Several months after a serious data breach, cryptocurrency exchange Coinbase is leaning on cryptographic privacy tools as a potential solution to the drawbacks of current financial crime laws. Paul Grewal, Chief Legal Officer for Coinbase, points out that the U.S. Bank Secrecy Act, which oversees financial reporting and Know-Your-Customer (KYC) rules, is archaic. Grewal proposes that lawmakers consider modernizing these laws to allow the deployment of zero-knowledge proofs (ZKPs), a privacy tool that offers verifiable facts about users without revealing their whole data.
Weaknesses of Current Regulations
Grewal points out that the prevailing version of the Bank Secrecy Act remains rooted in decades-old prerequisites, reflecting compliance protocols based on paperwork and a financial system characterized by slow funds movement. This poses an inconvenience for consumers who must regularly go through the KYC process, and their personal data become attractive targets for cybercriminals.
As Grewal explains, companies are legally required to keep your data for long periods and share it with bureaucrats. Zero-knowledge proofs can significantly reduce the risk associated with storing sensitive information, allowing users to prove their identity while maintaining privacy. Law enforcement agencies would still maintain the power to subpoena full records if necessary, according to Grewal.
Data Breach Incident
This renewed focus on privacy comes on the heels of a massive data breach at Coinbase at the end of last year. Approximately 70,000 of its users were affected after third-party contractors accessed data without authorization, including ID images, bank account information, and, in some instances, passport details. The incident was discovered in January, but it wasn’t made public until May. Coinbase rejected the extortionists’ $20 million ransom demand and severed all ties with the involved vendor.
To resolve the breach, the exchange began a bounty program offering $20 million for any useful information related to the breach. The company also committed to compensating those users who were affected. It is estimated that the breach resolution might cost Coinbase between $180 million and $400 million, but there’s no sign the company has identified the perpetrator yet.
Real-world Use of ZKP
Despite these incidents, Omar Azhar from Matter Labs, a company behind the ZKsync network, affirmed that zero-knowledge proofs are already in use. Azhar says that the technology already exists as a proven method using both ZK and blockchain-based verifiable credentials for identity verification. As an example, he mentioned the government of Buenos Aires, which uses verifiable credentials on ZKsync via QuarkID.
Structural Issues in the Crypto Industry
David Carvalho, founder and CEO of Naoris Protocol, argues that the Coinbase incident underlines a more profound issue in the crypto industry. Centralized systems and single points of failure are incredibly vulnerable areas, drawing the attention of cybercriminals who are increasing their exploitation skills. Carvalho recommends that cryptocurrencies adopt a decentralized security approach, where data and sensitive information are safeguarded by a decentralized system instead of human gatekeepers.
Calls for Overhauling Legacy Systems and Adopting ZKPs
However, even with cryptographic technology available, a significant hurdle remains before mass adoption can occur. Hon Ng, chief legal officer at Bitget, noted that the Bank Secrecy Act’s current form offers little room for flexibility, insisting that institutions should have comprehensive knowledge about their customers. Furthermore, Edwin Mata, CEO of tokenization firm Brickken, highlighted the potential legal ambiguity and implementation costs that come with a system prioritizing user confidentiality. To make significant changes, new standards, updated laws, and incentives for institutions to ditch their legacy systems must be established. Without these steps, the benefits of innovation might be limited to niche cases instead of catalyzing systemic change.
Note: The aftermath of the Coinbase data breach brought privacy and data protection issues, along with legal and practical barriers, to the forefront. This article has been updated to include expert commentary and further context concerning these areas.