Thoughts on Sumsub?

Hey homies, hope you've all been well! Have you been drinking enough water lately?

I wanted to drop in and see what our audience's sentiment was towards this company:
https://sumsub.com/

 

They also have a fairly popular YouTube channel as well for what that's worth:

https://www.youtube.com/@Sumsubcom

 

To my understanding, Sumsub does identity verification for companies and businesses, similar to https://www.id.me/ for US citizens or https://verified.me/ for Canadians.

 

Doing some quick Googling online, review sites seem mixed on the service, but not sure how accurate they are since the service is geared more towards businesses than consumers:
https://www.gartner.com/reviews/market/online-fraud-detection/vendor/sumsub/product/sumsub
https://ca.trustpilot.com/review/sumsub.com

Would love to get opinions from everyone and see where people's heads were at on Sumsub. As always, we appreciate your input with any and all sponsors 🙂


At a quick glance I'm unsure. To be honest, I think it'd probably be smart to just stay away from any ads that involve bitcoin or NFTs. Generally a sore point lately, it seems.

~

Look forward towards the future, the past is now behind you.


Doesn't seem like a terrible company, although I might venture to guess that it may be a little over the heads of us mortals, as the service is aimed more at corporations and businesses.

 

I like their stance against fraud, I'm just not sure how relevant it would be to this community. Most of the people here just need MFA, a password manager, Malwarebytes, sometimes a good VPN, and common sense to be safe online.

 

2 hours ago, TechuntrTM said:

At a quick glance I'm unsure. To be honest, I think it'd probably be smart to just stay away from any ads that involve bitcoin or NFTs. Generally a sore point lately, it seems.

Sumsub isn't about cryptocurrency (although they do list it as a selling point), they're about fraud prevention. Fraud prevention can definitely extend to NFTs and cryptocurrency, but that's not the main drive behind the company.

Quote or tag me( @Crunchy Dragon) if you want me to see your reply

If a post solved your problem/answered your question, please consider marking it as "solved"

Community Standards // Join Floatplane!


52 minutes ago, Crunchy Dragon said:

Doesn't seem like a terrible company, although I might venture to guess that it may be a little over the heads of us mortals, as the service is aimed more at corporations and businesses.

 

I like their stance against fraud, I'm just not sure how relevant it would be to this community. Most of the people here just need MFA, a password manager, Malwarebytes, sometimes a good VPN, and common sense to be safe online.

 

Sumsub isn't about cryptocurrency (although they do list it as a selling point), they're about fraud prevention. Fraud prevention can definitely extend to NFTs and cryptocurrency, but that's not the main drive behind the company.

Ok, that makes sense, but I also agree with your point of the viewer base not being really the right demographic.

~

Look forward towards the future, the past is now behind you.


So it seems the idea behind it is if you want to sign up to a website such as, say, an online gambling website or a crypto exchange, instead of that website handling the ID verification, SumSub will do it and just pass along the ID Verified status to the website. The idea in principle isn't necessarily bad. Having lots of different websites storing personal information on you isn't particularly a good thing, and for the businesses, setting up those systems and the red tape can be a significant hurdle. However, if you're having one trusted platform doing all of the verification then you really need to trust them. In order to be verified you're handing over a lot of sensitive personal information, including name, address, date of birth, phone number, ID documentation, biometrics (face scanning), and more. Basically everything somebody would need to commit identity theft and fraud. Even if SumSub are completely ethical there is still the potential for data breaches - just look at what happened to LastPass. Having all of your critical personal information and identity documents exposed could be catastrophic.

 

I'm also curious whether services that are legally required to store and/or verify personal information of their users such as financial/crypto exchanges or gambling websites are even allowed to use third party identity verification services or if they're legally required to hold that information themselves.

Do the businesses that are using SumSub for verification have access to any of the personal information, if so, what?

What happens if law enforcement gets involved and requests user identity data from the business?

 

It seems SumSub also gathers a lot of information about users from the businesses as well. SumSub advertises that they monitor user transactions on the business's service (such as monitoring finance/crypto trades) and that they can even monitor users' gambling behaviour. Why are they gathering this information? What are they using it for?

In general, what is SumSub doing with the personal information and tracking data they collect? Do they sell that data?

 

It would be interesting to know what information they store on users, how they store it, when they delete it, and how easy it is for users to delete their data. For example, are identity documents such as photos of driver's licences or passports destroyed after the user is successfully verified, or are copies of that data stored indefinitely?

 

Which country or countries are SumSub storing or sharing data within? Which countries are their data centres located in?

What about businesses operating in countries that have data residency laws that require businesses to collect and store data inside the country?

 


From a business standpoint, if you were a business that used SumSub to verify your users' identities, what would happen if you wanted to terminate your agreement with SumSub? Would you be able to get a copy of your customers' personal information so you could migrate to a different ID verification system or do ID verification yourself? Without it the business would lose access to all of their identity verification, which may result in them being locked in to doing business with SumSub indefinitely. What happens to those businesses if SumSub goes out of business?

 

What if SumSub decides they don't like the business you do? What if you're a porn website that uses it to verify actor/model IDs & ages and then SumSub decides that it morally objects to gay porn and cuts you off from its services? Credit card companies and payment processors (like PayPal, Stripe) do stuff like that all the time and it can significantly impact a business.

 

If you were a startup business that is required to do identity checks for your users then it may be tempting to go with an off-the-shelf, ready-made ID verification solution like SumSub, but my concern would be getting locked in to using their system with no way to migrate out if you wanted to switch to a different solution or build your own. I would be cautious about being reliant on a third party.

 

 

As for the SumSub company itself, I have some concerns about where they are actually located and who the directors are. The Co-Founder names listed on the website About Us page do not appear to be their real legal names. The business filings and registrations list their real legal names. Considering their company is based on the principle of verifying real identities, it seems strange to me that they're not using their real legal names on their company website.
They claim to be based in the UK, and they are a registered business in the UK, but it seems that they're maybe based out of Cyprus? The UK company is owned by a Cyprus-based company and the directors' country of residence is listed as Cyprus. SumSub Ltd is registered as a business in Cyprus as well, along with several other companies they are registered as directors of operating from Cyprus. I'm not sure if they actually have offices in the UK that they're actually operating from or if it's just a shell company with a mailing address in the UK so they can register as a UK business and claim to be based in the UK. It's possible that they are actually operating multiple offices internationally, but to me if the directors are located in Cyprus, the businesses are registered in Cyprus and owned by Cyprus-based companies, and they have offices in Cyprus, then it seems to me that they're based in Cyprus, not the UK.

This goes back to where users are handing over large amounts of personal information and ID documentation and need to trust who they are sending it to. Where the company is based and operating from and where the user personal data is being sent and shared with is very important. Cyprus might not have the same laws and regulations for protecting private data that somewhere like the UK has. They need to be absolutely transparent about where the company is based and where the data is being sent, and I'm not convinced they are being transparent.

 

I'm quite happy if SumSub would like to respond to or clarify any of the concerns I listed.

CPU: Intel i7 6700k  | Motherboard: Gigabyte Z170x Gaming 5 | RAM: 2x16GB 3000MHz Corsair Vengeance LPX | GPU: Gigabyte Aorus GTX 1080ti | PSU: Corsair RM750x (2018) | Case: BeQuiet SilentBase 800 | Cooler: Arctic Freezer 34 eSports | SSD: Samsung 970 Evo 500GB + Samsung 840 500GB + Crucial MX500 2TB | Monitor: Acer Predator XB271HU + Samsung BX2450


7 hours ago, Spotty said:

They need to be absolutely transparent about where the company is based and where the data is being sent, and I'm not convinced they are being transparent.

This irked me a little bit as well. Transparency is one of the huge reasons why I started migrating from Google to Proton.

Quote or tag me( @Crunchy Dragon) if you want me to see your reply

If a post solved your problem/answered your question, please consider marking it as "solved"

Community Standards // Join Floatplane!


For me, seeing some stuff does not play nice with Proton.

I salt my data (that goes into the public) heavily.

MSI x399 sli plus  | AMD theardripper 2990wx all core 3ghz lock |Thermaltake flo ring 360 | EVGA 2080, Zotac 2080 |Gskill Ripjaws 128GB 3000 MHz | Corsair RM1200i |150tb | Asus tuff gaming mid tower| 10gb NIC


  • 4 weeks later...

I wouldn't feel comfortable with the ethics of pushing a product/service that is specifically intended to be used for gambling services. It's too closely affiliated with profiting off of human harm for my liking. For example, the superannuation fund I'm with will not invest in Amcor, a packaging company, because they do cigarette packaging.

This topic is now closed to further replies.