Recently, GALXE (previously Project Galaxy) introduced its passport program, claiming to be the ‘universal identity for web3’. It is also said that the passport is a type of Soulbound token (SBT), a vague social prototype brought forward in the famous DeSoc paper. For anyone who wants to get this passport, KYC is needed for verification, along with a $5 processing fee. (The fee is exempted for the first 100k appliers.)
This announcement raises concerns about privacy since the mandatory KYC requires users to upload their personal documents and connect this critical information to a wallet address. More concerns argue that whether SBT should come in the form of a KYC-ed passport.
In this article, I want to argue that: (1) KYC is not the only ‘inevitable’ choice for verifying any on-chain identity, many methods actually work quite well, and (2) a ‘passport’ is not a proper form of personal document under a decentralized ethos, out of both historical reasons and potential risks for web3 users.
Many more ways to identify a person other than KYC-only
Various projects have shown that a range of methods can be pushed further to verify or help build one’s identity, some of which include:
-
On-chain transaction data. For example, Nansen uses public transaction data to give different wallets various labels, which potentially could develop further into labeling and portraiting identities. By analyzing frequency, members, and objects involved in transactions, some wallets are tagged with ‘Smart Money’, ‘Depositor’, ‘Pool Creator’ etc. These tags are reputations to tell us who they are and what these identities look like, at least on the market side. Therefore, transaction data that is public and transparent could directly help verify and build a digital identity.
-
NFT and community. BAYC introduces to us a new gameplay between NFTs and communities, that the possession of an NFT is integrated with the membership of a club. Property rights doubled with social connections not only help secure its floor price and long-term popularity, but also create a much stronger proof of identity. A person can prove one’s identity not only by transaction data shown on-chain, but also by social interactions with other club members and by contributions to the NFT community such as derivative projects. These experiences can be recorded in POAPs or SBTs, joining forces to make a smarter identification process.
-
Zero-knowledge proof. Polygon released its Polygon ID in Q1 2022, using zero-knowledge protocols to verify identities on-chain as well as to protect user privacy. Zero-knowledge cryptography goes beyond any KYC or KYB and also potentially provides a verification process that is more scalable and developer-friendly.
From the cases shown above, we can see that there are many (potential) ways to verify identity without undermining the private and decentralized ethos. KYC is not a must choice for an ID service company, for the method itself was born from the pre-web3 world, where financial institutions try to solve the problem of compliance coming from a central government’s regulation.
It is ridiculous to see that a crypto-native company would ‘proactively’ embrace this web2 method to make itself more attractive to centralized regulators. And it is also disturbing to see that a KYC-ed passport can become one of the possible types of SoulBound Token (SBT) which first appeared in a paper envisioning a decentralized society.
In the following section, I would argue that the passport as a form of document is in itself related to centralization and therefore leads us far away from the decentralized vision.
Do we need passports in web3? Explain why a passport is a buck being passed to us
The concept of having a passport to prove one’s identity is both young and artificial (only about a hundred years), and we should not take it as a natural condition when experimenting with web3 identification services. We should go back to its humble days to demystify and see if we really need an official identification document.
A piece of history: The birth of the modern passport is deeply related to border control during WWI. In order for governments to control the mobility of people, no matter coming in or escaping outwards, only a few entry/exit points are left open while hundreds of miles of borderline are closed. Freedom of movement across borders thus became a past, and every traveler started to hold a document that lists name, height, photo, and other bio-data to prove that they are harmless (like what people do with livestock). Though full of controversy, these ‘temporary’ war measures keep running after the war ends and even till nowadays. And ICT advancement in recent decades arms the passport with more descriptive and imitate bio-data, such as fingerprints.
Back to Galxe, I don’t think that using a passport in a decentralized network will do good. The reasons are as follows:
-
A passport presumes that every identity is suspicious, it also assumes that people cannot prove their identity on their own or by their friends or families. In this way, the passport issued by a central government becomes the only trustful way to prove that their identities are innocent. Therefore, authorities rather than my mom and dad become the person to prove that I am I, that my identity is ‘legal and harmless’ (while also atomic). But what about people before the invention of the passport? Do they travel across countries ‘illegally’? If not, then the risk of losing one’s identity is fictional, and the guilt is artificial.
-
Since the crime of not proving one’s identity is invented rather than by nature, both imposter and compliance become proper businesses. For example, when it is the paperwork rather than Alice herself becoming the only source of trust, anyone who steals the paper could easily enjoy her identity, no matter for mortgage or for immigration, hassle-free.
-
In order to solve the above identity theft problems (compliance), companies tend to require even more personal information from users, such as facial recognition, fingerprints, passphrase questions, and even more official documents, rolling a personal info snowball. Yes, the company may comply with laws perfectly in this stricter and stricter way, but the price of privacy is always paid by the very users themselves.
-
Therefore, when Galxe uses a passport as the form of an identity document, it would also see the same troubles, namely imposters and compliance, just as any centralized governmental documents do. Additionally, because the passport is stored in a wallet, anyone who stole the key off-chain can impersonate the owner smoothly, and take control of both property and identity easily without being recognized.
-
Ever since its birth, passport is a tool more to restrict movement than to aid it. Re-applying this form of document to a web3 service means reducing mobility and liquidity, and fixation to a centralized company (since private info is linked to the Galxe account through KYC). It is against the decentralized ethos and even pushes us, users, back to Web2 big tycoons.
-
Digital twin or digital parasite? If an identity document is trustful only when another identity document (government ID) is submitted and checked, then this identity is only secondary to our real-life identity, a parasite rather than a parallel twin.
Above are all the disadvantages that a KYC-ed passport would confront. Though KYC can help the company quickly solve the problems of compliance, it would cost the identity freedom to a decentralized future.
Conclusion
Since the concept of Soulbound Tokens (SBT) is invented, many attempts and discussions try to instantiate the concept in different ways. Among them, using a KYC-ed passport may be the one method that faces less pressure from governments nowadays, but the merit is at a cost of a more centralized or even web2-styled identification process. When the validity of identity is endorsed only by a single company rather than by users’ everyday activities and interactions, I could not see any decentralized future for identity coming.
I suppose that when a company wants to help build any on-chain identity based on SBTs, it in fact provides a filter to pick personal data out of the massive chaotic data ocean. It is like approaching the final portrait of a stranger only through his/her friends’ words. Different filters mean that various companies can provide identifications focusing on various fields. Therefore, identification is not a one-way-only business, but can be expanded into multiple dimensions. I would love to see more ideas and creativity on SBTs and digital identity, no matter those in web3 applications, in metaverses, or back in real physical life.
If you have any comments on this piece, I would definitely love to hear! You can contact me through Twitter DMs.