When A Cartoon Gorilla Is NOT Your Identity

March 2, 2023 Kate Neale

Consider the deeper issues of your identity being truly captured by an NFT identity token

So you bought an NFT in your likeness or perhaps as a gorilla, a cat or other obscure expression of self that you found relevant and you use it as your profile pic. You’ve chosen an image by which you choose to be identified, just like a logo and TM. But what of your REAL identity, the one you want to protect? You might need a non-transferable non-fungible identity token (AKA a KYC/KYB Token)…or do you?

NFTs offer a useful tool as a unique digital deed of ownership, but as we surge forth into an increasingly complex technology-driven existence, the complexities of owning, proving and securing your identity are at best opaque for most people. We can consider KYC/KYB and Badge tokens as an entry-level attempt to give plausible confirmation of identity, but the issue is much more complex.

The decentralised global financial environment is still being navigated, and mitigating the vulnerabilities and liabilities of human nature (criminal intent) is a critical element of secure trade, personal or commercial. Authenticated identity foils cat-fishing, money laundering and marketplace sales scams – which is WHY some people DON’T want to be authentically identified.

Transitioning From Traditional to DeFi Progresses

We find ourselves moving from the benefits and hindrances of highly regulated financial markets to a complex landscape of wildly independent and unregulated financial facilities. There is so much innovation around, and regulators are scrambling to protect and control, but sometimes the solution can be found in elements of the past. Asking a random question that only the account holder is likely to know the answer to comes to mind.

A prime example of how the regulation and legislation that control business operations still prevail is the FTX disaster: despite the business operating a decentralised, unregulated facility of technology, it was not actually operating free of the law. Once FTX began operations as a registered business, its operators were subject to fiduciary duty, fair trade, law of torts etc. FTX and its operators will be answerable to those laws even in the absence of specific regulations around its crypto exploits.

The ongoing need for transactions to be secure and for each party to be validated is obvious. Are you dealing with a bot or a human, is the person real, fake or a clone? Hacking activities have led to rampant identity theft. Perhaps the only safe identikit is biological, but if you’ve volunteered your DNA to a heritage platform, that’s now open to compromise too.

Privacy Is The Big Issue At Hand

The challenge is to disclose enough information to participate while obscuring enough information to remain safe from criminal activity. If you think Meta is intrusive in serving ads that reflect your interests, remember there are myriad other tracers and trackers working in the background of your online activity, and they are getting more complex in their deployment and in what it takes to evade them. Crimes of the future have not been identified yet, but the mechanism has.

Putting identity credentials on chain can be a double-edged sword when AI and machine learning start driving the bus, as there is no discretion or human discernment involved. If a KYC token or any other digital identikit is created on hijacked documentation, there’s nowhere to go to refute the validity, which suggests that some real-world verification should perhaps remain part of the protocol.

“If you’re using a crypto account there are already probably some linkages between the account and its associated data to your natural person. This might be because you have made this association known to others (by “proving control” through publishing a signature on twitter, for example), or because blockchain analytic providers like Chain Analysis or TRM Labs can figure it out with enough off-chain and on-chain data sources. There are also little-publicized data crumbs left by today’s web3 stack, such as major node RPC providers like infura logging IP addresses, front-ends fingerprinting in-browser wallets for their own analytics purposes, and native wallets creating mountains of interceptable and analyzable traffic through non-standardized transports.” Source: link below

Plus the NFT nature of the token does not preclude the potential for the token to be sold, just as a passport or driver’s license is sold. Though the owner of the token, passport or license is not likely the seller because of the likely exposure to criminal activity, this does not exclude black market sales.

Enter The PII (Personally Identifiable Information) Custodian Services

PII custodian services issue KYC/KYB tokens as a symbol of proven identity, once real-world documentation has been validated and the person is cleared of international sanctions lists or law enforcement watch lists.

The PII custodian transfers the identity token to the customer’s crypto wallet but might continue to control the NFT in the event of changes to the customer’s status, allowing the PII custodian to burn the NFT or update it as needed.

A KYC (Know Your Customer) or KYB (Know Your Business) token is on-chain immutable, and in simplest terms acts like a company seal stamp, conferring ‘it’s official’ by virtue of the stamped document. These tokens do not reveal the details, but their validity rests on proof of a real-world identity having been established through authenticated documentation via a third party, i.e. a PII custodian service.

The KYC/KYB tokens are tightly controlled by the issuer and are specifically created to verify and authenticate identity with authority while maintaining the privacy of the verifying details.

By contrast, a badge token is self-issued and controlled and makes outright claims to the owner’s identity with a record of what they’ve done, what is known about them or how they have identified themselves in their Web3 persona. These tokens serve the purpose of identification in more relaxed environs such as gaming.

Examples of what KYC/KYB tokens can be used to do:

  • Validate the identity of parties participating in a transaction or committee
  • Validate that a person is not on a sanctions list or a resident of a sanctioned country
  • Allow automated ongoing validity checks on participants, members or investors to ensure compliance and minimise exposure to criminal elements
  • Comply with the OpenVASP travel rule protocol, sharing relevant originator and beneficiary information from virtual asset transactions with the aim of preventing money laundering, terrorist financing, and other fraud activity
  • Participate in gaming, gambling or other online activities that require the participant to be over 18
  • Validate that the job applicant’s resume or dating profile is authentically theirs
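
The custodian-controlled lifecycle described above (mint to a wallet, no transfer, issuer-only update and burn, relying-party checks that see attestations but no PII) can be sketched as a small model. This is an added example, not code from the article or from any custodian; the class names, the claim names `sanctions_cleared` and `over_18`, and the wallet strings are assumptions made for illustration.

```python
# Added illustration: an in-memory model, not a smart contract or a real custodian API.
from dataclasses import dataclass, field


@dataclass
class IdentityToken:
    holder: str          # wallet address (sample values are constructed)
    claims: dict         # attestations only, never PII (claim names are assumed)
    active: bool = True  # set False when the custodian burns the token


@dataclass
class CustodianRegistry:
    issuer: str
    tokens: dict = field(default_factory=dict)

    def _require_issuer(self, caller):
        if caller != self.issuer:
            raise PermissionError("only the issuing custodian may do this")

    def mint(self, caller, holder, claims):
        self._require_issuer(caller)
        token_id = len(self.tokens) + 1
        self.tokens[token_id] = IdentityToken(holder, dict(claims))
        return token_id

    def transfer(self, caller, token_id, new_holder):
        # Non-transferable by design: the holder cannot sell or move the token.
        raise PermissionError("identity tokens are non-transferable")

    def update(self, caller, token_id, claims):
        self._require_issuer(caller)
        self.tokens[token_id].claims.update(claims)

    def burn(self, caller, token_id):
        self._require_issuer(caller)
        self.tokens[token_id].active = False

    def check(self, wallet, required):
        # Relying-party check, re-run on every use so burns and updates take effect.
        return any(
            t.active and t.holder == wallet
            and all(t.claims.get(c) is True for c in required)
            for t in self.tokens.values()
        )
```

A passing `check` shows only that the wallet currently holds a live token; it says nothing about who controls the wallet's keys, which is why a sold or shared account defeats the token.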

Examples of what Badge tokens can be used to do:

  • Participate in select gaming activities
  • Gain entry to events
  • Receive prizes, trophies and drop tokens to the connected wallet
  • Show and receive credentials and accolades the owner wants to share & be known

The subject of identity protection and verification is fascinating and a critical component of future trade security. It’s a field of ongoing endeavour as the complexities of innovative technology, regulation and the ingenuity of humans produce new challenges daily.

I was moved to write about this having read an article in the Hedera blog that goes into much deeper detail about the issues, but I hope this gets you thinking.

For those of you thinking ‘what about soul-bound tokens’, I offer the following excerpt from a more detailed discussion of identity tokens:

“Neither kind of Identity Token described above realizes the Soulbound Token vision as it has been articulated:

  • There is a limited number of ways available to strongly and immutably connect an NFT to a natural person. Available options might include ingraining a person’s biometrics or a high value identifier (i.e. passport #) into the Token’s data but these approaches come with privacy challenges, and at a minimum are best supported through decentralized offchain identity architectures like those proposed by the Verifiable Credentials community. So if the data is not strongly tied to your natural person, what we are really left with is that you as a natural person have friends, family, acquaintances that strongly associate your crypto account with your natural person, and that crypto account in turn has data in the form of NFTs associated with it. However in today’s environment, for most users their crypto accounts are not strongly associated with their natural persons and are trivially easy to share or sell. Furthermore, to maintain a minimum level of on-chain privacy and pseudonymity, many people prefer to have multiple long-term crypto accounts on top of countless transient accounts (often custodial) in an attempt to disassociate their on-chain transactions from their person or at least create “plausible deniability” as to their dissociation. Identity Tokens therefore inhabit a grey area between total anonymity, and crypto accounts being strongly associated with an individual user.
  • A key requirement of Soulbound tokens is support for Social Recovery. There is some early work on Social Recovery standards (check out the DeRec proposal by Swirlds Labs) but nothing mature and widely adopted as of yet at the protocol level, or even at the smart contract/standardized-interface level.
  • The more expansive features of the DeSoc vision of Soulbound tokens would need to support the disclosure of PII on-chain, whether through zero-knowledge proofs, trusted intermediaries, account abstraction, and/or some other mechanism. In the current environment it is generally accepted that direct PII should be kept off-chain from a privacy and regulatory perspective. Probably the closest path we have to supporting PII on-chain is the development of off-chain wallets and architectures that hold PII as credentials that can present zero knowledge proofs (ZKP) on-chain, or exchange of credentials between parties through entirely off-chain architectures such as Verifiable Credentials. The potential connection between data held in these off-chain wallets and a “soulbound token” still needs to be defined.

So the simple response on why we are calling these non-transferable NFTs “Identity Tokens” and not “Soulbound tokens” is because the ecosystem is not ready for Soulbound tokens as they have been defined to date by their proponents.”

If you’ve read to this stage, I guess your interest is piqued. If you would like to know more, follow the link to this article from Hedera, which elaborates in more technical detail on the challenges involved in securing our identity going forward and how they are addressing them.
