Refund policy - why no refund?

I understand that there is no refund in safecoin when you purchase PUTs.
Why is that? I don’t mean in the technical sense, I mean in the ideology.

For undeletable immutable kind of data, it’s obvious that there could be no refund.
For structured data, although it’s not ideal, you may (I think) deliver it as a “payment”. It’s not ideal since you create an underground structured data market.
For temp immutable data, it’s a disaster. It discourages people from using it.

For example, in public file sharing, people would prefer using structured data since they could be “refunded” this way. They should use temp immutable data if they want to keep this privilege, but SAFE won’t let them.

Do you agree?
Am I wrong in technical details?

This is all possible, however, it would mean the network remembering your data, so signed by you. That couples a lot of info which can then be easily tied back to you via graph analysis etc. So the “cost” of refunds can lead to a pretty invasive privacy issue. So technically we could tie all your data together, but it’s not on our radar and likely will never (I hope). Not that there may not be other routes to this, but I just add this as an example of a potentially unintended consequence. These are what we need to watch.


Thanks for your answer! But I still have questions.

I do not know the very low details of the PUT protocol, but couldn’t it be solved with a consensus group?
The user shall ask the consensus group for a refund. Once consensus is reached, the “history” is then deleted.

I don’t understand how retrieving PUT from safecoins does not sacrifice privacy but the reverse does.

Additionally, could the refund request be in the form of a blind signature?
In blockchain it is hard (if not impossible) since there is a graph. In the SAFE consensus mechanism, maybe it’s possible.

This is the problem, if the group knows this is your data so does everyone else.

Possibly, blind sig is no problem, however who does the network send the refund back to?

Don’t get me wrong, there are solutions to this, but we are not working on them just yet. It would involve every ID being a wallet and connecting those securely at the user end only.



I wish that it will be solved some day.


I’m not sure why it would be desirable to give refunds of immutable data deletes. The facility for people receiving resources (i.e., the ability to store and retrieve data [PUT and GET], messaging and all else the network does) is supported by people supplying resources to the network [storage/compute/bandwidth]. Users pay for their usage of all the network’s features by purchasing PUTs. This is proper exchange dynamics that should let the network continue to function in a way that balances economically.

Providing a refund would also require more complexity and thus resources (not to mention security holes), which would basically cause PUTs to be more expensive (fewer PUTs per safecoin), so really the User pays either way.

Of course, if you’re providing resources to the network in terms of storage/compute/bandwidth, you’ll be earning the safecoin you’re using to pay for PUTs–and hopefully notably more than you spend on using the network. Seems to me that the economic balance is struck already, so no “refund” needed or appropriate.

My humble opinion.


If safecoin can be refunded it provides incentives for hackers to compromise accounts. The hacker would delete all the user data, send the refund to themselves, and receive economic benefit from hacking accounts.

Doing so depends on being able to send the refund anywhere. If the refund location is specified beforehand to prevent the hacker sending it to themselves, there is still (as @dirvine says) a privacy issue.

On the other hand, a partial refund may be desirable to encourage clearing of data that is no longer in use, freeing network resources for other data. But not if it comes at the cost of the above two items.

At least, that’s how I see it; maybe it’s more nuanced than this.


Couldn’t it be solved very easily though? With just one pair of extra (and optional) numbers stored.

At PUT time, we may give a challenge/response to be used to authenticate a possible refund request later, something like HMAC(challenge, key) => response. If I want a refund, I just send the key and an anonymous wallet address with my request, and if the key gives the correct response for the challenge, the refund is granted.

The key should be generated from a secret (stored in the account) and the block’s ID (again: HMAC(block_id, secret) => key); this way, we don’t have extra data to remember with each block we upload.

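The challenge/response scheme proposed in the post above, sketched as an added example (not code from the thread or from the SAFE project). `RefundLedger`, the function names and the sample values are hypothetical, and making each record single-use is an assumption the post does not state.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def derive_key(account_secret: bytes, block_id: bytes) -> bytes:
    """Per-block refund key: HMAC(block_id, secret) => key in the post's notation.
    The account secret is the HMAC key, so only its holder can re-derive it."""
    return hmac.new(account_secret, block_id, hashlib.sha256).digest()


def response_for(challenge: bytes, key: bytes) -> bytes:
    """HMAC(challenge, key) => response: the value stored alongside the block."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class RefundLedger:
    """Hypothetical network-side state: block_id -> (challenge, response).
    Nothing in a record names the uploader or links two blocks together."""

    def __init__(self) -> None:
        self._records = {}

    def register(self, block_id: bytes, challenge: bytes, response: bytes) -> None:
        """Called at PUT time with the pair supplied by the uploader."""
        self._records[block_id] = (challenge, response)

    def claim(self, block_id: bytes, key: bytes, wallet: str) -> Optional[str]:
        """Return the wallet to pay if the key answers the challenge, else None."""
        record = self._records.get(block_id)
        if record is None:
            return None
        challenge, expected = record
        if not hmac.compare_digest(response_for(challenge, key), expected):
            return None
        del self._records[block_id]  # assumption: one refund per PUT, so a replayed key fails
        return wallet


if __name__ == "__main__":
    secret = secrets.token_bytes(32)  # constructed account secret
    ledger = RefundLedger()
    block_id, challenge = b"constructed-block-id", secrets.token_bytes(16)
    key = derive_key(secret, block_id)
    ledger.register(block_id, challenge, response_for(challenge, key))
    print(ledger.claim(block_id, derive_key(secret, b"other-block"), "wallet-x"))
    print(ledger.claim(block_id, key, "wallet-x"))
    print(ledger.claim(block_id, key, "wallet-x"))
```

The key proves entitlement to the refund but does not authenticate the wallet address sent with it; the signed refund address suggested in the reply that follows is one way to bind the two.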

Yes or use SQRL based key derivation tools etc. where you send your refund address signed by a verified creation key (the SQRL one). It’s not an impossible task, but not on the in house radar right now. I suspect after launch proper this will be something that is hotly debated and will see some kind of implementation.


Apart from the technicalities, economics of the network, and the privacy issues that I share being valid and the #1 priority, I also think some refund could be considered in order to keep the network clean and ‘green’, especially if storing data in the network is charged only once. I imagine people would leave lots of unusable data forever requiring an increasing amount of resources over time. As an example, people already keep a lot of recordings in their DVRs they don’t ever watch, until they don’t have more space and are forced to delete some of them.

On the other hand giving a full refund is not fair, you used the network to store data for some period of time, why would you be fully refunded if a service was effectively provided to you? But providing a partial refund should encourage people, at least some of us, to delete whatever is not needed anymore.


I won’t reply on tech, since I don’t know, but I disagree about fairness.

When people are paying for a cloud storage service, they usually pay in proportion to the capacity they wish and the time they use it.
The same with SAFE refund - when people use the network, they should be able to change their resource.

As for real-world usage, as in current clouds as far as I know, the vast majority of data rarely changes.

If SAFE could, storing data would magically cost nothing, but SAFE does it to encourage vaults and stabilize the network. It stabilizes the network even with refunds.

If you are afraid of hacking or DoS kind of attacks, you can force the data structure to exist for at least a minimum period of time (I know timestamping is not going to happen, but there must be an alternative, similar way).


I think there’s another interesting point underlying this…

Currently the upload agreement is ‘data stays forever’. Would it be better to have an upload expiry of, say, 200 years? This is (for the uploader) essentially forever, even factoring in future generations who may wish to salvage their data. The user may choose to expire earlier, and pay less. This makes ‘time’ a scarce resource, along with storage, bandwidth, cpu etc.

Philosophically and architecturally it’s significantly different to the current design of the safe network.

Ownership in the real world is subject to durability (ie things must be maintained at some cost), but safe claims to remove all maintenance overhead by storing forever at a one-time cost. I think the ideas of long-lived-impermanence and rental and refund seem quite natural. Admittedly it requires some concept of time (the lack of which is an attractive elegance of the safe network), but I can see the merit to the idea of long-lived rental as the norm. It lends itself to the idea of refunds quite naturally.

I like the simplicity of buy-once-keep-forever, but the economic sustainability of that model is not as easy for me to grasp.


I would hope that public data is permanent since one of the early concepts was that SAFEsites never become unavailable. If people can delete their public data then we end up with the current situation of websites lasting typically a few years or less. Those research papers no longer available and so on.

It’s not cloud storage, for some it will be a secure storage system. That includes any hacker getting access to your account and not being able to delete all your backups, research papers and information being supplied to the public. Imagine the efforts used to hack into competitor’s accounts to delete their secure backups, or delete information the competitor doesn’t want public, or whistle blower sites, or hack someone who uploads a LOT and collect their refunds.


At the moment the concept is to pay for “forever” storage and by many indicators pay less for that than 1 year’s worth of storage on cloud.

The payment isn’t JUST for storage, it includes all the benefits that come with storing on SAFE such as the security (2 fold), no one can delete your data on you, cheaper and so on.

And lastly there is ALREADY a storage alternative on SAFE that can be deleted and space reused. While not a refund as such, it’s not paying more to reuse the space you free up from deleting. I am sure someone will write an APP to make this easy. (use SDs to store your files rather than immutable storage)


I don’t think you are disagreeing with me, I’m suggesting that a full refund would be unfair.


I will for sure be 100% supporting that public data is forever. I think that is a very important thing, otherwise Alexandria’s library III will happen (II being current net).


If multiple people (e.g. you who so likes the thing that you want it to stay available forever) “upload” (i.e. choose to pay for, even if it’s technically already uploaded) the same thing, then it doesn’t matter if the original uploader asks for a refund because the data is still paid for, so it doesn’t get removed.

People who want to publish their “library” “public document” and such would just use immutable data, leave the choice for the uploader, right? If you want to keep it immutable, you may upload it by yourself!

And about SAFE’s goal - I don’t claim it is focused on storage, I say that most of the network resource is de-facto storage. And storage & coin is what is really stabilizing the network, the infrastructure.

Here is another scenario which is not storage. In an online SAFE social network, blogs, etc., people add their own “unimportant” (by the view in history as you said) data to SAFE. I don’t want them to think twice before spending their coins (this is why I want FULL refund). This will encourage people to upload as many things as possible (videos, ideas, …), which makes free data much more available.

How cool is the idea that a coin can be turned into data, and data can be turned into coin immediately, just like energy becomes material and vice versa.
If SAFE does this, it will be very attractive, and not just “a place for security-freak people” (as may be viewed by them).

As I said before, it won’t hurt the miners, both since most data rarely gets changed, and since the prize is determined corresponding to the global difficulty or some similar mechanism.

Seeing as the idea of a refund is to help the network, then should the original uploader get anything?

Everything that is implemented should help the network. So in my opinion any refunds should be there to encourage people to use the network and to free up resources to make the network more efficient. Although archive nodes/vaults will really go a long way to removing the need to remove immutable data.

Also there should not be anywhere near 100% refund since the data got stored for a period of time. Also studies show that the initial period of creation/upload represents the greatest usage of any data. People don’t watch old cat vids as much as the new ones :-)

Much truth :smirk_cat: Which doesn’t mean I approve.

More importantly, refunds would introduce the familiar concept of “storage space.”

If I have much stuff and want more, I may have to throw away something first. Or, get a bigger house. Safe makes it frictionless, but it’s still about storing stuff, and when it’s about storage space, whether it be digital or physical, we’re used to being able to reuse it over and over again; it’s how we look at “space” and technology won’t change this assumption.

I believe that the ability to reclaim storage and use it for something else would give users a sense of familiarity that is more important than technical arguments. We deal with different kinds of storage spaces every day; we know how this works. Nobody wants to be told it doesn’t work that way anymore. There’s a reason why our gadgets use physical metaphors for their user interface.