I don't know if I just became cynical and jaded, but is this really surprising to anyone in any way? Any time I give out my personal information to anyone for any reason, I basically treat it as 'any member of public can now access it'.
Even if a service doesn't have it in their TOS that they sell it to 3rd parties, they might do it anyway, or there will, sooner or later, be a breach of their poorly secured system.
To make it clear - I don't particularly blame any one corporation, this is a systemic issue of governments not having/not enforcing serious security measures. I just completely dropped the expectation of my information being private, and for the very few bits that I do actually want to stay private, I just don't, or allow anyone to, digitalize or reproduce them at all in any way.
It is a common misconception that facts are reported because they are surprising. Facts are reported because they are important. More and more governments are passing age verification laws which put exactly this data in to the hands of even more shady private companies. This breach serves as evidence that those laws are misguided, and spreading news of this event may help build public support for those efforts.
It's not surprising because there's never been a significant penalty for it, I guess because everybody just got completely used to massive breaches without much reaction. But then again it's very hard to get legislation passed that's not in the interests of big business.
ZK proofs for identity can't go mainstream quick enough. I agree with what you're saying completely. It's frustrating that we have the technology now to verify aspects of someone's identity without revealing it, but that it's going to take forever to become robust enough for mainstream use.
It's an interesting litmus test because regulators would not accept ZK age proofs unless the stated purpose of age verification laws (reduce harm to minors) is the _actual_ purpose of those laws.
Not some different unstated goal, such as ending online anonymity.
That is exactly what EU is doing with its age verification law. Basically the service provider just has to accept the certificate and check that it is valid and all the cert says is "is over X years old".
And the fact that the companies have to implement the system themselves is just crazy. It is very obvious that if the government require such a check it has to provide the proof/way of checking just like in the physical world it provides the id card/passport/etc used for checking this.
> just like in the physical world it provides the id card/passport/etc used for checking this.
In Sweden it wasn't the government that provided id cards, but the post office and banks. It became the government's job sometime after Sweden joined the EU, after the introduction of the common EUID standard.
Yeah we have something similar here in Finland with banks doing most of the (strong) identification.
This also makes things difficult for immigrants for the first month or two in the country as a lot of services (like making a phone or internet contract) require this identification to use but it is also a bit of a hassle to get a bank account (but getting a new bank account in a different bank once you have a bank account to do the strong verification takes like 2 minutes)
There is a government system but most don't use it but I expect once the eu digital identity wallet thing rolls around a lot of ppl will switch (or be required to?) to that
But very importantly this government, bank id, the identification part of the eu id wallet or really any identification system should not be used for age verification as it actually identifies the user not just give a proof that the user is over X years old.
These systems likely could be extended to just provide age information. If there truly was a wish for it. The suomi.fi systems can be configured. To pass or not pass address for example. So I see no need to pass personal identity number.
Yes and the "backend" (what provides the certificate to the app) for the age verification app for Finland will most likely be suomi.fi (or some dvv.fi thing directly) systems.
But we can't realistically expect every service that needs age check to work with 27 (eu countries) different systems but instead we need to unify it into a single api contract which is what this age verification app basically does.
That does not work without treacherous locked-down hardware. The marketing by Google et al is leaving out that fact to privacy-wash what is ultimately a push for digital authoritarianism.
Think about it - the claim is that those systems can prove aspects of someone's identity (eg age), without the site where the proof is used obtaining any knowledge about the individual and without the proof provider knowing where the proof is used. If all of these things are true while users are running software they can control, then it's trivial for an activist to set up a proxy that takes requests for proofs from other users and generates proofs based on the activist's identity - with no downside for the activist, since this can never be traced back to them.
The only thing that could be done is for proof providers to limit the rate of proofs per identity so that multiple activists would be required to say provide access to Discord to all the kids who want it.
If I had my 'druthers, there would be a kind of physical vending machine installed at local city hall or whatever, which leverages physical controls and (dis-)economies of scale.
The trusted machine would test your ID (or sometimes accept cash) and dispense single-use tokens to help prove stuff. For example, to prove (A) you are a Real Human, or (B) Real and Over Age X, or (C) you Donated $Y On Some Charity To Show Skin In The Game.
That ATM-esque platform would be open-source and audited to try to limit what data the government could collect, using the same TPM that would make it secure in other ways. For example, perhaps it only exposes the sum total of times each ID was used at machine, but for the previous month only.
The black-market in resold tokens would be impaired (not wholly prevented, that's impossible) by factors like:
1. The difficulty of scaling the physical portion of the work of acquiring the tokens.
2. Suspicion, if someone is using the machine dozens of times per month—who needs that many social-media signups or whatever?
3. There's no way to test if a token has already been used, except to spend it. By making reseller fraud easy, it makes the black-market harder, unless a seller also creates a durable (investigate-able) reputation. I suppose people could watch the vending-machine being used, but that adds another hard-to-scale physical requirement.
Yeah, introducing real world friction is seemingly one of the only ways of actually solving the problem of frictionless digital systems (apart from computational disenfranchisement, of course).
It might be a better idea to frame your idea in terms of online interactive proofs rather than offline bearer tokens. It's of course a lot less private/convenient to have to bring a phone or other cell-modem enabled device to the vending machine, especially for the average person who won't exercise good digital hygiene. Still, some sort of high-latency challenge-proof protocol is likely the way to go, because bearer tokens still seem too frictionless.
For example (3) could be mitigated with an intermediary marketplace that facilitated transactions with escrow. If tokens were worth say $2, then even just getting 10 at a time to sell could be worth it for the right kind of person. And personally I'd just get 10 tokens myself simply to avoid having to go back to the machine as much. In fact the optimal strategy for regular power users might be to get as many tokens as you think you might need to use (even if you have to pay for them), and then when they near expiration time you sell them to recoup your time/cost/whatever.
For years, I resisted TSA Pre check on principle, even though I was a frequent traveler. I finally relented when I realized there were places like Thailand that force you to give your biometrics, and almost certainly sell them back to shadowy US agencies.
Thailand has a big problem with identity theft, and another big problem with Chinese criminal syndicates committing various kinds of scams and fraud. So while they might share that biometric data with US government agencies, it seems more likely to me that at least one identity theft racket has acquired some of it.
I think you're assuming an ideal world where there's no information asymmetry, all the market participants receive and understand all the information and the risks, and clients could realistically move to an alternative platform that provably handles things better.
> I basically treat it as 'any member of public can now access it'.
Still remember the conversation over "mega apps"?
Based on my experience with Alipay, which was a Chinese financial focused mega app but now more like a platform of everything plus money, the idea of treating every bit information you uploaded online as public info is laughable.
Back when Alipay was really just a financial app, it make sense for it to collect private information, facial data, government issued ID etc. But now as a mega app, the "smaller app" running inside it can also request permission to read these private information if they wanted to, and since most users are idiots don't know how to read, they will just click whatever you want them to click (it really work like this, magic!).
Alipay of course pretends to have protection in place, but we all know why it's there: just to make it legally look like it's the user's fault if something went wrong -- it's not even very delicate or complex. Kinda like what the idea "(you should) treat it (things uploaded online) as 'any member of public can now access'" tries to do, blame the user, punch down, easy done.
But fundamentally, the information was provided and used in different context, user provided the information without knowing exactly how the information will be used in the future. It's a Bait-and-switch, just that simple.
Of course, Discord isn't Alipay, but that's just because they're not a mega app, yet. A much healthier mentality is ask those companies to NOT to collect these data, or refuse to use their products. For example, I've not ever uploaded my government ID photos to Discord, if some feature requires it, I just don't use that feature.
I blame companies (including discord) for collecting as much information as they can instead of as little as possible. More data collected -> more data that will eventually get sold / leaked / hacked.
It depends on the implementation. The EU's European Digital Identity Wallet will allow users to prove that they are over 18 without sharing any other personal information.
Honestly I don't understand why so many things are tied to one secret _that you have to share with others_ all the time.
Why is there no rotation possible? Why is there no API to issue a new secret and mark the previous one as leaked? Why is there no way to have a temporary validation code for travels, which gets auto revoked once the citizens are back in their home country?
It's like governments don't understand what identity actually means, and always confuse it with publicity of secrets.
I mean, more modern digital passports now have a public and private key. But they put the private key on the card, which essentially is an absolute anti pattern and makes the key infrastructure just as pointless.
If you as a government agency have a system in place that does not accommodate for the use case that passports are stolen all the time, you must be utterly out of touch with reality.
Governments don't get a damn thing about the internet. They just want to govern, and justify the spending.
Their goal is not to build resilient systems — it iss to preserve control. The internet was born decentralised, while governments operate through centralised hierarchies. Every system they design ends up reflecting that mindset: central authority, rigid bureaucracy, zero trust in the user.
So instead of adopting key rotation, temporary credentials, or privacy-first mechanisms, they recreate 1950s paperwork in digital form and call it innovation.
A big problem is that the Silicon Valley playbook drives companies like Discord to be winner take all. It’s hard to avoid using them, but then they require that give up sensitive documents. I shouldn’t have to choose between keeping sensitive documents private and being able to participate in most gaming communities. Some open source projects have also starting adopting Discord to manage their communities.
Not sure what you mean by "like europe" because in Europe they are trying to implement `European Digital Identity (EUDI)` for age verification, which will make stuff like this even worse ....
“Linkability is especially problematic because untrusted entities, such as attribute providers and relying parties acting together, can correlate and link auxiliary information to the same user, thereby breaching privacy and enabling tracking, profiling, or de-anonymisation.” [1]
That’s assuming EUDI never gets breached — but if Google and every major tech company has been, it’s only a matter of time, but this will have way more personal info ....
I've been using discord for 5 years and never upload my ID … And I don't want discord (or any other company) to know my age, or any other identification ...
> this is a systemic issue of governments not having/not enforcing serious security measures.
To do so seems impractical. Imagine the government machinery that would be required to audit all companies and organizations and services to which someone can upload PII.
The systemic solution wouldn’t be to do that. It would be to both remove their own requirements that organisations collect this data, and to penalise organisations for collecting it outside of a handful of already heavily regulated industries like banking.
I told the 2 servers I hang in about a month ago that if I randomly disappear it’s because I can’t login without an ID and I’m simply not doing it/that they should consider the post my preemptive “goodbye.” I included where to contact me for those who want to. Frankly I think anyone on discord should do the same
It’s surprising that it happened to a big name like Discord in this day and age. Huge data breaches of large tech companies are becoming increasingly rare as security in general is getting better.
One important problem that's mostly ignored is the lack of transparency about the third-party providers handling such sensitive ID documents. When a breach occurs, public statements rarely name the exact vendor responsible, making it difficult for affected users to understand who actually had access and who might still have their data. This opacity delays accountability and creates ongoing risks, since users have no meaningful way to audit or assess the practices of these shadow providers. Unless this layer of the data-handling ecosystem is discussed and regulated, future breaches will remain inevitable and largely untraceable.
I think it is nice that the GDPR forces companies to not keep too much data about people. And you can only have data that you need for the stated purpose (of course this leaves loopholes but it is good data hygiene to always consider).
For example, if you state you want to verify age, you only need the ID for a couple of seconds. So why didn't they think about the risk of a hack before? They could have done the age verification and then immediately deleted the document.
Maybe it is good to make an example out of Discord? Don't keep stuff around if you don't need it should be common sense.
Discord uses Zendesk (1). However in the press release they don't name the third party that was compromised, and Zendesk denies that it was their service.
What other third party was Discord using if not Zendesk? Who's reputation are they protecting?
Companies usually promise that the ID would be used only for validation and then immediately deleted. How so many IDs could leak then? They verify millions of IDs per month?
I can still swipe the message away, so I haven't done it yet. I'm going to work out how I can fake the face scan. I ain't sending Government ID to some chat app (no matter how big or small) that's over the top.
As an aside, I would have thought the age groups should be: 13 to 18, and 18+. They're the only ones that materially matter to the reason this check exists, in Australia at least. I don't want to contribute to their demographic analysis.
When the australia sub reddit was discussing the introduction of id on discord, the top comment was something along the lines of "look up openfeint". That was the day I uninstalled discord. It may not be an easy decision, especially if you are part of important social communities, but we cannot accept this level of disregard for our identities.
It took me a while to find the connection to Discord. Not sure if I did because it seems like some mobile app for people who play mobile games with some connection to some Japanese network and hosted in China or something?
OpenFeint was founded by the same guy who founded Discord.
From the Wikipedia page: "In 2011, OpenFeint was party to a class action suit with allegations including computer fraud, invasion of privacy, breach of contract, bad faith and seven other statutory violations. According to a news report "OpenFeint's business plan included accessing and disclosing personal information without authorization to mobile-device application developers, advertising networks and web-analytic vendors that market mobile applications"."
The unauthorized party also accessed a “small number” of images of government IDs from “users who had appealed an age determination.”
It makes sense they have to hang on to the ID in case of processing an appeal, which probably doesn't have the highest priority and hence stretches out in time.
The funny thing about this is that it kinda makes it OK for Discord to still have the records. But...
1. Discord still got hacked despite being a company that must have passed some level of authorised audit in order to be able to store government ID cards. (who audits the auditors? Is there an independent rating of security audit companies? What was the vulnerability? Was there any Government due diligence?)
2. This is a great example of why "something else" is needed for proof of identity transactions over the wire, and this "something else" should exist, and have existed for long enough to develop a level of trust, before Governments start mandating that private companies audited by other private companies must undertake actions that require the storage of Government ID documents. Banking level security and regulation should be required for any aggregator of such sensitive data. That fucking Discord had Government ID docs at all is beyond ridiculous. More-so for Governments of countries other than where Discord was incorporated. A state-sponsored Russian / Chinese / North Korean / Iranian / <other> Discord-alternative would have been an interesting situation. The implicit trust in Discord, and any other "app publisher" requiring ID confirmation is just peculiar.
Do they actually say in the TOS that they will delete them? If they do, do they say immediately? How immediately? Right away or, perhaps, 1 month? Unless specified in contractual documentation, words like "immediately" or "soon" do not have any single definition, which allows them to stretch it without technically being in breach of contract. Not to mention that often times, governments mandate data retention for so-and-so amount of time, so the companies are legally required in such cases to keep the data even if they, miraculously, desire not to.
A more useful construct is that civil offenses are only a problem if someone is aware of, motivated, and able to afford to sue you over it. Businesses do a lot of arguably illegal things that are not likely to lead to an actual lawsuit.
A bunch of UK users are blocked from the more "free speech" (over 13) channels unless they prove their identity to Discord, to comply with the Online Safety Act.
It is specifically because you got banned for "being under 13" it comes from someone asking a question like "How many candles in this photo?" then you reply "7" then they edit the message to say "How old are you" and voila, underage ban.
What you are overlooking is that Discord is the new MSN Messenger, YIM, etc your friends are not backed up in a meaningful way, nor the servers you're in, if you lose your account, you lose contact with basically your entire internet life and friends.
Discord should not keep those IDs longer than a month at a time once the user is unbanned it should be deleted a week later, or removed from that panel altogether.
No need to blame the user for the companies actions.
Company enacts policy enforced on them by law, for example requiring proof that a user is above the age of 18 to be able to use a channel where other users may use naughty words (The Horror!!!).
User struggles to use the automated age check system (I used the "guess age by letting an AI have a look at a selfie" method and it was a pain in the ass which failed twice before it finally worked) so does what is recommended and make a support ticket. [0]
User, relying on the published policy that Discord will delete ID directly after being used to to the age check [1] decides they wish to remain to have communication with their online friends uploads their ID.
Discord then fail to honour their end of the deal by deleting their users documents after use, and then get breached.
Full blame is on Discord for poorly handling their users data by their 3rd parties, and on the Governments forcing such practices. Discord should have their asses handed to them by the UK's ICO.
Sure, us geeks can and will use self hosted systems and find ways to avoid doing ID checks, but your avg joe isn't going to do that.
Hopefully cases like this will help with the push back on governments mandating these kind of checks, but I see the UK government just falling back to "think of the children" and laying all the blame on Discord, (who are not without fault in this case).
> User, relying on the published policy that Discord will delete ID directly after being used to to the age check [1] decides they wish to remain to have communication with their online friends uploads their ID.
This is the part where the user has to take at least partial blame. You have to be utterly stupid (or at the very least way too sheltered) to believe a statement like this from a company, especially when there are zero consequences to the company for lying about it or negligently failing to live up to their policy.
In the UK we have the ICO (https://ico.org.uk/) who have the ability to fine companies who fail to live up to their data retention polices and/or fail to take adequate security measures to prevent or contain a serious personal data breaches.
If the UK Government are determined to enforce companies having to validate user ID's to use the company's services, then the government better well be determined to enforce our data protection laws too. Governments can not have it both ways (esp as the UK government also want to role out new digital IDs that will need to be checked when getting a new job), demanding users hand over ID to access services but not kick butts when those services fuck things up is just idiotic (Ok its the government, they make being idiots a profession), but that's not the fault of the user.
I'm mad at both Discord (for not securing their customers data inline with their published polices), and at the government (for forcing them into collecting the data in the first place, if Discord didn't have the data to begin with it can not be exposed).
But I can not be mad as users of a service, who though no fault of their own just wished to continue to be in communication with their friends and were faced with the no-win choice of providing ID or being denied access to a communication platform.
(just to be clear, I was not breached in this leak so I'm not being salty about the leak, but I see the point of view of the avg user because I see how the avg person uses the net every day.)
I'd have much more sympathy if this was the first instance ever of a corporation being negligent with people's data, and nobody was expecting it. We have to expect it, now. Corporations have a horrible track record of irresponsibility, and governments have a horrible track record of not punishing them. Data breaches are absolutely routine. Knowing this, it's very foolish to hand over ID through the Internet to someone. The top poster in this thread[1] has it right. At this point, you have to assume everything you submit or type into a web site is public information--that's how bad companies have gotten.
I assume if I run out into the middle of the motorway, I'm likely to get hit by a car. That's why I don't do that.
> I assume if I run out into the middle of the motorway, I'm likely to get hit by a car. That's why I don't do that.
The problem with this is that governments are now requiring you to cross the motorway if you wish to continue having the friends you have already made, but promise that the motorways are now safe for you to cross and they will hold to account anyone who makes crossing motorways unsafe, and the DoT have said "Its fine, we have put in crossings on the motorway to allow you to do so safely!"
Your avg joe is going to take those reassurances made by multiple parties and assume the activity that would otherwise be risky is safe under these circumstances.
When people go on thrill rides at amusement parks and get injured because the operator or manufacturer fucked up, we don't blame the rider "saying they should know better, look at all of those ride failures in the news!", as they expected the ride to be built to a high standard, it be maintained, operated corrected, and have safety watchdogs keeping an eye on everything.
At this point a whole bunch of crypto exchanges including chinese ones have my driver's license, passport and more. It is what it is, any real KYC process will require video identification anyway.
That is the bonkers thing about this story. Why take on the liability? Get what you need and toss the responsibility. If you must store it (which seems unlikely) put that extra-bad-if-leaked information behind a separate append only service for which read is heavily restricted.
If they were fined $10k per leaked ID, then there is a serious liability there.
Right now, they publish a press release, go 'oopsie poopsie', maybe have to pay for some anit-fraud things from equifax if someone asks, and call it day.
> Right now, they publish a press release, go 'oopsie poopsie', maybe have to pay for some anit-fraud things from equifax if someone asks, and call it day.
Don't forget the usual Press Release starting with "At [Company], we take security very seriously..."
I’m in a different industry, but when I’ve had to collect identification for reasons we extracted metadata at the time of presentation, validated it, and discarded the image.
We would never get clearance from counsel to store that in most scenarios, and I can’t think of a reason to justify it for a age or name verification.
Why are people assuming they did store it after the process was completed?
With the relatively low number leaked here it could have been information collected actively during an ongoing breach, not a dump of some permanent database.
Just a guess, but they may store the original ID card to audit duplicate accounts.
If their machine learning models, think that two people are the exact same, having the original image, especially a photo of the same ID card could confirm that.
IMHO this is a pretty dump approach to the problem
while there probably are some countries with terrible designed passport for most they are designed to be machine readable even with very old style (like >10year old tech) OCR systems
so even if you want to do something like that you can extract all relevant information and just store that, maybe als extract the image
this seems initially pointless, but isn't, if you store a copy of a photo of a people can use that to impersonate someone, if you only steel the information on it it's harder
outside of impersonation issues another problem is that it's not uncommon that technically ids/passports count as property of the state and you might not be allowed to store full photo copies of it and the person they are for can't give you permission for it either (as they don't own the passport technically speaking). Most times that doesn't matter but if a country wants to screw with you holding images of ids/passports is a terrible idea.
but then you also should ask yourself what degree of "duplicate" protection you actually need wich isn't a perfect one. If someone can circumvent it by spending multiple thousands to endup with a new full name + fudged id image this isn't something a company like discord really needs to care about. Or in other word storing a subset of the information on a passport, potentially hashed, is sufficient for like way over 90% of all companies needs for secondary account prevention.
in the end the reason a company might store a whole photo is because it's convenient and you can retrospectively apply whatever better model you want to use and in many places the penalties for a data breach aren't too big. So you might even start out with "it's bad but we only do so for a short time while building a better system" situation, and then due to the not so threatening consequence of not fixing it (or awareness) it is constantly de-prioritized and never happens...
Can you elaborate more? Discord has 656m users. if 10% upload their ID, they'd have 65m ID photos to search through. There are 2 use-cases here:
1/ Safety Bans (lets pretend 0.01% of ID card users have been banned for safety reasons: 650k accounts)
If a user submits their selfie/ID card, Discord needs to compare the new image with one of the 650k banned (but deleted?) images. I can't possible think how a human could remember the 650k photos well enough to declare a match.
Even if such a human existed with this perfect recall, there can't be very many of them on this planet to hire.
2/ Duplicate account bans
If a user registers, how can a support staff search the 65m photos without ML assistance to determine if this is a new user or a fraudster?
How does this help you identify duplicate accounts? If the original photo is deleted, do you just trust the model to be correct 100% of the time when it rejects the newly created account? Or do you keep the original photo and allow a human to make a final decision?
There are a million other signals for duplicate accounts anyway. Location, OS, device fingerprints, communities joined, etc. If those match and real name matches that’s enough data.
And if a few people manage to slip through it’s not really an issue. They will either get banned again for the same reasons or not violate the rules anymore so who cares
The best years online were when it was universally recognized that government ID's are completely unsuitable for interaction with the internet in any way.
Like it was since the beginning when government ID's first became a thing.
GDPR requires data minimalism and ~use case binding so if you submit data for age verification there is no technical reason to keep it after knowing your age so you _have to_ delete it.
> Discord has identified approximately 70,000 users that may have had their government ID photos exposed as part of a customer service data breach announced last week, spokesperson Nu Wexler tells The Verge.
Then a big PR quote, letting a potential wrongdoer further spin it.
Then closing with:
> In its announcement last week, Discord said that information like names, usernames, emails, the last four digits of credit cards, and IP addresses also may have been impacted by the breach.
This is awful corporate PR language, not journalism, on a big story about probable corporate negligence resulting in harm to tens of thousands people.
Here's the bare minimum kind of lede I expect on this reporting:
Discord may have leaked sensitive personal information about 70,000 users -- including (but not necessarily limited to) government IDs, names, usernames, email addresses, last 4 digits of SSN, and IP addresses.
> Discord may have leaked sensitive personal information about 70,000 users -- including (but not necessarily limited to) government IDs, names, usernames, email addresses, last 4 digits of SSN, and IP addresses.
Credit card numbers are not SSNs, and I can't fathom why Discord would have the latter (I certainly never gave them any government ID either). Not to mention, "last 4 digits" of a credit card number will commonly appear on, for example, store receipts that people commonly just leave behind. Usernames can hardly be called sensitive information, either. The point is all the other stuff being tied to the username.
Age verification is "scan your government ID or give us a detailed video of your face from various angles, open and close your mouth" etc. Not sure which is better to give out in a breach
The fact that the data is digitized, indexed and can be easily correlated with other data points is what turns your seemingly innocuous 4 numbers into a way to better impersonate, phish, or otherwise harm you.
It’s an escalation path. When you store and image of an ID unnecessarily, then associate it with those last four digits, you’ve created a way to link other data sources to individuals.
Most scenarios I’ve worked with, you toss the ID image once you validate it.
I didn't feel comfortable giving discord my phone number when they demanded it, so I lost access to the open source communities that insist on collaborating there.
I wish breaches like this would cause people to reconsider their choices but sadly, it's unlikely most users will move.
I also wish open-source communities would move off of Discord for another reason: Users are limited to joining a maximum of 100 servers.
I've hit the cap and it's driving me crazy. It's really easy to hit it since each friend group, hobby group, gaming community, and open-source community often all have their own servers.
I can barely keep up with 6 semi active discord servers, each with tens of semi active channels... Much less think about doing it with hundreds. More power to you, must have figured out a good notification scheme
The issue is if you don't enforce the phone number requirement on your server you get all the trolls who don't use phone numbered accounts. I wish Discord would allow you to restrict known VPNs instead of requiring phone numbers. It would solve so many issues. I know a LOT of VPNs wont be caught, but if you block MOST non-residential IP blocks, you'll capture a lot of them.
Trolls likely have access to phone number farms though. And in some parts of the world it's extra cheap to mass-register phone numbers. Trolls wouldn't be harmed in a data leak, only normal users get hurt.
Phone numbers may be required to bring order to a vast international user base, but a few dozen devs and a small user community can function without invasive moderation tactics.
The communities I'm in don't require a phone number and very rarely gets trolls. Proper moderation is the most important part. Occasionally there's a spambot, but they're just hacked accounts from pre-existing real users, and as someone that uses a VPN with Discord, I'd prefer to not be treated as an evil-doer please.
Sure, are the communities you're in tens of thousands of users or more? Because things change really quickly depending on how many users are active, if it's a community server, and the subject matter. Even a programming Discord is a hell hole. You cannot have enough mods ever. Things fall through the cracks and people get hurt. You can't moderate DMs or know the wellbeing of tens of thousands of your users who are being harassed in DMs and have no idea how to get help. Discords full of a lot of youth.
Theres users who rotate community servers on a VPN / new spun up alts. They are relentless. I noticed the communities that are massive and do not have this problem to this extend all require phone number.
Discord doesn’t require a phone number. It’s individual community owners who opt to require it. You can create a server that doesn’t require one but it effectively means you can’t ban people since they can just sign up again on a new account.
I tried making an account once, technically my account was created but trying to log in only gets me a screen that requires I verify a phone number. I was never even able to attempt to join a server. I assume it's my browser's privacy settings and ad blocker but I'm not sure.
Fun fact: Discord called them guilds before realising that they could compete with paid services that set up actual (e.g. Mumble) servers for you by pretending this is equivalent and free
I also have trouble going along with the doublespeak. If a supermarket called their beer apple juice, I'd also not be offering my friends "apple juice", I'd call it what it is
Guild is innocuous enough and since the API docs still call their communities that, that can be a term to use among those in the know to have common and clear terminology
It’s wrong in terms of the technical implementation and right in terms of user experience.
Gamers are well familiar with different communities actually hosting servers and instances for games or voice chat pre discord. Discord offers the same experience but without physically being different servers. Keeping the name guides users in the same way OSs call it a recycling bin despite not actually being a bin.
I'm not sure it matters in this situation ...? Server/instance/VM/shard/... when used in this context is pure corporate naming BS. They'd have called it "setting up a new circle jerk" if they thought it would increase metrics
Discord has an account flag that triggers a mandatory phone number verification. It happens if you do things like send messages too quickly over the span of about a minute, or send multiple friend requests, or join too many servers, or start too many DMs, or indeed, join any server that is set to require phone number verification.
I am in dozens of servers and have not encountered this demand for a phone number. I have been in servers that required it for moderators as part of 2FA, and I just declined to moderate there. It had no effect on my use of any other server.
When other people say that something happens to them, why should I simply take them at their word when it contradicts the evidence actually available to me?
I would think that the appropriate response is to show more concrete evidence; in this case that could be the related policy, for example.
More to the point, the post I responded to says "It happens if...". I think that can reasonably be understood as logical implication. If it was meant to mean "it can happen if..." then I genuinely don't understand why or how I was supposed to come to that interpretation.
Especially with the bit about servers that require it. It read to me like the claim was that entering such a server would automatically flag your entire account. I know that not to be the case from my own experience.
If it doesn't rain one day, that's not evidence there exists no rain
That's about the level of evidence that your specific user account offers to you about whether phone verification is a thing their anti-spam algorithms can trigger...
Two of the other replies are wrong. This isn't actually about the new 18+ age verification stuff that countries seem to be ramming through right now - as far as I know, Discord uses third parties for that service. The link from Discord's statement in the article mentions that this is about appealing account bans of users who were suspected to be under the legal age to use Discord at all (<13 in most places). This is an older thing, which also explains the amount of data that was leaked.
Joining "NSFW channels", which usually means porn. But some normal channel are also tagged NSFW to opt out of Discord's forced content filter on public servers, which has occasional baffling false positives.
I once accidentally set an incorrect birth year on Twitter. They locked me out of my account and insisted that I upload a government ID to unlock my account.
.... The government ID's they only started asking for as a bullshit requirement after running for like 10 years without needing them?
At some point we'll start seeing companies that rotate your passwords automatically and integrate with your autologins, and send immediate reports of breaches / suddenly failing logins.
I don't know if I just became cynical and jaded, but is this really surprising to anyone in any way? Any time I give out my personal information to anyone for any reason, I basically treat it as 'any member of public can now access it'.
Even if a service doesn't have it in their TOS that they sell it to 3rd parties, they might do it anyway, or there will, sooner or later, be a breach of their poorly secured system.
To make it clear - I don't particularly blame any one corporation, this is a systemic issue of governments not having/not enforcing serious security measures. I just completely dropped the expectation of my information being private, and for the very few bits that I do actually want to stay private, I just don't, or allow anyone to, digitalize or reproduce them at all in any way.
It is a common misconception that facts are reported because they are surprising. Facts are reported because they are important. More and more governments are passing age verification laws which put exactly this data in to the hands of even more shady private companies. This breach serves as evidence that those laws are misguided, and spreading news of this event may help build public support for those efforts.
It's not surprising because there's never been a significant penalty for it, I guess because everybody just got completely used to massive breaches without much reaction. But then again it's very hard to get legislation passed that's not in the interests of big business.
[dead]
ZK proofs for identity can't go mainstream quick enough. I agree with what you're saying completely. It's frustrating that we have the technology now to verify aspects of someone's identity without revealing it, but that it's going to take forever to become robust enough for mainstream use.
It's an interesting litmus test because regulators would not accept ZK age proofs unless the stated purpose of age verification laws (reduce harm to minors) is the _actual_ purpose of those laws.
Not some different unstated goal, such as ending online anonymity.
That is exactly what EU is doing with its age verification law. Basically the service provider just has to accept the certificate and check that it is valid and all the cert says is "is over X years old".
https://ageverification.dev/
And the fact that the companies have to implement the system themselves is just crazy. It is very obvious that if the government require such a check it has to provide the proof/way of checking just like in the physical world it provides the id card/passport/etc used for checking this.
> just like in the physical world it provides the id card/passport/etc used for checking this.
In Sweden it wasn't the government that provided id cards, but the post office and banks. It became the government's job sometime after Sweden joined the EU, after the introduction of the common EUID standard.
And even then online identification is handled by a private company owned by banks: https://en.wikipedia.org/wiki/BankID_(Sweden)
Yeah we have something similar here in Finland with banks doing most of the (strong) identification.
This also makes things difficult for immigrants for the first month or two in the country as a lot of services (like making a phone or internet contract) require this identification to use but it is also a bit of a hassle to get a bank account (but getting a new bank account in a different bank once you have a bank account to do the strong verification takes like 2 minutes)
There is a government system but most don't use it but I expect once the eu digital identity wallet thing rolls around a lot of ppl will switch (or be required to?) to that
https://commission.europa.eu/strategy-and-policy/priorities-...
But very importantly this government, bank id, the identification part of the eu id wallet or really any identification system should not be used for age verification as it actually identifies the user not just give a proof that the user is over X years old.
These systems likely could be extended to just provide age information. If there truly was a wish for it. The suomi.fi systems can be configured. To pass or not pass address for example. So I see no need to pass personal identity number.
Yes and the "backend" (what provides the certificate to the app) for the age verification app for Finland will most likely be suomi.fi (or some dvv.fi thing directly) systems.
But we can't realistically expect every service that needs age check to work with 27 (eu countries) different systems but instead we need to unify it into a single api contract which is what this age verification app basically does.
That does not work without treacherous locked-down hardware. The marketing by Google et al is leaving out that fact to privacy-wash what is ultimately a push for digital authoritarianism.
Think about it - the claim is that those systems can prove aspects of someone's identity (eg age), without the site where the proof is used obtaining any knowledge about the individual and without the proof provider knowing where the proof is used. If all of these things are true while users are running software they can control, then it's trivial for an activist to set up a proxy that takes requests for proofs from other users and generates proofs based on the activist's identity - with no downside for the activist, since this can never be traced back to them.
The only thing that could be done is for proof providers to limit the rate of proofs per identity so that multiple activists would be required to say provide access to Discord to all the kids who want it.
If I had my 'druthers, there would be a kind of physical vending machine installed at local city hall or whatever, which leverages physical controls and (dis-)economies of scale.
The trusted machine would test your ID (or sometimes accept cash) and dispense single-use tokens to help prove stuff. For example, to prove (A) you are a Real Human, or (B) Real and Over Age X, or (C) you Donated $Y On Some Charity To Show Skin In The Game.
That ATM-esque platform would be open-source and audited to try to limit what data the government could collect, using the same TPM that would make it secure in other ways. For example, perhaps it only exposes the sum total of times each ID was used at machine, but for the previous month only.
The black-market in resold tokens would be impaired (not wholly prevented, that's impossible) by factors like:
1. The difficulty of scaling the physical portion of the work of acquiring the tokens.
2. Suspicion, if someone is using the machine dozens of times per month—who needs that many social-media signups or whatever?
3. There's no way to test if a token has already been used, except to spend it. By making reseller fraud easy, it makes the black-market harder, unless a seller also creates a durable (investigate-able) reputation. I suppose people could watch the vending-machine being used, but that adds another hard-to-scale physical requirement.
Yeah, introducing real world friction is seemingly one of the only ways of actually solving the problem of frictionless digital systems (apart from computational disenfranchisement, of course).
It might be a better idea to frame your idea in terms of online interactive proofs rather than offline bearer tokens. It's of course a lot less private/convenient to have to bring a phone or other cell-modem enabled device to the vending machine, especially for the average person who won't exercise good digital hygiene. Still, some sort of high-latency challenge-proof protocol is likely the way to go, because bearer tokens still seem too frictionless.
For example (3) could be mitigated with an intermediary marketplace that facilitated transactions with escrow. If tokens were worth say $2, then even just getting 10 at a time to sell could be worth it for the right kind of person. And personally I'd just get 10 tokens myself simply to avoid having to go back to the machine as much. In fact the optimal strategy for regular power users might be to get as many tokens as you think you might need to use (even if you have to pay for them), and then when they near expiration time you sell them to recoup your time/cost/whatever.
For years, I resisted TSA Pre check on principle, even though I was a frequent traveler. I finally relented when I realized there were places like Thailand that force you to give your biometrics, and almost certainly sell them back to shadowy US agencies.
They might not be competent enough
https://www.scmp.com/week-asia/politics/article/3300568/thai...
Thailand has a big problem with identity theft, and another big problem with Chinese criminal syndicates committing various kinds of scams and fraud. So while they might share that biometric data with US government agencies, it seems more likely to me that at least one identity theft racket has acquired some of it.
Developer time is more valuable than user data. The market is being efficient.
I think you're assuming an ideal world where there's no information asymmetry, all the market participants receive and understand all the information and the risks, and clients could realistically move to an alternative platform that provably handles things better.
No.Just greedy.
> I basically treat it as 'any member of public can now access it'.
Still remember the conversation over "mega apps"?
Based on my experience with Alipay, which was a Chinese financial focused mega app but now more like a platform of everything plus money, the idea of treating every bit information you uploaded online as public info is laughable.
Back when Alipay was really just a financial app, it make sense for it to collect private information, facial data, government issued ID etc. But now as a mega app, the "smaller app" running inside it can also request permission to read these private information if they wanted to, and since most users are idiots don't know how to read, they will just click whatever you want them to click (it really work like this, magic!).
Alipay of course pretends to have protection in place, but we all know why it's there: just to make it legally look like it's the user's fault if something went wrong -- it's not even very delicate or complex. Kinda like what the idea "(you should) treat it (things uploaded online) as 'any member of public can now access'" tries to do, blame the user, punch down, easy done.
But fundamentally, the information was provided and used in different context, user provided the information without knowing exactly how the information will be used in the future. It's a Bait-and-switch, just that simple.
Of course, Discord isn't Alipay, but that's just because they're not a mega app, yet. A much healthier mentality is ask those companies to NOT to collect these data, or refuse to use their products. For example, I've not ever uploaded my government ID photos to Discord, if some feature requires it, I just don't use that feature.
I blame companies (including discord) for collecting as much information as they can instead of as little as possible. More data collected -> more data that will eventually get sold / leaked / hacked.
Don't governments require them to chech people's IDs to make sure they aren't kids?
Do they also require permanently storing the document instead of just the check result?
Oficially, no, unoficially, yes.
It depends on the implementation. The EU's European Digital Identity Wallet will allow users to prove that they are over 18 without sharing any other personal information.
Honestly I don't understand why so many things are tied to one secret _that you have to share with others_ all the time.
Why is there no rotation possible? Why is there no API to issue a new secret and mark the previous one as leaked? Why is there no way to have a temporary validation code for travels, which gets auto revoked once the citizens are back in their home country?
It's like governments don't understand what identity actually means, and always confuse it with publicity of secrets.
I mean, more modern digital passports now have a public and private key. But they put the private key on the card, which essentially is an absolute anti pattern and makes the key infrastructure just as pointless.
If you as a government agency have a system in place that does not accommodate for the use case that passports are stolen all the time, you must be utterly out of touch with reality.
Governments don't get a damn thing about the internet. They just want to govern, and justify the spending.
Their goal is not to build resilient systems — it iss to preserve control. The internet was born decentralised, while governments operate through centralised hierarchies. Every system they design ends up reflecting that mindset: central authority, rigid bureaucracy, zero trust in the user.
So instead of adopting key rotation, temporary credentials, or privacy-first mechanisms, they recreate 1950s paperwork in digital form and call it innovation.
Also this is an issue with people willing to send important documents to some company with which they do not even have a written agreement.
A big problem is that the Silicon Valley playbook drives companies like Discord to be winner take all. It’s hard to avoid using them, but then they require that give up sensitive documents. I shouldn’t have to choose between keeping sensitive documents private and being able to participate in most gaming communities. Some open source projects have also starting adopting Discord to manage their communities.
I'm not willing, I just don't have a choice. The US should regulate it from the top down like Europe does
Not sure what you mean by "like europe" because in Europe they are trying to implement `European Digital Identity (EUDI)` for age verification, which will make stuff like this even worse ....
On the contrary, third parties will only get to know the age of the users, not their identities.
“Linkability is especially problematic because untrusted entities, such as attribute providers and relying parties acting together, can correlate and link auxiliary information to the same user, thereby breaching privacy and enabling tracking, profiling, or de-anonymisation.” [1]
That’s assuming EUDI never gets breached — but if Google and every major tech company has been, it’s only a matter of time, but this will have way more personal info ....
I've been using discord for 5 years and never upload my ID … And I don't want discord (or any other company) to know my age, or any other identification ...
[1] https://www.wi.uni-muenster.de/news/5104-new-publication-pri...
You must be new here. /s
> this is a systemic issue of governments not having/not enforcing serious security measures.
To do so seems impractical. Imagine the government machinery that would be required to audit all companies and organizations and services to which someone can upload PII.
Not tractable.
The systemic solution wouldn’t be to do that. It would be to both remove their own requirements that organisations collect this data, and to penalise organisations for collecting it outside of a handful of already heavily regulated industries like banking.
The enforcement could be done by incentives, making sure the penalty for such breaches is large.
Sure, but they would still happen is my point.
I told the 2 servers I hang in about a month ago that if I randomly disappear it’s because I can’t login without an ID and I’m simply not doing it/that they should consider the post my preemptive “goodbye.” I included where to contact me for those who want to. Frankly I think anyone on discord should do the same
It’s surprising that it happened to a big name like Discord in this day and age. Huge data breaches of large tech companies are becoming increasingly rare as security in general is getting better.
It's getting better, but never reaching good, so still no surprise
i mean it's only every other week we see orgs like TCS handing out admin
> Huge data breaches of large tech companies are becoming increasingly rare as security in general is getting better.
Citation needed. /s
cough Microsoft cough
One important problem that's mostly ignored is the lack of transparency about the third-party providers handling such sensitive ID documents. When a breach occurs, public statements rarely name the exact vendor responsible, making it difficult for affected users to understand who actually had access and who might still have their data. This opacity delays accountability and creates ongoing risks, since users have no meaningful way to audit or assess the practices of these shadow providers. Unless this layer of the data-handling ecosystem is discussed and regulated, future breaches will remain inevitable and largely untraceable.
I think it is nice that the GDPR forces companies to not keep too much data about people. And you can only have data that you need for the stated purpose (of course this leaves loopholes but it is good data hygiene to always consider).
For example, if you state you want to verify age, you only need the ID for a couple of seconds. So why didn't they think about the risk of a hack before? They could have done the age verification and then immediately deleted the document.
Maybe it is good to make an example out of Discord? Don't keep stuff around if you don't need it should be common sense.
Discord uses Zendesk (1). However in the press release they don't name the third party that was compromised, and Zendesk denies that it was their service.
What other third party was Discord using if not Zendesk? Who's reputation are they protecting?
[1] https://www.zendesk.fr/customer/discord/
Companies usually promise that the ID would be used only for validation and then immediately deleted. How so many IDs could leak then? They verify millions of IDs per month?
The Discord message (in Australia at least) specifically says:
The information you provide is only used to confirm your age group, then it's deleted
Refer screenshot: https://www.reddit.com/r/discordapp/comments/1nkrxcp/discord...
I can still swipe the message away, so I haven't done it yet. I'm going to work out how I can fake the face scan. I ain't sending Government ID to some chat app (no matter how big or small) that's over the top.
As an aside, I would have thought the age groups should be: 13 to 18, and 18+. They're the only ones that materially matter to the reason this check exists, in Australia at least. I don't want to contribute to their demographic analysis.
When the australia sub reddit was discussing the introduction of id on discord, the top comment was something along the lines of "look up openfeint". That was the day I uninstalled discord. It may not be an easy decision, especially if you are part of important social communities, but we cannot accept this level of disregard for our identities.
I just looked up "Openfeint".
It took me a while to find the connection to Discord. Not sure if I did because it seems like some mobile app for people who play mobile games with some connection to some Japanese network and hosted in China or something?
OpenFeint was founded by the same guy who founded Discord.
From the Wikipedia page: "In 2011, OpenFeint was party to a class action suit with allegations including computer fraud, invasion of privacy, breach of contract, bad faith and seven other statutory violations. According to a news report "OpenFeint's business plan included accessing and disclosing personal information without authorization to mobile-device application developers, advertising networks and web-analytic vendors that market mobile applications"."
Oh wow ok.
Now I understand :D
From the previous[1] statement:
The unauthorized party also accessed a “small number” of images of government IDs from “users who had appealed an age determination.”
It makes sense they have to hang on to the ID in case of processing an appeal, which probably doesn't have the highest priority and hence stretches out in time.
[1]: https://www.theverge.com/news/792032/discord-customer-servic...
The funny thing about this is that it kinda makes it OK for Discord to still have the records. But...
1. Discord still got hacked despite being a company that must have passed some level of authorised audit in order to be able to store government ID cards. (who audits the auditors? Is there an independent rating of security audit companies? What was the vulnerability? Was there any Government due diligence?)
2. This is a great example of why "something else" is needed for proof of identity transactions over the wire, and this "something else" should exist, and have existed for long enough to develop a level of trust, before Governments start mandating that private companies audited by other private companies must undertake actions that require the storage of Government ID documents. Banking level security and regulation should be required for any aggregator of such sensitive data. That fucking Discord had Government ID docs at all is beyond ridiculous. More-so for Governments of countries other than where Discord was incorporated. A state-sponsored Russian / Chinese / North Korean / Iranian / <other> Discord-alternative would have been an interesting situation. The implicit trust in Discord, and any other "app publisher" requiring ID confirmation is just peculiar.
Do they actually say in the TOS that they will delete them? If they do, do they say immediately? How immediately? Right away or, perhaps, 1 month? Unless specified in contractual documentation, words like "immediately" or "soon" do not have any single definition, which allows them to stretch it without technically being in breach of contract. Not to mention that often times, governments mandate data retention for so-and-so amount of time, so the companies are legally required in such cases to keep the data even if they, miraculously, desire not to.
Lying is usually legal.
And even if lying is illegal in a particular context, it's de-facto legal since nobody ever gets punished for it.
fraud is not legal. There's a difference between lying on the playground and fraud in a business setting.
Again: fraud is de facto legal.
It is ubiquitous in every part of the business world, both internal and consumer-facing.
De facto is the opposite of de jure, so no, non-enforcement doesn't make it legal
A more useful construct is that civil offenses are only a problem if someone is aware of, motivated, and able to afford to sue you over it. Businesses do a lot of arguably illegal things that are not likely to lead to an actual lawsuit.
deleted = database column
Why does discord have gov IDs? At this point we already have the tech to prove using zero knowledge that we have an ID
ZenDesk boasts on this:
”Discord's investments in AI-driven self-service with the Zendesk CX platform have enabled the company to provide seamless support.”
You've got to be a complete moron uploading your gov ID to discord
A bunch of UK users are blocked from the more "free speech" (over 13) channels unless they prove their identity to Discord, to comply with the Online Safety Act.
This applies to all users and isn’t related to OSA (though that will probably make leaks like this more likely).
It's channels marked NSFW that you need verification for and it's also incredibly easy to bypass with a VPN.
It is specifically because you got banned for "being under 13" it comes from someone asking a question like "How many candles in this photo?" then you reply "7" then they edit the message to say "How old are you" and voila, underage ban.
What you are overlooking is that Discord is the new MSN Messenger, YIM, etc your friends are not backed up in a meaningful way, nor the servers you're in, if you lose your account, you lose contact with basically your entire internet life and friends.
Discord should not keep those IDs longer than a month at a time once the user is unbanned it should be deleted a week later, or removed from that panel altogether.
You can come up with all kinds of excuses, but Discord is not, and NEVER WAS a trustworthy company.
> You've got to be a complete moron uploading your gov ID to discord
^ Still stands.
This hits the nail on the head. The big issue here is that the submitted photos were not deleted and that is quite concerning to me.
No need to blame the user for the companies actions.
Company enacts policy enforced on them by law, for example requiring proof that a user is above the age of 18 to be able to use a channel where other users may use naughty words (The Horror!!!).
User struggles to use the automated age check system (I used the "guess age by letting an AI have a look at a selfie" method and it was a pain in the ass which failed twice before it finally worked) so does what is recommended and make a support ticket. [0]
User, relying on the published policy that Discord will delete ID directly after being used to to the age check [1] decides they wish to remain to have communication with their online friends uploads their ID.
Discord then fail to honour their end of the deal by deleting their users documents after use, and then get breached.
Full blame is on Discord for poorly handling their users data by their 3rd parties, and on the Governments forcing such practices. Discord should have their asses handed to them by the UK's ICO.
Sure, us geeks can and will use self hosted systems and find ways to avoid doing ID checks, but your avg joe isn't going to do that.
Hopefully cases like this will help with the push back on governments mandating these kind of checks, but I see the UK government just falling back to "think of the children" and laying all the blame on Discord, (who are not without fault in this case).
[0] https://support.discord.com/hc/en-us/articles/30326565624343...
[1] https://support.discord.com/hc/en-us/articles/30326565624343...
> User, relying on the published policy that Discord will delete ID directly after being used to to the age check [1] decides they wish to remain to have communication with their online friends uploads their ID.
This is the part where the user has to take at least partial blame. You have to be utterly stupid (or at the very least way too sheltered) to believe a statement like this from a company, especially when there are zero consequences to the company for lying about it or negligently failing to live up to their policy.
In the UK we have the ICO (https://ico.org.uk/) who have the ability to fine companies who fail to live up to their data retention polices and/or fail to take adequate security measures to prevent or contain a serious personal data breaches.
If the UK Government are determined to enforce companies having to validate user ID's to use the company's services, then the government better well be determined to enforce our data protection laws too. Governments can not have it both ways (esp as the UK government also want to role out new digital IDs that will need to be checked when getting a new job), demanding users hand over ID to access services but not kick butts when those services fuck things up is just idiotic (Ok its the government, they make being idiots a profession), but that's not the fault of the user.
I'm mad at both Discord (for not securing their customers data inline with their published polices), and at the government (for forcing them into collecting the data in the first place, if Discord didn't have the data to begin with it can not be exposed).
But I can not be mad as users of a service, who though no fault of their own just wished to continue to be in communication with their friends and were faced with the no-win choice of providing ID or being denied access to a communication platform.
(just to be clear, I was not breached in this leak so I'm not being salty about the leak, but I see the point of view of the avg user because I see how the avg person uses the net every day.)
I'd have much more sympathy if this was the first instance ever of a corporation being negligent with people's data, and nobody was expecting it. We have to expect it, now. Corporations have a horrible track record of irresponsibility, and governments have a horrible track record of not punishing them. Data breaches are absolutely routine. Knowing this, it's very foolish to hand over ID through the Internet to someone. The top poster in this thread[1] has it right. At this point, you have to assume everything you submit or type into a web site is public information--that's how bad companies have gotten.
I assume if I run out into the middle of the motorway, I'm likely to get hit by a car. That's why I don't do that.
1: https://news.ycombinator.com/item?id=45522379
> I assume if I run out into the middle of the motorway, I'm likely to get hit by a car. That's why I don't do that.
The problem with this is that governments are now requiring you to cross the motorway if you wish to continue having the friends you have already made, but promise that the motorways are now safe for you to cross and they will hold to account anyone who makes crossing motorways unsafe, and the DoT have said "Its fine, we have put in crossings on the motorway to allow you to do so safely!"
Your avg joe is going to take those reassurances made by multiple parties and assume the activity that would otherwise be risky is safe under these circumstances.
When people go on thrill rides at amusement parks and get injured because the operator or manufacturer fucked up, we don't blame the rider "saying they should know better, look at all of those ride failures in the news!", as they expected the ride to be built to a high standard, it be maintained, operated corrected, and have safety watchdogs keeping an eye on everything.
You don’t remember what it was like to just not think about this stuff too much because all our peers weren’t either.
How many of us freely and gleefully gave our info to Facebook, Google, etc all through the 2010’s? How many continue to?
At this point a whole bunch of crypto exchanges including chinese ones have my driver's license, passport and more. It is what it is, any real KYC process will require video identification anyway.
Asking this out of curiosity: is it a requirement, that such data is being stored once the verification process is completed?
That is the bonkers thing about this story. Why take on the liability? Get what you need and toss the responsibility. If you must store it (which seems unlikely) put that extra-bad-if-leaked information behind a separate append only service for which read is heavily restricted.
Because there is no liability.
If they were fined $10k per leaked ID, then there is a serious liability there.
Right now, they publish a press release, go 'oopsie poopsie', maybe have to pay for some anit-fraud things from equifax if someone asks, and call it day.
> Right now, they publish a press release, go 'oopsie poopsie', maybe have to pay for some anit-fraud things from equifax if someone asks, and call it day.
Don't forget the usual Press Release starting with "At [Company], we take security very seriously..."
Because it's free training data and great for building profiles on users so you can make money showing them targeted ads
Discord isn't really monetized through 'traditional' targeted advertising, though.
The data is valuable to sell or train ai on. You can use that data to train ai hr people or whatever
I’m in a different industry, but when I’ve had to collect identification for reasons we extracted metadata at the time of presentation, validated it, and discarded the image.
We would never get clearance from counsel to store that in most scenarios, and I can’t think of a reason to justify it for a age or name verification.
Why are people assuming they did store it after the process was completed?
With the relatively low number leaked here it could have been information collected actively during an ongoing breach, not a dump of some permanent database.
There are only a handful of countries where you are legally mandated to dox yourself and it's a recent change.
You'd expect the numbers to be "low" either way.
Just a guess, but they may store the original ID card to audit duplicate accounts.
If their machine learning models, think that two people are the exact same, having the original image, especially a photo of the same ID card could confirm that.
IMHO this is a pretty dump approach to the problem
while there probably are some countries with terrible designed passport for most they are designed to be machine readable even with very old style (like >10year old tech) OCR systems
so even if you want to do something like that you can extract all relevant information and just store that, maybe als extract the image
this seems initially pointless, but isn't, if you store a copy of a photo of a people can use that to impersonate someone, if you only steel the information on it it's harder
outside of impersonation issues another problem is that it's not uncommon that technically ids/passports count as property of the state and you might not be allowed to store full photo copies of it and the person they are for can't give you permission for it either (as they don't own the passport technically speaking). Most times that doesn't matter but if a country wants to screw with you holding images of ids/passports is a terrible idea.
but then you also should ask yourself what degree of "duplicate" protection you actually need wich isn't a perfect one. If someone can circumvent it by spending multiple thousands to endup with a new full name + fudged id image this isn't something a company like discord really needs to care about. Or in other word storing a subset of the information on a passport, potentially hashed, is sufficient for like way over 90% of all companies needs for secondary account prevention.
in the end the reason a company might store a whole photo is because it's convenient and you can retrospectively apply whatever better model you want to use and in many places the penalties for a data breach aren't too big. So you might even start out with "it's bad but we only do so for a short time while building a better system" situation, and then due to the not so threatening consequence of not fixing it (or awareness) it is constantly de-prioritized and never happens...
There are image processing methods for hashing people's faces. They don't have to store the actual photo to do that.
Models have racial biases, can't support aged faces, or look-alike faces.
You don't have to use ML models for this.
Can you elaborate more? Discord has 656m users. if 10% upload their ID, they'd have 65m ID photos to search through. There are 2 use-cases here:
1/ Safety Bans (lets pretend 0.01% of ID card users have been banned for safety reasons: 650k accounts)
If a user submits their selfie/ID card, Discord needs to compare the new image with one of the 650k banned (but deleted?) images. I can't possible think how a human could remember the 650k photos well enough to declare a match.
Even if such a human existed with this perfect recall, there can't be very many of them on this planet to hire.
2/ Duplicate account bans
If a user registers, how can a support staff search the 65m photos without ML assistance to determine if this is a new user or a fraudster?
Just store the name and the fact that it was verified and delete the photo. You get what you need without holding on to a massive liability.
How does this help you identify duplicate accounts? If the original photo is deleted, do you just trust the model to be correct 100% of the time when it rejects the newly created account? Or do you keep the original photo and allow a human to make a final decision?
There are a million other signals for duplicate accounts anyway. Location, OS, device fingerprints, communities joined, etc. If those match and real name matches that’s enough data.
And if a few people manage to slip through it’s not really an issue. They will either get banned again for the same reasons or not violate the rules anymore so who cares
The best years online were when it was universally recognized that government ID's are completely unsuitable for interaction with the internet in any way.
Like it was since the beginning when government ID's first became a thing.
in case of the EU it's more the opposite
GDPR requires data minimalism and ~use case binding so if you submit data for age verification there is no technical reason to keep it after knowing your age so you _have to_ delete it.
Requirement by who? Discord isn't required to demand your ID, let alone store it.
It's required in the UK to access non-child friendly content: https://support.discord.com/hc/en-us/articles/33362401287959...
When can people start going to jail for this kind of thing
After a revolution
Yes, good question: When can we start jailing CEOs and their employees for these blatant violations of the CPRA and GDPR?
And the politicians who mandate ID-checking requirements, without which the "government IDs" part of this wouldn't have happened.
(To be explicit, not supporting jailing here, just removing from office.)
Was thinking the same exact thing!!
Immediately if you move to China.
You know it'll be the IT pros going to jail not the execs right?
Good, then they can stop the excuses for implementing the most shittiest things that ruined the web and just say no.
This is not OK, and the reporting is not OK.
Opening with:
> Discord has identified approximately 70,000 users that may have had their government ID photos exposed as part of a customer service data breach announced last week, spokesperson Nu Wexler tells The Verge.
Then a big PR quote, letting a potential wrongdoer further spin it.
Then closing with:
> In its announcement last week, Discord said that information like names, usernames, emails, the last four digits of credit cards, and IP addresses also may have been impacted by the breach.
This is awful corporate PR language, not journalism, on a big story about probable corporate negligence resulting in harm to tens of thousands people.
Here's the bare minimum kind of lede I expect on this reporting:
Discord may have leaked sensitive personal information about 70,000 users -- including (but not necessarily limited to) government IDs, names, usernames, email addresses, last 4 digits of SSN, and IP addresses.
I'm ready to block both Discord and The Verge.
> Discord may have leaked sensitive personal information about 70,000 users -- including (but not necessarily limited to) government IDs, names, usernames, email addresses, last 4 digits of SSN, and IP addresses.
Credit card numbers are not SSNs, and I can't fathom why Discord would have the latter (I certainly never gave them any government ID either). Not to mention, "last 4 digits" of a credit card number will commonly appear on, for example, store receipts that people commonly just leave behind. Usernames can hardly be called sensitive information, either. The point is all the other stuff being tied to the username.
Age verification is "scan your government ID or give us a detailed video of your face from various angles, open and close your mouth" etc. Not sure which is better to give out in a breach
It's enough data that, combined with photos and videos from social media, could allow for more convincing deepfakes of your average person.
It's also enough data to improve surveillance and facial recognition systems, allowing them to identify you more easily.
I think it's less a case of which is better and more of which is less bad...
The fact that the data is digitized, indexed and can be easily correlated with other data points is what turns your seemingly innocuous 4 numbers into a way to better impersonate, phish, or otherwise harm you.
It’s an escalation path. When you store and image of an ID unnecessarily, then associate it with those last four digits, you’ve created a way to link other data sources to individuals.
Most scenarios I’ve worked with, you toss the ID image once you validate it.
I think discord is one of the services that requires age verification in some countries.
I didn't feel comfortable giving discord my phone number when they demanded it, so I lost access to the open source communities that insist on collaborating there.
I wish breaches like this would cause people to reconsider their choices but sadly, it's unlikely most users will move.
I also wish open-source communities would move off of Discord for another reason: Users are limited to joining a maximum of 100 servers.
I've hit the cap and it's driving me crazy. It's really easy to hit it since each friend group, hobby group, gaming community, and open-source community often all have their own servers.
I can barely keep up with 6 semi active discord servers, each with tens of semi active channels... Much less think about doing it with hundreds. More power to you, must have figured out a good notification scheme
That limit is per account, right?
The issue is if you don't enforce the phone number requirement on your server you get all the trolls who don't use phone numbered accounts. I wish Discord would allow you to restrict known VPNs instead of requiring phone numbers. It would solve so many issues. I know a LOT of VPNs wont be caught, but if you block MOST non-residential IP blocks, you'll capture a lot of them.
Trolls likely have access to phone number farms though. And in some parts of the world it's extra cheap to mass-register phone numbers. Trolls wouldn't be harmed in a data leak, only normal users get hurt.
Most trolls aren't the kind of trolls that run large scale networks, they're the 12 year olds you triggered by saying BLM
Phone numbers may be required to bring order to a vast international user base, but a few dozen devs and a small user community can function without invasive moderation tactics.
The communities I'm in don't require a phone number and very rarely gets trolls. Proper moderation is the most important part. Occasionally there's a spambot, but they're just hacked accounts from pre-existing real users, and as someone that uses a VPN with Discord, I'd prefer to not be treated as an evil-doer please.
Sure, are the communities you're in tens of thousands of users or more? Because things change really quickly depending on how many users are active, if it's a community server, and the subject matter. Even a programming Discord is a hell hole. You cannot have enough mods ever. Things fall through the cracks and people get hurt. You can't moderate DMs or know the wellbeing of tens of thousands of your users who are being harassed in DMs and have no idea how to get help. Discords full of a lot of youth.
Theres users who rotate community servers on a VPN / new spun up alts. They are relentless. I noticed the communities that are massive and do not have this problem to this extend all require phone number.
[dead]
Discord doesn’t require a phone number. It’s individual community owners who opt to require it. You can create a server that doesn’t require one but it effectively means you can’t ban people since they can just sign up again on a new account.
I tried making an account once, technically my account was created but trying to log in only gets me a screen that requires I verify a phone number. I was never even able to attempt to join a server. I assume it's my browser's privacy settings and ad blocker but I'm not sure.
I refuse to use their “create a server” language. It is not a server by any definition of the word server.
You can set up a community on their servers.
I’m not sure why they chose to use misleading language, but it is misleading.
Fun fact: Discord called them guilds before realising that they could compete with paid services that set up actual (e.g. Mumble) servers for you by pretending this is equivalent and free
I also have trouble going along with the doublespeak. If a supermarket called their beer apple juice, I'd also not be offering my friends "apple juice", I'd call it what it is
Guild is innocuous enough and since the API docs still call their communities that, that can be a term to use among those in the know to have common and clear terminology
'Guilds in Discord represent an isolated collection of users and channels, and are often referred to as "servers" in the UI.' —https://discord.com/developers/docs/resources/guild
It’s wrong in terms of the technical implementation and right in terms of user experience.
Gamers are well familiar with different communities actually hosting servers and instances for games or voice chat pre discord. Discord offers the same experience but without physically being different servers. Keeping the name guides users in the same way OSs call it a recycling bin despite not actually being a bin.
I'm not sure it matters in this situation ...? Server/instance/VM/shard/... when used in this context is pure corporate naming BS. They'd have called it "setting up a new circle jerk" if they thought it would increase metrics
Discord has an account flag that triggers a mandatory phone number verification. It happens if you do things like send messages too quickly over the span of about a minute, or send multiple friend requests, or join too many servers, or start too many DMs, or indeed, join any server that is set to require phone number verification.
I am in dozens of servers and have not encountered this demand for a phone number. I have been in servers that required it for moderators as part of 2FA, and I just declined to moderate there. It had no effect on my use of any other server.
Just because something hasn't happened to you, doesn't mean it doesn't happen to other people
It never happened to him, so it's never happened
Makes this huge data leak a real head scratcher
When other people say that something happens to them, why should I simply take them at their word when it contradicts the evidence actually available to me?
I would think that the appropriate response is to show more concrete evidence; in this case that could be the related policy, for example.
More to the point, the post I responded to says "It happens if...". I think that can reasonably be understood as logical implication. If it was meant to mean "it can happen if..." then I genuinely don't understand why or how I was supposed to come to that interpretation.
Especially with the bit about servers that require it. It read to me like the claim was that entering such a server would automatically flag your entire account. I know that not to be the case from my own experience.
If it doesn't rain one day, that's not evidence there exists no rain
That's about the level of evidence that your specific user account offers to you about whether phone verification is a thing their anti-spam algorithms can trigger...
It has happened to me on two accounts. OP is also not the only other person I've seen who has dealt with it.
Bully for you that you haven't encountered it, but it's certainly a thing.
Anyone on HN should know the fickle nature of fraud detection, especially when the cost of getting it wrong is 0.
The hackers claim they have data of 5.5 million, discord is saying 70k. Hmmmm
Probably 5.5 million emails/names, 70k photos.
Why. I see Australia is intending on blocking YouTube and other platforms. Expect this more regularly
Why are they permanently storing government ID's?
Why haven't zero knowledge proofs shined in this area? Can anyone explain?
They are on the way. The EU is field testing such a system now.
KYC is a bug
How many times the same thing... most even tell you that they verify you and then delete your ID.
ZK proofs cannot become mainstream fast enough.
Why is it still so hard to identify yourself online?
What is the use case for uploading your government ID to Discord?
Two of the other replies are wrong. This isn't actually about the new 18+ age verification stuff that countries seem to be ramming through right now - as far as I know, Discord uses third parties for that service. The link from Discord's statement in the article mentions that this is about appealing account bans of users who were suspected to be under the legal age to use Discord at all (<13 in most places). This is an older thing, which also explains the amount of data that was leaked.
Online Safety Act for the UK. You will be safe.
Joining "NSFW channels", which usually means porn. But some normal channel are also tagged NSFW to opt out of Discord's forced content filter on public servers, which has occasional baffling false positives.
So people are willing to upload their govt IDs to watch porn.
Wow.
As the article says it’s used for age verification
Wait already? I was hoping to hear about it next year. Maybe it’s a good thing that it happened early so they can fix?
No, it’s a good thing it happened early so they can remove it.
Oh no! Anyway software engineers are not real engineers so nobody will be held accountable.
Those are rookie numbers.
Time to pump up those numbers…
we publish this every year or so: https://qbix.com/blog/
I once accidentally set an incorrect birth year on Twitter. They locked me out of my account and insisted that I upload a government ID to unlock my account.
Did they accept the edited ID with a DoB matching the account data or how did you solve that?
Bring back IRC.
It's still very much alive! Regularly active on a few channels spread across different IRC servers. Still works great.
Source: https://discord.com/press-releases/update-on-security-incide...
.... The government ID's they only started asking for as a bullshit requirement after running for like 10 years without needing them?
At some point we'll start seeing companies that rotate your passwords automatically and integrate with your autologins, and send immediate reports of breaches / suddenly failing logins.
Wait. Why isn't this a thing
[dead]
[flagged]