Even if a service doesn't have it in their TOS that they sell it to 3rd parties, they might do it anyway, or there will, sooner or later, be a breach of their poorly secured system.
To make it clear - I don't particularly blame any one corporation, this is a systemic issue of governments not having/not enforcing serious security measures. I just completely dropped the expectation of my information being private, and for the very few bits that I do actually want to stay private, I just don't, or allow anyone to, digitalize or reproduce them at all in any way.
We need to make sure nobody is surprised. Everyone should rewrite every "upload" button in their head to say "publish".
It definitely is not, unless you are doing some sort of survey.
Of course blanket "not surprised" is perhaps not helpful without linkage to the people who denied the risks at steps a, b, c etc. But this is why we really need decision makers and politicians to be treated like anyone making a bet: we need to have collateral takes and enforcers. The "I am surprised" people who are silent would be forced to show they believe "it does not happen" by backing the bet and the "I'm not surprised" people would be raking it in.
With no bets, no collateral (or rather other people's lives), you just get this kind of lying in accounting and a scam. It happens in all kinds of domains with commons risk. This is a particularly good example because it is not so emotionally triggering and divisive (most people presumably don't want their data leaked and can't argue immediately that you are Xist or whatever).
Anyway, I love thinking about this stuff. Hopefully HN does not think these meta-discussions are spammy.
You're welcome to your opinion, of course. Just don't project it onto others.
People who don't really care would, in my experience, use sarcastic tone more often.
Much like the problem in the US Congress: they are not subject to insider trading laws, so they can make huge sums of money acting on non-public information. The only people that can change that are ... members of the US Congress.
https://en.wikipedia.org/wiki/Reactions_to_the_Panama_Papers
[0] https://medium.com/@drewsmith_6943/apple-wallet-id-is-the-so...
If all the X's can agree that one of the claims in the SSO is "is_adult", then at least you limit the exposure of your government ID to X getting breached, while all the "sign in with X" sites won't have access to the ID itself, just the claim.
Of course, pretty much every X gets breached anyway, and the walled garden shenanigans are not attractive, but it's better than every site getting your ID.
"Really, your honor, it's hardly different from an author getting a DBA or LLC for his pen name."
Don't we still have states and countries issuing new IDs for trans people that don't link to their old identities? Do I have to threaten to kill myself because people won't treat me like a pretty girl in order to get one; or should erasing your past, anonymity, or at least pseudonymity be a right that we all get?
> "Really, your honor, it's hardly different from an author getting a DBA or LLC for his pen name."
This is the worst, really. The only way to be truly anonymous is to open corporations, because corruption relies on laundering money through corporations.
Also, it'd only be a DBA/LLC depth of "identity". Those do not give you a citizenship, nor clean police record, nor new gender, nor legal adult status, nor marriage, nor SSN/EIN, nor voting rights, nor ...
Yes, I know this is a utopia and it won't happen.
Edit: afaik storing the photo is only needed in medical cases to alternatively assess having the correct person. Bit much for something as simple as age verification.
This breach is about the manual alternative to that, where you can appeal to Discord customer support if the automated thing says you’re not the right age. They seem to do that in part by having you send a picture of your ID.
I’m sure in their database they’re then just storing the date of birth etc, but then they obviously just don’t bother deleting the private image from the customer service software.
I mean.. if the governments did their jobs and multiplied the punishment for a single breach by 70.000 (in this case) and caused the company to go bankrupt.... well, only then would the companies reconsider. But until then, they won't.
It's my take as well, frankly.
Without going too much off-topic: In a vacuum, you are right. In reality, facts are reported because they sell.
It is a good day when important facts like this one happen to coincide with what people want to know more about. (the recent UK attempt at stripping the rights of its citizens)
Tomorrow, people will have forgotten all about it, and the government can continue to expand its powers without anyone talking about it.
Wrong, governments caused the issue because they demand customers to ID themselves. There exists not a single viable security measure aside from not collecting the data. Government is also not able to propose any security measures.
Unlikely that the data will ever be deleted now, no matter if Discord pays any ransoms or not.
There's really only a few countries in the world who can provide the services needed to make this work. Off the top of my head, Estonia, Sweden and Denmark (there's probably others).
I don't want to ID myself if it isn't necessary. Proven security mechanism to minimize data collection. It is a security risk, even with ZKP. It wouldn't even be hard to correlate the data, especially since governments also force ISPs to save connection info.
There is no need for a foul compromise here.
Here was an interesting example recently https://help.kagi.com/kagi/privacy/privacy-pass.html
At worst keep the birth date, since various aspects of a service can be available depending on age (and the user can change locality / country, and therefore be subject to different law).
If you keep on top of it, you have at most 3 days of users' "ongoing verification" sensitive data available for theft. Keeping more than that will always be an invitation to bad actors.
If they only store a boolean or a birthday then they can't show how they verified the data.
In practice it's basically not used anywhere except for cigarette vending machines because it's much simpler to hire some dubious third party "wave your ID in front of your camera" service
Edit: mandatory age verification is still an atrocious idea for a number of other reasons, just to be clear
I would even prefer the dubious service because of the relationship dynamics I mentioned. Best case is that age limits for the net should be enforced on device by parents. Problem solved, no unnecessary infrastructure needed.
Not some different unstated goal, such as ending online anonymity.
And the fact that the companies have to implement the system themselves is just crazy. It is very obvious that if the government requires such a check it has to provide the proof/way of checking, just like in the physical world it provides the id card/passport/etc used for checking this.
In Sweden it wasn't the government that provided id cards, but the post office and banks. It became the government's job sometime after Sweden joined the EU, after the introduction of the common EUID standard.
And even then online identification is handled by a private company owned by banks: https://en.wikipedia.org/wiki/BankID_(Sweden)
This also makes things difficult for immigrants for the first month or two in the country as a lot of services (like making a phone or internet contract) require this identification to use but it is also a bit of a hassle to get a bank account (but getting a new bank account in a different bank once you have a bank account to do the strong verification takes like 2 minutes)
There is a government system but most don't use it but I expect once the eu digital identity wallet thing rolls around a lot of ppl will switch (or be required to?) to that
https://commission.europa.eu/strategy-and-policy/priorities-...
But very importantly this government bank id, the identification part of the eu id wallet or really any identification system should not be used for age verification as it actually identifies the user, not just gives a proof that the user is over X years old.
But we can't realistically expect every service that needs age check to work with 27 (eu countries) different systems but instead we need to unify it into a single api contract which is what this age verification app basically does.
The system is highly convenient and pretty safe, but it does still need vigilance from the user. Which is tricky, re all those phishing attempts and click-scams which people fall for again and again and again.
Isn’t this how most industry regulations work? It’s not like the government provides designs to car companies to reduce emissions or improve crash safety.
Or are you suggesting that anyone should be able to make their own passport?
Or a bit closer example. If there were no official id cards/passports/etc (there currently is no official way of proving your age online) and the government made a law that mandates that one has to be over X to buy alcohol. Whose job is it to provide the means to prove that you are over X?
For the car a proper analogy would be the government requiring a driver's license. Who provides the driver's license? Should every manufacturer provide its own?
Yes, there are things that the government directly issues and provides. But the vast majority of regulations are like this one where it basically says "I don't care how you do it, but you need to check the age of your customers."
As another example, the government doesn’t make soap but it does mandate that restaurants have hand washing stations.
Think about it - the claim is that those systems can prove aspects of someone's identity (eg age), without the site where the proof is used obtaining any knowledge about the individual and without the proof provider knowing where the proof is used. If all of these things are true while users are running software they can control, then it's trivial for an activist to set up a proxy that takes requests for proofs from other users and generates proofs based on the activist's identity - with no downside for the activist, since this can never be traced back to them.
The only thing that could be done is for proof providers to limit the rate of proofs per identity so that multiple activists would be required to, say, provide access to Discord to all the kids who want it.
The trusted machine would test your ID (or sometimes accept cash) and dispense single-use tokens to help prove stuff. For example, to prove (A) you are a Real Human, or (B) Real and Over Age X, or (C) you Donated $Y On Some Charity To Show Skin In The Game.
That ATM-esque platform would be open-source and audited to try to limit what data the government could collect, using the same TPM that would make it secure in other ways. For example, perhaps it only exposes the sum total of times each ID was used at machine, but for the previous month only.
The black-market in resold tokens would be impaired (not wholly prevented, that's impossible) by factors like:
1. The difficulty of scaling the physical portion of the work of acquiring the tokens.
2. Suspicion, if someone is using the machine dozens of times per month—who needs that many social-media signups or whatever?
3. There's no way to test if a token has already been used, except to spend it. By making reseller fraud easy, it makes the black-market harder, unless a seller also creates a durable (investigate-able) reputation. I suppose people could watch the vending-machine being used, but that adds another hard-to-scale physical requirement.
Anyone who visits pornhub and doesn't want to open an account?
It might be a better idea to frame your idea in terms of online interactive proofs rather than offline bearer tokens. It's of course a lot less private/convenient to have to bring a phone or other cell-modem enabled device to the vending machine, especially for the average person who won't exercise good digital hygiene. Still, some sort of high-latency challenge-proof protocol is likely the way to go, because bearer tokens still seem too frictionless.
For example (3) could be mitigated with an intermediary marketplace that facilitated transactions with escrow. If tokens were worth say $2, then even just getting 10 at a time to sell could be worth it for the right kind of person. And personally I'd just get 10 tokens myself simply to avoid having to go back to the machine as much. In fact the optimal strategy for regular power users might be to get as many tokens as you think you might need to use (even if you have to pay for them), and then when they near expiration time you sell them to recoup your time/cost/whatever.
Adding large and unpredictable amounts of latency makes that kind of correlation weaker and hopefully impractical.
Of course, this would require people to exercise some restraint with regards to their timing.
But the real problem is that nobody actually wants these types of systems, so there is no organic demand. The motivation only comes as directives from governments, so it's not about the technically best system but rather whatever corporate lobbyists can manage to get mandated.
That is not necessarily true. There are ZK setups where you can tell when a witness is reused, such as in linkable ring signatures.
Another simple example is blind signatures, you know each unblinded signature corresponds to a unique blind signature without knowing who blinded it.
Proven to work and we wouldn't be dependent on untrustworthy identity providers.
The thing is with such a ZK system you are still collecting and compiling all this data, it's just done by some sort of (government?) notary and there is a layer of anonymity between the notary and the verifier (which they can cooperate to undo).
The real political problem is the concentration of personal information in one place. The ZK system just allows that place (notary) to be separate from the verifier.
Fundamentally it limits a person to one account/nym per site. This itself removes privacy. An individual should be able to have multiple Discord nyms, right?
Then if someone gets their one-account-per-site taken/used by someone else, now administrative processes are required to undo/override that.
Then furthermore it still doesn't prevent someone from selling access to all the sites they don't care about. A higher bar than an activist simply giving it away for free, but still.
Yeah, I think so. I mean this is like my 20th hacker news account. I am using my 5th discord account right now.
But at the same time it would be an interesting to see how anonymous yet sybil-proof social media would work out.
I get the feeling that it's already pretty easy to buy and sell fake IDs, so I don't think it would pan out in practice. I also had the same idea as you: if such a system were to exist, you could sell proofs for all the services you don't use.
Usually, these zero-knowledge proofs are backed by some sort of financial cost, not the bureaucratic cost of acquiring an ID. All of these "linkable" ZK proofs are aimed at money systems or voting systems.
In the blind-signature based money systems, a big problem used to be dealing with change; you had to go back and spend your unblinded signature at the signatory to get a new one. In a similar fashion, maybe you could make it so that users could produce a new ZK proof by invalidating an old one? So you could retire an old nym if you get banned, and create a new nym but you could only have one at a time? IDK if that is a reasonable tradeoff.
I agree it could be interesting but on the other hand we see plenty of people posting tripe under their public meatspace nym. The real problem with social media is the centralized sites optimizing for engagement, which includes boosting sockpuppets into view of the average user. So focusing on controlling users continues to ignore the puppetmaster elephants in the room.
I think talking about crypto details is a red herring on this topic though. User controlled computing devices mean that any two people can run software that behaves as a single client, using the credentials of the first person to give access to the second person. The only way to stop this is to make the first person have skin in the game, which is directly contrary to all of the privacy goals.
Chewing on this problem a bit more, it's starting to feel like this "use cryptography to prove aspects of your identity without revealing your identity" is actually a bit of a longstanding nerd-snipe. It seems like a worthwhile problem because it copies what we do in meatspace for liquor/stripclubs/gambling/etc. But even the meatspace protocols are falling apart with a lot of places using ID scanners that query (ie log) a centralized database, rather than a mere employee who doesn't really care to remember you (and especially catalog your purchases). The straightforward answer to both is actually strong privacy laws that mandate companies cannot unnecessarily request or store data in the first place. Then some very simple digital protocols suffice to avoid this issue of identity being implied by knowing one mostly-public number.
(FWIW the problem of making change always seemed very simple to me - binary denominations of coins/tokens. I've always thought the statement of it as a problem has more to do with the speed of crypto ops during the period of early ecash research)
This is an example why that was a bad idea in the first place. No damage control for bad solutions will change that.
https://www.scmp.com/week-asia/politics/article/3300568/thai...
You're being returned the favor! Anyone that's ever entered the US has had to do the same, and our prints are being stored in a DHS database.
Out of curiosity, did you not need to provide prints to get a passport in the first place? I can't imagine a single developed country without biometric passports.
And I've chosen not to engage with more than one such community because I'm not prepared even to give Discord my phone number, let alone any kind of ID document. Luckily there's nothing on Discord I care about that much, so I'm not having to make too difficult a choice. I totally get why most people won't take such a stand.
That’s assuming EUDI never gets breached — but if Google and every major tech company has been, it’s only a matter of time, but this will have way more personal info ....
I've been using discord for 5 years and never upload my ID … And I don't want discord (or any other company) to know my age, or any other identification ...
[1] https://www.wi.uni-muenster.de/news/5104-new-publication-pri...
> the EU implementation is better.
It's better than the current implementation, sure, but you can never beat zero identifiers
The issue isn’t who already has our IDs, it’s that EUDI introduces new auxiliary information (public keys, signatures, revocation identifiers) that create globally unique, linkable identifiers.
Even if the same institutions issue the wallet, each transaction generates additional personal data that can be misused for tracking and profiling, far beyond the data already stored in government registries.
But clearly this isn't the way the internet is going. As much as I hate it, it seems inevitable that globally every government is introducing at least a requirement for websites to check the age of their users.
So right now this can be done (here in the UK anyway) either by scanning your ID with a 3rd party provider who "promises" to delete it straight away, or by linking your bank account (yes, I'm definitely going to do that to go on pornhub, 100%). Both methods have the problems you mentioned + the additional risk of leaking my personal details because they are getting more info than they need to fulfil their legal obligations.
But if the government could just issue me an expiring cert that says "yep, this user is 18", without any of my other data on it.....then that's vastly preferable to having to scan my passport or driving licence to browse reddit or discord or whatever? Like yeah, maybe someone could still track it somehow (don't see how if every certificate has a unique ID and doesn't contain any identifiable info other than "yep this is a valid certificate and yes the user is over 18", but let's just say they can), but at least my IDs are not at risk of being leaked anywhere.
Best security: Don't collect. Nothing comes close, not even the best ZK setup.
Also, as a European citizen I really don't want it. Ironically governments aren't mature enough for that.
EUID is made for working with government agencies, banks, etc where you need proper identification of the person, and the age verification for verifying one's age (it doesn't even say how old you are, just that you are over X years old).
End goal is to unify them into the same app at some point but the certificates/validation flows are different. Also as the use cases are very different, for the proper identification a whitelist is used on who is allowed to request it. With age verification, as it is just a certificate that anyone can validate against the public key, no whitelisting is possible (or wanted really).
(I don't really want to call out specific comments)
So I'm sure this article may be surprising to them.
It doesn't even need to be poorly secured. The oldest form of hacking is social engineering. If a company is storing valuable enough information, all one needs to do is compel the lowest common denominator with access to it to intentionally or inadvertently provide access.
You can try to create all sorts of loopholes and redundancies but in general the reality is that no system is ever going to be truly secure. Another reality is that many of the people with the greatest level of access will not be technical by nature. For instance apparently the DNC hacks were carried out by a textbook phishing email - 'You've like totally been hacked, click on this anonymizer link that leads to Goog1e.com so we can confirm your identity.'
You can then prevent certificate forging by forwarding a cryptographic hash of the requester identity (generated by the website client), which will be included in the cert body so the website can verify the attestation was generated for this specific request, and it cannot be randomly reused.
Of course this doesn't solve the problem of using your grandma's id to bypass age restrictions, but I think that problem is worth the cost of privacy gains from corporations not validating IDs directly and screwing up like Discord's vendor did here.
Or the certificate isn't the same every time and therefore you can generate a whole bunch of them and give them out for $2 apiece.
Or the certificate isn't the same every time and also isn't anonymous so they can trace who's doing that.
You don't have to reuse the same certificate for several requests. You can get a new one for every request, for every person who is asked to verify their age and pays you $2, and if they're actually anonymous, there's no way to know you did this. Is a rate limit part of the proposal? Can I only sign up to one adult service per week?
Unless you meant the requester's real identity, in which case... we're back to not anonymous.
> You don't have to reuse the same certificate for several requests. You can get a new one for every request, for every person who is asked to verify their age and pays you $2, and if they're actually anonymous, there's no way to know you did this. Is a rate limit part of the proposal? Can I only sign up to one adult service per week?
This is trivially easy to detect at the attestation service. If someone is trying to repeatedly (and programmatically) use the same personal ID to generate attestations for different request IDs in a short time frame, you can throttle them, flag them, revoke their cert, whatever.
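The blind-signature idea raised earlier in the thread ("each unblinded signature corresponds to a unique blind signature without knowing who blinded it") and the per-identity throttle described in this comment, worked through as an added example. This is not code from the thread, Discord, or any EUDI or attestation service; it assumes a toy pure-Python RSA-FDH blind signature, a constructed `Issuer` that has already checked the real ID, a constructed `Verifier` with a replay set, and a simple per-identity counter standing in for a real rate limit.

```python
import hashlib
import secrets
from math import gcd

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test (sufficient for a constructed demo key)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def fdh(token: bytes, n: int) -> int:
    """Toy full-domain hash of the token into Z_n (constructed for this demo)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % n

class Issuer:
    """Attestation service: has checked the real ID, signs values it cannot read."""
    def __init__(self, bits: int = 512, max_per_window: int = 5):
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        self.n, self.e = p * q, 65537
        self.d = pow(self.e, -1, (p - 1) * (q - 1))
        self.max_per_window = max_per_window
        self.issued = {}        # identity -> attestations in the current window
        self.blinded_log = []   # everything the issuer ever sees from clients

    def sign_blinded(self, identity: str, blinded: int) -> int:
        """Per-identity throttle, then a plain RSA signature on the blinded value."""
        count = self.issued.get(identity, 0) + 1
        if count > self.max_per_window:
            raise PermissionError(f"{identity}: attestation rate limit exceeded")
        self.issued[identity] = count
        self.blinded_log.append(blinded)
        return pow(blinded, self.d, self.n)

def request_token(issuer: Issuer, identity: str):
    """Client: random token, blind its hash with r^e, get it signed, unblind."""
    n, e = issuer.n, issuer.e
    token = secrets.token_bytes(32)
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            break
    blinded = (fdh(token, n) * pow(r, e, n)) % n
    blinded_sig = issuer.sign_blinded(identity, blinded)
    sig = (blinded_sig * pow(r, -1, n)) % n   # (h * r^e)^d * r^-1 = h^d mod n
    return token, sig

class Verifier:
    """Relying site: needs only the public key; keeps a replay set of used tokens."""
    def __init__(self, n: int, e: int):
        self.n, self.e, self.seen = n, e, set()

    def accept(self, token: bytes, sig: int) -> bool:
        if pow(sig, self.e, self.n) != fdh(token, self.n) or token in self.seen:
            return False
        self.seen.add(token)
        return True

def demo():
    """Returns (accepted, replay_rejected, unlinkable, forgery_rejected, throttled)."""
    issuer = Issuer(max_per_window=2)
    site = Verifier(issuer.n, issuer.e)
    token, sig = request_token(issuer, "citizen-A")
    accepted = site.accept(token, sig)
    replay_rejected = not site.accept(token, sig)
    # The issuer only ever saw h * r^e, so the presented token cannot be matched to its log.
    unlinkable = fdh(token, issuer.n) not in issuer.blinded_log
    forgery_rejected = not site.accept(b"not the signed token", sig)
    request_token(issuer, "citizen-A")   # second attestation still within the window
    try:
        request_token(issuer, "citizen-A")
        throttled = False
    except PermissionError:
        throttled = True
    return accepted, replay_rejected, unlinkable, forgery_rejected, throttled
```

Note that the throttle keys on the real identity at the issuer, not on anything the relying site can see, which is the trade-off the thread is circling: the issuer can count, but only the issuer.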
What if I'm checking out all the online casinos and each one wants an age token?
I'm not defending age verification's existence in the first place btw, I don't think it's a good idea without secure protocols of central attestation for such things. But of course, governments aren't interested in solving the harder more valuable problem, they're interested in shifting the responsibility to corporations while crying foul.
We see things like this, which happen about as often as fucking rainfall in a mountain forest, and then also see the ever increasing push towards ID verification by corporations and government organizations that pinkie-promise to secure or not retain any of the personal data you were wrist-burned into handing over to them.
What a toxic mix of garbage that becomes. The result is crap like the above, making the internet ever worse and basic personal data security (to not even speak of lofty things like digital privacy and using the internet anonymously) pretty much null and void even if you really do try to take the right steps.
71% want age verification
https://www.pewresearch.org/short-reads/2023/10/31/81-of-us-...
How that's done is the issue but you can't blame the government and corporations for making it happen.
Is it this, or is it a "systemic issue of governments not minding their own damn business"???
The real, long term answer to all this consists in having less of our lives in digital presence, that even means less digital government thingies and, yes, less payments and other money-related issues being handled online.
Why is there no rotation possible? Why is there no API to issue a new secret and mark the previous one as leaked? Why is there no way to have a temporary validation code for travels, which gets auto revoked once the citizens are back in their home country?
It's like governments don't understand what identity actually means, and always confuse it with publicity of secrets.
I mean, more modern digital passports now have a public and private key. But they put the private key on the card, which essentially is an absolute anti pattern and makes the key infrastructure just as pointless.
If you as a government agency have a system in place that does not accommodate for the use case that passports are stolen all the time, you must be utterly out of touch with reality.
Their goal is not to build resilient systems — it is to preserve control. The internet was born decentralised, while governments operate through centralised hierarchies. Every system they design ends up reflecting that mindset: central authority, rigid bureaucracy, zero trust in the user.
So instead of adopting key rotation, temporary credentials, or privacy-first mechanisms, they recreate 1950s paperwork in digital form and call it innovation.
If you upload anything to the internet, it's public. Even the passwords you type are potentially public.
Still remember the conversation over "mega apps"?
Based on my experience with Alipay, which was a Chinese financial-focused mega app but is now more like a platform of everything plus money, the idea of treating every bit of information you uploaded online as public info is laughable.
Back when Alipay was really just a financial app, it made sense for it to collect private information, facial data, government issued ID etc. But now as a mega app, the "smaller apps" running inside it can also request permission to read this private information if they want to, and since most users are idiots who don't know how to read, they will just click whatever you want them to click (it really works like this, magic!).
Alipay of course pretends to have protection in place, but we all know why it's there: just to make it legally look like it's the user's fault if something went wrong -- it's not even very delicate or complex. Kinda like what the idea "(you should) treat it (things uploaded online) as 'any member of public can now access'" tries to do, blame the user, punch down, easy done.
But fundamentally, the information was provided and used in different context, user provided the information without knowing exactly how the information will be used in the future. It's a Bait-and-switch, just that simple.
Of course, Discord isn't Alipay, but that's just because they're not a mega app, yet. A much healthier mentality is to ask those companies NOT to collect this data, or refuse to use their products. For example, I've never uploaded my government ID photos to Discord; if some feature requires it, I just don't use that feature.
To do so seems impractical. Imagine the government machinery that would be required to audit all companies and organizations and services to which someone can upload PII.
Not tractable.
There are all the reasons in the world to feel that way. The scary thing (says troyvit as he passes out the tinfoil hats) is that privacy laws are all about an "expectation of privacy." In other words we all expect privacy when we're in our bathrooms, so government surveillance in the bathroom is hard to justify. Now that there are cameras in supermarket checkouts, and we all expect them, legally that's no longer a privacy concern and we can't claim that our privacy is being unreasonably infringed.
And what you're saying is that now we've reached the stage in history where through incompetence and greed we shouldn't expect any privacy anyway, and that opens the door for all kinds of surveillance because our expectations have fallen so low. I'm not a lawyer btw so take it all with a grain of salt.
The only rule I can imagine is big penalties for data being breached, no matter the cause, but do we actually think it's a multi million dollar problem for 70k photos to be released? Hard problem.
If I want the ID of a bunch of Discord users, I don't go after Discord directly, I find some bot that the targeted users have on their discord servers, or third party service that Discord uses themselves. Then I find some individual person with access to those things, and I harass and/or threaten that person until they give me what I want to make me go away. If I think they might be crooked, I might just offer them a cut of the take. I'm probably not paying them though, not unless I think I can leverage them against other targets and need to keep them around.
Either way, an individual person isn't going to be able to hold off a coordinated attack for very long, and law enforcement generally doesn't give a shit about internet randoms attacking individual people.
Citation needed. /s
cough Microsoft cough
What other third party was Discord using if not Zendesk? Whose reputation are they protecting?
This might even be a PR move. They fucked up and can merely say "a third party" did it. Who's gonna verify this?
Unless we have whistleblowers we will never know. What a disgrace.
Kinda feels like Discord is lying by omission.
Edit: Actually my bet is their support staff just sold them out.
> they were able to compromise Discord Zendesk by compromising a "BPO Agent" (outsourced support).
> Of course, as is tradition, it is also entirely possible they're lying
The information you provide is only used to confirm your age group, then it's deleted
Refer screenshot: https://www.reddit.com/r/discordapp/comments/1nkrxcp/discord...
I can still swipe the message away, so I haven't done it yet. I'm going to work out how I can fake the face scan. I ain't sending Government ID to some chat app (no matter how big or small) that's over the top.
As an aside, I would have thought the age groups should be: 13 to 18, and 18+. They're the only ones that materially matter to the reason this check exists, in Australia at least. I don't want to contribute to their demographic analysis.
It took me a while to find the connection to Discord. Not sure if I did because it seems like some mobile app for people who play mobile games with some connection to some Japanese network and hosted in China or something?
From the Wikipedia page: "In 2011, OpenFeint was party to a class action suit with allegations including computer fraud, invasion of privacy, breach of contract, bad faith and seven other statutory violations. According to a news report "OpenFeint's business plan included accessing and disclosing personal information without authorization to mobile-device application developers, advertising networks and web-analytic vendors that market mobile applications"."
It was Discord's helpdesk software (reported to be Zendesk).
If you have problems with that system, you can log a support ticket with the Discord helpdesk, attaching your ID, and they can override it for you.
The unauthorized party also accessed a “small number” of images of government IDs from “users who had appealed an age determination.”
It makes sense they have to hang on to the ID in case of processing an appeal, which probably doesn't have the highest priority and hence stretches out in time.
[1]: https://www.theverge.com/news/792032/discord-customer-servic...
1. Discord still got hacked despite being a company that must have passed some level of authorised audit in order to be able to store government ID cards. (who audits the auditors? Is there an independent rating of security audit companies? What was the vulnerability? Was there any Government due diligence?)
2. This is a great example of why "something else" is needed for proof of identity transactions over the wire, and this "something else" should exist, and have existed for long enough to develop a level of trust, before Governments start mandating that private companies audited by other private companies must undertake actions that require the storage of Government ID documents. Banking level security and regulation should be required for any aggregator of such sensitive data. That fucking Discord had Government ID docs at all is beyond ridiculous. More so for Governments of countries other than where Discord was incorporated. A state-sponsored Russian / Chinese / North Korean / Iranian / <other> Discord-alternative would have been an interesting situation. The implicit trust in Discord, and any other "app publisher" requiring ID confirmation is just peculiar.
It's not that hard. Legislators around the world are consistently dropping the ball on this.
One of Discord’s third-party customer service providers was compromised by an “unauthorized party,” the company says. [...] The unauthorized party “did not gain access to Discord directly.”
Tangent: I've regularly been required to provide copies of my ID to all kinds of businesses simply to function in society — i.e. in practice there is no realistic option to opt out. Want to rent a house? X points of ID. Want a phone? X points of ID. Pretty much every real estate agency in town has copies of at least my driver licence. And they in turn share my details with tenant database companies, credit reporting agencies and so on. Do you think many of these businesses have good data handling practices? Of course they don't. And so all my details are available for purchase in bulk data sets on the dark web, and get refreshed by new data breaches every few years. And yet government still treats it as somehow unexpected each time this happens, or wags its finger and bemoans those naughty criminals, instead of developing any kind of policy that would start to address the underlying issue... which is that our personal details are spread so far and wide in the first place.
In a perfect world, maybe. Not in this one.
If Kafka were alive today, he'd see the world has outdone itself.
And even if lying is illegal in a particular context, it's de-facto legal since nobody ever gets punished for it.
It is ubiquitous in every part of the business world, both internal and consumer-facing.
A lot of things a layperson would agree were damages just won't fly in civil court, and even when there is damage it's limited by factors like what actions you could have taken to mitigate (but may not have).
I have quite a lot of experience dealing with personal identity information. Unless the latter has to be reported then it's never stored. Along with the fact it's actually deleted to comply with GDPR and friends (when it has to be recorded). In any case if any personal data is to be stored, it's always encrypted with personal keys.
I am not surprised these laws are landing with such little resistance.
What you are overlooking is that Discord is the new MSN Messenger, YIM, etc. Your friends are not backed up in a meaningful way, nor are the servers you're in; if you lose your account, you lose contact with basically your entire internet life and friends.
Discord should not keep those IDs longer than a month at a time; once the user is unbanned it should be deleted a week later, or removed from that panel altogether.
> You've got to be a complete moron uploading your gov ID to discord
^ Still stands.
But we're forgetting there that the average person online is not a dev. The most they usually know is how to point and click on something. Which also means they usually don't know how to spin up a Linux machine/VM somewhere and install their own chat server.
Discord is popular because it lets almost anyone on Earth point and click to create a chat "server". If someone can figure out how to do that (eg cPanel), you can absolutely break their moat.
VC is also drastically quieter on average, but can be fun too.
You can do better than victim blame, and instead point the finger at Discord and whoever told the British government that delegating ID control to third-parties was a good idea.
Company enacts policy enforced on them by law, for example requiring proof that a user is above the age of 18 to be able to use a channel where other users may use naughty words (The Horror!!!).
User struggles to use the automated age check system (I used the "guess age by letting an AI have a look at a selfie" method and it was a pain in the ass which failed twice before it finally worked) so does what is recommended and makes a support ticket. [0]
User, relying on the published policy that Discord will delete ID directly after being used to do the age check [1], decides they wish to remain in communication with their online friends and uploads their ID.
Discord then fails to honour their end of the deal by deleting their users' documents after use, and then gets breached.
Full blame is on Discord for poorly handling their users' data via their 3rd parties, and on the Governments forcing such practices. Discord should have their asses handed to them by the UK's ICO.
Sure, us geeks can and will use self hosted systems and find ways to avoid doing ID checks, but your avg joe isn't going to do that.
Hopefully cases like this will help with the push back on governments mandating these kind of checks, but I see the UK government just falling back to "think of the children" and laying all the blame on Discord, (who are not without fault in this case).
[0] https://support.discord.com/hc/en-us/articles/30326565624343...
[1] https://support.discord.com/hc/en-us/articles/30326565624343...
This wasn't documents uploaded via the automated ID checker, it was users manually sending ID documents to support in order to appeal an automated age decision.
This is the part where the user has to take at least partial blame. You have to be utterly stupid (or at the very least way too sheltered) to believe a statement like this from a company, especially when there are zero consequences to the company for lying about it or negligently failing to live up to their policy.
If the UK Government are determined to enforce companies having to validate user IDs to use the company's services, then the government better well be determined to enforce our data protection laws too. Governments cannot have it both ways (esp. as the UK government also want to roll out new digital IDs that will need to be checked when getting a new job); demanding users hand over ID to access services but not kicking butts when those services fuck things up is just idiotic (OK, it's the government, they make being idiots a profession), but that's not the fault of the user.
I'm mad at both Discord (for not securing their customers' data in line with their published policies), and at the government (for forcing them into collecting the data in the first place; if Discord didn't have the data to begin with it cannot be exposed).
But I cannot be mad at users of a service, who through no fault of their own just wished to continue to be in communication with their friends and were faced with the no-win choice of providing ID or being denied access to a communication platform.
(just to be clear, I was not breached in this leak so I'm not being salty about the leak, but I see the point of view of the avg user because I see how the avg person uses the net every day.)
I assume if I run out into the middle of the motorway, I'm likely to get hit by a car. That's why I don't do that.
The problem with this is that governments are now requiring you to cross the motorway if you wish to continue having the friends you have already made, but promise that the motorways are now safe for you to cross and they will hold to account anyone who makes crossing motorways unsafe, and the DoT have said "It's fine, we have put in crossings on the motorway to allow you to do so safely!"
Your avg joe is going to take those reassurances made by multiple parties and assume the activity that would otherwise be risky is safe under these circumstances.
When people go on thrill rides at amusement parks and get injured because the operator or manufacturer fucked up, we don't blame the rider, saying "they should know better, look at all of those ride failures in the news!", as they expected the ride to be built to a high standard, to be maintained, operated correctly, and to have safety watchdogs keeping an eye on everything.
Some other reply posted "Victim blaming!" as if that shuts down the discussion. It shouldn't.
How many of us freely and gleefully gave our info to Facebook, Google, etc all through the 2010’s? How many continue to?
There is nothing wrong with dividing up blame among both people who offer a risky choice and people who make the risky decision to accept that choice, just because one of them suffered the downside of that risk. There are a lot of other examples where if you screw something up you might get hurt, and the victim is definitely at fault. It's a spectrum, as someone else put it.
Sending your government ID over the Internet is a very risky decision, given the number and frequency of data breaches. The people who got burned here are not totally at fault but they share at least a little responsibility.
If I get drunk and drive the wrong way down the highway and cause a wreck, the blame is not shared because the victim was driving a vehicle which is known to be a risky activity. I am culpable, full stop.
I hope this incident and future data breaches will finally raise awareness of which direction many regimes are going.
That's why many of the traditional totalitarian regimes are populistic, they do what their people want them to do or what they can convince them is good for them. New Western hybrid regimes still didn't realize they can't rule against their own people forever.
It's both.
The companies wouldn't have this specific data if it wasn't for the age verification laws. Companies also work to amass as much private data as possible about their users without any influence from government and are often not good stewards of it.
Let's also not forget that companies like Discord often support and work with governments on these kind of laws because they prefer a consolidated regulatory structure and it has the added benefit of making life more difficult for smaller competitors that may enter the space.
[1] - https://www.rtalabel.org/index.php?content=howtofaq#single
As for: > Teens will easily bypass any method as many today watch porn
well, they do, but each obstacle discourages them from doing that. It's like with chocolate while being on a diet - if you have it within reach next to you, you are more likely to eat it; put it on a shelf which would require standing and walking - slightly less likely; put it in another room - even less; and if you don't have it at home and you would have to dress up and take out the car and drive to the shop, most likely you would just wave your hand at that :)
So no - it won't prevent it completely but I'd argue that it would significantly decrease the use :)
Many moons ago there were a couple browsers that looked for the ICRA PICS label but the adoption was low due to complexity of the header creation and a lack of laws requiring it. I expect it would take an intern an afternoon to create the code to look for the RTA header and probably a couple weeks to get through the QA/staging process. It only needs to initially get into Chrome, Safari, Edge and Firefox to protect small children on a tablet with kids using a normie account and parents retaining the super-user account. Should a law pass that has a timeline for the check to be mandatory I expect a majority of web agents to recognize and act on the RTA header long before the deadline.
It would be 100% more than what we have today, which is nothing in the browser, and privacy-invading third parties would not be involved in kids going to sites that do not force people into said third-party sites, which is most of them. To be a fly on the wall when someone tries to force the third-party ID checks on 4chan...
We're talking about a solved problem here.
Similar to storing passwords as unhashed/plaintext.
Opening with:
> Discord has identified approximately 70,000 users that may have had their government ID photos exposed as part of a customer service data breach announced last week, spokesperson Nu Wexler tells The Verge.
Then a big PR quote, letting a potential wrongdoer further spin it.
Then closing with:
> In its announcement last week, Discord said that information like names, usernames, emails, the last four digits of credit cards, and IP addresses also may have been impacted by the breach.
This is awful corporate PR language, not journalism, on a big story about probable corporate negligence resulting in harm to tens of thousands people.
Here's the bare minimum kind of lede I expect on this reporting:
Discord may have leaked sensitive personal information about 70,000 users -- including (but not necessarily limited to) government IDs, names, usernames, email addresses, last 4 digits of SSN, and IP addresses.
I'm ready to block both Discord and The Verge.
Credit card numbers are not SSNs, and I can't fathom why Discord would have the latter (I certainly never gave them any government ID either). Not to mention, "last 4 digits" of a credit card number will commonly appear on, for example, store receipts that people commonly just leave behind. Usernames can hardly be called sensitive information, either. The point is all the other stuff being tied to the username.
It's also enough data to improve surveillance and facial recognition systems, allowing them to identify you more easily.
Most scenarios I’ve worked with, you toss the ID image once you validate it.
* Tragically underused because impractical
https://www.ausweisapp.bund.de/so-werden-sie-diensteanbieter
If they were fined $10k per leaked ID, then there is a serious liability there.
Right now, they publish a press release, go 'oopsie poopsie', maybe have to pay for some anti-fraud things from Equifax if someone asks, and call it a day.
Don't forget the usual Press Release starting with "At [Company], we take security very seriously..."
I complained to the CNPD of Luxembourg and sent a GDPR request, as they defaulted to doing this WITHOUT asking for consent (super illegal as doing AI training with your data is definitely not the minimum required to offer the service)
We would never get clearance from counsel to store that in most scenarios, and I can’t think of a reason to justify it for an age or name verification.
With the relatively low number leaked here it could have been information collected actively during an ongoing breach, not a dump of some permanent database.
You'd expect the numbers to be "low" either way.
If their machine learning models think that two people are the exact same, having the original image, especially a photo of the same ID card, could confirm that.
1/ Safety Bans (let's pretend 0.01% of ID card users have been banned for safety reasons: 650k accounts)
If a user submits their selfie/ID card, Discord needs to compare the new image with one of the 650k banned (but deleted?) images. I can't possibly think how a human could remember the 650k photos well enough to declare a match.
Even if such a human existed with this perfect recall, there can't be very many of them on this planet to hire.
2/ Duplicate account bans
If a user registers, how can a support staff search the 65m photos without ML assistance to determine if this is a new user or a fraudster?
That being said, you can still hash faces and metadata (such as ID numbers) instead of storing the whole ID as a scanned photo, if the information is only used for duplicate checking. Hashing does not increase the racial bias. If your model has a bias it will always have a margin of error.
Either the fraudster or the true human can request an appeal and the support staff could easily tell which one is tricking the AI and which one is not.
You can see all the videos of people trying to trick the Apple face lock. To a human, it was obvious they were wearing a mask. To the device, it's the same person.
The product scales, but safely using users' data doesn't? Hardly an excuse.
It should be able to detect and hash facial features so that it can compare it to a future (potentially taken from a different angle) photo of the same person. You need some type of machine learning algorithm.
The models are not perfect. Humans should still be in the loop to verify, especially when the consequences of being wrong really suck for the user: losing access to their bank account, getting fired from their job.
If you're referring to algorithms like phash (where they are using the same core image, but just add a filter), they won't work well, because everyone's ID card mostly looks the same. There will be too many FPs.
Like it was since the beginning when government IDs first became a thing.
while there probably are some countries with terribly designed passports, for most they are designed to be machine readable even with very old style (like >10 year old tech) OCR systems
so even if you want to do something like that you can extract all relevant information and just store that, maybe also extract the image
this seems initially pointless, but isn't: if you store a copy of a photo of it, people can use that to impersonate someone; if you only steal the information on it, it's harder
outside of impersonation issues another problem is that it's not uncommon that technically IDs/passports count as property of the state and you might not be allowed to store full photo copies of them, and the person they are for can't give you permission for it either (as they don't own the passport, technically speaking). Most times that doesn't matter, but if a country wants to screw with you, holding images of IDs/passports is a terrible idea.
but then you also should ask yourself what degree of "duplicate" protection you actually need, which isn't a perfect one. If someone can circumvent it by spending multiple thousands to end up with a new full name + fudged ID image, this isn't something a company like Discord really needs to care about. Or in other words, storing a subset of the information on a passport, potentially hashed, is sufficient for way over 90% of all companies' needs for secondary account prevention.
in the end the reason a company might store a whole photo is because it's convenient and you can retrospectively apply whatever better model you want to use, and in many places the penalties for a data breach aren't too big. So you might even start out with an "it's bad but we only do so for a short time while building a better system" situation, and then due to the not so threatening consequences of not fixing it (or lack of awareness) it is constantly de-prioritized and never happens...
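The approach the comment above sketches, as an added example that is not from the thread or from any vendor: read the machine-readable zone (MRZ) of a passport, validate its check digits, and retain only a keyed hash of the minimal fields needed to spot a second account, so the image never has to be kept. The sample MRZ is the public ICAO 9303 specimen; the HMAC key, the `DuplicateRegistry` class and the choice of fields are assumptions for illustration.

```python
"""Added example: MRZ extraction plus keyed-hash duplicate detection.

Instead of storing an ID scan, parse the two-line TD3 (passport) MRZ,
verify its ICAO 9303 check digits, and keep only an HMAC over the
fields needed to recognise the same document again.
"""
import hashlib
import hmac
from dataclasses import dataclass

# ICAO 9303 check digit: weights 7,3,1 repeating; digits are their value,
# letters A..Z are 10..35, the filler '<' is 0; result is the sum mod 10.
def mrz_char_value(c: str) -> int:
    if c.isdigit():
        return int(c)
    if c == "<":
        return 0
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    raise ValueError(f"invalid MRZ character {c!r}")

def mrz_check_digit(field: str) -> int:
    weights = (7, 3, 1)
    return sum(mrz_char_value(c) * weights[i % 3] for i, c in enumerate(field)) % 10

@dataclass(frozen=True)
class MrzFields:
    issuer: str
    surname: str
    given_names: str
    document_number: str
    nationality: str
    birth_date: str   # YYMMDD as printed in the MRZ
    sex: str
    expiry_date: str  # YYMMDD

def parse_td3(line1: str, line2: str) -> MrzFields:
    """Parse a TD3 MRZ and raise ValueError if any check digit fails."""
    if len(line1) != 44 or len(line2) != 44:
        raise ValueError("TD3 MRZ lines must be exactly 44 characters")
    if line1[0] != "P":
        raise ValueError("not a passport (TD3) MRZ")
    surname_part, _, given_part = line1[5:].partition("<<")
    # Field, check-digit pairs on line 2 (0-based slices per ICAO 9303 part 4).
    checked = [
        (line2[0:9], line2[9]),     # document number
        (line2[13:19], line2[19]),  # date of birth
        (line2[21:27], line2[27]),  # date of expiry
        (line2[28:42], line2[42]),  # optional data ('<' check means 0)
    ]
    for field, cd in checked:
        if str(mrz_check_digit(field)) != ("0" if cd == "<" else cd):
            raise ValueError(f"check digit mismatch for field {field!r}")
    composite = line2[0:10] + line2[13:20] + line2[21:43]
    if str(mrz_check_digit(composite)) != line2[43]:
        raise ValueError("composite check digit mismatch")
    return MrzFields(
        issuer=line1[2:5],
        surname=surname_part.replace("<", " ").strip(),
        given_names=given_part.replace("<", " ").strip(),
        document_number=line2[0:9].rstrip("<"),
        nationality=line2[10:13],
        birth_date=line2[13:19],
        sex=line2[20],
        expiry_date=line2[21:27],
    )

def duplicate_fingerprint(f: MrzFields, key: bytes) -> str:
    """Keyed hash of the fields that identify one physical document.

    A plain SHA-256 would be brute-forceable from the small space of
    document numbers if the table leaked; the key (kept in a secrets
    store, an assumption here) removes that offline attack."""
    msg = "|".join((f.issuer, f.document_number, f.birth_date)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class DuplicateRegistry:
    """Hypothetical store holding only fingerprints, never scans or names."""
    def __init__(self, key: bytes) -> None:
        self._key = key
        self._seen: set[str] = set()

    def register(self, f: MrzFields) -> bool:
        """Return True if the document is new, False if seen before."""
        fp = duplicate_fingerprint(f, self._key)
        if fp in self._seen:
            return False
        self._seen.add(fp)
        return True

# Constructed input: the ICAO 9303 specimen passport MRZ (public test data).
SPECIMEN_LINE1 = "P<UTOERIKSSON<<ANNA<MARIA".ljust(44, "<")
SPECIMEN_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
```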
And if a few people manage to slip through it’s not really an issue. They will either get banned again for the same reasons or not violate the rules anymore so who cares
GDPR requires data minimalism and ~use case binding so if you submit data for age verification there is no technical reason to keep it after knowing your age so you _have to_ delete it.
The GDPR is your friend. It makes retailing unnecessary personal data a liability. As it should be.
Discord is idiotic for operating in the UK and Europe without complying.
No excuses.
How would you get around this verification though? Afaik this is nearly akin to KYC, which is effectively impossible to get around
I wish breaches like this would cause people to reconsider their choices but sadly, it's unlikely most users will move.
I've hit the cap and it's driving me crazy. It's really easy to hit it since each friend group, hobby group, gaming community, and open-source community often all have their own servers.
It is sometimes possible to view a Discord server without joining it, but it is painful compared to just joining the server.
There are users who rotate community servers on a VPN / newly spun up alts. They are relentless. I noticed the communities that are massive and do not have this problem to this extent all require a phone number.
You can set up a community on their servers.
I’m not sure why they chose to use misleading language, but it is misleading.
I also have trouble going along with the doublespeak. If a supermarket called their beer apple juice, I'd also not be offering my friends "apple juice", I'd call it what it is
Guild is innocuous enough and since the API docs still call their communities that, that can be a term to use among those in the know to have common and clear terminology
'Guilds in Discord represent an isolated collection of users and channels, and are often referred to as "servers" in the UI.' —https://discord.com/developers/docs/resources/guild
Focusing on the fact that it's not really a "server" because they aren't running as separate processes seems like utterly silly pedantry, and we probably don't even know if that's actually true regarding Discord or not.
It's like pretending a taxi is the same as owning a vehicle, even if the taxi company was your neighbor and there's always someone available. The result is the same but the distinction couldn't be clearer. To me it's similarly misrepresentative to say you own a car when you live next to a big taxi station, as to say the SaaS web front-end you get on Discord is a rented server
Gamers are well familiar with different communities actually hosting servers and instances for games or voice chat pre discord. Discord offers the same experience but without physically being different servers. Keeping the name guides users in the same way OSs call it a recycling bin despite not actually being a bin.
Makes this huge data leak a real head scratcher
> You'll be required to register a phone number to your Discord account in order to continue the use of it.
The following is worded in such a way that it very much reads that you're saying it doesn't happen...
>When other people say that something happens to them, why should I simply take them at their word when it contradicts the evidence actually available to me?
You've very clearly said that if something hasn't happened to you, you're not likely to believe someone when they tell you it's happened to them. Further...
>You seemed to be implying that it will always happen, or commonly happen...
... there was no implication. The comment you initially responded to clearly stated specific instances that will trigger the phone number requirement, the same instances that are very clearly stated by Discord[1] itself.
And I'm saying that I've personally been (as far as I can tell) in some of the situations described without encountering such requirement, therefore "will" is hyperbolic.
It especially doesn't make sense to me that there would be a flag for "joining too many servers" because they put a hard cap on that anyway. And indeed, the support article says that this triggers for joining too many servers in a short period of time.
That's about the level of evidence that your specific user account offers to you about whether phone verification is a thing their anti-spam algorithms can trigger...
https://support.discord.com/hc/en-us/articles/6181726888215-...
Bully for you that you haven't encountered it, but it's certainly a thing.
(To be explicit, not supporting jailing here, just removing from office.)
Time to pump up those numbers…
we publish this every year or so: https://qbix.com/blog/
I do not like this world that we have created and I would like to apply for a full refund
We could likely see a bit more of these data leaks in the future I guess, due to how there are more and more countries/states adopting this.
[1] https://support.discord.com/hc/en-us/articles/30326565624343...
"Discord's investments in AI-driven self-service with the Zendesk CX platform have enabled the company to provide seamless support."
Where there is smoke, there is a fire. Wait for more and wait for people to learn how identity theft is the worst problem you can have.
Imagine trying to prove that you are you, while somebody else with your passport details, driver license, address, DOB, phone SIM swap, etc, is acting like you, causing all sorts of financial disaster???
1995 The Net movie, people in 2025 will learn the hard way that was not just a movie.
WTF were they thinking about?
It will keep happening as well.
Their IDs were given in the name of "online safety"; how safe are they now that their IDs are leaked?
ZK proofs cannot become mainstream fast enough.
Mandated to be accessible to EU citizens by 2027 when all Member States have developed a Wallet solution.
Not associated but learned through it at work recently, just awesome project and thought I'd share in this context.
[1] https://commission.europa.eu/strategy-and-policy/priorities-...
[2] https://eu-digital-identity-wallet.github.io/eudi-doc-archit...
These companies should be forced to release a proper account of events - like Google/Cloudflare do when they mess something up
It is going to take a long time before companies realize that data they don't need is a liability, not an asset.
You submit a ticket to Discord with the ID attached when the automated ID verification didn't work for you.
Once the ticket is dealt with, Discord could have a policy of deleting the IDs, but they don't.
At some point we'll start seeing companies that rotate your passwords automatically and integrate with your autologins, and send immediate reports of breaches / suddenly failing logins.
Wait. Why isn't this a thing
How did we get to this state anyway?
Isn't HN supposed to be populated by the people who work at these companies, the fuck are you guys doing??
And even at modest-sized companies, those are decided by Legal Dept's and senior business managers.
While you might find it cathartic, to angrily curse at some convenient Post Office employee for (say) the Postmaster General's latest postage stamp price increase - that is really not a classy move.
Or, maybe try https://en.wikipedia.org/wiki/World_Economic_Forum
BUT - the "shame them" is only from your PoV. They really don't share that. Nor care what you think.
For example, if you state you want to verify age, you only need the ID for a couple of seconds. So why didn't they think about the risk of a hack before? They could have done the age verification and then immediately deleted the document. The cynical take is of course they did think about it but would take the fine if it came to that...
Maybe it is good to make an example out of Discord? Don't keep stuff around if you don't need it should be common sense.