Summary of the events last night - And an apology.

[DannyHamilton]

. . . and honestly, I'm tempted to think like Rassah here and ask "What's the fucking problem in that? Should we really be that passive and let thiefs always get away, cleanly, without even some public shaming?" . . .

No problem with it at all, as long as your company's privacy policy indicates that personal information will be used in this way.  On the other hand if you make an explicit commitment to your customers that their personal information will not be shared with a third party for any reason except as demanded by law enforcement, then violation of that commitment is a big problem.  If you are going to act in that way, why bother lying to your customers with a privacy policy at all?

[paulie_w]

agree with the sentiment against rodger, even if i really appreciate his efforts in the bitcoin world.

protect your customer data, even if they are assholes, or lose the trust of potential customers.

i won't be shopping at bitcoinstore now, as much as i really was looking forward to for my next computer purchases.

[repentance]

. . . and honestly, I'm tempted to think like Rassah here and ask "What's the fucking problem in that? Should we really be that passive and let thiefs always get away, cleanly, without even some public shaming?" . . .

No problem with it at all, as long as your company's privacy policy indicates that personal information will be used in this way.  On the other hand if you make an explicit commitment to your customers that their personal information will not be shared with a third party for any reason except as demanded by law enforcement, then violation of that commitment is a big problem.  If you are going to act in that way, why bother lying to your customers with a privacy policy at all?

Pretty much every real world company I deal with explicitly says that they will share information with credit reporting agencies if you don't pay them, as well as with the authorities if presented with a valid request.  Some also state that they will share information with other companies within the same group (often you can opt out of that as it's usually a marketing thing).

The point is that they explicitly state the circumstances under which information will be shared and with whom.  If Bitcoin businesses are going to share information with each other, they need to explicitly state that in their terms of service and privacy policies.  They also need to be very mindful of the types of data which they can legally share and what records need to be kept in terms of data-sharing.

[caveden]

No problem with it at all, as long as your company's privacy policy indicates that personal information will be used in this way.  On the other hand if you make an explicit commitment to your customers that their personal information will not be shared with a third party for any reason except as demanded by law enforcement, then violation of that commitment is a big problem.  If you are going to act in that way, why bother lying to your customers with a privacy policy at all?

Breaking the nose of someone and running is normally criminal. But if you're breaking the nose of someone and running to avoid a flash kidnapping, that's perfectly justifiable.
Disrespecting a contract is normally criminal. Disrespecting a contract to avoid the other party to steal from you is normally justifiable (unless of course the breach of contract implies you taking much more from the other party than what this party is taking from you, i.e., disproportional reaction).

The main mistake of Roger here was being too impulsive. Perhaps the customer was innocent. So maybe the best action on Roger's part was to only act after some mediation decided he's right - he had the time to do so anyway. On the other hand, professional mediation would likely cost much more than 5BTC. And he was convinced the guy was a liar. If he's really correct, his actions would be justifiable in comparison to the actions of Nethead.

Anyway, it wouldn't hurt to state what you say in the TOS - that they have the right to break their contract with you if you steal from them is something that's ethically deductible anyway, explicitly stating it would help making it clearer.

[DannyHamilton]

Breaking the nose of someone and running is normally criminal. But if you're breaking the nose of someone and running to avoid a flash kidnapping, that's perfectly justifiable.
Disrespecting a contract is normally criminal. Disrespecting a contract to avoid the other party to steal from you is normally justifiable (unless of course the breach of contract implies you taking much more from the other party than what this party is taking from you, i.e., disproportional reaction).

The main mistake of Roger here was being too impulsive. Perhaps the customer was innocent. So maybe the best action on Roger's part was to only act after some mediation decided he's right - he had the time to do so anyway. On the other hand, professional mediation would likely cost much more than 5BTC. And he was convinced the guy was a liar. If he's really correct, his actions would be justifiable in comparison to the actions of Nethead.

Anyway, it wouldn't hurt to state what you say in the TOS - that they have the right to break their contract with you if you steal from them is something that's ethically deductible anyway, explicitly stating it would help making it clearer.

The issue in this event was that nobody was stealing from blockchain.info.  blockchain.info was not due any funds.  Roger, acting in an employee capacity at blockchain.info abused his access to their database to violate blockchain.info's privacy policy so as to gain leverage in a dispute between BitcoinStore.com and a BitcoinStore.com customer.

If Roger had violated BitcoinStore.com's privacy policy and publicly used personal information stored by BitcoinStore.com in an attempt to resolve what he believed to be a fraudulent action, it would have been less severe (I still hold that it would have been wrong of him, but not as bad as what he did).  Instead, information that only blockchain.info was supposed to have was revealed to BitcoinStore.com to assist them in their investigation and their attempt to determine whether fraud had even occured.

Are you arguing that I should be able to contact blockchain.info and ask them for a list of all bitcoin addresses associated with your email address or phone number so I can check and see if you have engaged in fraud with me?  Even if it violates blockchain.info's privacy policy?

How is blockchain.info supposed to know if I have a valid fraud claim against you or am just fishing for information I can use to blackmail you?

[John (John K.)]

To recap...

 - Customer pays for something on BitcoinStore
 - BitcoinStore request customer to pay some hidden fee
 - Customer wants refund
 - BitcoinStore refunds customer in full +4BTC (why? idk), and asks Customer to send back the extra 4BTC
 - Customer is pissed off for having BitcoinStore wast his time and refuses to give the 4BTC back
 - BitcoinStore publishes Customers sensitive information to EVERYONE on the internet

is this what happened?

No.

More like this:

• Customer pays for something on BitcoinStore
• Customer requests BitcoinStore lie on Customs forms (against BitcoinStore policy)
• BitcoinStore offers choice of refund or truth on Customs forms
• Customer requests refund
• BitcoinStore refunds to address given by customer

At this point everything is fine so far. Then:

• In separate transaction Bitcoin accidentally has additional 4+ BTC sent to Customer
• BitcoinStore requests that Customer send back the extra 4+ BTC
• Customer decides he prefers to keep the BTC and lies saying the address receiving the 4+ BTC is not his
• BitcoinStore accesses proof that the address does belong to Customer and provides that proof only to the Customer
• Customer gets angry that this proof of his lie was available an publishes his own sensitive information to EVERYONE on the internet to let them know that BitcoinStore has access to this proof
• BitcoinStore's ability to access this proof is removed due to abuse of the access

This is mostly true. I would like to add that what Roger published in this forum initially was information from its own site, and not blockchain.info's information. The blockchain.info's information was merely used as proof for nethead/bitbitman when he replied rudely and denied that the address was the anonymizer's address. It was published by nethead himself.

In fact, apart from Roger accessing the blockchain.info to verify that nethead's address wasn't an anonymizer address and he indeed holds the privatekeys to it, I don't really see what was wrong in his situation.
Even bitcoinstore's privacy policy does have a clause pertaining to this situation.

We will not disclose or sell your personal contact information to any third parties without your permission. But we will disclose these information when legally required to do so, at the request of governmental authorities conducting an investigation, to verify or enforce compliance with the policies governing our website and applicable laws or to protect against misuse or unauthorized use of our website.

[/list]

[DannyHamilton]

. . . In fact, apart from Roger accessing the blockchain.info to verify that nethead's address wasn't an anonymizer address and he indeed holds the privatekeys to it, I don't really see what was wrong in his situation . . .

Agreed.  The error in judgement that Roger made was to access the records of blockchain.info to gain leverage in a dispute between BitcoinStore and a BitcoinStore customer.  Had he not done this (or had the customer returned the funds that were accidentally sent to him), then none of this discussion would ever have occurred, Roger's reputation would still be intact, and Roger would still have access to the Admin Panel of blockchain.info to assist Piuk with customer support.

[caveden]

The issue in this event was that nobody was stealing from blockchain.info.  blockchain.info was not due any funds.  Roger, acting in an employee capacity at blockchain.info abused his access to their database to violate blockchain.info's privacy policy so as to gain leverage in a dispute between BitcoinStore.com and a BitcoinStore.com customer.

If Roger had violated BitcoinStore.com's privacy policy and publicly used personal information stored by BitcoinStore.com in an attempt to resolve what he believed to be a fraudulent action, it would have been less severe (I still hold that it would have been wrong of him, but not as bad as what he did).  Instead, information that only blockchain.info was supposed to have was revealed to BitcoinStore.com to assist them in their investigation and their attempt to determine whether fraud had even occured.

You're talking about abstractions, while what matters are the actions of actual individuals.

Are you arguing that I should be able to contact blockchain.info and ask them for a list of all bitcoin addresses associated with your email address or phone number so I can check and see if you have engaged in fraud with me?  Even if it violates blockchain.info's privacy policy?

I'm not arguing you should have such power no matter what.
I'm arguing that, if you happen to have - for example, because you happen to be an admin there - and you break your contract against me because you believe I'm violating your rights, then a few outcomes are possible after a "proper trial':

• I'm proved guilty of violating your rights. I took more from you than you took from me. Conclusion: I still owe you.
• I'm proved guilty of violating your rights, but it's decided that you ended up taking more from me than I took from you. Conclusion: You owe me in proportion.
• I'm proved innocent of violating your rights. Conclusion: you aggressed me and has a full criminal debt towards me, proportional to the actions you took against me.

That's what I'm arguing.
Rothbard explains it well in one of his texts, it was a text about police raids and searching for criminals. I searched it to link here but couldn't find it.

How is blockchain.info supposed to know if I have a valid fraud claim against you or am just fishing for information I can use to blackmail you?

I don't know how this abstract entity is supposed to know this. But that's not the point. I'm not arguing they should give everybody the ability to demand people's data like that.

[DannyHamilton]

. . . You're talking about abstractions, while what matters are the actions of actual individuals . . .

Ok, so lets look at the actions of the actual entities involved in this dispute.

I'm arguing that, if you happen to have - for example, because you happen to be an admin there - and you break your contract against me because you believe I'm violating your rights, then a few outcomes are possible after a "proper trial':

• I'm proved guilty of violating your rights. I took more from you than you took from me. Conclusion: I still owe you.
• I'm proved guilty of violating your rights, but it's decided that you ended up taking more from me than I took from you. Conclusion: You owe me in proportion.
• I'm proved innocent of violating your rights. Conclusion: you aggressed me and has a full criminal debt towards me, proportional to the actions you took against me.

There were 3 entities involved in this transaction (keep in mind that the BitcoinStore customer did not take anything from Roger.  If he was guilty, then he was guilty of keeping something that belonged to BitcoinStore.com, not Roger).

Entity 1: NetHead
Entity 2: BitcoinStore
Entity 3: Blockchain.info

In no way did NetHead violate the rights of blockchain.info.  blockchain.info has a privacy policy that states that they will not reveal personal information to third parties.  NetHead might have violated the rights of BitcoinStore.  Under what circumstances was it ok for an employee at blockchain.info to provide personal information to an employee at BitcoinStore?

How is blockchain.info supposed to know if I have a valid fraud claim against you or am just fishing for information I can use to blackmail you?

I don't know how this abstract entity is supposed to know this. But that's not the point. I'm not arguing they should give everybody the ability to demand people's data like that.

And yet that is exactly what they did.  They gave Roger from BitcoinStore the ability to demand people's data exactly like that, and he used that ability against the privacy policy of blockchain.info.

They have since addressed this issue, and they didn't know when they gave Roger this ability that he'd actually use it, but that doesn't make Roger's actions acting as an employee of blockchain.info any less wrong.

[repentance]

Disrespecting a contract is normally criminal.

No.  Breaching a contract is usually a civil matter with civil remedies available.  Theft is a criminal matter with criminal law remedies available - thus Roger would have every right to disclose all of the information his business held on the customer to law enforcement or to seek recovery of the overpayment through civil action if he chose that path.  The issues here are both the obtaining of information from a third party as well as the disclosure of information held by the business involved.  NetHead violating the ToS of BitcoinStore (if you hold that's what he did) did not justify the violation of Blockchain.info's privacy policy.  They are separate entities and the fact that Roger is involved in both of them is irrelevant.

We need to remember that there's a significant amount of cross-ownership of Bitcoin entities and this is a situation which could easily arise again unless all Bitcoin services take appropriate measures to protect user data from being shared with other Bitcoin businesses which may have common employees/investors or they explicitly advise their users that they will share that data with other businesses.

[Grecoin]

With a name like Nikolaos I guess he's Greek. It's unbelievable how tight things are for regular people there right now. I feel so sorry for them, their entire country has been taken for a ride ever since WW2.

And somebody just puts a large sum on his account just like that. (didn't get how much it was) When he probably needs it the most. It's understandable that he got tempted.

Please cut the drama because the guy is Greek. The tv news are getting in your brains and this shit with the Greek situation (problem way exaggerated) has to end sometime, so no reason you feel sorry.

All this waste-of-time thread has nothing to do with the guy's nationality, btw this mess was about 4 btc (four!)

[DannyHamilton]

. . . btw this mess was about 4 btc (four!)

Agreed, Roger damaged his own reputation, the reputation of MemoryDealers.com, the reputation of BitcoinStore, and the reputation of blockchain.info all over 4 BTC.  Seems ridiculous when you look at it that way.

Clearly NetHead was wrong in his actions, and by returning the 4 BTC could have prevented all of this, but that doesn't justify the damage that Roger did over that same 4 BTC.

[caveden]

. . . You're talking about abstractions, while what matters are the actions of actual individuals . . .

Ok, so lets look at the actions of the actual entities involved in this dispute.
....
There were 3 entities involved in this transaction (keep in mind that the BitcoinStore customer did not take anything from Roger.  If he was guilty, then he was guilty of keeping something that belonged to BitcoinStore.com, not Roger).

Entity 1: NetHead
Entity 2: BitcoinStore
Entity 3: Blockchain.info

In no way did NetHead violate the rights of blockchain.info.  blockchain.info has a privacy policy that states that they will not reveal personal information to third parties.  NetHead might have violated the rights of BitcoinStore.  Under what circumstances was it ok for an employee at blockchain.info to provide personal information to an employee at BitcoinStore?

It's almost as if you didn't read the first phrase of mine you quoted.

Blockchain.info and BitcoinStore are just abstractions. They don't actually have any rights, they don't exist ethically. Only individuals have rights, and when under contract, obligations. Contracts may allow the creation of these abstractions, but in the end, there are always individuals behind them.

There were two individuals in this dispute: Nethead and Roger. It's their actions that count.

How is blockchain.info supposed to know if I have a valid fraud claim against you or am just fishing for information I can use to blackmail you?

I don't know how this abstract entity is supposed to know this. But that's not the point. I'm not arguing they should give everybody the ability to demand people's data like that.

And yet that is exactly what they did.  They gave Roger from BitcoinStore the ability to demand people's data exactly like that, and he used that ability against the privacy policy of blockchain.info.

Roger owns part of Bitcoinchain.info AFAIK, he's not some random dude that asked for data and got it.
As an owner of Blockchain.info, he's probably bound by this privacy policy. I'm not sure if he did really broke it, as he didn't release blockchain.info data publicly, but that's irrelevant as I explained before - if he did broke the contract he had with Neathead as owner of Blockchain.info, such breach of contract is eclipsed by the fact that Nethead took part of Roger's property.

Now, if Roger also broke a contract he had with the other owners of Blockchain.info by gathering this data the way he did, that's another matter between them, irrelevant in what concerns Nethead.

They have since addressed this issue, and they didn't know when they gave Roger this ability that he'd actually use it, but that doesn't make Roger's actions acting as an employee of blockchain.info any less wrong.

They're much less wrong than Nethead's actions and therefore are forgivable.
His relations with the other owners of blockchain.info and his privileges in their application is a totally separate matter.

Disrespecting a contract is normally criminal.

No.  Breaching a contract is usually a civil matter with civil remedies available.  Theft is a criminal matter with criminal law remedies available

When I say "crime" I mean any violation of an individuals right, be it a slap in the face or murder - contract breaching is within.
These distinctions you mention are just administrative distinctions, separating different courts to rule over different issues.

Perhaps the word "crime" in English is not appropriate to describe every violation of somebody's rights. In my language it is fine enough. In French I know that it's not - the word crime is restricted to some serious offenses. Anyway, if that's the case, it's just semantics. Find an English word good enough to describe any violation of somebody's right and replace it whenever I said crime or criminal before.

[DannyHamilton]

. . . It's almost as if you didn't read the first phrase of mine you quoted.

Blockchain.info and BitcoinStore are just abstractions. They don't actually have any rights, they don't exist ethically. Only individuals have rights, and when under contract, obligations. Contracts may allow the creation of these abstractions, but in the end, there are always individuals behind them.

There were two individuals in this dispute: Nethead and Roger. It's their actions that count . . .

Sorry, I misunderstood the part where you were calling "companies" "abstractions" without rights, responsibilities, or obligations.

I see now what you are saying.  I disagree with you completely, but since our realities don't overlap we will not be able to come to an agreement on this matter.  Others who agree with you that contracts, rights, and obligations only apply to actual individual people and not to companies, and in that case you can all probably find a way to accept Roger's actions as justified and ethical.

In my reality, among the people like me who believe that contracts, rights, and obligations apply to companies, it is clear that Roger acted in a manner that damaged his reputation and the reputation of the businesses he is involved in.

[caveden]

NetHead violating the ToS of BitcoinStore (if you hold that's what he did) did not justify the violation of Blockchain.info's privacy policy.  They are separate entities and the fact that Roger is involved in both of them is irrelevant.

Let me try to make it clearer:

- Nethead took Roger property.
- Roger had a previous contract with Nethead via blockchain.info, in which Nethead had provided data which Roger was supposed to keep private.
- Roger used the data he had on Nethead due to this other contract in private to demonstrate to Nethead how he know he had Roger's money and his excuse was a lie. I highly doubt that this would be a violation of the contract mentioned above since the data was not made public by Roger.
- Roger's actions might have represented a breach of the contract he had with the other owners of Blockchain.info. But that's a problem between them, irrelevant to Nethead.

[caveden]

In my reality, among the people like me who believe that contracts, rights, and obligations apply to companies

Companies are just "shared property", nothing more.
You may have a contract with a company, the same way you may rent a house that belongs to a married couple. Saying you have a contract with such shared properties is the equivalent of saying you have a contract with each of the owners of the said share property, proportionally.

I don't see how it could be any different, ethically speaking.

And btw, there's only one reality.

[DannyHamilton]

Companies are just "shared property", nothing more.
You may have a contract with a company, the same way you may rent a house that belongs to a married couple. Saying you have a contract with such shared properties is the equivalent of saying you have a contract with each of the owners of the said share property, proportionally.

I don't see how it could be any different, ethically speaking.

Given this understanding of how contracts and ethics works, I'm curious how you resolve following...

The blockchain.info company has a single owner named Piuk.
I enter into a business relationship with blockchain.info (Piuk) and the terms of the contract assure me that the personal information I provide to blockchain.info (Piuk) "will not be shared with any other third party or advertisers."
Later, without informing me, Piuk sells a 25% stake in his company to another individual named Roger.

Who is my contract with?  I never intended to enter into a contract directly with Roger.  I never agreed to do so. I am not willing to allow Roger to use my personal information for any purpose unless it is specifically for meeting the obligations that Piuk and I agreed to for the service he and I call blockchain.info.

So, am I unknowingly and without my permission forced into a contract with the individual of Roger, and forced to allow him to use my personal information for his own purposes as long as he doesn't share that information with anyone else?

And btw, there's only one reality.

That's that I thought, but it appears I was mistaken.

[makomk]

Roger said that the email address used on nethead's Bitcoinstore account matched the email address of the wallet containing the address the coins were sent to, tying nethead directly to it. Nethead claimed that the address in question was a one-time anonymizing address, but that would very likely be a lie, since Blockchain's anonymizer doesn't work like that. Anonymizing addresses receive coins, send them to the mixer, and the coins come out of the mixer into the rest of your wallet. These addresses are not "disposable," or meant to be used only once.

Errrm, yes they are. "Each anonymous transaction creates an entry in a forwarding or routing table which is used to track the final destination address and the value of the transaction. After 6 confirmations (~1 hour) the entry is permanently removed from database leaving no connection between the input and output address. Unused forwarding entries are removed after 8 hours."

So if it was a blockchain.info anonymizing address, any transactions more than about an hour after the first one wouldn't have been forwarded to the receipient. And yes, you can add addresses given out by the anonymizing service to your blockchain.info wallet as watching-only addresses if you want to be notified when someone sends money to them or do taint analysis on them.

[repentance]

- Roger had a previous contract with Nethead via blockchain.info, in which Nethead had provided data which Roger was supposed to keep private.
- Roger used the data he had on Nethead due to this other contract in private to demonstrate to Nethead how he know he had Roger's money and his excuse was a lie. I highly doubt that this would be a violation of the contract mentioned above since the data was not made public by Roger.

If the privacy policy was violated, it really doesn't matter whether the information was made public.  The fact that it Blockchaininfo's data was accessed and used by a third party (and BitcoinStore is a third party, regardless of Roger's involvement in both ventures) at all is the problem.  Either every other Bitcoin business should be able to access Blockchain info's user data or no other Bitcoin business should be able to access it.  People would be howling blue murder if MtGox decided to start giving out information on it's users to other Bitcoin businesses and rightly so.  People would also be very pissed off if every time they owed a company money in the real world that company could get access to the records of other businesses of which they were a customer.

Personally, I'm glad that Roger did chose to make this public and that Nethead responded publicly because if this matter had been kept private no-one would have been aware of the inappropriate sharing of information.  While Blockchaininfo and Bitcoinstore have addressed this, we have no idea  whether other Bitcoin businesses are also sharing user data without the knowledge of their users.

Apart from making the circumstances under which they'll share information with other businesses very clear in their user agreements, perhaps Bitcoin businesses also need to make clear to their employees and investors what constitutes appropriate use of any personal user information to which they have access.

[Rassah]

Errrm, yes they are. "Each anonymous transaction creates an entry in a forwarding or routing table which is used to track the final destination address and the value of the transaction. After 6 confirmations (~1 hour) the entry is permanently removed from database leaving no connection between the input and output address. Unused forwarding entries are removed after 8 hours."

So if it was a blockchain.info anonymizing address, any transactions more than about an hour after the first one wouldn't have been forwarded to the receipient. And yes, you can add addresses given out by the anonymizing service to your blockchain.info wallet as watching-only addresses if you want to be notified when someone sends money to them or do taint analysis on them.

Relevant parts bolded. In blockchain.info you can create an anonymous receiving address, which, when receiving money, automatically sends it through the mixer using "anonymous transactions," and after a while, the money ends up in your personal wallet (someone else's coins, but of the same amount). As far as I know, that anonymous receiving address is yours, and stays there, ready to receive more coins to send through the "anonymous transactions" process until you manually delete it. Am I wrong?  Does that address disappear the first time it receives any coins?