I don't know if I just became cynical and jaded, but is this really surprising to anyone in any way? Any time I give out my personal information to anyone for any reason, I basically treat it as 'any member of public can now access it'.
Even if a service doesn't have it in their TOS that they sell it to 3rd parties, they might do it anyway, or there will, sooner or later, be a breach of their poorly secured system.
To make it clear - I don't particularly blame any one corporation, this is a systemic issue of governments not having/not enforcing serious security measures. I just completely dropped the expectation of my information being private, and for the very few bits that I do actually want to stay private, I just don't, or allow anyone to, digitalize or reproduce them at all in any way.
It is a common misconception that facts are reported because they are surprising. Facts are reported because they are important. More and more governments are passing age verification laws which put exactly this data in to the hands of even more shady private companies. This breach serves as evidence that those laws are misguided, and spreading news of this event may help build public support for those efforts.
This is the essential point, and why it’s always a bit frustrating seeing ‘is anyone surprised’ take come up so often here. It lowers the quality of the possible discussion by trivialising it.
Wonder if this will cause a surge in demand for fake IDs that are sufficient for age-verification but harmless if leaked.
Heck, i would like a fake name, social security number, and birthdate as well while I am at it
In the example you give there is no needed provision to store the id or all information in the document. Only extracting the date of birth, name and document number is sufficient.
Yes I know this a utopia and it won't happen.
Edit: afaik storing the photo is only needed in medical cases to alternatively asses having the correct person. Bit much for something simple as age verification.
This breach is them being irresponsible with customer support software. In the case of automated age verification, the providers say that nothing identifiable gets stored and they might be lying but it’s feasible that you could run that service the way they say they do.
This breach is about the manual alternative to that, where you can appeal to Discord customer support if the automated thing says you’re not the right age. They seem to do that in part by having you send a picture of your ID.
I’m sure in their database they’re then just storing the date of birth etc, but then they obviously just don’t bother deleting the private image from the customer service software.
Sounds like a great use case for an automated ML cleanup/reporting feature. Maybe as a daemon as a bolt-on fix, or integrated as a feature into the support software itself.
Add in blockchain and we’ll be all set.
Even then, for age verification, just verify the ID, record + sign the verification, and DESTROY THE DATA! Don't retain the original document "just in case", or even the birthday or name.
> Facts are reported because they are important.
Without going too much off-topic: In a vacuum, you are right. In reality, facts are reported because they sell.
It is a good day when important facts like this one happen to coincide with what people what to know more about. (the recent UK attempt at stripping the rights of its citizens)
Tomorrow, people will have forgotten all about it, and the government can continue to expand its powers without anyone talking about it.
> I don't particularly blame any one corporation, this is a systemic issue of governments not having/not enforcing serious security measures
Wrong, governments caused the issue because they demand customers to ID themselves. There exists not a single viable security measure aside from not collecting the data. Government is also not able to propose any security measures.
Unlikely that the data will ever be deleted now, no matter if Discord pays any ransoms or not.
No, governments caused the issue by demanding customers to ID themselves, while failing to provide the necessary tooling for doing so in a secure manor.
There's really only a few countries in the world who can provide the services needed to make this work. On top of my head, Estonia, Sweden and Denmark (there's probably others).
There’s no unbreakable secure tooling, none. It might be unbreakable against script-kiddies level of hacking, even though I have my doubts even about that, but Snowden and the general atmosphere during the last decade or so have proved that State actors can put their hands on almost any piece of data out there, either through genuine hacking or other means involving their monopoly on violence.
In the context of age limits, that is wrong. The German eID has a zero knowledge method of proving that your age is above a certain number without revealing anything else. That method has been around for like 15 years and these days, thanks to smartphones with NFC readers, is quite user-friendly.
In practice it's basically not used anywhere except for cigarette vending machines because it's much simpler to hire some dubious third party "wave your ID in front of your camera" service
Edit: mandatory age verification is still an atrocious idea for a number of other reasons, just to be clear
I won't use the eID because I don't believe in its promises. I don't need a third party, which would be completely dependent on government, to put a signature on my net access.
I would even prefer the dubious service because of the relationship dynamics I mentioned. Best case is that age limits for the net should be enforced on device by parents. Problem solved, no unnecessary infrastructure needed.
Theoretically you could have anyone sign and attest to your age at any time. So maybe the government gives you an attestation of 0 at birth, with timestamp (allowing age to be calculated at any time), as part of the normal new-human bureaucracy. And/or maybe you can separately hire an accredited (co-signed?) lab to perform carbon dating on you later on :)
The companies in question could have a flag in every user data to confirm they are over the age limit.
At worse keep the birth date, since various aspect of a service can be available depending on age (and user can change locality / country, and therefore be subject to different law).
If you keep on top of it, you have at most 3 days of user's "ongoing verification" sensible data available for theft. Keeping more than that will always be an invitation to bad actors.
It's not surprising because there's never been a significant penalty for it, I guess because everybody just got completely used to massive breaches without much reaction. But then again it's very hard to get legislation passed that's not in the interests of big business.
[dead]
ZK proofs for identity can't go mainstream quick enough. I agree with what you're saying completely. It's frustrating that we have the technology now to verify aspects of someone's identity without revealing it, but that it's going to take forever to become robust enough for mainstream use.
It's an interesting litmus test because regulators would not accept ZK age proofs unless the stated purpose of age verification laws (reduce harm to minors) is the _actual_ purpose of those laws.
Not some different unstated goal, such as ending online anonymity.
That is exactly what EU is doing with its age verification law. Basically the service provider just has to accept the certificate and check that it is valid and all the cert says is "is over X years old".
https://ageverification.dev/
And the fact that the companies have to implement the system themselves is just crazy. It is very obvious that if the government require such a check it has to provide the proof/way of checking just like in the physical world it provides the id card/passport/etc used for checking this.
> just like in the physical world it provides the id card/passport/etc used for checking this.
In Sweden it wasn't the government that provided id cards, but the post office and banks. It became the government's job sometime after Sweden joined the EU, after the introduction of the common EUID standard.
And even then online identification is handled by a private company owned by banks: https://en.wikipedia.org/wiki/BankID_(Sweden)
Yeah we have something similar here in Finland with banks doing most of the (strong) identification.
This also makes things difficult for immigrants for the first month or two in the country as a lot of services (like making a phone or internet contract) require this identification to use but it is also a bit of a hassle to get a bank account (but getting a new bank account in a different bank once you have a bank account to do the strong verification takes like 2 minutes)
There is a government system but most don't use it but I expect once the eu digital identity wallet thing rolls around a lot of ppl will switch (or be required to?) to that
https://commission.europa.eu/strategy-and-policy/priorities-...
But very importantly this government, bank id, the identification part of the eu id wallet or really any identification system should not be used for age verification as it actually identifies the user not just give a proof that the user is over X years old.
These systems likely could be extended to just provide age information. If there truly was a wish for it. The suomi.fi systems can be configured. To pass or not pass address for example. So I see no need to pass personal identity number.
Yes and the "backend" (what provides the certificate to the app) for the age verification app for Finland will most likely be suomi.fi (or some dvv.fi thing directly) systems.
But we can't realistically expect every service that needs age check to work with 27 (eu countries) different systems but instead we need to unify it into a single api contract which is what this age verification app basically does.
We have BankID in Norway, run by DNB (I think). A single service that uses my personnummer (like a social security number but actually unique) as my user name and logs me in to almost all government services, banks, insurance companies, etc.
And unfortunately it's also used in some places outside the ones you're mentioning, e.g. private persons renting out their camper (I've seen this). Which opens the doors to fraud, as has happened too many times (the fraudsters make it look like a normal bank-id lookup, gets you to do it twice, and then they have enough to open your bank account and withdraw money. If they can get you do to it three times they also have enough to remove the limit on withdrawal, and empty your account).
The system is highly convenient and pretty safe, but it does still need vigilance from the user. Which is tricky, re all those phishing attempts and click-scams which people fall for again and again and again.
> And the fact that the companies have to implement the system themselves is just crazy.
Isn’t this how most industry regulations work? It’s not like the government provides designs to car companies to reduce emissions or improve crash safety.
Government does issue passports for identiftying their citizens when traveling. It is the one who made/enforces the law that requires that so it is the one who has to provide the means to do that.
Or are you suggesting that anyone should be able to make their own passport?
Or a bit closer example. If there was no official id cards/passports/etc (there currently is no official way of proving your age online) and the government made a law that mandates that one has to be over X to buy alcohol. Who’s job is it to provide the means to prove that you are over X?
For the car a proper analogy would be the goverment requiring drivers license. Who provides the drivers license? Should every manufacturer provide its own?
You mean not collecting IDs is the real answer. Easy solution is the best solution and it already is mainstream.
This is an example why that was a bad idea in the first place. No damage control for bad solutions will change that.
That does not work without treacherous locked-down hardware. The marketing by Google et al is leaving out that fact to privacy-wash what is ultimately a push for digital authoritarianism.
Think about it - the claim is that those systems can prove aspects of someone's identity (eg age), without the site where the proof is used obtaining any knowledge about the individual and without the proof provider knowing where the proof is used. If all of these things are true while users are running software they can control, then it's trivial for an activist to set up a proxy that takes requests for proofs from other users and generates proofs based on the activist's identity - with no downside for the activist, since this can never be traced back to them.
The only thing that could be done is for proof providers to limit the rate of proofs per identity so that multiple activists would be required to say provide access to Discord to all the kids who want it.
If I had my 'druthers, there would be a kind of physical vending machine installed at local city hall or whatever, which leverages physical controls and (dis-)economies of scale.
The trusted machine would test your ID (or sometimes accept cash) and dispense single-use tokens to help prove stuff. For example, to prove (A) you are a Real Human, or (B) Real and Over Age X, or (C) you Donated $Y On Some Charity To Show Skin In The Game.
That ATM-esque platform would be open-source and audited to try to limit what data the government could collect, using the same TPM that would make it secure in other ways. For example, perhaps it only exposes the sum total of times each ID was used at machine, but for the previous month only.
The black-market in resold tokens would be impaired (not wholly prevented, that's impossible) by factors like:
1. The difficulty of scaling the physical portion of the work of acquiring the tokens.
2. Suspicion, if someone is using the machine dozens of times per month—who needs that many social-media signups or whatever?
3. There's no way to test if a token has already been used, except to spend it. By making reseller fraud easy, it makes the black-market harder, unless a seller also creates a durable (investigate-able) reputation. I suppose people could watch the vending-machine being used, but that adds another hard-to-scale physical requirement.
> 2. Suspicion, if someone is using the machine dozens of times per month—who needs that many social-media signups or whatever?
Anyone who visits pornhub and doesn't want to open an account?
Yeah, introducing real world friction is seemingly one of the only ways of actually solving the problems of frictionless digital systems (apart from computational disenfranchisement, of course).
It might be a better idea to frame your idea in terms of online interactive proofs rather than offline bearer tokens. It's of course a lot less private/convenient to have to bring a phone or other cell-modem enabled device to the vending machine, especially for the average person who won't exercise good digital hygiene. Still, some sort of high-latency challenge-proof protocol is likely the way to go, because bearer tokens still seem too frictionless.
For example (3) could be mitigated with an intermediary marketplace that facilitated transactions with escrow. If tokens were worth say $2, then even just getting 10 at a time to sell could be worth it for the right kind of person. And personally I'd just get 10 tokens myself simply to avoid having to go back to the machine as much. In fact the optimal strategy for regular power users might be to get as many tokens as you think you might need to use (even if you have to pay for them), and then when they near expiration time you sell them to recoup your time/cost/whatever.
My concern with some "bring your phone and use it immediately" scheme is that someone could pierce the privacy by looking at a correlation between the time an account was mode or a pattern of network-traffic occurred, versus the time someone was using/near the vending machine.
Adding large and unpredictable amounts of latency makes that kind of correlation weaker and hopefully impractical.
>Think about it - the claim is that those systems can prove aspects of someone's identity (eg age), without the site where the proof is used obtaining any knowledge about the individual and without the proof provider knowing where the proof is used.
That is not nessisarially true. There are ZK setups where you can tell when a witness is reused, such as in linkable ring signatures.
Another simple example is blind signatures, you know each unblinded signature corresponds to a unique blind signature without knowing who blinded it.
The easy solution is the best one. Just don't collect the info. Any problems resulting from that need to be handled differently.
Proven to work and we wouldn't be dependent on untrustworthy identity providers.
I agree. It is possible, but that does not mean it should be done.
The thing is with such a ZK system you are still collecting and compiling all this data, it's just done by some sort of (government?) notary and there is a layer of anonymity between the notary and the verifier (which they can cooperate to undo).
The real political problem is the concentration of personal information in one place. The ZK system just allows that place (notary) to be separate from the verifier.
Sure, but making use of that introduces new problems.
Fundamentally it limits a person to one account/nym per site. This itself removes privacy. An individual should be able to have multiple Discord nyms, right?
Then if someone gets their one-account-per-site taken/used by someone else, now administrative processes are required to undo/override that.
Then furthermore it still doesn't prevent someone from selling access to all the sites they don't care about. A higher bar than an activist simply giving it away for free, but still.
>An individual should be able to have multiple Discord nyms, right?
Yeah, I think so. I mean this is like my 20th hacker news account. I am using my 5th discord account right now.
But at the same time it would be an interesting to see how anonymous yet sybil-proof social media would work out.
I get the feeling that it's already pretty easy to buy and sell fake IDs, so I don't think it would pan out in practice. I also had the same idea as you: if such a system were to exist, you could sell proofs for all the services you don't use.
Usually, these zero-knowlege proofs are backed by some sort of financial cost, not the bureaucratic cost of acquiring an ID. All of these "linkable" ZK proofs are aimed at money systems or voting systems.
In the blind-signature based money systems, a big problem used to be dealing with change; you had to go back and spend your unblinded signature at the signatory to get a new one. In a similar fashion, maybe you could make it so that users could produce a new ZK proof by invalidating an old one? So you could retire an old nym if you get banned, and create a new nym but you could only have one at a time? IDK if that is a reasonable tradeoff.
Anonymous proofs of age don't work, because (in theory) I could set up a server, plugged into my ID chip, that lets anyone download age proofs from me, and then anyone can be over 18. They don't just need to know someone is over 18 - they also need to know it's the same person using the website.
Make it so that the proofs are not reusable.
What's wild is that the burden keeps falling on individuals to be ultra-cautious, while the systems handling the data rarely face meaningful consequences
For years, I resisted TSA Pre check on principle, even though I was a frequent traveler. I finally relented when I realized there were places like Thailand that force you to give your biometrics, and almost certainly sell them back to shadowy US agencies.
They might not be competent enough
https://www.scmp.com/week-asia/politics/article/3300568/thai...
Thailand has a big problem with identity theft, and another big problem with Chinese criminal syndicates committing various kinds of scams and fraud. So while they might share that biometric data with US government agencies, it seems more likely to me that at least one identity theft racket has acquired some of it.
> places like Thailand that force you to give your biometrics
You're being returned the favor! Anyone that's ever entered the US has had to do the same, and our prints are being stored in a DHS database.
Out of curiosity, did you not need to provide prints to get a passport in the first place? I can't image a single developed country without biometric passports.
Fingerprints are not required in the UK to apply for a passport (for UK citizens who didn't apply for naturalisation etc). Biometric doesn't just mean fingerprints.
> "or there will, sooner or later, be a breach of their poorly secured system."
It doesn't even need to be poorly secured. The oldest form of hacking is social engineering. If a company is storing valuable enough information, all one needs to do is compel the lowest common denominator with access to it to intentionally or inadvertently provide access.
You can try to create all the sort loopholes and redundancies but in general the reality is that no system is ever going to be truly secure. Another reality is that many of the people with the greatest level of access will not be technical by nature. For instance apparently the DNC hacks were carried out by a textbook phishing email - 'You've like totally been hacked, click on this anonymizer link to leads to Goog1e.com so we can confirm your identity.'
Developer time is more valuable than user data. The market is being efficient.
I think you're assuming an ideal world where there's no information asymmetry, all the market participants receive and understand all the information and the risks, and clients could realistically move to an alternative platform that provably handles things better.
Externalized costs aren't weighed in that calculation
No.Just greedy.
Also this is an issue with people willing to send important documents to some company with which they do not even have a written agreement.
A big problem is that the Silicon Valley playbook drives companies like Discord to be winner take all. It’s hard to avoid using them, but then they require that give up sensitive documents. I shouldn’t have to choose between keeping sensitive documents private and being able to participate in most gaming communities. Some open source projects have also starting adopting Discord to manage their communities.
> Some open source projects have also starting adopting Discord to manage their communities.
And I've chosen not to engage with more than one such community because I'm not perpared even to give Discord my phone number, let alone any kind of ID document. Luckily there's nothing on Discord I care about that much, so I'm not having to make too difficult a choice. I totally get why most people won't take such a stand.
I'm not willing, I just don't have a choice. The US should regulate it from the top down like Europe does
Not sure what you mean by "like europe" because in Europe they are trying to implement `European Digital Identity (EUDI)` for age verification, which will make stuff like this even worse ....
You are not supposed to use EUID for age verification. Instead you use the age verification system.
EUID is made for working with government agencies, banks, etc where you need proper identification of the person and the age verification for verifying ones age (it doesn't even say how old you are just that you are over X years old)
https://ageverification.dev/
End goal is to unify them into the same app at some point but the certificates/validation flows are different. Also as the use cases are very different for the proper identification a whilelist is used on who is allowed to request it. With age verification as it is just a certificate that anyone can validate against the public key so no whitelisting possible (or wanted really)
On the contrary, third parties will only get to know the age of the users, not their identities.
“Linkability is especially problematic because untrusted entities, such as attribute providers and relying parties acting together, can correlate and link auxiliary information to the same user, thereby breaching privacy and enabling tracking, profiling, or de-anonymisation.” [1]
That’s assuming EUDI never gets breached — but if Google and every major tech company has been, it’s only a matter of time, but this will have way more personal info ....
I've been using discord for 5 years and never upload my ID … And I don't want discord (or any other company) to know my age, or any other identification ...
[1] https://www.wi.uni-muenster.de/news/5104-new-publication-pri...
For sure, but with the EU system you'd just give discord an expiring certificate that proves you're over 18. They can leak that all they want, it's worthless otherwise. Right now you have to upload your actual ID which is obviously extremely dangerous if leaked. So yes, even though there are obvious problems that you mentioned, the EU implementation is better.
EUDI requires Google or Apple, I hope it is DOA. It is even bloated before anyone adopted it.
I mean leaked from the EUDI side.
> the EU implementation is better.
It's better than the current implementation, sure, but you can never beat zero identifiers
Again, for sure and I agree with you - but we're talking about institutions that already have our IDs in some form or another, so just asking them to issue a certificate that says "yeah this user is actually over 18" seems like a no brainer functionality on top of an existing system. Like obviously our government office has a copy of my passport and ID card, but if those leak then we have a much bigger problem as a country.
That is not true, EUDI is a security problem instead of a solution. It is trivial to correlate the info and there is a critical path where a breach would expose even more.
Best security: Don't collect. Nothing comes close, no even the best ZK setup.
Also, as a European citizen I really don't want it. Ironically governments aren't mature enough for that.
You must be new here. /s
Same. I automatically assume that all information I send to any organisation will end up on the Internet sooner or later be it by accident or sold to some shady third party.
For us it's too late. But we must push for better laws and build better systems for those that come after us.
I blame companies (including discord) for collecting as much information as they can instead of as little as possible. More data collected -> more data that will eventually get sold / leaked / hacked.
Don't governments require them to chech people's IDs to make sure they aren't kids?
Do they also require permanently storing the document instead of just the check result?
Oficially, no, unoficially, yes.
It depends on the implementation. The EU's European Digital Identity Wallet will allow users to prove that they are over 18 without sharing any other personal information.
Anonymous means you can pay someone $2 to use theirs.
Surely that's solved easily by ensuring a 1:1 association between the proof of age and account?
I don't think you have become jaded. It's just the truth of the internet.
If you upload anything to the internet, it's public. Even the passwords you type are potentially public.
Honestly I don't understand why so many things are tied to one secret _that you have to share with others_ all the time.
Why is there no rotation possible? Why is there no API to issue a new secret and mark the previous one as leaked? Why is there no way to have a temporary validation code for travels, which gets auto revoked once the citizens are back in their home country?
It's like governments don't understand what identity actually means, and always confuse it with publicity of secrets.
I mean, more modern digital passports now have a public and private key. But they put the private key on the card, which essentially is an absolute anti pattern and makes the key infrastructure just as pointless.
If you as a government agency have a system in place that does not accommodate for the use case that passports are stolen all the time, you must be utterly out of touch with reality.
Governments don't get a damn thing about the internet. They just want to govern, and justify the spending.
Their goal is not to build resilient systems — it iss to preserve control. The internet was born decentralised, while governments operate through centralised hierarchies. Every system they design ends up reflecting that mindset: central authority, rigid bureaucracy, zero trust in the user.
So instead of adopting key rotation, temporary credentials, or privacy-first mechanisms, they recreate 1950s paperwork in digital form and call it innovation.
> I basically treat it as 'any member of public can now access it'.
Still remember the conversation over "mega apps"?
Based on my experience with Alipay, which was a Chinese financial focused mega app but now more like a platform of everything plus money, the idea of treating every bit information you uploaded online as public info is laughable.
Back when Alipay was really just a financial app, it make sense for it to collect private information, facial data, government issued ID etc. But now as a mega app, the "smaller app" running inside it can also request permission to read these private information if they wanted to, and since most users are idiots don't know how to read, they will just click whatever you want them to click (it really work like this, magic!).
Alipay of course pretends to have protection in place, but we all know why it's there: just to make it legally look like it's the user's fault if something went wrong -- it's not even very delicate or complex. Kinda like what the idea "(you should) treat it (things uploaded online) as 'any member of public can now access'" tries to do, blame the user, punch down, easy done.
But fundamentally, the information was provided and used in different context, user provided the information without knowing exactly how the information will be used in the future. It's a Bait-and-switch, just that simple.
Of course, Discord isn't Alipay, but that's just because they're not a mega app, yet. A much healthier mentality is ask those companies to NOT to collect these data, or refuse to use their products. For example, I've not ever uploaded my government ID photos to Discord, if some feature requires it, I just don't use that feature.
> this is a systemic issue of governments not having/not enforcing serious security measures.
To do so seems impractical. Imagine the government machinery that would be required to audit all companies and organizations and services to which someone can upload PII.
Not tractable.
The systemic solution wouldn’t be to do that. It would be to both remove their own requirements that organisations collect this data, and to penalise organisations for collecting it outside of a handful of already heavily regulated industries like banking.
The enforcement could be done by incentives, making sure the penalty for such breaches is large.
Sure, but they would still happen is my point.
Audit at random? With severe penalty in case of non compliance.
If “serious security measures” involves anything to that 2fa authentication that any normal person hates with a passion then you can forget about it.
The real, long term answer to all this consists in having less of our lives in digital presence, that even means less digital government thingies and, yes, less payments and other money-related issues being handled online.
I very much do blame the corporations and governments that push for these kinds of policies in some way or another.
We see things like this, which happen about as often as fucking rainfall in a mountain forest, and then also see the ever increasing push towards ID verification by corporations and government organizations that pinkie-promise to secure or not retain any of the personal data you were wrist-burned into handing over to them.
What a toxic mix of garbage that becomes. The result is crap like the above, making the internet ever worse and basic personal data security (to not even speak of lofty things like digital privacy and using the internet anonymously) pretty much null and void even if you really do try to take the right steps.
It's really just creating massive honeypots of sensitive data that will eventually leak. And when it does, the consequences are always on us
I told the 2 servers I hang in about a month ago that if I randomly disappear it’s because I can’t login without an ID and I’m simply not doing it/that they should consider the post my preemptive “goodbye.” I included where to contact me for those who want to. Frankly I think anyone on discord should do the same
It’s surprising that it happened to a big name like Discord in this day and age. Huge data breaches of large tech companies are becoming increasingly rare as security in general is getting better.
It's getting better, but never reaching good, so still no surprise
i mean it's only every other week we see orgs like TCS handing out admin
> Huge data breaches of large tech companies are becoming increasingly rare as security in general is getting better.
Citation needed. /s
cough Microsoft cough