Is this level of governance and sophistication really typical of vendors in this space? Sprawling enterprises I can imagine losing track of the odd place or two where the credentials are used, but a vendor who only does one thing, specifically a high-trust thing like this?

Even if they don’t have the wherewithal to be thorough in-house, am I confused to imagine that such a firm would have to carry insurance, which would tend to bring in specialists to make sure this kind of remediation is done right?

Not to say that your vendors have to be perfect, but if they have a known credential leak for 18 months that's pretty negligent.

We have various private companies taking copies of our ID; in the UK, you'll have scans of your passport/driving licence taken for various reasons.

We shouldn't have to trust them to get it right; and I suppose the threat for them is fines if they don't, but it's not good enough.

Probably, a more solid solution would be to offer a government ID service where these companies check against a central database that already holds your information and then they have to keep nothing.

If I hire a car, I provide the rental agency a code that gives them temporary access to my driving record to ensure it meets their requirements, it's a one-time code and I request it when required and provide it to them; something similar could be adopted for other purposes if they have a legal requirement to verify your identity.

They’re not in the business of being trustworthy or secure, it’s just another software shop trying to grow product.

> which would tend to bring in specialists to make sure this kind of remediation is done right?

Ideally, sure. In reality an insurance company has many thousands of customers, they can’t possibly do any real assurance beyond basic compliance. Managing access and credentials is a hard problem for well staffed security teams, let alone a single compliance auditor.

Maribel again with Uber Support. Thank you for your patience while I took a further look at the deletion request. Unfortunately, we are unable to delete all of your information on the account due to security measures. Please visit our Privacy Notice for more details, specifically the sections titled E. Data retention and deletion. As of May 12, 2024, your account was marked for deletion. Keep in mind that deleting your driver account is permanent and will automatically delete your rider account as well. Any credits associated with your accounts will be lost. Additionally, I want to emphasize that we have strict security measures on the platform to ensure that your personal information and your safety are secured. Your understanding is appreciated.

First, because they're probably just outright lying to imply they're taking security as a paramount priority. They're likely following minimal guidelines to cover their own asses legally.

Second, because it's physically impossible for them to guarantee data security. It's like making a promise to a child that they're never going to die. A security breach is a matter of probability, not a door you can close and forget about. A society that allows companies to make absolute assurances about security at all is endangering itself. But it also means that levels of security and due diligence are difficult to quantify because we don't even conceive of it as a probabilistic issue.

(I also just watched the new Ashley Madison doc and it's really sticking with me that they made up fake certificates of security while putting virtually no effort into the real thing, and actively chose to play chicken with their users' data when they had the option of closing up shop - an extraordinarily clear case of being blinded by greed, especially as the payout was obviously forfeit if the hackers followed through. Both of these choices should have legally put much of the blame for the fallout and suicides on the CEO.)

But more generally, GDPR has multiple legal bases for processing other than consent, and for any other than consent the processor might still be able to process data despite the right to be forgotten. And IME big company data processors tend to interpret these exceptions quite liberally, hoping people won't have the means to challenge their decision.

1. Develop features at any cost, over-collect data, neglect security

2. Hacker gets in, pick the entirety of the data made readily available, credit card numbers, social security numbers, prod credentials, sexual orientation predictions that the company made on their customers for some reason, all of the pay history of the company, instagram creds of the ceo's girlfriend, and takes a dump in their bathroom

3. Try to shush the story

4. It gets exposed by an independent journalist in Kazakhstan who just reads /r/leaks

5. "we recently discovered that a malicious individual got access to a few logs on a random test server. Oops! So far we didn't find proof that it was used. Rest assured that security is our utmost priority. We love security here at ACME corp. Our teams have matching 'security' shirts, and every thursday we pray to Glombo, the security god. As a gesture to our customers we offer everyone a free 2 week trial of our 'security+' package ($15.99/M after trial, don't forget to cancel). Once again, sleep well knowing your data is safe with us!".

6. 6 months later the security gap is half plugged by an intern developing a novel password management system that encrypts passwords in base64

7. Go to 1. because no-one cares

One of these days, some seasoned and principled lawyer, who knows a bit about tech, is going to get ticked off, and decide to make one of these companies truly pay for their gross negligence.

Then, gazing at the obliterated company, other companies will try to get legislation to let them let them off the hook, but some of those companies will decide the party of recklessness is probably over, and that they need to start acting responsibly and competently.

Or even just coordinating the 50 states’ motor vehicle commissions or whatever since they are also verifying identities to issue drivers’ licenses and state identification cards.

Verification could have been done using government data, but Tories have to also make a profit off of everything so they instead chose to give every civil service applicants data away to companies with a track record of data leaks.

I don't recall which it was now, but I had to choose from a bunch of providers (I selected Post Office) when I registered for something Gov related a few years back. I don't remember what now since I haven't used it since, but PO still has the details and provides auth for a government service for me. Insanity.

Even in banking, where the government mandate thorough KYC/ID vetting, no APIs are made available by the government to actually verify a copy of ID is legitimate. So you're left looking at whether it "looks" correct.

For better or worse, of course, but there's an argument to be made that the refusal of the govt to provide "ID verification as a service" is pro-privacy.

It has little to do with "monied interests". It is primarily the product of nigh insurmountable legal and political hurdles.

Having a mandatory Federal ID would require a Constitutional amendment, but since the States have refused to do it voluntarily it seems exceedingly unlikely that a super-majority of States would ratify an amendment that forces them to do it.

Yes I know if this happens it will become of those "technically not mandatory but in practice yes" things.

But that is a ridiculously weak argument, there are tons of ways the Federal Government can mandate the unified ID. For example, it can be tied to the Social Security number. The government can (quite reasonably) argue that it needs to positively identify people to be able to correctly track their SS contributions.

Why this hasn't been done yet? Probably because nobody cares about that. Real ID gets postponed time after time, exactly for the same reason.

A Social Security Number is not an ID expressly as a matter of law, because it can’t be legally. The many loopholes the Federal government tried to use to backdoor a national ID were shutdown by the Supreme Court repeatedly. The US can only have a mandatory national ID system if the individual States, in aggregate, decide to create one. Thus far, they have shown no interest. Real ID is not a unified ID because the Federal government cannot compel it.

As with most persistent problems, the “obvious” solutions are not being ignored because no one has cared or no one has tried but because there are fundamental technical reasons they don’t work.

The same thing Congress does to add a workaround for any law it's constitutionally forbidden to enforce on the States. A "voluntary" program where states that don't agree to the ID law don't get any federal highway funds that year.

This has been extensively tested and the Supreme Court is fine with it, e.g. [0]

Alternatively, enforcement through military means - Congress hasn't authorized the use of force against dissenting states since the 1860s, but the threat is always there.

Or paramilitary means, where an armed federal law enforcement group seizes control of state installations that aren't aligned with aspects of federal law. The DEA and ATF have a blueprint to follow here.

Or financial means, where Congress orders federally-regulated banks not to engage with customers that don't respect its ID policies.

There are other levers to pull, too. It's not that the States don't have any power, but in practice they are allowed the powers that the federal government chooses not to centralise - the opposite of how it works in theory, where the federal government governs only to the extent the States allow.

[0] https://en.wikipedia.org/wiki/National_Minimum_Drinking_Age_...

So, note to self: do not move back to the US from overseas to these states or they won't believe I am American.

I don't believe you're correct. WA accepts all kinds of identification. I can't find anything in the RCWs to mention the exclusivity of WA identification for ANY purposes.

> A Social Security Number is not an ID expressly as a matter of law, because it can’t be legally.

Yet it is an ID (although not a strong one), and it's used for that purpose by the IRS. You can't be legally employed without an SSN (with several narrow exceptions).

Males in the US are also required to register with the Selective Service, which also requires an SSN.

All this has been upheld by the SCOTUS, the government just needed to show that it had a legitimate need for the ID system.

> As with most persistent problems, the “obvious” solutions are not being ignored because no one has cared or no one has tried but because there are fundamental technical reasons they don’t work.

Really? Have you lived in Europe, in countries like Estonia? It somehow managed to do the technically impossible.

If a company needs to implement age verification, they're not going to limit their market to the set of US citizens with passports if the federal government were to offer an ID (passport) verification service. They're going to want state-run ID verification services, or, as in the case here, a private company contracted to do it for all ID types.

Then again, if the federal government (or my state government, even) offered an ID verification service directly, I would be more likely to use a product that offered it as an option, vs. one that only offered some private company's shoddy ID verification service.

But this feels vaguely analogous to the municipal broadband fights. Private ID verification companies would certainly lobby against states or the feds building their own ID verification services.

As a heuristic, when something obvious and simple, like a national ID, has inexplicably never existed across every political administration, it is unlikely to be an oversight. This has been playing out for a very long time, it is unfortunate that most Americans are not familiar with the legal history.

It is similar to why people were surprised the government didn’t even try to enforce lockdowns during COVID anywhere in the US. Freedom of travel was thoroughly adjudicated across many cases by the Supreme Court covering almost every circumstance imaginable. Any prohibitions on freedom of movement are subject to the “strict scrutiny” standard, same as freedom of speech. Any politician attempting to do so would have invited instant wrath and injunctions from the judicial system, and their legal advisors knew it.

> Article 1, § 8, clause 4, of the United States Constitution specifically grants Congress the power to establish a "uniform Rule of Naturalization."

http://hrlibrary.umn.edu/immigrationlaw/chapter2.html

> This passport function, recognized since 1835, is one of the privileges and immunities of American citizens protected by the Fourteenth Amendment.

https://www.yalelawjournal.org/forum/citizenship-passports-a...

Ideally, national (voter) ids should be free and obtainable with minimum effort.

Except they definitely won't be. See: the entire south. Election integrity can be maintained without voter IDs as evidenced by the fact that we have a couple centuries of successful elections without them. The concept exists only as a way to disenfranchise voters.

* checked either at registration time or polling time

There’s zero credible evidence that it is needed and clear evidence that it will be used to disenfranchise voters.

It’s a feel-good “common-sense” issue but that juice ain’t worth the squeeze.

What we do have evidence of is deliberate voter disenfranchisement. Things like limiting where and when voters can register to places that are hard for minorities to reach. Or moving polling locations at the last minute.

You’re attempting to solve a problem that has no evidence of existing with a solution that will definitely benefit proven abusers.

/s

When I said I'd no longer be finishing the application and to please delete my passport info, first they ignored the second part. When I replied again asking them to delete my data they replied about KYC laws and assured me the data was securely stored of course.

At that point I gave up. Maybe they could delete the data if I fought, maybe their hands were tied, maybe me fighting would end up flagging my info as a money laundering risk. But I immediately imagined exactly this leak happening.

They're not the only vendor affected that had my data, nor is this breach the first, but that's the one that stings the most.

Anecdotally I'm being swarmed by text message spam for the first time in months. I have to assume people are running through new breach data to find live numbers.

One of many, many shitty things introduced by the Patriot Act that we now just live with.

Likely the issue is that they just didn't think of this possible case, and there's no way to delete the ID information, and the CS person didn't want to go through the extra work to find someone who could approve it and/or get it done.

> Recordkeeping. Section 326 of the Act requires reasonable procedures for maintaining records of the information used to verify a person's name, address, and other identifying information. The proposed regulation sets forth recordkeeping procedures that must be included in a bank's CIP. Under the proposal, a bank is required to maintain a record of the identifying information provided by the customer. Where a bank relies upon a document to verify identity, the bank must maintain a copy of the document that the bank relied on that clearly evidences the type of document and any identifying information it may contain.6 The bank also must record the methods and result of any additional measures undertaken to verify the identity of the customer. Last, the bank must record the resolution of any discrepancy in the identifying information obtained. The bank must retain all of these records for five years after the date the account is closed.

They didn't complete the application, though, and so were never a customer of the bank. So this shouldn't apply.

Principled lawyer who knows about tech here: This won't happen.

1. It's probably not gross negligence - gross negligence is an extreme departure from ordinary standards of care - the ordinary standard here seems to be to suck at security :)

Legislation could establish a standard of care here and make this kind of thing gross negligence, but that hasn't really happened yet.

It's also not obvious they owe a duty of care to anyone in the first place, without which negligence is impossible (at least regular old negligence) - this also needs legislative fixing unless you want to end up arguing about it forever.

2. Damages are basically all speculative - what is your actual injury here, and how much can you prove the value of it. Lots of people on HN love to say how much X or Y is worth. What can you actually prove in terms of real loss?

It's fun to argue speculative loss (ie the value of your personal information maybe being stolen in the future, etc), but most cases are about real loss.

In practice where it's too hard to calculate we often end up with statutorily set damages. That also hasn't happened here.

Sorry to burst your bubble - without a bunch of legislation here, nothing is going to happen outside of the regular old class action lawsuits and $5 coupons.

how hard it is to find a single company which does it right to testify? and then defense would have to find experts and several other legal counsels from similarly sized companies willing to testify that they also "do it wrong as a norm", with the extremely high risk of being included in the malpratice claim if the defense fails.

At this point, it's pretty safe to just assume that any personal data any company has about you will be leaked sooner or later.

I imagine it is the same for data. The longer it is available, the more likelihood of it getting out of the company.

The federal and state governments hand out these IDs in the first place. Shouldn't they be the ones to verify them?

I think our whole industry is rotten and we need to drastically rethink a lot of what we do. This is unacceptable and it shouldn't be this hard. We need a reckoning.

While litigation seems appealing, the answer here is legislation.

> "Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements...

> 2. Driver's license number or California Identification Card number.

https://en.wikipedia.org/wiki/California_Senate_Bill_1386_(2...

Imagine if, until relatively recently, a social security number was a truncated MD5 hash of your name and birthday. That's the flavor of the problem here.

Perhaps it's making the same mistake as SSNs in that people use public or easily generated information to verify identity in the first place.

Companies are also incentivized to do it to prove their actual active user counts versus bots.

I think that I'm either out-of-touch or far enough outside the bubble to be able to provide an objective viewpoint, but:

Needing to verify government issued ID to create an account for high-in-the-clouds pure "lifestyle" services such as Twitter and TikTok? Fuck me, is this how far we've come? Is this the destination anyone actually wanted to reach?

The services you register at love to ID you. Government pretents it tries to protect minors, but I simply do not believe them. And if so, this certainly would not be the way, on the contrary, they expose them to additional threats.

I don't know about this company specifically, but I know it's common for the government to essentially act as an incubator for tech companies, so the concerns probably weren't unwarranted.

I guess even with the switch, some people probably verified prior so it likely has some impact on X still -- and maybe this is actually what moved the needle internally, since the users were calling it out as a concern for quite some time.

I had no clue uber and tiktok used them though, so that's good to know - thankfully I haven't given them my biometrics as of yet.

Stripe is Headquartered in US / and I believe Ireland - not Israel. Sorry for the confusion.

Slow down. Don’t trust vague statements that don’t cite sources. Look for the nuance in the situation. Be curious and try to learn, don’t just follow the crowd.

Also, it’s fucking weird to me to assume that all Israeli private businesses are unethical. Sure, there’s probably some. Sure, their tax dollars are fungible with the government actions you consider unethical.

But aren’t you penalizing the secular tech entrepreneurs of Israel by divesting from anything related to the country? These are the same demographic that spent every weekend for most of 2023 protesting their own government’s attempt to become more subservient to the Netanyahu coalition.

There are no "secular tech entrepreneurs of Israel", in the same sense that there are no private businesses in China. Every adult citizen is required to do military service for the constitutionally non-secular state, and military/government-backed paramilitary operatives routinely disguise themselves as civilians, including running whole tech businesses as front operations. Any given Israeli technology company might not happen to be a government (and therefore religious) organ at the moment, but it can become one at a moment's notice with no notification and no recourse.

> These are the same demographic that spent every weekend for most of 2023 protesting their own government’s attempt to become more subservient to the Netanyahu coalition.

Plenty of people in North Korea or Iran or Russia protest against their governments too. But we don't, and shouldn't, let that persuade us to keep doing business with people in those countries.

> AU10TIX is a subsidiary of ICTs International, a company established by former members of the Shin Bet and El Al airline security agents.

Ron Atzmon, the founder of AU10TIX, spent his military service with the Shin Bet's notorious unit 8200. Which also produced the infamous Israeli Pegasus spyware used by repressive regimes like Saudi Arabia to spy on citizens.

https://www.mintpressnews.com/identity-verification-or-data-...

No one is entitled to your or my business. A boycott is about voting with your wallet. It's not exactly withholding humanitarian aid as a famine looms.

If such companies feel that they are being unfairly singled out, they're free to demonstrate their opposition to the the actions of their government.

Generally speaking though, the net impact of a boycott may even be negligible when it comes to Israel because of our government's largesse towards Israel's military industrial complex. Whatever little money is witheld by a boycott from a small minority of voters in the West is dwarfed by the many billions in taxpayer money that Western governments commit towards ensuring that the IDF has more F-16s per capita than anywhere else on earth.

The point is to create repercussions for a country, that's going to affect someone, sure, but that's the point. Same as why people don't generally care about random Chinese or Russian companies when people decide to boycott those.

Ethics are relative and have tradeoffs. How many innocent people are you willing to hurt to change the behavior of the IdF / Israel’s Oslo Area C policies / Netanyahu’s government coalition?

If you are too sloppy with the splash damage, how are you any different than the IdF or Hamas? Would you even punish Stripe for Israel’s military/government behavior because you read some unsourced comment on social media?

I would rather target boycotts to the most precise entity, within reason, so the entity knows what they are being punished for and what change in behavior would change the boycott to a non-boycott.

If you don’t set an objective standard, then you will always be subject to your own emotions or a mob mentality.

People’s grandmothers in Russia who can’t get their chemo drugs right now are no different than if your grandma couldn’t get her meds because Bush invaded Iraq.

you misunderstood OP. He meant the previous authenticator for X was autotix which was Israeli and then they switched to Stripe which is NOT.

It may be stored in the us but accessed by people in lcol areas.

Obviously, not everyone who writes code needs a development license (what, I'm going to get licensed to write a blog or put up a site with fruit jokes?"), but if your business is going to involve personally-identifiable information, then you need actual engineering, and the folks that do that engineering need certification. This is a similar mechanism to how engineering licensing even started (in the US anyway), where Wyoming basically got tired of water infrastructure being built by people who didn't know what they were doing.

Licensing could also help provide individual engineers with leverage against managers or C-suite folks who want to move fast & break things. When you're in a professional class with exclusive sign-off capabilities, it's easier to be say "we have to do this right or it's my ass, back off" and should the company says "fine, you're fired", goes ahead with managing the PII, and a leak like this happens, the company's liability goes way way up. That situation overall tends to improve the leverage that skilled workers (like those who know how about database management for PII and endpoint configuration) have to do things right. There's a number of pitfalls that can happen with licensing as well, but I'd be curious to see if a push for something like this emerges over the next few years.

That's actually a very likely outcome. The startling statistic is that roughly half of professions require occupational licensing. In some places, you need licensing to become a florist. In several states, being an interior designer or a gas pump attendant requires a permit. Software engineering is an absolute outlier as far as highly-paid jobs go.

I don't think this is right, but that's the world we're living in and we should stop fooling ourselves. There's a lot of SWEs who are talking about wanting some helpful, laser-focused regulation. Well, it's coming wholesale, and a fruit joke website is not going to be exempt.

Definitely not a stretch for other (“important”) areas to start receiving such attention in the future.

Freaking nightmare with this licensing crap. But if you'll let me run a licensing company and make mine the compulsory one that everyone has to use I'm good for it.

I'll call it Certified Software Engineer LLC.

When it comes to handling private data like medical records, driver's licences, etc. -- yeah, I'd be in favour that companies over a certain threshold have to hire licensed coders for these tasks. It may be a loss of freedom for a few specific coders, but it'd be a benefit to everyone else's privacy.

And no license will give you leverage towards the c-suite.

Understandably not everyone who needs to verify your identity is going to implement MitID, I can understand X not wanting to do that for the limited amount of users they have in Denmark. It's simply not worth the cost. What I don't get is why more countries doesn't have this. The US sure seem like it would benefit greatly from having a standardized, safe and secure online ID (MitID may or may not be as secure as it could be).

That's why social security numbers are abused as a form of national ID number. The closest thing we have is the "Real ID" standard for state IDs/driver's licenses (well, ignoring passports). [1]

So right now government solutions are done individually by states (if at all), usually as some form of "wallet" / "mDL" (mobile driver's license) phone app.

All the state ID databases are supposed to be able to talk to each other, eventually, so maybe some day a big state's system will allow verifying IDs from other states but there might be political issues that block that.

I guess the other option is that a big state's system (like say California's OpenCred[2]) gets popular enough for all the other states to implement it. But I'm not hopeful.

[1] https://en.wikipedia.org/wiki/Real_ID_Act

[2] https://www.dmv.ca.gov/portal/ca-dmv-wallet/opencred-for-dev...

All I really want is to obtain a link by posting a key and some identifier, redirect the user there, have them log in, redirect them back and send my webhook a code that represents that user on my website.

A registered business would be able to (for example) request/buy age restriction.

Ideally non EU citizen could also obtain a digital ID.

That way I can stay blissfully ignorant about who you are and where you live. All I want is a single account per user (in stead of 100 000 and/or captchas)

This is unacceptable. If you want my ID, you'd better disclose who you're sharing my ID with. And ideally give me a choice of providers.

This sounds good I guess but would be pretty annoying in practice for basically no upside for the business. I could see having 2 providers that are both randomly used so that we can continue business when one has an outage. But even then I would not be showing the option to my customers. The vast majority of users would be more confused by the options than happy about having options, and likely hurt conversion.

Why would, say, offering both "Verify ID with CLEAR" and "Verify ID with ID.me" create confusion then? Lots of people already use CLEAR at stadiums and airports.

And a lot of people - particularly students and veterans - already use ID.me to verify their ID (so far, largely for the purpose of eligibility for relevant student/veteran pricing, but it could be used to verify their ID in general).

How is this possible, when the journalist accessed the data to confirm it contained PII?

Each day I am more and more interpreting "we see no evidence" as "we didn't really look." That way their statement can be technically correct, without divulging any evidence that might be used against them when users sue for damages.

They see no evidence of it because there were no log entries telling them so.

Why there weren't, on the other hand, is a question far outside the scope of such statements.

Any service that claims otherwise is lying or will get sued to oblivion very quickly.

They have your data anyway, it's much harder to impersonate somebody this way, it doesn't require the verifying company to hire any workers to do the verification, you could even do it without the site you're verifying yourself at learning anything about you.

Both banks and carriers somehow manage to at the same time make identity verification incredibly painful and obscure, without actually protecting me against identity theft.

It also seems like it would make it even harder to switch banks and phone providers than it already is.

I've been seeing more and more carrier based verification, but it's hidden in the disguise of 2 factor auth.

Cash App and Capital One are two examples I can give concretely that do this, as I've been locked out of my account a few times until I can get my husband to read me back the 2fa code (cell carrier has a pre-marriage last name for me and refuses to update it).

I imagine this also works with other vendors. All you need is 1 company with a weak process.

I've spent ~20 years working in and around finance, on the trading side. If your lawyers aren't paranoid about KYC, that's a major red flag.

Do you mean you expect me to give my banking site/app credentials to X?

PayPal used two small (less than $1) transactions and the verification that I own the bank account was verified by correctly identifying the two transaction values.

Plaid, I believe, uses 3rd party auth with some banking institutions that support it, to pull read-only data from my bank account on my behalf.

South Korea and Estonia use government-issued digital certificates that private institutions can use.

There are lots of ways to deal with high assurance authentication, but very few are popular in the US.

No no. Over here (Poland), the way this works is that you get a big list of banks, you click on one, get redirected to their site, log in there, complete any 2FA they need you to complete, are given the typical oAuth "this application wants to access this sort of data" consent screen, and then are redirected back if you consent.

This is mostly used for fast online bank transfers, which we often use for online payments instead of credit cards, but there's also a system to use this for ID verification.

Banks in the US depend on government-issued ID and information contracted from credit bureaus (3 big companies that are effectively data brokers about consumer lending behavior). We have federated identity, but in a weird, ineffective way.

Every once in a while, someone bold makes a political proposal to make our authentication / identity proof systems simpler, but then people realize the privacy implications (and religious fundamentalists point to the “mark of the beast” part of the Bible) and then the proposal doesn’t go anywhere.

Carriers in the US don't all require ID, so they're not particularly useful for identity verification.

In Finland it is common for many online shops to handle payment, and authentication, using a banking account.

You never hand over your actual banking credentials, instead it is something akin to OAUTH2 - so you're at a merchant site and you'll see "Pay with Online BanK" with logos to click for whichever bank you have an account with. Exactly the same as "Login with Google/Github/Facebook/etc".

I changed my name last year, and due to other integrated services many companies automatically updated their records when the change became legal. These kind of integrations seem common and thus far "secure".

Based on my experience with (non-PayPal) financial institutions in the past year, this is going away. For now, it appears you can still force them to fall back to this when providing your login credentials does not work, but who knows how much longer.

if you don't know id.me, it's the new gatekeeper to your ID for any interaction with the USA govt in the near future. If you still don't have one, you are just not poor enough. But the time will come. enjoy.

The fact that these sites are now forcing users to submit to these identity disclosures simply because of some potentially fabricated rationale is really concerning.

All of that with the nonchalant attitude of these data service providers, I'm deeply concerned.

Leaked account holder info: name & address, email, phone, unencrypted SSN/TIN, DOB, fintech platform

Leaked account info: status, type, balance, last activity, opened date, account number, daily limits

_Papers, Please_ by Lucas Pope. _Engage and Evade_ by Asad L. Asad.

For example for AirBnB (well, granted some "conciergerie" service belonging to AirBnB, in France: but even if it's top-end it's still AirBnB) they wanted me to record a video of me of 20 seconds.

They're not the only ones to do that: I've seen other sites asking these vids.

The more regulated stuff, like brokers, banks, etc. shall ask what's legally required: proof of address (a utility bill), scan of the driving license, etc. but nothing more (at least in my experience).

But the non-regulated players: they invent stuff. They make up shit, apparently on the spot.

At some point they'll ask a blood and urine sample to "verify my identity".

Which would be okay'ish, I guess, if they weren't so incompetent as to invariably leak those data when a hacker shows them who can code.

I take it the KYC/AML will have to be modified to prevent anything more than what is legally required from being collected.

The US Federal Constitution, back in 1787, immediately authorized a government-run postal service. If a similar scenario was echoed today, I think it would/should contain a government-run identity service.

Governments already have a compelling interest to identify people for the purposes of the legal system, property ownership, etc. With all that happening anyway, might as well have an API that allows for attestation and Single-Sign-On.

___

P.S.: Not having it isn't really an option, since it's a void that will still get filled, just differently... Either with a hodgepodge of half-broken systems, or an abusive private monopoly, and no accountability or good appeals process.

Hell, they didn't even white-label it behind a .gov domain and UI, which means they're training taxpayers to fall for phishing scams by disclosing their most sensitive data to any dang company with a spiffy web page and plausible-sounding domain name and a "Trusted By The IRS!" image sticker.

It's not that a national identity service is a bad idea, it's a good idea and the US should have it, like it should have nationalized healthcare, education, UBI and gun control that's actually effective. It's that the United States government specifically can't be trusted to implement it at any level and in any way that won't lead to undesirables in mass graves. We just can't have nice things here.

> They're not the only ones to do that: I've seen other sites asking these vids.

So basically they're trying to do a "liveness" check, probably under the assumption that videos are too hard to fake (and hopefully they compare the ID documents against the video). Honestly, that seems legitimate to me. With data leaks and generative AI, it's going to be increasingly hard to do the kind of identity verification tasks online that we take for granted.

I predict there will soon be a huge necessity and demand for in-person notaries to verify identities for online services. Want to open a bank account online and there's no branch nearby? Go to some ID verification business with a ticket number from the sign up workflow, they check your documents, and then they tell the bank if you checked out or not.

I worked for a company that required these videos in one of the markets they served. Some countries have decent digital ID solutions already in place, but in many it's just a picture of a driving license or such that is so easily faked/stolen. Kind of a shame how in many countries officially identifying yourself online is not implemented/implemented badly enough that no-one uses it, so instead we have this poor uploading pictures of private documents and videos of yourself fallback.

Not sure how rigid it is through. Probably just a glace at a driver's license / id card?

Anyhow, a good extra revenue stream for classic postal services.

They have been regulated for a reason. Without regulation they will also do all kind of stuff. (They still do a lot of really harmful stuff, but not as much as they could otherwise)

I was buying an iPhone from a cell carrier for their bundled cell plan deal. They used Stripe for payment processing. Stripe asked me to upload my driver license/passport and took a video of my face so their “AI” could verify my identity. I’ve been a customer with the carrier for years so my profile and credit card info were with them already.

The data collection was unbelievably intrusive. Really, I could just walk down to an Apple store to get the phone and went with another cell carrier. I did exactly that. Stopped the transaction and took my business elsewhere.

At least where I live, governments don't really let a third party validate the info on a passport or even on a driver licence outside of a few regulated entities like banks - so they aren't doing anything useful with these photos, except storing them for the inevitable leak.

i genuinely struggle to recall an active effort to continuously train, test, and improve security that had any impact across any company i've worked at. it's super costly work that feels like a pure expense to folks who don't know any better.

i recall substantially longer discussions - at the company i worked at that handled people's banking credentials and is part of one of the largest financial institutions in the world - about how we could spin "the disks that your secure data is stored on are encrypted at the OS level" to sound as secure as possible without lying. far, far fewer meaningful discussions were had about how to audit for real security issues or train folks to write more secure code or build more secure systems.

i know that anecdotes aren't evidence but i've really met very few folks in my time in engineering who had experiences different from mine.

They all spy on each other's citizens. When it's not possible to do it directly, they will use covert means a la NSA slurping up data via transit lines, etc.

It being an Israeli startup makes your data no less safe from spying eyes than doing business with a UK startup or any other allied nation.

Everyone spies on everyone. Does Israel have a law like China's which mandates coöperation? It was my understanding they have a forcefully independent judiciary.

...yes?

From the content of your comment, it seems you're not not up to date on the development of Israel's internal government structure and balance of separation of powers, which has changed a lot over the last five years. But from the tone of your comment, it also sounds like you're going for a snarky dismissal rather than a good faith discussion, so I'm not sure talking about this further is going to do much good.

That's actually not the whole story, but regardless, judging by the tone of your responses here and your recent comment history, I don't think any discussion here on this topic is going to be fruitful.

I mostly read that as Paul calling for the head of tyrants, which is a positive thing for any country. If you read that as "dissolution of Israel", are you presuming Israel won't survive without its tyrants?