Of course they leaked the data. Any seasoned techie could've seen that coming from the start.
One of these days, some seasoned and principled lawyer, who knows a bit about tech, is going to get ticked off, and decide to make one of these companies truly pay for their gross negligence.
Then, gazing at the obliterated company, other companies will try to get legislation to let them off the hook, but some of those companies will decide the party of recklessness is probably over, and that they need to start acting responsibly and competently.
The problem is there are zero consequences for leaks. Customers should be owed automatic compensation for the companies giving their data away.
That is needlessly complicated. The problem is the US federal government does not provide identity verification API as an infrastructure service. And they easily could using the USPS’s physical locations and their workflow in processing US passport applications, which already involves identity verification.
Or even just coordinating the 50 states’ motor vehicle commissions or whatever since they are also verifying identities to issue drivers’ licenses and state identification cards.
There are monied interests that do not want a tight American ID system.
It is more that the Federal government is Constitutionally prohibited from mandating such a thing, the most they can do is ask nicely and hope for compliance. Coordinating the several dozen States, which can do it, is like herding cats. This is further complicated because there are large factions of both Democrats and Republicans that are against it for a litany of unrelated reasons, so the resistance to it is robust and bipartisan.
It has little to do with "monied interests". It is primarily the product of nigh insurmountable legal and political hurdles.
Where does it say in the Constitution that the Fed can't operate a unified ID system?
The Federal government can build one but they can’t require it or make people use it, and an ID you can opt out of is useless. Only the States have that authority. This is settled law with a lot of precedent, and largely the reason the US has no national ID system no matter which politician runs the country. Courts have consistently held this to be outside the narrow Constitutional authority of the Federal government.
Having a mandatory Federal ID would require a Constitutional amendment, but since the States have refused to do it voluntarily it seems exceedingly unlikely that a super-majority of States would ratify an amendment that forces them to do it.
I don't believe that this is actually unconstitutional. The whole argument about the Fed not being able to set up a Federal ID hinges on the Tenth Amendment, saying that it's not a specifically delegated power.
But that is a ridiculously weak argument, there are tons of ways the Federal Government can mandate the unified ID. For example, it can be tied to the Social Security number. The government can (quite reasonably) argue that it needs to positively identify people to be able to correctly track their SS contributions.
Why hasn't this been done yet? Probably because nobody cares about that. Real ID gets postponed time after time, exactly for the same reason.
What you believe isn’t backed up by the long history of a national ID in the US. Your legal theory would have to explain, for example, why some States today (e.g. Washington) do not recognize or accept any Federal IDs, like passports, only State IDs. This is strictly in line with the Constitution, it is entirely permissible for States to reject Federal IDs for all legal purposes. What would compel a State to recognize any new Federal ID in the future if they already have the power to disregard Federal IDs in theory and practice?
A Social Security Number is not an ID expressly as a matter of law, because it can’t be legally. The many loopholes the Federal government tried to use to backdoor a national ID were shut down by the Supreme Court repeatedly. The US can only have a mandatory national ID system if the individual States, in aggregate, decide to create one. Thus far, they have shown no interest. Real ID is not a unified ID because the Federal government cannot compel it.
As with most persistent problems, the “obvious” solutions are not being ignored because no one has cared or no one has tried but because there are fundamental technical reasons they don’t work.
So, note to self: do not move back to the US from overseas to these states or they won't believe I am American.
The same thing Congress does to add a workaround for any law it's constitutionally forbidden to enforce on the States. A "voluntary" program where states that don't agree to the ID law don't get any federal highway funds that year.
This has been extensively tested and the Supreme Court is fine with it, e.g. [0]
Alternatively, enforcement through military means - Congress hasn't authorized the use of force against dissenting states since the 1860s, but the threat is always there.
Or paramilitary means, where an armed federal law enforcement group seizes control of state installations that aren't aligned with aspects of federal law. The DEA and ATF have a blueprint to follow here.
Or financial means, where Congress orders federally-regulated banks not to engage with customers that don't respect its ID policies.
There are other levers to pull, too. It's not that the States don't have any power, but in practice they are allowed the powers that the federal government chooses not to centralise - the opposite of how it works in theory, where the federal government governs only to the extent the States allow.
[0] https://en.wikipedia.org/wiki/National_Minimum_Drinking_Age_...
I don't believe any state does not accept a US passport as ID, and would need to see a source on that. A quick google returns no results.
Perhaps you didn’t hear about “Real ID”. You need it to fly, and it involves data sharing/matching with the federal government. They did a back door federal ID system by simply integrating with all of the state ID systems.
The Federal integration is optional, it cannot be compelled, and many States have opted to not implement it. The only thing the Real ID does is compel uniform standards for how States implement ID, it does not compel them to share their databases.
All 50 states, DC, and 5 territories are all issuing Real ID-compliant IDs. It’s also required by TSA to fly from 7th May of next year.
Everything you say is true of state IDs too. They are not mandated. They are useful because some people choose to have them. Some people would also choose to have a federal id.
Sure, but in the US, many many many more people have a state-issued ID than a federal one (a passport).
If a company needs to implement age verification, they're not going to limit their market to the set of US citizens with passports if the federal government were to offer an ID (passport) verification service. They're going to want state-run ID verification services, or, as in the case here, a private company contracted to do it for all ID types.
Then again, if the federal government (or my state government, even) offered an ID verification service directly, I would be more likely to use a product that offered it as an option, vs. one that only offered some private company's shoddy ID verification service.
But this feels vaguely analogous to the municipal broadband fights. Private ID verification companies would certainly lobby against states or the feds building their own ID verification services.
Indeed. We call them “passport holders”.
You didn't answer the question.
Perhaps you could cite the main precedents and/or quote the US constitution?
The tenth amendment would be a good place to start. As others have pointed out throughout this thread, the Constitution has a whitelist of powers allowed to the federal government. All other powers are outside its purview.
Are there any example rulings that you can share to illustrate how courts have “consistently held” this?
Not off-hand but it goes back to at least the early 20th century. There have been many attempts at a national ID system via technical loopholes but the courts have not looked kindly on them. It is the reason a Social Security Number is explicitly not to be used as an ID in law, so as to maintain its legality. It is the reason that every part of the Real ID Act that involves the Feds aggregating a centralized ID database from the States is strictly optional (and many States have opted to opt out of that). The Supreme Court has already ruled that Federal regulatory and taxation power cannot be used to induce States to comply, as that would be an end-run around Constitutional limits on Federal authority. Whether I like it or not doesn’t matter, I recognize that this is the reality.
As a heuristic, when something obvious and simple, like a national ID, has inexplicably never existed across every political administration, it is unlikely to be an oversight. This has been playing out for a very long time, it is unfortunate that most Americans are not familiar with the legal history.
It is similar to why people were surprised the government didn’t even try to enforce lockdowns during COVID anywhere in the US. Freedom of travel was thoroughly adjudicated across many cases by the Supreme Court covering almost every circumstance imaginable. Any prohibitions on freedom of movement are subject to the “strict scrutiny” standard, same as freedom of speech. Any politician attempting to do so would have invited instant wrath and injunctions from the judicial system, and their legal advisors knew it.
It doesn’t have to be mandatory. Just offering it means businesses will use it to offload liability, and only accept customers that sign up for it.
Is a legally mandatory ID required to solve this problem? The Federal government could create a voluntary one and/or coordinate the state ID systems into a modern digital ID system, then Uber and banks could use that instead of letting an SSN or photo of ID be enough to commit identity fraud. If someone doesn't want to use the system, that's between the client and Uber.
Yes I know if this happens it will become one of those "technically not mandatory but in practice yes" things.
The constitution doesn't say what the federal government is disallowed from doing. The constitution says what the federal government is allowed to do, and they are not allowed to do anything it doesn't say.
If this is the case, how are they allowed to issue passports?
Good question! I think the short answer is because the Supreme Court has interpreted the constitution as having granted that power. It is not an open-and-shut case, however, and stems from the constitution's grant of power for Congress to control the Rule of Naturalization, and from the 14th amendment. A conservative reading of the constitution, however, might imply that Congress does not have the power to bar entry to foreign nationals.
http://hrlibrary.umn.edu/immigrationlaw/chapter2.html
https://www.yalelawjournal.org/forum/citizenship-passports-a...
They can operate a national ID system. For instance SSNs and passports. They can also force states to do things (like RealID).
... or a matter of finding the correct leverage. Drinking age 21, for example, got bullied through by threatening to cut highway budgets [1].
[1] https://en.wikipedia.org/wiki/National_Minimum_Drinking_Age_...
I don't think you need to really coordinate all the states. Each state can provide their own ID verification system. Yes, it's a pain that every product wanting to use it will have to do 50 different integrations rather than one, but ultimately things will converge to a more or less standardized API (or a few of them).
Of course it's dumb that taxpayers will have to pay for 50 of these things through their state taxes instead of one of them through their federal taxes.
Then again, what's most likely to happen is that the states will outsource it to a private company like this one, and we're no better off.
What are they?
Agriculture and food processors want their undocumented workers.
The transition to documented humanoid robots might take less than a decade.
Only if they are cheaper than a human. Which seems unlikely, for this kind of work.
What are these monied interests, and what incentive do they have to prevent a "tight American ID system"?
A friend applied for a job in the UK civil service - you were required to verify your identity by giving data to a third party, for profit company (and paying for the privilege). All of the companies had recently had significant data breaches. One of them - right there on the government provided guidance - lied about the company (Post Office) to imply a historied bastion of trust. It was blatant.
Verification could have been done using government data, but Tories have to also make a profit off of everything so they instead chose to give every civil service applicant's data away to companies with a track record of data leaks.
I do honestly think the real reason for this outsourcing is because the Passport Office and DVLA don't provide their databases for identity verification purposes, even to other government agencies, aside from say the security services and police.
Even in banking, where the government mandate thorough KYC/ID vetting, no APIs are made available by the government to actually verify a copy of ID is legitimate. So you're left looking at whether it "looks" correct.
For better or worse, of course, but there's an argument to be made that the refusal of the govt to provide "ID verification as a service" is pro-privacy.
Exactly this. Even non-civil servants are required to sign up with one of these services for certain government ID accounts.
I don't recall which it was now, but I had to choose from a bunch of providers (I selected Post Office) when I registered for something Gov related a few years back. I don't remember what now since I haven't used it since, but PO still has the details and provides auth for a government service for me. Insanity.
Why co-opt USPS and not ID.me ?
Because the US government already owns the USPS. And you need physical offices and employees everywhere to verify people in person.
And one of the major causes of that problem is that there is no US equivalent to the GDPR, even as the current ID systems are being abused quite thoroughly. Until we have something like the GDPR to prevent companies needlessly demanding personal information, simply making ID verification easier would mean even more places asking for identifying information, using it to build even more surveillance databases, and eventually leaking it all. For starters, imagine that every website currently using SMS login nags as an excuse for collecting phone numbers would switch over to requiring full legal names, inescapable ID verification, and then hard linking their collection of dossiers with the rest of the surveillance industry.
Are you suggesting that bulk-buying a year of Experian credit report access for the few people who haven't already won a subscription from some other leak isn't a consequence? Or that being able to see your own credit report isn't compensation enough? Heresy!
/s
Zero fucks given: "None of those companies responded to multiple requests for comment from 404 Media."
There should be nothing to leak. The record of verification should be a signature saying what was verified and how and when and nothing about the underlying documents/images/data off of which the verification was based.
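A sketch of the kind of record the comment above describes, added here as an example and not part of the original thread: the verifier inspects the document in memory and keeps only an authenticated statement of what was verified, how and when. The field names, the issuer key and the sample document are assumptions constructed for illustration, and HMAC-SHA256 from the standard library stands in for the digital signature a real verifier would use.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed demo key (assumption). A real verifier would sign with an
# asymmetric key so relying parties can check records but not mint them.
ISSUER_KEY = b"constructed-demo-key"
RECORD_FIELDS = {"subject", "claim", "method", "verified_at", "issuer"}

# Constructed sample input: what the applicant shows the verifier.
SAMPLE_DOCUMENT = {
    "full_name": "Alex Example",
    "document_number": "X0000000",
    "date_of_birth": "1990-04-02",
}


def canonical(record):
    """Stable byte encoding so issuer and checker MAC the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def is_adult(dob_iso, today):
    """True if the holder is at least 18 on the given day."""
    dob = date.fromisoformat(dob_iso)
    had_birthday = (today.month, today.day) >= (dob.month, dob.day)
    return today.year - dob.year - (0 if had_birthday else 1) >= 18


def issue_attestation(document, subject, method, today):
    """Inspect the document in memory; keep only what/how/when."""
    record = {
        "subject": subject,  # the relying party's own account id
        "claim": {"age_over_18": is_adult(document["date_of_birth"], today)},
        "method": method,
        "verified_at": today.isoformat(),
        "issuer": "example-verifier",
    }
    tag = hmac.new(ISSUER_KEY, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}  # the document is not retained


def verify_attestation(att, key=ISSUER_KEY):
    """Accept only an untampered record with exactly the expected fields."""
    record, tag = att.get("record"), att.get("tag")
    if not isinstance(record, dict) or not isinstance(tag, str):
        return False
    if set(record) != RECORD_FIELDS:  # refuse records carrying extra data
        return False
    expected = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), tag.encode())


if __name__ == "__main__":
    att = issue_attestation(SAMPLE_DOCUMENT, "acct-1001",
                            "passport_in_person", date(2024, 6, 1))
    print(json.dumps(att, indent=2), verify_attestation(att))
```

A store holding only such records still reveals that an account was verified and when, but no name, document number, date of birth or image.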
For various reasons I started to open a bank account with Mercury, before deciding to use another provider.
When I said I'd no longer be finishing the application and to please delete my passport info, first they ignored the second part. When I replied again asking them to delete my data they replied about KYC laws and assured me the data was securely stored of course.
At that point I gave up. Maybe they could delete the data if I fought, maybe their hands were tied, maybe me fighting would end up flagging my info as a money laundering risk. But I immediately imagined exactly this leak happening.
They're not the only vendor affected that had my data, nor is this breach the first, but that's the one that stings the most.
Anecdotally I'm being swarmed by text message spam for the first time in months. I have to assume people are running through new breach data to find live numbers.
Yes, their hands are tied. KYC requires the banks to keep the data for five years after account termination.
One of many, many shitty things introduced by the Patriot Act that we now just live with.
I understood GP to have started but not finished the process of opening an account. Does KYC still require banks to keep the data in this case?
IANAL, so I'm not gonna attempt to interpret it, but here's how it's phrased:
They didn't complete the application, though, and so were never a customer of the bank. So this shouldn't apply.
GP was never their customer, though. They started filling out the application to open an account, got past the ID verification step, and then decided not to complete the new account process.
Likely the issue is that they just didn't think of this possible case, and there's no way to delete the ID information, and the CS person didn't want to go through the extra work to find someone who could approve it and/or get it done.
They are probably outsourcing to a vendor who will do god knows what with it
Problem is, "Evil Hackers" always get the blame rather than the negligent companies, who play the victims. They trot out all the usual flawed analogies about locked doors and burglars, to excuse their negligence, and it works! So, the only legislation we ever see is to be Tougher And Tougher On Hackers instead of holding these clown companies responsible for the data they act as custodians of.
For negligence to arise there must be, inter alia, duty and proximate harm. I think you’ll find the identity services have a duty to their contractual partner, the website, but not to the victim whose identity was stolen. And there’s a circuit split as to whether any of these people were even harmed.
While litigation seems appealing, the answer here is legislation.
Sometimes there's probably negligence involved; sometimes not. You don't know without having access to the specifics. Always blaming "negligent companies" is just as wrong as always blaming "evil hackers".
At this point, it's pretty safe to just assume that any personal data any company has about you will be leaked sooner or later.
I mean, if you live forever and cannot die by any means, your odds of getting stuck somewhere approaches 100% (fall in a pit, landslide, fall overboard on a boat, stuck in the sun, lost in space, etc).
I imagine it is the same for data. The longer it is available, the more likelihood of it getting out of the company.
It's kinda impossible to give out DL, SSN, etc to so many companies and not have it leak. If these theoretical lawsuits scared companies enough, they might pay some centralized third party to handle the verification for them, but bad things follow from that.
The federal and state governments hand out these IDs in the first place. Shouldn't they be the ones to verify them?
Honestly, I hope Ron Wyden (I think his name is, US politician) takes this up - he has previously done excellent work calling companies to be accountable for such invasive and insecure practices
"One of these days, some seasoned and principled lawyer, who knows a bit about tech, is going to get ticked off, and decide to make one of these companies truly pay for their gross negligence."
Principled lawyer who knows about tech here: This won't happen.
1. It's probably not gross negligence - gross negligence is an extreme departure from ordinary standards of care - the ordinary standard here seems to be to suck at security :)
Legislation could establish a standard of care here and make this kind of thing gross negligence, but that hasn't really happened yet.
It's also not obvious they owe a duty of care to anyone in the first place, without which negligence is impossible (at least regular old negligence) - this also needs legislative fixing unless you want to end up arguing about it forever.
2. Damages are basically all speculative - what is your actual injury here, and how much can you prove the value of it. Lots of people on HN love to say how much X or Y is worth. What can you actually prove in terms of real loss?
It's fun to argue speculative loss (ie the value of your personal information maybe being stolen in the future, etc), but most cases are about real loss.
In practice where it's too hard to calculate we often end up with statutorily set damages. That also hasn't happened here.
Sorry to burst your bubble - without a bunch of legislation here, nothing is going to happen outside of the regular old class action lawsuits and $5 coupons.
I think our whole industry is rotten and we need to drastically rethink a lot of what we do. This is unacceptable and it shouldn't be this hard. We need a reckoning.