Tell HN: Coinbase keeps photos of your ID indefinitely
I verified my identity with Coinbase in 2017. I recently submitted a privacy access request and Coinbase sent me back unredacted photos of my ID, as well as previous addresses and phone numbers I no longer possess.
I’m not sure if this is due to regulation, I’ve worked with ID verification and sensitive data was redacted after 30 days. Indefinite retention seems pretty dangerous. There have been quite a few reports of Coinbase account takeovers, so this provides a vector for bad actors to gain full copies of your ID. Not to mention the data being leaked if Coinbase itself is hacked.
18 comments
[ 3.0 ms ] story [ 51.5 ms ] threadhttps://bsaaml.ffiec.gov/manual/Appendices/17 > A bank must retain the identifying information about a customer for a period of five years after the date the account is closed, or in the case of credit card accounts, five years after the account becomes closed or dormant.
https://www.investopedia.com/terms/k/knowyourclient.asp
There are similar KYC regulations and data retention laws in Europe.
> The General Data Protection Regulation (GDPR) gives individuals the right to ask for their data to be deleted and organisations do have an obligation to do so, except in the following cases:
...
> there is a legal obligation to keep that data;
https://commission.europa.eu/law/law-topic/data-protection/r...
https://www.gov.uk/guidance/money-laundering-regulations-you...
I assume most civilised jurisdictions have similar requirements.
In the UK the limit to sue someone in the vast majority of cases is 6 years, so I would keep anything I could need to counter a civil suit or to sue for 6 years after the fact in any case. I expect it's similar in other countries.
Have a new number, so had to update 2FA. It gave me one try to update my 2FA, but the message never arrived, and now I am locked out again.