I don't know if I just became cynical and jaded, but is this really surprising to anyone in any way? Any time I give out my personal information to anyone for any reason, I basically treat it as 'any member of public can now access it'.
Even if a service doesn't have it in their TOS that they sell it to 3rd parties, they might do it anyway, or there will, sooner or later, be a breach of their poorly secured system.
To make it clear - I don't particularly blame any one corporation, this is a systemic issue of governments not having/not enforcing serious security measures. I just completely dropped the expectation of my information being private, and for the very few bits that I do actually want to stay private, I just don't, or allow anyone to, digitalize or reproduce them at all in any way.
It is a common misconception that facts are reported because they are surprising. Facts are reported because they are important. More and more governments are passing age verification laws which put exactly this data in to the hands of even more shady private companies. This breach serves as evidence that those laws are misguided, and spreading news of this event may help build public support for those efforts.
This is the essential point, and why it’s always a bit frustrating seeing ‘is anyone surprised’ take come up so often here. It lowers the quality of the possible discussion by trivialising it.
Reminds me of the Panama Papers, which exposed a huge international money laundering/tax evasion ring that no one seemed to care about because "everyone knows they're doing this stuff"
In the example you give there is no needed provision to store the id or all information in the document. Only extracting the date of birth, name and document number is sufficient.
Yes I know this a utopia and it won't happen.
Edit: afaik storing the photo is only needed in medical cases to alternatively asses having the correct person. Bit much for something simple as age verification.
Without going too much off-topic: In a vacuum, you are right. In reality, facts are reported because they sell.
It is a good day when important facts like this one happen to coincide with what people what to know more about. (the recent UK attempt at stripping the rights of its citizens)
Tomorrow, people will have forgotten all about it, and the government can continue to expand its powers without anyone talking about it.
> I don't particularly blame any one corporation, this is a systemic issue of governments not having/not enforcing serious security measures
Wrong, governments caused the issue because they demand customers to ID themselves. There exists not a single viable security measure aside from not collecting the data. Government is also not able to propose any security measures.
Unlikely that the data will ever be deleted now, no matter if Discord pays any ransoms or not.
No, governments caused the issue by demanding customers to ID themselves, while failing to provide the necessary tooling for doing so in a secure manor.
There's really only a few countries in the world who can provide the services needed to make this work. On top of my head, Estonia, Sweden and Denmark (there's probably others).
The companies in question could have a flag in every user data to confirm they are over the age limit.
At worse keep the birth date, since various aspect of a service can be available depending on age (and user can change locality / country, and therefore be subject to different law).
If you keep on top of it, you have at most 3 days of user's "ongoing verification" sensible data available for theft. Keeping more than that will always be an invitation to bad actors.
In the context of age limits, that is wrong. The German eID has a zero knowledge method of proving that your age is above a certain number without revealing anything else. That method has been around for like 15 years and these days, thanks to smartphones with NFC readers, is quite user-friendly.
In practice it's basically not used anywhere except for cigarette vending machines because it's much simpler to hire some dubious third party "wave your ID in front of your camera" service
Edit: mandatory age verification is still an atrocious idea for a number of other reasons, just to be clear
It's not surprising because there's never been a significant penalty for it, I guess because everybody just got completely used to massive breaches without much reaction. But then again it's very hard to get legislation passed that's not in the interests of big business.
ZK proofs for identity can't go mainstream quick enough. I agree with what you're saying completely. It's frustrating that we have the technology now to verify aspects of someone's identity without revealing it, but that it's going to take forever to become robust enough for mainstream use.
It's an interesting litmus test because regulators would not accept ZK age proofs unless the stated purpose of age verification laws (reduce harm to minors) is the _actual_ purpose of those laws.
Not some different unstated goal, such as ending online anonymity.
That does not work without treacherous locked-down hardware. The marketing by Google et al is leaving out that fact to privacy-wash what is ultimately a push for digital authoritarianism.
Think about it - the claim is that those systems can prove aspects of someone's identity (eg age), without the site where the proof is used obtaining any knowledge about the individual and without the proof provider knowing where the proof is used. If all of these things are true while users are running software they can control, then it's trivial for an activist to set up a proxy that takes requests for proofs from other users and generates proofs based on the activist's identity - with no downside for the activist, since this can never be traced back to them.
The only thing that could be done is for proof providers to limit the rate of proofs per identity so that multiple activists would be required to say provide access to Discord to all the kids who want it.
Anonymous proofs of age don't work, because (in theory) I could set up a server, plugged into my ID chip, that lets anyone download age proofs from me, and then anyone can be over 18. They don't just need to know someone is over 18 - they also need to know it's the same person using the website.
What's wild is that the burden keeps falling on individuals to be ultra-cautious, while the systems handling the data rarely face meaningful consequences
For years, I resisted TSA Pre check on principle, even though I was a frequent traveler. I finally relented when I realized there were places like Thailand that force you to give your biometrics, and almost certainly sell them back to shadowy US agencies.
> places like Thailand that force you to give your biometrics
You're being returned the favor! Anyone that's ever entered the US has had to do the same, and our prints are being stored in a DHS database.
Out of curiosity, did you not need to provide prints to get a passport in the first place? I can't image a single developed country without biometric passports.
I think you're assuming an ideal world where there's no information asymmetry, all the market participants receive and understand all the information and the risks, and clients could realistically move to an alternative platform that provably handles things better.
A big problem is that the Silicon Valley playbook drives companies like Discord to be winner take all. It’s hard to avoid using them, but then they require that give up sensitive documents. I shouldn’t have to choose between keeping sensitive documents private and being able to participate in most gaming communities. Some open source projects have also starting adopting Discord to manage their communities.
I told the 2 servers I hang in about a month ago that if I randomly disappear it’s because I can’t login without an ID and I’m simply not doing it/that they should consider the post my preemptive “goodbye.” I included where to contact me for those who want to. Frankly I think anyone on discord should do the same
> "or there will, sooner or later, be a breach of their poorly secured system."
It doesn't even need to be poorly secured. The oldest form of hacking is social engineering. If a company is storing valuable enough information, all one needs to do is compel the lowest common denominator with access to it to intentionally or inadvertently provide access.
You can try to create all the sort loopholes and redundancies but in general the reality is that no system is ever going to be truly secure. Another reality is that many of the people with the greatest level of access will not be technical by nature. For instance apparently the DNC hacks were carried out by a textbook phishing email - 'You've like totally been hacked, click on this anonymizer link to leads to Goog1e.com so we can confirm your identity.'
I blame companies (including discord) for collecting as much information as they can instead of as little as possible. More data collected -> more data that will eventually get sold / leaked / hacked.
I very much do blame the corporations and governments that push for these kinds of policies in some way or another.
We see things like this, which happen about as often as fucking rainfall in a mountain forest, and then also see the ever increasing push towards ID verification by corporations and government organizations that pinkie-promise to secure or not retain any of the personal data you were wrist-burned into handing over to them.
What a toxic mix of garbage that becomes. The result is crap like the above, making the internet ever worse and basic personal data security (to not even speak of lofty things like digital privacy and using the internet anonymously) pretty much null and void even if you really do try to take the right steps.
If “serious security measures” involves anything to that 2fa authentication that any normal person hates with a passion then you can forget about it.
The real, long term answer to all this consists in having less of our lives in digital presence, that even means less digital government thingies and, yes, less payments and other money-related issues being handled online.
Honestly I don't understand why so many things are tied to one secret _that you have to share with others_ all the time.
Why is there no rotation possible? Why is there no API to issue a new secret and mark the previous one as leaked? Why is there no way to have a temporary validation code for travels, which gets auto revoked once the citizens are back in their home country?
It's like governments don't understand what identity actually means, and always confuse it with publicity of secrets.
I mean, more modern digital passports now have a public and private key. But they put the private key on the card, which essentially is an absolute anti pattern and makes the key infrastructure just as pointless.
If you as a government agency have a system in place that does not accommodate for the use case that passports are stolen all the time, you must be utterly out of touch with reality.
Governments don't get a damn thing about the internet. They just want to govern, and justify the spending.
Their goal is not to build resilient systems — it iss to preserve control. The internet was born decentralised, while governments operate through centralised hierarchies. Every system they design ends up reflecting that mindset: central authority, rigid bureaucracy, zero trust in the user.
So instead of adopting key rotation, temporary credentials, or privacy-first mechanisms, they recreate 1950s paperwork in digital form and call it innovation.
Same. I automatically assume that all information I send to any organisation will end up on the Internet sooner or later be it by accident or sold to some shady third party.
> I basically treat it as 'any member of public can now access it'.
Still remember the conversation over "mega apps"?
Based on my experience with Alipay, which was a Chinese financial focused mega app but now more like a platform of everything plus money, the idea of treating every bit information you uploaded online as public info is laughable.
Back when Alipay was really just a financial app, it make sense for it to collect private information, facial data, government issued ID etc. But now as a mega app, the "smaller app" running inside it can also request permission to read these private information if they wanted to, and since most users are idiots don't know how to read, they will just click whatever you want them to click (it really work like this, magic!).
Alipay of course pretends to have protection in place, but we all know why it's there: just to make it legally look like it's the user's fault if something went wrong -- it's not even very delicate or complex. Kinda like what the idea "(you should) treat it (things uploaded online) as 'any member of public can now access'" tries to do, blame the user, punch down, easy done.
But fundamentally, the information was provided and used in different context, user provided the information without knowing exactly how the information will be used in the future. It's a Bait-and-switch, just that simple.
Of course, Discord isn't Alipay, but that's just because they're not a mega app, yet. A much healthier mentality is ask those companies to NOT to collect these data, or refuse to use their products. For example, I've not ever uploaded my government ID photos to Discord, if some feature requires it, I just don't use that feature.
Couldn't agree more, save for your last sentence. How do you avoid that? We need to provide o
Digital papers to a number of different people for proper handling
> this is a systemic issue of governments not having/not enforcing serious security measures.
To do so seems impractical. Imagine the government machinery that would be required to audit all companies and organizations and services to which someone can upload PII.
The systemic solution wouldn’t be to do that. It would be to both remove their own requirements that organisations collect this data, and to penalise organisations for collecting it outside of a handful of already heavily regulated industries like banking.
> I just completely dropped the expectation of my information being private
There are all the reasons in the world to feel that way. The scary thing (says troyvit as he passes out the tinfoil hats) is that privacy laws are all about an "expectation of privacy." In other words we all expect privacy when we're in our bathrooms, so government surveillance in the bathroom is hard to justify. Now that there are cameras in supermarket checkouts, and we all expect them, legally that's no longer a privacy concern and we can't claim that our privacy is being unreasonably infringed.
And what you're saying is that now we've reached the stage in history where through incompetence and greed we shouldn't expect any privacy anyway, and that opens the door for all kinds of surveillance because our expectations have fallen so low. I'm not a lawyer btw so take it all with a grain of salt.
You really think governments could write rules that would help this?
The only rule I can imagine is big penalties for data being breached, no matter the cause, but do we actually think it's a multi million dollar problem for 70k photos to be released? Hard problem.
It’s surprising that it happened to a big name like Discord in this day and age. Huge data breaches of large tech companies are becoming increasingly rare as security in general is getting better.
If I want the ID of a bunch of Discord users, I don't go after Discord directly, I find some bot that the targeted users have on their discord servers, or third party service that Discord uses themselves. Then I find some individual person with access to those things, and I harass and/or threaten that person until they give me what I want to make me go away. If I think they might be crooked, I might just offer them a cut of the take. I'm probably not paying them though, not unless I think I can leverage them against other targets and need to keep them around.
Either way, an individual person isn't going to be able to hold off a coordinated attack for very long, and law enforcement generally doesn't give a shit about internet randoms attacking individual people.
One important problem that's mostly ignored is the lack of transparency about the third-party providers handling such sensitive ID documents. When a breach occurs, public statements rarely name the exact vendor responsible, making it difficult for affected users to understand who actually had access and who might still have their data. This opacity delays accountability and creates ongoing risks, since users have no meaningful way to audit or assess the practices of these shadow providers. Unless this layer of the data-handling ecosystem is discussed and regulated, future breaches will remain inevitable and largely untraceable.
The third-party layer is basically the dark matter of data breaches like invisible to users, barely acknowledged by companies, and completely unaccountable when things go wrong
Discord uses Zendesk (1). However in the press release they don't name the third party that was compromised, and Zendesk denies that it was their service.
What other third party was Discord using if not Zendesk? Who's reputation are they protecting?
Companies usually promise that the ID would be used only for validation and then immediately deleted. How so many IDs could leak then? They verify millions of IDs per month?
I can still swipe the message away, so I haven't done it yet. I'm going to work out how I can fake the face scan. I ain't sending Government ID to some chat app (no matter how big or small) that's over the top.
As an aside, I would have thought the age groups should be: 13 to 18, and 18+. They're the only ones that materially matter to the reason this check exists, in Australia at least. I don't want to contribute to their demographic analysis.
When the australia sub reddit was discussing the introduction of id on discord, the top comment was something along the lines of "look up openfeint". That was the day I uninstalled discord. It may not be an easy decision, especially if you are part of important social communities, but we cannot accept this level of disregard for our identities.
The unauthorized party also accessed a “small number” of images of government IDs from “users who had appealed an age determination.”
It makes sense they have to hang on to the ID in case of processing an appeal, which probably doesn't have the highest priority and hence stretches out in time.
The funny thing about this is that it kinda makes it OK for Discord to still have the records. But...
1. Discord still got hacked despite being a company that must have passed some level of authorised audit in order to be able to store government ID cards. (who audits the auditors? Is there an independent rating of security audit companies? What was the vulnerability? Was there any Government due diligence?)
2. This is a great example of why "something else" is needed for proof of identity transactions over the wire, and this "something else" should exist, and have existed for long enough to develop a level of trust, before Governments start mandating that private companies audited by other private companies must undertake actions that require the storage of Government ID documents. Banking level security and regulation should be required for any aggregator of such sensitive data. That fucking Discord had Government ID docs at all is beyond ridiculous. More-so for Governments of countries other than where Discord was incorporated. A state-sponsored Russian / Chinese / North Korean / Iranian / <other> Discord-alternative would have been an interesting situation. The implicit trust in Discord, and any other "app publisher" requiring ID confirmation is just peculiar.
Do they actually say in the TOS that they will delete them? If they do, do they say immediately? How immediately? Right away or, perhaps, 1 month? Unless specified in contractual documentation, words like "immediately" or "soon" do not have any single definition, which allows them to stretch it without technically being in breach of contract. Not to mention that often times, governments mandate data retention for so-and-so amount of time, so the companies are legally required in such cases to keep the data even if they, miraculously, desire not to.
Or it's all kosher as per their "internal policy" which translates to "yes, it was deleted on the server where you first uploaded it" but "pre-deletion" it was "transitioned" to "another secure server" for "your convenience" and "everything is as per our T&C that you agreed to and we follow the highest standards of data security and safety. Thank you for your time".
If Kafka were alive today, he'd see the world has outdone itself.
From what I understand, these were IDs submitted to the third-party for support cases where the user was disputing the verification process. Whether these leaked IDs were from open tickets or not should be the question, if my understanding of the situation is correct.
I guess they are required to store everything for years for "compliance". How else are they are going to save their butts when someone manages to fake their identity through them?
The regulation lets identity verification companies store identity data for up to three years. The providers typically do it to train machine learning models for fraud detection.
The fact the deletion is at all needed speaks for a pretty terrible design. The data should simply not be permanently stored.
I have quite a lot of experience dealing with personal identity information. Unless the latter has to be reported then it's never stored. Along with the fact it's actually deleted to comply with GDPR and friends (when it has to be recorded). In any case if any personal data is to be stored, it's always encrypted with personal keys.
Or maybe they define 'delete' as moving data from "production" env to "deleted" env and if someone asked that data to be deleted even from there then the next step is moving from "deleted" to "purged".
The whole "it wasn't us, it was our third-party vendor" line is getting way too common. If you're collecting government IDs for age verification, the security bar should be extremely high... no matter who's handling the data
ID checks, driven by prudishness, are an absolute gift to the big social media companies. They're the only entities whom (a) already know the check's answers, and (b) have the resources to keep hackers largely at bay.
I am not surprised these laws are landing with such little resistence.
It is specifically because you got banned for "being under 13" it comes from someone asking a question like "How many candles in this photo?" then you reply "7" then they edit the message to say "How old are you" and voila, underage ban.
What you are overlooking is that Discord is the new MSN Messenger, YIM, etc your friends are not backed up in a meaningful way, nor the servers you're in, if you lose your account, you lose contact with basically your entire internet life and friends.
Discord should not keep those IDs longer than a month at a time once the user is unbanned it should be deleted a week later, or removed from that panel altogether.
The issue then becomes "well why don't they just go back to a Teamspeak server? they can self host it!"
But we're forgetting there that the average person online is not a dev. The most they usually know is how to point and click on something. Which also means they usually don't know how to spin up a Linux machine/VM somewhere and install their own chat server.
Discord is popular because it lets almost anyone on Earth point and click to create a chat "server". If someone can figure out how to do that (eg cPanel), you can absolutely break their moat.
A bunch of UK users are blocked from the more "free speech" (over 13) channels unless they prove their identity to Discord, to comply with the Online Safety Act.
What would you say of a lot of FOSS companies/orgs who love to stay on places like Discord? Hell, some entities that pride themselves on "privacy" and "E2EE" shit are specifically on Discord. I think that must go beyond moronity.
Are you seriously blaming kids and teenagers (who spend their free time on Discord) because they are not smart enough to know better and form communities elsewhere?
You can do better than victim blame, and instead point the finger at Discord and whoever told the British government that delegating ID control to third-parties was a good idea.
No need to blame the user for the companies actions.
Company enacts policy enforced on them by law, for example requiring proof that a user is above the age of 18 to be able to use a channel where other users may use naughty words (The Horror!!!).
User struggles to use the automated age check system (I used the "guess age by letting an AI have a look at a selfie" method and it was a pain in the ass which failed twice before it finally worked) so does what is recommended and make a support ticket. [0]
User, relying on the published policy that Discord will delete ID directly after being used to to the age check [1] decides they wish to remain to have communication with their online friends uploads their ID.
Discord then fail to honour their end of the deal by deleting their users documents after use, and then get breached.
Full blame is on Discord for poorly handling their users data by their 3rd parties, and on the Governments forcing such practices. Discord should have their asses handed to them by the UK's ICO.
Sure, us geeks can and will use self hosted systems and find ways to avoid doing ID checks, but your avg joe isn't going to do that.
Hopefully cases like this will help with the push back on governments mandating these kind of checks, but I see the UK government just falling back to "think of the children" and laying all the blame on Discord, (who are not without fault in this case).
> Discord then fail to honour their end of the deal by deleting their users documents after use, and then get breached.
This wasn't documents uploaded via the automated ID checker, it was users manually sending ID documents to support in order to appeal an automated age decision.
> User, relying on the published policy that Discord will delete ID directly after being used to to the age check [1] decides they wish to remain to have communication with their online friends uploads their ID.
This is the part where the user has to take at least partial blame. You have to be utterly stupid (or at the very least way too sheltered) to believe a statement like this from a company, especially when there are zero consequences to the company for lying about it or negligently failing to live up to their policy.
At this point a whole bunch of crypto exchanges including chinese ones have my driver's license, passport and more. It is what it is, any real KYC process will require video identification anyway.
Don't worry, the only thing governments will learn from this is that they need to exert even more control. They'll use this as a convenient excuse to centralize the age verification in the interest of security, which conveniently gives the government the final say over which web services you're allowed to use.
The stricter the dictatorship is, the more likely people will resist the regime.
That's why many of the traditional totalitarian regimes are populistic, they do what their people want them to do or what they can convince them is good for them. New Western hybrid regimes still didn't realize they can't rule against their own people forever.
> Discord has identified approximately 70,000 users that may have had their government ID photos exposed as part of a customer service data breach announced last week, spokesperson Nu Wexler tells The Verge.
Then a big PR quote, letting a potential wrongdoer further spin it.
Then closing with:
> In its announcement last week, Discord said that information like names, usernames, emails, the last four digits of credit cards, and IP addresses also may have been impacted by the breach.
This is awful corporate PR language, not journalism, on a big story about probable corporate negligence resulting in harm to tens of thousands people.
Here's the bare minimum kind of lede I expect on this reporting:
Discord may have leaked sensitive personal information about 70,000 users -- including (but not necessarily limited to) government IDs, names, usernames, email addresses, last 4 digits of SSN, and IP addresses.
> Discord may have leaked sensitive personal information about 70,000 users -- including (but not necessarily limited to) government IDs, names, usernames, email addresses, last 4 digits of SSN, and IP addresses.
Credit card numbers are not SSNs, and I can't fathom why Discord would have the latter (I certainly never gave them any government ID either). Not to mention, "last 4 digits" of a credit card number will commonly appear on, for example, store receipts that people commonly just leave behind. Usernames can hardly be called sensitive information, either. The point is all the other stuff being tied to the username.
Age verification is "scan your government ID or give us a detailed video of your face from various angles, open and close your mouth" etc. Not sure which is better to give out in a breach
It’s an escalation path. When you store and image of an ID unnecessarily, then associate it with those last four digits, you’ve created a way to link other data sources to individuals.
Most scenarios I’ve worked with, you toss the ID image once you validate it.
The fact that the data is digitized, indexed and can be easily correlated with other data points is what turns your seemingly innocuous 4 numbers into a way to better impersonate, phish, or otherwise harm you.
My preference would be just requiring site operators to add the RTA header [1] for anything that could potentially be adult in nature or user contributed content and let parents decide if devices should have parental controls. Not perfect, nothing is but would protect most small children. Teens will easily bypass any method as many today watch porn together in rated-g/pg video games that allow setting up a streaming player in-game.
That would be also nice, but given we can't make everyone to do the most basic interoperability I don't see it working…
As for:
> Teens will easily bypass any method as many today watch porn
well, they do, but each obstacle discourage them to do that. It's like with chocolate while being on a diet - if you have it within reach next to you you are more likely to eat it; put it on a shelf which would require standing and walking - slighly less likely; put it in another room - even less; and if you don't have it in home and you would have dress up and take out the car and drive to the shop most likely you would just wave your hand at that :)
So no - it won't prevent it completely but I'd argue that it would significantly decrease the use :)
That is the bonkers thing about this story. Why take on the liability? Get what you need and toss the responsibility. If you must store it (which seems unlikely) put that extra-bad-if-leaked information behind a separate append only service for which read is heavily restricted.
If they were fined $10k per leaked ID, then there is a serious liability there.
Right now, they publish a press release, go 'oopsie poopsie', maybe have to pay for some anit-fraud things from equifax if someone asks, and call it day.
I’m in a different industry, but when I’ve had to collect identification for reasons we extracted metadata at the time of presentation, validated it, and discarded the image.
We would never get clearance from counsel to store that in most scenarios, and I can’t think of a reason to justify it for a age or name verification.
Why are people assuming they did store it after the process was completed?
With the relatively low number leaked here it could have been information collected actively during an ongoing breach, not a dump of some permanent database.
Just a guess, but they may store the original ID card to audit duplicate accounts.
If their machine learning models, think that two people are the exact same, having the original image, especially a photo of the same ID card could confirm that.
The best years online were when it was universally recognized that government ID's are completely unsuitable for interaction with the internet in any way.
Like it was since the beginning when government ID's first became a thing.
IMHO this is a pretty dump approach to the problem
while there probably are some countries with terrible designed passport for most they are designed to be machine readable even with very old style (like >10year old tech) OCR systems
so even if you want to do something like that you can extract all relevant information and just store that, maybe als extract the image
this seems initially pointless, but isn't, if you store a copy of a photo of a people can use that to impersonate someone, if you only steel the information on it it's harder
outside of impersonation issues another problem is that it's not uncommon that technically ids/passports count as property of the state and you might not be allowed to store full photo copies of it and the person they are for can't give you permission for it either (as they don't own the passport technically speaking). Most times that doesn't matter but if a country wants to screw with you holding images of ids/passports is a terrible idea.
but then you also should ask yourself what degree of "duplicate" protection you actually need wich isn't a perfect one. If someone can circumvent it by spending multiple thousands to endup with a new full name + fudged id image this isn't something a company like discord really needs to care about. Or in other word storing a subset of the information on a passport, potentially hashed, is sufficient for like way over 90% of all companies needs for secondary account prevention.
in the end the reason a company might store a whole photo is because it's convenient and you can retrospectively apply whatever better model you want to use and in many places the penalties for a data breach aren't too big. So you might even start out with "it's bad but we only do so for a short time while building a better system" situation, and then due to the not so threatening consequence of not fixing it (or awareness) it is constantly de-prioritized and never happens...
GDPR requires data minimalism and ~use case binding so if you submit data for age verification there is no technical reason to keep it after knowing your age so you _have to_ delete it.
As far as I have heard zero knowledge proofs have become optional (thus dead) in the EU wallet specification. I expect selective disclosure in all form to be completely axed next.
I didn't feel comfortable giving discord my phone number when they demanded it, so I lost access to the open source communities that insist on collaborating there.
I wish breaches like this would cause people to reconsider their choices but sadly, it's unlikely most users will move.
I also wish open-source communities would move off of Discord for another reason: Users are limited to joining a maximum of 100 servers.
I've hit the cap and it's driving me crazy. It's really easy to hit it since each friend group, hobby group, gaming community, and open-source community often all have their own servers.
I can barely keep up with 6 semi active discord servers, each with tens of semi active channels... Much less think about doing it with hundreds. More power to you, must have figured out a good notification scheme
The issue is if you don't enforce the phone number requirement on your server you get all the trolls who don't use phone numbered accounts. I wish Discord would allow you to restrict known VPNs instead of requiring phone numbers. It would solve so many issues. I know a LOT of VPNs wont be caught, but if you block MOST non-residential IP blocks, you'll capture a lot of them.
Trolls likely have access to phone number farms though. And in some parts of the world it's extra cheap to mass-register phone numbers. Trolls wouldn't be harmed in a data leak, only normal users get hurt.
Phone numbers may be required to bring order to a vast international user base, but a few dozen devs and a small user community can function without invasive moderation tactics.
The communities I'm in don't require a phone number and very rarely gets trolls. Proper moderation is the most important part. Occasionally there's a spambot, but they're just hacked accounts from pre-existing real users, and as someone that uses a VPN with Discord, I'd prefer to not be treated as an evil-doer please.
Discord doesn’t require a phone number. It’s individual community owners who opt to require it. You can create a server that doesn’t require one but it effectively means you can’t ban people since they can just sign up again on a new account.
Discord has an account flag that triggers a mandatory phone number verification. It happens if you do things like send messages too quickly over the span of about a minute, or send multiple friend requests, or join too many servers, or start too many DMs, or indeed, join any server that is set to require phone number verification.
I tried making an account once, technically my account was created but trying to log in only gets me a screen that requires I verify a phone number. I was never even able to attempt to join a server. I assume it's my browser's privacy settings and ad blocker but I'm not sure.
The one approach that has never failed is to use a fake identity when signing up for online services. It is a violation of TOS but not a crime to do so. Only give your real information to the government. If companyX requires hard information but cannot protect this PII, then they don't deserve real data.
Every time I see a data breach caused by a third party vendor, I can't help but wonder why are these big companies so deeply reliant on outsourcing, yet so lax when it comes to controlling security?
Usually some regulation change that the company is not aware off, they have to run to find a fix as soon as possible, some business guy who don't know anything about tech find a vendor who are ready to sell a solution (they probably created their whole business last month on a gamble that the new regulation would be passed and that businesses would be rushing for a solution). Then they simply buy that solution "for compliance" as a top down decision, even when internal employees ring the warning bell.
I don't think incidents like this are minor. I believe personal information security is very important. Maybe they see the consequences as small, but I don't.
I understand I grew up in a different era but it is beyond absurd to me that a chat application requires government ID from it's users. I understand the rationale but I do not find it convincing in the least, especially with the way that security is treated at basically any entity that has this kind of info on file.
I do not like this world that we have created and I would like to apply for a full refund
The Principle of Least Privilege is one of the foundational aspects of security. Governments should be enforcing that not requiring companies to collect very sensitive information like they are currently doing. Things like "prove your age", digital ID, and Chat Control are actively malicious when it comes to safety, security, and privacy.
I work at a company where we also store government IDs in Zendesk. I've alerted management multiple times but no one seems to care. It's a disaster waiting to happen…
Will the British Government be held liable for ID Thefts from this? If they hadn't created a honeypot with minimal security would this info now be out there?
Where there is smoke, there is a fire.
Wait for more and wait for people to learn how identity theft is the worst problem you can have.
Imagine you trying to prove that you are you, while somebody else with your passport details, driver license, address, DOB, phone SIM swap, etc, is acting like you causing all sort of financial disaster???
1995 The Net movie, people in 2025 will learn the hard way that was not just a movie.
I once accidentally set an incorrect birth year on Twitter. They locked me out of my account and insisted that I upload a government ID to unlock my account.
Aren't ZKPs useless for their paranoid 'children will die if they see boobies' crap because then they'd allow for a single common token to be shared willy nilly? Not to mention that surveillance is the clear government actual goal.
One's government digital identity should be public. It's my public identity. If there's some risk to this being the case, the it's a bad implementation.
This is why I am really looking forward to PIDs in the European Digital Identity ecosystem (EUDI) [1]. This works with the OpenID Verifiable Credentials spec built on top of Oauth2. There are open source solutions in the competition for building the EUDI Wallet and the architecture and reference framework is openly accessible [2]. All credentials are kept with the holder (you) at all times. Basically implementation of the EU eIDAS 2.0 regulation, obviously subject to GDPR.
Mandated to be accessible to EU citizens by 2027 when all Member States have developed a Wallet solution.
Not associated but learned through it at work recently, just awesome project and thought I'd share in this context.
Two of the other replies are wrong. This isn't actually about the new 18+ age verification stuff that countries seem to be ramming through right now - as far as I know, Discord uses third parties for that service. The link from Discord's statement in the article mentions that this is about appealing account bans of users who were suspected to be under the legal age to use Discord at all (<13 in most places). This is an older thing, which also explains the amount of data that was leaked.
Joining "NSFW channels", which usually means porn. But some normal channel are also tagged NSFW to opt out of Discord's forced content filter on public servers, which has occasional baffling false positives.
Pieces of shit. Do they need to look at them on a daily basis or isn't is enough to use them to confirm identity when received and then encrypt them and move them to an offline storage?
So many companies do not understand this simple principle. Blast radius reduction. But no, they need to have everything online, and instantly accessible all the time. Because they can't possibly be inconvenienced with a short delay in case they ever want to look at that piece of data that they will never want to look at anyway.
It is going to take a long time before companies realize that data they don't need is a liability, not an asset.
.... The government ID's they only started asking for as a bullshit requirement after running for like 10 years without needing them?
At some point we'll start seeing companies that rotate your passwords automatically and integrate with your autologins, and send immediate reports of breaches / suddenly failing logins.
I wonder how many people in the UK have actually got their passport out to sign into these services. I'm guessing the average HN user isn't likely to do this, but I'd love to see the numbers for the general populous.
Whatever stereotypes you've read, about 0.01% of HNer's hold C-level jobs at huge tech companies, to be setting such policies.
And even at modest-sized companies, those are decided by Legal Dept's and senior business managers.
While you might find it cathartic, to angrily curse at some convenient Post Office employee for (say) the Postmaster General's latest postage stamp price increase - that is really not a classy move.
I think it is nice that the GDPR forces companies to not keep too much data about people. And you can only have data that you need for the stated purpose (of course this leaves loopholes but it is good data hygiene to always consider).
For example, if you state you want to verify age, you only need the ID for a couple of seconds. So why didn't they think about the risk of a hack before? They could have done the age verification and then immediately deleted the document. The cynical take is af course they did think about it but would take the fine if it came to that...
Maybe it is good to make an example out of Discord? Don't keep stuff around if you don't need it should be common sense.
I don't know if I just became cynical and jaded, but is this really surprising to anyone in any way? Any time I give out my personal information to anyone for any reason, I basically treat it as 'any member of public can now access it'.
Even if a service doesn't have it in their TOS that they sell it to 3rd parties, they might do it anyway, or there will, sooner or later, be a breach of their poorly secured system.
To make it clear - I don't particularly blame any one corporation, this is a systemic issue of governments not having/not enforcing serious security measures. I just completely dropped the expectation of my information being private, and for the very few bits that I do actually want to stay private, I just don't, or allow anyone to, digitalize or reproduce them at all in any way.
It is a common misconception that facts are reported because they are surprising. Facts are reported because they are important. More and more governments are passing age verification laws which put exactly this data in to the hands of even more shady private companies. This breach serves as evidence that those laws are misguided, and spreading news of this event may help build public support for those efforts.
This is the essential point, and why it’s always a bit frustrating seeing ‘is anyone surprised’ take come up so often here. It lowers the quality of the possible discussion by trivialising it.
10 replies →
Reminds me of the Panama Papers, which exposed a huge international money laundering/tax evasion ring that no one seemed to care about because "everyone knows they're doing this stuff"
7 replies →
Wonder if this will cause a surge in demand for fake IDs that are sufficient for age-verification but harmless if leaked.
12 replies →
In the example you give there is no needed provision to store the id or all information in the document. Only extracting the date of birth, name and document number is sufficient.
Yes I know this a utopia and it won't happen.
Edit: afaik storing the photo is only needed in medical cases to alternatively asses having the correct person. Bit much for something simple as age verification.
6 replies →
I don't think there was any suggestion that the story should not have been reported, or that only "surprising" facts should be considered news.
Things that cease to be surprising can also cease being important. Which is made clear reading the remainder of the post.
It's my take as well, frankly.
> Facts are reported because they are important.
Without going too much off-topic: In a vacuum, you are right. In reality, facts are reported because they sell.
It is a good day when important facts like this one happen to coincide with what people what to know more about. (the recent UK attempt at stripping the rights of its citizens)
Tomorrow, people will have forgotten all about it, and the government can continue to expand its powers without anyone talking about it.
> I don't particularly blame any one corporation, this is a systemic issue of governments not having/not enforcing serious security measures
Wrong, governments caused the issue because they demand customers to ID themselves. There exists not a single viable security measure aside from not collecting the data. Government is also not able to propose any security measures.
Unlikely that the data will ever be deleted now, no matter if Discord pays any ransoms or not.
No, governments caused the issue by demanding customers to ID themselves, while failing to provide the necessary tooling for doing so in a secure manor.
There's really only a few countries in the world who can provide the services needed to make this work. On top of my head, Estonia, Sweden and Denmark (there's probably others).
4 replies →
The companies in question could have a flag in every user data to confirm they are over the age limit.
At worse keep the birth date, since various aspect of a service can be available depending on age (and user can change locality / country, and therefore be subject to different law).
If you keep on top of it, you have at most 3 days of user's "ongoing verification" sensible data available for theft. Keeping more than that will always be an invitation to bad actors.
1 reply →
In the context of age limits, that is wrong. The German eID has a zero knowledge method of proving that your age is above a certain number without revealing anything else. That method has been around for like 15 years and these days, thanks to smartphones with NFC readers, is quite user-friendly.
In practice it's basically not used anywhere except for cigarette vending machines because it's much simpler to hire some dubious third party "wave your ID in front of your camera" service
Edit: mandatory age verification is still an atrocious idea for a number of other reasons, just to be clear
3 replies →
It's not surprising because there's never been a significant penalty for it, I guess because everybody just got completely used to massive breaches without much reaction. But then again it's very hard to get legislation passed that's not in the interests of big business.
[dead]
ZK proofs for identity can't go mainstream quick enough. I agree with what you're saying completely. It's frustrating that we have the technology now to verify aspects of someone's identity without revealing it, but that it's going to take forever to become robust enough for mainstream use.
It's an interesting litmus test because regulators would not accept ZK age proofs unless the stated purpose of age verification laws (reduce harm to minors) is the _actual_ purpose of those laws.
Not some different unstated goal, such as ending online anonymity.
10 replies →
That does not work without treacherous locked-down hardware. The marketing by Google et al is leaving out that fact to privacy-wash what is ultimately a push for digital authoritarianism.
Think about it - the claim is that those systems can prove aspects of someone's identity (eg age), without the site where the proof is used obtaining any knowledge about the individual and without the proof provider knowing where the proof is used. If all of these things are true while users are running software they can control, then it's trivial for an activist to set up a proxy that takes requests for proofs from other users and generates proofs based on the activist's identity - with no downside for the activist, since this can never be traced back to them.
The only thing that could be done is for proof providers to limit the rate of proofs per identity so that multiple activists would be required to say provide access to Discord to all the kids who want it.
11 replies →
You mean not collecting IDs is the real answer. Easy solution is the best solution and it already is mainstream.
This is an example why that was a bad idea in the first place. No damage control for bad solutions will change that.
1 reply →
Anonymous proofs of age don't work, because (in theory) I could set up a server, plugged into my ID chip, that lets anyone download age proofs from me, and then anyone can be over 18. They don't just need to know someone is over 18 - they also need to know it's the same person using the website.
3 replies →
What's wild is that the burden keeps falling on individuals to be ultra-cautious, while the systems handling the data rarely face meaningful consequences
For years, I resisted TSA Pre check on principle, even though I was a frequent traveler. I finally relented when I realized there were places like Thailand that force you to give your biometrics, and almost certainly sell them back to shadowy US agencies.
They might not be competent enough
https://www.scmp.com/week-asia/politics/article/3300568/thai...
1 reply →
> places like Thailand that force you to give your biometrics
You're being returned the favor! Anyone that's ever entered the US has had to do the same, and our prints are being stored in a DHS database.
Out of curiosity, did you not need to provide prints to get a passport in the first place? I can't image a single developed country without biometric passports.
2 replies →
Developer time is more valuable than user data. The market is being efficient.
I think you're assuming an ideal world where there's no information asymmetry, all the market participants receive and understand all the information and the risks, and clients could realistically move to an alternative platform that provably handles things better.
Externalized costs aren't weighed in that calculation
No.Just greedy.
Also this is an issue with people willing to send important documents to some company with which they do not even have a written agreement.
A big problem is that the Silicon Valley playbook drives companies like Discord to be winner take all. It’s hard to avoid using them, but then they require that give up sensitive documents. I shouldn’t have to choose between keeping sensitive documents private and being able to participate in most gaming communities. Some open source projects have also starting adopting Discord to manage their communities.
1 reply →
I'm not willing, I just don't have a choice. The US should regulate it from the top down like Europe does
13 replies →
I told the 2 servers I hang in about a month ago that if I randomly disappear it’s because I can’t login without an ID and I’m simply not doing it/that they should consider the post my preemptive “goodbye.” I included where to contact me for those who want to. Frankly I think anyone on discord should do the same
There's a surprising amount of people pro-age verification in this thread https://news.ycombinator.com/item?id=45424888
(I don't really want to call out specific comments)
So I'm sure this article may be surprising to them.
> "or there will, sooner or later, be a breach of their poorly secured system."
It doesn't even need to be poorly secured. The oldest form of hacking is social engineering. If a company is storing valuable enough information, all one needs to do is compel the lowest common denominator with access to it to intentionally or inadvertently provide access.
You can try to create all the sort loopholes and redundancies but in general the reality is that no system is ever going to be truly secure. Another reality is that many of the people with the greatest level of access will not be technical by nature. For instance apparently the DNC hacks were carried out by a textbook phishing email - 'You've like totally been hacked, click on this anonymizer link to leads to Goog1e.com so we can confirm your identity.'
I blame companies (including discord) for collecting as much information as they can instead of as little as possible. More data collected -> more data that will eventually get sold / leaked / hacked.
Don't governments require them to chech people's IDs to make sure they aren't kids?
16 replies →
I very much do blame the corporations and governments that push for these kinds of policies in some way or another.
We see things like this, which happen about as often as fucking rainfall in a mountain forest, and then also see the ever increasing push towards ID verification by corporations and government organizations that pinkie-promise to secure or not retain any of the personal data you were wrist-burned into handing over to them.
What a toxic mix of garbage that becomes. The result is crap like the above, making the internet ever worse and basic personal data security (to not even speak of lofty things like digital privacy and using the internet anonymously) pretty much null and void even if you really do try to take the right steps.
>I very much do blame the corporations and governments that push for these kinds of policies in some way or another
71% want age verification
https://www.pewresearch.org/short-reads/2023/10/31/81-of-us-...
How that's done is the issue but you can't blame the government and corporations from making it happen.
It's really just creating massive honeypots of sensitive data that will eventually leak. And when it does, the consequences are always on us
> "this is a systemic issue of governments not having/not enforcing serious security measures"
Is it this, or is it a "systemic issue of governments not minding their own damn business"???
If “serious security measures” involves anything to that 2fa authentication that any normal person hates with a passion then you can forget about it.
The real, long term answer to all this consists in having less of our lives in digital presence, that even means less digital government thingies and, yes, less payments and other money-related issues being handled online.
Honestly I don't understand why so many things are tied to one secret _that you have to share with others_ all the time.
Why is there no rotation possible? Why is there no API to issue a new secret and mark the previous one as leaked? Why is there no way to have a temporary validation code for travels, which gets auto revoked once the citizens are back in their home country?
It's like governments don't understand what identity actually means, and always confuse it with publicity of secrets.
I mean, more modern digital passports now have a public and private key. But they put the private key on the card, which essentially is an absolute anti pattern and makes the key infrastructure just as pointless.
If you as a government agency have a system in place that does not accommodate for the use case that passports are stolen all the time, you must be utterly out of touch with reality.
Governments don't get a damn thing about the internet. They just want to govern, and justify the spending.
Their goal is not to build resilient systems — it iss to preserve control. The internet was born decentralised, while governments operate through centralised hierarchies. Every system they design ends up reflecting that mindset: central authority, rigid bureaucracy, zero trust in the user.
So instead of adopting key rotation, temporary credentials, or privacy-first mechanisms, they recreate 1950s paperwork in digital form and call it innovation.
I don't think you have become jaded. It's just the truth of the internet.
If you upload anything to the internet, it's public. Even the passwords you type are potentially public.
Same. I automatically assume that all information I send to any organisation will end up on the Internet sooner or later be it by accident or sold to some shady third party.
> I basically treat it as 'any member of public can now access it'.
Still remember the conversation over "mega apps"?
Based on my experience with Alipay, which was a Chinese financial focused mega app but now more like a platform of everything plus money, the idea of treating every bit information you uploaded online as public info is laughable.
Back when Alipay was really just a financial app, it make sense for it to collect private information, facial data, government issued ID etc. But now as a mega app, the "smaller app" running inside it can also request permission to read these private information if they wanted to, and since most users are idiots don't know how to read, they will just click whatever you want them to click (it really work like this, magic!).
Alipay of course pretends to have protection in place, but we all know why it's there: just to make it legally look like it's the user's fault if something went wrong -- it's not even very delicate or complex. Kinda like what the idea "(you should) treat it (things uploaded online) as 'any member of public can now access'" tries to do, blame the user, punch down, easy done.
But fundamentally, the information was provided and used in different context, user provided the information without knowing exactly how the information will be used in the future. It's a Bait-and-switch, just that simple.
Of course, Discord isn't Alipay, but that's just because they're not a mega app, yet. A much healthier mentality is ask those companies to NOT to collect these data, or refuse to use their products. For example, I've not ever uploaded my government ID photos to Discord, if some feature requires it, I just don't use that feature.
Couldn't agree more, save for your last sentence. How do you avoid that? We need to provide o Digital papers to a number of different people for proper handling
For us it's too late. But we must push for better laws and build better systems for those that come after us.
> this is a systemic issue of governments not having/not enforcing serious security measures.
To do so seems impractical. Imagine the government machinery that would be required to audit all companies and organizations and services to which someone can upload PII.
Not tractable.
The systemic solution wouldn’t be to do that. It would be to both remove their own requirements that organisations collect this data, and to penalise organisations for collecting it outside of a handful of already heavily regulated industries like banking.
The enforcement could be done by incentives, making sure the penalty for such breaches is large.
1 reply →
Audit at random? With severe penalty in case of non compliance.
> I just completely dropped the expectation of my information being private
There are all the reasons in the world to feel that way. The scary thing (says troyvit as he passes out the tinfoil hats) is that privacy laws are all about an "expectation of privacy." In other words we all expect privacy when we're in our bathrooms, so government surveillance in the bathroom is hard to justify. Now that there are cameras in supermarket checkouts, and we all expect them, legally that's no longer a privacy concern and we can't claim that our privacy is being unreasonably infringed.
And what you're saying is that now we've reached the stage in history where through incompetence and greed we shouldn't expect any privacy anyway, and that opens the door for all kinds of surveillance because our expectations have fallen so low. I'm not a lawyer btw so take it all with a grain of salt.
You really think governments could write rules that would help this?
The only rule I can imagine is big penalties for data being breached, no matter the cause, but do we actually think it's a multi million dollar problem for 70k photos to be released? Hard problem.
It’s surprising that it happened to a big name like Discord in this day and age. Huge data breaches of large tech companies are becoming increasingly rare as security in general is getting better.
Penetrations of this sort happen differently.
If I want the ID of a bunch of Discord users, I don't go after Discord directly, I find some bot that the targeted users have on their discord servers, or third party service that Discord uses themselves. Then I find some individual person with access to those things, and I harass and/or threaten that person until they give me what I want to make me go away. If I think they might be crooked, I might just offer them a cut of the take. I'm probably not paying them though, not unless I think I can leverage them against other targets and need to keep them around.
Either way, an individual person isn't going to be able to hold off a coordinated attack for very long, and law enforcement generally doesn't give a shit about internet randoms attacking individual people.
It's getting better, but never reaching good, so still no surprise
i mean it's only every other week we see orgs like TCS handing out admin
> Huge data breaches of large tech companies are becoming increasingly rare as security in general is getting better.
Citation needed. /s
cough Microsoft cough
One important problem that's mostly ignored is the lack of transparency about the third-party providers handling such sensitive ID documents. When a breach occurs, public statements rarely name the exact vendor responsible, making it difficult for affected users to understand who actually had access and who might still have their data. This opacity delays accountability and creates ongoing risks, since users have no meaningful way to audit or assess the practices of these shadow providers. Unless this layer of the data-handling ecosystem is discussed and regulated, future breaches will remain inevitable and largely untraceable.
The third-party layer is basically the dark matter of data breaches like invisible to users, barely acknowledged by companies, and completely unaccountable when things go wrong
The biggest problem is giving data to people in the first place.
Discord uses Zendesk (1). However in the press release they don't name the third party that was compromised, and Zendesk denies that it was their service.
What other third party was Discord using if not Zendesk? Who's reputation are they protecting?
[1] https://www.zendesk.fr/customer/discord/
I don't understand how we allow these companies to protect each other even in the face of egregious malpractice.
This might even be a PR move. They fucked up and can merely say "a third party" did it. Who's gonna verify this?
Unless we have whistleblowers we will never know. What a disgrace.
The wording Discord used leaves open the possibility that a ZenDesk account was compromised through no fault of ZenDesk.
Kinda feels like Discord is lying by omission.
Edit: Actually my bet is their support staff just sold them out.
vx-underground claims to have communication with the group, and this post of theirs adds to the support agent theory: https://xcancel.com/vxunderground/status/1976238815665856646
> they were able to compromise Discord Zendesk by compromising a "BPO Agent" (outsourced support).
> Of course, as is tradition, it is also entirely possible they're lying
Do you happen to have a link to Zendesk's denial?
Companies usually promise that the ID would be used only for validation and then immediately deleted. How so many IDs could leak then? They verify millions of IDs per month?
The Discord message (in Australia at least) specifically says:
The information you provide is only used to confirm your age group, then it's deleted
Refer screenshot: https://www.reddit.com/r/discordapp/comments/1nkrxcp/discord...
I can still swipe the message away, so I haven't done it yet. I'm going to work out how I can fake the face scan. I ain't sending Government ID to some chat app (no matter how big or small) that's over the top.
As an aside, I would have thought the age groups should be: 13 to 18, and 18+. They're the only ones that materially matter to the reason this check exists, in Australia at least. I don't want to contribute to their demographic analysis.
When the australia sub reddit was discussing the introduction of id on discord, the top comment was something along the lines of "look up openfeint". That was the day I uninstalled discord. It may not be an easy decision, especially if you are part of important social communities, but we cannot accept this level of disregard for our identities.
4 replies →
Unless they get fined for this, nothing will change.
That is not the system that was compromised.
It was Discord's helpdesk software (reported to be Zendesk).
If you have problems with that system, you can log a support ticket with the Discord helpdesk, attaching your ID, and they can override it for you.
From the previous[1] statement:
The unauthorized party also accessed a “small number” of images of government IDs from “users who had appealed an age determination.”
It makes sense they have to hang on to the ID in case of processing an appeal, which probably doesn't have the highest priority and hence stretches out in time.
[1]: https://www.theverge.com/news/792032/discord-customer-servic...
The funny thing about this is that it kinda makes it OK for Discord to still have the records. But...
1. Discord still got hacked despite being a company that must have passed some level of authorised audit in order to be able to store government ID cards. (who audits the auditors? Is there an independent rating of security audit companies? What was the vulnerability? Was there any Government due diligence?)
2. This is a great example of why "something else" is needed for proof of identity transactions over the wire, and this "something else" should exist, and have existed for long enough to develop a level of trust, before Governments start mandating that private companies audited by other private companies must undertake actions that require the storage of Government ID documents. Banking level security and regulation should be required for any aggregator of such sensitive data. That fucking Discord had Government ID docs at all is beyond ridiculous. More-so for Governments of countries other than where Discord was incorporated. A state-sponsored Russian / Chinese / North Korean / Iranian / <other> Discord-alternative would have been an interesting situation. The implicit trust in Discord, and any other "app publisher" requiring ID confirmation is just peculiar.
6 replies →
Do they actually say in the TOS that they will delete them? If they do, do they say immediately? How immediately? Right away or, perhaps, 1 month? Unless specified in contractual documentation, words like "immediately" or "soon" do not have any single definition, which allows them to stretch it without technically being in breach of contract. Not to mention that often times, governments mandate data retention for so-and-so amount of time, so the companies are legally required in such cases to keep the data even if they, miraculously, desire not to.
Either the deletion promise is a lie, or the third-party vendor was storing the data anyway
Or it's all kosher as per their "internal policy" which translates to "yes, it was deleted on the server where you first uploaded it" but "pre-deletion" it was "transitioned" to "another secure server" for "your convenience" and "everything is as per our T&C that you agreed to and we follow the highest standards of data security and safety. Thank you for your time".
If Kafka were alive today, he'd see the world has outdone itself.
From what I understand, these were IDs submitted to the third-party for support cases where the user was disputing the verification process. Whether these leaked IDs were from open tickets or not should be the question, if my understanding of the situation is correct.
I guess they are required to store everything for years for "compliance". How else are they are going to save their butts when someone manages to fake their identity through them?
The regulation lets identity verification companies store identity data for up to three years. The providers typically do it to train machine learning models for fraud detection.
Lying is usually legal.
And even if lying is illegal in a particular context, it's de-facto legal since nobody ever gets punished for it.
fraud is not legal. There's a difference between lying on the playground and fraud in a business setting.
6 replies →
The fact the deletion is at all needed speaks for a pretty terrible design. The data should simply not be permanently stored.
I have quite a lot of experience dealing with personal identity information. Unless the latter has to be reported then it's never stored. Along with the fact it's actually deleted to comply with GDPR and friends (when it has to be recorded). In any case if any personal data is to be stored, it's always encrypted with personal keys.
deleted = database column
Or maybe they define 'delete' as moving data from "production" env to "deleted" env and if someone asked that data to be deleted even from there then the next step is moving from "deleted" to "purged".
Discord is a fed honeypot so why would they.
The whole "it wasn't us, it was our third-party vendor" line is getting way too common. If you're collecting government IDs for age verification, the security bar should be extremely high... no matter who's handling the data
But our subcontractor made a contractual promise to use only sub-subcontractors who use only sub-sub-subcontractors who promise to be secure!
Ahh I see you've done work for the government.
ID checks, driven by prudishness, are an absolute gift to the big social media companies. They're the only entities whom (a) already know the check's answers, and (b) have the resources to keep hackers largely at bay.
I am not surprised these laws are landing with such little resistence.
Its as if the big social media companies lobbied for extra redtape, eh?
Large companies love regulation and red tape because it usually kills smaller competitors.
Surprisingly they've generally lobbied against it for ideological reasons despite their economic incentives.
1 reply →
You've got to be a complete moron uploading your gov ID to discord
It is specifically because you got banned for "being under 13" it comes from someone asking a question like "How many candles in this photo?" then you reply "7" then they edit the message to say "How old are you" and voila, underage ban.
What you are overlooking is that Discord is the new MSN Messenger, YIM, etc your friends are not backed up in a meaningful way, nor the servers you're in, if you lose your account, you lose contact with basically your entire internet life and friends.
Discord should not keep those IDs longer than a month at a time once the user is unbanned it should be deleted a week later, or removed from that panel altogether.
You can come up with all kinds of excuses, but Discord is not, and NEVER WAS a trustworthy company.
> You've got to be a complete moron uploading your gov ID to discord
^ Still stands.
4 replies →
This hits the nail on the head. The big issue here is that the submitted photos were not deleted and that is quite concerning to me.
1 reply →
The issue then becomes "well why don't they just go back to a Teamspeak server? they can self host it!"
But we're forgetting there that the average person online is not a dev. The most they usually know is how to point and click on something. Which also means they usually don't know how to spin up a Linux machine/VM somewhere and install their own chat server.
Discord is popular because it lets almost anyone on Earth point and click to create a chat "server". If someone can figure out how to do that (eg cPanel), you can absolutely break their moat.
4 replies →
Ah, the classic shoe size prank.
A bunch of UK users are blocked from the more "free speech" (over 13) channels unless they prove their identity to Discord, to comply with the Online Safety Act.
It's channels marked NSFW that you need verification for and it's also incredibly easy to bypass with a VPN.
1 reply →
This applies to all users and isn’t related to OSA (though that will probably make leaks like this more likely).
What would you say of a lot of FOSS companies/orgs who love to stay on places like Discord? Hell, some entities that pride themselves on "privacy" and "E2EE" shit are specifically on Discord. I think that must go beyond moronity.
Are you seriously blaming kids and teenagers (who spend their free time on Discord) because they are not smart enough to know better and form communities elsewhere?
You can do better than victim blame, and instead point the finger at Discord and whoever told the British government that delegating ID control to third-parties was a good idea.
...or point the finger at ourselves, for not creating a more decentralized and secure place for our kids to hang out online.
No need to blame the user for the companies actions.
Company enacts policy enforced on them by law, for example requiring proof that a user is above the age of 18 to be able to use a channel where other users may use naughty words (The Horror!!!).
User struggles to use the automated age check system (I used the "guess age by letting an AI have a look at a selfie" method and it was a pain in the ass which failed twice before it finally worked) so does what is recommended and make a support ticket. [0]
User, relying on the published policy that Discord will delete ID directly after being used to to the age check [1] decides they wish to remain to have communication with their online friends uploads their ID.
Discord then fail to honour their end of the deal by deleting their users documents after use, and then get breached.
Full blame is on Discord for poorly handling their users data by their 3rd parties, and on the Governments forcing such practices. Discord should have their asses handed to them by the UK's ICO.
Sure, us geeks can and will use self hosted systems and find ways to avoid doing ID checks, but your avg joe isn't going to do that.
Hopefully cases like this will help with the push back on governments mandating these kind of checks, but I see the UK government just falling back to "think of the children" and laying all the blame on Discord, (who are not without fault in this case).
[0] https://support.discord.com/hc/en-us/articles/30326565624343...
[1] https://support.discord.com/hc/en-us/articles/30326565624343...
> Discord then fail to honour their end of the deal by deleting their users documents after use, and then get breached.
This wasn't documents uploaded via the automated ID checker, it was users manually sending ID documents to support in order to appeal an automated age decision.
> User, relying on the published policy that Discord will delete ID directly after being used to to the age check [1] decides they wish to remain to have communication with their online friends uploads their ID.
This is the part where the user has to take at least partial blame. You have to be utterly stupid (or at the very least way too sheltered) to believe a statement like this from a company, especially when there are zero consequences to the company for lying about it or negligently failing to live up to their policy.
11 replies →
At this point a whole bunch of crypto exchanges including chinese ones have my driver's license, passport and more. It is what it is, any real KYC process will require video identification anyway.
It's great news. Introducing totalitarian laws and rushing companies to implement them, who would've thought something would go wrong?
I hope this incident and future data breaches will finally raise awareness of which direction many regimes are going.
Don't worry, the only thing governments will learn from this is that they need to exert even more control. They'll use this as a convenient excuse to centralize the age verification in the interest of security, which conveniently gives the government the final say over which web services you're allowed to use.
The stricter the dictatorship is, the more likely people will resist the regime.
That's why many of the traditional totalitarian regimes are populistic, they do what their people want them to do or what they can convince them is good for them. New Western hybrid regimes still didn't realize they can't rule against their own people forever.
This is the end result of forcing private companies enforce ID verification.
No, this is the result that companies dngaf about your private data. Sue them to oblivion.
Hard disagree. Companies could care about your data and still be subject to rbeach. ID verification is the source of the issue.
2 replies →
This is not OK, and the reporting is not OK.
Opening with:
> Discord has identified approximately 70,000 users that may have had their government ID photos exposed as part of a customer service data breach announced last week, spokesperson Nu Wexler tells The Verge.
Then a big PR quote, letting a potential wrongdoer further spin it.
Then closing with:
> In its announcement last week, Discord said that information like names, usernames, emails, the last four digits of credit cards, and IP addresses also may have been impacted by the breach.
This is awful corporate PR language, not journalism, on a big story about probable corporate negligence resulting in harm to tens of thousands people.
Here's the bare minimum kind of lede I expect on this reporting:
Discord may have leaked sensitive personal information about 70,000 users -- including (but not necessarily limited to) government IDs, names, usernames, email addresses, last 4 digits of SSN, and IP addresses.
I'm ready to block both Discord and The Verge.
> Discord may have leaked sensitive personal information about 70,000 users -- including (but not necessarily limited to) government IDs, names, usernames, email addresses, last 4 digits of SSN, and IP addresses.
Credit card numbers are not SSNs, and I can't fathom why Discord would have the latter (I certainly never gave them any government ID either). Not to mention, "last 4 digits" of a credit card number will commonly appear on, for example, store receipts that people commonly just leave behind. Usernames can hardly be called sensitive information, either. The point is all the other stuff being tied to the username.
Age verification is "scan your government ID or give us a detailed video of your face from various angles, open and close your mouth" etc. Not sure which is better to give out in a breach
2 replies →
It’s an escalation path. When you store and image of an ID unnecessarily, then associate it with those last four digits, you’ve created a way to link other data sources to individuals.
Most scenarios I’ve worked with, you toss the ID image once you validate it.
I think discord is one of the services that requires age verification in some countries.
The fact that the data is digitized, indexed and can be easily correlated with other data points is what turns your seemingly innocuous 4 numbers into a way to better impersonate, phish, or otherwise harm you.
This is what most of journalism has been for quite some time. Read some of Noam Chomskys work.
I kinda hope and root for EU's spec (https://ageverification.dev/Technical%20Specification/archit...) with "Zero Knowledge Proof" that wouldn't require passing actual ID to the service…
My preference would be just requiring site operators to add the RTA header [1] for anything that could potentially be adult in nature or user contributed content and let parents decide if devices should have parental controls. Not perfect, nothing is but would protect most small children. Teens will easily bypass any method as many today watch porn together in rated-g/pg video games that allow setting up a streaming player in-game.
[1] - https://www.rtalabel.org/index.php?content=howtofaq#single
That would be also nice, but given we can't make everyone to do the most basic interoperability I don't see it working…
As for: > Teens will easily bypass any method as many today watch porn
well, they do, but each obstacle discourage them to do that. It's like with chocolate while being on a diet - if you have it within reach next to you you are more likely to eat it; put it on a shelf which would require standing and walking - slighly less likely; put it in another room - even less; and if you don't have it in home and you would have dress up and take out the car and drive to the shop most likely you would just wave your hand at that :)
So no - it won't prevent it completely but I'd argue that it would significantly decrease the use :)
1 reply →
This.
We're talking about a solved problem here.
Similar to storing passwords as unhashed/plaintext.
Asking this out of curiosity: is it a requirement, that such data is being stored once the verification process is completed?
That is the bonkers thing about this story. Why take on the liability? Get what you need and toss the responsibility. If you must store it (which seems unlikely) put that extra-bad-if-leaked information behind a separate append only service for which read is heavily restricted.
Because there is no liability.
If they were fined $10k per leaked ID, then there is a serious liability there.
Right now, they publish a press release, go 'oopsie poopsie', maybe have to pay for some anit-fraud things from equifax if someone asks, and call it day.
1 reply →
Because it's free training data and great for building profiles on users so you can make money showing them targeted ads
2 replies →
The data is valuable to sell or train ai on. You can use that data to train ai hr people or whatever
I’m in a different industry, but when I’ve had to collect identification for reasons we extracted metadata at the time of presentation, validated it, and discarded the image.
We would never get clearance from counsel to store that in most scenarios, and I can’t think of a reason to justify it for a age or name verification.
Why are people assuming they did store it after the process was completed?
With the relatively low number leaked here it could have been information collected actively during an ongoing breach, not a dump of some permanent database.
There are only a handful of countries where you are legally mandated to dox yourself and it's a recent change.
You'd expect the numbers to be "low" either way.
Just a guess, but they may store the original ID card to audit duplicate accounts.
If their machine learning models, think that two people are the exact same, having the original image, especially a photo of the same ID card could confirm that.
There are image processing methods for hashing people's faces. They don't have to store the actual photo to do that.
13 replies →
The best years online were when it was universally recognized that government ID's are completely unsuitable for interaction with the internet in any way.
Like it was since the beginning when government ID's first became a thing.
IMHO this is a pretty dump approach to the problem
while there probably are some countries with terrible designed passport for most they are designed to be machine readable even with very old style (like >10year old tech) OCR systems
so even if you want to do something like that you can extract all relevant information and just store that, maybe als extract the image
this seems initially pointless, but isn't, if you store a copy of a photo of a people can use that to impersonate someone, if you only steel the information on it it's harder
outside of impersonation issues another problem is that it's not uncommon that technically ids/passports count as property of the state and you might not be allowed to store full photo copies of it and the person they are for can't give you permission for it either (as they don't own the passport technically speaking). Most times that doesn't matter but if a country wants to screw with you holding images of ids/passports is a terrible idea.
but then you also should ask yourself what degree of "duplicate" protection you actually need wich isn't a perfect one. If someone can circumvent it by spending multiple thousands to endup with a new full name + fudged id image this isn't something a company like discord really needs to care about. Or in other word storing a subset of the information on a passport, potentially hashed, is sufficient for like way over 90% of all companies needs for secondary account prevention.
in the end the reason a company might store a whole photo is because it's convenient and you can retrospectively apply whatever better model you want to use and in many places the penalties for a data breach aren't too big. So you might even start out with "it's bad but we only do so for a short time while building a better system" situation, and then due to the not so threatening consequence of not fixing it (or awareness) it is constantly de-prioritized and never happens...
Just store the name and the fact that it was verified and delete the photo. You get what you need without holding on to a massive liability.
2 replies →
in case of the EU it's more the opposite
GDPR requires data minimalism and ~use case binding so if you submit data for age verification there is no technical reason to keep it after knowing your age so you _have to_ delete it.
I've come a long way down for somebody to have finally said this!
The GDPR is your friend. It makes retailing unnecessary personal data a liability. As it should be.
Discord is idiotic for operating in the UK and Europe without complying.
No excuses.
Requirement by who? Discord isn't required to demand your ID, let alone store it.
It's required in the UK to access non-child friendly content: https://support.discord.com/hc/en-us/articles/33362401287959...
More governments should provide a system like the German electronic ID*, which lets you prove your age without revealing other information.
* Tragically underused because impractical
As far as I have heard zero knowledge proofs have become optional (thus dead) in the EU wallet specification. I expect selective disclosure in all form to be completely axed next.
not just impractical, but also not easy and free to integrate with your service. Seems designed to push you to use a commercial product.
https://www.ausweisapp.bund.de/so-werden-sie-diensteanbieter
In Belgium we have a service called "itsme". Had it for ages, works very well, used to be mainly for government but banks are also switching to it.
The hackers claim they have data of 5.5 million, discord is saying 70k. Hmmmm
Probably 5.5 million emails/names, 70k photos.
https://x.com/IntCyberDigest/status/1975846997568737666?t=nD...
I didn't feel comfortable giving discord my phone number when they demanded it, so I lost access to the open source communities that insist on collaborating there.
I wish breaches like this would cause people to reconsider their choices but sadly, it's unlikely most users will move.
I also wish open-source communities would move off of Discord for another reason: Users are limited to joining a maximum of 100 servers.
I've hit the cap and it's driving me crazy. It's really easy to hit it since each friend group, hobby group, gaming community, and open-source community often all have their own servers.
I can barely keep up with 6 semi active discord servers, each with tens of semi active channels... Much less think about doing it with hundreds. More power to you, must have figured out a good notification scheme
2 replies →
That limit is per account, right?
The issue is if you don't enforce the phone number requirement on your server you get all the trolls who don't use phone numbered accounts. I wish Discord would allow you to restrict known VPNs instead of requiring phone numbers. It would solve so many issues. I know a LOT of VPNs wont be caught, but if you block MOST non-residential IP blocks, you'll capture a lot of them.
Trolls likely have access to phone number farms though. And in some parts of the world it's extra cheap to mass-register phone numbers. Trolls wouldn't be harmed in a data leak, only normal users get hurt.
2 replies →
Phone numbers may be required to bring order to a vast international user base, but a few dozen devs and a small user community can function without invasive moderation tactics.
1 reply →
The communities I'm in don't require a phone number and very rarely gets trolls. Proper moderation is the most important part. Occasionally there's a spambot, but they're just hacked accounts from pre-existing real users, and as someone that uses a VPN with Discord, I'd prefer to not be treated as an evil-doer please.
1 reply →
[dead]
Discord doesn’t require a phone number. It’s individual community owners who opt to require it. You can create a server that doesn’t require one but it effectively means you can’t ban people since they can just sign up again on a new account.
I refuse to use their “create a server” language. It is not a server by any definition of the word server.
You can set up a community on their servers.
I’m not sure why they chose to use misleading language, but it is misleading.
9 replies →
Discord has an account flag that triggers a mandatory phone number verification. It happens if you do things like send messages too quickly over the span of about a minute, or send multiple friend requests, or join too many servers, or start too many DMs, or indeed, join any server that is set to require phone number verification.
12 replies →
I tried making an account once, technically my account was created but trying to log in only gets me a screen that requires I verify a phone number. I was never even able to attempt to join a server. I assume it's my browser's privacy settings and ad blocker but I'm not sure.
The one approach that has never failed is to use a fake identity when signing up for online services. It is a violation of TOS but not a crime to do so. Only give your real information to the government. If companyX requires hard information but cannot protect this PII, then they don't deserve real data.
Relevant name.
How would you get around this verification though? Afaik this is nearly akin to KYC which is effective impossible to get around
The problem is that the government has these leaks too.
sure, but your reducing the likelihood of your real data getting out there if it's only stored in one place, rather than hundreds.
When can people start going to jail for this kind of thing
It is UK. They find it hard to jail people that lied on purpose to jail innocent people, multiple times.
Yes, good question: When can we start jailing CEOs and their employees for these blatant violations of the CPRA and GDPR?
And the politicians who mandate ID-checking requirements, without which the "government IDs" part of this wouldn't have happened.
(To be explicit, not supporting jailing here, just removing from office.)
Was thinking the same exact thing!!
Immediately if you move to China.
After a revolution
You know it'll be the IT pros going to jail not the execs right?
Good, then they can stop the excuses for implementing the most shittiest things that ruined the web and just say no.
Why. I see Australia is intending on blocking YouTube and other platforms. Expect this more regularly
Every time I see a data breach caused by a third party vendor, I can't help but wonder why are these big companies so deeply reliant on outsourcing, yet so lax when it comes to controlling security?
Usually some regulation change that the company is not aware off, they have to run to find a fix as soon as possible, some business guy who don't know anything about tech find a vendor who are ready to sell a solution (they probably created their whole business last month on a gamble that the new regulation would be passed and that businesses would be rushing for a solution). Then they simply buy that solution "for compliance" as a top down decision, even when internal employees ring the warning bell.
Because the consequences of events like this are minimal so why would they waste time and effort worrying about it?
I don't think incidents like this are minor. I believe personal information security is very important. Maybe they see the consequences as small, but I don't.
1 reply →
Those are rookie numbers.
Time to pump up those numbers…
we publish this every year or so: https://qbix.com/blog/
I understand I grew up in a different era but it is beyond absurd to me that a chat application requires government ID from it's users. I understand the rationale but I do not find it convincing in the least, especially with the way that security is treated at basically any entity that has this kind of info on file.
I do not like this world that we have created and I would like to apply for a full refund
Rationale is likely the requirements of age verification rules by UK, some US states, etc.
We could likely see a bit more of these data leaks in the future I guess, due to how there are more and more countries/states adopting this.
newer generations have been indoctrinated early
Looking forward to being forced to provide my government ID to access Discord [1], when they have only just suffered a major breach. Good stuff.
[1] https://support.discord.com/hc/en-us/articles/30326565624343...
ZenDesk boasts on this:
”Discord's investments in AI-driven self-service with the Zendesk CX platform have enabled the company to provide seamless support.”
The Principle of Least Privilege is one of the foundational aspects of security. Governments should be enforcing that not requiring companies to collect very sensitive information like they are currently doing. Things like "prove your age", digital ID, and Chat Control are actively malicious when it comes to safety, security, and privacy.
Ah, the thing that everyone warned would happen has happened.
I work at a company where we also store government IDs in Zendesk. I've alerted management multiple times but no one seems to care. It's a disaster waiting to happen…
Leave paper trails (emails most likely) and keep hard copies.
Will the British Government be held liable for ID Thefts from this? If they hadn't created a honeypot with minimal security would this info now be out there?
WTF were they thinking about?
So it begins...
Where there is smoke, there is a fire. Wait for more and wait for people to learn how identity theft is the worst problem you can have.
Imagine you trying to prove that you are you, while somebody else with your passport details, driver license, address, DOB, phone SIM swap, etc, is acting like you causing all sort of financial disaster???
1995 The Net movie, people in 2025 will learn the hard way that was not just a movie.
I once accidentally set an incorrect birth year on Twitter. They locked me out of my account and insisted that I upload a government ID to unlock my account.
Did they accept the edited ID with a DoB matching the account data or how did you solve that?
I just... sent a scan of my passport. I mean, they promised to delete it right? Nothing could go wrong?
2 replies →
Why does discord have gov IDs? At this point we already have the tech to prove using zero knowledge that we have an ID
Source: https://discord.com/press-releases/update-on-security-incide...
Why haven't zero knowledge proofs shined in this area? Can anyone explain?
Aren't ZKPs useless for their paranoid 'children will die if they see boobies' crap because then they'd allow for a single common token to be shared willy nilly? Not to mention that surveillance is the clear government actual goal.
No, Discord would create a new challenge for every user by creating a random nonce.
They are on the way. The EU is field testing such a system now.
Merely weeke ago before this law came in we said this would happen.
It will keep happening as well.
Their IDs given in the name of "online safety" how safe are they now their IDs are leaked?
One's government digital identity should be public. It's my public identity. If there's some risk to this being the case, the it's a bad implementation.
Why are they permanently storing government ID's?
Why is it still so hard to identify yourself online?
Discord always was a privacy nightmare. How come people upload ids there? And why do the service stores them in hot storage?
How many times the same thing... most even tell you that they verify you and then delete your ID.
ZK proofs cannot become mainstream fast enough.
Wait already? I was hoping to hear about it next year. Maybe it’s a good thing that it happened early so they can fix?
No, it’s a good thing it happened early so they can remove it.
This is why I am really looking forward to PIDs in the European Digital Identity ecosystem (EUDI) [1]. This works with the OpenID Verifiable Credentials spec built on top of Oauth2. There are open source solutions in the competition for building the EUDI Wallet and the architecture and reference framework is openly accessible [2]. All credentials are kept with the holder (you) at all times. Basically implementation of the EU eIDAS 2.0 regulation, obviously subject to GDPR.
Mandated to be accessible to EU citizens by 2027 when all Member States have developed a Wallet solution.
Not associated but learned through it at work recently, just awesome project and thought I'd share in this context.
[1] https://commission.europa.eu/strategy-and-policy/priorities-...
[2] https://eu-digital-identity-wallet.github.io/eudi-doc-archit...
[3] https://github.com/openwallet-foundation/credo-ts
If only someone would have warned us
Oh no! Anyway software engineers are not real engineers so nobody will be held accountable.
First problem is - they never should have such data. Why you are sending them IDs?
What is the use case for uploading your government ID to Discord?
Two of the other replies are wrong. This isn't actually about the new 18+ age verification stuff that countries seem to be ramming through right now - as far as I know, Discord uses third parties for that service. The link from Discord's statement in the article mentions that this is about appealing account bans of users who were suspected to be under the legal age to use Discord at all (<13 in most places). This is an older thing, which also explains the amount of data that was leaked.
Joining "NSFW channels", which usually means porn. But some normal channel are also tagged NSFW to opt out of Discord's forced content filter on public servers, which has occasional baffling false positives.
So people are willing to upload their govt IDs to watch porn.
Wow.
Online Safety Act for the UK. You will be safe.
As the article says it’s used for age verification
We need more breaches, it will render that data unstorable
This is why social media should never ever ask for an ID.
Why are they even storing these? Once they have verified them as old enough, why keep them?
These companies should be forced to release a proper account of events - like Google/Cloudflare do when they mess something up
why would one give their government ID to Discord?
Why did they have them in the first place?
Bring back IRC.
It's still very much alive! Regularly active on a few channels spread across different IRC servers. Still works great.
It will only get worse, of course.
Pieces of shit. Do they need to look at them on a daily basis or isn't is enough to use them to confirm identity when received and then encrypt them and move them to an offline storage?
So many companies do not understand this simple principle. Blast radius reduction. But no, they need to have everything online, and instantly accessible all the time. Because they can't possibly be inconvenienced with a short delay in case they ever want to look at that piece of data that they will never want to look at anyway.
It is going to take a long time before companies realize that data they don't need is a liability, not an asset.
It's just a standard helpdesk application.
You submit a ticket to Discord with the ID attached when the automated ID verification didn't work for you.
Once the ticket is dealt with, Discord could have a policy of deleting the IDs, but they don't.
KYC is a bug
.... The government ID's they only started asking for as a bullshit requirement after running for like 10 years without needing them?
At some point we'll start seeing companies that rotate your passwords automatically and integrate with your autologins, and send immediate reports of breaches / suddenly failing logins.
Wait. Why isn't this a thing
haveibeenpwned?
afaik they do not actually handle your logins
I wonder how many people in the UK have actually got their passport out to sign into these services. I'm guessing the average HN user isn't likely to do this, but I'd love to see the numbers for the general populous.
And how will they pay for it?
How did we get to this state anyway?
Isn't HN supposed to be populated by the people who work at these companies, the fuck are you guys doing??
Whatever stereotypes you've read, about 0.01% of HNer's hold C-level jobs at huge tech companies, to be setting such policies.
And even at modest-sized companies, those are decided by Legal Dept's and senior business managers.
While you might find it cathartic, to angrily curse at some convenient Post Office employee for (say) the Postmaster General's latest postage stamp price increase - that is really not a classy move.
So where do the people making those decision hang out so we can shame them
2 replies →
I think it is nice that the GDPR forces companies to not keep too much data about people. And you can only have data that you need for the stated purpose (of course this leaves loopholes but it is good data hygiene to always consider).
For example, if you state you want to verify age, you only need the ID for a couple of seconds. So why didn't they think about the risk of a hack before? They could have done the age verification and then immediately deleted the document. The cynical take is af course they did think about it but would take the fine if it came to that...
Maybe it is good to make an example out of Discord? Don't keep stuff around if you don't need it should be common sense.
we, uuuuhhhhhh, we still gonna make every E-Tom, Dick.com and HarryAPI collect people's identifying information?
[dead]
[dead]
[flagged]