Why I said "on-chain KYC" may be a misguided path for Web3
Recently, Galxe (formerly Project Galaxy) announced the launch of Galxe Passport. Galxe claims that the project serves as a universal identity for users in Web3 and can store identity information securely and anonymously. The launch also borrows the popular "soulbound" concept: Galxe Passport will exist in the wallet in the form of a soulbound token (SBT).
However, since its launch the project has triggered extensive discussion in the community, and that discussion has continued to spread and has expanded to similar projects.

After trying it in practice, Odaily found that minting a Galxe Passport requires the user to provide identification, such as an ID card, passport or other documents. If you are not among the first 100,000 users to mint, this SBT even requires you to pay $5 at your own expense as an authentication fee.
There is no doubt that Galxe Passport is trying to collect user identity information and perform KYC verification for wallet addresses.
SBT is naturally suitable for KYC?
Some time ago, Vitalik Buterin ("V God") published an article about "soul binding", which brought NFTs into a field where no one had set foot before. Many viable use cases for SBTs have been proposed, such as trusted reputation data, certificates of skill and a better POAP, but these more practical use cases are still mostly experimental and far from reality.
At present, the most widely used SBT use cases are probably Binance BAB and Galxe Passport. And the two are highly similar: they are both on-chain KYC.
The characteristics of SBT determine that it can be used to store or prove certain information. From a formal point of view, this token is practical and convenient for KYC.
Currently, Web3 lacks native on-chain KYC solutions. When project teams conduct "real person" authentication, they mostly use Web2-based verification methods to achieve it indirectly, for example by authenticating Twitter accounts, Discord accounts and the like. Underneath, this relies on centralized Web2 infrastructure and has certain limitations.
Does the wallet address need KYC?
When project teams are trying to perform KYC on our wallet addresses, a more critical question deserves our attention: do wallet addresses need KYC?
KYC is certainly necessary across the crypto world, for reasons in many areas such as compliance, supervision and investor protection.
Decentralization is the cornerstone of the crypto world, and the account system built with wallet addresses as IDs has been operating stably for a long time. "Trustless" and "decentralization" are not just words. Through the long-term efforts of builders, crypto natives have really built a free world on-chain that does not require bank cards or passports. Smart contracts, DeFi, NFTs and other technological advances allow the decentralized world to run smoothly.
Worse than asset theft is identity theft
KYC certification of a wallet address is not a once-and-for-all solution. It may even have the exact opposite, negative consequences.
With KYC on centralized platforms, nothing too bad seems to happen. But this is precisely due to "centralization", not to any inherent advantage of KYC.
After KYC on a centralized platform, once a security incident such as password loss occurs, users can freeze and lock the account themselves based on their identity, and can also confirm the final ownership of the account. After KYC, the user is "verified". Although the data is kept by the centralized platform, the centralized process means that the ownership and identity of the user cannot be questioned, and all centralized data can be frozen, retrieved and canceled.
The platform, for its part, can also know the identity of the user, meet compliance requirements, confirm the authenticity of the user, eliminate bot interference, and so on. It is not a bad thing to perform KYC certification on a centralized platform.
But what happens when this set of processes is put on the chain? The ownership of the wallet is not guaranteed by a centralized institution based on identity documents, but is fully controlled by the private key. This also means that KYC has almost lost its greatest meaning: confirming the authenticity of users.
Although an SBT is non-transferable and cannot be traded, the wallet address can be shared. With the help of smart contract wallets, ownership of a wallet address can even be traded.
If the user uses a non-KYC on-chain address, the result is almost disastrous. For the project team, first of all, the user data obtained by the protocol may be distorted. Because the actual controller of the address can change, the actual behavior of the user on-chain and the behavior of the bound address may be quite different.
What are the problems?
In addition, the issue of data security also deserves enough attention. After the user performs operations such as KYC on the chain, where is the identity information stored?
In the future, as technology evolves (and as project teams raise their KYC requirements), will we need to submit our fingerprints, faces and certificates to the project team? Undoubtedly, the transmission and storage of this data is still Web2. Although we obtain an SBT as a data credential, the data security risk is still a Web2 problem. In addition, the project team still poses a huge moral hazard with respect to user data: no one knows how the project team will use it.
There is no doubt that on-chain KYC is a Web2-style data collection action that uses Web3 to encapsulate data credentials. This is a far cry from the Web3 concept that users have data sovereignty.
And in the crypto world, we usually have more than one wallet. A single address cannot represent a user, and it faces risks such as address changes and lost private keys. Encapsulating user identity information in a specific on-chain address produces a distorted result. The data and behavior of an address on a single chain often cannot fully represent the user.
The crypto world does need a trusted identity system, a more reliable DID. But is performing KYC on the wallet address really the best choice? The confrontation between identifying and forging false identities has been going on all along, but no project dares to risk universal condemnation by asking users to "receive airdrops with their ID cards."
That's what Web3 promises: a free, open, permissionless, decentralized internet.


