- Facilitating on-chain tracing
- Exposure to state surveillance
- The risk of personal data leakage
- Some preconceived ideas about KYC
- Can KYC be cancelled?
- The difference between KYC and key identification
KYC stands for "Know Your Customer". It's a regulatory procedure implemented by certain companies operating in the Bitcoin sector. The aim of this procedure is to verify and register the identity of their customers, with the stated aim of combating money laundering and the financing of terrorism.
In practical terms, KYC involves collecting various personal data from the customer, which may vary according to jurisdiction, but generally includes ID, a photograph, and proof of address. This information is then verified and stored for future use.
This procedure has become mandatory for all regulated exchange platforms in most Western countries. This means that anyone wishing to exchange state currencies for bitcoin via these platforms must comply with KYC requirements.
This procedure carries risks to the privacy and security of users. In this chapter, we will examine these risks in detail and analyze the specific impacts of KYC and identification processes on the privacy of Bitcoin users.
Facilitating on-chain tracing
The first risk associated with KYC is that it offers a privileged entry point for blockchain analysis. As we saw in the previous section, analysts can cluster and track activity on the blockchain using transaction patterns and heuristics. Once they have succeeded in clustering a user's on-chain activity, all they need to do is find a single entry point among all his transactions and keys to fully compromise his confidentiality.
When you perform a KYC, you provide a high-quality entry point for blockchain analysis, as you associate your receiving addresses used when withdrawing your bitcoins from an exchange platform with your full, verified identity. In theory, this information is known only to the company to which you provided it, but, as we'll see below, the risk of data leakage is real. Moreover, the mere fact that a company holds this information can be problematic, even if it does not share it.
So, if you don't take other steps to limit the aggregation of your activities on the blockchain, anyone with knowledge of this KYC entry point can potentially link all your activity on Bitcoin to your identity. From that company's perspective, your use of Bitcoin is no longer confidential.
To illustrate this with a comparison, it's as if your banker at Bank X not only had access to all your transactions with Bank X, but could also observe your transactions with Bank Y and all your cash transactions.
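The following sketch is an added example, not part of the original course. It shows how one KYC withdrawal address is enough to put a name on a whole cluster. It assumes the analyst uses the common-input-ownership heuristic (addresses spent together in one transaction belong to the same wallet), and every address name and transaction in it is constructed.

```python
# Added example: all transactions and addresses below are constructed.
from collections import defaultdict

def cluster_addresses(transactions):
    """Group addresses with union-find: inputs spent together in one
    transaction are assumed to be controlled by the same wallet."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for tx in transactions:
        for addr in tx["inputs"] + tx["outputs"]:
            find(addr)  # register every address seen
        first = tx["inputs"][0]
        for other in tx["inputs"][1:]:
            parent[find(other)] = find(first)

    clusters = defaultdict(set)
    for addr in parent:
        clusters[find(addr)].add(addr)
    return list(clusters.values())

def exposed_by_kyc(transactions, kyc_records):
    """Map each identity in kyc_records (withdrawal address -> name) to
    every address that ends up in the same cluster."""
    exposed = {}
    for cluster in cluster_addresses(transactions):
        for addr, identity in kyc_records.items():
            if addr in cluster:
                exposed.setdefault(identity, set()).update(cluster)
    return exposed

# Constructed sample data (placeholder address names, not real ones).
TXS = [
    {"inputs": ["exchange_hot"], "outputs": ["alice_withdraw"]},
    {"inputs": ["alice_withdraw", "alice_p2p"], "outputs": ["shop"]},
    {"inputs": ["alice_p2p", "alice_cash"], "outputs": ["alice_savings"]},
    {"inputs": ["bob_1", "bob_2"], "outputs": ["bob_3"]},
]
KYC = {"alice_withdraw": "Alice (verified ID)"}

if __name__ == "__main__":
    for who, addrs in exposed_by_kyc(TXS, KYC).items():
        print(who, sorted(addrs))
```

The coins on `alice_p2p` and `alice_cash` were never withdrawn from the exchange, yet they end up attributed to the verified identity because they were spent alongside, or share a reused address with, the KYC withdrawal.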
Remember from the first part of this course: Bitcoin's confidentiality model, as conceived by Satoshi Nakamoto, is based on the separation between the user's identity and their public and private key pairs. Although this layer of confidentiality is no longer sufficient today, it is still prudent to limit its degradation as much as possible.
Exposure to state surveillance
The second major problem with KYC is that it reveals to the state that you have owned Bitcoin at some point in time. When you buy bitcoins through a regulated entity, it becomes possible for the state to be aware of this possession. At the moment, this may seem trivial, but it's important to remember that your country's political and economic future is not in your hands.
Firstly, the state can quickly adopt an authoritarian stance. History is full of examples of policies that have undergone abrupt changes. Today, in Europe, Bitcoiners can write articles about Bitcoin, take part in conferences, and manage their wallets in self-custody. But who can say what tomorrow holds? If Bitcoin suddenly becomes public enemy number one, being associated with it in government files could prove problematic.
Then, in the face of severe economic crises, the state might consider seizing bitcoins held by citizens. Perhaps tomorrow, bitcoiners will be perceived as crisis profiteers and will be taxed excessively for their capital gains, especially in light of fiat currency devaluation.
You might think this isn't a problem, as your bitcoins are mixed and, therefore, untraceable. However, tracing is not the issue here. The real issue is that the state knows you've owned bitcoin. This information alone could be enough to incriminate you or hold you to account. You could try to claim that you've spent your bitcoins, but that would have to be reflected in your tax return, and you'd get caught. You could also say you lost your keys in a boating accident, but beyond the Twitter joke, do you really think that would be enough to exonerate you?
Therefore, it is essential to consider the risk that the state may become aware of your BTC ownership, even if that risk appears remote today.
Another problem posed by KYC in terms of state supervision is the mandatory reporting by regulated platforms. Although I'm not familiar with regulations in other jurisdictions, in France, Prestataires de Services sur Actifs Numériques (PSAN) are required to report to the financial supervisory authorities any suspicious movement of funds.
In France in 2023, 1,449 suspicious acts were reported by PSANs. For the time being, the majority of these acts are related to crime. However, the authorities are also asking regulated platforms to report any suspicious Bitcoin transactions solely on the basis of their structure. If you carry out a collaborative transaction, or even just a transaction with a slightly atypical pattern, and this transaction occurs not far from the withdrawal of your Bitcoins from these platforms, you could find yourself reported to the authorities. Even in the absence of malfeasance and in the legitimate exercise of your rights, such reporting could lead to increased checks and surveillance, inconveniences you would have avoided without KYC.
The risk of personal data leakage
Another problem with KYC is that it requires all your personal data to be stored on the servers of a private company.
Recent events have reminded us that no one is immune to financial or IT failures. In 2022, Celsius customers suffered the consequences. Following the company's bankruptcy, the names of the creditors and the amount of their assets were made public by the American courts during the administrative proceedings.
Just over two years ago, a major cryptocurrency cybersecurity company was compromised, resulting in the theft of its customers' personal data. Although this incident was not directly linked to the purchase of bitcoins, such a risk also remains for exchange platforms. There is, therefore, a definite risk associated with personal data.
It's true that we already entrust much of our personal data to private companies. However, the risk here is twofold, since this data not only identifies you, but is also linked to activity on Bitcoin. Indeed, when a hacker gains access to customers' data on an exchange platform, they can reasonably assume that these customers possess bitcoins. This risk is heightened by the fact that Bitcoin, like any other valuable asset, attracts the attention of thieves.
In the event of a data leak, at best, you could be the subject of targeted phishing attempts. In the worst case, you could find yourself at the center of physical threats to your home.
In addition to the specific risks associated with Bitcoin, there are also dangers related to the transmission of identity documents. Indeed, in the event of a data leak, it is possible to become a victim of identity theft. So the stakes are not just limited to protecting the confidentiality of transactions, but also concern the personal security of each individual.
Some preconceived ideas about KYC
It's essential to deconstruct some of the preconceived notions about KYC that we frequently encounter on Twitter or in our exchanges with bitcoiners.
First of all, it's inaccurate to think that protecting your privacy for Bitcoins acquired via KYC is pointless. Privacy tools and methods on Bitcoin are varied and serve different purposes. Using coinjoin transactions on Bitcoins acquired via KYC, for example, is not a bad idea. Of course, you need to be careful with regulated exchange platforms to avoid having your account frozen or banned, but from a strictly technical point of view, these practices are not incompatible. Coinjoin has the effect of breaking a coin's history, thus helping you to thwart certain chain analysis risks associated with KYC. Although it doesn't eliminate all risks, it does represent a significant benefit.
Confidentiality on Bitcoin should not be viewed in a binary way, as a distinction between "anonymous" bitcoins and others that are not. Owning Bitcoins acquired via KYC does not mean that all is lost; on the contrary, the use of confidentiality tools can prove even more beneficial.
Conversely, acquiring bitcoin via a non-KYC method does not guarantee perfect confidentiality, nor does it exempt you from the need to take other protective measures. If you hold non-KYC bitcoin but reuse receiving addresses several times, your transactions may be traced and aggregated. The slightest link to the world outside Bitcoin could compromise the only layer of confidentiality you have. Therefore, it's essential to consider all the privacy-enhancing tools and methods related to Bitcoin as complementary. Each technique addresses a specific risk and can add an extra layer of protection. So owning non-KYC Bitcoin doesn't mean you don't need to take other precautions.
Can KYC be cancelled?
I'm sometimes asked whether it's possible to "go back" after performing a KYC, and as you can imagine from the preceding paragraphs, the answer is nuanced. The simplest way to avoid the risks associated with KYC is to refrain from using it when acquiring bitcoins. We'll look at this subject in greater depth in the next chapter. However, if KYC has already been carried out and bitcoins have been purchased, are there ways to mitigate the risks involved?
When it comes to the risk of tracing your transactions, using coinjoin is a solution. We'll look at this method in detail later in the course, but you should know that coinjoin enables you to break the history of a coin and prevent it from being traced both from the past to the present and from the present to the past. Even for BTC obtained via a regulated platform, this technique can prevent its traceability.
However, coinjoin does not erase the second risk associated with KYC: the fact that the state may be informed of your possession of bitcoins. Indeed, even if your coins are no longer traceable, the state, depending on the jurisdiction, may have access to your crypto-asset transfer declarations. As this risk is administrative rather than technical, there are no Bitcoin-specific solutions to eliminate it, apart from not exposing yourself to KYC in the first place. The only legal approach to mitigating this risk is to sell the bitcoins you acquired via regulated platforms back on regulated platforms, then repurchase them via KYC-free means. Once you have sold them and declared the transfer, the authorities should see that you no longer own them.
Regarding the risk of leaking your personal data and identity documents, this is a danger external to Bitcoin, and there is no technical solution to mitigate it. Once your data has been revealed, it's difficult to undo the operation. You can try to close your account on the platform, but this does not guarantee the deletion of your KYC data, especially when identity verification is outsourced. Verification of the complete deletion of your information is impossible. There is therefore no solution to completely prevent this risk and ensure that it no longer exists.
The difference between KYC and key identification
Some bitcoiners tend to extend the term "KYC" to any BTC exchange involving a wire transfer or credit card payment, as these means can also reveal the origin of the payment, just as a KYC would. However, KYC should not be confused with key identification. On a personal note, I must admit that my perception of this subject has evolved over time.
KYC refers specifically to a regulatory procedure implemented by certain companies to verify and register the identity of their customers. It's a binary thing: when acquiring your bitcoins, you either do KYC or you don't. However, key identification, which concerns the link between a facet of a user's identity and on-chain activity, is not as binary but rather represents a continuum. Indeed, in the context of bitcoin acquisition or transfer, such identification is always possible to varying degrees.
For example, if you buy bitcoins on a regulated platform in Switzerland, KYC is not required. However, your keys may be identified, as the purchase was made via your bank account. This is where the first two risks associated with KYC - facilitation of on-chain tracing and exposure to state surveillance - can also manifest themselves in an exchange without KYC. If the Swiss entity reports suspicious transactions to the authorities in your country, they can simply check the bank account used for the purchase to discover your identity. So, buying without KYC on regulated platforms is rather high on the risk scale for key identification.
However, avoiding regulated platforms and opting for P2P acquisition methods does not totally eliminate the risk of key identification, but merely reduces it. Let's consider the example of a purchase on Bisq or another peer-to-peer (P2P) platform. To pay your counterparty, you'll probably use your bank account. If the authorities question the person you've traded with and ask for your name, we're back to risks 1 and 2. Although these risks are much lower than when buying on a platform without KYC, and even lower than when buying with KYC, they are still present to a lesser extent.
Finally, even if you acquire your bitcoins through a physical exchange for cash, you're not totally anonymous. The person you exchanged with has seen your face, which is part of your identity. Although minimal in this example, there is still a possibility of key identification.
In conclusion, when bitcoins are exchanged for other assets, be it a purchase in state currency or a sale against a real good, there is always some form of key identification. Depending on the chosen exchange method, this identification may vary in intensity. It is essential not to confuse this identification with KYC, a well-defined regulatory process. However, there is a link between KYC and the identification spectrum, as KYC is positioned at the higher end of the spectrum, systematically facilitating the identification of user keys by authorities.