PayPal working again, PaySafeCard support canceled

Dear users,

it has been some time since our last sign of life. We had some pretty busy days catching up with the backlog after the OHM2013 event.

PayPal

So after a lot of complaining and back and forth, PayPal reinstated our account. The reasons for it being disabled in the first place are a bit conflicting, starting with the fundraiser for heml.is and ending with PayPal not being able to find our street address on $maps-service and trying to call us at 4am when nobody is going to pick up the phone. In any case, after a full week of not being able to talk to anyone at PayPal, things got resolved basically the minute our story gained publicity. Thank you all for that.

PaySafeCard

So while PayPal was down, a lot of our European users switched to PaySafeCard. The spike was so huge that we decided to apply for a direct account with them. This would automate the process and lower the time until your account would be activated.

After we submitted all the necessary documents, we got a short reply from PaySafeCard that they won't be able to clear us in their "compliance department". Since that message was a bit unclear, we asked for more information, which resulted in a short message saying that PaySafe is not working with VPN services. It is always interesting to see companies that should be neutral apply different standards to their customers. If you take a quick glance at this page on the PaySafeCard website you will see that they advertise a service called JonDos which, as it turns out, is a proxy service.

So how do their service and ours differ, you might ask? They do not. We dispatched a request via TF, resulting in the following statement (taken from the TF article):

"In terms of security it is a very high risk for paysafecard, because you cannot trace
where the information is coming from," Unger says.

"In many cases VPN services are used for businesses which have something to hide - this
can be any illegal business because if the address is anonymous, you cannot trace where
all the information is coming from. People can hide a lot of illegal content and you will
never be able to detect the original source," she adds.

Looking at the list of businesses that use PaySafeCard one can also see a lot of ISPs that offer hosting. Maybe the people at PaySafeCard can grace us with an explanation of how paying anonymously for a VPS, a dedicated server or a shell account differs when taking their statement into account. Do they think people are not able to install a torrent client, use SSH or any other things they obviously deem as "something to hide"? Like, running a Tor exit node?

When (government) reality catches up with your business model

It looks like the presumption of innocence is gone, and you, our dear users, are defined as potential criminals just because you want to protect your online privacy. As part of the debate we got a document that you can take a look at here. Unfortunately the document in question is in German, but after translating the content we found out that it is a summary of the latest Anti-Money Laundering Directive from the EU summit held at the beginning of 2013.

Why would somebody send us such a document? As it turns out, the EU is not happy with the current legislation and is pushing for a tighter lock-down of e-currencies. You can find the directive in its full beauty here. As usual, the reason is criminal and/or terrorist activities.

This directive states, in a rather hidden way, that a number of money transactions require special handling. They differentiate between "Simplified Customer Due Diligence" (low risk transactions) and "Enhanced Customer Due Diligence" (high risk transactions). So what's the big deal, you might ask? Let's have a look at the details.

We have to skip to "ANNEX III" to see the actual issue. There we find the following text:

Product, service, transaction or delivery channel risk factors:
(a) private banking;
(b) products or transactions that might favour anonymity;
(c) non-face-to-face business relationships or transactions;
(d) payment received from unknown or un-associated third parties;
(e) new products and new business practices, including new delivery mechanism, and the
    use of new or developing technologies for both new and pre-existing products

Please read points b) and c) carefully. Essentially this means that any privacy services that provide you as a user with some anonymity will be governed by article 16(3) of the directive: "Enhanced Customer Due Diligence". The phrasing of point c) is quite open to interpretation as well; are they talking about non-face-to-face transactions or non-face-to-face business transactions? What does "Enhanced Customer Due Diligence" stand for in this context? Luckily for us, there are websites dedicated to translating the language of our governments into more accessible terms. We will just provide a few snippets; please read the full text if you are interested.

Impact of new law

General due diligence obligations

As a general due diligence measure, the Anti-money Laundering Act
requires that the legal entity:

- identify the customer and verify his or her identity;
- obtain information on the purpose and intended nature of the business relationship;
- clarify whether the contracting party acts for a beneficial owner and, when
  applicable, identify the beneficial owner and verify the data on a risk-based approach;
  and
- conduct ongoing monitoring of the business relationship and ensure that the
  documents, data or information held are kept up to date.

However, Section 3(2)3 of the Anti-money Laundering Act and Section 25i(1) of the Banking
Act modify these obligations for the issuance, distribution and redemption of e-money. 
For e-money institutions, Section 22(2) of the Payment Services Act refers to Section 25i
of the Banking Act and is therefore applicable. E-money issuers, agents and persons 
distributing or redeeming e-money must always identify their customers and continuously 
monitor the business relationship. Furthermore, the data collected must be recorded in 
accordance with Section 8 of the Anti-money Laundering Act.

Identifying customers

As is the case for other subjects of anti-money laundering obligations, the 
identification of the customer requires:

- in the case of natural persons, the name, address, birth date and place and nationality
  of the person, and verification of this information with an identification card or a 
  passport; or
- in the case of legal entities, data on the name of the company, the form of 
  organisation, the registration number (if applicable), the address of the registered
  office or headquarter and the names of the members of the legal entity's 
  representative body or statutory representative.

So no more buying vouchers at gas stations, kiosks and supermarkets unless you provide your passport/ID card that can be associated with the payment in question?

However, e-money issuers, agents and points of sale are exempt from the identification 
requirement if the value stored to the pre-paid card does not exceed €100 a month and, 
in case of a rechargeable card, the amount cannot exceed €100 a month and the 
e-money cannot be combined technically with e-money from another issuer. 
Furthermore, when e-money is redeemed for cash, customer due diligence measures must
be applied if the amount exceeds €20. This exemption and its application to all 
persons involved in the issuing, distribution and redemption of e-money is the result
of the protests described above.

However, there is an exception to the exception if the e-money owner acquires an amount
of more than €100 a month with several transactions which obviously belong together 
('smurfing'). In the case of such artificial splitting, the customer due diligence 
measures apply (Section 25i(2)2 of the Banking Act).

Section 25i(5) of the Banking Act and Section 3(2)4 of the Anti-money Laundering Act
provide that simplified due diligence measures can be applied if:

- requested by the legally bound person; and
- there is a low risk of money laundering, terrorist financing or other criminal acts 
  associated with the specific e-money business.

Here is the interesting part with regard to PaySafeCard. The way their current system works, smurfing is possible. They can't prohibit anyone from buying vouchers for 10k a month since it is anonymous. The directive is not yet established law but it is supposed to be adopted within 2 years of its ratification. This means that ANY e-currency will have this kind of problem -- not just PaySafeCards. Germany acknowledging Bitcoin is nice but it also means that the Anti-Money Laundering Directive has to be applied there too.

The question that arises now is: "Shall we protect and protest for companies that violate our trust while claiming to do the opposite?" As if recent events in light of the Snowden leaks had not shown how massive the dragnets are. PaySafeCard is taking the path of least resistance now to sell us out. If this EU directive is put in place as it stands now, we, as a society, might well lose one of the last buffers we have defending us from our governments (and foreign ones too) snooping in on us: the ability to purchase in private, anonymously. Just like we do with cash.

So as of now we are not going to accept PaySafeCards anymore until the matter is resolved. If you are unhappy about this, please complain to PaySafeCard.

The IPredator team