This is an opinion editorial by Heady Wook, privacy advocate and contributor to Bitcoin Magazine.
Introduction
In the Bitcoin white paper, Satoshi Nakamoto cited the need for a cash system over the internet that does not depend on a trusted third party. A few months later, Nakamoto introduced the Bitcoin network to the world. In block zero (the “genesis block”) of the Bitcoin blockchain, the following message was included: “The Times 03/Jan/2009 Chancellor on brink of second bailout for banks.” On one hand, the quote references a UK news piece outlining Chancellor Alistair Darling’s consideration of a second bailout for banks, which meant pumping billions more British pounds into the economy. On the other hand, the quote references Nakamoto’s frustration and distrust of the traditional financial system and, more broadly, of trusted third parties. This is made clear in the white paper abstract and the first paragraph’s opening lines. In another section of the white paper, Nakamoto compares the traditional finance privacy model with Bitcoin’s privacy model. In Bitcoin’s model, trusted third parties are no longer responsible for safeguarding an individual’s privacy by limiting access to information. In fact, no personal information is required at all. With Bitcoin, individuals can maintain privacy simply by “keeping public keys anonymous.” In an early Bitcoin forum post, Nakamoto wrote:
“We have to trust them with our privacy, trust them not to let identity thieves drain our accounts […] placing trust in the system administrator to keep their information private. Privacy could always be overridden by the admin based on his judgment call weighing the principle of privacy against other concerns, or at the behest of his superiors. […] It’s time we had the same thing for money. […] without the need to trust a third party middleman, money can be secure and transactions effortless. […] The result is a distributed system with no single point of failure. Users hold the [private] keys to their money and transact directly with each other.”
Nakamoto was concerned about trusting third parties with both privacy and money. Specifically, Nakamoto cited a few points of failure of the traditional finance privacy model: bad actors or identity thieves, lack of administrator integrity, and authoritative demands from “superiors,” such as a government. One manifestation of these failures is showcased by the long history of currency-debasing governments (see: The Bitcoin Standard) and includes the event cited within the genesis block. Alluding to Bitcoin, Nakamoto suggested these issues are solved with “a distributed system with no single point of failure.”
Bitcoin has been a long time coming. The conversation about “private,” “sovereign” or “electronic” currency had been going on among others for at least a decade before Bitcoin’s inception. For instance, “A Cypherpunk’s Manifesto” discusses anonymous transaction systems on the internet, “The Sovereign Individual” predicts a private and permissionless internet currency, and “Cryptonomicon” describes an anonymous digital gold. Nakamoto designed Bitcoin with such properties: Bitcoin is pseudonymous, it can be used privately and it is permissionless. However, “know your customer” (KYC) regulations have proven to be pervasive, persistent and problematic for users looking to benefit from such properties.
Along with bitcoin’s price action from 2020 through 2021, bitcoin companies have experienced significant growth. Coinbase, for example, reported reaching over 35 million users in over 100 countries by the end of 2020. Furthermore, in 2022 Coinbase took out a 60-second Super Bowl ad featuring a floating QR code which reached over 20 million hits within just one minute. Surojit Chatterjee, chief product officer at Coinbase, went so far as to call it “historic and unprecedented.” However, Coinbase is only one of many successful companies. According to CoinGecko, Coinbase ranks sixth among the most trusted exchanges, behind Binance (#1), OKX, FTX, KuCoin and Huobi Global (#5), in that order. Together, these exchanges have KYC’d millions upon millions of users. These massive KYC efforts stand in direct contrast to the pseudonymous, permissionless, P2P cash system with no third parties that Nakamoto developed. Furthermore, KYC creates honeypots of user information and gives rise to a permissioned social system.
KYC Creates Honeypots Of User Information
Every time an individual signs up for an exchange or related service they are likely asked to KYC themselves — that is, provide personally identifiable information (PII). PII typically consists of a selfie, driver’s license, social security number, address, email and phone number. PII is usually stored by an outside service, such as Prime Trust. When Nakamoto said, “We have to trust them with our privacy [and] trust them not to let identity thieves drain our accounts,” the reference to “them” can be thought of as exchanges and their partner service providers. All these third parties come with inherent risks, such as bad actors (e.g. an insider job; Bithumb, 2019), lack of administrator integrity (e.g. the BitConnect exit scam) and susceptibility to government demands (e.g. the IRS forcing compliance). When Nakamoto references “identity thieves,” he refers to data breaches in which hackers gain access to and profit from PII, either by directly stealing funds, selling the PII to interested parties or extortion. Given all the PII provided, KYC creates a honeypot of user information that is ripe for exploitation.
Data breaches have become more and more prevalent over the years:
According to Statista, data breaches have increased over 500% from 2005 through 2020. Furthermore, according to the Cost of Data Breach Report, 80% of all data breaches in 2019 included customer PII (name, credit card information, health records and payment information). Data breaches may also include more sensitive types of PII, such as social security number, driver’s license number or biometrics.
All third parties that must be trusted are susceptible to a data breach, including bitcoin companies. For instance, consider the Ledger hack of July 2020. In an official statement by the Ledger CEO, “1 million email addresses had been stolen as well as 9,532 more detailed personal information (postal addresses, name, surname and phone number).” That same year, the Ledger customer database was dumped onto Raidforum, a database sharing and marketplace forum. Thereafter, several Ledger users reported phishing attempts, extortion and threatening emails, including threats of kidnapping and violence, such as murder.
Reddit user Cuongnq received a phishing email prompting him to “download the latest version of Ledger Live” and to follow the instructions to set up a “new PIN” for his wallet. Another Reddit user, Silkblueberry, received an email stating that hackers had videos of him “masturbating to porn” and that they would post the videos publicly unless he sent them bitcoin as payment. Silkblueberry saw through the ploy. However, the hackers resorted to more extreme measures, threatening to associate his email with “child porn sites” and frame him as a “child predator” if he did not send them $500 in bitcoin. Yet another user received a phone call from an unknown man demanding payment. The man threatened he would “show up to [his] house, kidnap [him], and ‘stab to death’ any relatives living at [his] address” if he did not send a payment by midnight that night.
The Ledger hack is one example that illustrates how damaging an exploited KYC honeypot can be. Still, some might suggest that KYC services are needed because they offer an easy on-ramp for newcomers and that the exposure is worth the risk. To this, one can point to the many non-KYC alternatives known to preserve individual privacy and security. Furthermore, these non-KYC alternatives have become easier to use over time with the help of several guides and resources. These non-KYC alternatives include: (1) using decentralized peer-to-peer exchanges like Bisq Network or Hodl-Hodl to buy bitcoin; (2) buying privately from a bitcoin ATM; (3) buying or selling face-to-face, or selling goods and services, at a bitcoin meetup; and (4) mining bitcoin at home.
Others might cite the use of bitcoin in criminal activity and suggest KYC provides individuals with the peace of mind that one is not inadvertently supporting illicit activity. However, bitcoin’s use in criminal activity is small compared to that of the U.S. dollar. In 2017 during a judiciary committee hearing, Deputy Assistant Secretary of the Office of Terrorist Financing and Financial Crimes, Jennifer Fowler, testified that “although virtual currencies are used for illicit transactions, the volume is small compared to the volume of illicit activity through traditional financial services.” Given the differences in volume, it is unlikely one may inadvertently support criminal activity by buying non-KYC bitcoin. This becomes even more unlikely when one buys or sells peer-to-peer at a local bitcoin meetup or buys…