by ryandrake 717 days ago
It's gotten to the point where if a company requires you to upload something to verify your identity, you should treat it as if that something is being posted visibly to the public internet, and decide based on that whether it is worth providing. Companies repeatedly demonstrate their inability to secure personal data that they obtain and store, while always issuing press releases about how "we take security very seriously."
5 comments

And the real scary stuff is that they demand more than the law requires. They're not just doing the minimal KYC/AML stuff (which is already a huge endeavor btw): they're going out of their way to get as much info as they can.

For example for AirBnB (well, granted some "conciergerie" service belonging to AirBnB, in France: but even if it's top-end it's still AirBnB) they wanted me to record a video of me of 20 seconds.

They're not the only ones to do that: I've seen other sites asking these vids.

The more regulated stuff, like brokers, banks, etc. shall ask what's legally required: proof of address (a utility bill), scan of the driving license, etc. but nothing more (at least in my experience).

But the non-regulated players: they invent stuff. They make up shit, apparently on the spot.

At some point they'll ask for a blood and urine sample to "verify my identity".

Which would be okay'ish, I guess, if they weren't so incompetent as to invariably leak those data when a hacker shows them who can code.

I take it the KYC/AML will have to be modified to prevent anything more than what is legally required from being collected.

I dimly recall some sci-fi quantum-technobabble book where a character is reminiscing that a collapsed government's most important duties were (A) identity and (B) official timekeeping.

The US Federal Constitution, back in 1787, immediately authorized a government-run postal service. If a similar scenario was echoed today, I think it would/should contain a government-run identity service.

Governments already have a compelling interest to identify people for the purposes of the legal system, property ownership, etc. With all that happening anyway, might as well have an API that allows for attestation and Single-Sign-On.

___

P.S.: Not having it isn't really an option, since it's a void that will still get filled, just differently... Either with a hodgepodge of half-broken systems, or an abusive private monopoly, and no accountability or good appeals process.

Obama briefly pitched the idea of this. A lot of people worried that the government providing services with the ability to verify identities would kill anonymity online, and it died.

And yet anonymity/privacy is already dead for the average consumer, and we don't get to benefit from a public, reputable SSO service...
For example, the IRS's free online filing thingy this year involves a third-party private company doing the ID checking and proprietary facial recognition database shit.

Hell, they didn't even white-label it behind a .gov domain and UI, which means they're training taxpayers to fall for phishing scams by disclosing their most sensitive data to any dang company with a spiffy web page and plausible-sounding domain name and a "Trusted By The IRS!" image sticker.

> a government-run identity service.

Sponsored and standardized, maybe, /run/ definitely not.

These entities love creating things like "No Fly Lists"; I can only imagine what their greedy little hands would do with the authority to strip one of the ability to prove their identity.

I wanted to step in and make fun of the Mark of the Beast people and paranoid gun owners who always freak out about things like this but then I considered what half the country would do if they had control over the immutable legal identities of gay and transgendered people, and I realize they might actually have a point.

It's not that a national identity service is a bad idea, it's a good idea and the US should have it, like it should have nationalized healthcare, education, UBI and gun control that's actually effective. It's that the United States government specifically can't be trusted to implement it at any level and in any way that won't lead to undesirables in mass graves. We just can't have nice things here.

> For example for AirBnB (well, granted some "conciergerie" service belonging to AirBnB, in France: but even if it's top-end it's still AirBnB) they wanted me to record a video of me of 20 seconds.

> They're not the only ones to do that: I've seen other sites asking these vids.

So basically they're trying to do a "liveness" check, probably under the assumption that videos are too hard to fake (and hopefully they compare the ID documents against the video). Honestly, that seems legitimate to me. With data leaks and generative AI, it's going to be increasingly hard to do the kind of identity verification tasks online that we take for granted.

I predict there will soon be a huge necessity and demand for in-person notaries to verify identities for online services. Want to open a bank account online and there's no branch nearby? Go to some ID verification business with a ticket number from the sign up workflow, they check your documents, and then they tell the bank if you checked out or not.

Canada Post has a service like this. They already need to do identity verification for some types of packages (certified/registered mail with mandatory Post Office pick up), so it's a natural extension.

Not sure how rigid it is though. Probably just a glance at a driver's license / ID card?

Anyhow, a good extra revenue stream for classic postal services.

> So basically they're trying to do a "liveness" check, probably under the assumption that videos are too hard to fake (and hopefully they compare the ID documents against the video). Honestly, that seems legitimate to me. With data leaks and generative AI, it's going to be increasingly hard to do the kind of identity verification tasks online that we take for granted.

I worked for a company that required these videos in one of the markets they served. Some countries have decent digital ID solutions already in place, but in many it's just a picture of a driving license or such that is so easily faked/stolen. Kind of a shame how in many countries officially identifying yourself online is not implemented/implemented badly enough that no-one uses it, so instead we have this poor uploading pictures of private documents and videos of yourself fallback.

> The more regulated stuff,

They have been regulated for a reason. Without regulation they will also do all kinds of stuff. (They still do a lot of really harmful stuff, but not as much as they could otherwise.)

Even Facebook is telling you to upload video. What a dystopia...

The amount of data collected is truly getting out of hand.

I was buying an iPhone from a cell carrier for their bundled cell plan deal. They used Stripe for payment processing. Stripe asked me to upload my driver license/passport and took a video of my face so their “AI” could verify my identity. I’ve been a customer with the carrier for years so my profile and credit card info were with them already.

The data collection was unbelievably intrusive. Really, I could just walk down to an Apple store to get the phone and go with another cell carrier. I did exactly that. Stopped the transaction and took my business elsewhere.

And, of course, a picture of your passport and driver licence proves absolutely nothing, except that you're able to upload a picture of a passport and a picture of a driver licence. Uploading a video of your face proves that, well, you have a face. It would be trivial to make the photo and video match with easily accessible technology.

At least where I live, governments don't really let a third party validate the info on a passport or even on a driver licence outside of a few regulated entities like banks - so they aren't doing anything useful with these photos, except storing them for the inevitable leak.

Yes. There's a reason hotels refuse to accept the photocopy of a driver license on paper or in phone as the ID for the check-in guests. Similarly hotels refuse to accept photocopies of credit cards. It's so easy to Photoshop an ID these days.

It's been so easy to Photoshop an ID since the '80s.

i mean i have worked in the industry (including a long stint in fintech!) for something like 20 years now and i genuinely have yet to work at a place that didn't just nod knowingly at the need for it.

i genuinely struggle to recall an active effort to continuously train, test, and improve security that had any impact across any company i've worked at. it's super costly work that feels like a pure expense to folks who don't know any better.

i recall substantially longer discussions - at the company i worked at that handled people's banking credentials and is part of one of the largest financial institutions in the world - about how we could spin "the disks that your secure data is stored on are encrypted at the OS level" to sound as secure as possible without lying. far, far fewer meaningful discussions were had about how to audit for real security issues or train folks to write more secure code or build more secure systems.

i know that anecdotes aren't evidence but i've really met very few folks in my time in engineering who had experiences different from mine.

They take the security of their cash flow very seriously. Which is partly why the anti-regulation vibe in Silicon Valley bums me out so much. The writing is literally on the wall here.

I mean... realistically, everyone should just assume their data is public, because if it's not for private companies, most states have had their systems hacked and data taken.