Dear Boussac,
Firstly, thank you for starting an open process of communication with Instawallet users. This is a very good start.
However, there is still much to be desired in your communication in terms of completeness and transparency.
To state upfront: I am an Instawallet user with slightly less than 100 BTC across two Instawallets - not a fortune, but neither a trivial amount, and one I have no intention of losing.
So I will be addressing you from my personal perspective, but I am also writing in support of all the other Instawallet users that have been inconvenienced by this recent alleged hack. And I say alleged as no-one yet knows the full truth of it.
I would like to believe that you and your company are honest, and the facts stated thus far are correct. However your less than transparent and forthcoming communication to date points to something not right, and in my opinion creates the perception of dishonesty.
I wish to give you the opportunity to correct (this hopefully incorrect) perception by making a full and transparent disclosure related to the questions I will be proposing to you below. None of these questions are of the kind that it would not be appropriate to be forthcoming about.
If you choose to not answer them then I will read that as a deliberate decision to deceive or to hide, and I will take that as a sign of something fraudulent going on. The logical outcome of that is that I will be contacting both the French Embassy in my country and the Embassy of my country in France and initiating a discussion with both of them about how to open a criminal enquiry against Paymium.
If you feel that any of my questions should, for good reasons, not be answered, then you may provide that reason and I will consider it on its merits. I am a very reasonable man, as I am sure are your other Instawallet account holders. However I think you underestimate the backlash you will suffer from these many reasonable people if you do not deal with this situation professionally, ethically and perfectly honestly. Please do not make the mistake of thinking you are dealing with a bunch of kids who will just roll over in the face of something that reveals itself to be bullshit. That would be a costly error of judgement in my opinion.
All that being said I am proceeding in good faith and in the belief that Paymium is an honest company, that your communications have been truthful, and that you have a genuine desire to make right on this situation. So please answer the following questions:
1. Please state your full real name and your current position with Paymium (and whether you are a shareholder, director or employee).
2. Please confirm that you have formal authorisation from the board of Paymium to be communicating on behalf of the company on this forum.
3. Please provide the case number and filing date of the report you state Paymium has filed with the police.
4. Please provide Paymium's formal contact details: office address and telephone number.
5. Please state whether the alleged hack resulted in the loss of coins under Paymium's control. A simple YES or NO is adequate at this point. If you wish to elaborate you may, but I am not requesting that.
6. If coins were lost please state if these happened by (A) the hacker accessing Instawallet accounts directly via their URLs, or (B) by accessing other internal wallets controlled by Paymium, or (C) by some other method.
7. Your comments thus far suggest that the alleged hacker has acquired some or all of the URLs for accessing Instawallet user wallets. Please confirm whether this is the case or not.
8. If the answer to (7) is YES, then please state if these URLs were stored in encrypted form or not.
9. If the answer to (7) is NO, then please state why there needs to be a claims process at all.
10. Your stated claims process on the Instawallets site states: "If several claims have been filed for the same url, we will process those claims on a case by case basis, under the presumption that the claim we received first belongs to the legitimate balance holder." Please will you describe the logic of that? If a hacker has the URLs then surely he can file a claim as quickly as any legitimate account holder? And if you're assuming that the first claim is likely to be the more legitimate one then why wait 90 days? Your logical methodology makes little sense and I would appreciate clarification.
11. You also state that "Claims for wallets that hold a balance greater than 50 BTC will be processed on a case by case and best efforts basis." Please clarify why the arbitrary figure of 50 BTC has been chosen. This comment suggests that you have lost a certain number of coins and need to limit your total payout to what you have left. Please confirm if this is how it is, or if there is another reason for this figure?
12. From your communications it is clear that Paymium's servers were hacked and this affected all your services - Instawallet, Paytunia and Bitcoin Central. It also seems evident that you suffered financial loss of some kind. Please explain how that loss directly affects Instawallet clients and not Paytunia and Bitcoin Central clients.
Your direct address to these questions will be a clear indication of your bona fides and intentions of good faith - and will do a lot to restore the faith in your clients that has been shaken by your less than ideal communications. I think it is reasonable to give you until midday UTC on Thursday 11 April to respond. I am posting this here in the forum, will be sending to you by PM, and also emailing to your company email account. Consider this letter open therefore. It may be posted elsewhere and will also be made available to the relevant authorities as required.
Please understand that I wish to do this in an amicable way, and I hope that you receive this communication as such. As I feel that you have dealt with this incident (at least from a communications point of view) in a somewhat cavalier fashion, I feel it incumbent on me to call you out and demand your professionalism and fuller response - which I look forward to, as I'm sure do many others.
Sincerely,
PyedPyper