Recently I’ve looked through crypto exchanges and discovered drastic mismanagement of security, which is ingrained in current regulations regarding how identity verification (KYC) is performed. Identity verification basically relies on a requirement to send a scan of an identity document, which is completely absurd even at first glance to anyone aware that physical identity documents were intended, designed and are suitable only for face-to-face verification of identity. Such a face-to-face scenario contains basically 2 elements: verification of the actual document, and visual verification of the person bringing the document. The reliability of identity verification relies on both of these elements, not just one.
An ID can be used only in direct verification (for example, as happens in a bank office). An online equivalent of such verification is possible only with a proper certified signature (for example, many countries have recently introduced IDs with a digital part, which is basically built around digital signature technology). In any case, a scan or photo of an ID cannot be used or perceived as proof of identity. Alternatively, proper verification of identity is typically done by bank transfer and/or postal mail verification.
Identity documents contain protections against counterfeiting, and these physical forms of protection ensure the validity of the document. Thus verification of identity by sending a scan of an ID is invalid (the scan does not contain the anti-counterfeiting protection); from a cryptography point of view it is no verification at all (I would say that it is basically just a file with an image containing some pixels). Maybe ID scans are currently statistically highly correlated with actual identity; however, there are no technical reasons to extrapolate that into the indefinite future if such a practice becomes widespread.
Technologies currently exist that make it possible to:
- take a high-resolution photo of an ID with a small hidden camera
- generate a scan-like version from this photo using AI

This is surely affordable for large organizations. It could be used for something much worse than just stealing millions worth of crypto: making illicit or compromising transactions on behalf of a group of individuals who are inconvenient for someone, in order to basically send them to jail, when authorities are unable to differentiate such victims from actual criminals who have managed to delete all traces of their operations from their personal devices.
There is also an obvious risk of losing privacy and a risk of identity theft, which additionally makes hacking into crypto exchanges significantly more profitable (with the current system, it would be profitable even if the value of all crypto coins fell to exactly 0). Large-scale identity theft poses a significant systemic risk to the whole of society and the economy, much larger than the value of the cryptocurrencies that could be stolen.
Also, people are forced to get used to sending scans of their ID documents and to perceive it as something normal (when it isn’t; it is simply a very dangerous pathology). They not only expose themselves to accidentally sending their ID scans to a malicious phishing webpage, but the situation also waters down the reliability and legitimacy of ID documents themselves.
If I wanted to use crypto for a legal operation, compromising my own ID is unacceptable for me; however, for psychopaths who would want to offer or order the murder of someone, it doesn’t seem to be relevant. Larger crime organizations may also use coerced victims to legitimize their operations anyway. While the introduction of identity verification is surely needed to reduce the risk of cryptocurrency being used for illicit activity, verification by sending a scan of an ID should be prohibited, since it opens many more opportunities for illicit activity than it is able to prevent. Currently, it basically looks like nothing more than a scam.
👍💪🇦🇷