return to table of content

ID verification service for TikTok, Uber, X exposed driver licenses

neilv
59 replies
22h44m

Of course they leaked the data. Any seasoned techie could've seen that coming from the start.

One of these days, some seasoned and principled lawyer, who knows a bit about tech, is going to get ticked off, and decide to make one of these companies truly pay for their gross negligence.

Then, gazing at the obliterated company, other companies will try to get legislation to let them let them off the hook, but some of those companies will decide the party of recklessness is probably over, and that they need to start acting responsibly and competently.

throwaway48476
42 replies
21h50m

The problem is there are zero consequences for leaks. Customers should be owed automatic compensation for the companies giving their data away.

lotsofpulp
38 replies
21h46m

That is needlessly complicated. The problem is the US federal government does not provide identity verification API as an infrastructure service. And they easily could using the USPS’s physical locations and their workflow in processing US passport applications, which already involves identity verification.

Or even just coordinating the 50 states’ motor vehicle commissions or whatever since they are also verifying identities to issue drivers’ licenses and state identification cards.

throwaway48476
31 replies
21h36m

There are monied interests that do not want a tight American ID system.

jandrewrogers
25 replies
19h23m

It is more that the Federal government is Constitutionally prohibited from mandating such a thing, the most they can do is ask nicely and hope for compliance. Coordinating the several dozen States, which can do it, is like herding cats. This is further complicated because there are large factions of both Democrats and Republicans that are against it for a litany of unrelated reasons, so the resistance to it is robust and bipartisan.

It has little to do with "monied interests". It is primarily the product of nigh insurmountable legal and political hurdles.

cyberax
22 replies
16h29m

Where does it say in the Constitution that the Fed can't operate a unified ID system?

jandrewrogers
17 replies
16h1m

The Federal government can build one but they can’t require it or make people use it, and an ID you can opt out of is useless. Only the States have that authority. This is settled law with a lot of precedent, and largely the reason the US has no national ID system no matter which politician runs the country. Courts have consistently held this to be outside the narrow Constitutional authority of the Federal government.

Having a mandatory Federal ID would require a Constitutional amendment, but since the States have refused to do it voluntarily it seems exceedingly unlikely that a super-majority of States would ratify an amendment that forces them to do it.

cyberax
4 replies
12h30m

I don't believe that this is actually unconstitutional. The whole argument about the Fed not being able to set up a Federal ID hinges on the Tenth Amendment, saying that it's not a specifically delegated power.

But that is a ridiculously weak argument, there are tons of ways the Federal Government can mandate the unified ID. For example, it can be tied to the Social Security number. The government can (quite reasonably) argue that it needs to positively identify people to be able to correctly track their SS contributions.

Why this hasn't been done yet? Probably because nobody cares about that. Real ID gets postponed time after time, exactly for the same reason.

jandrewrogers
3 replies
11h32m

What you believe isn’t backed up by the long history of a national ID in the US. Your legal theory would have to explain, for example, why some States today (e.g. Washington) do not recognize or accept any Federal IDs, like passports, only State IDs. This is strictly in line with the Constitution, it is entirely permissible for States to reject Federal IDs for all legal purposes. What would compel a State to recognize any new Federal ID in the future if they already have the power to disregard Federal IDs in theory and practice?

A Social Security Number is not an ID expressly as a matter of law, because it can’t be legally. The many loopholes the Federal government tried to use to backdoor a national ID were shutdown by the Supreme Court repeatedly. The US can only have a mandatory national ID system if the individual States, in aggregate, decide to create one. Thus far, they have shown no interest. Real ID is not a unified ID because the Federal government cannot compel it.

As with most persistent problems, the “obvious” solutions are not being ignored because no one has cared or no one has tried but because there are fundamental technical reasons they don’t work.

withinboredom
0 replies
5h1m

why some States today (e.g. Washington) do not recognize or accept any Federal IDs, like passports, only State IDs.

So, note to self: do not move back to the US from overseas to these states or they won't believe I am American.

dmurray
0 replies
6h34m

What would compel a State to recognize any new Federal ID in the future if they already have the power to disregard Federal IDs in theory and practice?

The same thing Congress does to add a workaround for any law it's constitutionally forbidden to enforce on the States. A "voluntary" program where states that don't agree to the ID law don't get any federal highway funds that year.

This has been extensively tested and the Supreme Court is fine with it, e.g. [0]

Alternatively, enforcement through military means - Congress hasn't authorized the use of force against dissenting states since the 1860s, but the threat is always there.

Or paramilitary means, where an armed federal law enforcement group seizes control of state installations that aren't aligned with aspects of federal law. The DEA and ATF have a blueprint to follow here.

Or financial means, where Congress orders federally-regulated banks not to engage with customers that don't respect its ID policies.

There are other levers to pull, too. It's not that the States don't have any power, but in practice they are allowed the powers that the federal government chooses not to centralise - the opposite of how it works in theory, where the federal government governs only to the extent the States allow.

[0] https://en.wikipedia.org/wiki/National_Minimum_Drinking_Age_...

HWR_14
0 replies
4h3m

I don't believe any state does not accept a US passport as ID, and would need to see a source on that. A quick google returns no results.

sneak
2 replies
12h42m

Perhaps you didn’t hear about “Real ID”. You need it to fly, and it involves data sharing/matching with the federal government. They did a back door federal ID system by simply integrating with all of the state ID systems.

jandrewrogers
1 replies
12h14m

The Federal integration is optional, it cannot be compelled, and many States have opted to not implement it. The only thing the Real ID does is compel uniform standards for how States implement ID, it does not compel them to share their databases.

sneak
0 replies
7h48m

All 50 states, DC, and 5 territories are all issuing Real ID-compliant IDs. It’s also required by TSA to fly from 7th May of next year.

bcrosby95
2 replies
15h12m

Everything you say is true of state IDs too. They are not mandated. They are useful because some people choose to have them. Some people would also choose to have a federal id.

kelnos
0 replies
11h34m

Sure, but in the US, many many many more people have a state-issued ID than a federal one (a passport).

If a company needs to implement age verification, they're not going to limit their market to the set of US citizens with passports if the federal government were to offer an ID (passport) verification service. They're going to want state-run ID verification services, or, as in the case here, a private company contracted to do it for all ID types.

Then again, if the federal government (or my state government, even) offered an ID verification service directly, I would be more likely to use a product that offered it as an option, vs. one that only offered some private company's shoddy ID verification service.

But this feels vaguely analogous to the municipal broadband fights. Private ID verification companies would certainly lobby against states or the feds building their own ID verification services.

explaininjs
0 replies
12h46m

Indeed. We call them “passport holders”.

pbhjpbhj
1 replies
11h17m

You didn't answer the question.

Perhaps you could cite the main precedents and/or quote the US constitution?

blendergeek
0 replies
5h0m

The tenth amendment would be a good place to start. As others have out throughout this thread, the Constitution has a whitelist of powers allowed to the federal government. All other powers are outside it's purview.

alpinisme
1 replies
15h53m

Are there any example rulings that you can share to illustrate this how courts have “consistently held” this?

jandrewrogers
0 replies
15h22m

Not off-hand but it goes back to at least the early 20th century. There have been many attempts at a national ID system via technical loopholes but the courts have not looked kindly on them. It is the reason a Social Security Number is explicitly not to be used as an ID in law, so as to maintain its legality. It is the reason that every part of the Real ID Act that involves the Feds aggregating a centralized ID database from the States is strictly optional (and many States have opted to opt out of that). The Supreme Court has already ruled that Federal regulatory and taxation power cannot be used to induce States to comply, as that would be an end-run around Constitutional limits on Federal authority. Whether I like it or not doesn’t matter, I recognize that this is the reality.

As a heuristic, when something obvious and simple, like a national ID, has inexplicably never existed across every political administration, it is unlikely to be an oversight. This has been playing out for a very long time, it is unfortunate that most Americans are not familiar with the legal history.

It is similar to why people were surprised the government didn’t even try to enforce lockdowns during COVID anywhere in the US. Freedom of travel was thoroughly adjudicated across many cases by the Supreme Court covering almost every circumstance imaginable. Any prohibitions on freedom of movement are subject to the “strict scrutiny” standard, same as freedom of speech. Any politician attempting to do so would have invited instant wrath and injunctions from the judicial system, and their legal advisors knew it.

lotsofpulp
0 replies
15h53m

It doesn’t have to be mandatory. Just offering it means businesses will use it to offload liability, and only accept customers that sign up for it.

grotorea
0 replies
3h43m

Is a legally mandatory ID is required to solve this problem? The Federal government could create a voluntary one and/or coordinate the state IDs system into a modern digital ID system, then Uber and banks could use that instead of letting an SSN number or photo of ID being enough to commit identify fraud. If someone don't want to use the system, that's between the client and Uber.

Yes I know if this happens it will become of those "technically not mandatory but in practice yes" things.

philipov
2 replies
6h22m

The constitution doesn't say what the federal government is disallowed from doing. The constitution says what the federal government is allowed to do, and they are not allowed to do anything it doesn't say.

withinboredom
1 replies
5h4m

If this is the case, how are they allowed to issue passports?

philipov
0 replies
4h38m

Good question! I think the short answer is because the Supreme Court has interpreted the constitution as having granted that power. It is not an open-and-shut case, however, and stems from the constitution's grant of power for Congress to control the Rule of Naturalization, and from the 14th amendment. A conservative reading of the constitution, however, might imply that Congress does not have the power to bar entry to foreign nationals.

Article 1, § 8, clause 4, of the United States Constitution specifically grants Congress the power to establish a "uniform Rule of Naturalization."

http://hrlibrary.umn.edu/immigrationlaw/chapter2.html

This passport function, recognized since 1835, is one of the privileges and immunities of American citizens protected by the Fourteenth Amendment.

https://www.yalelawjournal.org/forum/citizenship-passports-a...

HWR_14
0 replies
4h7m

They can operate a national ID system. For instance SSNs and passports. They can also force states to do things (like RealID).

mschuster91
0 replies
11h21m

Coordinating the several dozen States, which can do it, is like herding cats.

... or a matter of finding the correct leverage. Drinking age 21, for example, got bullied through by threatening to cut highway budgets [1].

[1] https://en.wikipedia.org/wiki/National_Minimum_Drinking_Age_...

kelnos
0 replies
11h36m

I don't think you need to really coordinate all the states. Each state can provide their own ID verification system. Yes, it's a pain that every product wanting to use it will have to do 50 different integrations rather than one, but ultimately things will converge to a more or less standardized API (or a few of them).

Of course it's dumb that taxpayers will have to pay for 50 of these things through their state taxes instead of one of them through their federal taxes.

Then again, what's most likely to happen is that the states will outsource it to a private company like this one, and we're no better off.

MiguelX413
3 replies
21h31m

What are they?

kevin_thibedeau
2 replies
21h25m

Agriculture and food processors want their undocumented workers.

simondotau
1 replies
20h51m

The transition to documented humanoid robots might take less than a decade.

SoftTalker
0 replies
15h21m

Only if they are cheaper than a human. Which seems unlikely, for this kind of work.

KoftaBob
0 replies
6h12m

What are these monied interests, and what incentive do they have to prevent a "tight American ID system"?

csthrowathrow
2 replies
11h22m

A friend applied for a job in the UK civil service - you were required to verify your identity by giving data to a third party, for profit company (and paying for the privilege). All of the companies had recently had significant data breaches. One of them - right there on the government provided guidance - lied about the company (Post Office) to imply a historied bastion of trust. It was blatant.

Verification could have been done using government data, but Tories have to also make a profit off of everything so they instead chose to give every civil service applicants data away to companies with a track record of data leaks.

m11a
0 replies
54m

I do honestly think the real reason for this outsourcing is because the Passport Office and DVLA don't provide their databases for identity verification purposes, even to other government agencies, aside from say the security services and police.

Even in banking, where the government mandate thorough KYC/ID vetting, no APIs are made available by the government to actually verify a copy of ID is legitimate. So you're left looking at whether it "looks" correct.

For better or worse, of course, but there's an argument to be made that the refusal of the govt to provide "ID verification as a service" is pro-privacy.

alias_neo
0 replies
4h37m

Exactly this. Even non-civil servants are required to sign up with one of these services for certain government ID accounts.

I don't recall which it was now, but I had to choose from a bunch of providers (I selected Post Office) when I registered for something Gov related a few years back. I don't remember what now since I haven't used it since, but PO still has the details and provides auth for a government service for me. Insanity.

lttlrck
1 replies
14h11m

Why co-opt USPS and not ID.me ?

lotsofpulp
0 replies
13h32m

Because the US government already owns the USPS. And you need physical offices and employees everywhere to verify people in person.

mindslight
0 replies
12h46m

And one of the major causes of that problem is that there is no US equivalent to the GDPR, even as the current ID systems are being abused quite thoroughly. Until we have something like the GDPR to prevent companies needlessly demanding personal information, simply making ID verification easier would mean even more places asking for identifying information, using it to build even more surveillance databases, and eventually leaking it all. For starters, imagine that every website currently using SMS login nags as an excuse for collecting phone numbers would switch over to requiring full legal names, inescapable ID verification, and then hard linking their collection of dossiers with the rest of the surveillance industry.

swatcoder
0 replies
21h45m

Are you suggesting that bulk-buying a year of Experian credit report access for the few people who haven't already won a subscription from some other leak isn't a consequence? Or that being able to see your own credit report isn't compensation enough? Heresy!

/s

ignoramous
0 replies
20h50m

zero consequences

Zero fucks given: "None of those companies responded to multiple requests for comment from 404 Media."

AdamN
0 replies
6h51m

There should be nothing to leak. The record of verification should be a signature saying what was verified and how and when and nothing about the underlying documents/images/data off of which the verification was based.

gotodengo
6 replies
21h26m

For various reasons I started to open a bank account with Mercury, before deciding to use another provider.

When I said I'd no longer be finishing the application and to please delete my passport info, first they ignored the second part. When I replied again asking them to delete my data they replied about KYC laws and assured me the data was securely stored of course.

At that point I gave up. Maybe they could delete the data if I fought, maybe their hands were tied, maybe me fighting would end up flagging my info as a money laundering risk. But I immediately imagined exactly this leak happening.

They're not the only vendor affected that had my data, nor is this breach the first, but that's the one that stings the most.

Anecdotally I'm being swarmed by text message spam for the first time in months. I have to assume people are running through new breach data to find live numbers.

input_sh
4 replies
13h42m

Yes, their hands are tied. KYC requires the banks to keep the data for five years after account termination.

One of many, many shitty things introduced by the Patriot Act that we now just live with.

TeMPOraL
2 replies
13h32m

I understood GP to have started but not finished the process of opening account. Does KYC still require banks to keep the data in this case?

input_sh
1 replies
10h2m

IANAL, so I'm not gonna attempt to interpret it, but here's how it's phrased:

Recordkeeping. Section 326 of the Act requires reasonable procedures for maintaining records of the information used to verify a person's name, address, and other identifying information. The proposed regulation sets forth recordkeeping procedures that must be included in a bank's CIP. Under the proposal, a bank is required to maintain a record of the identifying information provided by the customer. Where a bank relies upon a document to verify identity, the bank must maintain a copy of the document that the bank relied on that clearly evidences the type of document and any identifying information it may contain.6 The bank also must record the methods and result of any additional measures undertaken to verify the identity of the customer. Last, the bank must record the resolution of any discrepancy in the identifying information obtained. The bank must retain all of these records for five years after the date the account is closed.
kelnos
0 replies
8h1m

a bank is required to maintain a record of the identifying information provided by the customer.

They didn't complete the application, though, and so were never a customer of the bank. So this shouldn't apply.

kelnos
0 replies
8h2m

GP was never their customer, though. They started filling out the application to open an account, got past the ID verification step, and then decided not to complete the new account process.

Likely the issue is that they just didn't think of this possible case, and there's no way to delete the ID information, and the CS person didn't want to go through the extra work to find someone who could approve it and/or get it done.

pylua
0 replies
16h47m

They are probably outsourcing to a vendor who will do god knows what with it

ryandrake
2 replies
22h11m

Problem is, "Evil Hackers" always get the blame rather than the negligent companies, who play the victims. They trot out all the usual flawed analogies about locked doors and burglars, to excuse their negligence, and it works! So, the only legislation we ever see is to be Tougher And Tougher On Hackers instead of holding these clown companies responsible for the data they act as custodians of.

singleshot_
0 replies
21h33m

For negligence to arise there must be, inter Alia, duty and proximate harm. I think you’ll find the identity services have a duty to their contractual partner, the website, but not to the victim whose identity was stolen. And there’s a circuit split as to whether any of these people were even harmed.

While litigation seems appealing, the answer here is legislation.

arp242
0 replies
16h54m

Sometimes there's probably negligence involved; sometimes not. You don't know without having access to the specifics. Always blaming "negligent companies" is just as wrong as always blaming "evil hackers".

JohnFen
1 replies
21h27m

Any seasoned techie could've seen that coming from the start.

At this point, it's pretty safe to just assume that any personal data any company has about you will be leaked sooner or later.

withinboredom
0 replies
4h54m

I mean, if you live forever and cannot die by any means, your odds of getting stuck somewhere approaches 100% (fall in a pit, landslide, fall overboard on a boat, stuck in the sun, lost in space, etc).

I imagine it is the same for data. The longer it is available, the more likelihood of it getting out of the company.

hot_gril
0 replies
17h0m

It's kinda impossible to give out DL, SSN, etc to so many companies and not have it leak. If these theoretical lawsuits scared companies enough, they might pay some centralized third party to handle the verification for them, but bad things follow from that.

The federal and state governments hand out these IDs in the first place. Shouldn't they be the ones to verify them?

fullspectrumdev
0 replies
5h1m

Honestly, I hope Ron Wyden (I think his name is, US politician) takes this up - he has previously done excellent work calling companies to be accountable for such invasive and insecure practices

DannyBee
0 replies
20h3m

"One of these days, some seasoned and principled lawyer, who knows a bit about tech, is going to get ticked off, and decide to make one of these companies truly pay for their gross negligence."

Principled lawyer who knows about tech here: This won't happen.

1. It's probably not gross negligence - gross negligence is an extreme departure from ordinary standards of care - the ordinary standard here seems to be to suck at security :)

Legislation could establish a standard of care here and make this kind of thing gross negligence, but that hasn't really happened yet.

It's also not obvious they owe a duty of care to anyone in the first place, without which negligence is impossible (at least regular old negligence) - this also needs legislative fixing unless you want to end up arguing about it forever.

2. Damages are basically all speculative - what is your actual injury here, and how much can you prove the value of it. Lots of people on HN love to say how much X or Y is worth. What can you actually prove in terms of real loss?

It's fun to argue speculative loss (ie the value of your personal information maybe being stolen in the future, etc), but most cases are about real loss.

In practice where it's too hard to calculate we often end up with statutorily set damages. That also hasn't happened here.

Sorry to burst your bubble - without a bunch of legislation here, nothing is going to happen outside of the regular old class action lawsuits and $5 coupons.

2OEH8eoCRo0
0 replies
21h30m

make one of these companies truly pay for their gross negligence.

I think our whole industry is rotten and we need to drastically rethink a lot of what we do. This is unacceptable and it shouldn't be this hard. We need a reckoning.

ryandrake
19 replies
1d

It's gotten to the point where if a company requires you to upload something to verify your identity, you should treat it as if that something is being posted visibly to the public internet, and decide based on that whether it is worth providing. Companies repeatedly demonstrate their inability to secure personal data that they obtain and store, while always issuing press releases about how "we take security very seriously."

TacticalCoder
11 replies
22h25m

And the real scary stuff is that they demand more than the law requires. They're not just doing the minimal KYC/AML stuff (which is already a huge endeavor btw): they're going out of their way to get as much infos as they can.

For example for AirBnB (well, granted some "conciergerie" service belonging to AirBnB, in France: but even if it's top-end it's still AirBnB) they wanted me to record a video of me of 20 seconds.

They're not the only ones to do that: I've seen other sites asking these vids.

The more regulated stuff, like brokers, banks, etc. shall ask what's legally required: proof of address (a utility bill), scan of the driving license, etc. but nothing more (at least in my experience).

But the non-regulated players: they invent stuff. They make up shit, apparently on the spot.

At some point they'll ask a blood and urine sample to "verify my identity".

Which would be okay'ish, I guess, if they weren't so incompetent as to invariably leak those data when a hacker shows them who can code.

I take it the KYC/AML will have to be modified to prevent anything more than what is legally required from being collected.

Terr_
5 replies
21h32m

I dimly recall some sci-fi quantum-technobabble book where a character is reminiscing that a collapsed government's most important duties were (A) identity and (B) official timekeeping.

The US Federal Constitution, back in 1787, immediately authorized a government-run postal service. If a similar scenario was echoed today, I think it would/should contain a government-run identity service.

Governments already have a compelling interest to identify people for the purposes of the legal system, property ownership, etc. With all that happening anyway, might as well have an API that allows for attestation and Single-Sign-On.

___

P.S.: Not having it isn't really an option, since it's a void that will still get filled, just differently... Either with a hodgepodge of half-broken systems, or an abusive private monopoly, and no accountability or good appeals process.

space_fountain
2 replies
20h31m

Obama briefly pitched the idea of this. A lot of people worried that the government providing services with the ability to verify identities would kill anomenlty online and it died.

pphysch
1 replies
20h9m

And yet anonymity/privacy is already dead for the average consumer, and we don't get to benefit from a public, reputable SSO service...

Terr_
0 replies
45m

For example, the IRS's free online filing thingy this year involves a third-party private company doing the ID checking and proprietary facial recognition database shit.

Hell, they didn't even white-label it behind a .gov domain and UI, which means they're training taxpayers to fall for phishing scams by disclosing their most sensitive data to any dang company with a spiffy web page and plausible-sounding domain name and a "Trusted By The IRS!" image sticker.

akira2501
1 replies
20h30m

a government-run identity service.

Sponsored and standardized, maybe, /run/ definitely not.

These entities love creating things like "No Fly Lists" I can only imagine what their greedy little hands would do with the authority to strip one of the ability prove their identity.

krapp
0 replies
20h11m

I wanted to step in and make fun of the Mark of the Beast people and paranoid gun owners who always freak out about things like this but then I considered what half the country would do if they had control over the immutable legal identities of gay and transgendered people, and I realize they might actually have a point.

It's not that a national identity service is a bad idea, it's a good idea and the US should have it, like it should have nationalized healthcare, education, UBI and gun control that's actually effective. It's that the United States government specifically can't be trusted to implement it at any level and in any way that won't lead to undesirables in mass graves. We just can't have nice things here.

tivert
2 replies
22h13m

For example for AirBnB (well, granted some "conciergerie" service belonging to AirBnB, in France: but even if it's top-end it's still AirBnB) they wanted me to record a video of me of 20 seconds.

They're not the only ones to do that: I've seen other sites asking these vids.

So basically they're trying to do a "liveness" check, probably under the assumption that videos are too hard to fake (and hopefully they compare the ID documents against the video). Honestly, that seems legitimate to me. With data leaks and generative AI, it's going to be increasingly hard to do the kind of identity verification tasks online that we take for granted.

I predict there will soon be a huge necessity and demand for in-person notaries to verify identities for online services. Want to open a bank account online and there's no branch nearby? Go to some ID verification business with a ticket number from the sign up workflow, they check your documents, and then they tell the bank if you checked out or not.

jamesrr39
0 replies
20h20m

So basically they're trying to do a "liveness" check, probably under the assumption that videos are too hard to fake (and hopefully they compare the ID documents against the video). Honestly, that seems legitimate to me. With data leaks and generative AI, it's going to be increasingly hard to do the kind of identity verification tasks online that we take for granted.

I worked for a company that required these videos in one of the markets they served. Some countries have decent digital ID solutions already in place, but in many it's just a picture of a driving license or such that is so easily faked/stolen. Kind of a shame how in many countries officially identifying yourself online is not implemented/implemented badly enough that no-one uses it, so instead we have this poor uploading pictures of private documents and videos of yourself fallback.

bbarnett
0 replies
20h24m

Canada Post has a service like this. They already need to do identity verification for some types of packages (certified/registered mail with mandatory Post Office pick up), so it's a natural extension.

Not sure how rigid it is through. Probably just a glace at a driver's license / id card?

Anyhow, a good extra revenue stream for classic postal services.

cute_boi
0 replies
19h17m

Even facebook is telling to upload video. What a dystopia ....

Frieren
0 replies
22h11m

The more regulated stuff,

They have been regulated for a reason. Without regulation they will also do all kind of stuff. (They still do a lot of really harmful stuff, but not as much as they could otherwise)

ww520
3 replies
21h28m

The amount of data collected is truly getting out of hand.

I was buying an iPhone from a cell carrier for their bundled cell plan deal. They used Stripe for payment processing. Stripe asked me to upload my driver license/passport and took a video of my face so their “AI” could verify my identity. I’ve been a customer with the carrier for years so my profile and credit card info were with them already.

The data collection was unbelievably intrusive. Really, I could just walk down to an Apple store to get the phone and went with another cell carrier. I did exactly that. Stopped the transaction and took my business elsewhere.

trollbridge
2 replies
18h25m

And, of course, a picture of your passport and driver licence proves absolutely nothing, except that you're able to upload a picture of a passport and a picture of a driver licence. Uploading a video of your face proves that, well, you have a face. It would be trivial to make the photo and video match with easily accessible technology.

At least where I live, governments don't really let a third party validate the info on a passport or even on a driver licence outside of a few regulated entities like banks - so they aren't doing anything useful with these photos, except storing them for the inevitable leak.

ww520
1 replies
15h3m

Yes. There's a reason hotels refuse to accept the photo copy of a driver license on paper or in phone as the ID for the check-in guests. Similarly hotels refuse to accept photo copy of credit cards. It's so easy to Photoshop an ID these day.

blitzar
0 replies
12h0m

It's so easy to Photoshop an ID since the 80's

bangaroo
0 replies
23h38m

i mean i have worked in the industry (including a long stint in fintech!) for something like 20 years now and i genuinely have yet to work at a place that didn't just nod knowingly at the need for it.

i genuinely struggle to recall an active effort to continuously train, test, and improve security that had any impact across any company i've worked at. it's super costly work that feels like a pure expense to folks who don't know any better.

i recall substantially longer discussions - at the company i worked at that handled people's banking credentials and is part of one of the largest financial institutions in the world - about how we could spin "the disks that your secure data is stored on are encrypted at the OS level" to sound as secure as possible without lying. far, far fewer meaningful discussions were had about how to audit for real security issues or train folks to write more secure code or build more secure systems.

i know that anecdotes aren't evidence but i've really met very few folks in my time in engineering who had experiences different from mine.

anon291
0 replies
22h11m

I mean... realistically, everyone should just assume their data is public, because if it's not for private companies, most states have had their systems hacked and data taken.

akira2501
0 replies
20h31m

They take the security of their cash flow very seriously. Which is partly why the anti-regulation vibe in Silicon Valley bums me out so much. The writing is literally on the wall here.

astroid
15 replies
1d

Didn't X switch to Stripe already? There was a huge uproar over people protesting Palestine being concerned about having their ID (with home address), biometrics (which they admitted to collecting), and other info to a company with such direct ties to Israel.

I don't know about this company specifically, but I know it's common for the government to essentially act as an incubator for tech companies, so the concerns probably weren't unwarranted.

I guess even with the switch, some people probably verified prior so it likely has some impact on X still -- and maybe this is actually what moved the needle internally, since the users were calling it out as a concern for quite some time.

I had no clue uber and tiktok used them though, so that's good to know - thankfully I haven't given them my biometrics as of yet.

octopoc
14 replies
1d

Oh wow didn’t know that stripe has Israeli ties. Thanks for the heads up—I’ll try to shop around for a more ethical alternative. May not be able to though—launch is imminent!

thephyber
11 replies
23h38m

So you commented without verifying the fact was true? And it turns out it isn’t.

Slow down. Don’t trust vague statements that don’t cite sources. Look for the nuance in the situation. Be curious and try to learn, don’t just follow the crowd.

Also, it’s fucking weird to me to assume that all Israeli private businesses are unethical. Sure, there’s probably some. Sure, their tax dollars are fungible with the government actions you consider unethical.

But aren’t you penalizing the secular tech entrepreneurs of Israel by divesting from anything related to the country? These are the same demographic that spent every weekend for most of 2023 protesting their own government’s attempt to become more subservient to the Netanyahu coalition.

rchaud
2 replies
22h8m

But aren’t you penalizing the secular tech entrepreneurs of Israel by divesting from anything related to the country?

No one is entitled to your or my business. A boycott is about voting with your wallet. It's not exactly withholding humanitarian aid as a famine looms.

If such companies feel that they are being unfairly singled out, they're free to demonstrate their opposition to the the actions of their government.

thephyber
1 replies
21h45m

I’m not opposed to voting with your feet/wallet. I encourage it.

But make sure your vote is targeted to what behavior you want to change.

If you want to train behaviors in a child, you need to react+respond immediately and proportionately. You don’t wait six months to reward a desirable behavior. To be most effective, You try to reward/punish immediately and you let them know why.

If you avoid Stripe because you mistook them for some other company which is based in Israel, which had no real ability to affect their government’s policies, they won’t interpret that as “we are being punished for supporting Israel’s unethical policies”. They will interpret that correctly as an irrational consumer noise in the data. If you want to enact change, let your target know why you want them to change, in what way, and then do it to the person/people most authorized/responsible for enacting the change.

rchaud
0 replies
20h37m

In this case the person who brought it up was wrong and acknowledged it.

Generally speaking though, the net impact of a boycott may even be negligible when it comes to Israel because of our government's largesse towards Israel's military industrial complex. Whatever little money is witheld by a boycott from a small minority of voters in the West is dwarfed by the many billions in taxpayer money that Western governments commit towards ensuring that the IDF has more F-16s per capita than anywhere else on earth.

Levitz
2 replies
23h1m

You can draw that type of criticism with any boycott though. Does whoever cleans the office at Lockheed Martin deserve to be punished for the actions of the company?

The point is to create repercussions for a country, that's going to affect someone, sure, but that's the point. Same as why people don't generally care about random Chinese or Russian companies when people decide to boycott those.

thephyber
0 replies
22h15m

Moving companies is far lower friction than changing nationality.

Ethics are relative and have tradeoffs. How many innocent people are you willing to hurt to change the behavior of the IdF / Israel’s Oslo Area C policies / Netanyahu’s government coalition?

If you are too sloppy with the splash damage, how are you any different than the IdF or Hamas? Would you even punish Stripe for Israel’s military/government behavior because you read some unsourced comment on social media?

I would rather target boycotts to the most precise entity, within reason, so the entity knows what they are being punished for and what change in behavior would change the boycott to a non-boycott.

If you don’t set an objective standard, then you will always be subject to your own emotions or a mob mentality.

sneak
0 replies
12h36m

That’s just because they haven’t thought about it enough. Sanctions are unjust.

People’s grandmothers in Russia who can’t get their chemo drugs right now are no different than if your grandma couldn’t get her meds because Bush invaded Iraq.

ChemiSpan
2 replies
23h8m

penalizing the secular tech entrepreneurs

During the divestment against South African apartheid, anyone was a fair target.

And yes Israel has been labeled an apartheid state by all the major human rights groups, including Amensty, HRW, and Israel's own Btselem. Linking the 3 reports below, in case you are interested in reading.

https://www.amnesty.org/en/latest/campaigns/2022/02/israels-...

https://www.hrw.org/report/2021/04/27/threshold-crossed/isra...

https://www.btselem.org/publications/fulltext/202101_this_is...

thephyber
1 replies
21h52m

I also noticed you missed the most important thing about the GP comment of my reply: he misread which whether the relevant company was on the unethical side of the equation and seemed willing to divest without any skepticism or curiosity.

ChemiSpan
0 replies
21h7m

It's true though, AU10TIX is connected to Israeli intelligence which seems to be a reason why X switched to Stripe. I think the confusion was whether it was Stripe or AU10TIX.

AU10TIX is a subsidiary of ICTs International, a company established by former members of the Shin Bet and El Al airline security agents.

Ron Atzmon, the founder of AU10TIX, spent his military service with the Shin Bet's notorious unit 8200. Which also produced the infamous Israeli Pegasus spyware used by repressive regimes like Saudi Arabia to spy on citizens.

https://www.mintpressnews.com/identity-verification-or-data-...

lmm
0 replies
13h25m

But aren’t you penalizing the secular tech entrepreneurs of Israel by divesting from anything related to the country?

There are no "secular tech entrepreneurs of Israel", in the same sense that there are no private businesses in China. Every adult citizen is required to do military service for the constitutionally non-secular state, and military/government-backed paramilitary operatives routinely disguise themselves as civilians, including running whole tech businesses as front operations. Any given Israeli technology company might not happen to be a government (and therefore religious) organ at the moment, but it can become one at a moment's notice with no notification and no recourse.

These are the same demographic that spent every weekend for most of 2023 protesting their own government’s attempt to become more subservient to the Netanyahu coalition.

Plenty of people in North Korea or Iran or Russia protest against their governments too. But we don't, and shouldn't, let that persuade us to keep doing business with people in those countries.

ignoramous
0 replies
20h26m

penalizing secular tech entrepreneurs

"If you kept the small rules [like secularism], you could break the big ones [like occupation]."

ganeshkrishnan
0 replies
20h38m

Oh wow didn’t know that stripe has Israeli ties.

you misunderstood OP. He meant the previous authenticator for X was autotix which was Israeli and then they switched to Stripe which is NOT.

astroid
0 replies
1d

To clarify, Stripe does not - Au10tix does, which they moved away from.

Stripe is Headquartered in US / and I believe Ireland - not Israel. Sorry for the confusion.

qchris
13 replies
19h40m

I sometimes think that situations like this are eventually going to lead to legally-required professional licensing for certain tasks in software development.

Obviously, not everyone who writes code needs a development license (what, I'm going to get licensed to write a blog or put up a site with fruit jokes?"), but if your business is going to involve personally-identifiable information, then you need actual engineering, and the folks that do that engineering need certification. This is a similar mechanism to how engineering licensing even started (in the US anyway), where Wyoming basically got tired of water infrastructure being built by people who didn't know what they were doing.

Licensing could also help provide individual engineers with leverage against managers or C-suite folks who want to move fast & break things. When you're in a professional class with exclusive sign-off capabilities, it's easier to be say "we have to do this right or it's my ass, back off" and should the company says "fine, you're fired", goes ahead with managing the PII, and a leak like this happens, the company's liability goes way way up. That situation overall tends to improve the leverage that skilled workers (like those who know how about database management for PII and endpoint configuration) have to do things right. There's a number of pitfalls that can happen with licensing as well, but I'd be curious to see if a push for something like this emerges over the next few years.

doe_eyes
3 replies
19h34m

Obviously, not everyone who writes code needs a development license

That's actually a very likely outcome. The startling statistic is that roughly half of professions require occupational licensing. In some places, you need licensing to become a florist. In several states, being an interior designer or a gas pump attendant requires a permit. Software engineering is an absolute outlier as far as highly-paid jobs go.

I don't think this is right, but that's the world we're living in and we should stop fooling ourselves. There's a lot of SWEs who are talking about wanting some helpful, laser-focused regulation. Well, it's coming wholesale, and a fruit joke website is not going to be exempt.

envp
2 replies
19h14m

There’s already regulation affecting SDLC practices in the financial industry (SSDF in the US, DORA in the EU).

Definitely not a stretch for other (“important”) areas to start receiving such attention in the future.

renewiltord
1 replies
18h10m

So we can look at the software they produce and see if it's better. From what I can see they suck at it. There was that error where Citibank sent hundreds of millions to the wrong guys and that was totally due to software designed like a monkey did it.

Freaking nightmare with this licensing crap. But if you'll let me run a licensing company and make mine the compulsory one that everyone has to use I'm good for it.

I'll call it Certified Software Engineer LLC.

mcmcmc
0 replies
16h17m

The real value of licensing is enforcing liability, not that licensed professionals are necessarily better. With florists/stylists etc it’s more rent seeking than actually needed, but again… think of bridges.

crooked-v
2 replies
18h32m

I'd be all for it if it finally gets the industry past all the stupid leetcode algorithm interviews.

m463
0 replies
18h26m

"secure this code against mitm attacks"

logicchains
0 replies
12h17m

If engineering licensing organisations were in charge of hiring, the leetcode questions would be replaced with UML-diagram-drawing questions.

userbinator
1 replies
18h17m

That's the dystopian situation which Richard Stallman envisioned in "Right to Read". Do not want. I'd rather have these periodic gaffs than the alternative.

throwawayk7h
0 replies
18h10m

There's "right to code" and then "right to read," and these are different. Engineers have these sorts of licencing requirements because we don't want bridges to collapse. Doesn't stop people from tinkering with engineering on their own or even working as engineers in certain roles.

When it comes to handling private data like medical records, driver's licences, etc. -- yeah, I'd be in favour that companies over a certain threshold have to hire licensed coders for these tasks. It may be a loss of freedom for a few specific coders, but it'd be a benefit to everyone else's privacy.

tgv
0 replies
5h54m

And then there'll be even more offshoring.

robben1234
0 replies
18h52m

But there are already regulations and companies with their executives are being held accountable against it. Does it matter how many badges the person designing the system is wearing if it complies with regulations and passes an audit? The problem with leaks to me looks like more of the nature of lax enforcement and few consequences when found in the wrong.

raxxorraxor
0 replies
5h5m

Licenses of this kind would be a huge waste and if so, you would need to certify management, which likes to skimp on security. For engineers you either have special training or you accept the degree. Government cannot do much more.

And no license will give you leverage towards the c-suite.

niij
0 replies
17h37m

In the optimistic case the future won't require any of this licensing because there won't be private information to steal. There are solutions for identity verification without including scans of actual documents. Maybe smartcards will come out in the US at some point.

miki123211
13 replies
23h56m

I'm surprised identity verification by logging into your bank and/or carrier isn't more common in the US.

They have your data anyway, it's much harder to impersonate somebody this way, it doesn't require the verifying company to hire any workers to do the verification, you could even do it without the site you're verifying yourself at learning anything about you.

thephyber
9 replies
23h49m

identity verification by logging into your bank

Do you mean you expect me to give my banking site/app credentials to X?

PayPal used two small (less than $1) transactions and the verification that I own the bank account was verified by correctly identifying the two transaction values.

Plaid, I believe, uses 3rd party auth with some banking institutions that support it, to pull read-only data from my bank account on my behalf.

South Korea and Estonia use government-issued digital certificates that private institutions can use.

There are lots of ways to deal with high assurance authentication, but very few are popular in the US.

miki123211
5 replies
23h34m

Do you mean you expect me to give my banking site/app credentials to X?

No no. Over here (Poland), the way this works is that you get a big list of banks, you click on one, get redirected to their site, log in there, complete any 2FA they need you to complete, are given the typical oAuth "this application wants to access this sort of data" consent screen, and then are redirected back if you consent.

This is mostly used for fast online bank transfers, which we often use for online payments instead of credit cards, but there's also a system to use this for ID verification.

thephyber
2 replies
21h39m

Oh. In Single-Sign On / OAuth terminology, the bank’s website is the Identity Provider (IdP).

Banks in the US depend on government-issued ID and information contracted from credit bureaus (3 big companies that are effectively data brokers about consumer lending behavior). We have federated identity, but in a weird, ineffective way.

Every once in a while, someone bold makes a political proposal to make our authentication / identity proof systems simpler, but then people realize the privacy implications (and religious fundamentalists point to the “mark of the beast” part of the Bible) and then the proposal doesn’t go anywhere.

miki123211
1 replies
20h11m

The interesting part about this is that such a system wouldn't necessarily need to come from the government. There are companies that need verification and want to do it cheaply and with little friction, and there are banks and carriers who could make some extra money on it.

Aloisius
0 replies
19h15m

There are thousands of banks in the US. Getting them to agree on anything is beyond difficult.

Carriers in the US don't all require ID, so they're not particularly useful for identity verification.

rchaud
0 replies
22h27m

Same system is used in Canada to authenticate indviduals who are logging into the government tax portal, or submitting their tax returns electronically through a tax preparation software.

baobabKoodaa
0 replies
23h22m

Same thing is very common here in Finland.

derf_
1 replies
23h40m

> PayPal used two small (less than $1) transactions and the verification that I own the bank account was verified by correctly identifying the two transaction values.

Based on my experience with (non-PayPal) financial institutions in the past year, this is going away. For now, it appears you can still force them to fall back to this when providing your login credentials does not work, but who knows how much longer.

thephyber
0 replies
21h37m

It was pretty good trick for validating ownership of a bank account back in 1998, but I’m happy they are moving to something else. There are far better options, and most banks are capable of much higher assurance validation now.

stevekemp
0 replies
23h28m

Do you mean you expect me to give my banking site/app credentials to X?

In Finland it is common for many online shops to handle payment, and authentication, using a banking account.

You never hand over your actual banking credentials, instead it is something akin to OAUTH2 - so you're at a merchant site and you'll see "Pay with Online BanK" with logos to click for whichever bank you have an account with. Exactly the same as "Login with Google/Github/Facebook/etc".

I changed my name last year, and due to other integrated services many companies automatically updated their records when the change became legal. These kind of integrations seem common and thus far "secure".

residentraspber
1 replies
23h30m

Been working in the Fintech space for the past 3 years and what I've learned is that deep down no bank trusts any other. No other bank wouldn't trust that a random bank actually correctly verified the persons identity before giving them an account.

I imagine this also works with other vendors. All you need is 1 company with a weak process.

hermitdev
0 replies
20h44m

Probably a lot of it is due to know your customer (KYC) rules. I am not allowed to take your word that you've done your due diligence; I have to do my own.

I've spent ~20 years working in and around finance, on the trading side. If your lawyers aren't paranoid about KYC, that's a major red flag.

lxgr
0 replies
18h49m

Why on earth would I want to trust either to hold the keys to being able to identify myself?

Both banks and carriers somehow manage to at the same time make identity verification incredibly painful and obscure, without actually protecting me against identity theft.

It also seems like it would make it even harder to switch banks and phone providers than it already is.

derbOac
13 replies
17h54m

This all feels like some Orwellian nightmare to me. Things like TikTok and X shouldn't require any ID verification in my mind; the rest of this fiasco just underscores all the other reasons why this is a bad idea.

SoftTalker
6 replies
15h17m

Neither should Uber. I never needed to show ID to hail a cab. You just stood at the corner and waived your arm. Are we talking about Uber drivers here? That makes some sense. But passengers? (I don't know, I don't use Uber).

sneak
4 replies
12h39m

Why does it make sense for drivers?

tirpen
0 replies
7h14m

Because a company should know the identities of the people who work for them.

taormina
0 replies
1h48m

Because you need a valid driver's license to drive, so if I'm contracting you to do any amount of driving, an extremely standard practice is to see if your license is good.

mrWiz
0 replies
1h50m

Ensuring that their drivers have a valid drivers license at least makes a little sense.

HaloZero
0 replies
12h19m

Drivers are background checked but honestly they probably get more abuse and attacks than passengers. After all there's no accountability on riders but there is accountability on the drivers.

Grimblewald
1 replies
16h21m

The thing with all these leaks is that ID's are rapidly becoming worth less and less for the sake of actually proving your identity. Part of me believes a lot of this is intentional to try force people into using bio-metric ID like iris scans or finger prints to verify, since physical ID's are so widely leaked and so thoroughly distributed to criminals that they're no longer trustworthy documents.

r0ks0n
0 replies
13h10m

that's a bit off the wall, don't you think?

BLKNSLVR
1 replies
17h41m

I agree wholeheartedly, and I'm going to go a bit further...

I think that I'm either out-of-touch or far enough outside the bubble to be able to provide an objective viewpoint, but:

Needing to verify government issued ID to create an account for high-in-the-clouds pure "lifestyle" services such as Twitter and TikTok? Fuck me, is this how far we've come? Is this the destination anyone actually wanted to reach?

raxxorraxor
0 replies
5h9m

Is this the destination anyone actually wanted to reach?

The services you register at love to ID you. Government pretents it tries to protect minors, but I simply do not believe them. And if so, this certainly would not be the way, on the contrary, they expose them to additional threats.

macic
0 replies
11h45m

Exactly. You should NEVER give these companies your ID for exactly this reason.

heavyset_go
0 replies
16h35m

Several states passed legislation that requires age verification for social media, and this is how it's implemented.

Companies are also incentivized to do it to prove their actual active user counts versus bots.

alwa
12 replies
1d

It says the company claimed that the credential leak was discovered and remediated 18 months ago, meanwhile the leaked credentials were still working as of a month ago.

Is this level of governance and sophistication really typical of vendors in this space? Sprawling enterprises I can imagine losing track of the odd place or two where the credentials are used, but a vendor who only does one thing, specifically a high-trust thing like this?

Even if they don’t have the wherewithal to be thorough in-house, am I confused to imagine that such a firm would have to carry insurance, which would tend to bring in specialists to make sure this kind of remediation is done right?

EasyMark
6 replies
16h4m

Why are they keeping a copy is what I’d like to know. It’s enough to know they check it, and verified it, so then they can delete it. Why keep copies at all ??or at least blank out critical parts that aren’t public knowledge. This is so stupid.

chefandy
2 replies
6h59m

If you need to check someone's government ID, you probably expect to have to go to court or otherwise deal with the government over it at some point. Being able to show why you thought it was someone, not simply that you thought it was someone, is important.

hiatus
0 replies
3h55m

Even notaries don't need to keep copies of licenses or selfies on hand for court, just their notarial register.

alias_neo
0 replies
4h42m

You're right, and I think it's wrong to do it this way.

We have various private companies taking copies of our ID; in the UK, you'll have scans of your passport/driving licence taken for various reasons.

We shouldn't have to trust them to get it right; and I suppose the threat for them is fines if they don't, but it's not good enough.

Probably, a more solid solution would be to offer a government ID service where these companies check against a central database that already holds your information and then they have to keep nothing.

If I hire a car, I provide the rental agency a code that gives them temporary access to my driving record to ensure it meets their requirements, it's a one-time code and I request it when required and provide it to them; something similar could be adopted for other purposes if they have a legal requirement to verify your identity.

olalonde
1 replies
15h34m

Probably because government regulations require it. I know it's a requirement for AML/KYC which many of these companies are subject to.

42lux
0 replies
7h37m

Maybe but why are they still hot?

rblatz
0 replies
15h34m

Retention policies are likely set by the client. That’s how it works with the vendors I’ve worked with in this space, but I haven’t worked with this specific vendor.

dragonwriter
2 replies
16h44m

Its not a high-trust thing, these vendors exist largely because it gives the organizations with direct relations with consumers a step of removal when a breach occurs; they are blame-outsourcing firms.

judge2020
1 replies
15h13m

Sure, but companies also don’t want to deal with building the system themselves (especially if you want to support multiple countries) and dealing with potentially doing something wrong like violating anti-discrimination laws.

lesuorac
0 replies
6h18m

Surely you have some reasonability to vet your supply chain.

Not to say that your vendors have to be perfect, but if they have a known credential leak for 18 months that's pretty negligent.

wepple
0 replies
20h7m

but a vendor who only does one thing, specifically a high-trust thing like this?

They’re not in the business of being trustworthy or secure, it’s just another software shop trying to grow product.

which would tend to bring in specialists to make sure this kind of remediation is done right?

Ideally, sure. In reality an insurance company has many thousands of customers, they can’t possibly do any real assurance beyond basic compliance. Managing access and credentials is a hard problem for well staffed security teams, let alone a single compliance auditor.

jdp23
0 replies
1d

Yes, it's very typical. There are almost never any consequences for actions like this.

smittywerben
9 replies
23h58m

I could be wrong here but I want to say that a driver's license ID number would even be protected under the pre biometric data privacy laws.

tptacek
3 replies
22h19m

Until pretty recently drivers license ID numbers in many states were effectively public, and if your license was issued at least 10 years ago, it probably still is.

smittywerben
2 replies
21h21m

California was among the first to include driver's license numbers among personal information. The earliest I can find for my state is 2019. I'd not be surprised if some double standards continue to exist where the DMV itself is selling your personal information.

"Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements...

2. Driver's license number or California Identification Card number.

https://en.wikipedia.org/wiki/California_Senate_Bill_1386_(2...

tptacek
1 replies
20h53m

I don't mean simply that the DMV might sell your information; I mean that given your name and some basic information, I can potentially just generate your valid ID. Millions of drivers license IDs are essentially public. It's always a little weird to me to see people treating them like hazmat. I sort of get why? Hazmat whatever you can? But an Illinois drivers license for a 40-year-old is public.

Imagine if, until relatively recently, a social security number was a truncated MD5 hash of your name and birthday. That's the flavor of the problem here.

smittywerben
0 replies
15h55m

Huh, wow, I never thought about how our licenses are encoded. I agree that it is disproportionate relative to the other records.

Perhaps it's making the same mistake as SSNs in that people use public or easily generated information to verify identity in the first place.

SoftTalker
3 replies
15h19m

Nope. It was pretty common to have them and/or your SSN printed on your personal checks, and if they weren't, the merchants would often ask to see ID and write the numbers on the check themselves.

quesera
1 replies
4h17m

Not that many years ago, it was common for your drivers license ID number to be the same as your SSN!

SoftTalker
0 replies
2h30m

Yep. My SSN was also my student ID number when I was in college.

pbiggar
7 replies
1d

Having an Israeli company running security for US companies is absurd. Their startups are an extension of the Israeli military, and most founders were in Unit 8200 (the group that made the AI-bombing systems Lavender and Where's Daddy).

robcohen
6 replies
1d

Why is it absurd? I'm not following.

JumpCrisscross
3 replies
1d

Because Israeli intelligence freely and brazenly spies on civilians from allied countries

Everyone spies on everyone. Does Israel have a law like China's which mandates coöperation? It was my understanding they have a forcefully independent judiciary.

kevingadd
0 replies
23h11m

"Everyone spies on everyone" isn't an argument in favor of using companies with known ties to the military or intelligence, though...

codedokode
0 replies
23h50m

This means we should use national solutions and services instead of someone's else.

chimeracoder
0 replies
23h58m

It was my understanding they have a forcefully independent judiciary.

That may have been true ten or fifteen years ago, but is extremely not true today.

Alupis
0 replies
1d

Oh how quickly we've forgotten the Snowden Leaks.

They all spy on each other's citizens. When it's not possible to do it directly, they will use covert means a la NSA slurping up data via transit lines, etc.

It being an Israeli startup makes your data no less safe from spying eyes than doing business with a UK startup or any other allied nation.

joshribakoff
6 replies
4h32m

Uber wouldn’t delete my data when I demanded them to, they just hung up on me rudely. I escalated to the CEO and they sent me this message explaining why and assuring my fears of a data leak were “unfounded”:

Maribel again with Uber Support. Thank you for your patience while I took a further look at the deletion request. Unfortunately, we are unable to delete all of your information on the account due to security measures. Please visit our Privacy Notice for more details, specifically the sections titled E. Data retention and deletion. As of May 12, 2024, your account was marked for deletion. Keep in mind that deleting your driver account is permanent and will automatically delete your rider account as well. Any credits associated with your accounts will be lost. Additionally, I want to emphasize that we have strict security measures on the platform to ensure that your personal information and your safety are secured. Your understanding is appreciated.

BiteCode_dev
4 replies
3h36m

Plus, they can delete all your informations, because GDPR mandates it in Europe.

hnbad
2 replies
3h9m

GDPR allows retaining any information necessary for complying with legal requirements (e.g. taxes). But that exception is to be interpreted as narrowly as possible.

m11a
0 replies
1h3m

GDPR also allows for processing for a company's "legitimate interests", which is supposed to be a balancing test, but Uber could argue it needs to process ID documents to ensure safety on its platform. If the company refuses to delete, the only option you have is to escalate to a data supervisory authority and have them adjudicate on it.

But more generally, GDPR has multiple legal bases for processing other than consent, and for any other than consent the processor might still be able to process data despite the right to be forgotten. And IME big company data processors tend to interpret these exceptions quite liberally, hoping people won't have the means to challenge their decision.

Kevcmk
0 replies
1h22m

Pro tip, sites don't have the means/motivation to challenge a user's assertion that they're in France (GDPR) or California (CCPA). Just pick a Paris address and demand a GDPR Data Subject Request (DSR) to delete your data.

wil421
0 replies
2h55m

A website I went to had a delete my data link. I wondered what would happen if I put I was in Europe even though the website doesn’t cater to non-USA users. They still told me they would not be deleting my data because they had to keep records for x number of years due to legal requirements such as law enforcement and financial reporting.

digging
0 replies
2h53m

I genuinely think it should be a legal liability to make a claim such as "we have strict security measures on the platform to ensure that your personal information and your safety are secured."

First, because they're probably just outright lying to imply they're taking security as a paramount priority. They're likely following minimal guidelines to cover their own asses legally.

Second, because it's physically impossible for them to guarantee data security. It's like making a promise to a child that they're never going to die. A security breach is a matter of probability, not a door you can close and forget about. A society that allows companies to make absolute assurances about security at all is endangering itself. But it also means that levels of security and due diligence are difficult to quantify because we don't even conceive of it as a probabilistic issue.

(I also just watched the new Ashley Madison doc and it's really sticking with me that they made up fake certificates of security while putting virtually no effort into the real thing, and actively chose to play chicken with their users' data when they had the option of closing up shop - an extraordinarily clear case of being blinded by greed, especially as the payout was obviously forfeit if the hackers followed through. Both of these choices should have legally put much of the blame for the fallout and suicides on the CEO.)

gurchik
4 replies
23h24m

While PII data was potentially accessible, based on our current findings, we see no evidence that such data has been exploited.

How is this possible, when the journalist accessed the data to confirm it contained PII?

Each day I am more and more interpreting "we see no evidence" as "we didn't really look." That way their statement can be technically correct, without divulging any evidence that might be used against them when users sue for damages.

notaustinpowers
1 replies
22h20m

It's even a more blatant lie because 404media found the credentials in a Telegram group. So, yeah, there's no way this wasn't exploited by multiple people.

schwarzrules
0 replies
16h59m

that statement really bothered me. they can of course say that they don't see any evidence of exploitation, but this kind of personal data is valuable to bad actors because they can take it from au10tix and then use it to exploit other services or the individuals directly. au10tix would never know about that exploitation.

ThePowerOfFuet
1 replies
22h55m

Each day I am more and more interpreting "we see no evidence" as "we didn't really look."

They see no evidence of it because there were no log entries telling them so.

Why there weren't, on the other hand, is a question far outside the scope of such statements.

treeFall
0 replies
20h52m

See no evidence, hear no evidence

mrweasel
3 replies
11h23m

While we complain about it a lot, more and more I have come to appreciate the Danish governments online ID solution (MitID). It's certainly not perfect, but it does allow you to do ID verification, without exposing PII to companies.

Understandably not everyone who needs to verify your identity is going to implement MitID, I can understand X not wanting to do that for the limited amount of users they have in Denmark. It's simply not worth the cost. What I don't get is why more countries doesn't have this. The US sure seem like it would benefit greatly from having a standardized, safe and secure online ID (MitID may or may not be as secure as it could be).

anal_reactor
0 replies
11h0m

EU is working on this, but it's going to take a lot of time before the system actually works for all member countries.

Brybry
0 replies
10h43m

The US has no national ID and for historical ideological reasons the pushes for a national ID fail.

That's why social security numbers are abused as a form of national ID number. The closest thing we have is the "Real ID" standard for state IDs/driver's licenses (well, ignoring passports). [1]

So right now government solutions are done individually by states (if at all), usually as some form of "wallet" / "mDL" (mobile driver's license) phone app.

All the state ID databases are supposed to be able to talk to each other, eventually, so maybe some day a big state's system will allow verifying IDs from other states but there might be political issues that block that.

I guess the other option is that a big state's system (like say California's OpenCred[2]) gets popular enough for all the other states to implement it. But I'm not hopeful.

[1] https://en.wikipedia.org/wiki/Real_ID_Act

[2] https://www.dmv.ca.gov/portal/ca-dmv-wallet/opencred-for-dev...

6510
0 replies
10h57m

I haven't looked into it much but if the EU digital identity turns out something nice and usable the platforms should love implementing it. (Not holding my breath)

All I really want is to obtain a link by posting a key and some identifier, redirect the user there, have them log in, redirect them back and send my webhook a code that represents that user on my website.

A registered business would be able to (for example) request/buy age restriction.

Ideally non EU citizen could also obtain a digital ID.

That way I can stay blissfully ignorant about who you are and where you live. All I want is a single account per user (in stead of 100 000 and/or captchas)

treeFall
2 replies
21h12m

Why are US citizens biometric identities being sent to Israel? Aren't there laws about sensitive information like this leaving US data centers?

sundbry
0 replies
20h41m

Good question. I was required to submit ID to Au10Tix for an Azure vendor account, and noticed that was outsourcing the data to Israel.

pylua
0 replies
16h43m

You would be surprised. Banking companies / their vendors for instance will outsource to india and Poland. Some of the people in Poland are citizens of Belarus. Us customer data is all over the world (account numbers / ssn / other personal info ).

It may be stored in the us but accessed by people in lcol areas.

brw
1 replies
22h21m

This is the original article (as mentioned by Gizmodo) which I submitted to HN yesterday, but it got killed immediately because of the signup wall. It went into the second chance pool (https://news.ycombinator.com/item?id=26998308) just now but not before another article on the same matter was submitted it seems. Not sure what the procedure is in that case. I'll ask dang.

dang
0 replies
21h40m

Ah ok since this is the original article we'll merge the other thread hither. Thanks!

leni536
2 replies
19h55m

Does the ID verification service retain personal information after verification? If so, why?

Mindwipe
0 replies
5h41m

Because it has to or there's no verifiable audit trail that any verification was ever performed.

Any service that claims otherwise is lying or will get sued to oblivion very quickly.

Grimblewald
0 replies
16h19m

so that they can sell it of course. Naturally they have to claim it was leaked afterwards, but that sale is a hefty bit of cash, all for zero repercussions? if you're an amoral megacorp, its a no brainer.

stefan_
1 replies
23h16m

Why on earth are these identity verification companies storing this data? Once the verification is done, the data must surely be promptly deleted?

toast0
0 replies
22h8m

I imagine they save the data in case there's a question about a verification. Then they can go back to the archive and say we got these images, we took steps X and Y to validate them, so we were good. If they destroy the verification images, they wouldn't be able to defend a verification claim. OTOH, they wouldn't have to worry about the security of storage for those images. (They'd still need to worry about security of the images during processing)

steelframe
1 replies
14h21m

I had to use one of these services once after I lost the MFA app for a domain registrar when switching phones. I wouldn't be at all surprised if my driver's license has been compromised from that company's S3 bucket (or wherever they're stuffing the images) since then. Regardless I was super-annoyed to have to jump through that hoop. The subsequent emails from them pleading with me to re-enable MFA have since gone straight to the bit bucket.

Throw_Away_1049
0 replies
5h37m

Just yesterday I had to do this for the first time with Robinhood. Driver’s License and face scan. No clue why. I had access to my email and phone but it required it.

dinglestepup
1 replies
1d

"Our customers’ security is of the utmost importance"

They don't even have 2FA enabled for logging into such a sensitive portal?

asadm
0 replies
21h9m

Users aren't their customers, Israeli govt / Mossad is.

diebeforei485
1 replies
1d

I've noticed that companies are generally happy to say they use (for example) Plaid to handle your bank account details, but often bury or hide who is handling your passport details.

This is unacceptable. If you want my ID, you'd better disclose who you're sharing my ID with. And ideally give me a choice of providers.

aketchum
0 replies
21h2m

And ideally give me a choice of providers.

This sounds good I guess but would be pretty annoying in practice for basically no upside for the business. I could see having 2 providers that are both randomly used so that we can continue business when one has an outage. But even then I would not be showing the option to my customers. The vast majority of users would be more confused by the options than happy about having options, and likely hurt conversion.

totorovirus
0 replies
7h23m

this is why we need zero knowledge proof

matrix87
0 replies
14h57m

I wonder if companies like coinbase use these authenticators as some kind of liability shield

lizardking
0 replies
1d1h

My understanding is that X has moved on from AU10TIX to using stripe.

heavyset_go
0 replies
16h41m

It's going to be fun when there's repeated incidents like this each week because every site will require your driver's license to prove you're 18 so you're allowed to post on the internet.

hanniabu
0 replies
23h22m

High-profile fintech partners: Mercury, Stripe, Affirm, Airwallex, Alloy, Bond (now part of FIS), Branch, Dave, EarnIn, TabaPay, and previously worked with Wise and Rho, though both have since migrated to other bank partners

Leaked account holder info: name & address, email, phone, unencrypted SSN/TIN, DOB, fintech platform

Leaked account info: status, type, balance, last activity, opened date, account number, daily limits

frugalmail
0 replies
20h30m

Recently there was mass infringement by the Democrat politicians or government reps of our 1st Amendment rights indirectly through social media as proven by the #TwitterFiles.

The fact that these sites are now forcing users to submit to these identity disclosures simply because of some potentially fabricated rationale is really concerning.

All of that with the nonchalant attitude of these data service providers, I'm deeply concerned.

charles_f
0 replies
3h48m

Security theater cycle at this is stage:

1. Develop features at any cost, over-collect data, neglect security

2. Hacker gets in, pick the entirety of the data made readily available, credit card numbers, social security numbers, prod credentials, sexual orientation predictions that the company made on their customers for some reason, all of the pay history of the company, instagram creds of the ceo's girlfriend, and takes a dump in their bathroom

3. Try to shush the story

4. It gets exposed by an independent journalist in Kazakhstan who just reads /r/leaks

5. "we recently discovered that a malicious individual got access to a few logs on a random test server. Oops! So far we didn't find proof that it was used. Rest assured that security is our utmost priority. We love security here at ACME corp. Our teams have matching 'security' shirts, and every thursday we pray to Glombo, the security god. As a gesture to our customers we offer everyone a free 2 week trial of our 'security+' package ($15.99/M after trial, don't forget to cancel). Once again, sleep well knowing your data is safe with us!".

6. 6 months later the security gap is half plugged by an intern developing a novel password management system that encrypts passwords in base64

7. Go to 1. because no-one cares

callalex
0 replies
23h49m

What are the chances that anyone goes to prison for this? If the answer is “none” this will just keep happening.

bux93
0 replies
4h17m

LinkedIn is badgering me to "verify" my identity using some app I've never heard every time I log on. I won't, because this will inevitably happen, and Microsoft will shrug and blame the outside company.

benreesman
0 replies
11h24m

Jesus, let’s skip the foreplay and let the under-endowed cousins of someone important off with a warning and get tough on crime with some normal people.

inb4 the usual chorus of people who are rabid originalists when it’s a tech titan but concerned with the budget when it’s a kid who hasn’t invented Reardon Steel yet.

edit: I apologize for the low value comment. as someone who had their community devastated by synthetic opioids and spent all day reading people defend the Sackler family I was just lashing out at rich evil people and I apologize for the negative-signal comment.

StiffFreeze9
0 replies
17h22m

Beyond any ID theft - Oppress homeless who lost papers and can't navigate replacing them. Under pay and abuse hard-working immigrant families.

_Papers, Please_ by Lucas Pope. _Engage and Evade_ by Asad L. Asad.

AzzyHN
0 replies
14h29m

Shocker.