[Payout Updates] Bitcoinica site is taken offline for security investigation

[LoupGaroux]

You can't use the privacy policy to keep something from the police in a criminal matter, however you can't unilaterally decide someone is a criminal and then post their information to the entire world without violating the policy.  If anybody could just make that determination, no privacy policy in the world has any meaning whatsoever.  

Google could just randomly decide you are a criminal and publish your gmail inbox, for instance.  

Ummm, not to be trollish or OT on this one... but Google, Yahoo and Comcast all regularly provide the contents of millions of in-boxes, out-boxes, sent-mails and browsing activity to foreign governments, commercial partners, and political campaigns without the benefit of due process, opt-in, subpoena or legal requirement to do so, and in each case it is a direct violation of their TOS with their users. Privacy policies are about as trustworthy as panties on prom night, they tend to get lost pretty quick when the prize is in sight, and somebody usually ends up getting screwed in the deal.

[1713582874]

1713582874

[1713582874]

1713582874

[1713582874]

1713582874

[1713582874]

1713582874

[Rarity]

They provide information to governments in accordance with the law, they don't publish them online for the entire world.  I think you are mistaken if you think turning over information in response to a legal government request violates the TOS.

As for the rest, you can feel free to link situations in which information has been shared with business partners and the TOS did not explicitly allow it.  Regardless, shifting the defense from "they did nothing wrong" to "everybody is doing it" is just goalpost shifting that does not excuse violating a privacy policy and sharing with a partner is also not the same as publishing something openly for the entire internet to read.  If every company is jumping off a bridge, I don't expect Bitcoin companies to follow along.  

[JoelKatz]

Ummm, not to be trollish or OT on this one... but Google, Yahoo and Comcast all regularly provide the contents of millions of in-boxes, out-boxes, sent-mails and browsing activity to foreign governments, commercial partners, and political campaigns without the benefit of due process, opt-in, subpoena or legal requirement to do so, and in each case it is a direct violation of their TOS with their users. Privacy policies are about as trustworthy as panties on prom night, they tend to get lost pretty quick when the prize is in sight, and somebody usually ends up getting screwed in the deal.

None of that is even remotely comparable to an organization that provides financial services releasing a named customer's transaction information to the public, in violation of their own privacy policy and in the absence of any government investigation, where the obviously foreseeable result of that release is that the customer will be publicly suspected of having committed a significant criminal offense. "Everybody steals paperclips from the office" is not a rational response to accusations of murder. They are *that* different.

[LoupGaroux]

They provide information to governments in accordance with the law, they don't publish them online for the entire world.  I think you are mistaken if you think turning over information in response to a legal government request violates the TOS.

As for the rest, you can feel free to link situations in which information has been shared with business partners and the TOS did not explicitly allow it.  Regardless, shifting the defense from "they did nothing wrong" to "everybody is doing it" is just goalpost shifting that does not excuse violating a privacy policy and sharing with a partner is also not the same as publishing something openly for the entire internet to read.  If every company is jumping off a bridge, I don't expect Bitcoin companies to follow along.  

Ah, but most of it is not in accordance with the law, and most certainly not in accordance with the TOS. Hence my point, that any privacy policy is toast when any investigation has begun, even if that investigation is as lame as the PRC government wanting to keep Falun Gong emails out of their country, or the US government wanting to see any email that includes the phrase "assault rifle". So under the guise of "investigation" Zhou Tong's entire history with a company can be shared, for by his own actions Zhou Tong has made this forum the venue for the investigation.

And cheekily, if every business was jumping off a bridge, I expect most bitcoin businesses would be lining up to lemming themselves with the rest of them, but they would be very self-righteous about how outre they are to accept a crypto currency for the trip.

[Rarity]

Ah, but most of it is not in accordance with the law, and most certainly not in accordance with the TOS. Hence my point

Yes you did say that, but I do believe you are incorrect.  Generally the privacy policy outlines what information they can and can't share, that is the whole point.  There is no reason not to disclose what you will share, sharing the information is totally legal if the patron agrees to the policy and generally the majority of people agree without even reading.

that any privacy policy is toast when any investigation has begun, even if that investigation is as lame as the PRC government wanting to keep Falun Gong emails out of their country, or the US government wanting to see any email that includes the phrase "assault rifle". So under the guise of "investigation" Zhou Tong's entire history with a company can be shared, for by his own actions Zhou Tong has made this forum the venue for the investigation.

Share WITH THE GOVERNMENT for the GOVERNMENT INVESTIGATION, not published for the world to anyone interested in playing detective.  The government has their own policies to only share the information when appropriate explicitly because this isn't a license to expose everything about the subject to the world.  

[JoelKatz]

So under the guise of "investigation" Zhou Tong's entire history with a company can be shared, for by his own actions Zhou Tong has made this forum the venue for the investigation.

Is any operator of any Bitcoin exchange willing to adopt this argument?

Will any of you agree with this statement: "If we suspect you've committed a crime, and you've discussed that issue publicly, our exchange reserves the right to release your account and transaction information to the public on that same forum, to further that discussion and investigation."

Somehow I don't think that there's a financial organization of any kind, exchange, bank, wallet service, or the like, that will publicly agree with that statement. You might want to think about *why* that is. (Hint: That's not what their customers expect, and have a right to expect.)

[Inedible]

Punished?

You don't feel it's punishing to have the community turn on you and treat you as if you were guilty?

His reputation ruined?

Seems to me it pretty much is.

That's because the wrote the damn system full of fail - he deserves this reputation.

I don't know if you've ever written any software (and I don't assume you haven't) but they're hard to secure. I can't believe for one second you're saying he deserves to be treated as if he's guilty just because he wrote bad code. Other websites have had security issues too, do you mean to say we should treat them all the same way?

We aren't a court, but we can express our opinions here. If I believe that he's a thief and there is evidence to that - noone can stop me from saying it out loud.

You're right. You can shout as loud as you like and that's also why we have defamation laws. If you're wrong and you're taken to court for defamation, I suppose you'll accept the damages, no contest?

[Rarity]

You publicly revealed the e-mail address that was used, for one.  I note you didn't mention it by name this time and just mentioned "an email address" instead.  You revealed that customer data without giving Zhou a chance to clarify that it had been compromised so as to imply his guilt.  

Also, could you point to the portion of your privacy policy that states than the policy is invalid and you no longer have an obligation to protect information if anyone makes a personal decision to reveal information on their own to others?  Should the rest of your users be concerned that they are waiving their right to have the data held with you kept secure if they ever mention any details of their transactions?

[Rarity]

You publicly revealed the e-mail address that was used, for one.  I note you didn't mention it by name this time and just mentioned "an email address" instead.  You revealed that customer data without giving Zhou a chance to clarify that it had been compromised so as to imply his guilt.  

Also, could you point to the portion of your privacy policy that states than the policy is invalid and you no longer have an obligation to protect information if anyone makes a personal decision to reveal information on their own to others?  Should the rest of your users be concerned that they are waiving their right to have the data held with you kept secure if they ever mention any details of their transactions?

I released the email address used to launder the proceedings of a crime, and NOT the email address used by Zhou Tong on his 40k order. I have also stated that to our understanding, this email address belonged to Zhou Tong, as part of the supporting information as to why his funds were being with held. Again, Zhou Tong beg the question in a PUBLIC forum of why his funds were being withheld, and we offered an answer.

I still need to understand how we broke any confidentiality laws, or our own terms and conditions? The article on the Bitcoin Magazine states, as a fact, that we have breached our terms and conditions without providing any specifics. I am asking for those specifics now.

Could you point to the portion of your privacy agreement where it notes the agreement is invalid when you suspect someone has committed a crime?  Can you violate this agreement with anyone as long as you allege, without conviction or even charges filed, that a crime has occurred?  And again, since you ask about what Zhou said in public, where is the portion of your privacy policy where it is stated that the policy is invalid if you discuss your accounts in public?

It doesn't seem like you are even disputing you violated the privacy of an account holder, you are just making excuses for why that is okay without pointing to where your policy states that.

[zhoutong]

Aurum Capital Holdings, Incorporated will not sell your personal information or otherwise disclose it to a third party without your consent, except under the following circumstances:

If ordered by a ruling body of competent jurisdiction as recognized by Commonwealth of Dominica law.
If ordered by the issuing bank for our debit cards customers as part of their ongoing Know Your Customer verification procedures.

* The Liberty Reserve account used by the hacker is U9236056.
* The email address used by the hacker was stevejobs807@gmail.com.
* To my surprise, upon further examination of our order system, I found an order from Zhou Tong to sell Liberty Reserve to us for the amount of USD 40,000, requesting a wire to his bank account in Singapore. The amount for the order closely matches the total USD exchanged through us (after fees) using the MtGox USD codes stolen from the Bitcoinica account.
* This order was placed the next day the hacking attempts occurred. In addition, it should be noted that Zhou Tong has never dealt with us before as an exchange customer.

The matter of the fact is, we have never released any personal, sensitive, and/or confidential information regarding Zhou Tong that has not been previously and compulsory disclosed by himself to the public. By making this information public, and by begin the question of why his funds were being withheld on a public forum, we are well within our rights, both from a legal and ethical stand point, to make an statement regarding the situation. I will invite anyone to challenge this under the laws of the Commonwealth of Dominica.

Cordially,
Roberto

(3) A financial institution or person carrying on a scheduled business, shall not notify any person, other than a court, competent authority or other person authorised by law, that information has been requested by or furnished to a court or the Authority.

http://www.imolin.org/doc/amlid/Dominica_MoneyLaundering(Prevention)Act_2000.pdf

[Rarity]

 

He forgone confidentiality when he made this information compulsorily available in a public forum.

Says who?  Not your privacy policy, that's for damn sure.  To be clear, you are agreeing that any time someone discusses their transactions in public you are freed from any responsibility to your privacy policy.  I think you should spell that out for people when they use your service.  Or else, explain which circumstance this is:

-
If ordered by a ruling body of competent jurisdiction as recognized by Commonwealth of Dominica law.
If ordered by the issuing bank for our debit cards customers as part of their ongoing Know Your Customer verification procedures.
-

Who ordered you to release this info?

I am not interested in entertaining your train of thought, but to obtain a rational explanation from Bitcoin Magazine as to why those accusations were made in the aforementioned article.

It seems like the answer is, because they are factually correct. 

[Rarity]

You gave us implicit consent to make a statement regarding this situation the moment you chose to make the information regarding your dealings with our company public.

There you have it, the unwritten and formerly undisclosed AurumXChange privacy policy is that if you ever mention having dealings with them they consider it consent to publish any information they have about your account publicly online.

Account holders better be made aware of this, criticizing them could mean facing serious public backlash if you have admitted you have an account.

[bittenbob]

Aurum Capital Holdings, Incorporated will not sell your personal information or otherwise disclose it to a third party without your consent, except under the following circumstances:

If ordered by a ruling body of competent jurisdiction as recognized by Commonwealth of Dominica law.
If ordered by the issuing bank for our debit cards customers as part of their ongoing Know Your Customer verification procedures.

* The Liberty Reserve account used by the hacker is U9236056.
* The email address used by the hacker was stevejobs807@gmail.com.
* To my surprise, upon further examination of our order system, I found an order from Zhou Tong to sell Liberty Reserve to us for the amount of USD 40,000, requesting a wire to his bank account in Singapore. The amount for the order closely matches the total USD exchanged through us (after fees) using the MtGox USD codes stolen from the Bitcoinica account.
* This order was placed the next day the hacking attempts occurred. In addition, it should be noted that Zhou Tong has never dealt with us before as an exchange customer.

The matter of the fact is, we have never released any personal, sensitive, and/or confidential information regarding Zhou Tong that has not been previously and compulsory disclosed by himself to the public. By making this information public, and by begin the question of why his funds were being withheld on a public forum, we are well within our rights, both from a legal and ethical stand point, to make an statement regarding the situation. I will invite anyone to challenge this under the laws of the Commonwealth of Dominica.

Cordially,
Roberto

(3) A financial institution or person carrying on a scheduled business, shall not notify any person, other than a court, competent authority or other person authorised by law, that information has been requested by or furnished to a court or the Authority.

http://www.imolin.org/doc/amlid/Dominica_MoneyLaundering(Prevention)Act_2000.pdf

Actually, Zhou, thank you very much for posting this quote:

Aurum Capital Holdings, Incorporated will not sell your personal information or otherwise disclose it to a third party without your consent, except under the following circumstances:

If ordered by a ruling body of competent jurisdiction as recognized by Commonwealth of Dominica law.
If ordered by the issuing bank for our debit cards customers as part of their ongoing Know Your Customer verification procedures.

You gave us implicit consent to make a statement regarding this situation the moment you chose to make the information regarding your dealings with our company public.

Anybody that feels differently is more than welcome to lodge a complaint with the relevant authorities of court of law. My interest mainly is the rational behind the Bitcoin Magazine article.

Thank you.

First of all, thank you for providing a well reasoned and researched defense. It did appear as if you were violated some TOS because we were not aware of the earlier posts. When you were repeatedly asked about it on the forum, you ignored the question. It appeared to be a clear violation and you must have been asked about a dozen times with no response. It is our shortcoming for not contacting you directly for a comment before publishing the article.

While I had nothing to do with writing the article, I can defend that content at the time it was written.

[Rarity]

You gave us implicit consent to make a statement regarding this situation the moment you chose to make the information regarding your dealings with our company public.

There you have it, the AurumXChange privacy policy is that if you ever mention having dealings with them they consider it consent to publish any information they have about your account publicly online.

Account holders better be made aware of this, criticizing them could mean facing serious public backlash if you have admitted you have an account.

Zhou Tong didn't criticize us at any time previous to our statements. Your logic failed, so you resort to manufacturing things to libel.

This is not "our policy". It is the law of the Commonwealth of Dominica, and the law on most, if not all, common-law based countries.

I did not say he did criticize you, there wasn't much reason to prior to your decision to violate his privacy and help start this witch hunt.  However, it is entirely true that you could pull this same routine on someone who did and point to the same false legal interpretation. 

[bitcoinBull]

Aurum Capital Holdings, Incorporated will not sell your personal information or otherwise disclose it to a third party without your consent, except under the following circumstances:

If ordered by a ruling body of competent jurisdiction as recognized by Commonwealth of Dominica law.
If ordered by the issuing bank for our debit cards customers as part of their ongoing Know Your Customer verification procedures.

(3) A financial institution or person carrying on a scheduled business, shall not notify any person, other than a court, competent authority or other person authorised by law, that information has been requested by or furnished to a court or the Authority.

http://www.imolin.org/doc/amlid/Dominica_MoneyLaundering(Prevention)Act_2000.pdf

AurumXchange didn't reveal your personal information, they only revealed the hacker's e-mail address and liberty reserve account. They confirmed publicly that you had an order with them and the amount of it (not in an email/pm as you requested). Your personal information would be your email address, your singapore bank account, or your physical address, but they didn't reveal any of that.

So they did disclose the hacker's e-mail address and LR account (the bank account was revealed by zhou), first with MtGox and then publicly, when they weren't ordered to do so under either of the two exceptions of the privacy policy. But that doesn't violate their privacy policy, because the policy only applies to users following their Terms of Service. The hacker violated the ToS so he doesn't have those protections.

By providing us with your personal information, you agree to the collection, storage and use of your personal information by Aurum Capital Holdings Incorporated in the manner set out in this privacy policy and the Terms and Conditions set forth for our services.

The (3) from the Dominican law doesn't apply here, since there was no court or Authority which requested the information.

[Rarity]

It's a shame your attempts to spin this seem to be working.  Here is a challenge for a journalist looking at the facts of this matter:  What law states that privacy agreements are invalid  if a user of a site discusses any aspect of their business with a company publicly?

[Rarity]

It's a shame your attempts to spin this seem to be working.

Perhaps they are working because I am not spinning. I present my case with facts and in a calm manner. You are on a never ending quest for shilling and no critical-thinking individual in this forum takes you seriously at this point.

No see, the non-spin answer is to cite the law instead of personally attacking your critics.  

A journalist after the facts here might also ask you how your company feels about the stalking and threats of criminal activity against Zhou Tong that have occurred in the wake of your violation of his privacy.  They also might ask why, even if you felt your were legally allowed to violate his privacy, you felt the obligation to do so when you could have contracted him privately to learn his account had been compromised and that you would be starting up a lynch mob for no reason if you went public.

[Herodes]

Just browsed through this, as the last pages are a complete shitstorm discussing minutious details that are completely uninteresting.

Seeing as how inefficient most state sponsored investigative units are (unless there's a shitload of money at stake, or some prominent politician is threatened), the community is well served with responsible business owners that use their common sense to fix things.

Theres a lot of yelling about lawyers, suing that or this and so on, but stop yelling, and go to a lawyer if that's the case, and he will take it from there.

We clearly see that the parties involved in the Bitcoinica scandal does not stand up and work in concert to have the clusterfuck fixed, and as so, the adults in the community needs to stand up and work togheter to learn the immature boys proper conduct. Proper conduct is not stealing and/or witholding millions of dollars and huge BTC amounts.

Some of the discussion that goes on here is akin to discuss whether you should turn your computer off or leave it running while your're engulfed in flames in a burning house.

At one point I called the financial crime unit in my country because I had reason to believe a multi-million dollar scam had been going on for years with a certain company ripping customers off non-trivial amounts. The response from the financial crime unit was that this was totally uninteresting ant it's up to the consumers to look after themselves.

Then I called the organization that is looking after the consumers interest, eventually the fact was established that they're totally tooth less, and can't do anything about nothing.

I contacted VISA, Mastercard, registrars etc. All were unwilling to do anything about the case. So in the end, I realized for me, as a consumer, and it wasn't even my money that was lost, but someone elses, and I only tried to help, the fight was not worth fighting. I could've continued fighting it, but there was nothing in it for me. I tried to do some efforts to shut them down so others would not be scammed, but as long as many customers are scammed for small amounts, nobody cares, and esp. not if the company had disguised the scamming such that it's not 'outside the law' while still questionable. The company in question was also incorporated in a jurisdiction were they were incredibly hard to reach.

IF the full amount in the scam concerned was stolen from a state agency, you can be 100% sure that every stone in the country would be turned to find the perpetrators.

So, what I realized is that I need to look after myself and my family, I can't rely on authorities to get help when I need it, but the taxes I still need to pay..

So for the bitcoinica case, lawyering up will only cost a shitload.

I would advise all those involved to figure out how to solve this, and then get to work. It would be incredibly sad if someone actually got killed over this. Even a man who steals millions of dollars should not be killed. (If I felt that way if it was my own money that was stolen, is another matter).

But the point is that there's no point arguing over minute details while millions worth of USD is missing.

All logic dictates that when Zhou Tong at the same time of the hack tries to withdraw an amount equal to that stolen, and an e-mail address associated to him is used along with the 'hack', then it's all reason to be suspicious. I would've acted exactly the same way as aurumexchange in such a case, and if anyone thought I acted illegally or unethical, then bring the lawsuits on, I applaud aurumxchange for hos he acted in this case.

Please hold onto the funds in question, until it's sorted out without a shadow of a doubt that everything is cleared.

And a message for Zhou Thong: You think you're clever, and you love to brag. In fact you're a young man, and you have many years left before you mature as a person, and learn to moderate yourself, if you're involved or not, I sincerely hope this will be sorted out, and if you're involved in stealing other people's money, you should do your best to make it good again, and admit what you did. How would you feel if someone stole a large amount of money from you ?

Sometime the day will come when you can put the hand on your heart and say: "I'm too old to know it all". That's an Oscar Wilde quote btw. And funny thing, many young braggers don't even phantom what it means..

[bitcoinBull]

It's a shame your attempts to spin this seem to be working.  Here is a challenge for a journalist looking at the facts of this matter:  What law states that privacy agreements are invalid  if a user of a site discusses any aspect of their business with a company publicly?

They didn't violate zhoutong's privacy, they violated the hacker's privacy (actually the hacker never had it in the first place since he didn't follow the ToS). Zhou had already stated that he had a $40k LR order with aurumxchange, and they publicly confirmed that. What they also disclosed, along with MtGox, was that the hacker's email address had a connection to zhoutong. That was a fact so its not libel, and its not a violation of privacy since the thief doesn't have privacy protections.

The violator of zhoutong's privacy in this scenario is Chen Jianhai, by means of identity theft. I really hope zhou can get the rest of the stolen funds back, BTC and the USD, and turn them over to Patrick Murk in agreement with Bitcoinica LP. It is in his best interest.

[Rarity]

It's a shame your attempts to spin this seem to be working.  Here is a challenge for a journalist looking at the facts of this matter:  What law states that privacy agreements are invalid  if a user of a site discusses any aspect of their business with a company publicly?

They didn't violate zhoutong's privacy, they violated the hacker's privacy (actually the hacker never had it in the first place since he didn't follow the ToS). Zhou had already stated that he had a $40k LR order with aurumxchange, and they publicly confirmed that. What they also disclosed, along with MtGox, was that the hacker's email address had a connection to zhoutong. That was a fact so its not libel, and its not a violation of privacy since the thief doesn't have privacy protections.

The violator of zhoutong's privacy in this scenario is Chen Jianhai, by means of identity theft. I really hope zhou can get the rest of the stolen funds back, BTC and the USD, and turn them over to Patrick Murk in agreement with Bitcoinica LP. It is in his best interest.

This is of course, poppycock, the actions of the hacker do not mean that it's open season on Zhou Tong, and Zhou Tong's own discussion of his business to not mean all aspects of it can be revealed to the world.

If I were to hack your e-mail address and use it to commit a crime, that does not mean that the company that hosts it can now publish the contents of the account for the world to see.  You still have an agreement with them no matter what I do to you.