Kraken Biometrics Storage Policy - A Customer Support Experience

First of all, there is no “outlandish” industry practice I am trying to expose here, just my own observations and my own thoughts on why I have an issue with this, and why I posted this on my blog to help others exercise their own discretion.

Commentary

Someone referred me to try out a cryptocurrency exchange (full disclosure: I have absolutely zero experience with cryptocurrency), and I picked one of the exchanges they recommended as friendly to U.S.-based banks and customers, Kraken.

I know cryptocurrency exchanges have pretty strict KYC/AML policies; however, what I did not expect was the long-term storage of biometric data, for up to years AFTER you close your account (which may very well be because of serious security concerns).

The reason I have such a big issue with this is clear: if someone online provides my correct DOB and SSN, you might still have some reservations about whether they are the real me. However, if they got their hands on my biometric data (driver’s license photo, a selfie, etc.), they could easily impersonate me.

And yes, regular banks and some financial services do retain such data (except the “live selfie”, which can be used to authenticate as me against many similar identity verification (IDV) services out of context); however, the cryptocurrency industry is littered with scandals and data breaches where “proofs” of security are sometimes questionable or even outright false. While the loss of cryptocurrency is usually finite and is largely an elastic risk (depending on how much you are willing to put into it), the loss of your identity is not, and when that loss potentially includes your biometric data, the risk is even higher. This is why I refuse to let such platforms be in control of my biometric data long term.

And note that while Plaid holds the data, they are only the data processor; the Data Custodian is Kraken. This is clearly stated in Plaid’s Biometric Data Policy and Release Agreement, which means, hypothetically, let’s say it is X years later, there is a concerning leadership change at Kraken, and you decide to close your account: they can still hold the data for up to 3 years after you close your account. Additionally, since Kraken is the Custodian, it is fully within their rights to migrate the entirety of the data somewhere else.

Transcript

The name of the agent is replaced with “Jane” for privacy reasons.


Welcome to Kraken Support! I am Kai, your virtual assistant. 🐙

How can I help you today? 😊


Hi, your Biometrics Policy mentions:

Kraken will permanently destroy an individual’s Biometric Data when the lawful purposes for collecting or obtaining such Biometric Data have been satisfied, or within 3 years of the individual’s last interaction with Kraken, whichever occurs first.

What does “satisfied” mean? Please be more specific: is it soon after I complete my verification, as long as I have an account with you, or something else?

Chat with a specialist 🧑‍💻


A specialist should get back to you within 77 minutes. I’ve transferred your request to a specialist who can provide more detailed assistance regarding our Biometric Data Policy. They’ll be with you shortly. Thank you for your patience! 😊

For a smoother support experience, we suggest continuing to chat with us via our mobile apps, where you’ll be notified as soon as we reply.

https://support.kraken.com/hc/en-us/articles/360001332083


I will be away from my browser, so please answer clearly so that we don’t have to waste each other’s time going back and forth. Please state clearly the number of days for my TX, US based account during which you or Plaid may store my biometric photos, including my ID card photo and my selfie.

If any answer is greater than 365 days or the lifetime of my account, I respectfully request my account to be closed, thanks. I have privacy and security concerns over the cryptocurrency exchange ecosystem as a whole and I would prefer we do not proceed.


Jane:

Hi, thank you for reaching Kraken support! My name is Jane, let us work together on your concern today. Please allow me a few minutes to review the conversation above.


Hi, thank you. Nice, it is much less than the 77 minutes the agent said, but yes, please see above.


Jane:

Thank you for your patience as we handle an increased volume of support requests.

Could you share the original notification you received or the article you saw for this, please?


https://www.kraken.com/legal/biometrics-policy Section “Retention Schedule”

3 years AFTER I closed my account is unacceptable to me. This is why I am asking for clarification on what the “whichever occurs first” actually means.

And the verification UI didn’t clearly list the number of items I must transmit to you before I actually start providing PII to you. Please understand I have my reservations and want to understand the whole lifecycle before I start providing any PII or biometrics.


Jane:

Thank you for waiting.


Also, as a notification, I may post the transcript of this chat online for other people to reference, because other users might have the same confusion about what that sentence actually means. This is not a threat, just so you know; it is Texas, recording law, blah blah.


Jane:

Your question’s answer is regarding the retention of your biometrics: we will permanently destroy your Biometric Data when the lawful purpose for collecting or obtaining it is fulfilled, which is your use of it, or within 3 years of the individual’s last interaction with Kraken, whichever occurs first. It is either you ask to remove it, or we will remove it within 3 years if not asked to remove it.

Please see more information here: https://www.kraken.com/legal/privacy/us-notice


“you ask to remove it”

So if I verify right now, I can ask for it (my ID photo and selfie, if required) to be removed as soon as verification succeeds, right? And it would be deleted immediately, is what you are implying?

You can keep my legal name and DOB and/or SSN on file, but you must delete my biometrics, is what I am asking.

The issue is clear: if someone comes to you with a valid DOB/SSN, you wouldn’t trust that they are that person. However, if my driver’s license photo got leaked, they could easily steal my identity online, and it is impossible to “revoke” a driver’s license photo. That is why I do not consent to any long-term storage of such photos.


Jane:

I understand where you are coming from, but rest assured that Kraken protects Biometric Data using the reasonable standard of care within our industry and in a manner that is the same as or more protective than the manner in which we store, transmit, and protect other confidential and sensitive information, such as personal information, account access credentials, and financial information.


Yes, but I still need a clear answer on whether this data can be promptly deleted. From your previous wording I interpreted it as: I can request it to be deleted as soon as I become verified, and you will delete it shortly without reservation. Am I correct?


Jane:

The ID and other materials for verifying your account are not removed from your account, as they are used for future reference, like future verification if needed, such as verifying transactions if they encounter an error.

We retain your documents while you have your Kraken account opened, and some time after you have closed your account. We are unable to manually delete them until we can lawfully do so.


Okay, thanks for the help, we cannot proceed then, but thanks for the help anyway. I hope you have a nice day.


(A UI suggestion I made to Kraken to clearly list the items needed for verification on the UI, I forgot to save this message)

(I closed my account and the UI kicked me out)


(Messages I received through email after my online session had been invalidated; do they really think I was bluffing with my bottom line?):

Jane:

Thank you for your suggestion. We have it on the website regarding verification, advising what is needed for the account to be verified. Please see it here: https://support.kraken.com/en-us/articles/201352206-Verification-level-requirements

We also provide you more details of which documents to provide to verify account here: https://support.kraken.com/hc/en-us/articles/360000672203-Document-requirements-for-verification

May I ask if you are still there? I want to make sure we are able to assist you with your issue.

Please let me know if you are still available to chat.

It seems you are already away from your screen. I’ll let you go for now, but kindly note that we are here 24/7. If you do have any additional questions or if you need any clarification, please do not hesitate to let us know.

We’ll be here to help you! Thanks for contacting Kraken. 🐙
