The whole mixer discussion, and also the ever-tightening regulations of Bitcoin/cryptocurrency services, made me think about whether KYC could at least be made more user-friendly. In particular, whether there are practices and methods that prevent hackers from stealing the identity of service users, or from linking different pieces of personal data together.
Of course, in general I strongly prefer non-KYC services (for well-known reasons; read this excellent thread by 1miau). But in particular for the fiat-to-Bitcoin on- and off-ramping step, the choice of services is limited, above all in some lesser-known currencies.
In reality, it is not the KYC data collection itself that is the most problematic step, but the verification process, which often involves images and videos of the user and his/her documents.
So here I want to collect methods and "best" (or "least bad") practices which at least make identity theft more difficult.
- Offline verification services. In some countries "old-style" verification methods exist, like Postident in Germany. In these cases you go to a store, show your ID document, and the store employee thus confirms to the service provider that you are the person you claim to be. Sometimes a copy of your ID document or passport has to be delivered, which makes the whole process a bit more vulnerable if it is stored digitally, but on the whole I think these methods are still preferable, because a black-and-white passport copy often has low resolution and would not be useful for a criminal trying to pass an online KYC verification with your data.
- Proving ownership of a bank account (added Aug. 2024). The service provider sends a very small amount of money (a few cents) to the user and attaches a message. The user has to provide that message to the service. Doing this twice, with at least 30 days between the first and second time, should be safe enough to deter most attempts to "game" that method, e.g. with a stolen bank account.
- Registration without email or phone. While email addresses or phone numbers seem not to matter much if you have to submit an ID photo, selfie or video anyway, they are elements that can be linked to the rest of your data, making the construction of a fake identity easier. Thus a registration based, for example, on a public/private key pair (as on the Nostr network) is a little less dangerous.
- Selfies with dates and service names on paper (to link the photo/video to the registration date and the service). This is actually quite common, but I guess with the advent of AI imagery tools it is less effective than it was before. (Edit: There are variants like the street selfie, where even more items are required to be present in the selfie, such as a sign with the street address, but these seem overly intrusive and carry other dangers, so I don't want to point them out as "good" examples here, even if they might make identity theft more difficult too.)
- Transparency: it should be clear who does the KYC verification and who stores the personal data, the service provider itself or a third party, and details about the third party should be provided in the ToS of the service (providers located in countries with the GDPR or other strict data protection laws should offer this).
Do other such methods exist that still allow a trustworthy verification while making identity theft difficult? Are there examples in the Bitcoin/crypto service world?
I could imagine methods based on cryptography, where an image, for example, can only be considered valid if the user digitally signs it together with a message that links it to a service and a date. It would basically be the "digital variant" of the selfie method mentioned above. But the problem here is that this would have to be a universal standard, because the photo could also be used on another service which requires it.
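As an added illustration of that signed-image idea (my own sketch, not code from the original post or any existing service): the user signs a hash of the image together with the service name and the date, and the service only accepts the image if the signature verifies against its own name and the current date, so a copy of the image cannot be replayed at another service or at a later time. The message layout, the service names and the date format are assumptions; the public key would be the one the account was registered with, as in the key-pair registration mentioned above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Attestation binds one image to one service and one date (assumed layout, not a standard).
type Attestation struct {
	ImageHash string            // SHA-256 of the image bytes, hex encoded
	Service   string            // service the user is registering with
	Date      string            // registration date, YYYY-MM-DD
	PublicKey ed25519.PublicKey // key the account was registered with
	Signature []byte
}

// message canonicalises the fields the signature covers; a version prefix and
// newline separators keep the fields from being shifted into one another.
func message(imageHash, service, date string) []byte {
	return []byte("kyc-image-attestation/v1\n" + imageHash + "\n" + service + "\n" + date + "\n")
}

// Attest is run on the user's side with the user's private key.
func Attest(priv ed25519.PrivateKey, image []byte, service, date string) Attestation {
	h := sha256.Sum256(image)
	hash := hex.EncodeToString(h[:])
	return Attestation{ImageHash: hash, Service: service, Date: date,
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, message(hash, service, date))}
}

// Verify is run by the service: recompute the hash from the uploaded bytes, insist the
// attestation names this service and the expected date (a real deployment would allow a
// short window), and only then check the signature against the registered public key.
func Verify(a Attestation, image []byte, expectedService, expectedDate string) bool {
	h := sha256.Sum256(image)
	hash := hex.EncodeToString(h[:])
	if hash != a.ImageHash || a.Service != expectedService || a.Date != expectedDate {
		return false
	}
	return ed25519.Verify(a.PublicKey, message(hash, a.Service, a.Date), a.Signature)
}

func main() {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	selfie := []byte("constructed stand-in for selfie bytes") // constructed sample input
	a := Attest(priv, selfie, "exchange-a.example", "2024-08-15")
	fmt.Println(Verify(a, selfie, "exchange-a.example", "2024-08-15")) // true
	fmt.Println(Verify(a, selfie, "exchange-b.example", "2024-08-15")) // false: other service
	fmt.Println(Verify(a, selfie, "exchange-a.example", "2024-09-01")) // false: other date
}
```

What the scheme does not cover: an attacker who holds both the image and the user's private key can still sign a fresh attestation, so it protects against leaked images, not against a compromised key.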