It’s been almost three weeks since Fractal ID was subject to a data hack. Since then, our team has been working around the clock to mitigate the negative impacts of the attack for users whose data was accessed and rapidly implement stronger security measures. You can read the post mortem here.
It has been a painful experience for everyone. It never should have happened, and I’m sorry for the burden the attack has placed on our users.
I’ve spent the last seven years hyper-focused on building solutions to tackle the complexities of identity in web3. It’s always been our mission to contribute to a user-owned internet that keeps data safe. We aimed to be a part of the solution, but we fell short and exposed the weaknesses of a centralized KYC system. It’s shaken us, our partners and users, and has driven us to bolster the security of our systems, which we’ve shared in detail in our last post. But more importantly, it has caused us to face the root of the problem head-on.
Today, we want to shed light on the radical changes we’re bringing to Fractal ID to ensure this kind of attack cannot happen again. It’ll be a process to rehaul our systems, and it’s important to understand what got us here in the first place—why established KYC practices became the norm and how this has shaped the way our industry has dealt with user identity.
Let’s start with the obvious question: why do we store user data? Regulators worldwide want to enforce accountability. Financial service providers are asked to ensure access to their users’ data. If ordered by a judge or audited, only the full data will do, not a zero-knowledge proof or a reference to an identity wallet. KYC solutions are needed to satisfy this requirement by verifying a user’s identity and providing access to user data. And it’s not just in web3. Because of the role they play, KYC providers have become giant honeypots of user information, but they don’t need to be.
Early last year Okta, the biggest identity verification provider in the world valued at $16bn, was hacked by a malicious party that impacted all of their customers. That’s right, all customers. Earlier this year, identity giant World-Check was breached, leaving 5.3m users potentially impacted. If these massive companies can’t keep their user data secure, who can we trust? The answer is that you can’t trust anyone. The system is inherently flawed because no one is using a trustless system. Consumers are forced to come to terms with the idea that hacks are inevitable unless we change the system.
In web3, we don’t as easily accept this reality. But the truth is, while we embrace the ideology of decentralization, we have not adopted decentralized identity. We have gotten comfortable with the status quo. Why? Because decentralized identity is hard, and a tradeoff not many want to make. A few examples to bring this reality to life: decentralized identity means interoperability, but that’s against the interest of crypto exchanges that act like web2 players, wanting to keep their users in their walled gardens. Everything centralized will have a better UX (at first), appealing to both web3 native and mainstream users. Because of this, nearly all user data in web3 is stored centrally.
In web3, there is a standard for dApps to be built on trustless systems, but this same requirement is not applied to how we handle user data. It’s been proven time and time again that we cannot be trusted with our data. Centralized data storage, no matter the resources behind it, is vulnerable. It’s a harsh reality, and many hide behind the idea there is a regulatory necessity to store data centrally, but this isn’t true and we know there is an alternative.
To meet regulatory requirements, data needs to be accessible. This means that access to user data needs to be guaranteed, but we can achieve this by allowing control of the data to remain with the user. We can leverage the security of a third-party decentralized storage solution to deliver data sovereignty to the user — ownership and control of their information. It’s the only way to mitigate attacks like the one we suffered. Remove the honeypot of centralized data storage and hackers have nothing to exploit. This is the alternative. This is what Fractal ID will become: dataless.
How? We will delete our user data to the fullest extent possible, and expect to have this complete in one year. We will stop storing most user personal information and instead only store log files and metadata to document the identification process. Fractal ID is moving quickly to develop the technical specifications needed to achieve this future state. We are not leaving our partners and clients alone in this process. Soon we will share a specific roadmap of how we can dramatically reduce data storage in Fractal ID while helping our customers remain compliant and secure. We are more confident than ever that true systems change is needed. Anything short of going dataless would be a bandaid.
We built Fractal ID to offer a solution that the industry needs. KYC was a good place to start in order to build towards decentralized identity systems. KYC isn’t sexy, and it’s not an easy business. Competition is fierce, prices are low and good service means losing money. The security needed to store data and the cost of compliance are usually not factored into the low fee structure. KYC operators are needed by the customers we serve, but deeply disliked by web3 users. And we understand why. The way KYC is done today is riddled with inefficiencies and puts users at risk of data exposure, overreach and gatekeeping. But it is necessary to have safeguards for users and operators in web3, as it’s a nascent ecosystem with immense amounts of capital flowing through relatively underdeveloped systems. KYC is needed if we want our decentralized applications to reach beyond the echo chamber that web3 is today. While we can’t change the need for KYC, we can change how we do KYC: seamless, privacy-preserving and aligned with the ethos of web3 that positions the user at the center of control. This is why we keep going.
Since 2017, I have been driven by the conviction that identity is the missing link in web3. Without proper decentralized identity, we cannot truly adopt open systems and a user-owned internet. I don’t see web3 as an opportunity for revolution. I see it as a tool to transform the current financial system— an evolution that leads to an inclusive, open-source system that is unrecognizable to today’s reality. Decentralized identity is a critical part of enabling this evolution, one that can bring open source and self-custodial solutions to users, first within DeFi, and eventually enter the realm of everyday financial applications.
What we’re proposing is a radical change. A change we should have been bolder to make earlier, without compromise. This new direction doesn’t mitigate the consequences of the attack. It will be little solace to our impacted users. But we are not stopping, because we believe we can create a new standard for KYC in web3. It’s the right thing to do, and more importantly, it’s what is needed to free our industry of the limitations of traditional practices. We are bolstering our leadership and engineering teams to make this happen (more on this later). As we deliver on the commitment to go dataless and enhance the security of our systems, it’s our earnest hope that we can earn back the trust of our community and be measured by the changes this new endeavor will bring.