May 9, 2024

The argument against bitcoin with KYC

In the Bitcoin whitepaper, Satoshi Nakamoto pointed out the need to create a cash system operating over the Internet without the need for a trusted intermediary.

A few months later, he introduced the Bitcoin network to the world. The following message was included in the genesis block of the Bitcoin blockchain: "The Times 03/Jan/2009 Chancellor on brink of second bailout for banks." On the one hand, this quote refers to a British news article about Chancellor Alistair Darling considering a second package of bank bailouts, that is, the injection of billions of British pounds into the economy. On the other hand, the quote points to Nakamoto's frustration with and distrust of the traditional financial system and, more broadly, of trusted intermediaries as such. This is clearly stated in the whitepaper's abstract, at the beginning of the first paragraph. In another section, Nakamoto compares the privacy model of traditional finance to that of Bitcoin. In the Bitcoin model, trusted intermediaries are no longer responsible for protecting a person's privacy by restricting access to information. In fact, no personal information is required at all. In one of the first posts on the Bitcoin forum, Nakamoto wrote:

"We have to trust them with our privacy, trust them not to allow identity thieves to drain our accounts… trust the system administrator with the safety of our data. The administrator may revise or revoke confidentiality at any time based on his or her own judgment weighing the principle of confidentiality against other concerns and priorities, or at the direction of superiors… It's time to do the same for money… without the need to trust a trusted intermediary, money can be secure and transactions easy… The result is a distributed system with no single point of failure. Users store [private] keys to their money and transact with each other directly."

Nakamoto was worried about the need to trust third parties with both privacy and money. In particular, Nakamoto cited several points of failure in the privacy model of traditional finance: unscrupulous actors or identity thieves, unscrupulous administrators, and the demands of «superiors» (e.g. governments). One manifestation of how these risks play out is the long history of governments devaluing currencies (Ammous, 2018), which includes the event mentioned in the genesis block. With Bitcoin, Nakamoto proposed solving these problems with a «distributed system with no single point of failure».

Bitcoin didn't suddenly appear out of nowhere. Ideas of «private», «sovereign» or «electronic» money had been discussed by many enthusiasts for at least a decade before the advent of Bitcoin. For example, Cypherpunk's Manifesto (1993) discusses anonymous transaction systems on the Internet, The Sovereign Individual (1997) predicts the emergence of private and Internet currencies without access levels, and Cryptonomicon (1999) describes anonymous digital gold. Nakamoto created Bitcoin with the following properties: Bitcoin is pseudonymous, can be used privately, and has no access restrictions. However, KYC policies [1] are a common and ongoing problem for those who wish to take advantage of these Bitcoin properties.

[1] «KYC» means confirming the account owner's identity using documents (driver's license, social security number, employment history, selfies, etc.) with third-party financial services (for example, bitcoin exchanges) on behalf of the Internal Revenue Service or other government organizations.

With the price of BTC rising in 2020–2021, Bitcoin companies have also experienced great growth. Coinbase reported in August 2021 that by the end of 2020 its user base had reached more than 35 million users in more than 100 countries. And in 2022, Coinbase released a 60-second commercial for the Super Bowl (an iconic sporting event in the United States with extremely expensive and prestigious advertising slots) with a QR code floating across the screen, which in just one minute collected more than 20 million clicks to the exchange page. Surojit Chatterjee, Coinbase's chief product officer, even called the event "historic and unprecedented." But Coinbase is just one of many successful companies. At the time of writing, Coinbase is in the top ten of CoinGecko's list of the most trusted crypto exchanges (the list is topped by twelve exchanges with the same maximum “trust rating”, and a couple of weeks ago FTX was probably also there - counterparty risk is realized quickly). All these exchanges combined have identified millions and millions of users through KYC. This massive KYC effort directly contradicts Nakamoto's idea of a pseudonymous, open, peer-to-peer (p2p) and trustless cash system. Moreover, KYC creates honeypots (literally “pots of honey”) of user information that are vulnerable and attractive to attackers, and gives rise to a social system with different levels of access.

KYC creates «honeypots» with information about users

Whenever a person creates an account on an exchange or other similar centralized service, he will most likely be asked to provide identification data (ID) for KYC. Such ID typically includes a selfie, driver's license, social security number, residential address, email and phone number and is usually stored by a third party, such as Prime Trust. When Nakamoto said, “We have to trust them with our privacy, trust them not to let identity thieves drain our accounts,” this «them» should also be extended to intermediary Bitcoin services. The involvement of third parties carries inherent risks of misconduct (by the company or its individual employees) and vulnerability to government requirements (in terms of compliance or the ability of the system to operate). When Nakamoto talks about «identity thieves», he is referring to data leaks in which «hackers» gain access to user IDs and can profit from them through direct theft of funds, sale of this data to interested parties, or extortion. Given the completeness of user-provided identifiers, KYC practices create «honeypots» of user information, ready for hacking and misuse.

Over the years, data leaks have become more and more widespread. According to Statista, from 2005 to 2020, the number of data breaches increased by more than 500%. According to the «Cost of Data Breach Report» (PDF) from IBM Security, 80% of all data breaches in 2019 involved user IDs (i.e. name, credit card information, medical records, payment information, etc.). Data breaches can also affect more sensitive types of ID: social security number, driver's license or biometric data.

All trusted third parties are at risk of data leaks, and Bitcoin companies are of course no exception. Consider the July 2020 Ledger hack as an example. In an official statement, the company's CEO said that "1 million email addresses were stolen, as well as 9,532 more detailed personal data (mailing address, first name, last name and phone number)." That same year, Ledger's customer database was posted on RaidForums, a database exchange and sales forum. Since then, several Ledger users have reported phishing attempts, extortion, and threatening emails, including threats of kidnapping and violence, up to and including murder.

Reddit user Cuongnq received a phishing email in which he was asked to «download the latest version of Ledger Live» and follow the instructions to set up a «new PIN» for his wallet. Another Reddit user, Silkblueberry, received an email saying that hackers had videos of him "masturbating to porn" and that they would release the videos publicly unless he sent them the equivalent of $500 in BTC. Silkblueberry didn't fall for the trick. However, the hackers increased the pressure by threatening to link his email to «child porn sites» and present him as a «pedophile and child abuser» if he did not send them the required $500 in bitcoins. Another user received a phone call from an unknown man demanding payment. The man threatened that he would come to the user’s home, kidnap him and “kill everyone who was in the house” if he did not send the required amount by 00:00 that same night.

The Ledger hack is just one example showing what the consequences of a hack or leak from a KYC data «honeypot» can be. Some might, however, suggest that KYC services are necessary because they lower the barrier to entry for newbies, and that some additional risk is worth it. In answer to this, there are a number of KYC-free alternatives that focus on user privacy and security. And over time, these KYC-free alternatives become easier to use thanks to user guides and information resources. Such alternative solutions include: (1) using decentralized p2p exchanges to purchase bitcoins; (2) private purchase via Bitcoin ATM; (3) face-to-face buying/selling or trading of goods and services at Bitcoin meetups; and (4) mining.

Others may refer to the use of Bitcoin in criminal activity and suggest that KYC gives people confidence that they are not supporting any illegal activity. But the use of Bitcoin in criminal activity is minor compared to the use of the US dollar. Statistics speak to this, and in 2017, during a hearing before the US Senate Judiciary Committee, Jennifer Fowler, an official from the Terrorism Financing and Financial Crimes Administration, stated (PDF) that «although virtual currencies are used for criminal financial transactions, their volume is small compared to criminal transactions through traditional financial services». Given the difference in volumes, the likelihood of accidentally contributing to criminal activity by buying Bitcoin without KYC is, frankly, small. And this becomes even less likely when purchasing through a Bitcoin ATM or, even more so, when mining.

Bitcoin was intended to be pseudonymous, but the current alarming spread of KYC completely undermines this property. Millions of users around the world have personal data tied to their bitcoins, and each of them contributes to the creation of «honeypots» of user information. This remains true even as data leaks have become an almost everyday occurrence. Instead of sacrificing their own pseudonymity, taking on additional risks and contributing to the problem, users should take the initiative and be part of the solution: they should regain their pseudonymity, reduce risks and protect their own data by choosing alternative solutions without KYC.

KYC gives birth to a social system with controlled access

The Bitcoin network is an open cash system for everyone, not under the control of any third parties. However, most people do not use Bitcoin in this way. Instead, people began to rely on centralized KYC services - exchanges, yield generation platforms and cloud mining, among others. KYC undermines not only the pseudonymity of users, but also the confidentiality of their transactions. This is true even after bitcoins are taken into self-custody. Unlike physical money, where a bank cannot track what a person does with it after withdrawal, with digital currencies a third party, such as an exchange, can track what a person does with their bitcoins after withdrawal, at least unless the user takes additional privacy measures, such as participating in CoinJoin [2]. But even if a user's personal data can be separated from their Bitcoin transaction history, the third party with KYC still stores all of their identification data (ID), including name, address, selfie and total purchase amount. By holding user IDs and having the ability to «spy» on their transactions, KYC generates a social system with restrictions on access levels. There are many examples of how KYC leads to a social system with controlled access (limits and restrictions, intrusive verification measures, white lists of addresses and government intervention). In this part of the article I want to talk about CoinJoin as an example of a healthy practice in the interests of users that is nevertheless prohibited in a social system with controlled access. I chose CoinJoin because of the important role it can play in everyday privacy.

[2] CoinJoin is a kind of mixing: a «trustless» method of joining multiple Bitcoin payments from different senders in a single transaction to make it difficult for an outside observer to determine which sender sent the payment to which recipient (or recipients). In other words, CoinJoin is a privacy tool that hides transaction history by undermining the heuristic of shared ownership of inputs. This effectively and reliably provides users with application-level privacy without changing the underlying Bitcoin protocol.

Since the Bitcoin blockchain is a form of public ledger, it is good practice to conduct every spend through CoinJoin. This is true for two reasons: first, CoinJoin limits any conclusions that an outside observer can draw from your transaction history, and second, it protects you from others having access to your financial information. The first reason is important because, as stated above, a third party with KYC can track what a person does with their bitcoins, and CoinJoin can provide privacy to the user. The second reason is important because, unlike cash or debit and credit cards, where the merchant (i.e. the payee) cannot look into the payer's finances (i.e. bank account details), with Bitcoin the payee can do it. It's like attaching a bank statement to every transaction you make.
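The heuristic of shared ownership of inputs mentioned in footnote [2], shown as an added example that is not part of the original article: an observer groups all addresses spent together in one transaction under one owner, which works for an ordinary payment and gives a false result for a CoinJoin. The transactions, addresses and amounts are constructed, and `cluster_by_common_inputs` and `anonymity_set` are hypothetical helper names.

```python
from collections import Counter

# Constructed transactions (not real chain data). Amounts are in satoshi.
PAYMENT = {  # one wallet (Alice) paying a shop from two of her addresses
    "inputs": [("alice_a", 60_000), ("alice_b", 50_000)],
    "outputs": [("shop", 100_000), ("alice_change", 9_000)],
}
COINJOIN = {  # three unrelated users joining their payments
    "inputs": [("alice_c", 130_000), ("bob_a", 105_000), ("carol_a", 250_000)],
    "outputs": [("mix_1", 100_000), ("mix_2", 100_000), ("mix_3", 100_000),
                ("change_1", 29_000), ("change_2", 4_000), ("change_3", 149_000)],
}


def cluster_by_common_inputs(txs):
    """Apply the shared-input-ownership heuristic: all input addresses of a
    transaction are assumed to have one owner. Returns a list of address sets."""
    parent = {}

    def find(addr):
        parent.setdefault(addr, addr)
        while parent[addr] != addr:
            parent[addr] = parent[parent[addr]]  # path halving
            addr = parent[addr]
        return addr

    for tx in txs:
        addrs = [addr for addr, _ in tx["inputs"]]
        root = find(addrs[0])
        for other in addrs[1:]:
            parent[find(other)] = root  # merge into the first input's cluster
    clusters = {}
    for addr in parent:
        clusters.setdefault(find(addr), set()).add(addr)
    return list(clusters.values())


def anonymity_set(tx):
    """Size of the largest group of equal-valued outputs, capped by the number
    of inputs. 1 means every output can be told apart by its amount."""
    counts = Counter(amount for _, amount in tx["outputs"])
    return min(max(counts.values()), len(tx["inputs"]))


if __name__ == "__main__":
    for cluster in cluster_by_common_inputs([PAYMENT, COINJOIN]):
        print("assumed single owner:", sorted(cluster))
    print("payment anonymity set: ", anonymity_set(PAYMENT))
    print("coinjoin anonymity set:", anonymity_set(COINJOIN))
```

For the payment the cluster is correct (both addresses are Alice's); for the CoinJoin the same rule wrongly attributes Alice's, Bob's and Carol's addresses to one owner, and the three equal outputs cannot be matched to a specific input.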

If you think about it for a second, it’s easy to understand the privacy implications of such practices. One humorous example was given on the Samourai Wallet blog: “Imagine if your church pastor could see your OnlyFans subscription when you put a dollar in the offering plate.” The dollar bill is used here as a metaphor for a regular Bitcoin transaction. In this example CoinJoin, by masking the transaction history, would provide the user with the necessary confidentiality and allow him to avoid this awkward situation. Or another, more extreme example: imagine that you pay someone a small amount, but use a large UTXO in the transaction. The recipient of the transaction will be able to see that the sender owns a significant amount of BTC, and this may expose the sender to increased risk. A CoinJoin transaction would break a large UTXO into smaller ones, which would reduce the recipient's ability to determine the size of the sender's savings. It is clear from these examples that Bitcoin lacks essential qualities of physical cash that CoinJoin is able to make up for. Despite the benefits CoinJoin provides to users, third-party KYC services operate under the false premise that CoinJoins are malicious or risky and prohibit their use. Given how common bans on CoinJoin transactions are among the most popular exchanges, the controlled access social system effectively defines them as a «bad» practice.

Take BlockFi for example. The service has a Prohibited Uses page, which states that the service adheres to a “strict regulatory compliance policy” and therefore prohibits deposits and withdrawals of funds to or from mixing services, peer-to-peer and other exchanges without KYC, gambling sites and darknet marketplaces. In addition, BlockFi «reserves the right to return funds and freeze/close accounts as necessary». And BlockFi is just one of many services that prohibit or flag the use of CoinJoin. In one of the more extreme examples, Reddit user Bujuu reported that his account on the exchange was closed due to the «quantity and frequency» of CoinJoin transactions. The exchange (Bitvavo) said Bujuu posed an «unacceptable risk» and closed his account as a mitigation measure. Bujuu later said: “It’s annoying that I can’t do what I want with my BTC, that someone is watching it.” The CoinJoin bans are perhaps one of the clearest examples of how KYC engenders a controlled access social system.

Other users have reported slightly milder cases. One tweeted: «@bottlepay rejected my incoming BTC transaction due to coins being in Samourai Wallet and/or being mixed in Whirlpool». Marty reported a problem with depositing funds, which indicates a retrospective analysis of the history of his coins. Similar levels of intervention have been reported by others. One Paxos user received the following email from the exchange: «We noticed that a BTC withdrawal from your account was potentially sent to a well-known mixing service. This type of transaction is not permitted by the platform rules. Please confirm whether you have sent funds to the mixing service.» This time the problem arose during the withdrawal of funds, which indicates an analysis of the further movement of coins. Moreover, one of the users claimed to have «received an email from Bitwala (now Nuri) about a couple of transactions after CoinJoin that occurred 6 months ago», and another wrote that he received an email from BitMEX about an old (~8 months) BTC deposit transaction, which «may involve activities contrary to clause 1.1(a) of the terms of service» - this was a Joinmarket CoinJoin. The last two examples show the depth of blockchain analysis performed by centralized KYC services.

Everything taken together shows how all-pervasive a social system with controlled access can be. Users have a healthy desire to reap the benefits of CoinJoin, but this is seen as a risky and prohibited practice by many large KYC exchanges and similar services. This general opposition to CoinJoin, along with the blatant on-chain analysis of user coins, leaves millions of users of these services in a vulnerable position. First, they are denied the basic right to privacy, and if they try to exercise this right, they face penalties. And secondly, the users of these KYC services are, in fact, being monitored. Any reasonable person would agree that this is not a very healthy situation, especially when it comes to participating in an independent and alternative monetary system that does not need such trusted intermediaries in principle. Despite the obvious benefits that CoinJoin can offer users, the prevailing opinion of the largest centralized services is that CoinJoins are too «risky». On a CoinJoin panel at the 2022 Bitcoin Conference, Craig Rowe, founder of Sparrow Wallet, said:

"If we use more tools (like CoinJoin) that we have today, it will change the perception of such tools in the eyes of people and the community as a whole. If CoinJoins become widespread, it will change how the community feels about them, and I think it's important not to wait too long and really start using these tools as it affects how rules and norms are shaped in the world."

According to Rowe, the normalization of CoinJoin largely depends on how prevalent its use is. Therefore, people should take care to exercise their rights to privacy and confidentiality. This cannot be done from within a controlled access system: it will not provide such an opportunity. Rather, the normalization of CoinJoin should be implemented outside of this system: for example, in the Bitcoin network as it was intended - free, open and without access levels.

Conclusion

In this article I argue that KYC practices create «honeypots» (centralized points of vulnerability) of user data and give rise to a social system with controlled access. While going through KYC, users are forced to provide a large amount of sensitive personal information, contributing to the emergence of such “honeypots”. This action alone is enough to negate the pseudonymity of the network, since in this way the user's identity is associated with the bitcoins he owns. Additionally, users once again have to trust third parties to keep sensitive information about them safe. Also, by agreeing to KYC, a person voluntarily enters into a controlled access relationship with a third party. That is, the user undertakes to comply with the rules established by the third party, or otherwise risks facing punitive measures on its part, such as the seizure or freezing of assets or account closure. Given the important role that CoinJoins play in everyday privacy, I have included them as an example of prohibited behavior in an access-controlled system. And my arguments confirm that KYC does indeed create «honeypots» of user data and a social system with controlled access, with severe consequences for user privacy.
