
Fury at Facebook as login requests “Government ID” - bgtyhn
http://www.thedrum.com/news/2013/10/29/fury-facebook-login-requests-government-id
======
sneak
One of my least favorite memes in western society is that individual people
actually believe that the government has some say in defining your name or the
boundaries of your family.

Everything from the idea of "legally changed his name" to "same-sex marriage"
illustrates the problems of turning to city hall for approval or consent of
individuals' and families' deeply personal and private matters.

I wish the US had two more constitutional amendments: our bodies are property
belonging to us individually and we are free to do with them as we please
(solves abortion debate, war on drugs, assisted suicide, et c) and that
government has no authority to regulate private familial matters such as what
terms we use to call ourselves, what terms we use to call our loved ones, or
who is within or without our families and the terms we use to refer to them
(solves the current state of marriage inequality for homosexual relationships
and also the discrimination against families that practice nonmonogamy, as
well as any other oppressive status-quo reinforcement these assholes may come
up with in the future).

It takes a very special kind of oppressor to tell you what words you are
allowed to use to call yourself, what things you are allowed to do to your own
body, and who you are allowed to love and allow into your family.

~~~
mhurron
I'm going to take issue with just one statement here because I'm short on time
-

> special kind of oppressor to tell you ... who you are allowed to love and
> allow into your family.

They don't. You can have a polygamous marriage all you want, you can have an
open marriage, you can be as gay as you want.

However, husband, wife, father, mother, son, daughter and what not also have
legal ramifications, and that is where the law has domain. It has nothing to
do with any morality associated with the relationships.

The gay marriage issues stem from a misunderstanding, willful or otherwise, of
that. The marriage the state cares about is the contract between two adults,
it doesn't give a damn about your morals or god.

~~~
falcolas
> You can have a polygamous marriage all you want

No, you can't. It's illegal in most states (see how the "Big Love" family had
to move due to pending prosecution in Utah).

> you can be as gay as you want.

Not if you're male - sodomy is illegal in many states (despite a Supreme Court
ruling that pretty much shuts them down) in the US, and many other countries
entirely [1].

> [The law] has nothing to do with any morality associated with the
> relationships.

Laws are derived from the morality of their times. The laws against murder,
and exceptions thereof, are based on what society believes is wrong and right.

[1]
[http://en.wikipedia.org/wiki/Sodomy_law](http://en.wikipedia.org/wiki/Sodomy_law)

~~~
mhurron
> You can have a polygamous marriage all you want

>No, you can't. It's illegal in most states (see how the "Big Love" family had
to move due to pending prosecution in Utah).

Yes you can, you can not however have more than one legal wife. You can marry
wife #1 (marriage certificate) and this person will be the only wife the law
cares about. You can then have any religious or whatever ceremony to marry any
number of other women and you can all live together any way you wish. You can
do this because the state doesn't care about the religious ceremony. You can
not legally marry more than one woman, the women must know they are taking
part in a polyamorous relationship and they can not be coerced into it. Again,
the legal definition of marriage and what you call being married do not have
to match.

As a side not, it is basically impossible to find what you are referring to
with 'the "Big Love" family' since it appears to be a TV show as well. So I
can't say anything about it.

> Not if you're male - sodomy is illegal in many states (despite a Supreme
> Court ruling that pretty much shuts them down) in the US, and many other
> countries entirely.

This is the best example of how the law and individuals differ. Legally (in
the US), sodomy is defined as any sexual contact other than vaginal
intercourse. Ever had a blow job? Congratulations, you could be charged. It
has noting to do with being male, lesbianism would be charged with sodomy as
well.

In the US, you can be as gay as you want.

~~~
dragonwriter
> > > You can have a polygamous marriage all you want

> > No, you can't. It's illegal in most states (see how the "Big Love" family
> had to move due to pending prosecution in Utah).

> Yes you can, you can not however have more than one legal wife. You can
> marry wife #1 (marriage certificate) and this person will be the only wife
> the law cares about.

Whether this is true or not depends on the details of the state law, but its
certainly not true in, e.g., Utah, where the relevant statute [1] looks at
_cohabitation_ as well:

 _(1) A person is guilty of bigamy when, knowing he has a husband or wife or
knowing the other person has a husband or wife, the person purports to marry
another person or cohabits with another person._

 _(2) Bigamy is a felony of the third degree._

 _(3) It shall be a defense to bigamy that the accused reasonably believed he
and the other person were legally eligible to remarry._

[1] Utah Code, tit. 76, chap. 7, sec. 101;
[http://le.utah.gov/code/TITLE76/htm/76_07_010100.htm](http://le.utah.gov/code/TITLE76/htm/76_07_010100.htm)

------
algorias
With each passing day, I look less and less like a lunatic for avoiding
facebook (and its ilk) like the plague.

You should try it.

~~~
sillysaurus2
People think those who don't use Facebook are lunatics? Why?

~~~
algorias
For younger generations who grew up with this kind of tech, it's just not
conceivable. For them, Facebook is a synonym for having contact with their
friends.

In a discussion we once had in class, I mentioned that an option that hadn't
been listed besides Facebook, Google+, Diaspora, etc was "none of the above".
I got bewildered stares of disbelief in return.

~~~
frio
Maybe. This is rapidly becoming less true. I had to give a talk at a school
the other day ("tech is cool, join the tech industry!") and the bulk of the
students didn't have Facebook accounts -- because their parents are on it.

Maybe that'll change when they reach a University age, but it was striking how
few of them used it.

~~~
gailees
Instagram is taking over amongst young people.

~~~
rzt
Instagram is even taking over among people in the post-adolescent set. The
engagement I see seems to be more vigorous, especially if you're dialed-in and
you're making good/interesting photos.

------
aestetix
Two comments on this:

We started [http://www.nymrights.org](http://www.nymrights.org) to combat
issues like this. One of our long term goals is to get companies to adopt
policies preventing data demands like this unless sufficient protections
(read, laws) are in place. (if you're a company debating adopting such a
policy, I'd love to chat!)

Second, if you're European, check out the European Court of Human Rights,
which offers protection against privacy intrusions like this. It's worth
noting that some countries get more specific: Germany has the Telemedia Act,
which specifically protects against problems like this.

~~~
alextingle
How would you formulate such a law? What does Germany's _Telemedia Act_
actually say?

I can refuse to let you into my house if you won't show me your passport. If
you don't have a passport, then I can just refuse to let you in no matter
what. How does that change if I'm running a business? Or a web-site?

Surely it would be better to focus on supply rather than demand. If government
ID is mandatory for everyone (e.g. Germany, Belgium), then it makes it easy
for businesses to demand to see it. If government ID is entirely optional
(e.g. UK) then insisting on seeing it will exclude too many potential
customers.

If FB asks _me_ for government-issued photo ID, then they will effectively be
kicking me out - I'm not going to go through the rigmarole of applying for a
passport just to get a FB log on.

~~~
ZoFreX
> I can refuse to let you into my house if you won't show me your passport. If
> you don't have a passport, then I can just refuse to let you in no matter
> what. How does that change if I'm running a business? Or a web-site?

Well, you would presumably be keeping some kind of record of my ID. Perhaps
you write down my name, date of birth, and passport number. As a business, in
the UK you would have to (amongst other obligations):

* Not keep the data any longer than is necessary * Update any inaccuracies in the data upon request * Tell me what data you are keeping upon request

It's not about asking for data, it's about what you do after I give it to you.
(NB to those wanting to know more about this, these particular obligations are
due to the Data Protection Act)

~~~
alextingle
I'm not sure the DPA needs to come into it. If a nightclub bouncer checks your
ID, then he's free to forget all about it once he lets you inside. If all FB
do is set an "ID checked" flag (and discard data collected as part of the
checking process) then I think they'd be in a similar position - I'm not sure
whether you could successfully argue that an "ID checked" flag could count as
additional personal data.

(Then again, I'm sure FB hold on to data like thieving magpies, so the idea
that they would delete your passport number/image/whatever once they have it
is, I agree, laughable.)

~~~
ZoFreX
I agree 100%, a simple "ID checked" flag would be OK. Where I think the DPA
fits into it is that without the DPA, a lot more people would store those
details just because. With the DPA in place I'm a lot more comfortable sharing
information like that, knowing that either they just store a flag, or if they
store more than that I am protected.

------
Amadou
How does Facebook intend to validate these government IDs?

I'm pretty sure they can't. They want you to send a scan of some photo-id -
that means that all the anti-tamper / anti-forgery tech that might be on the
actual ID will be non-existent.

If you are lying about who you are, it will take about 10 minutes in photoshop
to come up with something that will pass their test.

Are there any countries that even provide validation services that facebook
could use? As I recall, South Korea used to require residents to provide their
national ID numbers to access most (all?) in-country websites. That ended up
producing a ton of identity theft so they repealed that law.

~~~
batuhanicoz
Turkish Government has an API. You post all the info on the ID to it, and it
returns true or false. You have to be a legal entity in Turkey to access it.
(Edit: Correction, everyone can access it, and it doesn't require all the info
anymore, just ID number, name and birthday.
[https://tckimlik.nvi.gov.tr/Service/KPSPublic.asmx?op=TCKiml...](https://tckimlik.nvi.gov.tr/Service/KPSPublic.asmx?op=TCKimlikNoDogrula))

I'm guessing there are other countries that provides this?

~~~
RafiqM
As a developer, that's awesome. As a citizen.. I would guess not so much.

~~~
batuhanicoz
In Turkey everything is accessible with API's. Legal records, insurance,
education, work, bank records, things you own (houses, land, probably cars),
your address (both work and home), your e-mail, phone number, every other
phone number you own, you can even do a quick query on if a car has ever been
in an accident or if someone has priors.

Not everything is open to everyone though. My company had access to some of
this, it was nice. (Edit: nice as in, it made our life easier.)

------
DominikR
I am going to get a lot of downvotes for this but I am still curious to hear
what solutions the HN community could come up with for the problem Facebook is
facing:

Some of the accounts have been hacked.

You locked the accounts as a security measure.

Now you need to validate that some person is the actual owner of the account.

How would you solve this problem? (Sending a code via text message to the
owners mobile device wont work in every case since old accounts didn't have to
validate via phone number on registration)

~~~
dlss
I'll take a stab at this.

Before I get in to it, we need to correct a misconception on your part: using
a government ID doesn't work in every case. It turns out hackers know how to
forge government ID images, and some of FB's users don't have government IDs
(for instance, before I turned 16 all I had was a private school id).

With that out of the way, I think they should do what you suggested: sms
verification. Email verification also works. As does postal mail. As does
credit card charge. As does ACH charge. As does paypal charge. As does "send
in a photo of you with a shoe on your head". As does having a user's friends
vouch for them (they call their friends and ask). As do a lot of things.

Facebook should look closely at whatever attacker they are trying to lock out,
and make several methods of ownership verification available. Maybe require
two?

Requiring IDs just isn't a particularly good way to do it, and has bad PR
effects these days.

~~~
kalleboo
> As does having a user's friends vouch for them (they call their friends and
> ask).

This is probably the most "Facebook" of the options. They already do something
similar for some account lockout situations ("identify 5 photos of your
friends to gain access").

~~~
VLM
"identify 5 photos of your friends to gain access"

Really? I don't use FB so I can't verify, but that sounds like an epic
security hole for prankers, stalkers, ex's, and abusive spouses.

~~~
singold
I can confirm that this happened to a friend when accesin facebook from
another country.

Also I remember reading an article (from HN) where some guy hacked a facebook
account (if I recall correctly) and that was one of the steps (he and the
hacked one where friends and coworkers so they had lots of friends in commmon)

~~~
VLM
Hmm, well hopefully just one of many steps and not "that's all it takes".

I'm no FB fan, but if they are using friends pictures as a CAPTCHA to verify
the authenticator is a human not a automated computer, I grudgingly tip my hat
in respect toward them. That would be much more elegant than the usual lame
CAPTCHA.

This strikes me as it may become more of a problem as kids abandon FB and
older people use it. The kid I sat next to in middle school lunchroom back
when Reagan was president, and I clicked "yes" on his friend request out of
guilt, well, I have no idea what the heck he looks like now. Ex-girlfriends?
Well, I remember really well how she looked when she was 19, but that was a
long time ago, and...

------
ohwp
What amazes me even more is that almost all of those people are screaming an
shouting and are entering the ID the next day and forget about it.

~~~
Tarang
Thats the problem. I wish people would care more about their data. Lots of us
who build stuff are more aware of how stuff works and the repercussions of
putting data up just once.

~~~
jgeerts
This is most valid, data should be centralized, not distributed and not in the
hands of facebook. Imagine that there would exist a website that contains all
your personal data with 1 password, websites request access to a part of that
data and if this website also actively checks that it is valid data that the
site is requesting to function, I would pay for that.

------
jnsaff2
So I got locked out about 10h ago and as I saw lots of people like me on
twitter then I just went to bed without verifying anything. Wake up, account
unlocked without questions.

I suspect this was related to the earlier news where Obama's facebook was
hacked [1]. Some junior dev at FB forgot a WHERE clause at a sql query or did
something equally dumb to mitigate this.

[1] [http://uk.reuters.com/article/2013/10/28/uk-usa-obama-
twitte...](http://uk.reuters.com/article/2013/10/28/uk-usa-obama-twitter-hack-
idUKBRE99R0YQ20131028)

~~~
signed0
That's not what happened at all. The link shortener that Obama used was hacked
and previously shortened links where redirected. That article says nothing
about his Facebook being hacked.

------
VladRussian2
an ID-verified person - 1st level, 100%. Everything s/he tagged, communicated
with, etc... - 2nd level, 95%, everybody "touched" by 2nd level - 90%,... Just
a few hundred thousands optimally selected, and the graph is well verified
while maintaining an impression of the ID-checks being rare exceptional
events.

------
Tarang
A response to 'The Zuckerberg Files'
([http://zuckerbergfiles.org/](http://zuckerbergfiles.org/))?

I find it hard to justify a use for this type of info online? You can get
money-related businesses because of the need to comply legally but why
facebook?

Off topic: Does anyone think Google's floating barge is a way to evade
compliance when it comes to data monitoring? Theoretically they could go
further offshore

~~~
VladRussian2
>Does anyone think Google's floating barge is a way to evade compliance when
it comes to data monitoring? Theoretically they could go further offshore

the compliance is mainly enforced through the company execs being onshore, not
the data/servers. The barges will be waiving 2 Irish flags with 1 Dutch flag
in-between at the same time.

------
jsvaughan
This is the page about verifying your account:

[https://www.facebook.com/help/385569904840341](https://www.facebook.com/help/385569904840341)

Facebook accepts any government-issued ID that contains name and date of
birth. Examples include:

Birth certificate, Driver’s license, Passport, Marriage certificate, Official
name change paperwork, Personal or vehicle insurance card, Non-driver's
government ID (ex. disability, SNAP or national ID card), Green card,
residence permit or immigration papers, Social Security card, Voter ID card

If you don't have a government-issued ID, Facebook will also accept two of the
following items that combined must show name and date of birth. Examples
include:

Bank statement, Bus card, Check, Credit card, Employment verification, Library
card, Mail, Magazine subscription stub, Medical record, Membership ID (ex.
pension card, union membership, working or professional ID), Paycheck stub,
Permit, School card, School record, Utility bill, Yearbook photo (actual scan
or photograph of the page in your yearbook), Please cover up any personal
information we don't need to verify your identity (ex: credit card number,
social security number).

~~~
Tarang
What do you think would happen if we just submitted fake data.

Back before facebook went gigantic people used social networks with avatar
like display pics & put up loads of fake data.

~~~
cmdkeen
You'd no doubt be committing all sorts of criminal offences in both the US and
whatever (Western) country you send them from. It makes for a much better
reason for getting the authorities involved in a hacked account than just the
initial hack.

It's also much less likely that someone will do it due to the hassle and lack
of automation. Though no doubt some hot startup idea is about to be born...

~~~
schukin
How is photoshopping a bank statement/utility bill for the sole purpose of
activating a Facebook account a "criminal offense"?

The same question somewhat applies to government-issued IDs depending on
state/country, since many laws regarding falsified IDs only apply to
purchasing tobacco/alcohol.

~~~
cmdkeen
In the UK it would be forgery - a forged instrument is "any document", and for
it to be forgery they have to use it to "induce someone to accept it as
genuine, and by reason of so accepting it to do or not to do some act to his
own or any other person’s prejudice"

I seriously doubt that the US is going have to have less strict laws regarding
forged documents. Just because you think it isn't illegal doesn't mean it
actually is.

------
NKCSS
This is a smart move by Facebook; they already sit on the worlds largest data
trove (user profiles with likes, family member info, network info, tagged
pictures, etc. etc.), and now they add the last part of the user verification
step...

~~~
sillysaurus2
How is this smart? (Not disagreeing, just requesting more info.)

~~~
weland
They can validate their social network graph with ease and therefore ensure
they are selling perfectly valid data.

It's really disgusting to see people willfully submitting to this.

------
mkhalil
Facebook is still that popular? I deactivated years ago and never cared to go
back. I will activate every once in a while, check the feed, and leave. I have
over 1000 friends, but the feed has slowed down to an extreme and it's mostly
mommy/kid pictures now. A lot of people in my social circles agree too. It's
pretty irrelevant as far as our social lives go. Instagram + Twitter is still
pretty active. Hmm..wonder if it's bigger in other states/countries.

------
JeremyNT
I encountered this, perhaps ironically, while attempting to deactivate my long
unused Facebook account.

I was able to log in using my credentials (which I store in a keepass
database), but since the account had been inactive for so long (I guess?) this
was insufficient. After successfully providing my username and passphrase, I
was prompted with a security question, the answer to which I did not recall (I
had created the account many years ago).

The only remedy, according to Facebook support, was to provide a scan of a
government ID (via email, of course). Nevermind that I knew the password.
Nevermind that I had access to the email address associated with the account.

I told them I was unwilling to provide this, and they told me I was out of
luck. I decided that leaving a phantom, inactive FB account in the wild was
better than providing these people with what they wanted, and got on with my
life.

After several weeks, I for some reason decided to try again - and at that time
all I needed was my passphrase. Why? Who knows. Maybe it was my lucky day.

I don't really know what the takeaway should be, but my personal lesson is
that I should probably also store secret questions and answers in a password
database, since apparently some services deem them to be required even when I
have the passphrase.

------
JoshGlazebrook
Not as bad as Paypal with their requirement that you provide proof of SSN to
unfreeze your funds that were frozen for no apparent legitimate reason.

~~~
rwallace
In fairness, PayPal, being a money transmitter, has to deal with regulations
more complicated and onerous than anyone who hasn't worked in that business
can ever know or understand, so there isn't any basis for holding them to
blame for such things.

Facebook has no such excuse.

------
Fuxy
:)) I don't upload images/scans of important documents on the internet what
makes Facebook think they're special.

I use my card online (because i have to) and I'm constantly checking my
accounts for shady transactions but there's no way in hell I share my id on
the internet.

Every bit-coin website that asked for this lost my business and if Facebook
does the same will happen to them.

~~~
02
I doubt they think they're special. I doubt they think _you 're_ special
either.

------
tehmaco
Isn't there a problem of copyright associated with Government ID?

In the UK, things like your passport are copyright to The Crown and there's
official guidance[1] on how to go about getting permission to make copies of
them.

I'd imagine other countries are the same. So Facebook is asking it's users to
infringe government copyright.

[1]
[https://www.gov.uk/government/uploads/system/uploads/attachm...](https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/118584/crown-
copyright.pdf)

------
k-mcgrady
Something similar happened to me. I had several company accounts with a page
on each. I tried to login one day and Facebook requested ID. It seemed to
happen to me when I tried to login via incognito mode in Chrome (so that I
didn't have to logout of my main account first).

I still haven't entered the ID but I manage one of the pages for a business (I
also manage their website, twitter etc.) and I'm either going to have to enter
the ID or give up the job.

I can't see any reason Facebook require this. It seems like real scummy
practice.

------
bru
That actually happened to me at the beginning of the year. If I remember right
I was in a foreign country (UK) (or just back from it) and Facebook asked me
to log in and to scan my government ID (French one actually). However it was
optional and there was a small link at the bottom of the page offering to skip
that step (which i did without an hesitation).

Is there a difference here? I mean, can they still skip the step? The article
does not say much. Anyway the design was made such that it was hard to know
you could skip the step.

------
znowi
Wow. So, basically, Facebook says: "You're locked out. If you want to stay a
Facebook user, you must provide your government issued ID, or else - get
lost."

This is a glimpse of the future, if we let it slide. The Internet giants can
amend their ToS as they see fit and you will have to comply or get out. And
for many people getting out is not an option when all of their immediate
circle is already on it. So they endure humiliation in order to stay in, as
well.

There must be legal restrictions on this type of behavior.

------
nercury
Simple, do rely only on Facebook, be ready to ditch it at any moment.

------
NemesorZandrak
I'm from Europe. If they will do it to me I will be forced to stop using
Facebook. And I will laugh if they will make it happen in uk as people here
don't have such ID's

~~~
dan1234
The UK issues both passports and photographic driving licences. Most people
will have at least one of those.

~~~
andyjohnson0
Yes, but there is no _requirement_ to have one. UK law doesn't even require a
person to have a name.

~~~
ubernostrum
There is no legal requirement in the US to have a picture ID card, either.
Unless you want to drive. Or, in an increasing number of states, vote. Or get
on a plane without a ton of hassle. Or... well, you get the idea.

It is possible for something to be "not legally required" but still have a
very high degree of adoption due to the inconvenience caused by not having it.

------
thehme
Doesn't really make sense to why FB would want people's Gov IDs to then allow
them to simply upload pictures, gossip, or comment of other people comments.
Does this behavior remind anyone of 1984 and the whole idea about controlling
people's behavior/thinking by pretending or actually monitoring their
activities/life? What is two-step verification, passcode generators or answer
your secret questions, if not for this?

------
Flenser
They should get you to pick 2-3 friends from the subset of your closest
contacts that they trust[1] to receive a multi-part[2] password so that you
can prove you're you by your contact with your friends.

[1] i.e. Facebook believe they are real people who could verify your identity.

[2] It could be a form of n of m authentication so you wouldn't need to get
all of them.

------
ansgri
I wonder how many people respond to such unreasonable request by uploading
something... indecent and shocking, to say the least.

------
jason_slack
Lets all just remember that we make our own choices.

1\. If you want to use Facebook, then you must follow the rules they set
forth.

2\. If you dont like #1. Just dont use it.

As consumers we all make choices that we need to make to benefit ourselves. If
I dont like a grocery store, I dont shop there. If I get treated rude
someplace. I find a new place that treats me better.

------
bovermyer
Meh. The government already knows I use Facebook. Facebook can extrapolate
anything about me using the information it already has, including, I imagine,
my driver's license number and social security number.

I really don't care at this point. I'm too deeply connected now to retract any
of it.

------
ecocentrik
Facebook keeps pushing the bounds of what's acceptable in terms of personal
privacy. They have given no indications that they will ever stop pushing the
privacy boundaries. This behavior seems to be a major component of their
operational/business model.

------
hanley
Wow, the way that they display the Twitter quotes in the article is hideous!
The icons are huge and distracting, and on top of that they don't seem to
understand the basic idea that all close quotes need to match up with an open
quote.

'Open Quote Icon'

message

'Close Quote Icon'

-username

'Another Close Quote Icon'

------
hawkharris
I think you all are overreacting to this story.

You don't _have_ to provide a government ID to login back into Facebook.
Alternatively, I was able to give them my bank passwords, private emails and a
list of deep dark childhood secrets.

------
twaddington
I read that title as "Furry" at Facebook. I guess I need to put on a second
pot of coffee.

------
scrrr
Business idea: Generate "Government ID" that is good enough to pass Facebook
verification.

------
itsbits
Atlast they did it..we can expect same from all other sites soon..

------
VeejayRampay
I like how how those people think they know better than to provide their
personal information to Facebook on a login dialog that is supposed to help
them get onto Facebook in the first place. The irony is just so thick I don't
even...

------
harel
What is a Government ID?

~~~
samuellb
Good point. In my country the government didn't even issue ID cards until 2009
or so, and government-issued IDs are still very very uncommon. Here you
typically get your ID from your bank.

------
ffrryuu
Migrate to a Open Source social network instead then.

------
crististm
Why stop there? They could ask for the SSN as well.

------
hajderr
Boycott Facebook.

------
4hthth4
Is it April 1st?

