Unravelling the KYC Dilemma: Pursuing Identity Harmony in Web3 Communities

zCloak Network
11 min readJun 23, 2023

--

by White Cloak Labs

Our identity, a tapestry woven with personal details, is the cornerstone of access to societal resources such as banking, voting, and property rights. Ideally, this identity, inherently ours, should be under our complete control, free from the need for central intermediaries for validation or storage. This idea hasn’t fully manifested yet, but we are unequivocally edging toward it.

Web3 Regulatory Puzzle: KYC’s Role and Impact of Emerging Regulations

The advent of Web3, the decentralized web, has prompted intricate regulatory challenges globally. Enabled by blockchain technology, Web3 offers users superior control over personal data and supports direct interactions. However, this decentralization raises issues concerning investor protection, privacy, disclosure, and jurisdiction.

Initially, regulatory attention centered on cryptocurrencies, leading to significant action from regulatory institutions like the U.S. SEC and the CFTC. They focused on regulating cryptocurrencies and ICOs to mitigate fraud and establish protective frameworks for investors.

Today, as Web3 evolves, regulatory complexities grow. A critical balance is sought between curtailing illegal activities, ensuring consumer protection, and nurturing innovation. For instance, while blockchain’s security benefits users, it could inadvertently aid illegal activities by obscuring transaction trails.

Furthermore, the decentralized nature of Web3 triggers jurisdictional dilemmas. As control and law enforcement become ambiguous on a decentralized internet, discussions around Web3 becoming a self-governing jurisdiction have emerged.

Within this changing landscape, Know-Your-Customer (KYC) protocols have become vital. KYC involves the collection and validation of personal information to ensure regulatory compliance and deter illegal activities. In the boundary-less Web3 industry, KYC helps platforms meet international regulations, thereby preserving the ecosystem’s integrity.

Additionally, KYC mitigates threats such as Sybil attacks and fraud in the Web3 landscape. By enforcing identity verification, KYC safeguards against identity theft and ensures that only authenticated users can access specific services, crucial in contexts like decentralized finance (DeFi).

In summary, KYC protocols in Web3 are indispensable, enabling regulatory compliance, deterring threats, and managing access control. KYC adoption helps build a secure and trustworthy Web3 ecosystem.

Looking ahead, ongoing legal debates and new regulations will shape Web3’s regulatory future. Recent regulations from Hong Kong and Beijing’s Web3 white-paper indicate a significant shift in the regional regulatory landscape.

Hong Kong’s regulations, with more stringent standards for Web3 platforms, may necessitate stronger KYC procedures. Beijing’s white-paper, acknowledging Web3 as an “unavoidable trajectory for future Internet development,” suggests policy support and technological acceleration to stimulate the Web3 industry.

The concurrent implementation of Hong Kong’s regulations and Beijing’s white-paper suggests a coordinated effort to regulate and promote the Web3 industry. These developments will significantly impact the Web3 landscape, demanding stricter compliance from platforms and promoting industry growth. The future of Web3 regulation hinges on these resolutions, potentially constraining or fostering Web3’s progress.

Problems With KYC for Web3 Communities

Web3 communities, hallmarked by their advocacy for decentralization, demand elevated privacy and autonomy in their digital operations. They perceive conventional KYC processes as a substantial encroachment on these values. These communities place high importance on user privacy and data sovereignty, viewing the broad data collection required by KYC as a potential threat to their personal information security. The centralized paradigm of KYC procedures is in direct conflict with their pursuit of decentralization and trustlessness.

At its core, KYC involves users submitting detailed personal information, potentially including biometric data. Such extensive data collection unsettles privacy-focused Web3 users, who fear potential misuse or data breaches. Moreover, KYC’s reliance on centralized entities for data collection and validation is antithetical to Web3’s philosophy of eliminating dependence on centralized authorities.

The disconnect also extends to jurisdictional differences. KYC regulations are usually national or regional, contrasting with Web3’s global operation. This division between local compliance requirements and Web3’s borderless nature presents challenges for platforms to ensure multi-jurisdictional regulatory compliance.

Additionally, KYC procedures’ intricacy can impede the frictionless experiences valued in Web3 communities. The comprehensive document submission, verification processes, and compliance checks can be time-consuming and burdensome.

Moving forward, the onus lies in reconciling personal control of identity data with the safety demands of our increasingly digital world. It’s crucial to find a balance that addresses Web3 communities’ concerns while ensuring regulatory adherence. The exploration of innovative solutions like decentralized identity frameworks and privacy-enhancing technologies could lead to a more inclusive and privacy-oriented digital environment.

How Does zCloak Protect User Privacy and Data Control?

The discussion around user privacy and data control, central to the discourse between traditional KYC procedures and Web3 communities, finds a promising solution in zCloak’s approach, harnessing decentralized Identifiers (DIDs) and verifiable credentials (VCs).

At the heart of zCloak’s approach are VCs, allowing users to validate essential personal attributes without jeopardizing sensitive data. Users’ data is attested, and available for selective disclosure or as zk-proofs to others when needed. This approach preserves user privacy while assuring businesses of their customers’ authenticity, a stark contrast to conventional KYC procedures that necessitate extensive data and risk user privacy.

Notably, zCloak is an infrastructure provider, not a KYC company. It facilitates the issuance and verification of VCs in a manner that respects privacy. Adhering to W3C standards, users hold their credentials in a zkID Wallet, deployed on their devices, ensuring their data is stored locally and under their control. Computations occur on users’ devices, and core data is encrypted end-to-end, further safeguarding privacy and data control.

By adhering to these principles, zCloak establishes a privacy-centric environment where users can trust that their personal data remains confidential and under their own management.

Preserving Privacy and Security through Varied Disclosure Methods

zCloak’s VC solution effectively safeguards user privacy and maintains data integrity through three core disclosure methods: Selective Disclosure, Digest Disclosure, and Zero-Knowledge Proofs (ZKPs). Each of these practices seamlessly interplays, forming a robust framework to protect user data while upholding the authenticity of their credentials.

Selective Disclosure empowers users to control their data. Within a single credential, users can choose to disclose only the necessary information, ensuring the rest remains private. For instance, when a user is required to confirm their place of birth, they only need to disclose that particular information without providing their name or date of birth.

Similarly, Digest Disclosure substitutes direct data sharing with a unique cryptographic digest, a value derived from the data. Importantly, this digest can’t reconstruct the original data, allowing users to verify possession of specific credentials without revealing the underlying data. For example, a user can demonstrate that they hold a valid passport from a specific country, without revealing any detailed information contained within their passport.

ZKPs, the final piece of this triad, level up data security. By leveraging mathematical and cryptographic operations, ZKPs confirm information without disclosing the information itself. A user, for instance, can prove they meet a service’s age requirement without providing their exact age or birth date, and the verifier can confirm the claim’s truth without gaining additional information about the user. This allows users to prove their credentials’ validity without revealing them, essential for Web3’s KYC processes.

These disclosure techniques redefine privacy and data security. Through ZKPs, users control their personal information, can confirm their identity, and minimize data exposure during verification. ZKPs also offer an additional security layer as verifiers don’t receive detailed information, eliminating sensitive information interception or misuse risk.

In KYC processes, ZKPs strike a balance between the need for verification and privacy and data control importance. For example, users can verify their country of residence for tax purposes without disclosing their exact address.

Through these techniques, zCloak’s VC solution upholds privacy and data control while meeting KYC requirements. This paves the way for user-centered identity verification processes that respect privacy, contributing to a fairer and more secure digital environment.

Securing data integrity

zCloak is dedicated to safeguarding user data integrity by implementing a comprehensive procedure that combines data validation with advanced cryptography. This technique does more than just verify user data validity; it also confirms the accuracy of the computational algorithms being used.

In its commitment to ensuring data integrity, zCloak, serving as an infrastructure provider, offers a suite of extensive tools that aid attesters in the validation of user credentials. Furthermore, zCloak allows multiple attesters on the same network. This facilitates different parties to confirm the same credentials, offering claimers and verifiers a wider range of options. By adopting a consensus-driven approach to attestation, zCloak enhances the resilience and trustworthiness of the overall verification process.

With attested credentials, users can run a ZK program on their devices to prove relevant attributes during KYC processes. Their wallets support the necessary algorithms and come with an integrated zk-STARK-based Virtual Machine (VM). As the zk-STARK VM runs the program, it generates a STARK proof in real-time, certifying the correct program execution without exposing sensitive data.

By guaranteeing computational trustworthiness and providing a resilient infrastructure to confirm data validity, zCloak upholds data integrity while maintaining user privacy. This approach aligns perfectly with the Web3 principles, where data integrity and privacy are paramount. Through this method, zCloak actively participates in creating a more secure digital environment that respects personal privacy.

zCloak’s Paradigm Shift in Empowering Privacy and Data Control

zCloak’s framework signifies a major departure from traditional data control paradigms, empowering individual users to manage their identity information. This shift aligns with Web3 communities’ principles, offering a practical, user-centric solution to data control issues.

The comprehensive design of zCloak’s approach enhances data control and significantly bolsters user privacy. It enables authentication without unnecessary personal data disclosure, giving users a proactive role in protecting their privacy. Users control not just the data they share but also the entities they share it with, reinforcing individual privacy without compromising identity verification effectiveness.

Leveraging DIDs and VCs based on globally accepted standards, zCloak’s unique solution addresses both KYC procedures and Web3 communities’ concerns. It facilitates effective identity verification while prioritizing user privacy and data control. This marks a significant shift from traditional systems where centralized entities often control data. In zCloak’s framework, users become the custodians of their data, aligning with Web3 principles, and contributing to a more secure and privacy-preserving digital environment.

Enabling Interoperability in Web3 Identity Verification

zCloak’s infrastructure plays a significant role in enhancing Web3’s interoperability, providing a decentralized, privacy-focused means for identity verification. This framework allows for the creation of custom credential content, catering to specific verification needs across various entities including businesses, government organizations, and individuals, hence promoting wide-ranging interoperability.

Moreover, zCloak supports the utilization of tailor-made ZK programs for credential validation, which gives verifiers the ability to set their unique validation criteria. This increases system adaptability and furthers interoperability across diverse verification needs.

To encourage the widespread use of ZK proofs, zCloak offers a zero-code ZK program generator. This intuitive tool allows for the creation of ZK programs without the need for coding knowledge, broadening accessibility and fostering interoperability of KYC processes within Web3 communities.

By amalgamating these components, zCloak fosters a more interconnected identity verification environment within Web3. The flexibility of custom credential content, the inclusivity of multiple attesters, support for custom ZK programs, and the provision of a zero-code ZK program generator collectively establish a decentralized, privacy-preserving approach. These actions aim to reconcile KYC requirements with Web3 ideals, furthering a more integrated identity verification landscape.

Navigating Decentralization, Trustlessness, and Compliance

In the Web3 realm, zCloak addresses privacy and data control, bridging KYC procedures and Web3 communities while emphasizing decentralization and trustlessness principles at the heart of Web3. A key shift is user-owned identities, enhancing autonomy in line with Web3.

zCloak leverages Arweave’s decentralized storage for DIDs, promoting permanent, tamper-proof data that is owned and managed by users. This approach reinforces Web3 principles, fostering a secure, trustworthy digital identity landscape.

Trustlessness is upheld in zCloak’s identity verification via verifiable credentials (VCs). Through cryptographic protocols, users can validate their identity, eliminating the need for intermediaries and preserving privacy.

These measures aim to create a digital identity landscape converging KYC requirements and Web3 ideals. The goal is to empower individuals in identity verification while upholding Web3’s principles of decentralization, trustlessness, and privacy.

Privacy-Driven Audibility and Compliance

zCloak strategically meets identity verification’s audibility and compliance needs while prioritizing user privacy and control. Owing to a host of technical solutions that bolster their security and verifiability, VCs issued by zCloak can undergo independent verification.

Cryptographic security is at the heart of this approach. Each VC, digitally signed with the issuer’s private key, can be validated using the issuer’s public key, affirming authenticity and resistance to tampering.

zCloak uses Zero-Knowledge Proofs (ZKPs) with VCs, letting users validate credentials without exposing them, which enables third-party verification without direct data access.

Decentralized Identifiers (DIDs), managed by the users, bolster this strategy. DIDs allow third parties to authenticate a VC by associating the information contained within the VC to a user’s DID (public key). To enhance the permanence and verifiability of these DIDs, zCloak stores them on the decentralized Arweave network.

This infrastructure, coupled with immutable credentials and independent verification capability, streamlines regulatory compliance, especially important in areas like Anti-Money Laundering (AML).

zCloak also aids compliance by enabling users to control information disclosure according to specific regulations. This allows users to reveal only necessary information, protecting their privacy.

In summary, zCloak balances regulatory compliance demands with user privacy and control. By integrating cryptographic security, standard adherence, and user-centric data management, it helps businesses meet compliance obligations while preserving user privacy, fostering a compliance-friendly and privacy-conscious identity verification approach.

Conclusion

In conclusion, zCloak serves as a robust infrastructure provider with an unwavering focus on user privacy and data control. Committed to user-controlled data, zCloak doesn’t access or centrally store user data, ensuring personal information stays confidential and user-controlled.

zCloak’s use of DIDs and VCs, based on widely accepted standards, offers a robust solution reconciling KYC procedures and Web3 community concerns. Users can verify their identities securely, with the assurance that sensitive data is protected and inaccessible to zCloak or any central data storage system.

zCloak’s VC solution incorporates selective disclosure, digest disclosure, and ZKP to boost privacy and data security. These measures allow users to disclose only essential information, provide cryptographic digests instead of sensitive data, and authenticate credentials without revealing extra data, effectively mitigating data exposure risks.

Additionally, zCloak’s infrastructure promotes interoperability with its provision for customized credential contents, multiple attesters, and custom ZK programs for validation. This flexibility encourages a decentralized, privacy-preserving approach to identity verification within Web3 communities, while maintaining zCloak’s position as an infrastructure provider without access to user data.

zCloak sets a new precedent in navigating identity verification complexities with its unwavering commitment to user privacy and data control. It empowers individuals, secures their information, and upholds decentralization principles, paving the way for a more secure, privacy-focused, user-centric digital identity ecosystem within Web3.

Finally, zCloak recently achieved a milestone by developing the zk-SBT smart contract and launching it on Optimism’s testnet. The zk-SBT represents significant progress in preserving privacy while demonstrating personal attributes, like being an adult from Asia without revealing personally identifiable information. The zk-SBT’s design ensures privacy and enables interoperability with any smart contract on the same chain, making it a pioneering solution for utilizing private identity information in a blockchain environment. A more detailed article on zk-SBT will follow. Stay tuned!

White Cloak Labs is a series of research articles powered by zCloak Network, with the intention of explaining various technology, technical terms or definitions, international standards, and any topic related to zCloak’s research purposes. We hope this series will help people understand the tech side of zCloak and the Web3 world more easily. Stay tuned for more!

--

--

zCloak Network
zCloak Network

Written by zCloak Network

zCloak Network is a Real-World Identity (RWI) infrastructure for Web3. Website: zcloak.network; Product: zkid.app