> PayPal has demanded that we monitor data traffic as well as all our customers’ files for illegal content. They have also asked us to provide them with detailed statistics about the files types of our customers sync and share on https://app.seafile.de
That's a pretty big WTF right there.
I know PayPal has a on overall pretty scummy reputation, but I still I cannot imagine PayPal doing this because they themselves think they'll benefit from this data.
To me this seems like a demand which comes "upstream" from above PayPal, from its payment providers (VISA, MasterCard, American Express, etc). Would I be overly paranoid to imagine these demands and claims are the result of lobbing by entities like RIAA and MPAA? They do have a history for blocking payments to known pirate-friendly services after all.
And as such, they clearly have too much power, and there needs to be some anti-discriminatory financial regulation to stop business-hostile practices like this from being lobbied and put in place.
You may have not realised but banks and any financial institutions have been deputised by the regulators to be the financial police. They need to ensure that none of their client use financial services to commit crimes or launder the proceeds of a crime, under the penalty of heavy (up to multi billions) fines. Particularly in the US.
I am pretty sure this is what is forcing paypal to do this. And also why I wish good luck to startups who think they will disrupt this massively over regulated industry.
I worked for a financial services related startup for a while and was involved in implementing KYC/AML protections and AFAIK there isn't any relation between this and those laws. KYC is simply identifying your customers (nothing related to what they are doing) e.g. drivers license info, home address, etc. AML has to do with financial instruments passing through a business' account from customer (a) to customer (b) (in some cases (a) and (b) being the same individual). Given they are processing subscriptions here it seems far more likely that this is somehow related to RIAA/MPAA, or at least a fear of said groups.
It's not about onboarding/general KYC since this isn't about end users.
Paypal does it's own risk assessment for business partners, what I'm pretty sure this is is a simple "classification" case.
Paypal classifies the type of business you are and if you belong to certain types of businesses they put some requirements on you based on regulations and their own internal requirements usually produced by their legal department.
Paypal has probably seen what happened to file sharing websites like Mega and if you are tagged as a file sharing service they want to ensure that you do everything to prevent it being used for piracy, including being able to audit it themselves and to be able to either put pressure on you or cut off their services if they think they are at too much of a risk.
Now I understand that Seafile isn't anything like Mega but It's also not exactly on the scale of dropbox this also means that most likely no one at Paypal really knows what it is, or where they are heading business wise and so they just stick some additional requirements on them.
Also (this is true for 2-3 years ago, I don't know if it is still the case) filesharing websties and other sites that you can buy "premium currency" such as various online games, vidoe chat apps (usually porgnography) etc. are the main source of fraud for compromised accounts as far as Paypal goes this on it's own can bring on additional requirements from Paypal.
That's the minimum, but it's certainly not all there is to it.
Know Your Customer really means know your customer.
As one of many practical examples, when dealing with a legal entity such a trust, merely identifying its officers is insufficient -- you must also identify the beneficial owner (BO). Effectively, this means that you have to look through all possible shell companies until you arrive at a natural person.
I don't know if you want to advertise lack of enforcement so loudly. Your practices would leave you to vulnerable to litigation if one of your customers were laundering money or committing crimes through your service. You've done enough to survive an audit if there have been no issues, but you'd be found negligent if there are.
To be fair, boldfield did say "worked for ... for a while" which implies they're no longer with the company (which might be a story in its own right). Still, it's good advice for others chiming in who may presently be in the same position.
> You may have not realised but banks and any financial institutions have been deputised by the regulators to be the financial police. They need to endure that none of their client use financial services to commit crimes or launder the proceeds of a crime, under the penalty of heavy (up to multi billions) fines. Particularly in the US.
While I fully agree with this statement, PayPal's actions here seem excessive even by the broadest interpretations of anti-money-laundering regulations. Furthermore, AML regulations target a specific set of transactions and/or individuals.
"Monitoring all traffic for illegal content" is a vague statement that could mean anything. Illegal where? Illegal how?
Edit: I forgot to mention: PayPal operates as a credit institution (ie, a bank) within the EU, so the strict AML regulations the parent alluded to apply to it directly.
Paypal seems to have a long and ugly history of aggressive-yet-incoherent legal interpretations.
They lock down donations to any unpopular group, and refuse to release already-held funds. They freeze Kickstarter campaigns as soon as someone says the word "fraud", and cause the exact damage they're trying to prevent by tying up all the funds so neither backers nor creators can get the money.
They're incredibly capricious, and as far as I can tell have taken the stance that overcaution is always acceptable.
Because PayPal doesn't want to lose money from customers that use their complaint system or worse through chargeback from the credit card companies.
As far as donations for dubious causes goes well if they think that it will either lose them business due to reputation, or worse lose them money if a government decides to freeze those funds they will cut it off.
PayPal for the most part is not a fractional lender when you have a 1000$ in a PayPal account PayPal has to reserve the full amount, PayPal isn't protected from a run over by central banks and what limited protection it has is probably performed by underwriters at not the most beneficial of terms.
If some one is opening a donation account for ISIS, anti LGBT or w/e you might call an "unpopular cause" and that either causes them a huge PR headache or worse a government decides to freeze those funds they lose a lot of money.
This can be complicated even further since while the funds are frozens the users who transferred these funds might be eligible for protection under PayPal's own policies and if not then they can always initiate a chargeback from their own credit card company.
It is true that banks will go a long way to try to satisfy banking regulators. But unless you have some evidence I am simply unwilling to believe that banking regulators can make up any restrictions they like without regard for the actual requirements of federal law.
But unless you have some evidence I am simply unwilling to believe that banking regulators can make up any restrictions they like without regard for the actual requirements of federal law.
The actual requirements of federal law are often (intentionally) formulated on such a high level that in practice, the banking regulator does end up specifying the actual rules.
Say, for example, a federal law requires that banks "take reasonable measures to impede money laundering".
Now what those "reasonable measures" are is usually determined by the overseeing regulator (eg: the SEC). Sure, you can disagree with their assessment, but they'll fine you anyway and then, the best-case scenario is that after X years in court, the fine gets overturned.
Not only is that true, it's usually not even the regulators that are making up the final actionable items. Businesses hire independent auditors who need to make sure their clients are well clear of what the regulators would be concerned with, and so push them to go even farther. And of course, once you have passed one audit, the next year's audit will be even more strict, even if the regulations themselves have not changed. The auditors do need to justify their own employment, after all.
Coming from a bank (but with limited interaction with regulators), regulators usually try to work within the law. However, I would like to remind you the law is all contradicting and has literally tens if not hundreds of thousands of various laws each one with its own implications.
Point being, regulators can justify just about anything. That is why all large banks have an army of lawyers. They then work with regulators to find some middle ground.
The law is very complicated, but it generally gives regulators that actual power. They can make demands to specific banks. They can even make demands to specific banking systems; like, a regulator can go to a bank and say "You need to make your AML system do Y instead of X."
And the bank has to do it or they end up like HSBC. In fact, that was exactly why HSBC was fined billions. Regulators told them to do specific things, like use Form X in Iran instead of Form Y, or classify Mexico with risk measure N+1 instead of N, and they didn't do them. This is all in the various public records.
It's considered a given that money laundering occurs at every big bank. It's impossible not to happen at an organization of that size.
This entire subthread is about how AML is enforced. Specifically, it's enforced by regulators doing whatever they feel they need to do. The punishment wasn't for money laundering, it's for money laundering in a manner that obedience, according to the regulators, would have caught.
For international banks, it's especially arbitrary because regulations are so loose overseas. In the UK it's very easy to move small amounts anonymously. This is routinely used for small-time laundering by organized crime and banks are fully aware of it. The long arm of US law goes after UK banks handling Mexican dirty money, but not UK banks handling UK dirty money. A lot of what constitutes "illegal money laundering" is actually political.
But payday loan companies and credit cards that charge 29% interest plus hundreds of dollars in feeds to "help people with poor credit" are fine.
Supporting US government entities in defense that kill tons of innocent people every day; that's fine too.
Self regulating? Man that works so well, especially in 2008. We're going to let you keep doing that too.
Weed stores in states where it's legal? Hi it's the DEA. We're confiscating these accounts for you. Here's a fine (at least until later this year, but still only for medicinal marijuana)
It's a cluster fuck of bullshit. Of course you can always use a different payment provider, but with PayPal being just so damn easy with very little competition, it's like saying if Amazon removed your eBook, just publish it somewhere else. The trouble is the distribution networks are so big that they become the only means of distribution. If you control 90% of the market and shut down a DropBox competitor, you're choosing which companies succeed.
> Self regulating? Man that works so well, especially in 2008.
What self regulating existed in 2008? Banking and finance have been hyper regulated for decades. There are no industries more regulated than those. There was no self-regulating and you won't be able to point to any substantial self-regulating that caused the housing bubble and crash (unless you're talking about the Fed's low interest rate policies). The SEC, Fed, FHA, CFPB, and Treasury were intentionally looking the other way while vast fraud was occurring because all of the voters were getting rich off of housing and stock market bubbles. The Fed was laughing during their meetings about the bubble, you can read the minutes today.
Oh yeah, and guess what, housing is higher today than it was at the bubble peak (and so is the stock market mini-bubble today). So are we self-regulated again now? Nope, we're even more regulated now, with all the big banks directly and strictly under control of the Fed; it all has to do with artificially low interest rates, which is universally understood at this point - the Fed now openly admits to creating asset inflation to try to spur the economy.
Regulation has done a great job in several industries of concentrating the industries into a few major players, because it is incredibly difficult to comply for new/small companies. Banking and finance is one, telecom is another.
Telecoms got itself monopolised just fine before regulations came along. AT&T sealed in the concept of operating as a regulated monopoly. But that goes back to 1913.
There are industries which tend naturally toward monopolies, with transport, communications, broadcast, and software among them. There are also industries which tend naturally away from monopolies, such as sandwich shops, cement providers, and laundromats.
(Not that there cannot be some concentration, or even national chains among these. But they're rarely dominant.)
Transport, comms, banking, and information technology, tend toward monopolies.
Consulting is a mixed bag -- if you're relying on creativity, not so much, but if you're relying on marketing and business contacts, both of which are far more a network effect (with strong lock-in elements), yes. Contrast your typical small-gig design shop vs. the Big Declining n Accounting Firms, or IBM and Oracle (consulting / business services).
Retail can be local (small effects) or global: large grocery stores, WalMart, Amazon.
There are other effects as well. I've been curious about Maersk's adoption of ultra-large cargo ships, even as shipping volumes have been falling. While there's a financing-design-build lag, there's also the possiblity that having and operating a large ship puts pressures on other operators -- if you're operating and loading, you're taking cargo which would go onto smaller vessels.
Lobbying from these industries players for bad regulation might have helped but regulation is usally nothing bad. I'm happy in EU knowing that most stuff I can buy is at least to some degree vetted for killing me.
Payday loan companies in particular were hit hard by Operation Choke Point in 2013 (I worked at a "lending startup" that was targeted and had to pivot; a lot of payday/consumer lending companies ended up shutting down).
Have they been deputized into service or pressed into mandatory service? My understanding is that the Know Your Client (KYC) laws are mandatory, with multi-billion dollar fines for companies who violate them. (HSBC has gotten into trouble with this recently)
I think what the grandparent meant to say with being "deputized to be the financial police" is that the extent of this mandatory service has become so substantial that financial institutions often are left with the feeling that they are performing work (at their own expense) which feels like work that law enforcement should be doing.
It used to be that law enforcement pointed out the bad guys, or even just suspects, to you. Now, you're supposed to identify and report possible bad guys to law enforcement.
There's nothing wrong with that on principle, of course, but in practice, every bank must now train some personnel to detect not only suspicious individuals or transactions, but even suspicious patterns of transactions.
And that's when you start feeling like you've been deputized -- it feels like you are performing a criminil investigation on behalf of others.
The same position is true for UK and EU as for USA: a firm handling money can't accept it unless they've done anti-money laundering checks. This includes e.g. identity checking, and checking both sender and sometimes also recipient for criminal associations.
For example, Seafile could have said "Files are accessible only to one customer. It is of course possible to share passwords. However, we use geoip to monitor the number of locations used by each customer, and take appropriate action when a customer's set is oddly large. This should effectively block the use of Seafile for piracy." Perhaps Paypal would have said no, but perhaps yes.
I don't agree that Seafile should be under any obligation to do that. If customers want to share files, let them. Storage services shouldn't ever look at what the files contain or their metadata.
edit: looks like paypal openly states it won't process for file sharing services who don't monitor content. I guess most services that don't have a high dispute rate...
Last year I saw a customer (not at Seafile) who accessed our (paid) service from 20 different countries on the same day. Do you think that customer travelled to all those countries on that day? Do you think we were wrong to look for such globetrotting customers? Do you think we were wrong, or Seafile would be wrong, to look for customers who share their account with their hundred best friends?
Yes, you were, of course, it's none of your damn business what your customers use your product for as long as they pay for it and it's not obviously illegal. If you are concerned about resource usage, limit the resources that you sell per account, and then enforce that limit if you like, but don't stick your nose into other people's lives.
And I must say I find it particularly strange that you seem to find it somehow impossible how someone could use an internet service from 20 countries in one day. I mean, it's the internet, right? A computer on every continent is only a few mouse clicks away. And international teams, either of freelancers, or of employees of a company, working together on projects, isn't exactly unusual either.
How can it be "not obviously illegal" if you're not checking. Side note, piracy is illegal in a lot of countries.
If my account was accessed from 20 different countries in a day you can be damn well sure I'd want to be given a heads up too, as it's likely my account has been compromised.
> How can it be "not obviously illegal" if you're not checking. Side note, piracy is illegal in a lot of countries.
How could something be obvious if you have to check? Lots of stuff you can do in an appartment is illegal, too. That's still no reason for a landlord to install cameras to check. It's just none of their damn business.
It's obvious if a potential customer asks whether your service is good for warez hosting, or if a potential tenant ask whether your appartment is well-suited for getting rid of bodies. Anything where you have to violate their privacy in order to find out just is not obvious, and it's not your job to monitor people's private lives for possible illegal activity (and it is highly unethical to do so--it's what totalitarian regimes do, read up on the GDR's Stasi if you want to know what living in such a society is like).
> If my account was accessed from 20 different countries in a day you can be damn well sure I'd want to be given a heads up too, as it's likely my account has been compromised.
If you want to monitor your own account (or want to have someone, like the hoster, monitor it for you), feel free. It's still none of the hoster's business to investigate it any further without your explicit instruction to do so.
A streaming service, actually, and one which doesn't sell to teams. The T&C prohibit giving anyone the password, with an exception for household members, so concurrent use from 20 countries stretches credulity.
It depends. If the purpose is to prevent access to customer data not authorized by the customer then it's ok. If you do it to further the interests of anyone other than your customer it's unethical.
Yes, you were wrong. Maybe the user was just lending the files to his/her best friends? Or some other kind of fair use... You can't just generalize that all file-sharing is illegal.
Fair use doesn't even enter the question. How do you know the customer didn't own the copyright on his files, and was well within his rights to share the files with anyone of his choosing?
There was a sherif (or other law enforcement type) who tried to intimidate credit card processors for supporting online sex trade via Backpage last year. A judge stepped in and said he was overreaching (Backpage has content that is legal as well). First link from a Google search:
Paypal has been acting like this of their own accord for some time now. More than a decade ago a friend of mine sold cold filter bags for herbal extracts online using Paypal. The product was completely legal and didn't allude in any way that it was designed for illegal use (read marijuana hash making).
Paypal decided, about 9 months in, to close their account in a similar fashion to the service here and deny them access to thousands in funds, touting an irrelevant bong sales ban in a state somewhere in the US (he was in Canada). It took years for him to get the seized funds back from Paypal.
If Dropbox-style hash checking of files could be seen as the standard in the industry, I can see how failing to do that could be seen by a court as potentially negligent.
I think that there have been issues like this for porn sites in the past, because they have significant chargeback rates - to the point where man payment processes won't deal with them.
I've run into this issue in the past, but I also can't blame them. Has everyone forgotten the early 2000s when porn sites would use 0-days to embed dialers in your computer to rack up huge dial-up charges? Or offer you 'trial' memberships and make it very very difficult to cancel?
Visa and MasterCard eventually stepped in and made the banks do extra legwork for the porn sites. That had to leave a bad impression on them.
It's not even really the chargebacks: You'll still be considered high-risk even if you can demonstrate having very few chargebacks. It's more that you're lumped into a pool with some very bad actors in an industry that has a bad history.
Oh, I agree entirely. I suspect the "File Sharing" sites may have the same issue. I wonder how many people charge-back the payment for "Download GoT S05E01.mp4 here"?
File sharing sites are definitely scam central. There are entire sites built around advertising pirate downloads of niche content via pay-only download sites which are actually just files filled with null bytes, then profiting from the referral fees.
porn sites either charged you or installed dialers, not both.
and the charge backs on the legit ones were so high because the operators for the scammy ones needed to sign up, download everything, get his money back, and serve you the stolen content.
Another victim of Paypal here. I run Jumpshare, a file sharing and collaboration service for creative professionals. This is what Paypal sent us:
"May 8, 2016: When you signed up for your PayPal account, you agreed to our User Agreement and Acceptable Use Policy. Because some of your recent transactions violated this policy, we've had to permanently limit your account.
Please remove any references to PayPal from your website."
They never mentioned which transactions violated the policy, we have never had any complains from our customers. There was no prior warning. We called them and they asked us to email them. We sent multiple emails and nobody bothered to respond back. We lost 30% of our recurring monthly revenue right away!
We now use Stripe as our sole payment service provider. After this experience, we will probably never accept Paypal again.
Having read during the last few years about the endless horror stories businesses have endured with PayPal, I honestly don't understand why anyone would still use PayPal when there clearly are alternatives (be that US companies like Stripe or EU companies like Paymill).
Because they're still anecdotal and for most people, PayPal works just fine. I find the stories horrifying, but I ran about 40,000 transactions through PayPal in the last 5-6 years and never had any problems.
I guess this is how it is for most people, at least, I can use PayPal as a buyer on most online businesses I deal with.
Sure, using PayPal as a buyer is great as long as you never get into a dispute with a seller. It took about 4 months for me to get PayPal to refund my money when a seller on eBay ripped me off.
PayPal support was so inept they claimed that I had not returned the merchandise despite giving them the DHL tracking number and shipping receipt multiple times and eventually they closed my case in favor of the merchant.
I had to keep calling and harassing them and finally threatening to have the charges reversed by my credit card company when they suddenly reversed their decision.
I will never use PayPal for anything if I can avoid it.
I used to accept PayPal as a payment method when I was doing freelancing, ran hundreds of thousands of dollars through my account over the many years of having it. One client refuted a payment SIX MONTHS later, and they granted it to him based on the fact that it was a digital service and there's no way to verify it was successfully transferred.
I immediately closed my bank account (PayPal wouldn't let me remove it while a refund was being made. Yes they were going to debit my bank account since I had no funds in my account, which I never kept).
Now they've put that amount in collections and honestly, as someone who cares about his credit, that one will stay the time until it's removed. I'm not paying them, or the thief.
You could get together all your documentation with respect to that transaction and dispute that negative credit item directly with the three credit bureaus.
Exactly right, up to now the dispute existed in PayPal's walled garden and played out under their rules. PayPal's dispute resolution process has some serious flaws - with many high-profile examples - and often drags out to just slightly longer than the time limit for chargebacks (funny that, huh?).
I would raise the stakes a bit more and send PayPal a hard copy of supporting documentation and tell them that you will be disputing any negative report. Send this by a recorded delivery method like registered mail or courier. This means you can go to court and prove that PayPal had clear evidence of fraud and failed to take appropriate action. It also proves that they had knowledge of these facts prior to making the negative report to the credit agencies, which puts them in a bad spot if this all ends up in court. In the USA, the Fair Debt Reporting Act covers this scenario but similar laws exist in other countries.
Keep good documentation and send everything by a trackable method and never let these companies get away with ignoring you when you have a legitimate issue. Just make sure you are sure you have proof that you are correct, otherwise keep better documentation next time.
We run thousands of PayPal transactions per day. I've been keeping a record of the horrifying failures we've experienced in anticipation of someday writing a scathing blog entry. We sometimes see lost transactions - as in, call the 'execute' endpoint, get a 500, then all future attempts to fetch information for the payment fail. And no webhook. File a ticket, wait two weeks, then someone at PayPal acknowledges the problem and says it's fixed.
Forget all the policy problems. PayPal's basic technology platform doesn't work.
Let's not forget the real reason Paypal is popular. It has nothing to do with the international presence, or any other crap like that. It's because someone with ONE WEEK experience as a webdeveloper can implement a paypal button on their site and it'll just work. Stripe may seem like the same level of ease to a lot of developers, but things like JSON APIs, etc, are confusing to the kinds of developers Paypal appeals to and thus Paypal will remain the incumbent.
For me part of the reason is that Paypal is available in more countries than Stripe. For example, here I can withdraw money from PayPal to my local bank account. I dont think its possible with Stripe.
Last time I used Stripe it was directly connected to a bank account. They would sit on funds for a couple of days I guess this was to allow the transaction to clear whatever batch cycles happen behind the scenes (debits cards were typically faster than credit charges) but the deposits came directly into the account.
I think it varies by country. Also Stripe isn't available in nearly as many markets as PayPal, two big ones that immediately pop out are Estonia and Hong Kong.
Another thing to bear in mind is lots of people outside the "main Western" countries (for lack of a better term) still don't have credit or debit cards that can be used to pay online. PayPal accepts a lot of local payment methods and even lets you transfer funds from your bank account.
I live in Lithuania (part of the EU since 2004, and Euro since 2015) and only this year have major retailers started to accept cards online. Before that you would receive an invoice and have to make a bank transfer (each bank had their own online payment system merchants could integrate to make it more streamlined) before goods were dispatched. Even now most cards need to be opted in for online payments.
The rest of the world (including a significant portion of EU) still isn't, though. You can sell from basically anywhere with PayPal or FastSpring, not so with Stripe.
That may be true in US and other supported countries but unfortunately here (SE Asia) its not yet available. Stripe needs to support ALL countries to overtake PayPal.
Because in some countries - like, for example, the Netherlands - creditcards are not a universally used thing. That leaves you with roughly two options for processing payments in a reasonably-easy-to-integrate manner: PayPal and Bitcoin.
And not enough people use Bitcoin to remove PayPal entirely.
EDIT: Yes, I know we have iDeal in the Netherlands. Every single company that processes it alongside other methods is either a nightmare to integrate, charges ridiculous fees, requires significant volume, doesn't do payouts over SEPA, or is similarly problematic as PayPal.
In my particular case, an added problem is that most of them refuse to process donations.
Looking at Stripe's API docs, it seems their preferred payment technology is javascript popup which asks for CC number directly. If the technology has been 'properly implemented', only Stripe will see the credit card details, but as a consumer, I have no way to tell if the technology has been implemented properly.
As a result, I feel it is much safer to avoid typing my credit card number into random websites. Thus, my first reaction to a site which asks for my credit card (directly or via Stripe) is 'OK, are there any alternatives which take a safer payment method'
Given that we've all read similar situations happening all over the web, I'm surprised organizations aren't including "paypal drops us for arbitrary reasons" or "paypal freezes our funds with them for arbitrary reasons" in their risk assessments when choosing vendors. In almost every case, that risk should probably push decision makers away from Paypal.
It is also a little entertaining that their "brand risk" department is probably doing so much unintentional damage to the brand.
For most of their existence, PayPal have been living the "shady questionably-legal startup" dream, operating in a heavily regulated industry while ignoring almost all of the regulations.
They've been screwing over their customers, closing accounts on allegation of fraud and dragging out refunding the alleged victims for months and months, since before they were acquired by eBay. People still use their service.
It's always been this way. People use PayPal because it's convenient, and because there's no real competitor with comparable market penetration. No, I'm not sure that PayPal's brand will suffer much from continuing to act the way they've always done.
> For most of their existence, PayPal have been living the "shady questionably-legal startup" dream, operating in a heavily regulated industry while ignoring almost all of the regulations.
I'm not saying you're wrong (because I actually don't know) but this seems to be way off base. What specific regulations are they ignoring? My understanding is that most of the things people gripe about with PayPal are borne out of PayPal's attempt to stay in line with regulations.
I suppose it depends on whether you think of PayPal as a payment processing company that just so happens to prefer keeping your money on their internal accounts indefinitely rather than paying out ASAP like most competitors, or as a pseudo-bank in denial about their bankiness.
It's the same for all other payment processing methods - no matter how you handle your money, "our bank drops us for one reason or another", "our creditcard acquiring provider freezes our funds for arbitrary reasons", "our favorite cryptocurrency suddenly loses liquidity due to a major fraud event" and all kinds of other channel risks should absolutely be on your mind if you want to, like, base your whole business on receiving money through that channel.
You should have alternate payment channels - even if you don't want to use them now, even if they're twice as expensive, if you need that money flowing then you want to have a solid alternate payment channel. Even if you don't want to advertise them to your customers due to e.g. costs, then you want to have all the legal agreements and technical integration in place so that you can turn it on right now if you needed to.
> It is also a little entertaining that their "brand risk" department is probably doing so much unintentional damage to the brand.
reply
Their brand risk department obviosly tries to optimize the brand for someone big, someone nameless, and not for the customers.
This itself leads to questions about paypals business model. Are they in business to provide payment services to users, or are their primary customers actually not end users, but someone buying something else?
The reason PayPal continues to be provided with the opportunity to fuck people over is primarily due to their low financial/technical barriers to entry. A website can be configured to accept PayPal payments in less than half a day, and setting up a new PayPal account is a very straightforward process.
Compare this with setting up a merchant account to take payments (here in the UK), which takes weeks, involves finding a payment gateway, all sorts of paperwork and hoop jumping.
Fortunately companies like stripe.com have appeared here and will now eat in to PayPals user base. I can't wait for PayPal to go away.
The sad truth is that Stripe is behaving exactly like PayPal. What's worse is that Stripe's fraud protection is non-existing. In other words, Stripe is actually worse than PayPal, as you risk the same account freeze, closing etc, but in addition, you will be swamped down with fraudulent purchases and chargebacks.
(Disclaimer: I work at Stripe) Stripe does have a fraud protection product, which is enabled by default for every user. It centers around a machine learning system, that uses static signals (e.g. card issuing country) and time-dependent, dynamic signals (e.g. "how many different devices have tried to use this card in the last N hours?") to analyze every charge that hits our systems. Transactions that are deemed almost certainly fraudulent are automatically declined (but can be reviewed in the dashboard or via the API.)
We're constantly working on product & performance improvements, but feel free to get in touch with me directly (tara@stripe.com) to ask questions or share feedback on our models (and fraud product in general).
For posterity, yes you do have this "neural network" thing. It does not really work now AFAIK, but I do hope you will succeed as we definitely need a viable alternative to PayPal.
Though I'm sceptical to this approach. In machine learning 101 we learned that there always exist a statistical method that would beat a neural network. In this case, a system that gathers actual relevant data for statistical scoring. You know hard data, like an up to date list of stolen credit card numbers, a history of chargeback per credit card etc. PayPal has this and of 1000 transactions, we have 1-2 fraudulent chargebacks. Compared to Strip this is the difference between heaven and hell. PayPal sucks, but at least they have a working fraud protection system.
Nothing kills an online business faster than being swamped in fraud and chargebacks. I mean, good APIs are great and Stripe certainly has that, but a working fraud protecting system is what really matters to those of us who sell online.
I deployed Nochex instead of PayPal back in 2005, and it took less than half a day, and came with guaranteed no chargebacks on UK payments and lower fees.
Good PayPal competitors have existed in this space for a long time. PayPal still remains.
I'm once again astonished with how much control of our businesses is simply out of our hands.
When looking at practices these financial institutions use it makes me wonder what can't they do?
Everyone cites "regulations", but as far as I understand, they make the regulations. Directly or indirectly.
Take for example the known cases where PayPal freezes accounts holding people's money. If I take someone else's money and refuse to give it back to them, it's a crime in pretty much every nation. But when banks and financial institutions do that, they get away scot-free (with maybe some small rants from the internet) and keep doing this systematically profiting in almost all cases.
If we're not bound to middle men like Stripe and PayPal, we're bound to Visa and Mastercard. Is there any way out of this madness?
Essentially, it goes way further than what these financial institutions can do. It goes directly to what the U.S. fed can do - the clearing house for the USD. It can cut off any bank for misconduct/doing business with e.g. Cuba etc.
Also, the UN bank can threaten to kick out your central/federal bank too.
Also an interesting example of bank politics is that Khadaffi made several laws in Libya against UN bank rules, for example providing loans with infinite term and zero interest for newlyweds. During the civil war, one of the first things the rebels did was create a central bank in Misrata, pledge loyalty to UN and then redquest to be recognized as the true Libyan Government.
> the UN bank can threaten to kick out your central/federal bank too
This does not exist. Central banks interface with each other. The closest thing to what you're describing is the European Central Bank.
> pledge loyalty to UN
This is gibberish. One can be recognised by the United Nations (UN). One can also, by accepting its Charter and paying one's fees, become a UN Member. But there is no pledging of fielty involved.
None of these is referred to as "a UN Bank". Only the World Bank is a part of the United Nations system. It makes loans to developing countries. The only way being "kicked out" of the World Bank makes sense would be if it refused to lend to you (which it does often and usually with minimum consequence). Note that the World Bank System lends to many non-UN member entities, e.g. private businesses and non-profits. China got pissed off at the World Bank and IMF last year and effectively kicked itself out by starting a competitor in its "New Development Bank".
The Bank for International Settlements is a discussion forum whose recommendations are not binding. The United States, for instance, added its own touch to Basel III, Switzerland layered on a "Swiss finish" and China, India and many others simply ignored it. Being "kicked out" of the BIS would simply mean you don't get to go to its meetings. Many countries do fine without being BIS members. The Financial Stability Board is an even smaller group with even less tangible activity than the BIS. (It published a book report on rules it thought sovereign wealth funds should follow. Compliance is voluntary and one need not be a member to read or implement, or as more countries have done, ignore, the report's suggestions.)
The closest international financial systems one can be "kicked out" of with consequence are the electronic-dollar transmission system operated by the New York Federal Reserve [1] (you can still use printed dollars if America "kicks you out") and the Society for Worldwide Interbank Financial Telecommunication (SWIFT) [2]. SWIFT is not a club for only central banks–many private banks are SWIFT members, too, and many get "kicked out" for doing varieties of stupid things. They can still move their money around by asking other banks to do it for them.
The international financial Illuminati you think exists does not.
I don't know what you think happens when paypal/bank/etc freezes an accounts but they don't get to keep the money, normally it gets refunded to the source of income (i.e customer refund), transferred to the government (i.e. income from criminal proceedings) or returned to account holder after a period of time (ensuring there's no clawbacks) .
If I'm a bank with billions of dollars worth of money from third parties, can't I use a big portion of that money to profit? Moving money around, gaming the currencies, stocks, etc.
Maybe I'm too naive at this, but in my mind, they have to keep some money ready for people to pick up, but the rest of it, they use it for whatever they want. If I go to my bank and ask to take a large sum of cash, they won't give it to me right away.
They profit when money is not at your hands, therefore even if people do get their money back some day, they would have already profited from it.
I'm quite intrigued by this topic, but never got around to really dive into it, so please... if you can educate me on how this is not profitable for financial institutions, I'd be glad to read it!
Yes, they do provide a good service. But they're still a "duopoly" (is that a thing?) as far as I know.
Can't even think on who's the third most used credit card provider.
As always with lack of competition all of these institutions are free to do as they wish. Specially since they deal with money, that can be (and often is) used for lobbying.
But I'm a pessimist, and these are just my 2 cents
Maybe it's all in my head and people are not influenced by money, democracy is a real thing and big companies obey all laws.
As you don't know whether Discover or Amex is bigger? Why does that matter? And Paypal is not a credit card. You can link it directly to your bank account and pay with it as the transaction processor. That's a big part of why it's so popular. Might as well complain about bitcoins.
The point is that referring to Visa and MC as a duopoly is inaccurate. There are other ways to process payments besides through the credit card system.
OK but for the most part when Paypal or others close down your account and/or freeze funds, you /have/ done something illegal. You may not care about billions of dollars of movies, games and tv shows being pirated, but the people who pay for them to be produced do, so the banks and others protect their rights. As far as kickstarter and so on, this is to prevent your customers from being ripped off, which has happened where KS project never delivers the project and so on.
For sure banks and paypal have overstepped but I wouldn't call it "madness". If you want to sell filesharing accounts try bitcoin, I hear it works very well
They're well within their rights to decline your business. If a bank told the government, "We have no absolutely no idea what our customers are doing with their money or who they're sending it to. Maybe they're sending it to terrorists or drug lords, maybe they're not; it's none of our business and we respect their privacy", they'd get shut down in a heartbeat.
I can understand if Paypal doesn't want to appear on the front page of the news for funding an underground child porn ring that signed up as one of your "enterprise clients".
> They're well within their rights to decline your business.
They are. Should we condone it?
> "Maybe they're sending it to terrorists or drug lords, maybe they're not; it's none of our business and we respect their privacy"
Isn't this similar to the idea of banning web browsers, as they render HTML which, as we all know, can be used to write text (<span>plaintext!</span>) inciting terrorism? And it sometimes is. Are you using a browser right now?
Things we deem "evil" are planned using technology. Should we ban technology?
Isn't this similar to the idea of banning web browsers, as they render HTML which, as we all know, can be used to write text (<span>plaintext!</span>) inciting terrorism? And it sometimes is. Are you using a browser right now?
Things we deem "evil" are planned using technology. Should we ban technology?
Nicely answered. This 'safety' insanity is getting way out of control.
> Isn't this similar to the idea of banning web browsers, as they render HTML which, as we all know, can be used to write text (<span>plaintext!</span>) inciting terrorism? And it sometimes is. Are you using a browser right now?
Search engines and hosting services already monitor for illegal content.
Reasonable people can disagree over whether requiring a filesharing service to monitor for illegal content is excessively onerous, but the slippery-slope fallacy does noone any favours. You can make any policy sound absurd by taking it to a far enough extreme. Often we do need to weigh up costs and benefits and take a policy line somewhere in the middle.
I feel like "search engines" means only Google in this case. IF you want to look for porn or torrents or anything that does not show up on google just use Bing, it feels like the restrictions don't apply to MS at all because they are not the biggest search engine around.
> slippery-slope fallacy ... sound absurd by taking it to a far enough extreme.
Assuming that you actually value logic, given your choice of words, how do you not see that the magnitude of the absurdity is directly related a faulty premise - a fallacy?
Live and let live * [1..1000] = nice .. nice
Kill at random * [1..1000] = bad .. horrific
So no, not every policy can be made to sound absurd.
"Live and let live" can absolutely be made to sound absurd by taking it to the extreme. Does the amount of taking-far-enough needed to make something sound absurd vary? Sure. But the post I replied to was doing a whole lot of taking-far-enough.
> ...needed to make something sound absurd vary? Sure.
That is your point, not mine. I'm saying that you're focusing on the wrong part of the equation. Imagine a machine with two variables that you have influence over, calibration error and runtime. You are suggesting short runtimes in order to minimize the impact of calibration error, I'm suggesting recalibration.
I'd love to hear an extreme for "Live and let live", but I'm guessing that whatever scenario you can imagine is based on a faulty premise like "How can we wreak revenge without a death penalty?!".
> That is your point, not mine. I'm saying that you're focusing on the wrong part of the equation. Imagine a machine with two variables that you have influence over, calibration error and runtime. You are suggesting short runtimes in order to minimize the impact of calibration error, I'm suggesting recalibration.
Please stop with the extended metaphors and just say what you're trying to say directly.
> I'd love to hear an extreme for "Live and let live", but I'm guessing that whatever scenario you can imagine is based on a faulty premise like "How can we wreak revenge without a death penalty?!".
Whatever. Are you interested in a constructive discussion or not? There are plenty of silly extremes for "live and let live" - harming the environment in ways that don't kill anyone? Harming themselves in all the various ways that can happen? Harming their children?
I count two metaphors, used only because the direct explanation failed to get through to you.
> Whatever. Are you interested in a constructive discussion or not?
I think it is clear that won't happen, "Whatever" is a strong indicator of disinterest.
> There are plenty of silly extremes for "live and let live"
None of those examples make any sense, which can be explained in two way: you don't know that "live and let live" is an idiom related to coexistence and tolerance, or you think that "extreme" necessitates mutual exclusivity.
yes this is illegal! They will be fined. No company in EU is allowed to send personal user data to USA without certain restrictions (e.g. Google Apps has a lot of extra legal documents and staff/etc. to keep sure you can use them also from the EU). From a legal point of view it is even forbidden to make business in EU with clients in e.g. WhatsApp (because their servers are outside of EU).
You can put every company which sends your personal data outside EU to court (Safe Harbour rules were kicked in the butt some time ago). Some people are even trying that with Facebook (and may be successful with that).
>Safe Harbour rules were kicked in the butt some time ago
Yes I know that. Yet I don't know of any company being shut down who violates this. There are some minor fines which afaik are disputed. In my opinion this decision has been pretty toothless so far.
I think nobody is interested in shutting down companies in general. Fines can be hurtful in general and if you are a serious company you reduce your risks and do not do anything against the law. I would not say it is toothless... there is a big market now (even Microsoft is in there) which promotes cloud services in your own country.
Maybe their response in this specific case is warranted, but there are thousands of other smaller cases where PayPal simply does what it wants even if it's completely unfair and illogical.
PayPal is a shitty company, with a borderline monopoly on online payments until very recently.
PayPal is made shitty by the laws relating to the financial system. If it doesn't act shitty, it stands to get fined for hundreds of millions, or even billions of dollars.
That argument makes no sense.. Presumably Seafile has other payment options that are not asking for the same level of access. I can't remember the last time people mentioned terrorists (or other criminals') bank accounts in the news other than HSBC who intentionally laundered drug money.
> Presumably Seafile has other payment options that are not asking for the same level of access.
They don't. If you look at the website now, they are offering their services for free temporarily, because they don't have any payment providers anymore. It seems Paypal was their only method of payment.
> I can't remember the last time people mentioned terrorists (or other criminals') bank accounts in the news
You might just need to look deeper. There was a Planet Money episode about how the IRS & DEA created an entire fake bank just to catch people laundering drug money:
> They don't. If you look at the website now, they are offering their services for free temporarily, because they don't have any payment providers anymore. It seems Paypal was their only method of payment.
This surprised me. The only time I've set up transactions with Paypal as the only option was when I didn't expect any transactions (a nonprofit that needed to have a public donation function for legal reasons, but actually got all its money from foundation grants).
As a user, I don't mind Paypal as an option, but when it's the only option it doesn't give a good impression.
Different companies have different risk profiles. A bank that operates entirely in one or two countries has a very different perspective than Paypal who operates in 200+ countries.
Just to give one example: If you sold a comic that was offensive to Muslims in the US, it might get on the news but would ultimately be permitted. If Paypal allowed it, they could get blocked from countries that are predominantly Muslim.
My bank offers international ACH, but only to Canada, Mexico, and Europe. I believe there is strength to limiting yourself to these. Paypal have chosen to operate as widely as possible, which can be a weakness in what they can allow
From what I've seen, it's generally far more expensive to do international banking in most countries. My bank will do it for places like the Phillipines, but only as an expensive wire transfer. I think if it were easy to offer low-cost banking, they would offer it.
Why should banks expect to be shut down over that?
Suppose I build a road. I would also have no idea what people are transporting on that road: maybe they’re moving drugs or sending stuff to terrorists, as you say. And it would be absolutely ludicrous to hold the road-builder in any way responsible for activities on the road.
At some point, a service is just a service and it should remain firmly bounded. Yes, bad people exist. No, we shouldn’t screw with every little thing just in case bad people use those things.
Would you say DropBox is a file sharing service? Is every site that offers downloads a file sharing service?
I would interpret this restriction for services similar to RapidShare, MegaUpload, etc. with the only intention of sharing files. Seafile is primarily for hosting your personal data.
1. Create an account 2. send the login info to all your friends 3. Upload whatever files you want to share. Now you all have access to download or upload. Its semi private because the files never leave the account.
Similar to when people use an email account and only ever save drafts. Two people have the login info, connect to the account and write draft emails but never send them. I think I saw that in a tv show, not sure if it's a real thing.
One question is, once the US dollar becomes a vehicle for prior restraint -- meaning no one can own, spend or transfer it without meeting a long list of largely-arbitrary conditions imposed by the US government -- is it still "money" at all? Or is it just another extrajudicial law enforcement tool, backed up by the full faith and credit of a moral and intellectual toddler with 20,000 nukes?
It would sure be nice if the next Satoshi, whoever he/she/it is, manages to create something (a) that scales properly, and (b) that ordinary people can actually use.
There should be a feature in torrent clients which add some random bytes to videos when downloading them without braking the video itself so md5 checks would be useless for illegal content downloads
That would making seeding it impossible though as you wouldn't be able to verify the chunk is what you claim it is and eventually lead to the whole video being corrupt.
And then DropBox runs that on every file, so you you have the normal md5 and the torrent-obfuscation-reversed md5. They check both. We have now achieved nothing.
What about having a client-side only "corruption" function that is unique for each client? The file is visually the same, the md5 hash is different but when the torrent client is sending the data it just "uncorrupts" the file. When the file is received by another client, that one person's client will take care of uniquely corrupting their own version for storage.
This is not possible. The torrent protocol works by checking the hash of each file that it downloads so it can reseed the file. If these files were changed by even 1 bit then they couldn't be reseeded back into the torrent network.
If the corruption is reversible then the people doing the checking can also reverse it. They'll have both the corrupt version and the reverse-fixed version and just have to check an extra hash per thing they're scanning for
I think that parent means that between torrent clients, the original file is being transferred, but the version that is saved on the hard drive (or Dropbox) is slightly altered, for example by adding/changing a random number of bytes.
When the file is opened in a torrent client, it will recognize these changes, revert them (in memory) and seed the original file.
Can you explain how Public Key Encryption would be related? I was thinking more in terms of a torrent client corrupting a predictable last bit of each saved file (which could cause tons serious corruption issues in itself for non-media files). This appears to only be feasible if each user had their own private key that could be used to compute where the corrupted bit is added to media files.
If you are using a torrent application, it is safe to say that either you or your actual torrent application can connect to the internet and create a key... If you chose to opt out than that is fine, if you choose to opt in you get what was discussed previously.
Not sure why you would go the route of having it predictable?
If the corruption is based on a value, different for each client (eg, a random number or the serial number of your motherboard), how do you reverse it ?
If you can't reverse it you can't seed it anymore and BitTorrent breaks
Even if that's not the case they'd just switch from grabbing a hash of the entire file to finding sub-hashes of the file or other fingerprints. You'd have to do a lot of corrupting to make this worth it.
If adobe premiere can sync my audio tracks when one is barely audible and the other has background noise you better believe there's a service that can find stored movies against a database of files
Also if you're already using BitTorrent why are you sharing these files on Dropbox et al
The idea is to save the file on Dropbox, but wrapped in symmetrical encryption so that they don't know what it is. You know your key because you created it, but they don't.
Your torrent client would see the normal file, they wouldn't see anything except random garbage.
Why? Um, perhaps to have a "torrent box" which stored data in a more accessible place?
Perhaps just to crap on someone's stupid censorship.
Private key for each client which would salt the file when saved and removed when shared. Could be done, but requires computing and breaks when the client is reinstalled.
Hashes, even md5, are pretty good about going nuts when even one bit is changed in the input. And video codecs (speaking very broadly) are tolerant of a bit error rate like 1e-9 or they'd be useless over the air or on optical media. So simply have your torrent client randomly flip 1 in a billion bits as it downloads. The md5 will never match and the movie quality will be unimpaired.
so if a billion people were to download it, lucky number one-billion would receive a completely garbage file.
Ok, ok. That's not statistically likely to happen. But you do have the problem then of other files being shared via bittorrent, it's not all movie files. You'd also have to re-start basically the entire BT network too, as all clients would no longer be backwards compatible - Good luck too getting every single torrent client dev to implement this at the same time!
Ah the incorrect assumption is that what the filesystem and dropbox scanners see must equal what the torrent client talks about, which isn't actually true.
A preselected and stored in a dotfile or windows equivalent 9 digit number, or the bottom nine decimal digits of a MAC address, or some chunk of a UUID, or whatever. You could salt which bit is gonna get flipped by adding in the filename, or the partial timestamp of the first time the torrent client was ever executed, or one way or another your specific client has a secret nine digit decimal number that it only uses for file operations involving .mp4 extension files longer than a gig (or whatever seems appropriate).
One way or another when you copy a buffer from the torrent system to the filesystem you flip every X-th bit where X is stored locally. Make sure to flip it BOTH when downloading and again when uploading. Your video player won't care when it impacts a single bit error, the other torrent users won't ever know because they never see a flipped bit. Well, technically other torrent users see a flipped, flipped bit, aka the original, unless you're using trinary or something (LOL)
Maybe a mental model is imagining it as the worlds most incompetent FUSE/loop encrypted file system such that the "encrypted" contents on the hard drive have only 1 bit in 1e9 bits flipped and otherwise the remaining billion bits are identical to the "unencrypted" file. Only for "long" .mp4 files, perhaps.
The main problem that would develop is people downloading a torrent, then trying to seed using a machine that has a different "secret bit" above. It would look like your seeder has a tiny bit of file system corruption, which I guess does happen today and is apparently survivable. I would guess most people most of the time do not download a torrent on one system them upload a new torrent on another machine.
There need be no coordination with torrent client devs. Someone could implement this today without anyone else knowing, or it could be done using a FUSE loop filesystem without changing the torrent client at all. I suppose if you never seed a file after copying it to dropbox it would be easy to write a "special cp" that inserts bit error rates around 1e-9 rather than making a perfect copy.
I have no idea based on security posture if you want to slightly obscure every file or just some. Also no need to flip a completely random bit, a smart enough parser could pick the next bit that won't utterly trash the container spec for avi or mkv or ogg or mp3 or pdf or jpeg. So I'm saying flip the next bit that isn't a major file format protocol bit to make it user transparent.
Another weird mental model is think of it like steganography but to defeat 3rd party hash scanners not to hide real data. In fact its hiding not much.
All that sounds a lot of effort when the reality would be they'd just check the file in a different way than full-file md5 hashes as soon as this appeared.
Seriously, the easier way to do this is just make a password protected zip file. Boom. Done. No extra mucking around with random bytes and whatnot. You want to share? Give the password to your friends.
Also its a bit unfair. Given this attack, design a perfect defense. OK here's an easy one. Oh OK well that works, but they'll just try a different attack. Well yeah, but that wasn't the initial challenge provided.
Also precomputed rainbow tables aren't so funny when you have gig wide columns instead of hash wide columns. For that alone its an entertaining idea.
Its encryption, you apply a transform before putting it onto the dropbox, and then you apply a transform after you pull it back, and the key it'd be encrypted against would be per user (like most encryption)
I guess GP meant that torrent client could e.g. pad a file on disk (safest option) and store that metadata along with original hash. Hashes would not change over the torrent network, but would be different in other networks
Yeah, but checking a md5 on a "list of pirated movies" database is a lot different than sending data about file uploads to a random company with no promise of what they will do with it.
Dropbox is a US based company, is not bound by EU data protection law, the Charter of Fundamental Rights of the EU (basically the EU's Bill of Rights), and additionally the US Constitutional ban on warrentless searches does not apply to EU citizens in EU.
EU Dropbox customers are the customers of Dropbox Ireland Limited (a company registered in Ireland), not Dropbox, Inc., a company registered in Delaware, so actually all of the EU regulations apply to their EU customers.
Source: I'm a paying Dropbox customer living in the UK and my invoices are issued by Dropbox Ireland Limited.
Where
Around the world. To provide you with the Services, we may store, process and transmit information in the United States and locations around the world - including those outside your country. Information may also be stored locally on the devices you use to access the Services.
Safe Harbor. Dropbox complies with the EU-U.S. and Swiss-U.S. Safe Harbor ("Safe Harbor") frameworks and principles. We have certified our compliance, and you can view our certifications here. You can learn more about Safe Harbor by visiting http://export.gov/safeharbor. JAMS is the independent organization responsible for reviewing and resolving complaints about our Safe Harbor compliance. We ask that you first submit any such complaints directly to us via privacy@dropbox.com. If you aren't satisfied with our response, please contact JAMS at http://www.jamsinternational.com/rules-procedures/safeharbor....
NOTE: When transferring data from the European Union, the European Economic Area, and Switzerland, Dropbox relies upon a variety of legal mechanisms, including contracts with our users. Dropbox doesn’t rely upon Safe Harbor as a legal basis for data transfer but does adhere to the Safe Harbor Privacy Principles while specific guidance for the forthcoming EU-US Privacy Shield program is developed. For information about data transfers from Europe to the United States, please visit this page.
Constitutional rights don't apply to Dropbox at all. They are a private entity. If they want to inspect your data, they can, especially if they have disclosed this in their terms of service. That's why I would never put anything sensitive (tax returns, etc.) on dropbox without encrypting in locally first.
Constitutional rights don't apply to Dropbox at all. They are a private entity. If they want to inspect your data, they can
This is one of the reasons the EU courts have found that US law is not at all adequate for storing EU citizens data. In the EU, the Charter of Fundamental Rights ("Constitual rights") do very much apply to your dealings with a private company.
Compliance Officer in financial sector in Luxembourg here.
The request you have received is related to anti money laundering regulations. As you guys seem to be based in Germany. So bear in mind that PayPal operates across the European Union as a Luxembourg-based bank. Anti-money laundering regulation is typically stricter in Lux than in the USA. The Lux regulator is the "CSSF", and you can find the detail of the regulation here: http://www.cssf.lu/en/supervision/financial-crime/aml-ctf/la...
So, suprise suprise, my 6 years old blogpost continues to be spot on https://jeena.net/paypal that is when I deleted my PayPal account. But it was not all dance on roses after that, suprisingly many only offer PayPal as a way to pay them, so I always have to try to contact them and to try to explain and to ask for another way to pay. Most of the time they won't/can't help me.
Had to use Paypal today to make a payment to a company who can't otherwise find a reasonable way to take credit cards online. I feel their pain, having been in that position. Paypal randomly saw that it was reasonable to demand I answer a phone in another country (though I haven't been based there for perhaps 15 years) if I wanted to log in to my account. I had to work around this by having them send a payment request, then paid about USD$1000. Wish they accepted Bitcoin, I was livid at the experience. Every time I deal with Paypal it's the same. Their PR crap a year or two back about "sorting things out" was obviously empty. Stripe isn't much better: after a reasonable start, last time I wanted to use them I couldn't because my address is in a different country to my card (ANYONE LISTENING?). These abuses are reaching a breaking point, nobody is going to deal with credit cards soon. Here in amusingly progressive mainland China, they are a minor mode of payment and shrinking: good riddance!
Am I misinterpreting something? It sounds like you're upset with PayPal because you tried to make a payment from a country other than the one on record (which trips every fraud detection out there) and that they tried to contact you for verification with the number they had on file which you haven't updated in 15 years. That sounds like reasonable behavior from their end.
... except that I haven't changed my behavior and the 'reasonable' action they took was permanently locking me out of my account. Note that they presented this whole experience to me in a foreign language because obviously my GeoIP is the same as my location because privacy, China and VPNs don't exist. And of course, I had no choice but to leave that number on record because it matches my credit card address. Because of course, there is no such thing as a credit card with an address outside of the issuing country, or someone that lives at many addresses or an address where there is no reliable mail. It's basically a number of bad assumptions layered with bad customer service and algorithms. Every year my credit card company randomly stops my card because they think it's weird a transaction occurred in some country or other. I say "See how I just bought a plane ticket right before that? How is that strange?". Right on my card it says "World Mastercard". I have or have had accounts with this same bank in 5 countries. They know this. But we can't just blame the bank, it's the credit card system. Apparently in every corner of the world, idiots run these algorithms. Finally, note that for this wonderful experience I pay 5% of USD$1000 = USD$50. The US intelligence sponsored monopoly of card companies on payment has to end.
(I'm listening!) I work at Stripe on our fraud protection tools and would love to help. I want to dig into this particular situation -- mind sending me an email at tara@stripe.com?
As a german that's not my experience at all. Credit cards aren't that common here and SEPA transfers are slow as hell and always a minor hassle, that I tend to avoid as long as I can.
Without Paypal a lot of european customers wouldn't be able to buy from international vendors.
As someone who sell stuff to Germans, could you please get a credit card? The only reason why we need to deal with PayPal is our German customer, 50% or more of our transactions in Germany is PayPal.
Well, over here (in Germany) everyone gets a bank-issued debit card while a credit card usually comes with additional fees (I think it's 20-30€/year in my case, not sure right now). While it's not much, and I absolutely need a credit card for international purchases, a lot of fellow germans simply don't see the benefit when they could as well use the free debit card their bank gave them. And online their Paypal account is linked to their banking account which enables instant payments without credit cards.
I live in Germany, and two of my credit cards have a monthly fee of EUR 0.00. One of them even has zero fees for foreign currency transactions and ATM withdrawals, which is why I got that particular one. There are good cards available in Germany if you look around.
>Well, over here everyone
I my case it would be down there... Took a second to figure out you're probably not in the US.
It's more or less the same here, almost no one has real credit card, they're mostly VISA (co-branded) or MasterCard branded debit cards, but everyone has a card that can be used online.
> It's more or less the same here, almost no one has real credit card, they're mostly VISA (co-branded) or MasterCard branded debit cards
Er, no. Almost everyone has a branded debit card, as most banks will give you that for free, but nearly 75% of the country has at least one actual credit card.
Those debit cards only work for in-person transactions however. Some German companies let you do direct debits or bank transfers for online payments, but it's very annoying compared to a real debit card.
You saying that they operate across most of europe and if you're european, try these guys out. Then their own site having lines like Your bank account just as mobile as you are. and Banking everywhere made me think for a moment that they may actually offer their services across Europe.
Not the case. Digging deeper [1] we can find this: The only conditions are that you're at least 18 years old and have a residential address in Germany or Austria.
I do now that I live near Nuremberg, which is one of the safest cities in the world, but it was a hard thing to get used to, as I went to college in a US city rather infamous for its crime.
Surprisingly large restaurants in Nuremberg do not take credit cards. A lot of German and Austrian small business owners see no good reason to pay the credit card companies the ~3% fee when most of their customers are perfectly happy to settle a 500 EUR bill in cash. Always pay your hotel bill in rural Austria the night before you leave to prevent an emergency dash to the village ATM :)
>A lot of German and Austrian small business owners see no good reason to pay the credit card companies the ~3% fee when most of their customers are perfectly happy to settle a 500 EUR bill in cash.
Well, and mostly to avoid paying taxes. Card acceptance cost is down to under 1% since last year and often depositing money costs more.
There is no requirement for proper cash registers here in Germany, so card acceptance remains low in small businesses.
Germany has its own shitty debit card system called "girocard". And whereas other smart countries (e.g. UK) switched to international schemes, this is still the card issued to most customers. There are a few downsides of this
* No Card-Not-Present-Transactions, because the cobranding is only for abroad
* Visa/MasterCard cobranding was not allowed until a few days ago (when the EU introduced new laws)
* Used to have high minimum fees (7 cents) for a long time, so expensive for smaller transactions
* Cashback only from 20€
* No damn contactless
=> Germanys banking sector is still mostly stuck back in 2000. Debit cards are around, but mostly for cash withdraws. Smaller transactions are mostly paid in cash, because they used to be expensive and no contactless.
The big banks have no interest in changing that, because as long as card payments are unpopular, they can charge >5€ for cash withdraws if you make "out-of-network" ATM withdraws.
tl;dr: Germany has its own shitty debit card system stuck in 2000 which sucks.
Worth pointing out that "bank-issued debit cards" in Germany usually refers to EC Cards, which is not the same as the Visa / Mastercard debit cards the rest of the world is used to. As a tourist in early 2015, international Visa & Mastercards were useless in most supermarkets & department stores - but international chains that get lots of tourists will take them (eg Starbucks, McDonalds, Subway etc).
I love Germany, but the credit card thing drives me nuts. I understand Germans like financial privacy, but I like having an electronic record of my purchases instead of having to write down every cash transaction I make before I forget it. (If there was a way to get a prepaid EC Karte as a tourist, I might not mind so much.)
Germany: SEPA direct debit, sofortueberweisung.de, giropay, and if you're willing to put up with PCI compliance bullshit, credit cards. All three are vastly cheaper than PP, too.
I still find the idea behind sofortüberweisung shady. Maybe they're actually the nicest people in the world with the best security practices known to humanity, but I still won't hand them the login credentials to my online banking or my card's PIN.
They actually admitted (2011) that they scrape the last 30 days of transfers of your banking account.
German Source: http://www.golem.de/1105/83811.html
I use it whenever it is available. The process is seamless and as far as I remember I was redirected to my bank, to enter my data there. I never had to give my bank data to a 3rd party.
sofortueberweisung is kinda shady though - don't you have to agree that they are allowed to read your transaction history?
Since you give them full access to your online banking account, they certainly are able to.
I'd rather pay with Paypal than SEPA SDD, which ported the brain damaged idea of allowing anyone to pull money from your account with an IBAN by simply claiming they are authorized. We actually had to lose our DD system with its sane authorization process to implement this crap.
And still, credit card fraud seems to be a huge issue in the US, while Lastschriftbetrug is a relatively minor issue in Germany. (and both have a charge back procedure)
PCI compliance isn't that big a deal, unless you insist on handling the the transaction yourself, which almost no one does.
Going via a payment provider, like Strip, PayPal, PayEx and a boat load of other companies, reduces your PCI compliance to a self assessment form, which talk all of 10 minutes to fill out.
And it's quick. I can send money between two different UK bank accounts, using sort code and account number, and it appears in the recipient's account within about half an hour.
In Europe (Germany and Austria from my experience), many online services specifically support bank transfers using an IBAN number. It does seem to take a little longer though for the money to process.
I live in a developing country (some call it third world) and we've had this capability for many years. I can pay from my computer, mobile, or at an ATM. How is the US so far behind the rest of the developed and developing world?
Germany is pretty bad in banks to be honest. Transfers can take a whole day even between my own accounts and no way of seeing any movements during the weekend, incredibly old school.
See, the point is that you're saying 'in the UK'. We've been struggling to find a payment solution that works globally and sadly PayPal is the best we have found that covers a lot of countries.
Barclays and Natwest in the UK will allow you to send money to anyone with an email address.
Anyone? Anyone in the UK? Or anyone in the UK with a Barclays or Natwest account? Paypal is still probably the quickest and easiest way to send money to 'anyone' in the world.
According to the PingIt website you can only send money internationally if you know the recipients IBAN number and transfers takes up to two working days. So it sounds like it is just an app front end to bog standard old school international bank transfers.
International bank transfers (at least to/from outside of Europe) are a massive pain, can take many days to clear and often cost quite a bit more than what PayPal charges.
I've just done a bank transfer from Poland to UK and the money was in my Barclays account in 15 minutes. Just a couple years ago it used to take 3-4 days but now it's as quick as sending money locally.
Just normal bank transfer. As long as you have the target bank account number, which is standardized across Europe now, you can pay anyone. Takes a few days though. There is a European rule that a cross-border transfer may not cost more than a national one, which means that in most countries, only business accounts pay (low) fees.
In the Netherlands, within the same bank it can be within an hour or so, but to other banks up to two days. Internationally from/to NL can still take a week in my experience.
You still usually need a TAN that's either on a piece of paper at home or generated by a special device (and with Smartphones, I don't really trust mTAN), with PayPal you only need a password. So yes, it's less secure, but more convenient.
Merchants also seem to prefer PayPal because it gives them an instant payment confirmation.
We switched from PayPal because the service was so bad, with 1 in 4 card payments from a very reputable sector (schools) refused for no discernible reason. Mu inner cynic strongly suspects it was purely to drive more people to use a PayPal account.
We tried two other card providers before we found Stripe, and my inner cynic has been silenced. I strongly recommend them.
Sure, Stripe is great - but we couldn't rely on credit cards alone, at least not here in Germany. The value of Paypal is the fact that it connects to your bank account and enables instant payments for people without credit cards, which aren't that common here in Germany.
That's why we offer Stripe and Paypal in our store. Dropping Paypal would be insane as it is our most popular payment method, with Stripe coming in as a close second.
As bank transfer takes a lot of time to "process", money exchanging in Europe is really annoying. Paypal made and makes it fast. I don't like them, but I don't know anything better sadly.
With the vast majority (99%+ of non-card Euro transactions, and a substantial majority of card Euro transactions too) going via SEPA in Europe these days, the benefit of Paypal is much reduced. It is competing much more with card payments these days than with direct transfers, given the combination of SEPA and even faster local schemes (e.g. in the UK, a huge proportion of smaller charges go via Faster Payments, which will sometimes be near instant and usually below two hours).
I still use Paypal quite a bit, but because it's simply convenient to use it and be able to change where my payments go from (which card/account etc.) without having to change what's on file with merchants.
If you would use SEPA for an SAAS registration, how would you handle the waiting time of multiple days? Accept the customer without prove of payment or ask him to come back in a few days?
For SaaS it's easy, you just treat the payment as a success. If it ends up failing, you treat it as a chargeback.
For selling goods that you hand over (e.g. irrevocable product keys) it's much trickier and depends on the specific business whether it makes sense to have the customer wait.
I wonder if legal action can be taken against PayPal for demanding this kind of information. PayPal blackmailed them into breaking a law (they didn't break it but they suffered financial loss from not doing it).
If I told a customer who absolutely depends on my business to harass/attack somebody, I would certainly hold liable as well.
Or can PayPal take legal action against them for violating ToS? Did they properly disclose they were a file sharing site (as required by PayPal) before signing up to take payments? If they can't meet PayPal's ToS, they shouldn't have signed up. [Paypal sucks, but this doesn't seem like a cause for legal remedy]
The want to position themselves as a financial services provider equivalent to traditional banks, except that they reserve the right arbitrarily - and without recourse - remove their services.
As a customer this means you can be cut out from your ability to use "currency".
As a business this means you're beholden to arbitrary decisions that you can't really risk assess against - and if you've built your business on this service it could be devastating.
I was under the impression that European wire transfers were cheap (free), fast, and reliable. If that's true, why is something like PayPal even needed? Can't Seafile just have their clients transfer money to Seafile's account? Or are wire transfers not free for "retail" use like this?
One time SEPA transfers are already really simple, yes. Recurring ones, not so much. However SEPA Direct Debit [1] does look like an interesting new recurring system, with a compliance deadline of 31 October 2016. I will definitely be looking more into this, and probably will be trying it out in the wild.
I have quite some personal experience with PayPal, and their policies seem quite random. If one person gets it into his or her head that something is not allowed, no voice of reason will change the decision. I wouldn't shed too much tears over it though, there are many better and cheaper alternative forms of payment.
Can you give some examples? I know in America there are lots of startups doing it, but what about the rest of the world? I looked into Skrill a few years ago which seems to be just as international as Paypal, but also with just as horrible terms and conditions.
In Germany (where seafile is located), there is for example Paymill [1] for accepting credit cards and SEPA direct debit. It is pretty expensive (2.95% + 28 cents per transaction) but it seems to have a good API and if it is more reliable than PayPal (which isn't exactly cheap either) it might be worth it.
PayPal is basically a pass-through wallet, meaning most people don't actually hold funds in their wallet but get they transactions funded one-on-one by a different source. For PayPal this is usually a credit card or direct debit from a bank account.
In most circumstances it's a lot cheaper to accept the credit card or do the direct debits directly (via a payment service provider). If you're operating internationally, find a PSP that offers many local payment options. For example, in many European countries, very few people have a credit card. If you offer your customers local payment options like Giropay and Sofort you won't need to bother with PayPal in my opinion.
Amazon Payments? It's as international as it can get, but I can't say anything about their terms, I've only used it from customer side (which is excellent).
This is one of the not-very-international startups. Only available for merchants in 2 or 3 countries last I checked. I don't think small companies can do true international payment processing because of the labor needed to handle all the red tape in every country they go into.
Edit: I see they're already grown a lot and are even starting to try unlikely countries like Brazil and New Zealand.
I'd appreciate if somebody lists some alternatives (better or otherwise). I've plans to launch a paid online service and would like to study all payment options.
What is the most disappointing is PayPal's lack of Customer Service. Why would any vendor want to use their services when they are so badly treated? It also throws into question the data security of other vendors's cloud storage. Is everyone looking at my stuff?!?
It sounds like bullshit, but there's actually some truth to it: when providers of legal services with sketchy uses (I'm talking things like usenet searching, seedboxes, VPNs, scan4you, etc) lose access to PayPal they generally add Bitcoin as at least an option.
It's harder to obtain currency in some of the sketchier webwallets (things like PerfectMoney, WebMoney, etc) and they've been largely replaced with Bitcoin.
Likely because with Bitcoin you don't have to risk a government raid or an allout scam because the payment provider is sketchy (look into Liberty Reserve and Fethard Finance which used to be popular for this purpose).
Since complying with this demand would violate German / European data protection laws (and also be morally wrong in our opinion) we have declined to comply with this demand.
Has anyone made a site yet detailing all of these horror stories? Paypal's behavior is unacceptable and needs to change, yet years later things still seem just as bad for their customers.
Now it's seafile.de, a couple of months ago they started to block accounts used to pay VPN services. What's next?
I am not judging the company, because I am sure that they would like to have users to pay everything possible via their services. That's fine. I just find it incoherent to claim that they are democratizing the way to manage/move money around.
Can you sue Paypal for basically telling you "break the law or don't use us" (I think that's a pretty bad idea on ideological grounds but I wonder if it's technically possible)? Especially since Paypal has to be regulated within the EU in some way I'd say such a request should result in at least a cursory check if the EU license (iirc. they operate as a bank) of Paypal should be revoked/suspended/investigated.
For those thinking this has something to do with "regulation", it does not. Paypal has done this sort of thing for years. In the past it has been the "cyberlockers" and VPN services, even Wikileaks. Someone is putting soft pressure on Paypal. Someone in government or, more likely, someone within the copyright-lobby is threatening them. That has been the pattern in the past.
"AML" this is all cover for CIA economic espionage as always the people asking the questions are the competitors. Who need know how, who and where your customers are marketing reasons to undercut your prices for selected customers! You see never hand over your member list when you don't know who the end users are. Think T-mobile and at&t then about the switch offers to selected user based on data usage.
AFAIK PayPal only do this if they have internal proof that laws are already being broken on the according websites. I don't know Seafile, but the same happened to other file hosters in the past which silently and willingly accepted that copyrighted material is exchanged by using their services.
Last year I worked for a Dropbox-like service, and PayPal was continually giving us grief over using them as a payment service as well. I don't recall them asking us to monitor every user's traffic, though.
I use PayPal often for online stores where my Discover card isnt accepted but I cant believe they are still around and have a huge market share. The platform is so broken.
For me it's the opposite, i never use Paypal because i keep reading evil stories about them - i don't want to support a company which behaves like this...
I don't think they need regulation. I think they need to carry on like they are for a few more years so I can watch them be eaten alive by crypto currencies and other fintech innovations.
>a few more years so I can watch them be eaten alive by crypto currencies and
Yeah, don't hold your breath. Nobody (with the statistical significance meaning of "nobody") really cares about crypto currencies. At best, crypto-geeks aside, they attracted a share of "gold digger" personalities. That's whether the same media that cover the grumpy cat have covered them, or whether some random company uses a payment processor that accepts payments in Bitcoin.
I think the problem is that PayPal almost have a monopoly on e-commercial market, and because of the stickiness of users, it's hard to break the monopoly.
I do not believe they have a monoply any more. a few years ago they where much more prolifict, I paid for ALOT of things via paypal. in the last 5 years I have made 0 transactions on paypal.
With Amazon, Stripe, and others merchant solutions, as well as Apple and Google geting into the game soon for webpayments in addition to app paymets I do not believe the reliance on paypal as a quick way to process credit cards for business is as high as it was, further the reluctance for consumers to enter their credit card data never really materialized.
Currently I think a business that only has PayPal as a payment option is harming their business, while you might keep it around for those few users that still only want to use paypal if I see an option to use anything other than paypal I will take it.
I think Paypal has very strong brand recognition with the average consumer for such an esoteric product (online payment processor as opposed to say candy bar). Anecdotally many people enjoy how easy it is to pay with Paypal and that they have a perceived extra layer of protection. This is doubly true for this case since credit cards are historically not as wide spread in Germany as elsewhere (and thus Paypal linked to your bank account becomes a pretty attractive option). Most "Paypal is bad" stories I'm reading are at the expense of merchants not buyers. As long as they control buyer mindshare it's hard for merchants to opt out imo.
I wonder if there's studies or analysis on this (expected revenue loss with no Paypal option). Were I to start an online shop I'd prefer something like Stripe but would be pretty worried about missing out on a lot of revenue.
Agreed; with both of you. Maybe it won't be crypto-currencies, but Paypal Has To Go®. Let them screw up two or three more times. They're antiquated and operate like a typical barely-legal, gray-area, fee-riddled credit institution.
I wonder why Douglas Crockford, a brilliant man, still works there (other than obviously well compensated time).
Big banks screw up impressively, but not consistently. They can go broke and survive, they can commit massive fraud and survive, but they can't be utterly useless at the very act of banking and survive.
Paypal is rapidly approaching that point. It's name is almost synonymous with "we'll ban you without warning, and freeze your funds when we do". It's literally the first thing I expect when I see 'Paypal' in a headline.
Big banks survive partly due to FDIC insurance and similar - they're fairly unlikely to simply strip all the cash from depositors. Paypal, by contrast, has ruined everyone from Amazon sellers, to Kickstarter campaigns, to startups. At this point, I can't imagine starting a business that relied on Paypal without having another, more reliable way of handling payments.
Put it this way: I would trust Chase to handle my paychecks, even if they do make bad investments. If they started randomly freezing 2% of deposits, I would sure as hell not continue trusting them.
In my opinion, you are probably right, to a big extent at least. I could well picture PayPal becoming the "Microsoft" of payment services: big and loaded but slow and basically living off past glories. People are already moving away to better alternatives and PayPal is too heavy, corporative and managerial to react in time.
>Agreed; with both of you. Maybe it won't be crypto-currencies, but Paypal Has To Go®. Let them screw up two or three more times.
They've already screwed up and screwed people over publicly dozens of times. Paypal does have to go, but I don't think paypal will die until someone offers an equivalent service.
>They've already screwed up and screwed people over publicly dozens of times.
Dozens of times means absolutely nothing considering the billion that uses them.
Do you many how many thousands of times banks and insurance companies actually screw people -- and yet nobody bats an eye?
Besides the big assumption is that this is due to PayPals incompetence or malice, and not due to BS regulations (that anybody else will have to follow too).
They probably mean either big screw ups, or hundreds of thousands of little ones. Eg, trying to circumvent banking laws, allowing donations to the KKK while refusing to cater to wikileaks, seizing funds from well known legitimate businesses, UX anti patterns (eg fake endorsements from the site), Braintree not understanding why you'd want to use CSP to stop someone stealing credit card details, etc.
I don't want to victim blame, but if you work in tech, and still involve PayPal in your business in any way you shouldn't be surprised about the outcome. Use Stripe, use GoCardless. Paypal Has To Go®.
And I think that "shouldn't be surprised" is what ultimately threatens to kill Paypal.
I wouldn't ever use Paypal as a primary or exclusive channel for a startup, and I'm not alone. It may not become publicly hated, but if companies end up too scared to give it traffic, it will still die.
Younger kids might not remember how incredibly painful it was to do credit card transactions in the 1990s. It wasn't just filling out a form or getting a bank to agree to it. Being told "monitor what your users upload in exchange for 3%" would have been something to kill for.
Exactly - for a great deal many people, PayPal is preferable to paying directly to the seller. Until another branded payment provider has that level of mindshare across the general populace, and seen as being secure and trustworthy from twentysomethings to grandparents, then they wont be beaten.
But will companies continue to run the risk of letting Paypal ban their accounts (and often, freeze their funds in the process)?
I can't imagine a consumer revolt, but at a certain point "makes your users feel secure" is outweighed by "makes you terrified you'll lose your money". I suspect that something like Stripe or Square will eventually sell companies on a "we won't screw you over" narrative and start to compete directly.
Probably. At this stage, the integration with PayPal is as much for the user's benefit as it is the company's (Stripe has an easier integration path, and is elegant from a back end perspective), and it isn't the customers concern that a supplier might have their account frozen. We're looking at this from a company/developer perspective, but that's not the driver for it any more.
Most large companies work hard to keep customers happy because the competition is down the street. PayPal benefits from barriers to entry and a two sided market to make this less of an option for merchants.
> so I can watch them be eaten alive by crypto currencies and other fintech innovations
If crypto currencies become an even remotely threatening actor in finance, I'm sure you'll witness how quickly governments (being in the pocket of Big Finance) will crack down on them (i.e. you won't have any legal CC to nonCC trading).
Right now, of course, CCs are more of a practical joke.
That's a pretty big WTF right there.
I know PayPal has a on overall pretty scummy reputation, but I still I cannot imagine PayPal doing this because they themselves think they'll benefit from this data.
To me this seems like a demand which comes "upstream" from above PayPal, from its payment providers (VISA, MasterCard, American Express, etc). Would I be overly paranoid to imagine these demands and claims are the result of lobbing by entities like RIAA and MPAA? They do have a history for blocking payments to known pirate-friendly services after all.
And as such, they clearly have too much power, and there needs to be some anti-discriminatory financial regulation to stop business-hostile practices like this from being lobbied and put in place.
Because this is just madness.