WORBLI is one side-chain or sister-chain of the EOS mainnet, aiming to provide a platform for various on-chain financial services, and which has significant potential to facilitate mass-adoption for EOS and crypto in general.
Read more about that in one of my earlier articles.
After a 3 weeks delay, the WORBLI user portal is now live, and you can now sign up and apply for a Worbli account. So let’s have a look at the process and how the foundation is handling our precious personal information:
1) What data is actually requested and how it needs to be delivered?
Maybe the easiest way is to just to share what the KYC forms looks like:
So wow, that KYC process is really thorough! In addition to your passport and name details, which are the common information pieces provided for most crypto use cases, with worbli you also need to provide your full postal address, phone number and age. In the telegram channel they said, that the phone and address data are checked for validity. As regards the postal address this is said to be done against public databases. If these are not available or trustworthy, KYC is either not possible or might take a very long time. Anyhow currently the seem to have issues with that verification, which caused quite few discussions in their telegram.
As regards to be uploaded documents, there are three options: passport, drivers license, id. I have no idea for which countries which id’s are eligible:
Beyond that also asking for phone number and birth date feels a bit much, but on the other hand, this is minimum standard procedure with every bank and many other financial service providers. So it might be a lot compared to your standard KYC on crypto exchanges, but nothing out of the question if you try to open a bank account.
2) Is your KYC data safe?
This is one of the major issues when i analysed worbli more closely, and that has been discussed in their telegram channel intensively. The issue is, if all KYC info is with one entity, this entity, in our case the WORBLI Foundation becomes a focal point of attack, and secure storage and handling of data is absolutely critical. They have recently uploaded a video interview with their governance, director of WORBLI governance:
The core informations of this video is:
- In short term, KYC information will be stored off-chain, but will be encrypted, and only decrypted again, if the user permits a dapp to access this data.
- In longer term they intent to encrypt the KYC data with the user’s kay, so large scale hacks get very difficutl to perform.
- KYC data will NOT be stored onchain, because this way it would become immutable (and thus fail to be GDPR (European Data Protection) compliant), and also with evolving cracking methods, KYC could be uncovered and thus eventually all information exposed.
- For the so called Share-drop (which actually is no drop at all), they promise to delete all information that would let them analyse which eos account signs up for worbli after being processed
- No solution is available for the possibility to reverse-calculate (via time-stamps and share-drop amounts), which worbli account corresponds to which eos account. So in theory your worbli account can be traced back.
- Not relevant here, but important as well:
This things are really reassuring, they demonstrate that the WORBLI team is taking those issues seriously and taking the appropriate measures. In my view this is mayby one of the most important of a set of many videos released by WORBLI. As reassuring this is, what i still miss, is that this information is provided as a written announcement, or be included in their terms, which aren’t, because that’s the thing that’s binding when you want to use Worbli.
2) Will Worbli handle your data responsibly?
First of all, those terms cover a lot of stuff which is standard (waivers of software liability etc.), the terms are pretty straight forward, and cover well, what is required by blockchain, kyc processes and GDPR: you need to accept KYC/AML for using your account, you must grant the permission for your content to be public, that your identity is revealed to authorities if demanded, and that you need to stick to (legal) uses of the blockchain. So if you are skeptic about KYC, you certainly won’t like those terms.
I will pick out just a few important chapters or such that are problematic in my eyes:
Platform Terms – 3.1. Licenses: Here they take the right, to alter, rearrange and even possibly relicense and sell you content. At first sight that really sounded the alarm bells with me, and discussed with the WORBLI Team. Whereas i am waiting for an update from them, realising that the platform terms only cover the Worbli Website and Helpcenter (and not the blockchain itself), make this point less critical. Although i still believe this excessive chapter should be just removed.
Network Terms –are actually regulating the Worbli Blockchain itself, and what users and dapps may do with it.
4.2 Licenses, Account opening: You need to declare that you will not give others access to your KYC compliant account, which although unexpected makes a lot of sense.
6. Ownership: Here we learn, that the Worbli foundation takes ownership of the blockchain itself. This is quite uncommon in the crpyto space where, the blockchain mostyl is considered no ones property. Even the EOS consitution calls for “No fiuciary”. Of course Worbli is a project that conciously is launched in a centralised. manner.
9. No other permitted uses: This is more or less an exclusion, that as a user you should not, fork the network or, copy or use its infrastructure for other purposes. this is pretty straight forward, if it was not for point 9.4.
WORBLI reserves the right to change, suspend, deprecate, limit, or disable access to the Network, or any part thereof, at any time without notice. In no event will WORBLI be liable for the removal of or disabling of access to any of the foregoing. WORBLI may also impose limits and restrictions on the use of or access to the Network, may revoke Your access to the Network at any time without notice or liability to You and in its sole discretion.
This is quite problematic as it allows the foundation, to exclude any user they choose from using the network, without the need for any reason or justification, this is certainly meant to counter abuses described in chapter 9, but actually doesn’t mention any goal or criteria, so these are really prone to abuse, especially as in Chapter 11. – Use of the network clearly describes what is permissible and what not, so any access restriction should be tied to these criteria defined.
Finally the data policy, is really a piece well done and covers the spirit of GDPR (european data protection), in the sense that it is clear and easily readable. It describes which data they are using, in the end nothing surprising there, althought they could go a bit lighter, on collecting metadata, e.g user location, when using the service (2.3.9.), or that they use the information if your services and preferences for marketing purposes. This might be inconvenient, but certainly nothing which isn’t industry standard, and you can be sure that the likes of Facebook and Google do a lot more data analysis.
Being compliant to GDPR, they also assert you the access to all information stored about you as well as the right to delete your data upon request. This is of course European law, but still acknowledging it, is an important thing.
All in all, with the two exceptions of claiming the right to sell your (user portal content) and the possibility to kick out any user at mere will which are problematic, those terms are pretty straight forward. As i already said, what i also miss, is more information how user data is secured, since Todor’s explenations are not actually terms, and the actual data protection mentions, are quite shallow.
The new information available demonstrates that the team is taking those matters seriously, and also in general they have really ramped up their communication, their lively telegram channel is a very useful ressource, and the founders and team are active their personally. The video interview shared above is especially reassuring, as it adresses so many critical points with KYC and claiming their sharedrop.
I haven’t performed KYC yet, as there still seem to be quite few launch glitches, so i decide to wait a bit further, until those are resolved. But more importantly i have got the impression, not to overly expose myself, by going through KYC with them.
Update 26.11.2018 – Domenic on current KYC issues an the 10% sharedrop bonus:
Will you apply for a Worbli account? What are your thoughts on their governance update and terms?