Re: [Taler] Regulations for Taler

[Christian Grothoff]

On 05/09/2017 09:38 AM, Dieter wrote:
>>> To me it seems that this is currently not possible (maybe
>>> somewhat possible in case the user has a backup of the wallet).
>> Right. I generally expect that once we have backup/sync, we'll
>> pretty much enforce its use by telling users to print out the key
>> to their (network) backup immediately upon installation or so.
> Could you explain backup/sync a bit more? Is this a local (network) 
> backup which the user has to setup himself or a backup somewhere
> online provided by a another party but where the wallet information
> is stored in an encrypted way? Upon loss what would the user do with
> the the key they printed out?

I would expect that by default it's some third party where the wallet
data is stored in an encrypted format. Upon loss, the user would install
a fresh wallet, type in the key and recover his data from the backup.

>> The experts we talked to did not suggest theft of the wallet would
>> be a major issue. Note that customers are not expected to carry
>> significant balances in the wallet, only the cash they spent in
>> their daily lives (not savings!).
> EU legislation (DIRECTIVE 2007/64/EC) limits the liability of the
> user and _once a user has notified a payment service provider that
> his payment instrument may have been compromised, the user should not
> be required to cover any further losses_.
> 
> I'm just assuming this directive is applicable to Taler... (Article 3
> Negative scope mentions which types of services to which the 
> directive _does not_ apply).

It does list cash, which may be a reason for exclusion. Not sure.
Regardless, the list of exclusions suggests to me that the regulator
might not have intended for digital cash payment systems to fall under
this one.

> Quote from the DIRECTIVE 2007/64/EC [1] (32) In order to provide an
> incentive for the payment service user to notify, without undue
> delay, his provider of any theft or loss of a payment instrument and
> thus to reduce the risk of unauthorised payment transactions, the
> user should be liable only for a limited amount, 

This is the crux: the amount is *limited* to your wallet's balance.
Regulation already will limit how much you are allowed to withdraw at a
time.

> unless the payment
> service user has acted fraudulently or with gross negligence.

So we just need to convince regulators that carrying digital cash in
excess of a reasonable "limited amount" and not having backups and
getting hacked as "gross negligence".   I mean, if you have a million
bucks in your digital wallet and no backup OR an insecure OS, that's
gross negligence.  If you only carry a reasonable balance, say $20,
that's a limited amount.  We can even warn users in the wallet if they
start to carry a balance that exceeds whatever regulators deem a
"limited amount", thereby telling them that they are about to be negligent!

0xE29FC3CC.asc
Description: application/pgp-keys

signature.asc
Description: OpenPGP digital signature