Binance KYC fiasco shows again that personal data is not private

I was at it again yesterday.

I had to drive across town to give ID documentation to a law firm I'm instructing. They took my documentation, photocopied it and filed it somewhere in their back office. Great... yet another company I need to trust with my 'personal' data.

Yet I understand that, as with numerous other entities, the law firm in question needed the ID to comply with regulations.

When we hear of data breaches, I think it is easy to forget that entities like Binance (or legal firms) don't want the headache of managing hundreds or thousands of people's personal data from across the globe. It is done, for the most part, to comply with local laws, to prove that businesses have done their due diligence and ultimately for business owners to avoid going to prison for facilitating possible criminal activity.

Yet in complying with the law, these businesses create another avenue through which our personal data can be compromised. Whenever we hand over our personal data, be it online or at a local bar wanting ID, we risk it falling into the wrong hands.

For me, it is obvious the ID system is clearly broken. Especially when people are required to take photos of themselves holding their passport and a piece of paper with the date on it as 'proof' of identification.

Then repeat this process or similar processes, for various other online services they interact with. We live in an age where people can manipulate words spoken on video. Manipulating photos of someone waving a document and scrap paper would appear to be child's play.

I find it ironic. We are warned to treat 'everything they do online as public'. Yet we are often required to upload our ID documents online and expected to be outraged when personal data input online is compromised.

To my mind, my ID documents are not private. They are public documents, issued by public bodies. We are then required to expose these documents over and over again, online and offline. This is the antithesis of private information.

In and of itself, I do not have a problem with ID documents being de fact public. We live in a world where it is the norm to get 'tagged' in photos on a weekly basis.

The problem arises when an entity relies on an ID document as if it was private.

Hardcopy ID documents can be forged. Softcopy ID documents can be hacked. The question becomes what additional steps can be taken to verify someone is who they say they are. Ultimately the problem is less about criminals getting hold of ID documents but an over-reliance of ID documents alone in some quarters.

For example in the Crypto space, if an Exchange is relying on your ID documents before allowing you to withdraw fiat to a Bank Account of exacting the same name and having done some additional checks such as the original source of funds etc; then I can understand ID documents being part of the puzzle. However, if an Exchange wants your ID documents before upping your BTC daily withdrawal limit from 2 BTC to 100 BTC then, for me this is an academic exercise.

Ultimately I don't have the answers. However, we are kidding ourselves if we believe our ID documentation is not vulnerable, almost from the moment it is issued. The question is, knowing that fact, what measures can we take to protect ourselves from misuse of our ID?

_{Image by Gerd Altmann from Pixabay}