Your money or your life?
As Iago says in Shakespeare Othello, “who steals my purse steals garbage; it’s something, nothing” before continuing to state (wildly, but he spoke long before the internet age) that “whoever steals me my reputation is robbing me of what does not enrich it and makes me really poor. ”If only that was the case, but in our modern world, it is quite clear that stealing good names from people in fact greatly enriches people. thieves and impoverishes their victims.
You can own this cartoon! It is available as a non-fungible token from OpenSea!
If a highway holds you back and demands your money or ID, what do you have to hand over?
Iago’s speech came to my mind when I read that Faruk Fatih Özer, founder of Turkish cryptocurrency exchange Thodex, who disappeared in April with $ 2 billion worth of cryptocurrency from the exchange, had leaked not only with clients’ cryptocurrencies, but also with their identities. As David Gerard so eloquently put it, Özer paid the most “careful attention” to money laundering compliance and took with it the Know-Your-Customer (KYC) data of hundreds of thousands of people. users. This data included scans of customers’ national identity cards, proving once again that identity digitization does not replace digital identity.
Mr Özer is now apparently in Albania. According to the latest press reports, he is in hiding with the manager of a food supply company. Turkey has arrested 62 people who are trying to find him and seek to extradite him. Who knows, they can be successful. But I have no doubt that Albanian organized criminal groups are already using scans of Turkish citizens’ ID cards to do no good.
Now, of course, the reason Mr Özer had clients’ personally identifiable information (PII) in such large quantities was because regulators had forced him to obtain it. So maybe it should be up to the regulators to fix the problem! But what are they going to do? What will happen to everyone whose identity has been stolen in this way? Will they all be given a new identity as part of a large national witness protection program while their old identities are revoked? Will the authorities give everyone a new name and number, cancel their old identity cards and send them new ones?
Well, of course not. Insane Customer Due Diligence (CDD) requests continually force us to pass our sensitive personal information to every Tom, Dick and Faruk on the internet doing nothing to help us when our personal information is inevitably compromised, as it should when it is. are broadcast. on the web at the request of regulators.
I hate giving free advice, but here’s what should happen …
Me: hello crypto exchange, I would like to open an account.
Exchange: ok, please login to your bank.
Bank. Hello Dave, someone wants to know who you are. Can I tell them?
Me: yes, but don’t give them any personal information.
Bank: ok exchange, here is a tamper-proof crypto message that contains a unique identifier for this client 1H3XBZQ29J to confirm that this is a real person that we have already performed due diligence on, that he is over 18 years old and that he resides in this country.
Trade-in: cool, thanks the bank, here’s $ 5 for your troubles and hello aboard the 1H3XBZQ29J.
Now, no one on the exchange knows who 1H3XBZQ29J is so when the exchange is hacked, as is usually the case, or massively cheated by employees, your personal information is not included. Simple. If the transaction analysis shows that 1H3XBZQ29J is sending huge sums of money to a shady businessman or corrupt politician, then law enforcement officers can ask a judge for a warrant, bring it to the bank and say “hey, that’s 1H3XBZQ29J” and the bank will tell them “this is Dave Birch”.
Names and numbers
We don’t want to remove CDD, but we don’t need personal information to meet legitimate law enforcement needs. The United States Office of Foreign Assets Control (OFAC), which enforces economic and trade sanctions, is currently looking for tools to track virtual currency transactions, such as those involving Bitcoin, to help build cases against individuals. , entities or organizations. that could appear on the “Specially Designated Nationals List” and I see no reason why this could not be expanded to include a “Specially Designated Cryptographic Identifier List” so law enforcement officers can tell a exchange “sorry but 1H3XBZQ29J is on the sanctions list so you can’t do business with them anymore”.
The key point here is that national security, law enforcement and the world of commerce have not been compromised because the exchange does not know who 1H3XBZQ29J is. There is no reason for the exchange to know who I am, as long as they know someone knows who I am. A regulated financial institution knows who 1H3XBZQ29J and that’s good enough.
By the way, using names as identifiers for due diligence purposes seems pretty pointless anyway. Anyone can change their name to anything, because names are attributes, not identifiers. In the UK, for example, hundreds of convicted sex offenders have paid £ 15 to change their names by voting document so as not to appear in court records searches. This only reinforces my prejudice that there is no earthly reason to store a person’s name in the records of anything. A ledger should be a place to store unique items, which uniquely identify a legal entity such as a person: some biometric data, for example, or a unique cryptographic key that has been previously authenticated by them. A name should only be treated as a slightly interesting attribute: it does not identify anyone.
So back to the question. Is it better for crooks to steal your money or your identity?
Think about it. You wake up in the morning and due to a North Korean cyber attack all your bank accounts are reset. What are you doing? As well as emailing your congressman unnecessarily to complain about his myopia in not developing a digital identity infrastructure, you would just use a credit card or get a loan from the bank, borrow money. money to friends or would apply to the government cyberattack assistance program. about your business.
But now, suppose instead that you wake up and Earth has gone through the tail of a mysterious commentary and your identity is gone. Now you are absolutely screwed. You go to the bank to get money and you can’t prove who you are, so they won’t give it to you. Now you can have some cash for a few days, but when your money runs out, you are on your own.
To paraphrase the Fabulous Furry Freak Brothers (there’s one for my teenage audience to think about), identity will get you through times without money better than money will get you through times without identity.