LocalBitcoins’ New KYC Rules Raise Privacy Concerns

Can an exchange with KYC/AML be “decentralized”?
LocalBitcoins will enforce strict KYC/AML regulations in September 2019. Does privacy still matter?

Updated with comments from LocalBitcoins

Beginning September 1, 2019, legacy peer-to-peer bitcoin exchange LocalBitcoins will extend its know-your-customer/anti-money laundering (KYC/AML) requirements and, as a consequence, limit user ability to retain privacy. 

According to an official blog post published on June 18, 2019, the exchange has teamed up with identity verification technology provider Onfido, and a new account tier system will be established. Depending on the amount a user trades each year on the exchange, they will have to provide specific data regarding their identity.

For instance, somebody who trades less than $1,109 (1,000 euros) in a year will have to provide their full name, country of residence, email address and phone number. A user who trades beyond this threshold will be required to provide ID verification and full KYC info. Furthermore, proof of residence and additional ID verification will become compulsory for anyone who trades bitcoin worth more than $22,180 (20,000 euros) per year.

Losing Privacy at LocalBitcoins

Earlier this year, LocalBitcoins also removed offers for in-person cash trades and enforced its first batch of KYC requirements.

The new measures at LocalBitcoins, which is based in Helsinki, stem from Finland’s Act on Virtual Currency Service Providers, which comes into full effect in November 2019. 

In its early days, the Finnish exchange was a pioneer in its field, empowering individuals to make pseudonymous bitcoin-to-fiat trades. More recently, it’s been reported that Venezuelans used the peer-to-peer service to trade almost 20 billion bolívars in July 2019 alone as a salvation from their own crumbling fiat economy. In the context of these new KYC/AML additions, it’s very likely that people in countries with authoritarian regimes will no longer have access to services — or will have to limit their trades to amounts less than 1,000 euros per year.

The Decentralized Exchange Perspective on AML/KYC

As such, it’s fair to ask if LocalBitcoins still truly qualifies as a “decentralized exchange.” To answer the question, we spoke with representatives from Hodl Hodl, a peer-to-peer bitcoin exchange that has worked to maintain access for Iranian investors even as they have been excluded from LocalBitcoins, and Bisq, a decentralized bitcoin exchange that recently launched the space’s first DAO. LocalBitcoins did not respond to multiple requests for comment.

“LocalBitcoins has never been a decentralized exchange, because user funds have always been stored in their wallets,” Hodl Hodl CEO Max Keidun told Bitcoin Magazine.

A Bisq contributor who requested anonymity largely agreed, adding a little more context. They told Bitcoin Magazine:

“Decentralization has become a buzzword which tends to contribute more noise than signal in a sentence. The only way I can see LocalBitcoins being ‘decentralized’ is in its sourcing of offers, since they come from many people who are not a part of the LocalBitcoins company (as opposed to a single order book maintained by the company). However, that’s really no different from the way Facebook and Twitter source their media, and calling them ‘decentralized social media’ would be ridiculous.”

The two representatives were also asked why privacy matters and to what extent KYC/AML data collection can be a honeypot for user information. 

“In the digital age, data privacy matters a lot,” Keidun said. “If you take a look at the recent Binance leak of KYC/AML data, you will realize that it’s harmful for users to have their personal data (such as ID, photos, addresses) publicly available. I think it’s also dangerous because if your data is leaked from a cryptocurrency exchange then you might deal with a lot of bad actors who assume you may own a lot of bitcoins. The KYC data often includes proof of residency, so thieves can simply come to your place and try to steal something from you or harm you in other ways.”

Again, the two exchange spokespeople saw eye to eye, as the Bisq representative outlined similar concerns around data privacy:

“Data privacy is everything. It allows a user to maintain control over their property. Isn’t that part of what Bitcoin is all about? We spend so much effort on ‘not your keys, not your coins’ but not on ‘not your machine, not your control.’ In general, data privacy enables people to keep potentially great ideas alive when those in charge are wrong, so that the rest of humanity may prosper when the time for those ideas has come. Without data privacy, Bitcoin could never reach its potential.”

Finally, we asked the two exchange representatives to answer the question “Are KYC/AML-compliant exchanges data honeypots?”

Keidun answered in the affirmative.

“Many exchanges are more concerned about securely stored assets that they neglect the ethical and safe storage of KYC/AML documents,” he said. “I think KYC is a honeypot for user information and there’s nothing you can do about that as a user.”

To illustrate his point, Hodl Hodl’s CEO pointed to a rising trend in hacks through which bad actors obtain personal information instead of funds.

“Hackers have figured out that they can blackmail exchanges with the confidential KYC/AML data they steal, and ultimately this is detrimental for both the user and the exchange itself,” he continued. “If providing personal data was optional on these services, then I’m sure that 99.9 percent of users would avoid filling in any form.”

The Bisq representative indicated a similar pessimism around the safety of user data on exchanges.

“Whatever can get hacked will get hacked if there’s a sufficient motive, and the only asset that is perhaps more valuable than a whole lot of bitcoin is a honeypot of data about people who own a whole lot of bitcoin,” they explained. “For customers, not only is there the potential of identity theft, but extortion, physical harm and who knows what else. Why take the chance?”

While LocalBitcoins embraces a stricter set of KYC/AML rules that are enforced by its jurisdiction, Hodl Hodl and Bisq remain alternatives that don’t collect such data and aim to maximize users’ financial sovereignty. For now, bitcoin traders who want to maintain a level of pseudonymity will have to consider them as alternatives to LocalBitcoins.

Update - September 2, 2019: A LocalBitcoins representative contacted Bitcoin Magazine and issued the following statement:

“LocalBitcoins does not buy or sell bitcoins as a company. All trades happen between our users themselves, and in that sense we do not identify as a centralised exchange. However, traders use their LBC wallet to send BTC in and out when selling or buying coins.

“Our user base has requested better verification measures to prevent fraud and promote a safer trading environment, even before AML regulatory changes. LocalBitcoins wants to provide a safe platform for users and with added security and KYC policies complies with the AML regulation in Finland.

“LocalBitcoins takes data security and privacy matters seriously. All personal and KYC/AML data is handled in accordance with EU General Data Protection Regulation (GDPR). We are open about what we do with users’ data in our Privacy Policy and have high standards in data protection processes and technical controls.”