Comment by terminalshort

1 month ago

What is the risk? Anyone who wants a picture of my face can already get one by googling my name and going to my LinkedIn profile.

For photos of ID this is obvious: A data leak, followed by impersonation ("identity theft") and unwelcome invoices and/or empty bank accounts.

Some dumb companies and gov entities use national ID numbers (Social Security numbers for Americans) as secret identifiers or grant access if presented. It typically has place of birth, date of birth, full names, gender, and face pic. In most cases this is enough to commit a ton of different kinds of fraud or hijack certain accounts (especially social engineering).

In my mind, national IDs (and the extra metadata of the person) should be public and only used for identification, not for authentication or authorization. Meaning there needs to be two or three extra steps after providing it to allow a transaction to occur. This needs to be a legal requirement for companies if they enter into contracts with a person.

If we need to prove we are not-minors or authenticate we are real or authorize access of personal information, the government should provide an API to auth the request, since they are the issuer of the document (the ID), so only they actually have the means to prove you are real and you are above 18. This can allow for a company to ask the gov, "is this person real and is this person above 18", and the gov shows me the request (OTP, USSD, email, OS popup etc.) to confirm the request and to select what info that company can pull. So it is a 3-legged system, no third-party companies involved. If the gov wants to create these constraints, they need to be the ones to provide the means to authenticate (both for the consumer and the company). Also, when the gov shows the request to the user/citizen, it needs to show exactly what the company is asking for and the full details of the company and the human representative that is making the request (almost similar to OAuth).

The problem runs much deeper than just "What's the risk, my facepic is public already". Oh and this has nothing to do with minors and won't protect them in any way - only way to protect them is to take internet access away. The internet is not a child-friendly place and wasn't built by or for children. We should not bend to make it child friendly as it will destroy the internet in the long term.

Depending on what they get about you, the risks range from impersonation all the way to deepfakes.
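
The three-legged confirmation flow proposed in the thread above (company asks, issuer shows the request to the citizen, issuer answers only what was approved), as an added sketch that is not part of any comment and not a real government API. All names, the sample record and the HMAC signature (a stdlib stand-in for an issuer's asymmetric signature, checked here by asking the issuer) are assumptions.

```python
import hashlib, hmac, json, secrets
from datetime import date

ISSUER_KEY = secrets.token_bytes(32)  # assumption: known to the issuer only
# Constructed sample record; the relying party never reads it directly.
REGISTRY = {"ID-0001": {"name": "A. Example", "dob": date(1990, 5, 17)}}

def _age(dob, today):
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))

# Derived yes/no claims: the issuer answers these without releasing the raw data.
CLAIMS = {"is_real": lambda rec, today: True,
          "over_18": lambda rec, today: _age(rec["dob"], today) >= 18}

def _sign(payload):
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()

def issuer_handle(request, ask_citizen, today):
    """Legs 2 and 3: show the request to the citizen, answer only what they approve."""
    rec = REGISTRY.get(request["subject"])
    if rec is None:
        return None
    # The citizen sees who is asking and exactly what for; unknown claims are dropped.
    prompt = {"company": request["company"], "representative": request["representative"],
              "asks_for": [c for c in request["claims"] if c in CLAIMS]}
    approved = set(ask_citizen(prompt)) & set(prompt["asks_for"])
    if not approved:
        return None  # no consent, no answer
    payload = {"aud": request["company"], "nonce": request["nonce"],
               "claims": {c: CLAIMS[c](rec, today) for c in sorted(approved)}}
    return {"payload": payload, "sig": _sign(payload)}

def issuer_verify(assertion):
    """Introspection: the relying party asks the issuer to confirm an assertion."""
    return hmac.compare_digest(assertion["sig"], _sign(assertion["payload"]))

def company_check_age(subject, ask_citizen, today):
    """Leg 1: the company asks a yes/no question bound to a fresh nonce."""
    req = {"company": "Example Shop Ltd", "representative": "J. Clerk",
           "subject": subject, "claims": ["is_real", "over_18"],
           "nonce": secrets.token_hex(8)}
    a = issuer_handle(req, ask_citizen, today)
    if a is None or not issuer_verify(a):
        return None
    # Reject answers minted for another request or another company (replay).
    if a["payload"]["nonce"] != req["nonce"] or a["payload"]["aud"] != req["company"]:
        return None
    return a["payload"]["claims"]
```

The company receives only the booleans the citizen approved; the date of birth, name and ID image never leave the issuer.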