Starknet’s Private KYC Demo Reopens The KYC Data Privacy Debate


Last week, the blockchain firm StarkWare demonstrated something that sounds almost contradictory: a way to complete identity verification without handing over your identity.

Using its Starknet network, the company showed how someone scanning a passport could prove a single fact — “I am over 18,” “I hold a valid credential” — while the actual document data never leaves their control. The system uses what are called “zero-knowledge” proofs to let users prove specific attributes without revealing their full passport details or address.

As StarkWare put it bluntly: “Every identity database becomes a liability the moment it exists.”

That line is the real story. It’s worth pondering if you’ve ever opened a bank account, applied for a credit card, or signed up for a brokerage account anywhere in the world.

The Pattern We’ve Normalized For KYC Data Privacy

KYC data privacy gets little attention. Every time you complete the Know Your Customer (KYC) process today, you hand over a bundle: a passport or national ID, proof of address, a photo, sometimes bank statements or tax ID numbers. The institution doesn’t need most of that file forever. It needs to confirm one or two facts at that moment: that you’re real, that you’re an adult, that you live where you say you do. But the convention is “send everything,” and once sent, that document sits in someone’s database, often for years, often duplicated across whichever outsourced verification vendor the institution used.

This is precisely the design flaw StarkWare is pointing at: “Identity checks today ask for your whole document when they only need one fact.”

Every bank, broker, telecom provider, and lending app that has ever onboarded you is now a place where your ID scan could leak. StarkWare cites a roughly 79% rise in data breaches in the US over five years as the backdrop for why this matters now, and breach-cost trends look similar across most major economies.

What “Private KYC” Actually Does

The mechanics are simpler than the cryptography sounds. A user scans their passport; the phone’s camera and NFC chip confirm the document is genuine and signed by its issuing authority. The user then encrypts that identity data to their own wallet, and a few specific attributes — not the document — get registered publicly.

The next time a company needs to verify your identity, it checks a secure digital proof against a trusted registry. The company only gets an answer to the specific question it asked—such as whether you’re eligible or verified—without seeing or storing your personal data. Instead of sharing your full identity, you share only what’s necessary.

This isn’t only a crypto idea — it’s already becoming law in Europe

Here’s what makes this more than a blockchain curiosity: regulators are independently arriving at the same conclusion.

Under the EU’s revised digital identity law, every EU member state must make a compliant digital identity wallet available to citizens by December 31, 2026, built on three design rules: selective disclosure, no centralized data system, and user-controlled access.

In practice, only necessary personal data will be shared, applying data minimisation and selective disclosure by design — so a bank or broker could confirm you’re over 18 or a verified resident without ever holding your full ID file. This is meant to support identity verification and KYC processes without exposing unnecessary personal data.

So the underlying idea — prove the fact, not the file — is being tested from two completely different directions: a crypto-native demo, and a binding EU regulation with a hard 2026 deadline. That convergence is a stronger signal than either alone.

Three pitfalls before this reaches your everyday banking

  1. “Demo” and “mandated” are not “live.” StarkWare’s system is a proof-of-concept with no rollout timeline. Even the EU’s wallet, despite a legal deadline, is still in pilot and interoperability testing across member states. Businesses connecting to the EU wallet may largely buy “access-as-a-service” from identity verification vendors — meaning a new layer of intermediaries, not necessarily fewer of them.
  2. Selective disclosure isn’t automatically un-traceable. Researchers reviewing the EU wallet’s technical design have flagged that the lack of untraceability safeguards for attestations and identity data compromises privacy — proving one fact repeatedly to different verifiers can still create a pattern that links back to you, even if no single verifier sees your full document.
  3. The trust still has to live somewhere. Whether it’s a blockchain registry or a government-backed wallet, something initially certifies your document is genuine. Verification still depends on a qualified attestation provider confirming attributes like name or age — if that issuing layer is compromised, the risk hasn’t disappeared, it’s relocated.
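
The linkability risk in pitfall 2, as an added example that is not StarkWare's or the EU wallet's code: it uses salted-hash commitments (not zero-knowledge proofs) with an HMAC standing in for the issuer's signature, and shows that reusing one credential with two verifiers leaves a shared identifier even though only "over 18" is disclosed. All function names, the key and the sample passport are constructed for illustration.

```python
import hashlib, hmac, json, secrets

# Constructed demo key. HMAC stands in for the issuer's digital signature.
ISSUER_KEY = b"constructed-demo-issuer-key"
# Constructed sample document data; never leaves the holder in full.
PASSPORT = {"name": "Constructed Person", "over_18": True, "resident": "EU"}

def _digest(name, value, salt):
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def _tag(digests):
    return hmac.new(ISSUER_KEY, json.dumps(digests).encode(), hashlib.sha256).hexdigest()

def issue(attributes):
    """Issuer: commit to each attribute under a fresh salt, authenticate the digest list."""
    salts = {n: secrets.token_hex(16) for n in attributes}
    digests = sorted(_digest(n, v, salts[n]) for n, v in attributes.items())
    return {"attributes": attributes, "salts": salts, "digests": digests, "tag": _tag(digests)}

def present(cred, name):
    """Holder: disclose one attribute and its salt; the others stay opaque digests."""
    return {"digests": cred["digests"], "tag": cred["tag"], "name": name,
            "value": cred["attributes"][name], "salt": cred["salts"][name]}

def verify(p):
    """Verifier: check the issuer tag, then that the disclosed value was committed to."""
    if not hmac.compare_digest(_tag(p["digests"]), p["tag"]):
        return False
    return _digest(p["name"], p["value"], p["salt"]) in p["digests"]

def linkable(p1, p2):
    """Two verifiers comparing records: the same tag means the same credential."""
    return p1["tag"] == p2["tag"]

if __name__ == "__main__":
    cred = issue(PASSPORT)
    bank, broker = present(cred, "over_18"), present(cred, "over_18")
    print("both verify:", verify(bank) and verify(broker))
    print("same credential reused, linkable:", linkable(bank, broker))
    # Mitigation sketch: one freshly salted credential per verifier.
    fresh = present(issue(PASSPORT), "over_18")
    print("fresh credential, linkable:", linkable(bank, fresh))
```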

What to do in the meantime

Until “prove the fact, not the file” reaches your everyday bank or broker, wherever you live, the practical defense is mundane: ask vendors why they need a full document rather than just a fact; favor institutions that mask or tokenize your ID number rather than storing the full image; and treat every KYC submission, anywhere in the world, as a future breach you can’t fully take back.


What is India’s DigiLocker?

It’s a wallet, but not the same kind of wallet as Starknet’s demo or the EU’s model. Here’s the distinction.

DigiLocker is a document wallet, not a selective-disclosure identity wallet; at least not yet, in practice.

What DigiLocker actually does: it’s a government-run cloud locker where issuers (RTOs, UIDAI, CBSE, universities, income tax department) push verified documents directly into your account, and you share them via QR code or link.

Documents shared through DigiLocker are legally treated at par with physical certificates under IT Act amendments. It has roughly 300+ million users and covers 1,500+ document types from 150+ issuers. That’s genuinely useful as it kills the photocopy-and-courier problem.

The practical difference for you as a user:

| The What | DigiLocker (today, typical use) | EU Digital Identity Wallet / Starknet demo |
|---|---|---|
| What gets shared | Usually the full document | Just the specific attribute (e.g., “over 18”) |
| What verifier receives | A complete ID copy | A proof, not the underlying data |
| Architecture origin | Document digitization, retrofitted with VC support | Built from the ground up around selective disclosure |

That said, this is shifting:

  • DigiLocker has started issuing documents as verifiable credentials, and providers building on top of it note that selective disclosure allows users to share only the information required, not their entire identity, and credentials can be stored in digital lockers or wallets giving users full control over what they share. So the capability is being layered in.
  • It’s also explicitly being positioned in that global category. One industry comparison places DigiLocker alongside the EU’s mandated digital identity wallets as one of the world’s largest digital credential platforms, even though the two were built on different philosophies.
