[TameAntelope]

To be fair, it's not part of their login flow, it's part of their verification flow. It's a one-time thing, not an every-login thing.

I also see no problem with this. What could they realistically use this information for that would be nefarious? It doesn't actually store the ID in any real sense, as they explain in the link, and I see no reason for them to lie about that.

It's real easy to scream, "But My Privacy!!!", and probably a decent amount more difficult to come up with an actual and practical risk there.

Honestly, if your threat model includes "video game companies that lie about age verification systems", I don't think you're taking your security very seriously.

[modzu]

one risk is the inevitable data leak and having these documents for sale on a darkweb market. how exactly is the ID anonymized? who knows?

[MomoXenosaga]

In the Netherlands we have a government app that blacks out the sensitive stuff called kopieID.

Honestly if you are going to ask for identification ask for a passport or driver's license not this idiocy of credit cards and bank statements. That's just insulting my intelligence.

[TameAntelope]

The documentation says anonymized "value" is generated, so likely some kind of hash.

I don't think these are able to be stolen in any meaningful sense, based on how they describe their tech stack.