Business TOS question regarding regarding privacy (need opinions)

[Rassah]

What would you guys think of a policy that states "We will not release personal information to third parties, but if they are investigating fraud and ask us questions, we may answer very specific questions with simple yes/no answers, such as "Is this specific bitcoin address registered to this specific e-mail address." (I.e. this is something Roger could have asked Piuk, and if nethead's e-mail was not in fact linked to the same btc address he received money to, his privacy would have been safe)

That seems like it may be breaking too much privacy, but at the same time is quite restricted, so... opinions? Suggesting for improvements?

[DannyHamilton]

As long as the privacy policy states specifically the circumstances that personal information will be revealed, then I don't have a problem with it at all.  It would be completely unacceptable to have a privacy policy that states that personal information will never be shared with a third party except when required to by law and to then engage in the practice you are suggesting, but as long as it is spelled out in the privacy policy I don't see a problem.

Some people who value their privacy highly may choose not to use the site, other people who aren't as concerned about their privacy will happily use it.  Sounds like a perfectly legitimate practice if a company wants to operate in that way.

[caveden]

The way you put in OP is quite vague.

Actually, ethics says you may violate the rights of someone that has made a higher violation of your rights in order to catch him. Of course that, if I do so against you and further on you're deemed innocent, then I'm an aggressor that has a debt towards you - a basic principle that should be applied to state police and courts every time they execute those raids on innocents homes, btw.

That's already an objective ethical rule. But it would be nice if you could formalize that in contracts, of course.

[BadBear]

I probably wouldn't trust a business that did that, nor frequent them. Just because some random other business decides someone did something wrong doesn't make it true.

[John (John K.)]

What would you guys think of a policy that states "We will not release personal information to third parties, but if they are investigating fraud and ask us questions, we may answer very specific questions with simple yes/no questions, such as "Is this specific bitcoin address registered to this specific e-mail address." (I.e. this is something Roger could have asked Piuk, and if nethead's e-mail was not in fact linked to the same btc address he received money to, his privacy would have been safe)

That seems like it may be breaking too much privacy, but at the same time is quite restricted, so... opinions? Suggesting for improvements?

I think that's fair game for legitimate businesses. There's enough of scammers and opportunity-takers to destroy other businesses already. In fact, I think it's required by law of a business to reveal the information they might have on users if a warrant/official request is issued.

PS: In Roger's case, I would surmise that the reason why Roger accessed the database was to prove that the address is in fact under control of nethead and it wasn't an anonymizer address (which is one use only).

[DannyHamilton]

I probably wouldn't trust a business that did that . . .

. . . I think that's fair game for legitimate businesses . . .

And this is exactly why privacy policies are important and why violations of privacy policies should be considered extremely serious as far as the trustworthiness of a particular business goes.  The privacy policy allows potential customers to make an educated decision on how they feel about the policy and avoid unexpected and unpleasant surprises when their information is used the way the company says they will.

[BadBear]

A warrant would bypass any TOS already, so that doesn't mean much. A little different than random business deciding someone's guilt.

[Rassah]

A warrant would bypass any TOS already, so that doesn't mean much. A little different than random business deciding someone's guilt.

I guess this is what I'm trying to figure out - what do you do if the agency that would issue a warrant, or require the release of info by law, does not exist? Like in cross-border disputes? How could this be handled by the companies themselves, while still protecting consumers?

[piuk]

What would you guys think of a policy that states "We will not release personal information to third parties, but if they are investigating fraud and ask us questions, we may answer very specific questions with simple yes/no questions

I do not like it, in the case of "Roger vs Nethead" a yes/no was all that was needed to confirm he was likely the owner of the bitcoin address in question. The fact that his email address and ip was revealed was not of much consequence as that information was already know to the bitcoinstore, so the end result was the same.

Blockchain's policy stands as it always has "We will not sell, distribute or lease your personal information to third parties unless we are required by law to do so.". Hopefully if required to do so by law we will be holding as little information as possible.

Yes I am fully aware this policy was broken and I apologise for that. Steps have been taken to resolve the immediate problem of admin access and make determining information on wallets more difficult in future by hashing addresses.  The same hashing will be done with ip addresses.

[Rassah]

What would you guys think of a policy that states "We will not release personal information to third parties, but if they are investigating fraud and ask us questions, we may answer very specific questions with simple yes/no questions

I do not like it, in the case of "Rogver vs Nethead" a yes/no was all that was needed to confirm he was likely the owner of the bitcoin address in question. The fact that his email address and ip was revealed was not of much consequence as that information was already know to the bitcoinstore, so the end result was the same.

Blockchain's policy stands as it always has "We will not sell, distribute or lease your personal information to third parties unless we are required by law to do so.". Hopefully if required to do so by law we will be holding as little information as possible.

Yes I am fully aware this policy was broken and I apologise for that. Steps have been taken to resolve the immediate problem of admin access and make determining information on wallets more difficult in future by hashing addresses.  The same hashing will be done with ip addresses.

 I don't understand what you mean. Would you have been OK with answering "yes" had Roger asked you "Does this particular Bitcoin address reside in a wallet belonging to this specific email address?" (asking you instead of doing it yourself) Or is having to answer "yes/no/anything at all" the part you don't like?