Tell HN: Stripe killed my music locker service, so I'm open sourcing it
I run a small website at inter.tube. It lets you upload your music collection and stores it in Backblaze B2. It provides a simple web interface to listen to your collection, and support for the Subsonic API (allowing native apps to use it). Fundamentally it is not very different from something like Dropbox or Backblaze: it is a "dumb" backup that simply stores what you give it. It doesn't perform "matching" against other files, it doesn't allow you to access music you didn't explicitly upload, and it doesn't even deduplicate files between different users. It doesn't allow "sharing" of music either, download links are tied to a short access token for a specific user's login session. The only difference between other backup services is that we use the metadata tags in your uploads to organize things better. According to Capitol Records, Inc. v. MP3Tunes, LLC, this is absolutely OK in the eyes of the law (thank you to a fellow HN user for telling me about this court case). Note that we don't even perform deduplication, which was the main controversy in that case.
I have been using Stripe happily for a couple years now, but suddenly (less than 10 minutes after a subscription payment went through), Stripe decided that I violated their Restricted Business policy, in particular "Products and services that infringe intellectual property rights: Sales or distribution of music, movies, software, or any other licensed materials without appropriate authorization". I thought this was a misunderstanding so I clarified that we don't sell music, just storage space (see paragraph above), but they denied my appeal with a short template response.
This saddens me because my reasons for starting the site are the exact opposite of piracy! I was sick of artists getting paid virtually nothing for streaming service plays, so I decided to buy full albums directly from the artist as much as I could. inter.tube just allows you to keep your collection safe and easily accessible.
I'm posting this mostly to warn other Stripe users that essentially any backup service could "violate" these terms, so be careful about the marketing blurbs on your website. Probably any mention of "music" whatsoever is enough to get your account nuked. I really liked Stripe, always recommended it because of its nice API, but I won't be doing that anymore.
inter.tube will likely die. I'm going to refund my few paying users and disable account registration later, I guess.
As a bonus, I've open-sourced inter.tube. However, it is difficult to run because it relies on a bunch of random cloud services (Backblaze B2 + Cloudflare Workers + Lambda) and there's some hard-coded stuff in there, so it's probably not very useful beyond curiosity. If anyone would like to help me with the open sourcing, let me know, and I'll get back to you whenever I have time. Of course, feel free to fork it as well. I am also on GitHub sponsors if anyone would like to sponsor me to help make it easier to self-host (or at least self-deploy).
Source code: https://github.com/guregu/intertube
179 comments
[ 3.1 ms ] story [ 289 ms ] threadSigned up to Paddle and immediately got flagged as high risk with no explanation. I complained on Twitter and the CEO had a human check us out manually. We're in the process of verification but honestly I don't have big hopes.
Ironically, by buying instead of pirating, you directly funded the legal and corporate environment that killed your service.
The right way to fix this is for something like Zelle to get a standardized payment request API. Then the merchant submits a payment request using the customer's email address (the only information the merchant needs from them, so no data breaches), and payments go through irreversibly if they haven't been contested in 30 days, or immediately if the customer affirmatively legitimates the payment on their bank's website/app because the merchant needs to be paid before delivering goods or services. (And payment requests from merchants the customer has never used before get denied after 30 days if not affirmatively legitimated.)
That also removes the credit card fees because it's really a bank transfer.
But where is it?
As far as I can tell, a client paid in a funky way that set off some automated system, and no real person was willing to work with me to get it resolved.
I will never trust Stripe with my business again.
None of this is discussed with customers in a candid way; as a result it can feel very off putting. It's one of the things that bugs me about modern finance. It's too busy building itself into a governmental reporting mechanism, and far too prone to overreach through the exploitation of sanctioning mechanisms.
It's one of those "can't have nice things" sorta bits.
Of course, this doesn't mean your customer service agents should never be helpful and forthcoming, but it's easier and less risky to tell them to say nothing and burn the odd legit customer, rather than risk being on the wrong side of AML legislation.
You can work with a laissez-faire gateway. It will not exist for long, because your company will be people who figured out they're not complying with various laws, so they will either disappear without a trace, or in the worst case scenario, take you down with them. You may end up having to explain to various authorities what you were doing.
Or, you can work with one that's serious about AML/KYC compliance. This means sometimes your account gets flagged for suspicious activity, and you have to play by their rules to get it back. Depending on the provider, they may actually have some ways for you to get your account back, or they won't be bothered.
Stripe is in the category of providers that will actually work with you to get your account back, but they're certainly not perfect. On the other hand, try something like Paypal and you're screwed. Or go with a different big player and find out how much nobody cares about you and the $40 a month of revenue you bring them.
Every time I hear some horror story about Stripe, either the account is back up and running very quickly, or the business was doing something egregiously bad. YMMV, this is just the professional opinion of someone who has been working in FinTech for a long time, and with Stripe for quite some time too.
How does crypto eliminate fraud? It eliminates KYC and AML (until you try to turn crypto into fiat), and you probably won't be held accountable for accepting a fraudulent transaction (yet), but stolen crypto wallets are definitely for sale and being used:
https://cybersecurityventures.com/dark-web-price-list-crypto...
Google Music asked me to upload songs and I did. Is Google really going to get sued to oblivion? I doubt it.
In the UK its technically illegal to rip a CD to your own PC to back it up, for example, see the recent high court case(s) about it where the government won against Brennan (who make hifi gear which can do this) - no different to this app.
The same can't be said for OP who probably doesn't have the time or money to fight it as evidenced by this post.
Part of the reason google/youtube are quasi-monopolistic is that they've already been through all of this, they've had the arguments and the lawsuits in various different territories, and they've reached agreements and paid money to deal with the copyright issues.
> According to Capitol Records, Inc. v. MP3Tunes, LLC, this is absolutely OK in the eyes of the law
https://casetext.com/case/capitol-records-inc-v-mp3tunes-llc
From a quick read of that, it appears that Mp3tunes lost the case, had a huge damages award made against them, as happens a lot, and the overall damages were deemed excessive and reduced to $750k.
In particular is said that the DMCA safe harbor is available to such services, and that deduplication is not a problem.
MP3Tunes did not adequately deal with DMCA takedown requests so didn't get full safe harbor protection leaving them liable for some user's uploads. Also MP3Tunes' founder had infringing songs stored and they got nailed for those.
Whereas if you have a turnover of $10k/year, and they're earning only 0.5% of that in fees, then it isn't worth them taking much risk or putting much effort in to earn $50.
It would be nice if people like stripe were more upfront about this. They could easily say "We have determined that your business might be high risk for us. If you pay us $1000 (which will be credited towards transaction fees), then we will work with you to mitigate these risks".
Nowadays people are tip-toe-ing around egg shells constantly to avoid being the latest outrage that goes viral, but that would be wildly refreshing to see. Honesty from companies (even internally when you work for them!) is getting so rare that a blunt and honest message like that makes me happy just to think about.
It would be awesome to start a new cultural movement toward radical honesty. Just being able to acknowledge the realities around incentives would be a great start.
For some people this is apparently okay and desirable. To me it's horrifying, and tends toward centralizing power far too much.
(not blaming OP, it's a cool project and a shame that people aren't being allowed to exercise their right to make a private copy)
I would be happy to hear any advice for better payment processors, of course.
Instead, we need to hold Stripe responsible to do a better due diligence upfront if they want to do business with these small indie hackers. That was the point of Stripe and now they have become that giant incumbent.
I am not advocating against Stripe relaxing their rules. I am just saying that they need to do better job enforcing early on than one random day. If it was not good enough today, it was not good enough on Day 1. Stripe needs to invest in figuring that out early. Reject me on Day 1 than Day 90 or a year later.
If not, why? Payments are a core part of any SaaS business, and it's important to have trust with important suppliers like that. Getting an account manager and proper business contract go a long way to preventing issues like this. It's somewhat unsurprising that Stripe don't have much trust for companies just signing up for the service as it's generally high risk for abuse.
The thing to remember is that Stripe (or your cloud provider, or your email sending provider, or any other SaaS) get something out of that relationship – they get a sales channel, they can trust you more, they can lock you into their services, they can show you more of their value – these sorts of companies basically want these relationships. The fact you can sign up with a credit card and never talk to anyone is sort of just to appease devs that don't want to talk to anyone, it's not how they make money in the B2B market (it's a bit different for B2C or B2B-ish services like Squarespace).
This project sounds pretty neat, and I could see it appealing to the audiophile market. I know people who would be interested.
But, I'm sorry to say, it sounds like Stripe cancelling your service wasn't the biggest issue, but that the service never found its market. Looking at the site I couldn't tell what it was or who it was for, and it looked a bit dodgy. Copy like "we're not google. we won't kill the site" (said twice) makes it sound like a hobby rather than a company, and even if that's true, it's not going to go over well for marketing. Also, it's sadly somewhat ironic given that the service has indeed gone. I totally see the vibe you were going for, but I think that vibe is one that typically maxes out at a handful of friends using it.
This is my whole point – by getting an account manager and building that relationship you quickly, and massively, change the level of trust compared to a credit card number you stuck in a landing page.
Bitcoin will not help you here. At all.
The problem is the easy way to accept cryptocurrency is with a custodial wallet, and then they can be the same kind of jerks as PayPal et al. The premise of cryptocurrency was that it should be decentralized and as yet, it's... not.
It's a little harder to scam/dupe someone with cash (especially in the US with USD because of the centralization) and you have the government to help if you receive counterfeit money. That's the part that makes bitcoin fully decentralized and a pain in the ass to deal with other people and trust - nobody wants to help you if you get scammed with bitcoin. You're completely on your own and wholly responsible for anything that goes wrong.
There's nothing stopping you from meeting with someone and sending them bitcoin to their non-custodial wallet to buy their old patio set. There's also nothing stopping you from making a craigslist ad to trade your cash for someone's bitcoin from their non-custodial wallet. Well, except for fear and how sketchy it would be to stand around waiting for a confirmation before handing over the cash. I can admit the fear and sketchiness goes to 11 though and if that never changes bitcoin will never go mainstream because cash will always be better.
How is this any different?
If you give someone a stack of hundred dollar bills and they rip you off and disappear where you can't find them, you're out of luck.
If someone commits fraud and you do know who they are, that's still illegal even if you paid them in Bitcoin.
The primary difference is that you can send someone Bitcoin over the internet. And then if they're on another continent your local law enforcement isn't going to have much to say about it and their local law enforcement may not care.
But in many cases that doesn't really matter. How many times do you actually pay anything to disreputable nobodies over the internet? It's mostly established merchants with known reputations that they're not inclined to sully just to rip someone off for a couple bucks, regardless of whether the customer can do a charge back.
It's not the irreversibility that's the problem. It's the UX, or the regulatory overhead, or the network effect. It has to get to the point that Netflix says "hey, Mastercard is charging us 3% and we could avoid that with Bitcoin, why are we leaving money on the table"?
How many people who use bitcoin would use this product? How many want to use this product and don't know how to use bitcoin? How many people CAN use bitcoin for THIS purchases?
We're never going to switch to bitcoin for daily purchases but that doesn't mean it shouldn't be an option for people.
I am yet to see any viable usecase of this bitcoin mania that is legitimate and doesn’t need tons of energy waste to accomplish its goal.
For almost 15 years of bitcoin it has completely failed and we have no use for it.
So yes, we should never switch to bitcoin for daily purchases (because it fails at that) and we should never switch to an ‘alternative’ like bitcoin if that said alternative is even worse than the current system, which it is.
Just because viable usecases don't exist today isn't proof that they'll never exist and isn't a reason to stop development. If we gave up on hard problems because we didn't solve them in 15 years we wouldn't have the AI we have today.
Been using them for a few companies the past year and a half, and migrated more and more of my stuff over to them, it offers the simplicity and clarity of "stripe at the beginning" while already being backed and owned by a major bank (BPCE, 2nd biggest banking group in France). They don't have all the bells and whistles of current Stripe, but for most projets we don't need that anyway.
And there is no bullshit about random overnight account closure with no recourse.
"Not all eggs in the same basket" ?
Is it possible to predict this in advance? Can't these companies just do it any old time they feel like it? There's always a first.
Or is there good regulation in France?
In terms of regulation though, short of explicit chargeback or disputed charges, they will never hold your money hostage.
Which is why I added that they're already backed and owned by a major bank, so it's not at risk of changing overnight after being acquired. For reference they exist since 2012 and have over 16k merchant account, including some big names in France (Veepee, Lastminute.com, ...) including some big names in business I feel like Stripe wouldn't touch (Dorcel store / adult toys and movies, Winamax and Pokerstar / online betting and poker, ...).
Processors take note, this is the way. btw, in person-to-person processing deals (which can provide APIs in most cases) this is just how it works.
Note for business owners: Those annoying merchant services calls you get as a business owner, yes, those are the people to speak to. A bit of research into what interchange is, and what those rates are, and you can write your own contracts. It is exceedingly simple and as fine-grained as you'd like to make it (we are nerds, after all). Merchant services partners ultimately want to make money, and if you have an understanding of fee structures, you will find someone local to you who will sign you on favorable terms for both parties, it's free money for them.
I can't seem to find any mention on their website about this.
It's worrying that this concentration of wealth and such services acting as gatekeepers and essentially deciding whether you can run your business or not are not properly regulated yet.
I mean, it certainly plays into hands of big corporations, who don't want to see new players and challengers on the market.
The way things seem to be going is talented people shouldn't run their own business, but rather be employees of big corporations and help shareholders buy new private jets and so on.
In my opinion, company like Stripe shouldn't be allowed to block small business like that.
If there are illegal activities being done, then that is for the courts to decide (but they still do not get to take away the electronic money account and receiving/sending capability of anyone, just the money assuming conviction).
If the government owned a transaction system and you used that exclusively then they'll know everything you bought and sold. It's already an honour system so it's not like you're eliminating cash or even need to. Paranoid people could continue to use cash and the tax system would work exactly the same for those people. The government transaction system would be a convenience for most of the population.
I'm spitballing here - my comment may not even make sense in context.
You can't just give up at the first sign of a payment issue, otherwise you're no better than google ;)
doesnt have to be a big mega highly paid lawyer
Update: I have reached out to the nice Stripe employee who volunteered their email, let's see what happens.
It's been pointed out a few times that my marketing says the site won't die, and me killing it would be very ironic. This is 100% true, and I have decided to leave the site up even if Stripe decides to ultimately close my account. Luckily, our infrastructure costs are very low (<$5 month currently).
I created this site when Google Play Music went down and lots of people were complaining about Google killing yet another product. I don't want to do the same thing to my users.
Finally, I would like to take this opportunity to plug a similar service that I am completely unrelated to. I saw its author post on HN and they seem like they are also a one-man-shop: https://asti.ga This service is different in that it lets you hook it up to your own cloud storage. I am only now realizing why this is such a brilliant idea.
Our messages go to /dev/null with the rest of the plebs.
Let me be also very clear. When you are going through underwriting, you will feel at times that this was a colossally bad idea, but it pays off its trouble in gold.
Rate wise, I pay about 2.8% + 0.15c. Obviously different mechanisms (dipped vs typed vs internet) have different rates. There are no monthly gateway fees. The underwriting took about 3 weeks, but again I was very prompt in answering followup questions. I did not feel any additional headaches that I already did not anticipate due to the underwriting process. They did ask for a lot of documentation (that I totally expected them to ask and in my opinion is very relevant), licensing and such but again I am operating in a VERY regulated industry. They did want some clarification of business processes since they were not 100% familiar with selling guns online and in person. But I will say, they were very interested in understanding my requirements and help me do things according to the published laws and guidelines. Feel free to write to me at my hn_username at 80386 dot org if you want to chat. I would love to help with this if you are interested.
You do not need to mix your bank and payment processor. For example, my credit/debit card stack is USBank + Elavon but I bank with Navy Federal. I don't even have a checking account with USBank.
Also, they just failed a basic sniff test. I called their 800 number to ask if they would work with a firearms business and reached a voicemail. They say department is available between 8AM and 8PM Eastern. It is just after 6PM eastern right now. That does not instill a lot of confidence.
When I saw your headline though, I almost choked on my coffee. We use Stripe too, but as you mention we aren't a locker, we just connect to the user's pre-existing cloud storage (including self hosted if you have that Internet accessible). That said these kind of corporate decrees are often pretty unsubtle and we could easily get caught up in this. I've had enough "policy" nightmares with Paypal and Google to instill a sense of dread when these black box titans change their mind about something and expect you to dance to their tune.
> This service is different in that it lets you hook it up to your own cloud storage. I am only now realizing why this is such a brilliant idea.
I should mention it's not my idea originally - I purchased the service almost two years ago from this guy: https://koenvh.nl/en/ . Funny story really: https://community.asti.ga/discussion/378/astigas-new-owner
I get that this provides additional value on top of the Backblaze consumer offering, but at the same time, that seems like a massive markup for the underlying storage, for people who have large music collections (ie, the people most likely to want a service like this).
I guess you could just put all your music on a Personal Backup account and use whatever music player you want, but the whole point is that you're kind of paying money for the web UI, for it to be always online and available, etc. I don't even know if Personal Backup will let you do things like shallow copies of subsets of your backups, which would be necessary to get music on multiple devices. Why copy your 1TB music collection to 5 computers? How do you get it on mobile, etc.
But I didn't realize that Backblaze B2 had a completely different pricing scheme. This makes more sense now.
As the post says - they use B2: https://www.backblaze.com/b2/cloud-storage-pricing.html
I think the only difference is I didn't put in the effort to make it look nice and didn't try to make a commercial service out of it.
But it did get me thinking about whether there's a market for people who have their own AWS account and are willing to run software in their own instances. But not corporate stuff, but things you might have had on your PC in the 90s: catalog of media, simple task list, etc.
TBH the first sign of adversity and you're already looking to call it quits. Its not a real big selling point
And thanks for not closing it back up if you find another payment provider!
I would actually bet that open sourcing it is the best thing you could do for it if you end up wanting to grow the business, especially with how niche it is. There are people like me who wouldn't even consider using the service with it being closed, but it being open gets my attention. It would be absolutely bad ass if the official hosting solution could:
- Let me put in a backblaze token and bucket name
- Store all my uploads in the aforementioned bucket, in a format that I could switch back and forth between open source and hosted versions
I self host a ton of stuff but I'd gladly pay $10 to $15 a year for that service so I can easily switch to self-host in the future but don't have to manage yet-another-service. Given that the bulk of the expense would be backblaze and that would be paid for directly by me, that's almost entirely profit margin for you.
I can see really neat future ideas along this line too, like possibly even point a (to be created in the future) desktop app like Strawberry straight at the bucket and have it play/download my music!
At their scale, not everything goes through human oversight.