Identity Verification - A Hacker's Dream

Identity verification is being marketed as a safety measure, but it's quietly making it easier for governments and companies to ramp up surveillance and track people more deeply online.

Many of us have seen the recent rise in identity and age verification laws and policies. From [this article](https://www.tomsguide.com/computing/online-security/online-age-verification-timeline) written by Olivia Powell on Tom's Guide, we see that there has been a rapid rise in age-verification laws within the United States in just the past few years.

On paper, these checks seem simple. In practice, they take several different forms, each with its own risks:

  • Uploading pictures of government-issued IDs, which leaves the platform (or its vendor) holding a large store of sensitive identity documents.
  • Scanning your face, either to estimate your age or to match you against the ID you uploaded, which adds biometric data to that store.
  • Websites outright blocking their content from being viewed in locations with these laws (Pornhub is notorious for this).

But what happens when those IDs are breached? In a [recent breach](https://www.pcmag.com/news/discord-70k-govt-ids-exposed-breach-hackers-posting-age-verification-selfies) affecting the social media platform Discord, over 70,000 government-issued IDs ended up in the hands of attackers. The same breach exposed the email addresses, partial phone numbers, and physical addresses of the affected users. This is exactly the nightmare scenario that critics warned about: the moment verification data exists, it becomes a jackpot for attackers.

This raises some questions:

  • Why did Discord have 70,000 government-issued IDs?
    • Once a check has returned its yes-or-no answer, the platform only needs that answer, not the document behind it. But companies don't generally delete data they no longer need, and every retained ID image expands the jackpot for attackers.
  • Who should be held liable for this?
    • Discord? The third-party vendor that was actually breached? Potentially the lawmakers who wrote identity verification laws? The users who uploaded their information because Discord requested it? Nobody wants to take responsibility for this clusterfuck.
  • How much harm does this cause?
    • Potentially a lot. An ID image, the address on it, an email, and a partial phone number are often enough to pass the knowledge checks that banks and carriers still rely on, so a breach like this can be the missing piece bad actors needed to execute an identity theft operation.
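The retention point above is the one a platform actually controls: keep the verification decision, drop the document. The following is an added illustration (not Discord's, any vendor's, or any real platform's code) of a store that persists only the outcome plus an expiry date and purges even that on schedule. The vendor result shape, the 90-day retention window, and the names are hypothetical.

```python
"""Data-minimising verification store. Added example; the vendor result
format, field names and retention period are assumptions, not a real API."""

from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List


@dataclass(frozen=True)
class VendorResult:
    """Constructed stand-in for what an ID-verification vendor hands back.
    Everything except user_id, vendor and over_18 is the breach jackpot,
    and none of it is persisted by VerificationStore."""
    user_id: str
    vendor: str
    over_18: bool
    document_image: bytes
    date_of_birth: str
    home_address: str


@dataclass(frozen=True)
class VerificationRecord:
    """The only thing the platform keeps: the decision, who made it, and
    the date after which even that is discarded."""
    user_id: str
    vendor: str
    over_18: bool
    verified_at: datetime
    expires_at: datetime


class VerificationStore:
    """In-memory stand-in for the platform's database (hypothetical)."""

    def __init__(self, retention: timedelta) -> None:
        self._records: Dict[str, VerificationRecord] = {}
        self._retention = retention

    def record(self, result: VendorResult, now: datetime) -> VerificationRecord:
        # Copy the decision only. The image, date of birth and address are
        # never written here, and should not be written to logs either.
        rec = VerificationRecord(
            user_id=result.user_id,
            vendor=result.vendor,
            over_18=result.over_18,
            verified_at=now,
            expires_at=now + self._retention,
        )
        self._records[result.user_id] = rec
        return rec

    def is_verified_adult(self, user_id: str, now: datetime) -> bool:
        rec = self._records.get(user_id)
        # An expired record counts as absent even before the purge job runs.
        if rec is None or now >= rec.expires_at:
            return False
        return rec.over_18

    def purge_expired(self, now: datetime) -> int:
        """Scheduled job: delete records past retention. Returns the count."""
        expired = [uid for uid, rec in self._records.items() if now >= rec.expires_at]
        for uid in expired:
            del self._records[uid]
        return len(expired)

    def dump(self) -> List[dict]:
        """What an attacker who copies the whole table would get."""
        return [asdict(rec) for rec in self._records.values()]


def demo() -> dict:
    """Walk one user through check, gating, expiry and purge."""
    t0 = datetime(2025, 10, 1, tzinfo=timezone.utc)
    store = VerificationStore(retention=timedelta(days=90))  # assumed policy
    result = VendorResult(  # constructed sample, not real data
        user_id="u-1001", vendor="example-idv", over_18=True,
        document_image=b"\x89PNG...", date_of_birth="1990-01-01",
        home_address="1 Example St",
    )
    store.record(result, now=t0)
    leaked_keys = set().union(*(row.keys() for row in store.dump()))
    return {
        "gate_day_1": store.is_verified_adult("u-1001", t0 + timedelta(days=1)),
        "gate_day_91": store.is_verified_adult("u-1001", t0 + timedelta(days=91)),
        "raw_id_in_dump": "document_image" in leaked_keys,
        "address_in_dump": "home_address" in leaked_keys,
        "purged": store.purge_expired(t0 + timedelta(days=91)),
        "rows_after_purge": len(store.dump()),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that `dump()` is what a database breach yields: with this layout an attacker learns who passed a check and when, which is still personal data, but not the ID image, date of birth or home address that make the Discord leak so damaging. The expiry date also means the check result itself does not live forever, which is the opposite of the "keep it just in case" default the questions above describe.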

What are some of the main drivers behind these laws and company policies?

  1. Protecting children, restricting illegal content, and ensuring that only adults can access adult-only content. Framing a law this way makes it politically hard for lawmakers to argue against it, whatever its technical merits.
  2. Reducing online anonymity, making it harder to "be someone else" and potentially easier to track bad actors.
  3. Creating an additional avenue for mass surveillance. We are already tracked pretty heavily and we know this because of the [2010s global surveillance disclosures](https://en.wikipedia.org/wiki/2010s_global_surveillance_disclosures), but just like with the [Patriot Act](https://en.wikipedia.org/wiki/Patriot_Act), once the avenue for surveillance has been created, it tends to grow, not shrink.

Identity verification laws are framed as safety tools, but they are quietly creating some of the most sensitive identity datasets a company can hold. Every time one of those datasets leaks, whether from Discord or some other platform, the costs get passed on to regular people who probably didn't even know that a third party was handling their data in the first place.

The people of the United States would benefit from a set of laws similar to the EU's GDPR: enforceable rights over their own data, a lawful basis required before it is processed or shared with a third party, and a duty to delete it once it is no longer needed for the purpose it was collected for. But those laws would hinder surveillance efforts and cost companies money, which is why the US isn't in a hurry to implement them.