Bitcoin KYC Argument That Everyone can Relate To…

Examined through the lens of security and privacy, the reasons why KYC should never be the default are obvious.

INTRODUCTION

In the Bitcoin white paper, Satoshi Nakamoto cited the need for an internet-based cash system that did not require a trusted third party. A few months later, Nakamoto introduced the world to the Bitcoin network. The following message was included in block zero (the “genesis block”) of the Bitcoin blockchain: “The Times 03/Jan/2009 Chancellor on verge of second bank bailout.” On the one hand, the quote alludes to a UK news article describing Chancellor Alistair Darling’s consideration of a second bailout for banks, which would involve injecting billions of additional British pounds into the economy. On the other hand, the quote alludes to Nakamoto’s dissatisfaction with and mistrust of the traditional financial system and, more generally, trusted third parties. This is made clear in the white paper’s abstract and the opening lines of the first paragraph. In another section of the white paper, Nakamoto compares the traditional model of financial privacy with Bitcoin’s model of privacy. In Bitcoin’s model, reputable third parties are no longer responsible for protecting an individual’s privacy by restricting information access. In fact, no personally identifiable information is required. Individuals can maintain their privacy with Bitcoin by “keeping public keys anonymous.” In an early Bitcoin forum post, Nakamoto penned the following:

“We must entrust them with our privacy and have faith that they will not allow identity thieves to drain our accounts […] placing faith in the system administrator to protect their privacy.” Privacy could be overridden at any time at the discretion of the administrator, who would weigh the principle of privacy against other concerns, or at the direction of his superiors. […] It is time we had the same currency. […] without the need to rely on a third party intermediary, money can be kept safe and transactions made simple. […] A distributed system without a single point of failure is the result. Users hold the [private] keys to their funds and transact with one another directly.”

Nakamoto was hesitant to entrust third parties with his privacy and his funds. Specifically, Nakamoto cited several failings of the traditional model of financial privacy: bad actors or identity thieves, a lack of administrator integrity, and authoritative demands from “superiors” such as the government. The long history of currency-debasing governments (see The Bitcoin Standard) exemplifies one manifestation of these failures, as does the event referenced in the genesis block. Nakamoto, alluding to Bitcoin, suggested that these problems could be resolved by “a distributed system with no single point of failure.”

Bitcoin has long been anticipated. Others had discussed “private,” “sovereign,” and “electronic” currency for at least a decade prior to Bitcoin’s inception. “The Sovereign Individual” predicts a private and permissionless internet currency, and “Cryptonomicon” describes anonymous digital gold. Nakamoto designed Bitcoin with the following attributes: Bitcoin is pseudonymous, can be used privately, and does not require permission. Nonetheless, “know your customer” regulations1 (KYC) have proven to be pervasive, persistent, and problematic for users seeking to take advantage of such properties.

Alongside the price movement of Bitcoin from 2020 to 2021, Bitcoin companies have experienced tremendous growth. By the end of 2020, Coinbase expects to have over 35 million users in over 100 countries. In addition, in 2022 Coinbase ran a 60-second Super Bowl advertisement featuring a floating QR code that received over 20 million hits in less than one minute. Coinbase’s chief product officer, Surojit Chatterjee, described it as “historic and unprecedented.” Coinbase is, however, only one of many successful businesses. According to sources, among the centralized exchanges Coinbase ranks sixth among the most trusted cryptocurrency exchanges, behind Binance (#1), OKX, FTX, KuCoin, and Huobi Global (#5), and among the De-centralized exchanges coinbaazar is fast coming up. Together, these exchanges have verified the identities of countless millions of users. These massive KYC efforts stand in stark contrast to Nakamoto’s anonymous, permission less, P2P, cash system with no third parties. In addition, KYC generates honeypots of user information and spawns a permission-based social system.

KYC CREATES HONEYPOTS OF USER INFORMATION

When an individual registers for an exchange or related service, they will likely be required to provide KYC information, or personally identifying information (PII). Typically, PII includes a selfie, a driver’s licence, a social security number, an address, an email address, and a telephone number. Typically, a third-party service, such as Prime Trust, stores PII. When Nakamoto stated, “We must entrust them with our privacy and have faith that they will not allow identity thieves to drain our accounts,” he was referring to exchanges and their partner service providers. All of these third parties carry inherent risks, such as bad actors (e.g., insider attack; BitThumb, 2019), lack of administrator integrity (e.g., BitConnect exit scam), and government demand sensitivity (e.g. IRS forces compliance). When Nakamoto refers to “identity thieves,” he is referring to data breaches in which hackers gain access to PII and profit from it through direct theft, the sale of PII to third parties, or extortion. Given all of the PII provided, KYC creates a honeypot of exploitable user information.

Data breaches have become increasingly common over time:

• Data Security Incident in 2016

• A data breach at T-Mobile exposed the personal information of more than 47 million individuals

• A hacker gained access to 100 million Capital One credit card accounts and applications.

• U.S. Postal Service API Error Exposes 60 Million Users

• Nearly half of the U.S. population could be impacted by the Equifax data breach

• Target Pays $18.5 Million To Settle 2013 Customer Data Breach Due To Hacking

• The JPMorgan Chase Cyberattack Affects 76 Million Homes

• CVS and Walmart Canada are conducting an investigation into a data breach

• The Sony Pictures website was hacked, exposing 1 million user accounts

• In a massive data breach, 235 million Instagram, TikTok, and YouTube user profiles were exposed

From 2005 to 2020, data breaches have increased by over 500%, according to Statista. Moreover, according to the Cost of Data Breach Report, customer PII was compromised in 80% of all data breaches in 2019. (name, credit card information, health records and payment information). In addition to more sensitive types of PII, such as social security numbers, driver’s licence numbers, and biometrics, data breaches may also involve them.

All trusted-required third parties, including Bitcoin companies, are susceptible to a data breach. Consider, for instance, the Ledger hack of July 2020. According to an official statement by the CEO of Ledger, 1 million email addresses and 9,532 pieces of more detailed personal information (postal addresses, names, surnames, and phone numbers) were compromised. In the same year, the Ledger customer database was uploaded to the database-sharing and marketplace forum Raidforum. Several Ledger users subsequently reported phishing attempts, extortion, and threatening emails, including kidnapping and murder threats.

Reddit user Cuongnq received a phishing email instructing him to “download the most recent version of Ledger Live” and set up a “new PIN” for his wallet. Silkblueberry, another Reddit user, received an email stating that pornographic videos of him masturbating were in the possession of hackers who threatened to release them unless he paid them in Bitcoin. Silkblueberry recognised the deception. If he did not send them $500 in Bitcoin, however, the hackers threatened to link his email to “child porn sites” and frame him as a “child predator.” Unknown man demanded payment from yet another user via telephone. If he did not send a payment by midnight that night, the man threatened to “show up at [his] house, kidnap [him], and’stab to death’ any relatives living at [his] address.”

The Ledger hack is a prime example of how damaging a compromised KYC honeypot can be. Nonetheless, some may argue that KYC services are necessary because they provide an easy on-ramp for newcomers and that the risk is worthwhile. There are numerous non-KYC alternatives that are known to protect individual privacy and security. In addition, these non-KYC alternatives have become simpler over time thanks to the availability of numerous guides and resources. Non-KYC alternatives include: (1) purchasing Bitcoin through decentralised peer-to-peer exchanges such as Bisq Network or Hodl-Hodl; (2) purchasing Bitcoin privately from a Bitcoin ATM; (3) buying or selling face-to-face or selling goods and services at a Bitcoin meetup; and (4) mining Bitcoin at home.

Others may cite the criminal use of Bitcoin and suggest that KYC provides individuals with the peace of mind that they are not inadvertently funding criminal activity. In contrast to the U.S. dollar, however, the use of Bitcoin in criminal activity is minimal. Jennifer Fowler, Deputy Assistant Secretary of the Office of Terrorist Financing and Financial Crimes, testified in 2017 during a judiciary committee hearing that “although virtual currencies are used for illicit transactions, the volume is small compared to the volume of illicit activity through traditional financial services.” Given the differences in volume, it is unlikely that purchasing non-Know Your Customer (KYC) Bitcoin will inadvertently fund criminal activity. When buying or selling peer-to-peer at a local Bitcoin meetup or from a Bitcoin ATM, this is even less likely.

Bitcoin was designed in part to be pseudonymous, but the current level of Know Your Customer (KYC) procedures completely undermines this property. Millions of users around the world are associating their identities with their Bitcoins, and each of them contributes to the creation of user information honeypots. This remains true despite the overwhelming evidence that data breaches have become practically commonplace. Rather than sacrificing pseudonymity, assuming additional risk, or contributing to the problem, users should be a part of the solution by reclaiming their pseudonymity, reducing risks, and protecting personally identifiable information by using non-KYC alternatives.

KYC GENERATES A PERMITTED SOCIAL SYSTEM.

The Bitcoin network is permission less, third-party-uncontrolled cash system. However, the majority of people do not use Bitcoin in this manner. Individuals rely on third-party KYC services, including Bitcoin exchanges, yield platforms, and hosted mining, among others. KYC not only compromises your pseudonymity, but also your transactional privacy. This is true even after you have taken possession of your Bitcoin. In contrast to physical cash, in which a bank cannot track what you do with it after withdrawal, a third party, such as an exchange, can track what you do with your Bitcoin after withdrawal. That is, until appropriate privacy measures are taken, such as joining a coinjoin2 network.

Even if an individual’s identity can be concealed through Bitcoin transactions, the KYCing third party retains all personally identifiable information (PII) about the user, including name, address, selfies, and total purchase amount. KYC spawns a permission-based social system with access to PII and the capacity to spy on transactional behaviour. There are numerous instances in which KYC spawns a permissioned social system (e.g. limits and restrictions; intrusive verification measures; address whitelisting; and state interventions). This section examines CoinJoin as an illustration of a prohibited behaviour within a permissioned social system. The selection of CoinJoin was based on the significance of its role in everyday privacy.

Since Bitcoin is a public ledger, it is recommended to “make every transaction a CoinJoin.” This is true due to two factors. First, CoinJoining restricts the conclusions an eavesdropping third party could draw from one’s transaction history. Second, CoinJoining prevents others from prying into an individual’s financial information. The significance of the first reason stems from the fact that, as discussed previously, a KYCing third party can track a user’s Bitcoin transactions, and CoinJoining can help users achieve prospective privacy. Unlike cash or debit/credit cards, where a merchant (the payee) cannot see a payer’s finances (e.g., bank account balances), with Bitcoin payee’s can see a payer’s finances — or, at least, the UTXO being spent. This is equivalent to sharing one’s bank statement with each transaction.

If you take a moment to consider some of the situations that could result from such a circumstance, you will quickly recognise the privacy implications of this. Samourai Wallet provides one satirical illustration: Imagine if the pastor of your church could see your OnlyFans subscription when you place a dollar bill in the collection plate. The dollar bill in this illustration represents a typical Bitcoin transaction. By obscuring the payment’s transaction history, CoinJoin would have given the user in this example the necessary privacy to avoid this awkward situation. Consider the extreme case of paying someone a small sum while using a large UTXO (akin to taking out an enormous gold coin just to shave a tiny portion off). The recipient of the payment would be able to verify that the payer possesses a substantial amount of Bitcoin. This may increase the payer’s risk of a five-dollar wrench attack. A CoinJoin would have divided a large UTXO into smaller UTXOs, reducing the payee’s ability to determine the payer’s holdings; the payee only sees that you’re spending pocket change. Given these examples, it is evident that Bitcoin lacks essential characteristics of physical currency that CoinJoin can compensate for. Despite the benefits CoinJoin provides to users, KYC third-party services prohibit its use on the false assumption that CoinJoining is malicious or risky. A permissioned social system has effectively labelled CoinJoins as “bad” due to the prevalence of CoinJoin prohibition among the most popular cryptocurrency exchanges.

Consider BlockFi as an example. They have a “prohibited uses” page that states their intention to maintain “strict regulatory compliance” and prohibits deposits and withdrawals to or from mixing services, peer-to-peer and other exchanges that lack KYC, gambling sites, and dark web marketplaces. In addition, BlockFi “retains the right to return funds and freeze/close accounts as appropriate.” BlockFi is just one of the many known exchanges that prohibit or flag CoinJoins. In one of the most extreme cases, Reddit user Bujuu reported that his exchange account was closed due to the “quantity and frequency” of his CoinJoin transactions. Bitvavo claimed that Bujuu posed a “unacceptable risk” and closed his account as a precautionary measure. Later, Bujuu stated, “It kind of annoys me that I can’t do whatever I want with my BTC because it’s all being monitored.” The prohibition of CoinJoin is arguably one of the clearest illustrations of how KYC gives rise to a permissioned social system.

Several other users have reported less severe side effects. One user claimed, “@bottlepay rejected my incoming btc transaction because the coins were in samourai wallet and/or mixed with @SamouraiWallet #Whirlpool / If you sent mixed coins, you will be punished.” This user reported this issue upon depositing funds, demonstrating a retrospective examination of his coin’s history. Others have reported an identical level of intrusion. For example, another user received an email from Paxos stating, “We observed that a BTC withdrawal from your account was possibly sent to a well-known Bitcoin mixing service. This transaction type is prohibited on the platform. Please confirm if the funds have been transferred to a mixing service.” This demonstrates a forward-looking analysis of the coin’s history, as the issue arose due to the withdrawal of funds. In addition, Riccardo Masutti asserted that “@bitwala sent [him] an email three days ago about a couple of post-CoinJoin transactions that occurred almost six months ago,” and Kristapsk asserted that he received “an e-mail from @BitMEX about [an] old #Bitcoin deposit transaction (last summer) that’may be connected with activity that is against 1.1(a) of the HDR Terms of Service’, it These last two examples illustrate the depth of chain analysis performed by third-party KYCing entities.

One can see how pervasive a permissioned social system can be when all factors are considered. Users want to reap the benefits of a CoinJoin, despite the fact that CoinJoining is prohibited by many of the largest third-party KYC exchanges (or related services). This widespread dislike for CoinJoin, coupled with the blatant chain analysis, puts individuals who KYC in a precarious position. KYC individuals are prohibited from exercising fundamental privacy rights or face punitive action if they do so. In either case, KYC-compliant individuals are spied upon. Any reasonable person would agree that this is a precarious situation, particularly when participating in a decentralised and alternative cash system with no third parties. Despite the obvious advantages of CoinJoin, it is currently believed that CoinJoins are too “risky.” Craig Raw, founder of Sparrow Wallet, remarked on a CoinJoin panel at the Bitcoin 2022 conference, “The future of cryptocurrency is decentralised.”

“If we use the tools we have today [such as CoinJoin], it changes the way people think and how society views it. If CoinJoin becomes widely used today, then that will alter how society perceives it, and I believe that it is important not to wait too long to use the tools because… it alters how the world’s rules and regulations will form.”

According to Raw, the normalisation of CoinJoin is dependent on its usage. Therefore, individuals are responsible for exercising their privacy rights. This cannot be done within a restricted system, nor will permission be granted. CoinJoin normalisation must occur outside of a permissioned system, such as within the Bitcoin network as it was intended to be used — without permission.

CONCLUSION

KYC generates honeypots of user information and gives rise to a social system with restricted access. When performing Know Your Customer checks, you are required to provide a substantial amount of sensitive personal information, which contributes to the honeypot. Given that an identity has been associated with your Bitcoin holdings, this action is sufficient to negate pseudonymity. Moreover, individuals must have faith that third parties will safeguard sensitive information. In addition, when you verify your identity, you voluntarily establish a relationship with a third party. In other words, you must adhere to the rules established by the third party or you may be subject to punitive measures such as asset seizure, account closure, or frozen assets. CoinJoin is an example of a prohibited behaviour within a permissioned social system due to the essential role it plays in everyday privacy. Upon inspection of the evidence, it is evident that KYC creates honeypots of user data and gives rise to a permissioned social system.

“This work is licensed under CC BY 4.0. To view a copy of this license”, visit Creative Commons — Attribution 4.0 International — CC BY 4.0