To submit, or not to submit

Why you should think twice before handing your identity over to a KYC (know your customer) database.

Dana J. Wright
7 min read · Aug 30, 2023
Abstract image of a silhouette of someone taking a biometric scan of a face.
Image created by the author.

Human intuition is an incredible tool. There are so many things we encounter in our day-to-day lives that are so deep and complex we’re unable to fully comprehend them at our current stage of cognitive development.

Online data collection is a perfect example. You have no clue what’s going to happen to your name, email address, location, biometrics and whatever else you submit when you sign up for an app or service.

Yet you make decisions about this all the time.

When you land on a create account page, a contact form, or an enter payment details page, you consciously or subconsciously run a quick assessment of how much you trust this company or platform, weigh that against how much you really want the thing that lies just beyond the data collection wall, and decide whether or not to submit.

I myself was in one of these situations just the other day.

The following is a quick retro on my decision making process, what my intuition was telling me, why I decided to override it, and the mounting consequences of making the wrong choice in these situations.

The email

Email from BlockFi notifying Dana that he can withdraw funds.
First email from BlockFi.

On August 17th, I receive an email from the crypto exchange BlockFi, notifying me that they were finally allowing me to withdraw my funds, which had been stuck there for almost a year.

BlockFi was once a massive crypto bank worth over $3 billion, but at some point FTX.US bought a controlling stake in it. And so in November of 2022, down it went with the collapse of the whole FTX empire. It shut down operations, disabled customer withdrawals and filed for bankruptcy.

The amount of assets I had in BlockFi was not that significant but also not exactly forgettable. Having followed along with the bankruptcy processes at other defunct crypto firms like Celsius and Voyager, I didn’t have high hopes of ever recovering those funds.

So the email came as a pleasant surprise.

The withdrawal request

Email from BlockFi confirming withdrawal request.
Second email from BlockFi: Withdrawal request received.

The withdrawal seemed simple enough.

I selected the asset I wanted to transfer, entered the amount and entered my wallet address. I put in only a small amount at first in order to test and make sure everything went smoothly, a habit I’ve formed after many hard lessons.

Shortly after, I receive an email confirmation with a summary of the withdrawal, but no funds arrive in my wallet. It’s not uncommon for transfers from centralized exchanges to take a long time, so I’m not too concerned about it and go about my day.

‘Shotgun KYC’

Email from Blockfi requesting identity verification.
Third email from BlockFi requesting identity verification.

A couple of hours later I receive another email from BlockFi saying that in order to complete the withdrawal request, I need to submit identity verification.

This scammy trick is called “shotgun KYC” and is well known in the crypto community.

It’s when an exchange lets you transfer as much as you want into your account with very little friction, but when you try to transfer funds out, you get hit with an onerous identity verification process that can take a very long time.

Users of various exchanges have reported waiting months for KYC to process, or even having their accounts frozen indefinitely.

“Shotgun KYC” was coined by odell in 2019.

To submit, or not to submit

Blockfi identity verification forms.
Form from BlockFi’s third party KYC provider.

I won’t dance around it, I submitted.

Six pieces of sensitive personally identifying information, my government ID and a liveness check (biometric face scan).

In retrospect, here are the reasons why:

  • In this case, there was a plausible reason for the identity verification beyond financial surveillance: the law firm may have needed to verify that the person making the withdrawal was in fact the legal holder of the claim.
  • The email said it could take up to 90 days to process the withdrawal, and I knew it could potentially take months, so I wanted to get in line ASAP.
  • There were enough funds at stake that, for me, it was worth the risks.

Different people will place different monetary values on their data. If you’re a billionaire, then the payout required for you to do a full KYC and incur those risks may be in the millions, or it may not be worth it at all.

For me, the threshold is much lower.

The important thing to understand is that you should be placing a monetary premium on your data.

Over time, the probability of the platform either selling it to a third party or getting hacked is about 100 percent, so you need to be compensated for that.
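As an added illustration (not code from the original post), here is the argument above turned into arithmetic: every extra party holding a copy of your record, and every extra year it sits in their database, pushes the chance of compromise towards 100 percent, and the "premium" you should demand is that probability multiplied by what an identity theft would cost you. The per-holder breach rate, number of holders, horizon and cost figures are all constructed assumptions, not measured data.

```python
"""Putting a number on the 'monetary premium' you should place on your KYC data.
Added example based on the essay's reasoning; every rate and cost below is a
constructed placeholder, not a measured figure."""

from dataclasses import dataclass


def compromise_probability(annual_rate_per_holder: float, holders: int, years: int) -> float:
    """Probability that at least one party holding a copy of your KYC record
    leaks, sells or loses it within `years`.

    Model (an assumption, not data): each holder independently compromises the
    record with probability `annual_rate_per_holder` in any given year, and the
    record is copied to `holders` parties (the exchange, its KYC vendor, and
    whoever they share it with). Survival requires every holder to stay clean
    every year, so the probability climbs towards 1 as either the number of
    holders or the horizon grows.
    """
    if not 0.0 <= annual_rate_per_holder <= 1.0:
        raise ValueError("annual rate must be a probability")
    if holders < 1 or years < 1:
        raise ValueError("need at least one holder and one year")
    survive_one_year = (1.0 - annual_rate_per_holder) ** holders
    return 1.0 - survive_one_year ** years


@dataclass(frozen=True)
class KycDecision:
    premium_required: float   # expected loss: what you should be paid to accept the risk
    funds_at_stake: float
    submit: bool


def decide(funds_at_stake: float, cost_if_identity_stolen: float,
           annual_rate_per_holder: float, holders: int, years: int,
           already_exposed: bool = False) -> KycDecision:
    """Submit only if what you stand to gain covers the expected loss.

    `already_exposed` captures the essay's closing point: if your ID and
    biometrics are already circulating from earlier breaches, one more copy
    adds almost no marginal risk, so the premium collapses to zero.
    """
    if already_exposed:
        p_marginal = 0.0
    else:
        p_marginal = compromise_probability(annual_rate_per_holder, holders, years)
    premium = p_marginal * cost_if_identity_stolen
    return KycDecision(premium_required=premium,
                       funds_at_stake=funds_at_stake,
                       submit=funds_at_stake >= premium)


if __name__ == "__main__":
    # Constructed numbers for illustration only: 5% per holder per year,
    # three holders (exchange, KYC vendor, one downstream recipient).
    p10 = compromise_probability(0.05, holders=3, years=10)
    p50 = compromise_probability(0.05, holders=3, years=50)
    print(f"compromise within 10 years: {p10:.0%}, within 50 years: {p50:.1%}")
    print(decide(funds_at_stake=2_000, cost_if_identity_stolen=20_000,
                 annual_rate_per_holder=0.05, holders=3, years=10))
    print(decide(funds_at_stake=2_000, cost_if_identity_stolen=20_000,
                 annual_rate_per_holder=0.05, holders=3, years=10,
                 already_exposed=True))
```

With the placeholder inputs, roughly 79 percent of records are compromised within ten years and over 99.9 percent within fifty, which is the "about 100 percent" intuition made explicit. The decision function then says no to submitting 2,000 of funds against a 20,000 identity-theft cost, but yes once the same data is already out there, matching the calculation the essay describes.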

The risks

Blockfi email telling Dana that identity verification helps safeguard his account and protects his assets.
Lies.

When I read that sentence in the email from BlockFi, I just rolled my eyes. I’m fully aware that it’s a pernicious lie, and that submitting to KYC exposes individuals to a whole host of attacks that they would never have to worry about otherwise.

To name a few:

  1. If your account gets hacked, it contains more than enough information for a thief to steal not just your funds, but your identity. Depending on your net worth relative to how much you keep on the exchange, your KYC information may be worth far more than your funds. Once a hacker gains access to your account, all that info is often downloadable straight from the settings menu, usually under privacy.
  2. If the exchange gets hacked, the customer data is an increasingly ripe target for attack. Exchanges face immediate legal, reputational and financial ruin for losing customer funds, but customer data not so much. I have yet to see any business compensate customers directly for losing their data in a hack.
  3. If the exchange shares your data, the possibilities for where your data can end up are infinite. This one is by far the scariest because exchanges can and do make your data available to analytics firms, other financial institutions and government agencies. Most now outsource the entire KYC process to a third party. For example, this one claims to house KYC data for over 1000 platforms.

I didn’t even know there were 1000 crypto platforms.

Once these third parties have your data, you completely lose control over it and forfeit any right to recourse in the event it gets compromised.

And it will be compromised, it’s only a matter of time.

The hack

Email from Blockfi notifying Dana that the KYC database had been hacked.
Fourth email from BlockFi notifying me my data was hacked.

On August 24th (just seven days after the first email), I receive an email from BlockFi saying that the vendor they use for KYC experienced a data breach and that an unspecified boatload of client data had been harvested by an unauthorized third party.

You really can’t make this shit up.

With the timing, I think it’s safe to assume the attacker already had access to the systems in question.

They were probably just biding their time, waiting in the tall grass for BlockFi to open withdrawals and compel tens of thousands of people to submit their data. Then strike.

These are often highly sophisticated actors.

Final thoughts

In hindsight, had I known my data would be compromised immediately would I have submitted?

Actually, yes. I’ve already submitted and had my KYC data hacked a bunch of times. If that wasn’t the case, maybe it would be a different calculation, but as it is I don’t really give a shit anymore.

But for those whose biometrics and government IDs haven’t already been harvested, bought and sold on the dark web several times over, it’s important to understand that submitting to KYC is an extremely risky endeavor.

At best, it vastly increases the surface area for having your identity stolen. At worst, it’s a tool for mass financial surveillance. All the three-letter agencies have backdoors and are using this data in crazy ways that you would likely never agree to if given the choice.

Bottom line: Your data is only secure when it never gets collected at all.

So next time you’re staring at one of these forms, recognize the value of what’s being requested, trust your intuition, and if the reward isn’t big enough, bounce.

Thanks for reading until the end. I work in crypto and think about it non-stop. You can find me on Twitter @dappbeast
