I recently received an email requesting that I complete and submit the W-8BEN form. I have filled out the PDF, but I am unsure about the way to submit it back to the team.
The instructions imply sending it via email (to Finance_SNO@storj.io), but I am concerned about the security risks. The W-8BEN form contains highly sensitive Personally Identifiable Information, and I am not comfortable sending this information as a plain, unencrypted email attachment.
Could someone from the team or experienced SNOs clarify the following:
Encrypted Attachments: Does the finance team accept password-protected ZIP files? My plan is to send the encrypted file in one email and the password in a separate email.
Cloud Links: Alternatively, is it acceptable to send a secure, temporary download link (e.g., Google Drive/OneDrive) instead of a direct attachment?
Confirmation: After sending the document, will there be a confirmation email to verify that the form has been received and processed successfully?
I want to ensure I follow the correct procedure to remain compliant while keeping my personal data secure.
The form contains a legal name, address, country of tax residence, and a signature. For most non-US persons there is no SSN on it. A foreign tax identifier, if provided, is not an authentication secret. Possession of the document does not enable tax filing, account access, credit fraud, or identity takeover.
This is routine administrative identity data with a limited abuse surface.
I agree that email is not optimal: it sticks around and gets forwarded. That makes it a poor default for signed identity documents.
Storj could provide a standard signing and submission path using a common platform such as DocuSign or similar. There are plenty of those nowadays. They don’t, and it’s not a big deal.
Either way, labeling a W-8BEN as high-impact identity exposure is inaccurate.
Requests Name, Address, Country, DOB, Tax No’s and contains valid email address. That’s a good start to credential stealing / takeover.
Way too much information to be transmitted possibly unencrypted IMO.
Isn’t the communication between email providers TLS encrypted? So only they could read the email content? Am I mistaken?
The password-protected zip isn’t secure. It can be cracked by brute force easily. Or at least it used to.
I don’t see a secure way to send something only by email. If the email provider concerns you, then no matter what you use and in how many emails you send the info, it could see and access all the stuff your destination can. So, why bother?
One possible secure way I see: send decryption keys by telegram/signal/etc or at least by one email provider and the encrypted message by another email provider.
I’m not an expert in these encrypted communications, so maybe there are simpler ways.
It’s almost universally encrypted. But SMTP allows downgrading to a plaintext connection if that’s the best common denominator between points. The concern is purely theoretical. Especially for public record data.
In most cases, only transport between servers is encrypted (which can silently fall back to unencrypted). EMails are often stored in plain text.
EMail is not considered a legal document, cannot be used as evidence, and should never be used to transmit sensitive data.
Maybe when you hit this point, it’s time to set up an “SNO Account”, and register your Nodes with this account, and provide relevant Tax documents in a secure manner (and trust that Storj are storing it appropriately)
By email has to be the laziest most insecure way possible.
Now, if I change operator.email and/or operator.wallet prior to hitting $600, do I avoid this requirement?
SSN is also not meant to be a secret. It’s an ID number. It’s being used as a secret but it’s wrong usage. I don’t treat mine as one. Instead, I have frozen my credit report. My SSN now is entirely useless. Even if you know it — you can’t do anything with it.
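
Several replies above note that SMTP encryption between servers can silently fall back to plaintext. The following is an added example, not part of any post in this thread: a check that reads the `Received` headers of a delivered message and reports which hops did not record a TLS-protected transfer, using the "with" protocol keywords registered by RFC 3848. The sample message and all host names in it are constructed.

```python
import email
import re

# "with" protocol keywords that indicate the hop ran over TLS (RFC 3848, RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
BY_RE = re.compile(r"\bby\s+(\S+)")
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)")

# Constructed sample (not real traffic): three hops, the middle one without TLS.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.10])
\tby store.recipient.example with ESMTPS id abc123
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
\tMon, 01 Jan 2024 10:00:03 +0000
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id def456;
\tMon, 01 Jan 2024 10:00:02 +0000
Received: from laptop.local (unknown [192.0.2.55])
\tby relay.isp.example with ESMTPSA id ghi789;
\tMon, 01 Jan 2024 10:00:01 +0000
From: sender@sender.example
To: finance@recipient.example
Subject: constructed sample

body
"""

def hop_report(raw_message):
    """Return one dict per hop, ordered from sender to recipient."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Each server prepends its Received header, so reverse for travel order.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        by = BY_RE.search(flat)
        proto = WITH_RE.search(flat)
        protocol = proto.group(1).upper() if proto else "UNKNOWN"
        hops.append({"by": by.group(1) if by else "?",
                     "protocol": protocol,
                     "tls": protocol in TLS_PROTOCOLS})
    return hops

def plaintext_hops(raw_message):
    """Names of receiving servers whose hop was not marked as TLS."""
    return [h["by"] for h in hop_report(raw_message) if not h["tls"]]

if __name__ == "__main__":
    for hop in hop_report(SAMPLE):
        print(f'{hop["by"]:28} {hop["protocol"]:8} tls={hop["tls"]}')
```

Each `Received` header is written by the server that accepted the message, so only the ones added by your own provider are trustworthy, and none of them says anything about how the message is stored at rest.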