[donau] branch master updated (72630b9 -> d8a34cb)
From: gnunet
Subject: [donau] branch master updated (72630b9 -> d8a34cb)
Date: Wed, 22 Jan 2025 01:12:37 +0100
This is an automated email from the git hooks/post-receive script.
tanja-lange pushed a change to branch master
in repository donau.
from 72630b9 now actually fixing at the correct spot
new ed1f509 this spacec an be used better
new 6a42e60 cleanupstomatch audience
new 28a808c much more technical abstract covering all topics
new d8a34cb many smaller changes to to edits, done with intro
The 4 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
doc/usenix-security-2025/paper/donau-paper.tex | 29 +++-
doc/usenix-security-2025/paper/intro.tex | 42 +++--
doc/usenix-security-2025/paper/requirements.tex | 215 +-----------------------
3 files changed, 59 insertions(+), 227 deletions(-)
diff --git a/doc/usenix-security-2025/paper/donau-paper.tex
b/doc/usenix-security-2025/paper/donau-paper.tex
index 537aa4a..6305e96 100644
--- a/doc/usenix-security-2025/paper/donau-paper.tex
+++ b/doc/usenix-security-2025/paper/donau-paper.tex
@@ -51,8 +51,27 @@
\maketitle
\begin{abstract}
- This paper provides an overview of functional requirements for
- privacy-preserving donations, keeping in mind the need for tax authorities
to verify the proper source of donations prior to granting tax benefits. As a
second contribution it provides a technical design to realize
privacy-preserving and yet tax-deductable donations in GNU Taler, for which it
presents the protocol specification and implementation details for the Donation
Authority (Donau).
+GNU Taler is a privacy-friendly payment protocol that offers full anonymity to
+the customer, making their purchases anonymous and unlinkable not only to
+third parties but even to merchants and banks involved. While this payment
+mechanism obviously can be used to make donations,, the anonymity guarantees
+seem at odds with the desire of donors to receive tax benefits fro their
+charitable donations.
+
+The main contribution of this paper is the technical design and implementation
+of a system that achieves privacy for the donor while providing them with a
+proof that they donated to a charity. The charity does not learn the identity
+of the donor and the tax authority does not learn which charities received the
+donations. Our design introduces anew entity, the Donation Authority, which we
+call Donau. This entity may be operated by the tax authority, and even then
+they do not learn the identities of the charities and only get a summary
+statement of all donations made by the tax payer in a certain timeframe.
+
+The paper is based on our analysis of functional requirements for
+privacy-preserving donations and of further desirable properties which
+amount to requirements for some countries. We show how to realize some
+of them within our design while showing how others could be
+instantiated with significant changes or additions to the design.
\end{abstract}
%\reportkeywords{GNU Taler, Tax-deductible Donations. Donau, Donation
Authority,
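Review bot: In the second added paragraph of the abstract, "even then they do not learn the identities of the charities" overstates the privacy guarantee. The Approach text visible in the intro.tex part of this diff says the Donau recognizes charitable organizations and tracks the receipts each charity issues, so the operator necessarily knows the charities. Suggest stating that the Donau does not learn which charities a given taxpayer donated to. The added lines also contain typos to fix before submission: "donations,,", "fro their" and "anew entity", and "tax payer" is written "taxpayers" in intro.tex.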
@@ -69,7 +88,7 @@
\ifodd0
-\section*{Acknowledgements}
+\section*{Acknowledgments}
This work was funded by ANONYMIZED.
%in part by the European Commision through the
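Review bot: The respelled heading sits directly under "\ifodd0", which is always false, so this change does not reach the typeset paper while the block stays disabled. It is fine to keep for consistency, but the block needs to be re-enabled and "ANONYMIZED" replaced for a non-anonymous version, and that is easy to miss when the text is hidden.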
@@ -93,7 +112,9 @@ constructive discussion on the subject.
\bibliography{donau-paper,bibliography}
% Maybe for camera-ready?
-%\appendix
+\appendix
+\input{appendix}
+
%\input{implementation}
\end{document}
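Review bot: "\input{appendix}" is enabled here, but the summary of changes for this push lists only donau-paper.tex, intro.tex and requirements.tex. appendix.tex therefore has to exist in the tree already and define the label "app-back" that intro.tex now references, otherwise the build fails or the reference is undefined. The comment "% Maybe for camera-ready?" left above "\appendix" is now stale and should be removed or updated.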
diff --git a/doc/usenix-security-2025/paper/intro.tex
b/doc/usenix-security-2025/paper/intro.tex
index 41d98e9..53db505 100644
--- a/doc/usenix-security-2025/paper/intro.tex
+++ b/doc/usenix-security-2025/paper/intro.tex
@@ -102,7 +102,7 @@ comes into play. Historically, people wanting to make an
anonymous donation
might have an envelope with cash or a box of goods delivered. Obviously, this
was never compatible with providing tax benefits. Alternatively, they might
arrange for an expensive intermediary like a notary (although that would not be
-fully anonymous, and depend on the discretion of the notary).
+fully anonymous and depends on the discretion of the notary).
Technically guaranteed donation confidentiality is certainly
non-trivial to implement in the digital payment era. What you donate to and why
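Review bot: The changed line now reads "would not be fully anonymous and depends on", which mixes the conditional and the indicative inside one parenthetical. Suggest "would not be fully anonymous and would depend on the discretion of the notary".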
@@ -111,24 +111,28 @@ uncomfortable number of actors handling sensitive data
that allows for
profiling and targeted discrimination on grounds. And there are even more that
later on may get access to it. Digital payments are logged and made accessible
to many different actors, and reporting donations to tax authorities adds yet
-(at least) one more actor to the pipeline. It is the scope of this document to
+(at least) one more actor to the pipeline. In this work we
try and solve this issue and finally introduce donation confidentiality which
adheres to ``privacy by design''.
\subsection{Overview of the requirements analysis}
-There are two types of donations we will consider. The first is {\em
+There are two types of donations. The first is {\em
ad hoc} or {\em informal donations}, which are made from individual
-to individual as {\em one time gifts} typically in appreciation of the
+to individual as {\em one time gifts} typically out of spontaneous compassion
+or in appreciation of the
work being done by an individual or collective. The second category is
{\em regulated donations} involving at least one {\em recognized}
philanthropic organization or charity. Both involve voluntary
transferal of some financial assets for which no products or services
are rendered in return.
% NOTE[oec]: what types of donations are _not_ considered, and why?
+% TL for the first time I'd include ad-hoc donations to beggars or to some
+% collection boxes; that doesn't fit well with the appreciateion but rather
+% with pity or compassion
-In the design requirements we will mostly cover donations to charities
+We focus on donations to charities
which would be eligible for claiming tax benefits as that scenario triggers the
most complex requirements.
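Review bot: After the rewritten line "In this work we", the sentence continues "try and solve this issue", which is colloquial for a paper and undersells the contribution; suggest "we solve this issue" or at least "we try to solve". In the added TL comment "appreciateion" is misspelled, and since the new "out of spontaneous compassion" wording already reflects that remark, both the TL comment and the NOTE[oec] question above it can be resolved and removed rather than left in the source.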
@@ -136,9 +140,11 @@ As part of their regular operations as well as their
recognition as
public benefit organizations, registered charities are already typically
subject to a variety of audits as well as strict regulatory and fiscal
scrutiny. Good causes that do not adhere to these rules are stripped from any
-fiscal benefits. At least donations to recognized public benefit organizations
-may therefore be confidential: donors should be able to freely choose whichever
-of the approved philanthropies they donate to, without disclosing which.
+fiscal benefits.
+From a regulatory point of view, it should be compliant to have donations to
+recognized public benefit organizations
+be confidential: donors should be able to freely choose whichever
+of the approved philanthropies they donate to, without having to disclose
which.
We note that in some countries there are different tiers of philanthropies.
Some countries like Italy and the Netherlands have for instance particular tax
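Review bot: The new sentence "it should be compliant to have donations to recognized public benefit organizations be confidential" is awkward, and it drops the "therefore" that tied confidentiality to the audit argument in the preceding sentences. Suggest keeping the causal link explicit, for example "Because recognized public benefit organizations are already audited, regulation can permit donations to them to remain confidential".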
@@ -167,7 +173,8 @@ donor is not inherently traceable via the underlying
payment.
This paper presents the design and implementation of a donation
protocol producing digitally signed proofs of donation that are linked
-to the donor but unlinkable to the charity on top of the GNU
+to the donor but unlinkable to the charity.
+The deisn can be used for donations made using the GNU
Taler~\cite{Taler} payment system. GNU Taler is a {\em digital
commons}, based on free software and advanced cryptography. This
means that -- unlike proprietary products -- anyone can easily extend
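Review bot: "deisn" on the added line should be "design". Splitting the sentence also changes the claim from a protocol built "on top of the GNU Taler payment system" to a design that "can be used" with it; if the protocol is meant to be independent of the payment system, say so explicitly, otherwise keep the original framing so the dependency on Taler's unlinkability is clear to the reader.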
@@ -185,7 +192,7 @@ achieving privacy-preserving donations with
tax-deductability.
\subsection{Approach}
-Today, charities issuing donation receipts which generally bear the
+Today, charities issue donation receipts which generally bear the
name of the charity. The donor often has to include the donation
receipts in their tax declaration; this means the tax authority not
only learns the amount that the tax payer donated to charitable
@@ -211,7 +218,7 @@ additional service separate from the charities and the
payment system.
The Donau is responsible for recognizing charitable organizations and
tracking the total amount of donation receipts each charity is issuing
for the charitable contributions the charity is receiving. It is
-typically be expected that each competent tax authority would operate
+typically expected that each competent tax authority would operate
a Donau for the taxpayers in its domain. We note that the Donau does
not receive sensitive private information about donors: privacy is
achieved using cryptography to unlink proofs of donations from the
@@ -231,5 +238,16 @@ Section~\ref{discussion} explains extensions of the core
design that
could be used to address all of the main use-cases. Many of these
extensions are simply a matter of proper integration and user
interface design, while a few presume the existence of a widely
-available digital identity system~\cite{FIXME} providing a single
+available digital identity system, such as citizen ID cards or the European
+identity wallet current being developed, providing a single
unlinkable pseudonym for each citizen per charity.
+
+Navigating donation regulations involves adhering to a multitude of
+directives on transparency, anti-money laundering, tax compliance, and
+data protection while also meeting specific requirements in individual
+countries. Compliance ensures trust in the philanthropic sector,
+promoting ethical giving practices within a complex regulatory
+landscape. Cross-border donations are particularly challenging.
+We review some of the legal and regulatory background in
+Appendix~\ref{app-back}.
+
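Review bot: "current being developed" on the added line should be "currently being developed". Dropping "\cite{FIXME}" removes the placeholder but leaves the statement about citizen ID cards and the European identity wallet without any reference; add real citations. The appended paragraph is the Summary text removed from requirements.tex in this push and reads as a conclusion rather than introduction material; consider reducing it to the sentence that points at Appendix~\ref{app-back}.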
diff --git a/doc/usenix-security-2025/paper/requirements.tex
b/doc/usenix-security-2025/paper/requirements.tex
index 993f474..1a4b91a 100644
--- a/doc/usenix-security-2025/paper/requirements.tex
+++ b/doc/usenix-security-2025/paper/requirements.tex
@@ -107,14 +107,15 @@ of any specific donations.
\subsection{Optional Features} \label{sec:optionalfeatures}
-The following list of optional features of a donation system would
-allow for a maximum fit with as many fiscal regimes as possible for
+The following covers optional features permitting a donation system
+to have a maximum fit with as many fiscal regimes as possible for
both informal and regulated donations, while at the same time serving
the interest of the donors in question in the best possible
manner. Specific realizations may weigh these differently based on
local regulations and capabilities, but most need to be be provided in
some form.
+\ifodd0
\begin{itemize}
\item Provide fiscal statement
\item Proof of registration
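Review bot: The unchanged line "local regulations and capabilities, but most need to be be provided in" still carries a doubled "be" in the paragraph being reworded; fix it in the same change. The new opener "permitting a donation system to have a maximum fit with" is heavy; "that let a donation system fit as many fiscal regimes as possible" says the same thing more directly.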
@@ -134,6 +135,7 @@ some form.
\noindent
We will elaborate on each of these features below.
+\fi
\subsubsection{Feature: Provide fiscal statement}
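Review bot: With "\fi" placed after "We will elaborate on each of these features below.", both the feature list and that sentence become dead source under "\ifodd0". If the list is not coming back, delete it instead of disabling it, so the file does not accumulate hidden text that drifts out of sync with the subsubsections that follow.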
@@ -391,212 +393,3 @@ prove to an employer that some eligible person (typically
an employee
or retiree) has donated money which needs to be matched -- obviously,
without disclosing anything else.
-
-\subsection{General background information}
-
-This section contains general background information pertaining donations.
-
-% FIXME: make this less EU-specific for USENIX???
-
-\subsubsection{General Regulatory Framework}
-
-European Union (EU) member states regulate donations through a blend
-of EU-wide directives and country-specific laws. While there is no
-uniform regulation that applies to all donations in Europe, certain EU
-directives and principles affect donation practices, particularly
-those related to transparency, anti-money laundering (AML), tax
-compliance, and donor data protection.
-
-\subsubsection{Transparency and Accountability}
-
-Transparency in charitable donations is crucial to maintain public
-trust and deter financial misuse. European countries typically require
-organizations that receive donations to adhere to transparency
-measures, including:
-
-\begin{itemize}
-\item {\bf Public Financial Reporting:} Most European countries
- mandate that charities, nonprofits, and similar organizations
- publish annual financial reports. These reports generally include
- detailed breakdowns of income sources, donation amounts, and
- expenditures.
-\item {\bf Disclosures for Large Donations:} In some countries, large
- donations must be reported to regulatory authorities. This threshold
- and the specific requirements vary by country. For example, Germany
- requires registration for organizations receiving public donations,
- while the UK mandates certain reporting for donations above a
- particular threshold.
-\item {\bf Third-Party Audit Requirements:} To verify the financial
- integrity of charitable organizations, many countries mandate
- independent audits for organizations surpassing specific revenue
- thresholds.
-\end{itemize}
-
-\subsubsection{Anti-Money Laundering (AML) and Counter-Terrorism Financing
(CTF)}
-
-Given the potential for abuse of charitable donations for money
-laundering and financing illegal activities, EU-wide Anti-Money
-Laundering Directives (such as the AMLD5) require organizations to
-implement stringent controls.
-
-\begin{itemize}
-\item {\bf Know Your Donor (KYD):} Similar to the Know Your Customer
- (KYC) practices in the financial sector, some countries require
- organizations to verify the identity of donors making significant
- contributions. This requirement is typically tied to AML laws.
-\item {\bf Transaction Monitoring and Reporting:} Charitable
- organizations must monitor donation transactions and report any
- suspicious activities to relevant national authorities.
-\item {\bf Registration with Financial Intelligence Units (FIUs):}
- Nonprofits are encouraged, and sometimes required, to register with
- FIUs in certain EU countries to facilitate AML compliance.
-\end{itemize}
-
-\subsubsection{Taxation and Deductibility}
-
-The tax treatment of donations varies across Europe, but many
-countries provide tax incentives to encourage charitable
-giving. Donations to qualifying nonprofit organizations are often
-tax-deductible, either partially or fully, depending on local laws.
-
-\begin{itemize}
-\item {\bf Eligibility of Donors and Organizations:} Both the donor
- and the recipient organization usually need to meet specific
- criteria. For instance, only donations to accredited charities
- registered with national authorities are often eligible for tax
- relief.
-\item {\bf Limits on Deductions:} Most countries place caps on
- deductible donations, typically as a percentage of the donor’s
- income. For example, France allows deductions up to 20\% of taxable
- income, whereas Germany permits deductions up to 20\% of annual
- income or corporate profits.
-\item {\bf Cross-Border Donations and Tax Relief:} The EU's ``Stauffer
- doctrine'' principle requires member states to treat cross-border
- donations similarly to domestic donations if the recipient
- organization meets equivalent standards, which facilitates
- cross-border charitable giving across the EU.
-\end{itemize}
-
-\subsubsection{Data Protection and Privacy (GDPR)}
-
-The General Data Protection Regulation (GDPR) is a significant EU law
-that affects how personal data is collected, stored, and managed,
-including for donations.
-
-\begin{itemize}
-\item {\bf Consent for Data Collection:} Donors must be informed of
- how their personal data will be used, and organizations must obtain
- explicit consent if data will be used for purposes beyond the
- donation transaction itself, such as marketing.
-\item {\bf Data Minimization and Retention:} Organizations are
- expected to collect only the data necessary for processing the
- donation, retain it only as long as necessary, and ensure proper
- data deletion practices.
-\item {\bf Right to Access and Erasure:} Donors have the right to
- request access to their personal data held by an organization and
- can request deletion or correction of their data under specific
- circumstances.
-\end{itemize}
-
-\subsubsection{Corporate Donations and Sponsorships}
-
-Corporate donations are also regulated, particularly when related to
-tax deductibility, disclosures, and compliance requirements.
-
-\begin{itemize}
-\item {\bf Transparency in Corporate Sponsorships:} European countries
- may require public disclosure of corporate donations or sponsorship
- arrangements, especially when public funds are involved. Many
- countries also enforce rules against donations that may appear to be
- intended for influencing legislation or government actions.
-\item {\bf Limits on Corporate Donations:} Some countries impose caps
- on corporate donations eligible for tax relief to prevent excessive
- deductions and potential misuse.
-\end{itemize}
-
-\subsubsection{Cross-Border Giving and EU Philanthropy Initiatives}
-
-The European Union encourages philanthropy across borders within
-Europe, but the process is still complex due to varying national tax
-and legal frameworks.
-
-\begin{itemize}
-\item {\bf European Foundation Statute and the European Philanthropy
- Manifesto:} These initiatives aim to harmonize cross-border
- philanthropy regulations. The proposed European Foundation Statute,
- for instance, would create a legal form of a foundation operating
- across the EU.
-\item {\bf Transnational Requirements for Nonprofits:} Nonprofits must
- navigate both the tax and regulatory requirements of each country in
- which they operate or fundraise, including any special
- registrations, tax filings, or documentation for cross-border
- transactions.
-\end{itemize}
-
-\subsubsection{Ethical Standards and Codes of Conduct}
-
-Some countries have established or encouraged adoption of ethical
-standards or codes of conduct for fundraising activities. Examples
-include:
-
-\begin{itemize}
-\item {\bf Code of Conduct for Fundraising:} Many countries have
- adopted codes of conduct, which may govern methods for soliciting
- donations, advertising practices, and donor interaction
- protocols. There are also private initiatives such as the Donor
- Pledge from the Dutch foundation Donateursbelangen (``Donor Interest
- Foundation'').
-\item {\bf Charity Commissions and Regulatory Bodies:} Several
- European countries have independent regulatory bodies that oversee
- charitable organizations, such as the Charity Commission in the UK,
- to ensure compliance and ethical conduct in donations.
-\end{itemize}
-
-\subsection{Country-Specific Considerations}
-
-While EU-wide directives provide a framework, each country has unique
-laws. Here are a few examples:
-
-\begin{itemize}
-\item {\bf Germany:} Nonprofit organizations must register with local
- authorities to receive tax exemptions, and donations exceeding
- 10\,000 EUR must be reported.
-\item {\bf France:} Nonprofits must adhere to the ``Loi de 1901'' and
- comply with annual reporting requirements to remain eligible for
- public donations.
-\item {\bf Italy:} Nonprofits are eligible for tax incentives if they
- register as ONLUS (Organizzazione Non Lucrativa di Utilità Sociale)
- or a similar designation under Italian law.
-\end{itemize}
-
-\subsection{Summary}
-
-Navigating donation regulations involves adhering to a multitude of
-directives on transparency, anti-money laundering, tax compliance, and
-data protection while also meeting specific requirements in individual
-countries. Compliance ensures trust in the philanthropic sector,
-promoting ethical giving practices within a complex regulatory
-landscape. Cross-border donations are particularly challenging.
-
-
-\ifodd0
-Some bits of thoughts
-
-Article 56 TFEU guarantees free movement of services throughout the
-EU. In particular, this obliges each EU country to recognize the
-charitable organizations that are registered in other countries, as
-confirmed by the following decision of the Court of Justice of the
-European Union:
-
-\url{https://op.europa.eu/en/publication-detail/-/publication/d3892f27-39b1-4a26-98b3-451a7ffb101d/language-en}
-
-
-
-\subsection{Yearly Donation Limit}
-
-In some tax jurisdictions, the tax authority may set a limit on the
-total amount of donations that a charity may receive in a given tax
-year.
-%XXX ~\cite{?} A Donation Authority must enable tracking and enforcement of
such a limit.
-
-\fi
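Review bot: The removed background text states specific figures without any citation, for example the 20\% deduction limits for France and Germany and the 10\,000 EUR reporting threshold; if this material now lives in the appendix referenced from intro.tex, add sources there and resolve the "make this less EU-specific" FIXME. The deleted "\ifodd0" block also held a draft requirement that a Donation Authority must enable tracking and enforcement of a yearly donation limit; confirm that it is either out of scope or recorded elsewhere before it disappears from the source.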
--
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.