Re: [Taler] Regulations for Taler
From: Christian Grothoff
Subject: Re: [Taler] Regulations for Taler
Date: Tue, 9 May 2017 10:11:52 +0200
User-agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
On 05/09/2017 09:38 AM, Dieter wrote:
>>> To me it seems that this is currently not possible (maybe
>>> somewhat possible in case the user has a backup of the wallet).
>> Right. I generally expect that once we have backup/sync, we'll
>> pretty much enforce its use by telling users to print out the key
>> to their (network) backup immediately upon installation or so.
> Could you explain backup/sync a bit more? Is this a local (network)
> backup which the user has to set up himself or a backup somewhere
> online provided by another party but where the wallet information
> is stored in an encrypted way? Upon loss what would the user do with
> the key they printed out?
I would expect that by default it's some third party where the wallet
data is stored in an encrypted format. Upon loss, the user would install
a fresh wallet, type in the key and recover his data from the backup.
>> The experts we talked to did not suggest theft of the wallet would
>> be a major issue. Note that customers are not expected to carry
>> significant balances in the wallet, only the cash they spent in
>> their daily lives (not savings!).
> EU legislation (DIRECTIVE 2007/64/EC) limits the liability of the
> user and _once a user has notified a payment service provider that
> his payment instrument may have been compromised, the user should not
> be required to cover any further losses_.
>
> I'm just assuming this directive is applicable to Taler... (Article 3
> Negative scope mentions which types of services to which the
> directive _does not_ apply).
It does list cash, which may be a reason for exclusion. Not sure.
Regardless, the list of exclusions suggests to me that the regulator
might not have intended for digital cash payment systems to fall under
this one.
> Quote from the DIRECTIVE 2007/64/EC [1] (32) In order to provide an
> incentive for the payment service user to notify, without undue
> delay, his provider of any theft or loss of a payment instrument and
> thus to reduce the risk of unauthorised payment transactions, the
> user should be liable only for a limited amount,
This is the crux: the amount is *limited* to your wallet's balance.
Regulation already will limit how much you are allowed to withdraw at a
time.
> unless the payment
> service user has acted fraudulently or with gross negligence.
So we just need to convince regulators that carrying digital cash in
excess of a reasonable "limited amount" and not having backups and
getting hacked is "gross negligence". I mean, if you have a million
bucks in your digital wallet and no backup OR an insecure OS, that's
gross negligence. If you only carry a reasonable balance, say $20,
that's a limited amount. We can even warn users in the wallet if they
start to carry a balance that exceeds whatever regulators deem a
"limited amount", thereby telling them that they are about to be negligent!