Privacy-focused Aleo users concerned after KYC documents leak
Decentralized blockchain platform Aleo experienced a significant privacy breach on Feb. 25, as KYC documents of some users were mistakenly shared with others. Aleo, known for its commitment to zero-knowledge (ZK) cryptography, relies on a third-party protocol for its Know Your Customer (KYC) process, raising questions about the security of personal data on the platform.
A Surprising Email Exchange
Emir Soytürk, an Aleo user, reported receiving an email containing KYC documents, including selfies and ID card photos of another individual. This incident has sparked concerns over the platform’s data security and privacy measures. Another user, Selim C, corroborated this claim, stating he also received another person’s KYC documents.
KYC and Privacy Concerns on Blockchain
To engage with Aleo’s services, including claiming rewards, users are required to complete KYC and Anti-Money Laundering (AML) requirements and pass the Office of Foreign Assets Control (OFAC) screening. This process, conducted through HackerOne, involves the collection of unencrypted user data, posing a significant risk to privacy.
The Irony of Privacy-focused Platforms
The leak is particularly ironic for a platform like Aleo, which prioritizes privacy and security through the use of ZK-proof cryptographic techniques. These techniques aim to ensure transaction confidentiality without revealing sensitive information, offering users enhanced privacy.
Mike Sarvodaya, founder of Galactica, a layer-1 blockchain infrastructure, commented on the incident, highlighting the paradox of a privacy-centric platform using a third party for unencrypted data collection. According to Sarvodaya, this incident underscores the need for secure data storage and proof systems, such as those based on ZK or fully homomorphic encryption (FHE), to protect Personally Identifiable Information (PII).
Looking Forward
Despite the setback, the Aleo Foundation is preparing for the mainnet launch in the coming weeks, aiming to enhance privacy in crypto transactions. This incident serves as a reminder of the ongoing challenges in ensuring data privacy and security in the blockchain space.