gnunet-svn

From: gnunet
Subject: [donau] branch master updated: done with intro
Date: Wed, 22 Jan 2025 12:23:09 +0100

This is an automated email from the git hooks/post-receive script.

grothoff pushed a commit to branch master
in repository donau.

The following commit(s) were added to refs/heads/master by this push:
     new 48e32f5  done with intro
48e32f5 is described below

commit 48e32f509e763c2ae034928cc335fc3307941706
Author: Christian Grothoff <christian@grothoff.org>
AuthorDate: Wed Jan 22 12:23:05 2025 +0100

    done with intro
---
 doc/usenix-security-2025/paper/bibliography.bib |  51 ++++++
 doc/usenix-security-2025/paper/donau-paper.tex  |   1 +
 doc/usenix-security-2025/paper/intro.tex        | 198 ++++++++++++++----------
 3 files changed, 171 insertions(+), 79 deletions(-)

diff --git a/doc/usenix-security-2025/paper/bibliography.bib 
b/doc/usenix-security-2025/paper/bibliography.bib
index e761553..03ca1c2 100644
--- a/doc/usenix-security-2025/paper/bibliography.bib
+++ b/doc/usenix-security-2025/paper/bibliography.bib
@@ -154,6 +154,8 @@
   note         = {Accessed: 2025-01-21}
 }
 
+
+
 @InProceedings{donations2003blind,
 author="Al-Meaither, Mansour A.
 and Mitchell, Chris J.",
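Review bot: the two blank lines added before `@InProceedings{donations2003blind,` leave three consecutive blank lines between entries where the rest of the file uses one; drop them.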
@@ -169,3 +171,52 @@ pages="50--61",
 abstract="Although many charities have a web presence, almost all of them have 
been designed to accept credit cards as the only means for making donations. 
The anonymity requirements of many donors, however, make the existing means of 
donation inappropriate for them. In this paper we investigate the business need 
for an internet charity donation scheme, identify the security requirements 
such a scheme should fulfill, and propose a scheme that uses an anonymous 
electronic cash technique t [...]
 isbn="978-3-540-45229-4"
 }
+
+@Book{stallman2009free,
+  title={Free Software, Free Society: Selected Essays of Richard M. Stallman},
+  author={Richard Stallman},
+  editor={Joshua  Gay},
+  isbn={978-0-9831592-0-9},
+  year={2009},
+  publisher={GNU Press},
+}
+
+
+@inproceedings{purchase2018wen,
+    author = {Wen, Yu-Ting and Yeh, Pei-Wen and Tsai, Tzu-Hao and Peng, 
Wen-Chih and Shuai, Hong-Han},
+    title = {Customer Purchase Behavior Prediction from Payment Datasets},
+    year = {2018},
+    isbn = {9781450355810},
+    publisher = {Association for Computing Machinery},
+    address = {New York, NY, USA},
+    booktitle = {Proceedings of the Eleventh ACM International Conference on 
Web Search and Data Mining},
+    pages = {628–636},
+    numpages = {9},
+    keywords = {customer behavior prediction, financial technology, real time 
advertising},
+    location = {Marina Del Rey, CA, USA},
+    series = {WSDM '18}
+}
+
+
+
+@article{purchasepsyco2019gladstone,
+ author = {Joe J. Gladstone and Sandra C. Matz and Alain Lemaire},
+ title ={Can Psychological Traits Be Inferred From Spending? Evidence From 
Transaction Data},
+ journal = {Psychological Science},
+ volume = {30},
+ number = {7},
+ pages = {1087-1096},
+ year = {2019},
+ doi = {10.1177/0956797619849435},
+}
+
+
+@article{religiondonation2015deabreu,
+author = {de Abreu, Madalena Eça and Laureano, Raul M. S. and da Silva, Rui 
Vinhas and Dionísio, Pedro},
+title = {Volunteerism, compassion and religiosity as drivers of donations 
practices},
+journal = {International Journal of Nonprofit and Voluntary Sector Marketing},
+volume = {20},
+number = {3},
+pages = {256-276},
+year = {2015}
+}
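Review bot: the page ranges in the new entries are inconsistent with each other and with the existing `pages="50--61"` above: `purchase2018wen` uses a literal en dash (`pages = {628–636}`) while the other two use a single hyphen (`pages = {1087-1096}`, `pages = {256-276}`); BibTeX expects `--` for ranges, so normalise all three. Smaller points in the same hunk: `editor={Joshua  Gay}` has a double space, `religiondonation2015deabreu` is the only journal entry without a `doi`, and the key `purchasepsyco2019gladstone` looks like a typo for "psycho"; renaming it now is cheap because the only citation is in the intro.tex hunk of this same commit.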
diff --git a/doc/usenix-security-2025/paper/donau-paper.tex 
b/doc/usenix-security-2025/paper/donau-paper.tex
index ba178ee..1f237ee 100644
--- a/doc/usenix-security-2025/paper/donau-paper.tex
+++ b/doc/usenix-security-2025/paper/donau-paper.tex
@@ -19,6 +19,7 @@
 %\definecolor{urlcolor}{rgb}{0,0,0.65}
 %\usepackage[colorlinks=true, linkcolor=linkcolor, urlcolor=urlcolor, 
citecolor=citecolor]{hyperref}
 
+\usepackage{tikz}
 \usepackage{listings}
 \usepackage{graphicx}
 \date{}
diff --git a/doc/usenix-security-2025/paper/intro.tex 
b/doc/usenix-security-2025/paper/intro.tex
index 53db505..575e580 100644
--- a/doc/usenix-security-2025/paper/intro.tex
+++ b/doc/usenix-security-2025/paper/intro.tex
@@ -2,9 +2,34 @@
 
 This paper presents the design and implementation of a protocol for
 donation handling that satisfies a broad range of potential technical
-requirements and desiderata for donation systems.  The protocol enables
-donors to make incognito donations to registered charities and still
-receive a tax benefit for that donation, while at the same time preventing 
fraud.
+requirements and desiderata for donation systems.  The protocol
+enables {\em donors} to make incognito donations to registered {\em
+  charities} and still receive a tax benefit for donations to
+charities recognized by {\em tax authorities}, while at the same time
+preventing fraud (Figure~\ref{fig:stakeholders}).
+
+\begin{figure}[ht]
+\begin{center}
+\begin{tikzpicture}
+    \node (image) at (0,0) {\includegraphics[width=0.05\textwidth]{stickman}};
+    \node at (0,-1.3) {Donor};
+    %arrow
+    \draw (1,0) -- (5,0) node [midway,above] {donation};
+    %charity
+    \node (image) at (5.5,0) 
{\includegraphics[width=0.075\textwidth]{charity}};
+    \node at (5.5,-0.7) {Charity};
+    %arrow
+    \draw (5,-1) -- (3.5,-2.5) node [midway, below, rotate=45] { recognition };
+    %server
+    \node (image) at (3,-3) {
+    \includegraphics[width=0.06\textwidth]{tax-authority}};
+    \node at (3,-3.8) {Tax Authority};
+    %arrow
+    \draw (1,-1) -- (2.5,-2.5) node [midway, below, rotate=-45] { taxation };
+\end{tikzpicture}
+\end{center}
+\caption{Stakeholders present in the Donau system.} \label{fig:stakeholders}
+\end{figure}
 
 Donating is an important way for people to empower causes they believe in and
 facilitate collective action. In many countries there is explicit state
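Review bot: the three `\draw` commands are labelled `%arrow` but draw plain lines (`\draw (1,0) -- (5,0) node [midway,above] {donation};`), so the figure does not show who pays, recognizes or taxes whom; use `\draw[->]` if the direction matters. All three picture nodes reuse the name `(image)` and the lines use hard-coded coordinates instead of node anchors, so moving one node silently misaligns its lines; name them e.g. `(donor)`, `(charity)`, `(tax)` and draw `(donor) -- (charity)`. Also, `stickman`, `charity` and `tax-authority` are not among the three files in this push, so the build depends on those graphics already being in the repository; worth confirming before the deadline.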
@@ -14,6 +39,12 @@ away to a recognized, independently administered good cause 
is not
 income that will be used for private consumption. So, conceptually,
 it deserves a different tax treatment.
 
+Today, charities issue donation receipts which generally bear the
+name of the charity.  The donor often has to include the donation
+receipts in their tax declaration; this means the tax authority not
+only learns the amount that the tax payer donated to charitable
+organizations but also how much they gave to which.
+
 %% JL: I strongly suggest completely removing this paragraph. I'm not sure we
 %% need to be so abstractly idealistic, and even if we do, the citation is
 %% ideologically dissonant with the text that precedes it. ALEC is a right-wing
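Review bot: "tax payer" in the moved paragraph (and in the enumerated steps added further down) versus "taxpayer" in the sentence added at the end of the file; pick one spelling for the paper. Moving the paragraph from the Approach subsection to here is an improvement, since it now motivates the privacy problem before the solution is described.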
@@ -35,20 +66,21 @@ it deserves a different tax treatment.
 
 Individual spending quickly becomes very intimate and personal, as even
 aggregate spending habits can reveal a great deal about people through
-behavioural analytics and psychographic profiling. This holds even more for
+behavioural analytics and
+psychographic profiling.~\cite{purchase2018wen,purchasepsyco2019gladstone}
+This holds even more for
 acts of donating, which is typically highly revealing about e.g. belief systems
-and intersectionality of the individuals in question.
+and intersectionality of the individuals in 
question.~\cite{religiondonation2015deabreu}
 
 Protecting donation confidentiality is therefore important to protect
 those freedoms. We have to recognize that in some situations the mere
 fact that someone has -- in private -- donated to some cause at some
-point in their life, can put them at risk in another context. The
-right to privacy is thus a critical aspect of donating.
-International
-human rights law provides a non-ambiguous responsibility to promote
-and protect the right to privacy.
+point in their life, can later put them at risk in another context.
+The right to privacy is thus a critical aspect of donating.
 
-Both these rights---towards freedom of thought and to privacy---are
+International human rights law also provides a non-ambiguous responsibility
+to promote and protect the right to privacy:
+Both freedom of thought and informational self-determination are
 anchored in key international treaties and covenants such as the
 Universal Declaration on Human Rights (Article 12)~\cite{udhr1948}, the 
European
 Convention for the Protection of Human Rights and Fundamental Freedoms
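Review bot: both new citations are placed after the full stop (`psychographic profiling.~\cite{purchase2018wen,purchasepsyco2019gladstone}` and `question.~\cite{religiondonation2015deabreu}`), so the reference lands at the start of the following sentence; move them before the period (`profiling~\cite{...}.`). The rewritten sentence "International human rights law also provides a non-ambiguous responsibility to promote and protect the right to privacy:" ends in a colon followed by a capitalised "Both", so either lower-case "both" or end the first sentence with a period; "unambiguous" also reads better than "non-ambiguous".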
@@ -69,8 +101,7 @@ donation, such bad actors start to aggressively pressure a 
particular
 donor for more -- with personalized emails, letters, phone calls and
 even in person visits. This may happen beyond a single good cause:
 people that donate are known to be susceptible to a certain
-proposition, resulting in an avalanche of follow up demanding
-requests.
+proposition, resulting in an avalanche of follow up demands.
 
 In the era of data driven donations and corporate social media
 surveillance, this kind of behavior has unfortunately become so easy
@@ -80,40 +111,39 @@ Netherlands:
   Donateursbelangen}) to de-register and exercise the ``right to be
 forgotten'' after donating.
 
-Even without such excesses, there are many circumstances when people
-like to donate something to their preferred causes without revealing
-their identity.  Some people just prefer to stay anonymous because of
-personal beliefs or even religious requirements, or simply do not want
-to have publicity which might lead to a cascade of efforts from fund
-raisers.
-
-\subsection{Donation confidentiality}
-
-Making a financial donation is a deeply personal choice to share part
-of one's wealth in order to benefit a cause one cares about. Some
-traditional ways of donating (for instance passing around baskets or
-even plates in a religious gathering) are vulnerable to group
-pressure, and door to door fundraising is also confrontational and
-puts people on the spot.
-
-Donations in their purest form should be devoid of such pressures and in cases
-where there is no need for, e.g., virtue signaling, donation confidentiality
-comes into play. Historically, people wanting to make an anonymous donation
-might have an envelope with cash or a box of goods delivered. Obviously, this
-was never compatible with providing tax benefits. Alternatively, they might
-arrange for an expensive intermediary like a notary (although that would not be
-fully anonymous and depends on the discretion of the notary).
-
-Technically guaranteed donation confidentiality is certainly
-non-trivial to implement in the digital payment era. What you donate to and why
-may be strictly personal, but along the financial pipeline there is an
-uncomfortable number of actors handling sensitive data that allows for
-profiling and targeted discrimination on grounds. And there are even more that
-later on may get access to it. Digital payments are logged and made accessible
-to many different actors, and reporting donations to tax authorities adds yet
-(at least) one more actor to the pipeline.  In this work we
-try and solve this issue and finally introduce donation confidentiality which
-adheres to ``privacy by design''.
+% Commenting out, too much repetition for my taste. -CG
+%Even without such excesses, there are many circumstances when people
+%like to donate something to their preferred causes without revealing
+%their identity.  Some people just prefer to stay anonymous because of
+%personal beliefs or even religious requirements, or simply do not want
+%to have publicity which might lead to a cascade of efforts from fund
+%raisers.
+
+%\subsection{Donation confidentiality}
+
+%Making a financial donation is a deeply personal choice to share part
+%of one's wealth in order to benefit a cause one cares about. Some
+%traditional ways of donating (for instance passing around baskets or
+%even plates in a religious gathering) are vulnerable to group
+%pressure, and door to door fundraising is also confrontational and
+%puts people on the spot.
+%
+%Donations in their purest form should be devoid of such pressures and in cases
+%where there is no need for, e.g., virtue signaling, donation confidentiality
+%comes into play. Historically, people wanting to make an anonymous donation
+%might have an envelope with cash or a box of goods delivered. Obviously, this
+%was never compatible with providing tax benefits. Alternatively, they might
+%arrange for an expensive intermediary like a notary (although that would not 
be
+%fully anonymous and depends on the discretion of the notary).
+%
+%Technically guaranteed donation confidentiality is certainly
+%non-trivial to implement in the digital payment era. What you donate to and 
why
+%may be strictly personal, but along the financial pipeline there is an
+%uncomfortable number of actors handling sensitive data that allows for
+%profiling and targeted discrimination on grounds. And there are even more that
+%later on may get access to it. Digital payments are logged and made accessible
+%to many different actors, and reporting donations to tax authorities adds yet
+%(at least) one more actor to the pipeline.
 
 
 \subsection{Overview of the requirements analysis}
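Review bot: about forty lines are kept as `%`-commented dead text (`% Commenting out, too much repetition for my taste. -CG`) rather than deleted; the history is in git, so delete them unless a co-author still has to sign off. Note that the commented block also carried the paper's only statement that cash envelopes or a notary "was never compatible with providing tax benefits", which is the concrete reason the problem is non-trivial; the surviving intro no longer says this. One thing to check in the file itself: if the breaks at `(although that would not` / `be` and `What you donate to and` / `why` are real line breaks and not mail wrapping, then `be` and `why` are uncommented and will be typeset.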
@@ -140,7 +170,7 @@ As part of their regular operations as well as their 
recognition as
 public benefit organizations, registered charities are already typically
 subject to a variety of audits as well as strict regulatory and fiscal
 scrutiny. Good causes that do not adhere to these rules are stripped from any
-fiscal benefits. 
+fiscal benefits.
 From a regulatory point of view, it should be compliant to have donations to
 recognized public benefit organizations
 be confidential: donors should be able to freely choose whichever
@@ -154,31 +184,28 @@ into account when designing a system, but does not take 
away the fundamental
 premise that within those categories it is no concern of a government which
 particular recognised causes are supported.
 
-In cases where donation confidentiality is not (yet) feasible, we will
-try and provide fallbacks that best serve the interest of donors, give
-them choice and respect their privacy as least as well as the current
-system in place.
-
-
+In this work we solve the issue of privacy-preserving donations with
+tax deductions by adhering to ``privacy by design'': In cases where
+perfect confidentiality is not (yet) feasible, we provide fallbacks
+that best serve the interest of donors, give them choice and respect
+their privacy as well as the current context allows.
 
 
 \subsection{Digital Cash}
 
 Digital cash~\cite{Chaum89} implemented by tokens issued using blind
-signatures~\cite{DemHeuz2022} provides a foundation for donations where
-the donor remains anonymous while the recipient is easily identified by
-the payment service provider. Payment systems based on digital
-cash are thus an adequate foundation for anonymous donations, as the
+signatures~\cite{DemHeuz2022} has previously been
+suggested~\cite{donations2003blind} as a foundation for donations
+where the donor remains anonymous while the recipient is easily
+identified by the payment service provider. Payment systems based on
+digital cash are an adequate foundation for anonymous donations as the
 donor is not inherently traceable via the underlying payment.
 
-This paper presents the design and implementation of a donation
-protocol producing digitally signed proofs of donation that are linked
-to the donor but unlinkable to the charity.
-The deisn can be used for donations made using the GNU
-Taler~\cite{Taler} payment system.  GNU Taler is a {\em digital
-  commons}, based on free software and advanced cryptography. This
-means that -- unlike proprietary products -- anyone can easily extend
-and customize the core system.
+Our current implementation is designed to work in conjunction with the
+GNU Taler~\cite{Taler} payment system.  GNU Taler is a {\em digital
+  commons}, based on Free Software~\cite{stallman2009free} and advanced
+cryptography. This means that -- unlike proprietary products -- anyone
+can easily extend and customize the core system.
 
 As may be obvious from the underlying acronym "Taxable Anonymous Libre
 Electronic Resources", GNU Taler bridges two seemingly opposite
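Review bot: the deleted paragraph was the first place the paper said what the protocol actually produces, "digitally signed proofs of donation that are linked to the donor but unlinkable to the charity"; the replacement jumps straight to "Our current implementation is designed to work in conjunction with the GNU Taler payment system", so the Digital Cash subsection now names the implementation platform before any statement of the design goal. The Approach subsection still says it, but a one-sentence bridge here (with the old "deisn" typo corrected to "design") would keep the section self-contained. Citing `donations2003blind` for the prior suggestion is a good addition.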
@@ -192,26 +219,38 @@ achieving privacy-preserving donations with 
tax-deductability.
 
 \subsection{Approach}
 
-Today, charities issue donation receipts which generally bear the
-name of the charity.  The donor often has to include the donation
-receipts in their tax declaration; this means the tax authority not
-only learns the amount that the tax payer donated to charitable
-organizations but also how much they gave to which.
-
-Our {\em Donau} protocol makes it possible for the donor to give an
+At a high level, the Donau protocol consists of five steps:
+\begin{enumerate}
+\item Charities are recognized by the tax authority and their
+  credentials are registered at the Donau service provider.
+\item Tax payers are assigned tax payer identification numbers.
+\item A donor makes a donation to a charity and receives
+  blindly signed donation confirmation tokens bound to
+  their tax payer identification number in return.
+\item After the tax period ends, each donor submits their
+  collected donation confirmation tokens to the Donau and
+  receive a summary donation statement over the total
+  amount bound to their tax payer identification number.
+\item Donors submit the summary donation statement with
+  their tax filing to the donation authority, which validates
+  the digital signature from the Donau.
+\end{enumerate}
+
+The Donau protocol makes it possible for the donor to give an
 unforgeable proof of the combined amount they donated to registered
 charities, without the charities or the tax authorities learning who
 donated to whom. The privacy features obviously require that there is
 more than one charity and more than one donor. The Donau protocol
 itself is actually oblivious to how the payment underlying the
 donation happens. If the donor chooses to donate by credit card or
-bank transfer, then their identity may becomes known to the charity
+bank transfer, then their identity may become known to the charity
 through the payment process.
 %
 However, a relevant feature of the protocol is that the charity does
-not need to learn the identity of the donor. Hence, payments can be
-made with GNU Taler, and in this case the Donau protocol will preserve
-the privacy properties of the GNU Taler payment system.
+not need to learn the identity of the donor. Hence, if payments are
+made with GNU Taler or a similar privacy-preserving payment method, the
+Donau protocol will preserve the privacy properties of that payment
+system.
 
 The design requires the creation of a Donation Authority (Donau), an
 additional service separate from the charities and the payment system.
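Review bot: step 5 of the new enumeration is wrong about the recipient: "Donors submit the summary donation statement with their tax filing to the donation authority, which validates the digital signature from the Donau", but the Donau is the Donation Authority (the context below reads "the creation of a Donation Authority (Donau)"), so the statement is submitted to the tax authority, which validates the Donau's signature. Step 4 has a number agreement slip ("each donor submits ... and receive a summary donation statement" should be "receives"), and step 2 says "Tax payers are assigned tax payer identification numbers" without saying by whom; step 1 names the actor, step 2 should too. "tax payer" versus "taxpayer" in the last hunk of this file also needs settling.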
@@ -222,7 +261,9 @@ typically expected that each competent tax authority would 
operate
 a Donau for the taxpayers in its domain.  We note that the Donau does
 not receive sensitive private information about donors: privacy is
 achieved using cryptography to unlink proofs of donations from the
-actual donation process.
+actual donation process. Even the taxpayer identification number is
+only ever disclosed with the final tax statement to the tax authority,
+but not to the Donau service or the charity.
 
 
 \subsection{Structure of the paper}
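Review bot: the added sentence "Even the taxpayer identification number is only ever disclosed with the final tax statement to the tax authority, but not to the Donau service or the charity" contradicts steps 3 and 4 of the enumeration above as written, where the charity hands out tokens "bound to their tax payer identification number" and the Donau issues a statement "bound to their tax payer identification number". If the binding is to a blinded or hashed form of the number that only the tax authority can check, say so in the steps, for example "bound to a blinded commitment to their taxpayer identification number"; otherwise a reader will take the two passages as inconsistent. Also "disclosed with the final tax statement" leaves the discloser implicit; it is the donor who submits the statement, so "disclosed by the donor, together with the final tax statement, to the tax authority" is clearer.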
@@ -250,4 +291,3 @@ promoting ethical giving practices within a complex 
regulatory
 landscape.  Cross-border donations are particularly challenging.
 We review some of the legal and regulatory background in
 Appendix~\ref{app-back}.
-
