Coinbase Faces Lawsuit Over Alleged Unauthorized Biometric Data Collection

Illinois residents have filed a class-action lawsuit against Coinbase, accusing the cryptocurrency exchange of illegally collecting and sharing their biometric data without consent. The lawsuit, filed on May 13, claims violations of the Illinois Biometric Information Privacy Act (BIPA) and the Illinois Consumer Fraud and Deceptive Business Practices Act. BIPA is a law that protects the privacy of individuals’ biometric data, such as fingerprints or facial recognition.

• Class-action lawsuit filed against Coinbase for unauthorized biometric data collection.
• Alleged breaches of Illinois privacy laws and consumer fraud statutes.
• Third-party vendors implicated in the sharing of user data.
• Zero-knowledge proof technology suggested as a privacy-preserving alternative.

The lawsuit alleges that Coinbase requires users to upload a government-issued ID and a selfie for identity verification, which are then analyzed by third-party facial recognition tools without users’ explicit consent. The data is allegedly shared with vendors such as Jumio, Onfido, Au10tix, and Solaris, raising significant privacy concerns.

The plaintiffs are seeking damages of $5,000 for each reckless or intentional violation of BIPA, and $1,000 for each negligent violation. They also demand that Coinbase cease its alleged data practices and cover court costs. This legal action follows over 10,000 arbitration demands filed against Coinbase, which were dismissed due to the company’s failure to pay the required fees.

This isn’t Coinbase’s first dance with legal troubles. In May 2023, a similar lawsuit regarding facial recognition during the onboarding process was filed against them. More recently, a data breach involving bribed customer support agents led to six additional class-action lawsuits between May 15 and May 16. Coinbase’s ongoing legal issues highlight the challenges of maintaining user privacy and security in the crypto world.

Nanak Nihal Khalsa, co-founder of Holonym, a company focusing on privacy and identity solutions, commented on the situation. He stated, “The Coinbase breach proves what we’ve known all along, KYC without zero knowledge is a privacy time bomb. You can’t collect and warehouse millions of user identities without eventually becoming both a target and a liability.” Khalsa advocates for the adoption of zero-knowledge proof technology, which allows users to prove their identity without revealing personal details, as a way to enhance privacy in the crypto industry.

At no point during the verification process are Coinbase users asked to consent to the collection of their biometric information, notified that their biometric data will be collected by an unrelated third party, nor provided with any information about the process.

Zero-knowledge proof technology is like the secret agent of the crypto world. It lets you verify information without spilling the beans, similar to proving you know a secret without revealing what the secret is. This technology could revolutionize how we handle identity verification, allowing users to maintain their privacy while still complying with regulatory requirements.

But let’s not forget the irony here. Coinbase, a company dealing in decentralized currencies, is facing heat for centralized data collection practices. It’s like trying to mine Bitcoin with a shovel—inefficient and out of touch with the spirit of the technology. The crypto industry prides itself on privacy and decentralization, yet here we are, dealing with the fallout of a company that seems to have forgotten those principles.

Coinbase’s legal troubles underscore a broader issue within the crypto industry: the balancing act between security and privacy. As regulatory scrutiny over data handling practices intensifies, the industry may need to look towards innovative solutions like zero-knowledge proofs to protect users’ biometric data while ensuring compliance.

Key Takeaways and Questions

• What is Coinbase being sued for?

  Coinbase is being sued for allegedly violating the Illinois Biometric Information Privacy Act (BIPA) by collecting and sharing users’ biometric data without consent during its identity verification process.

• What specific biometric data was collected?

  The lawsuit mentions the collection of facial data through selfies and government IDs, which were analyzed by third-party facial recognition tools.

• What are the potential penalties Coinbase faces?

  The plaintiffs are seeking damages of $5,000 for each reckless or intentional violation of BIPA, $1,000 for each negligent violation, plus an order to stop the alleged data practices and cover court costs.

• How has Coinbase responded to previous legal issues?

  Coinbase faced similar lawsuits in May 2023 and was involved in a recent data breach that led to six class-action lawsuits, highlighting ongoing legal and privacy challenges.

• What alternative to traditional KYC processes was suggested?

  Nanak Nihal Khalsa suggested using zero-knowledge proof technology, which allows users to prove their identity without revealing personal details, as a future solution to privacy concerns in identity verification.

As the crypto industry continues to evolve, the balance between security and privacy remains a critical issue. While Coinbase navigates these legal challenges, the broader conversation about how to protect users’ biometric data while ensuring compliance with regulations is just beginning. And while we’re on the topic of privacy, let’s not forget the irony of a company dealing in decentralized currencies facing such centralized data collection issues. It’s like trying to mine Bitcoin with a shovel—inefficient and out of touch with the spirit of the technology.