Companies usually promise that the ID would be used only for validation and then immediately deleted. How could so many IDs leak then? They verify millions of IDs per month?

The Discord message (in Australia at least) specifically says:

The information you provide is only used to confirm your age group, then it's deleted

Refer screenshot: https://www.reddit.com/r/discordapp/comments/1nkrxcp/discord...

I can still swipe the message away, so I haven't done it yet. I'm going to work out how I can fake the face scan. I ain't sending Government ID to some chat app (no matter how big or small); that's over the top.

As an aside, I would have thought the age groups should be: 13 to 18, and 18+. They're the only ones that materially matter to the reason this check exists, in Australia at least. I don't want to contribute to their demographic analysis.

When the Australia subreddit was discussing the introduction of ID on Discord, the top comment was something along the lines of "look up openfeint". That was the day I uninstalled Discord. It may not be an easy decision, especially if you are part of important social communities, but we cannot accept this level of disregard for our identities.

I just looked up "Openfeint".

It took me a while to find the connection to Discord. Not sure if I did because it seems like some mobile app for people who play mobile games with some connection to some Japanese network and hosted in China or something?

OpenFeint was founded by the same guy who founded Discord.

From the Wikipedia page: "In 2011, OpenFeint was party to a class action suit with allegations including computer fraud, invasion of privacy, breach of contract, bad faith and seven other statutory violations. According to a news report "OpenFeint's business plan included accessing and disclosing personal information without authorization to mobile-device application developers, advertising networks and web-analytic vendors that market mobile applications"."

Oh wow ok.

Now I understand :D

Unless they get fined for this, nothing will change.

From the previous[1] statement:

The unauthorized party also accessed a “small number” of images of government IDs from “users who had appealed an age determination.”

It makes sense they have to hang on to the ID in case of processing an appeal, which probably doesn't have the highest priority and hence stretches out in time.

[1]: https://www.theverge.com/news/792032/discord-customer-servic...

The funny thing about this is that it kinda makes it OK for Discord to still have the records. But...

1. Discord still got hacked despite being a company that must have passed some level of authorised audit in order to be able to store government ID cards. (Who audits the auditors? Is there an independent rating of security audit companies? What was the vulnerability? Was there any Government due diligence?)

2. This is a great example of why "something else" is needed for proof of identity transactions over the wire, and this "something else" should exist, and have existed for long enough to develop a level of trust, before Governments start mandating that private companies audited by other private companies must undertake actions that require the storage of Government ID documents. Banking level security and regulation should be required for any aggregator of such sensitive data. That fucking Discord had Government ID docs at all is beyond ridiculous. More so for Governments of countries other than where Discord was incorporated. A state-sponsored Russian / Chinese / North Korean / Iranian / <other> Discord-alternative would have been an interesting situation. The implicit trust in Discord, and any other "app publisher" requiring ID confirmation is just peculiar.

There is no reason for a company like Discord to ever see the ID. The owner of each relevant form of ID — usually a government agency/department — should provide an attestation service, such that users prove their identity to the agency and the agency tells the company "yes, this user is who they say they are".

It's not that hard. Legislators around the world are consistently dropping the ball on this.
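The attestation flow proposed in the comment above, sketched as an added example (not part of the thread, and not any government's or Discord's actual API): the ID issuer signs a minimal over-18 claim and the platform verifies it with the issuer's public key, without ever handling the ID. The `Claim` fields, the function names, `chat.example` and the demo key pair are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// Claim is all the platform ever receives: no name, birth date or ID image.
type Claim struct {
	Over18   bool   `json:"over_18"`
	Audience string `json:"aud"`   // platform the answer was issued for
	Nonce    string `json:"nonce"` // chosen by the platform, one per request
	Expires  int64  `json:"exp"`   // Unix seconds
}

// Constructed demo key pair for the hypothetical ID issuer (nil selects crypto/rand).
var issuerPub, issuerPriv, _ = ed25519.GenerateKey(nil)

// Attest runs at the issuer, after it has checked the user's ID itself.
func Attest(key ed25519.PrivateKey, c Claim) (payload, sig []byte) {
	payload, _ = json.Marshal(c)
	return payload, ed25519.Sign(key, payload)
}

// Verify runs at the platform, which holds only the issuer's public key.
func Verify(pub ed25519.PublicKey, payload, sig []byte, aud, nonce string, now int64) (bool, error) {
	if !ed25519.Verify(pub, payload, sig) {
		return false, errors.New("signature does not match issuer key")
	}
	var c Claim
	if err := json.Unmarshal(payload, &c); err != nil {
		return false, err
	}
	if c.Audience != aud || c.Nonce != nonce {
		return false, errors.New("attestation was issued for another request")
	}
	if now > c.Expires {
		return false, errors.New("attestation expired")
	}
	return c.Over18, nil
}

func main() {
	p, s := Attest(issuerPriv, Claim{true, "chat.example", "n-123", 1700000300})
	fmt.Println(Verify(issuerPub, p, s, "chat.example", "n-123", 1700000000))
}
```

Binding the claim to an audience, a nonce and an expiry is what keeps a captured attestation from being accepted by another platform or for a later request.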

Doesn't seem like they did. From the original article I referenced earlier:

One of Discord’s third-party customer service providers was compromised by an “unauthorized party,” the company says. [...] The unauthorized party “did not gain access to Discord directly.”

The third party company shouldn't ever need to see the IDs, either. Same issue.

When governments do things the wrong way around, like mandating age control before they have a method for doing that in a secure manner, what's a company to do?

Do they actually say in the TOS that they will delete them? If they do, do they say immediately? How immediately? Right away or, perhaps, 1 month? Unless specified in contractual documentation, words like "immediately" or "soon" do not have any single definition, which allows them to stretch it without technically being in breach of contract. Not to mention that oftentimes, governments mandate data retention for so-and-so amount of time, so the companies are legally required in such cases to keep the data even if they, miraculously, desire not to.

Either the deletion promise is a lie, or the third-party vendor was storing the data anyway.

Or it's all kosher as per their "internal policy" which translates to "yes, it was deleted on the server where you first uploaded it" but "pre-deletion" it was "transitioned" to "another secure server" for "your convenience" and "everything is as per our T&C that you agreed to and we follow the highest standards of data security and safety. Thank you for your time".

If Kafka were alive today, he'd see the world has outdone itself.

I guess they are required to store everything for years for "compliance". How else are they going to save their butts when someone manages to fake their identity through them?

The regulation lets identity verification companies store identity data for up to three years. The providers typically do it to train machine learning models for fraud detection.

Lying is usually legal.

And even if lying is illegal in a particular context, it's de-facto legal since nobody ever gets punished for it.

Fraud is not legal. There's a difference between lying on the playground and fraud in a business setting.

Again: fraud is de facto legal.

It is ubiquitous in every part of the business world, both internal and consumer-facing.

De facto is the opposite of de jure, so no, non-enforcement doesn't make it legal.

A more useful construct is that civil offenses are only a problem if someone is aware of, motivated, and able to afford to sue you over it. Businesses do a lot of arguably illegal things that are not likely to lead to an actual lawsuit.

The fact the deletion is at all needed speaks for a pretty terrible design. The data should simply not be permanently stored.

I have quite a lot of experience dealing with personal identity information. Unless the latter has to be reported then it's never stored. Along with the fact it's actually deleted to comply with GDPR and friends (when it has to be recorded). In any case if any personal data is to be stored, it's always encrypted with personal keys.

deleted = database column

Or maybe they define 'delete' as moving data from "production" env to "deleted" env and if someone asked that data to be deleted even from there then the next step is moving from "deleted" to "purged".