The hashing privacy thing is cool. I hope that a company like Blockscore can implement it.
Going forward, the Namecoin protocol - or something like it - can define systems for identity that mesh well with the needs of US business' KYC/AML procedures. Services like onename.io are compelling, but from a security and privacy standpoint; are far worse than the doomsday scenario people clamored over when the rumor spread that CoinApex was trying to build govcoin.
Here are some criteria I think will serve as a starting point for taking back consumer privacy control:
-Define a protocol for hashing identity information (CIP info like name, dob, social, etc.) so that it can be indexed and referenced
-Have a method for salting it such that the owner of the identity can grant and revoke access to the hash for their information with a builtin TTL for data requests
-Apply this methodology to the extant identity databases (government, public record, private)
-Form a responsible group to advocate for adoption whom are motivated by the interests of individual privacy
Ultimately I believe privacy can be enhanced by orders of magnitude while not stepping on the toes of law enforcement's abilities. Applying some of the basic principles of hashing and salting can help us avoid the current scenario. Here is what some current KYC/AML systems look like for massive corporations (not just bitcoin startups):
-Company A is required to do XYZ crime preventative measure which compels them to collect ABC data from their users.
-The data is neither encrypted nor hashed in the web browsing session, on the wire, or in the database of company A. Sometimes it may be hashed in the database of company A using hashing algorithms which are deprecated due to operator ignorance. Sometimes it cannot be hashed via modern tools because laws REQUIRE that it be hashed via deprecated algorithms (this also happens for government organizations, not just private industry.)
-The data is often tied to financial data such as credit card number, bank account details, or access to balances for online banking, paypal, etc. Giving an ideal target for an attacker.
-Typically the data is cross-referenced with company B. It is often sent without encryption, and in the rare chance that it is encrypted - dated algorithms are used. In the ultra rare chance that modern technology is used, in my experience, the decrypted data is NEVER a hash of the user's private information - it is always plaintext. Company B is cross referencing for company A the plain text private information and not a hashed version.
-Company B responds to company A that the identity pairs with an identity in their system (the matching is far from robust, more of a "it's probably him")
-Company A can proceed with whatever it was they wanted to facilitate for the end user
Need I mention that various company As and various company Bs have different protocols, data sets, etc. requiring that each user needs to upload this private information EVERY time they want to interact with a new company. There are some unified approaches, but almost always come from a centralized company and/or are not used by any substantive percentage of the market.
I hope it is as glaring obvious to others as to why this is a problem, especially as we move more of our finances and identity online.
Topic: Why I worked on CoinValidation (Read 1817 times)
Alex,
I think you've done some great work and I am actually very curious about your findings.
-Aaron
I think you've done some great work and I am actually very curious about your findings.
-Aaron
If you’re unfamiliar with CoinValidation, that about sums it up… It was never clear to begin with. There are several reasons for why it’s not straight forward, and below I’ll attempt to sort it all out. First let me say the following:
CoinValidation.com was an attempt to innovate in what we thought may be the most controversial side of Bitcoin; the identity layer. It is not a specific technology, the idea of whitelisting/blacklisting/xlisting whatever is totally off-base and was a rumor. Here is what CV really is:
It’s a thinktank.
It was an attempt by a small group of people to solve one of Bitcoin’s largest problems: no one was creating new technology in the identity layer of Bitcoin. We did not specifically want to endorse or profit from some piece of tech like blockchain analysis or whitelisting, etc. We simply wanted to explore what was possible. We found some interesting things, like tech that could reduce the risk of privacy loss in the standard KYC model. But that all went unheard because people thought we were trying to hurt user privacy or to affect fungibility.
People thought that we were building a for-profit startup focused on selling tech and user data wholesale… In fact, we were trying to do the exact opposite of that. It could best be described as a thinktank for the KYC and regulatory side of Bitcoin – which we had become familiar with during our time at Bitinstant.
Some of the ideas we explored and want to continue to explore:
Here are some of the realizations we’ve had in exploring the above questions:
We stopped working on exploring these concepts because
I continue to work on innovations on the regulatory front, but for obvious reasons – not at the level I probably should.
Still, here is what I believe is possible for companies:
Now the fact that it is possible - doesn’t mean I’m endorsing it. Working with regulations here in the US is not some lofty philosophical decision for me. Businesses are going to work within that framework regardless of my thoughts on it because that is what the market will dictate. I’m simply trying to help navigate that landscape responsibly. Even though my personally philosophies are often in line with those of libertarianism.
People are going to buy their Bitcoins in the most efficient and effective way possible to them. The path the masses take to acquire and use Bitcoins will be the one which has the best user experience, closely parallels what they are used to, and costs the least. The masses don’t care about Ayn Rand or crypto anarchy.
We can push the boundaries of what is possible if we can stop fighting and solve real problems. Problems like this:
Real change takes real work, and it’s not going to get done if the people innovating are ostracized for thinking outside the box. Creating real change is a massive undertaking. The challenge of navigating the Bitcoin legal landscape is going to take a lot of hard work and cooperation. Please feel free to comment with your questions about regulation here in the US – we have a lot of experience in this space and want to share what we’ve learned.
Of course CV failed at reaching minds with what we thought was very important information. But failing is how we learn sometimes, and I’m grateful that there are those in the community who see that what we work on is valuable. Thank you.
CoinValidation.com was an attempt to innovate in what we thought may be the most controversial side of Bitcoin; the identity layer. It is not a specific technology, the idea of whitelisting/blacklisting/xlisting whatever is totally off-base and was a rumor. Here is what CV really is:
It’s a thinktank.
It was an attempt by a small group of people to solve one of Bitcoin’s largest problems: no one was creating new technology in the identity layer of Bitcoin. We did not specifically want to endorse or profit from some piece of tech like blockchain analysis or whitelisting, etc. We simply wanted to explore what was possible. We found some interesting things, like tech that could reduce the risk of privacy loss in the standard KYC model. But that all went unheard because people thought we were trying to hurt user privacy or to affect fungibility.
People thought that we were building a for-profit startup focused on selling tech and user data wholesale… In fact, we were trying to do the exact opposite of that. It could best be described as a thinktank for the KYC and regulatory side of Bitcoin – which we had become familiar with during our time at Bitinstant.
Some of the ideas we explored and want to continue to explore:
- How can Bitcoin companies comply with US regulations from a legal/tech standpoint?
- What can Bitcoin companies do differently vs. typical financial companies, but still be compliant?
- What is possible with blockchain analysis?
- How can Bitcoin companies communicate patterns of fraud to each other?
- How can ownership of assets be proven?
- Can something like the MIT PGP database exist for Bitcoin addresses?
- Is it unethical to build technology that enables Bitcoin businesses to tie into legacy systems?
- How sensitive is the Bitcoin community to a group of people experimenting with what’s possible?
Here are some of the realizations we’ve had in exploring the above questions:
- We facilitated the first underwriting of a mortgage to a bank as a proof of concept.
- Bitcoin companies can comply with the regulations, and yes it is very limiting.
- There are sophisticated ways that Bitcoin companies can communicate fraud patterns to each other.
- That kind of communication could prevent another Mt. Gox type of failure, which is inevitably going to happen because it is not being addressed.
- Blockchain analysis can be really scary.
- Bitcoin is not anonymous in most contexts.
- We designed a new way of hashing KYC data so that five points of attack can be reduced to two.
- We found ways for companies to satisfy BSA requirements without having to store or transmit user information.
We stopped working on exploring these concepts because
- No profit model translates to no funding.
- The community tried to burn us at the stake.
- I realized that I am not the best at public relations, and it’s hard to convey what I want to convey.
I continue to work on innovations on the regulatory front, but for obvious reasons – not at the level I probably should.
Still, here is what I believe is possible for companies:
- Satisfy regulatory requirements here in the US if they want to.
- Do it in a way that risks user privacy much less than what is currently in place in the Bitcoin ecosystem.
- Have a system with less fraud, better consumer protection and AML, and less privacy loss than what exists in traditional financial AND current Bitcoinland.
Now the fact that it is possible - doesn’t mean I’m endorsing it. Working with regulations here in the US is not some lofty philosophical decision for me. Businesses are going to work within that framework regardless of my thoughts on it because that is what the market will dictate. I’m simply trying to help navigate that landscape responsibly. Even though my personally philosophies are often in line with those of libertarianism.
People are going to buy their Bitcoins in the most efficient and effective way possible to them. The path the masses take to acquire and use Bitcoins will be the one which has the best user experience, closely parallels what they are used to, and costs the least. The masses don’t care about Ayn Rand or crypto anarchy.
We can push the boundaries of what is possible if we can stop fighting and solve real problems. Problems like this:
- Why are users giving their KYC information to shady companies?
- Why is the community trusting $700 million to one dude with an exchange written in PHP in Japan?
- What is being done to prevent that from happening again?
- Why is multi-sig not in full effect on every wallet valued greater than $1000?
- Why is the community already satisfying most of the regulatory requirements, kicking and screaming that they exist, and then doing almost nothing to realistically change it?
Real change takes real work, and it’s not going to get done if the people innovating are ostracized for thinking outside the box. Creating real change is a massive undertaking. The challenge of navigating the Bitcoin legal landscape is going to take a lot of hard work and cooperation. Please feel free to comment with your questions about regulation here in the US – we have a lot of experience in this space and want to share what we’ve learned.
Of course CV failed at reaching minds with what we thought was very important information. But failing is how we learn sometimes, and I’m grateful that there are those in the community who see that what we work on is valuable. Thank you.
Jump to: