

It's pretty useless if you don't buy sugar, Haribo or BBQ stuff on a daily basis.

sofortueberweisung is kinda shady though - don't you have to agree that they are allowed to read your transaction history? Since you give them full access to your online banking account, they certainly are able to.

I'd rather pay with Paypal than SEPA SDD, which ported the brain damaged idea of allowing anyone to pull money from your account with an IBAN by simply claiming they are authorized. We actually had to lose our DD system with its sane authorization process to implement this crap.

And still, credit card fraud seems to be a huge issue in the US, while Lastschriftbetrug is a relatively minor issue in Germany. (and both have a charge back procedure)

PCI compliance isn't that big a deal, unless you insist on handling the transaction yourself, which almost no one does.

Going via a payment provider, like Stripe, PayPal, PayEx and a boatload of other companies, reduces your PCI compliance to a self-assessment form, which takes all of 10 minutes to fill out.

Also Paysafecard. It's even anonymous: Buy in a store with cash and use it to pay online.

Barclays and Natwest in the UK will allow you to send money to anyone with an email address. Can't speak for other banks, though.

But all banks will transfer money if you have a recipient account number and sort code.

And it's quick. I can send money between two different UK bank accounts, using sort code and account number, and it appears in the recipient's account within about half an hour.

In Europe (Germany and Austria from my experience), many online services specifically support bank transfers using an IBAN number. It does seem to take a little longer though for the money to process.

I live in a developing country (some call it third world) and we've had this capability for many years. I can pay from my computer, mobile, or at an ATM. How is the US so far behind the rest of the developed and developing world?

They only just got chip and pin cards, while everyone else is moving to contactless payments.

A lot of US banks have actually opted for chip and signature instead of chip and pin...

Which is almost pointless, I never had a signature checked against a card when they were widely used here. A PIN is always checked.

Germany is pretty bad in banks to be honest. Transfers can take a whole day even between my own accounts and no way of seeing any movements during the weekend, incredibly old school.

See, the point is that you're saying 'in the UK'. We've been struggling to find a payment solution that works globally and sadly PayPal is the best we have found that covers a lot of countries.

> Barclays and Natwest in the UK will allow you to send money to anyone with an email address.

Anyone? Anyone in the UK? Or anyone in the UK with a Barclays or Natwest account? Paypal is still probably the quickest and easiest way to send money to 'anyone' in the world.

Barclays: Anyone in their 30 country list (PingIt is the app)

According to the PingIt website you can only send money internationally if you know the recipient's IBAN number, and transfers take up to two working days. So it sounds like it is just an app front end to bog-standard old-school international bank transfers.

PayPal just seems like extra steps if your bank lets you do a straight transfer.

International bank transfers (at least to/from outside of Europe) are a massive pain, can take many days to clear and often cost quite a bit more than what PayPal charges.

I've just done a bank transfer from Poland to UK and the money was in my Barclays account in 15 minutes. Just a couple years ago it used to take 3-4 days but now it's as quick as sending money locally.

Just normal bank transfer. As long as you have the target bank account number, which is standardized across Europe now, you can pay anyone. Takes a few days though. There is a European rule that a cross-border transfer may not cost more than a national one, which means that in most countries, only business accounts pay (low) fees.

> Takes a few days though

Typically 24h in the SEPA.

That's a bit optimistic. I've encountered 48hrs between my own accounts within Germany. I wish I still had the luxury of almost instant UK transfers.

In the Netherlands, within the same bank it can be within an hour or so, but to other banks up to two days. Internationally from/to NL can still take a week in my experience.

Still too long - I never use it for online shopping.

You want to pay someone? They give you their IBAN and BIK numbers, and you can send them money using this (transfers are usually free or very cheap).

No need for handwritten pieces of paper.

You still usually need a TAN that's either on a piece of paper at home or generated by a special device (and with Smartphones, I don't really trust mTAN), with PayPal you only need a password. So yes, it's less secure, but more convenient.

Merchants also seem to prefer PayPal because it gives them an instant payment confirmation.

You're talking about Germany right?

Was never asked for this in Ireland, though they use an electronic token (because paper is outdated) if the transaction is outside of Ireland

We switched from PayPal because the service was so bad, with 1 in 4 card payments from a very reputable sector (schools) refused for no discernible reason. My inner cynic strongly suspects it was purely to drive more people to use a PayPal account.

We tried two other card providers before we found Stripe, and my inner cynic has been silenced. I strongly recommend them.

Sure, Stripe is great - but we couldn't rely on credit cards alone, at least not here in Germany. The value of Paypal is the fact that it connects to your bank account and enables instant payments for people without credit cards, which aren't that common here in Germany.

That's why we offer Stripe and Paypal in our store. Dropping Paypal would be insane as it is our most popular payment method, with Stripe coming in as a close second.

Nochex was UK only when I used them, but their website now indicates they take payments from European cards now too.

My bank and Visa integrate 2-factor authentication. https://en.wikipedia.org/wiki/3-D_Secure

Every bank here does this.

Any bank that accepts Visa/MasterCard?

I don't get the praise; it took two days for a SEPA transfer to finish last time I initiated one. For buying goods online, that's 47 hours too long.

Ah true, for online, real time purchasing, it takes too long

But for other things it's ok

No one here uses SEPA for online purchases. We use 3d secure payments. SEPA is used to move money around, which is usually not time-critical.

As bank transfer takes a lot of time to "process", money exchanging in Europe is really annoying. Paypal made and makes it fast. I don't like them, but I don't know anything better sadly.

With the vast majority (99%+ of non-card Euro transactions, and a substantial majority of card Euro transactions too) going via SEPA in Europe these days, the benefit of Paypal is much reduced. It is competing much more with card payments these days than with direct transfers, given the combination of SEPA and even faster local schemes (e.g. in the UK, a huge proportion of smaller charges go via Faster Payments, which will sometimes be near instant and usually below two hours).

I still use Paypal quite a bit, but because it's simply convenient to use it and be able to change where my payments go from (which card/account etc.) without having to change what's on file with merchants.

If you would use SEPA for a SaaS registration, how would you handle the waiting time of multiple days? Accept the customer without proof of payment or ask him to come back in a few days?

For SaaS it's easy, you just treat the payment as a success. If it ends up failing, you treat it as a chargeback.

For selling goods that you hand over (e.g. irrevocable product keys) it's much trickier and depends on the specific business whether it makes sense to have the customer wait.
