Topic: Trezor implements Address Ownership Proof Protocol, more regulation less privacy - page 2. (Read 357 times)

I gotta say, I didn't expect this move. Somehow, I thought the govs wouldn't go as far as to demand KYC on basically any kind of ownership of Bitcoin... Exchanges is one thing, but not being able to withdraw freely is another... Very disturbing news, and that's happening in well-developed countries, so others are likely to follow. I wonder why cash is still being ignored. People can exchange it from hands to hands freely, without any documentation and often even without limits of sums. Here's a report called "Why is cash still king" from the European Police Office (2015), and it says
It's unfair that cryptos face such strict regulations when cash is still the key to illegal activities and is barely regulated.

I don't like the direction where the wind is blowing to but looks like this soon will be a world wide spread. I don't think this will affect those who are more privacy concern, at least not for now. I don't know any CEX exchange not requiring KYC process of verification before you can withdraw anything (or maybe small amours below 50$) so privacy and CEX cannot go together.

Paper wallets and offline cold wallets are the way.

this is not about trezor asking for your real life ID. its not about putting anything identifiable into a bitcoin transaction/blockchain.
its about a wallet that signs using a keypair which they want the withdrawal to go to, signing a 'session token' that the exchange gives to the exchange logged in users so that the exchange can see the person (logged in) requesting the withdrawal owns the address the withdrawal is going to
..
the way it works is exchanges with this scheme implemented has a API call where a wallet talks to the exchange on a different protocol from the bitcoin network to send the exchange a message that include a bitcoin address and a signature(signing for a message that includes the session token of the exchange login).

for emphasis, this is not adding anything special into a blockchain transaction.. its all done at API level (secret messages between peered software connections)

(the pro)
that way an exchange knows that the person getting the withdrawal is the person that logged into the exchange to make the request.

(the con)
ofcourse associating exchange login session via a token with a withdrawal address via these api messages means the exchange knows a little more about you. because inside the exchange they do ask for your ID when doing market orders. and so they can associate a real life ID to the withdrawal address.
but then again they kinda already did assume this.

(the pro)
it does not reveal anything outside of the exchange-wallet secret peer connection. meaning its not showing any ID in the bitcoin transaction itself

(pro)
you are then free once you get your withdraw to your local wallet to spend it to anyone you please and to move it to any wallet you please that does not do these api calls
it seems more of a protection to ensure only logged in users gets the withdrawal, or where an exchange is doing arbitrage an exchange-exchange can identify each other and share data (at API call level) not at bitcoin transaction level.

(con)
it seems more like posturing to pretend its extra security and only the withdraw requester(logged in user) gets the withdraw. but we all know hackers can play silly games, especially if they had access to the log-in details.

(con)
exchanges that implement this means that users have more of a headache when trying to withdraw as they need to prove the withdrawal address is that of the user logged in that is requesting the withdrawal.

(con)
hackers getting access to someones log-in can still ask for a withdrawal and sign the 'session token' to say they own the address for the withdrawal and know the session token for that login. thus they still can steal funds

(con)
chain analysis services where exchanges share customer data can see that if a withdrawal address is customer 'alice' and the other exchange getting a deposit has an id for 'alice' then all the taint of bitcoin transactions from the withdrawal to the deposit (inbetween on the blockchain) must also belong to alice. even if she has 'sweeped' addresses into new addresses in her local wallet

(con and pro)
if 'alice' used a mixer to sever the taint, it just appears as 'alice' using 2 separate stashes of funds.
the withdrawal association ends at the withdrawal. and the deposit association begins at the deposit
this could be wrongly seen as alice laundering. or alice having 2x the amount of assets. becasue the exchanges cannot link the 2 stashes
..
overall..
because hackers can still log-in and request a withdrawal. and then just sign a session token. its not really stopping hackers taking peoples balance.
..
because its not extra data on the bitcoin transaction its not revealing anything at the blockchain level. but is simply just making users have a headache when asking for a withdrawal.
..
users cant just withdrawal to a lambo dealership to buy a car, they need to withdraw to a local wallet and then spend the funds in the local wallet with whomever they want.
.
i dont see it as privacy invasive. as its not adding anything new to the blockchain data. and its assumed that withdrawals are associated with the logged in user anyway. i think its just posturing to meet some regulation of ensuring the withdrawal is going to a logged in user(even if a hacker is said user)

Oh man and I thought putting the bitcoin into your wallet is itself the ownership for us.

So what will happen to the “not your keys not your bitcoins” pledge ? Is it not what we always learnt on this forum. I always knew government will some way another gonna let down the whole crypto ecosystem this way.

Don’t know after this I have started to think that government could just go and hire private companies to take down the whole privacy chain with them. You know like connecting with the wallet companies and paying them to option out for this KYC address stuff.

This is crazy rude.

 I wish it was only for Switzerland, but sadly it looks like there other countries such has the Netherlands, Singapore and many more are thinking implement it. You can be sure if it is "accepted" as the norm it will be done by many more countries.

From their own website: https://www.21analytics.ch/travel-rule-regulations/

Already set:

* Canada
* Germany
* Gibraltar
* Singapore
* Switzerland

Planned soon:
* Japan
* Lichtenstein
* New Zealand
* South Korea
* UK

I believe they do these to help regulators as well as user since this is a requirements on there country. Besides this feature is only implemented on Switzerland so that there own residents that using non Swiss exchange will automatically track for regulatory purposes. The country is implementing full regulation so I don't think this is a wrong move for them.

I believe the OP should clarify the content that this news is only for Swiss.

We keep coming back to the fact that centralization and decentralization do not mix well with each other. When you try to use centralized exchanges with decentralized bitcoin, that is what you get! A lot of invasive and restrictive measures. That goes with any other centralization, like using a centralized payment processor to send/receive bitcoin.

For example this news does not affect me at all since I'm not using any centralized exchanges and my wallet doesn't come from a centralized company!

However, such measures are not entirely new. It sounds to me that some exchanges are blacklisting bitcoins coming from mixers or crypto casinos, although I just looked it up and I can't find anything. If my memory is right, I guess more and more measures will be taken in the years to come, and the privacy space will depend a lot on people's reaction, which I don't have much confidence in, by the way.

I'm not a specialist but I see two things

Yes of course sadly it can be generalized. I could see in the future if you withdraw or used your coin to an address you do not own or that is not KYC that you get blacklisted and or your exchange account would be frozen.

Also it looks like the State (does not matter the country) want to micromanage and know it all even for trivial amount of money like 1000$ in this case or the 600$ mandatory reporting to IRS in the US. People do not realize but what they are doing now can be totally fine and legal and from one day to the other becoming illegal. This could put you on the wrong side of the fence even if you personally did not change.

Snowden in his book had a good point. Law are not supposed to make the state efficient. It should be as inefficient as possible. For instance requiring a warrant ensure you can't just go randomly inside someone's home, but you need reasonable proof of suspicion of wrong doing. We are moving to a society were you are no longer innocent until proven otherwise but you have to actively KYC, etc to prove you are not a criminal. This is backward and is seriously harming human freedom.

You can also imagine be prevented to get out of a country just because you have some money in bitcoin since you could escape and go potentially anywhere.

I would be interested to know the opinion of those who have been in this field for a longer period of time and have more technical knowledge.

It is clear that the authorities want to KYC everything. Before Bitcoin and cryptos appeared, they dreamed of the disappearance of cash and being able to control absolutely all economic transactions.

Now with cryptos they would also want to.

Do you think this measure can be generalized?

I think there will always be a space for privacy, but the problem is if it becomes smaller and smaller.

I am surprised that wallet want to involve in address ownership proof protocol, is it hard than individual to give their address to the exchange they are using? Noncustodial wallet should remain noncustodial wallet. What I see about this is a marketing strategy for trezor for people in the country to buy their hardware wallet, or may be trends or what is currently going on in the country but trezor should not have done anything.

BlueWallet and Sparrow Wallet was initially part of the list[1] as well; but they seem to have backpedalled after the (understandable) public outrage. Check their recent Tweets[2][3].

---

EDIT: Trezor update[4]:

---

[1] https://aopp.group/
[2] https://twitter.com/bluewalletio/status/1486805550608392194
[3] https://twitter.com/SparrowWallet/status/1486785866739728386
[4] https://twitter.com/Trezor/status/1487091879883722755

EDIT: They appear to have reverted it  (source: https://blog.trezor.io/a-decision-on-aopp-789540c2930b). I leave the original text bellow:


Apparently certain countries such as The Netherlands implemented a new rule/requirement. You cannot withdraw your coin from an exchange to an address they do not KYC.

If you want to self custody, you must prove you "own" an address before you can send anything. After the fucking OFAC compliant blocks we now have AML compliant transactions.

The protocol is called AOPP (short for Address Ownership Proof Protocol) and you can find all the details on their official website here: https://aopp.group/

If you look at the company behind this protocol 21analytics.ch they have some screenshots featuring their product. This combined with something like chainalysis can have devastating consequences for privacy. What is even more surprising is we have not only trezor implementing this bullshit but also sparrow and bluewallet....

Source: https://www.coindesk.com/tech/2022/01/27/trezor-adopts-swiss-travel-rule-protocol-for-private-crypto-wallets/

Some clarification / edit:
Yes for now its only for a few countries such as the Netherlands , Switzerland, Singapore, etc. But lets not be fooled, this will become normalized and more and more common.