
Comment by codedokode

6 months ago

Companies usually promise that the ID would be used only for validation and then immediately deleted. How could so many IDs leak then? They verify millions of IDs per month?

The Discord message (in Australia at least) specifically says:

> The information you provide is only used to confirm your age group, then it's deleted

Refer screenshot: https://www.reddit.com/r/discordapp/comments/1nkrxcp/discord...

I can still swipe the message away, so I haven't done it yet. I'm going to work out how I can fake the face scan. I ain't sending Government ID to some chat app (no matter how big or small) that's over the top.

As an aside, I would have thought the age groups should be: 13 to 18, and 18+. They're the only ones that materially matter to the reason this check exists, in Australia at least. I don't want to contribute to their demographic analysis.

  • When the Australia subreddit was discussing the introduction of ID on Discord, the top comment was something along the lines of "look up openfeint". That was the day I uninstalled Discord. It may not be an easy decision, especially if you are part of important social communities, but we cannot accept this level of disregard for our identities.

    • I just looked up "Openfeint".

      It took me a while to find the connection to Discord. Not sure if I did because it seems like some mobile app for people who play mobile games with some connection to some Japanese network and hosted in China or something?


  • That is not the system that was compromised.

    It was Discord's helpdesk software (reported to be Zendesk).

    If you have problems with that system, you can log a support ticket with the Discord helpdesk, attaching your ID, and they can override it for you.

From the previous[1] statement:

> The unauthorized party also accessed a “small number” of images of government IDs from “users who had appealed an age determination.”

It makes sense they have to hang on to the ID in case of processing an appeal, which probably doesn't have the highest priority and hence stretches out in time.

[1]: https://www.theverge.com/news/792032/discord-customer-servic...

  • The funny thing about this is that it kinda makes it OK for Discord to still have the records. But...

    1. Discord still got hacked despite being a company that must have passed some level of authorised audit in order to be able to store government ID cards. (Who audits the auditors? Is there an independent rating of security audit companies? What was the vulnerability? Was there any Government due diligence?)

    2. This is a great example of why "something else" is needed for proof of identity transactions over the wire, and this "something else" should exist, and have existed for long enough to develop a level of trust, before Governments start mandating that private companies audited by other private companies must undertake actions that require the storage of Government ID documents. Banking level security and regulation should be required for any aggregator of such sensitive data. That fucking Discord had Government ID docs at all is beyond ridiculous. More so for Governments of countries other than where Discord was incorporated. A state-sponsored Russian / Chinese / North Korean / Iranian / <other> Discord-alternative would have been an interesting situation. The implicit trust in Discord, and any other "app publisher" requiring ID confirmation is just peculiar.

    • There is no reason for a company like Discord to ever see the ID. The owner of each relevant form of ID — usually a government agency/department — should provide an attestation service, such that users prove their identity to the agency and the agency tells the company "yes, this user is who they say they are".

      It's not that hard. Legislators around the world are consistently dropping the ball on this.

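The attestation flow proposed in the comment above, sketched as an added example (not part of the thread and not any agency's real API): the agency signs a claim that carries only an over-18 flag bound to the company's one-time nonce, and the company checks it with the agency's public key. The `Claim` fields, `chat.example` and the nonce values are assumptions made up for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Claim is all the company receives: no name, birth date or ID image.
type Claim struct {
	Audience string `json:"aud"`   // company that asked
	Nonce    string `json:"nonce"` // company's one-time challenge, stops replay
	Over18   bool   `json:"over18"`
	Expires  int64  `json:"exp"`
}

// Attest runs at the agency, after it has checked the user's ID itself.
func Attest(key ed25519.PrivateKey, c Claim) (payload, sig []byte) {
	payload, _ = json.Marshal(c)
	return payload, ed25519.Sign(key, payload)
}

// Verify runs at the company, which holds only the agency's public key.
func Verify(pub ed25519.PublicKey, payload, sig []byte, aud, nonce string, now time.Time) (bool, error) {
	var c Claim
	if !ed25519.Verify(pub, payload, sig) || json.Unmarshal(payload, &c) != nil ||
		c.Audience != aud || c.Nonce != nonce || now.Unix() > c.Expires {
		return false, errors.New("attestation rejected")
	}
	return c.Over18, nil
}

// Demo uses constructed values (fresh key pair, audience, nonces), not real data.
func Demo() (accepted, replayOK, tamperOK bool) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	now := time.Now()
	exp := now.Add(5 * time.Minute).Unix()
	p, s := Attest(priv, Claim{"chat.example", "n-7f3a", true, exp})
	accepted, _ = Verify(pub, p, s, "chat.example", "n-7f3a", now)
	replayOK, _ = Verify(pub, p, s, "chat.example", "n-9c21", now) // old token, new challenge
	p2, s2 := Attest(priv, Claim{"chat.example", "n-7f3a", false, exp})
	forged := bytes.Replace(p2, []byte("false"), []byte("true"), 1) // user flips the flag
	tamperOK, _ = Verify(pub, forged, s2, "chat.example", "n-7f3a", now)
	return
}

func main() { fmt.Println(Demo()) } // true false false
```

The company stores nothing but the boolean result, so a breach of its systems exposes no identity document.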

    • > passed some level of authorised audit in order to be able to store government ID cards.

      In a perfect world, maybe. Not in this one.

Do they actually say in the TOS that they will delete them? If they do, do they say immediately? How immediately? Right away or, perhaps, 1 month? Unless specified in contractual documentation, words like "immediately" or "soon" do not have any single definition, which allows them to stretch it without technically being in breach of contract. Not to mention that oftentimes, governments mandate data retention for so-and-so amount of time, so the companies are legally required in such cases to keep the data even if they, miraculously, desire not to.

Either the deletion promise is a lie, or the third-party vendor was storing the data anyway.

  • Or it's all kosher as per their "internal policy" which translates to "yes, it was deleted on the server where you first uploaded it" but "pre-deletion" it was "transitioned" to "another secure server" for "your convenience" and "everything is as per our T&C that you agreed to and we follow the highest standards of data security and safety. Thank you for your time".

    If Kafka were alive today, he'd see the world has outdone itself.

  • From what I understand, these were IDs submitted to the third-party for support cases where the user was disputing the verification process. Whether these leaked IDs were from open tickets or not should be the question, if my understanding of the situation is correct.

I guess they are required to store everything for years for "compliance". How else are they going to save their butts when someone manages to fake their identity through them?

The regulation lets identity verification companies store identity data for up to three years. The providers typically do it to train machine learning models for fraud detection.

Lying is usually legal.

And even if lying is illegal in a particular context, it's de-facto legal since nobody ever gets punished for it.

The fact the deletion is at all needed speaks for a pretty terrible design. The data should simply not be permanently stored.

I have quite a lot of experience dealing with personal identity information. Unless the latter has to be reported then it's never stored. Along with the fact it's actually deleted to comply with GDPR and friends (when it has to be recorded). In any case if any personal data is to be stored, it's always encrypted with personal keys.

deleted = database column

  • Or maybe they define 'delete' as moving data from "production" env to "deleted" env and if someone asked that data to be deleted even from there then the next step is moving from "deleted" to "purged".