Will this be breaking spigotmc rules?

Discussion in 'Spigot Discussion' started by Creeprr, Mar 7, 2020.

  1. Background
    So I've been working on a plugin that integrates PayPal into the spigot server, basically a PayPal API for Minecraft, where players can send each other money via PayPal in exchange for ingame perks/items/really anything. It can be used for a lot of things: an ingame marketplace with IRL money or a donation service for server owners.

    Problem
    The PayPal Payout API which I'm currently using requires permission from PayPal, also from third parties, if I switch to PayPal Marketplace third parties will have to sign a contract with PayPal. It's not really easy for a server owner to set up. Therefore an alternative for me is to set up a server (which I manage) to do all this, so the servers only have to request a payment from my server. If that's the plan, it would be a great help for me if I could somehow charge the users of my plugin like so many other developers do, to keep that server running and keep it maintained.
    However, this rule applies to premium resources:
    [Attached image: upload_2020-3-7_18-50-58.png]

    So why am I asking if I know it's breaking a rule?
    Well, I'm just wondering, because the point of accessing a specific server is not to integrate a DRM system, it's basically required for the plugin to function without forcing all plugin users through a lot of manual work (as explained above).

    Otherwise, would it be legal (according to spigotmc rules) to post this as a free resource and charge the users if they need to perform above x amount of transactions per month, or a similar fee? Or is it possible to get dispensation for this special case?

    Thank you for your time.
     
  2. Why even bring real money into the game? I'd just use PayPal. If something bad were to happen, like a bug or information leaks, it could be a catastrophe.

    edit:// pls note I'm not familiar with the PayPal API or how it might integrate in such a way, or what sort of measures could be taken or are already in place to prevent the above xx
     
    #2 Escad, Mar 7, 2020
    Last edited: Mar 13, 2020
    • Agree x 9
  3. Choco

    Moderator

    Yeaaaa... this just sounds like an all around bad idea.
     
    • Agree x 7
  4. Despite being a really insecure way of doing this, it's also just a bad idea. I don't see people even using this. At all.
     
    • Agree x 3
  5. Pretty sure it breaks the Mojang EULA. And if I understand your post correctly, you're handling transactions, which means you could probably be liable for problems. e.g., What if your server gets hacked and someone transfers $10,000? Now you get sued. I strongly suggest you consult a lawyer (who will probably tell you this is a really bad idea).
     
    • Agree x 1
  6. I've been working with the PayPal SDK a lot by now. I realize that safety is pretty important, so let me just sum up how it happens:
    1) The spigot server sends a packet to my server containing only the payee (seller) email and the amount of money.
    2) My server makes the PayPal call based on that information and returns only a PayPal link to the spigot server.
    3) The buyer opens that link and pays using PayPal (this requires no personal information sent to the spigot server).
    4) My custom server will then notify the spigot server that the payment has occurred.
    5) The spigot server will register the payment as complete.

    So basically, the only personal information exchanged between the servers is the payee's email. I will obviously do my best to prevent the emails from somehow getting leaked, but I obviously cannot assure that 100% (for obvious reasons).

    In general it's not much different from buycraft or other donation services, except it doesn't use a website.

    I'm genuinely sorry to hear that, as you're a respected member around here. Do you have any improvement ideas?

    Why is it insecure? Educate me.
    A lot of servers have a larger market where players trade in-game money for in-game items.
    I'm not breaking the EULA by distributing this, neither are spigot server owners unless they're selling items or perks that are breaking the EULA. Same goes for players.

    Yes, if my server gets hacked I'm in trouble. Hacking it would require someone to hack the host though, I'm pretty sure. About liability it's not much different from Buycraft.

    Edit: thanks for your replies :)
     
    • Agree x 1
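
An added example, not part of the post above or of the plugin it describes: one way the spigot server could check the step 4 notification before registering a payment as complete in step 5. It assumes a per-server shared secret, an order id assigned in step 1, and an HMAC-SHA256 tag on the notification; all three are hypothetical and not described in the thread.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HexFormat;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class PaymentNotificationCheck {
    // Payments this game server asked for in step 1, keyed by a hypothetical order id.
    record Pending(String payeeEmail, String amount) {}
    private final Map<String, Pending> pending = new ConcurrentHashMap<>();
    private final byte[] secret; // assumption: known only to this server and the relay server

    PaymentNotificationCheck(byte[] secret) { this.secret = secret.clone(); }

    void requested(String orderId, String payeeEmail, String amount) {
        pending.put(orderId, new Pending(payeeEmail, amount));
    }

    // The tag the relay server would attach; fields are newline-separated,
    // so none of them may itself contain a newline.
    String sign(String orderId, String payeeEmail, String amount) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        String msg = orderId + "\n" + payeeEmail + "\n" + amount;
        return HexFormat.of().formatHex(mac.doFinal(msg.getBytes(StandardCharsets.UTF_8)));
    }

    // Step 5: complete only if the notice is authentic, matches the request, and is unused.
    boolean complete(String orderId, String payeeEmail, String amount, String tagHex) throws Exception {
        byte[] expected = sign(orderId, payeeEmail, amount).getBytes(StandardCharsets.US_ASCII);
        byte[] got = tagHex.getBytes(StandardCharsets.US_ASCII);
        if (!MessageDigest.isEqual(expected, got)) return false; // forged or altered in transit
        Pending p = pending.get(orderId);
        if (p == null) return false;                              // never requested, or already used
        if (!p.payeeEmail().equals(payeeEmail) || !p.amount().equals(amount)) return false;
        return pending.remove(orderId, p);                        // atomic, so a replay finds nothing
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, for demonstration only.
        var check = new PaymentNotificationCheck("constructed-demo-secret".getBytes(StandardCharsets.UTF_8));
        check.requested("order-1", "seller@example.com", "5.00");
        String tag = check.sign("order-1", "seller@example.com", "5.00");
        System.out.println("altered amount accepted: " + check.complete("order-1", "seller@example.com", "9.00", tag));
        System.out.println("genuine notice accepted: " + check.complete("order-1", "seller@example.com", "5.00", tag));
        System.out.println("replayed notice accepted: " + check.complete("order-1", "seller@example.com", "5.00", tag));
    }
}
```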
  7. Choco

    Moderator

    Thank you. Don't take it personally because I'm sure you've thought this out, I'm just not sure that proper currency should be integrated into any server whatsoever. The amount of security risks just makes me slightly uncomfortable.
     
    • Agree x 3
  8. No worse than integrating buycraft selling a rank with kits you diamonds imo?
     
    • Agree x 2
    • Like x 1
  9. Alright, so I can understand that there is a genuine discomfort about the idea of integrating PayPal into something, I can understand that.

    But in all honesty I think you guys are taking this out of proportion. PayPal is a service meant for payment security.

    What is it exactly that you guys are so worried about? Is this just because you don't trust PayPal in general?

    Let me put up these 5 (super unlikely) scenarios:
    1)
    You want to use my plugin, but I (the developer) am a super bad person, so I log your email and your name when I create the URLs, and boom, I have some of your personal information. That is all I can possibly get from doing this!
    2)
    You buy something from a server with buycraft, buycraft developers are bad persons, so they log your name and email. They now have some of your personal information.
    3)
    You buy something from a server with buycraft, the seller (the server owner) is a bad person, they simply read their PayPal payment log and woops, they also have your email and full name.
    4)
    You buy a plugin off from spigot, md happens to be a bad person, so he logs your personal information.
    5)
    You are paying literally any company or any person with PayPal. They look in their transaction log and they have your email and name.

    See where I'm going?
     
  10. Choco

    Moderator

    It's not the transactions with reputable companies that puts me off, it's the allowing of transactions between two players (some of whom may be incapable of understanding the consequences) for virtual objects. It's opening players up to scams not with in-game currency, but actual real world currency.

    I don't think that should be made easier to access from within the game itself. Other games that allow for DLC purchases open web browsers to log in and make a purchase - not through the game itself, and even that is with a reputable company selling a service for their own game. Person-to-person and easily accessible transferring of currency from within the game is a terrible, terrible idea.
     
  11. I don't particularly like the idea either, but if OP handles it correctly the plugin will work fine:

    If the items are taken from the original player, then the other user pays, and is then given the items by the plugin, there should be no way to scam the other user.
     
    • Agree x 1
  12. If you never gain any access to any passwords at all, I don't see anything wrong
     
    • Agree x 1
  13. I can understand where you're coming from, however, I'm not introducing player to player trades for real money, it's already happening on a lot of servers. Many larger servers have unofficial discord groups dedicated to trading ingame stuff for irl money. With this plugin being created, this market can go out in "the open", where server staff can manage it and put limits on the values of items. And in a secure environment, people will not get scammed for their items.
     
  14. The concept of exchanging money for items certainly isn't new, but if some serious issue were to come up, the players' blame would go to server owners, and consequently, the server owners' to you. It's mostly a what-if situation, but in that kind of scenario it could get pretty nasty very quickly.
     
    #14 Escad, Mar 8, 2020
    Last edited: Mar 13, 2020
  15. And I'd go to PayPal. Easy.

    In all seriousness though, all this isn't much different from all other services with a buyer/seller concept, like buycraft or spigotmc. But I guess I'll just have to make it really clear that I won't take responsibility for sales on servers.
    The good part is that I will have the server owners as middlemen, meaning I won't have to deal with the actual users.

    What do you think of when you write "something serious"? The most serious thing I can come up with is someone paying for something that they can't afford, the "child stole parent's credit card" story.
     
  16. In fact it's a great idea. But there is lots of work to do. Including legality, liability, security. Good luck bro.
     
    • Agree x 1
  17. Thank you very much :)

    Does anyone have an answer to the actual question though? Lol
     
  18. Choco

    Moderator

    No; and this is something I'd rather have @md_5's opinion on.
     
    • Agree x 1
  19. FYI, you may also run into banking law issues, which are very complex and very different in every country. You might be OK in one country, but completely illegal in another.

    Some reasons to consider regarding legality: Money laundering, terrorism funding, online gambling, fraud, etc... PayPal might be handling the transaction, but you could be liable for being the front end. Especially if you went with yourself as an intermediary holder of the money (in Australia, that action would require you to be registered as a financial service provider, and submit reports and such to the government).
     
  20. I'm not an intermediary holder.
    In all honesty, this makes me question how much people know about PayPal.
    PayPal is a service that does all this for you. This is the same principle as how this very website handles payments. The liability isn't different, the personal data isn't different. It's the same thing.

    To simplify this (again), my application creates a PayPal link where two things are predefined. The receiver's email and the website that the user will be redirected to after the payment. THAT IS ALL

    The money transaction is made by PayPal, I'm just linking to PayPal.


    If I send you a link that links you straight to the Facebook "create-new-profile-page" to help you create an account, does that mean I'm responsible for everything that happens on your Facebook account? No, it doesn't. Does it mean I'm responsible if you use that account to contact terrorists? No, it doesn't. Does it mean that I might run into issues with privacy since there are different privacy laws in every country? No, it doesn't.
     
    • Agree x 1