Hacker News new | ask | show | jobs
by ibeitia 1833 days ago
I’m an engineer on the Identity team. There are two somewhat separate questions here. (1) Whether the business should ever have access to this data. And (2) how exactly the business should access that data and the security properties around it. On (1) this data is fundamentally the user’s, and there are often important compliance reasons as to why the user needs access to the raw data because of obligations that they themselves are subject to. It’s important to remember that you should trust both Stripe and the business that’s asking you to verify your identity. They are in control of explaining to you how they are using this data and giving you an option to opt out—or lose you as a customer. On (2) we’re working on a way to restrict access via secret keys very soon.
4 comments
PuffinBlue 1833 days ago
> On (2) we’re working on a way to restrict access via secret keys very soon.

Hmm, this doesn't really seem to me like the sort of area where you bring out a MVP and then work out basic fundamentals like this afterwards.

link
3np 1832 days ago
How large percentage of Stripe Identity customers do you foresee actually are required by legal regulation to retain all this information, as opposed to verifying certain aspects of an individual, as opposed to wanting it and likely handling it in ways violating GDPR and similar regulation?

I’d argue that before Stripe sends any PII other than validation results to a customer, it needs to verify that the business indeed is under regulatory requirements to gather this data, and only sell the required part.

Alternatively, you could invert the process, allowing integrating businesses to send documents to Stripe, who replies if they’re legit or not.

Finally, if there is a need for sharing data with customers for e.g. KYC, shouldn’t this be priced significantly higher than verification/validation, so that Discords and Clubhouses can’t justify it from a business perspective?

What is the reasoning for doing neither of the above?

link
petemyers 1832 days ago
As a consumer, how can I request a removal of my personal info from Stripe's Identity database?
link
Mumps 1832 days ago
Same as petermeyers: how can I have my personal information removed from Stripe Identity? thanks!
link