PayPal and Mailpile, the scrappy secure mail startup, ended the week on a high note: hugging it out (via Twitter) after the online payments behemoth froze more than $40,000 in payments to the crowd-funded startup, then donated $1,000 to the project, to boot.
But making it right with the tiny secure email firm is just the beginning of the story at PayPal, which is treating the whole mix-up as something of an object lesson in how it needs to change to address a fluid and fast-moving online payments market.
First, some background: Mailpile, of Reykjavík, Iceland, has raised more than $145,000 in a month-long campaign on the crowd funding web site Indiegogo.com to build a “fast, web-mail client with user-friendly encryption and privacy features.”
Beginning on Saturday, PayPal froze more than $40,000 of those donations, suspecting fraud. PayPal spokespeople told Mailpile executive Brennan Novak that the company wanted to see a “detailed budgetary breakdown” from Mailpile and details on how it would use the donations as a condition of the release of funds.
Outraged, Novak took to social media, which had already latched onto Mailpile as a last, great hope for privacy-conscious e-mail users in the face of determined government spying and the sudden shutdown of two better-known alternatives: Lavabit and Silent Circle’s SilentMail.
Soon news of the company’s plight was featured prominently on sites like Slashdot.org, Arstechnica.com and Twitter.
PayPal did a quick about-face. In a statement on Thursday, the company said that it had released a hold on funds donated to Mailpile and apologized. Behind the scenes, PayPal President David Marcus personally reached out to Novak to apologize.
In its statement, PayPal said that it was still adapting to activity tied to crowd funding campaigns. “Supporting crowd funding campaigns is an exciting new part of our business. We are working closely with industry-leaders like IndieGoGo and adapting our processes and policies to better serve the innovative companies that are relying on PayPal and crowd funding campaigns to grow their businesses,” the company said.
In a conversation with The Security Ledger, Anuj Nayar, the senior director of global initiatives at PayPal, said that the company is in the midst of a major overhaul to make its service more usable, after almost a decade in which it focused on scaling its online payment service and making it secure.
That new approach was outlined by Marcus in an August 28 blog post, “Customer First, The PayPal Way,” in which he noted, among other changes, PayPal’s efforts to move the needle on the “security – usability” axis back a bit toward the usability end. Customers, Marcus noted, were sometimes left feeling “less than satisfied” when they ended up (unjustly) on the wrong side of PayPal’s fraud filters.
Internally, Marcus spoke of “sharks versus dolphins,” Nayar said, emphasizing the need to spot fraud without wrongly accusing legitimate customers. Among the changes were adjustments to policies around account freezes “to demonstrate that we trust our customers as much as they trust us,” Marcus wrote.
The hold PayPal put on Mailpile’s account was an object lesson in what the company is trying to do less: allowing an overabundance of caution about possible fraud to erect barriers to legitimate customers and transactions.
“With Mailpile, clearly we made a mistake,” Nayar told The Security Ledger. Citing confidentiality rules, he said he couldn’t discuss any details of the case. But he said part of the problem is the complexity of the new, crowd-funded payment model, where PayPal’s job is to protect its customer – the crowd funding platform – not the thousands of entrepreneurs and hundreds of thousands of contributors that do business on it. And, because contributors come from all over the globe, PayPal must accommodate that business while also adhering to a myriad of banking laws in the U.S., Canada, the EU and elsewhere, Nayar said.
The company is still adjusting to that – tweaking both its fraud detection algorithms and its policies to account for the unique needs of crowd-funded projects. “These are entirely new business models,” Nayar said. “We haven’t quite nailed what looks good and what looks bad,” he said.
Crowd funding is still a small slice of the 7.5 million payments PayPal processes each day. Fraud associated with crowd funding is a small piece of that. But fraudsters were early into the crowd funding space, and the problem is real, he said. Among the instances he has cited were a Ponzi-style “project” involving gas cards and a project raising money for a life-saving surgery that turned out to be used for cosmetic surgery.
Nayar said PayPal has a cross-functional team working on issues like the Mailpile case right now, with big changes to company policy, fraud algorithms and more all on the table. In the meantime, he said that companies that are encountering problems and feel like they are being treated unfairly should reach out to PayPal customer service, where the company will try to get the problem resolved quickly.
In the meantime, Mailpile is moving on. In a blog post on Friday, Novak said the company was moving full speed ahead, and that attention from PayPal’s action had attracted large contributions from a number of donors – PayPal among them.