An Argument Against KYC Bitcoin That Everyone Can Understand

2 years ago

The reasons that KYC should never be the default are evident once examined from a lens of security and privacy.

This is an opinion editorial by Heady Wook, privacy advocate and contributor to Bitcoin Magazine.

Introduction

In the Bitcoin white paper, Satoshi Nakamoto cited the need for a currency system over the internet without the need for a trusted third party. A few months later, Nakamoto introduced the Bitcoin network to the world. In block zero (the “genesis block”) of the Bitcoin blockchain, the following message was included: “The Times 03/Jan/2009 Chancellor on brink of second bailout for banks.” On one hand, the quote references a UK news piece outlining Chancellor Alistair Darling’s consideration of a second bailout for banks, which meant pumping billions more British pounds into the economy. On the other hand, the quote references Nakamoto’s frustration and distrust of the traditional financial system and, more broadly, trusted third parties. This is made clear in the white paper abstract and the first paragraph’s opening lines. In another section of the white paper, Nakamoto compares the traditional banking privacy model with Bitcoin’s privacy model. In Bitcoin’s model, trusted third parties are no longer responsible for safeguarding an individual's privacy by limiting access to information. In fact, no personal information is required at all. With Bitcoin, individuals can maintain privacy simply by “keeping public keys anonymous.” In an early Bitcoin forum post, Nakamoto wrote:

“We have to trust them with our privacy, trust them not to let identity thieves drain our accounts […] placing trust in the system administrator to keep their information private. Privacy could always be overridden by the admin based on his judgement call weighing the principle of privacy against other concerns, or at the behest of his superiors. […] It’s time we had the same thing for money. […] without the need to trust a third party middleman, money can be secure and transactions effortless. […] The result is a distributed system with no single point of failure. Users hold the [private] keys to their money and transact directly with each other.”

Nakamoto was concerned about trusting third parties with both privacy and money. Specifically, Nakamoto cited a few points of failure of the traditional banking privacy model: bad actors or identity thieves, lack of administrator integrity, and official demands from “superiors,” such as a government. One manifestation of these failures is showcased by the long history of currency-debasing governments (see: The Bitcoin Standard) and includes the case cited within the genesis block. Alluding to Bitcoin, Nakamoto suggested these issues are solved with “a distributed system with no single point of failure.”

Bitcoin has been a long time coming. The conversation about “private,” “sovereign” or “electronic” currency had gone on by others at least a decade before Bitcoin’s inception. For instance, “A Cypherpunk’s Manifesto” discusses anonymous transaction systems on the internet, “The Sovereign Individual” predicts a private and permissionless internet currency, and “Cryptonomicon” describes an anonymous digital gold. Nakamoto designed Bitcoin with such properties: Bitcoin is pseudonymous, it can be used privately and it is permissionless. However, “know your customer” regulations [1] (KYC) have proven to be pervasive, persistent and problematic for users looking to benefit from such properties.

Along with bitcoin's price action from 2020 through 2021, bitcoin companies have experienced lots of growth. Coinbase, for example, reported reaching over 35 million users in over 100 countries by the end of 2020. Furthermore, in 2022 Coinbase took out a 60-second Super Bowl advertisement featuring a floating QR code which reached over 20 million hits within just one minute. Surojit Chatterjee, chief product officer at Coinbase, went so far as to call it “historic and unprecedented.” However, Coinbase is only one of many successful companies. According to CoinGecko, Coinbase ranks sixth in terms of the most trusted exchanges, with Binance (#1), OKX, FTX, KuCoin and Huobi Global (#5) respectively taking the lead. Together, these exchanges have KYC'd millions upon millions of users. These massive KYC efforts are in direct contrast with the pseudonymous, permissionless, P2P currency system with no third parties developed by Nakamoto. Furthermore, KYC creates honeypots of user information and gives rise to a permissioned social system.

KYC Creates Honeypots Of User Information

Every time an individual signs up for an exchange or related service they are likely asked to KYC themselves — that is, provide personally identifiable information (PII). PII typically consists of a selfie, driver's license, social security number, address, email and phone number. PII is usually stored by an outside service, such as Prime Trust. When Nakamoto said, “We have to trust them with our privacy [and] trust them not to let identity thieves drain our accounts,” the reference to “them” can be thought of as exchanges and their partner service providers. All these third parties come with inherent risks, such as bad actors (e.g. insider job; Bithumb, 2019), lack of administrator integrity (e.g. BitConnect exit scam) and susceptibility to government demands (e.g. IRS forces compliance). When Nakamoto references “identity thieves,” he refers to data breaches in which hackers gain access to and profit from PII, either by directly stealing funds, selling the PII to interested parties or extortion. Given all the PII provided, KYC creates a honeypot of user information that is ripe for exploitation.

Data breaches have become more and more prevalent over the years:

According to Statista, data breaches have increased over 500% from 2005 through 2020. Furthermore, according to the Cost of Data Breach Report, 80% of all data breaches in 2019 included customer PII (name, credit card information, health records and payment information). Data breaches may also include more sensitive types of PII, such as social security number, driver’s license number or biometrics.

All trust-required third parties are susceptible to a data breach, including bitcoin companies. For instance, consider the Ledger hack of July 2020. In an official statement by the Ledger CEO, “1 million email addresses had been stolen as well as 9,532 more detailed personal information (postal addresses, name, surname and phone number).” That same year, the Ledger customer database was dumped onto Raidforum, a database sharing and marketplace forum. Thereafter, several Ledger users reported phishing attempts, extortion and threatening emails, including threats of kidnapping and violence, such as murder.

Reddit user Cuongnq received a phishing email prompting him to “download the latest version of Ledger Live” and to follow the instructions to set up a “new PIN” for his wallet. Another Reddit user, Silkblueberry, received an email stating that hackers had videos of him “masturbating to porn” and that they would post the videos publicly unless he sent them bitcoin as payment. Silkblueberry saw through the ploy. However, the hackers resorted to more extreme measures, threatening to associate his email with “child porn sites” and frame him as a “child predator” if he did not send them $500 in bitcoin. Yet another user received a phone call from an unknown male demanding payment. The male threatened he would “show up to [his] house, kidnap [him], and ‘stab to death’ any relatives living at [his] address” if he did not send a payment by midnight that night.

The Ledger hack is one example that illustrates how damaging an exploited KYC honeypot can be. Still, some might suggest that KYC services are needed because they offer an easy on-ramp for newcomers and that the exposure is worth the risk. To this, one can point to the many non-KYC alternatives known to preserve user privacy and security. Furthermore, these non-KYC alternatives have become easier over time with the help of several guides and resources. These non-KYC alternatives include: (1) using decentralized peer-to-peer exchanges like Bisq Network or Hodl-Hodl to buy bitcoin; (2) buying privately from a bitcoin ATM; (3) buying or selling face-to-face or selling goods and services at a bitcoin meetup; and (4) mining for bitcoin at home.

Others might cite the use of bitcoin in criminal activity and suggest KYC provides individuals with the peace of mind that one is not inadvertently supporting illicit activity. However, bitcoin’s use in criminal activity is small compared to that of the U.S. dollar. In 2017, during a judiciary committee hearing, Deputy Assistant Secretary of the Office of Terrorist Financing and Financial Crimes, Jennifer Fowler, testified that “although virtual currencies are used for illicit transactions, the volume is small compared to the volume of illicit activity through traditional financial services.” Given the differences in volume, it is unlikely one may inadvertently support criminal activity by buying non-KYC bitcoin. This becomes even more unlikely when one buys or sells peer-to-peer at a local bitcoin meetup or buys from a bitcoin ATM.

Bitcoin was designed in part as pseudonymous, yet there is an alarming level of KYC taking place which completely undermines this property. Millions of users all over the world are tying their identity to their bitcoin and each one of them is contributing to the creation of honeypots of user information. This remains true even in the face of overwhelming evidence that data breaches have become almost an everyday occurrence. Rather than sacrificing pseudonymity, taking on additional risk or contributing to the problem, users should instead be part of the solution and take back their pseudonymity, reduce risks and protect PII by using non-KYC alternatives.

KYC Gives Rise To A Permissioned Social System

The Bitcoin network is a permissionless currency system outside the control of any third party. However, the majority of individuals are not using bitcoin this way. Instead, individuals have become reliant on third-party KYC services, such as bitcoin exchanges, yield platforms and hosted mining, among others. Not only does KYC undermine your pseudonymity, it also undermines your transactional privacy. This is true even after taking custody of your bitcoin. Unlike physical cash, where a bank cannot track what you do with it after withdrawal, a third party, such as an exchange, is able to track what you do with your bitcoin after it has been withdrawn. That is, until the proper privacy measures are taken, such as participating in a CoinJoin [2].

Even if an identity can be obfuscated from an individual’s bitcoin transactions, the KYCing third party still retains all the user's personally identifiable information (PII), including name, address, selfies and total purchase amount. Armed with PII and the ability to spy on transactional behavior, KYC gives rise to a permissioned social system. There are many examples of how KYC gives rise to a permissioned social system (e.g. limits and restrictions; intrusive verification measures; address whitelisting; and state interventions). This section focuses on CoinJoin as an example of a forbidden behavior within a permissioned social system. CoinJoin was selected given the significant role it plays in everyday privacy.

Since Bitcoin is a public ledger, it is good practice to “make every spend a CoinJoin.” This is true for two reasons. First, CoinJoining limits any inferences a spying third party might be able to draw from one’s transaction history. Second, CoinJoining protects others from peering into one’s personal finances. Reason one is important because, as discussed above, a KYCing third party can track what one does with their bitcoin, and CoinJoining can help users gain forward-looking privacy. Reason two is important because, unlike cash or debit/credit cards, where a merchant (the payee) cannot peer into a payer’s finances (e.g. bank account totals), with bitcoin payees can peer into a payer’s finances — at least, the UTXO being spent. This is similar to handing out one’s bank statement with every transaction.

If you take a moment to ponder some of the situations that may arise from such a setup, you will quickly realize the implications this has on privacy. One caricatured example is put forth by Samourai Wallet: “Imagine if your church pastor was able to see your OnlyFans subscription when you place a dollar bill into the offering plate.” The dollar bill here represents a typical bitcoin transaction. A CoinJoin would have provided the individual in this example the privacy needed to avoid this awkward situation by obfuscating the payment’s transaction history. In another, more extreme example, imagine paying someone a small amount but using a large UTXO (similar to taking out an enormous gold coin just to shave a small fraction off). The individual receiving the payment would be able to see that the payer holds a significant amount of bitcoin. This might put the payer at a higher risk for a five-dollar wrench attack. A CoinJoin would have broken up a large UTXO into smaller UTXOs, reducing the payee's ability to determine a payer’s holdings; they only see that you’re spending from pocket change. Given these examples, it becomes clear that Bitcoin lacks essential qualities found in physical cash that CoinJoin can make up for. Despite the benefits that CoinJoin provides users, KYC third-party services operate on the false premise that CoinJoining is malicious or risky and prohibit its use. With CoinJoin prohibition as a common practice among some of the most popular exchanges, a permissioned social system has effectively designated CoinJoins as “bad.”
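To make the two privacy points above concrete (what the common-input heuristic named in footnote 2 infers from a transaction, and what a payee learns from the UTXO being spent), here is an added Python example that is not part of the original article; the transactions, addresses and amounts are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample transactions, not real chain data. Each entry is
# (txid, inputs, outputs) with (address, value_in_sats) pairs.
TXS = [
    # Ordinary payment: Alice pays a merchant 0.05 BTC from a 2.5 BTC coin.
    ("tx_a", [("alice1", 250_000_000)],
             [("merchant", 5_000_000), ("alice2", 244_990_000)]),
    # Alice combines her change with another coin; both inputs are hers.
    ("tx_b", [("alice2", 244_990_000), ("alice3", 10_000_000)],
             [("shop", 200_000_000), ("alice4", 54_980_000)]),
    # CoinJoin: Alice, Bob and Carol each receive one 0.5 BTC output plus change.
    ("tx_cj", [("alice4", 54_980_000), ("bob1", 51_000_000), ("carol1", 50_200_000)],
              [("o1", 50_000_000), ("o2", 50_000_000), ("o3", 50_000_000),
               ("alice_chg", 4_970_000), ("bob_chg", 990_000), ("carol_chg", 190_000)]),
]


def equal_output_count(tx):
    """Largest number of outputs in `tx` that share one exact value."""
    counts = defaultdict(int)
    for _, value in tx[2]:
        counts[value] += 1
    return max(counts.values())


def is_coinjoin(tx, min_equal_outputs=2):
    """Conservative CoinJoin detector: several inputs and at least
    `min_equal_outputs` outputs of identical value."""
    return len(tx[1]) >= 2 and equal_output_count(tx) >= min_equal_outputs


def cluster_inputs(txs, skip_coinjoins):
    """Common-input-ownership heuristic: all inputs of one transaction are
    assumed to belong to one entity. Returns a list of address sets."""
    parent = {}

    def find(addr):
        parent.setdefault(addr, addr)
        while parent[addr] != addr:
            parent[addr] = parent[parent[addr]]
            addr = parent[addr]
        return addr

    for tx in txs:
        addrs = [addr for addr, _ in tx[1]]
        for addr in addrs:
            find(addr)  # register every input address, even a lone one
        if skip_coinjoins and is_coinjoin(tx):
            continue  # a CoinJoin's inputs are NOT one entity's coins
        for addr in addrs[1:]:
            parent[find(addr)] = find(addrs[0])
    groups = defaultdict(set)
    for addr in list(parent):
        groups[find(addr)].add(addr)
    return sorted(groups.values(), key=sorted)


def payee_view(tx, payee):
    """What a payee learns from the transaction that paid them: the amount
    received and the total value of the coins the payer had to spend."""
    received = sum(v for a, v in tx[2] if a == payee)
    return {"received": received, "payer_spent_from": sum(v for _, v in tx[1])}
```

Naive clustering merges Alice's, Bob's and Carol's addresses into one "entity" through the CoinJoin, which is exactly the inference the heuristic gets wrong; the payee view shows the merchant learning that a 0.05 BTC payment came from a 2.5 BTC coin.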

Take BlockFi for example. They have a “prohibited uses” page stating the intention to maintain “a policy of strict regulatory compliance” and so prohibit deposits and withdrawals to or from: mixing services, peer-to-peer and other exchanges which do not have KYC, gambling sites and dark net marketplaces. Furthermore, BlockFi “retains the right to return funds and freeze/close accounts as necessary.” BlockFi is only one of many exchanges known to prohibit or flag CoinJoins. For instance, in one of the more extreme examples, Reddit user Bujuu reported his exchange account was closed due to the “amount and frequency” of his CoinJoin transactions. The exchange, Bitvavo, claimed Bujuu posed an “unacceptable risk” and closed his account as a measure of mitigation. Later Bujuu said, “It kinda bugs me that I'm not allowed to do what I want with my BTC, that it's all being monitored.” CoinJoin prohibition is perhaps one of the clearest examples of how KYC gives rise to a permissioned social system.

Several other users have reported milder experiences. One user claimed, “@bottlepay [has] rejected my incoming btc transaction due to the coins having been in samourai wallet and/or mixed with @SamouraiWallet #Whirlpool / If you have sent mixed coins you will get stung.” This user reported this issue upon the deposit of funds, which demonstrates a backward-looking analysis of his coins’ history. A similar level of intrusion has been reported by others. For instance, another user received an email from Paxos stating, “We noticed that a BTC withdrawal from your account has possibly been sent to a known bitcoin mixing service. This type of transaction is not permitted on the platform. Please confirm whether the funds have been sent to a mixing service.” This time the issue arose upon the withdrawal of funds, which demonstrates a forward-looking analysis of the coins’ history. Furthermore, Riccardo Masutti claimed “@bitwala sent [him] an email 3 days ago about a couple of post-CoinJoin transactions that happened about 6 MONTHS AGO” and Kristapsk claimed he received “an email from @BitMEX about [an] old #Bitcoin deposit transaction (last summer) that ‘may be connected with activity that is against 1.1(a) of the HDR Terms of Service.’, it was @joinmarket coinjoin.” These last two examples show the extent of chain analysis conducted by KYCing third parties.

Taken together, one can see how pervasive a permissioned social system can be. Users want to reap the benefits of a CoinJoin, yet CoinJoining is considered prohibited behavior by many major third-party KYC exchanges (or related services). This clear distaste for CoinJoin, along with blatant chain analysis, places individuals who KYC in a vulnerable position. Individuals who KYC are prohibited from exercising basic privacy rights, or they face punitive measures if they do. In either case, KYC’d individuals are being spied on. Any reasonable person would agree this is not a good position to be in, especially when participating in an independent and alternative currency system with no third parties. Despite the clear benefits that CoinJoin has to offer, the current position is that CoinJoins are too “risky.” On a CoinJoin panel at the Bitcoin 2022 conference, Craig Raw, founder of Sparrow Wallet, said:

“If we use the tools [i.e. CoinJoin] that we have today, it changes the mindset of people and it changes how society views it. If CoinJoin becomes a widely used thing today, then that will change the way that society views it and I think that it is important not to wait too long and to actually use the tools because… it changes the way that the rules and regulations of the world will form.”

According to Raw, CoinJoin normalization is a function of its use. Therefore, individuals must take it upon themselves to exercise their rights to privacy. This cannot be accomplished from within a permissioned system, nor will it be granted. Rather, CoinJoin normalization must be accomplished outside of a permissioned system, such as within the Bitcoin network as it was designed to be used — without permission.

Conclusion

KYC creates honeypots of user information and gives rise to a permissioned social system. When you KYC, you must provide a lot of sensitive personal information, which contributes to the honeypot. This action alone is enough to negate pseudonymity, given that an identity has been associated with your bitcoin holdings. Furthermore, individuals must trust that third parties will keep sensitive information safe. Further, once you KYC, you voluntarily enter into a permissioned relationship with a third party. That is, you must abide by the rules set in place by the third party or possibly face punitive measures, such as asset seizure, account closure or frozen assets. Given the significant role it plays in everyday privacy, CoinJoin is an example of a forbidden behavior within a permissioned social system. Upon inspection of the evidence, it becomes clear that KYC indeed creates honeypots of user information and gives rise to a permissioned social system.


References

[1] “KYC” refers to the confirmation of identity of an account holder via the collection of documents (e.g. driver's license, social security number, employment record, selfies, etc.; Federal Reserve, 1997) by financial third-party services (e.g. bitcoin exchanges) on behalf of the Internal Revenue Service (Internal Revenue Service, 2000).

[2] CoinJoin “is a trustless method for combining multiple bitcoin payments from multiple spenders into a single transaction to make it more difficult for outside parties to determine which spender paid which recipient or recipients” (Bitcoin Wiki, 2015). In other words, CoinJoin is a privacy tool that obfuscates transaction history by undermining the common input heuristic. This effectively and reliably provides users with forward-looking transactional privacy at the application layer with no changes to the main bitcoin protocol.


This is a guest post by Heady Wook. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.
