

Ask HN: DigitalOcean asking for government ID? - kohanz

Although I used Heroku&#x27;s free dyno to host my side-project, I couldn&#x27;t justify the cost to move it to a paid dyno. Instead, I looked for a lower cost VPS and found DigitalOcean. Reviews looked decent and the price was right.<p>However, after signing up and giving them my CC info, I was informed that my signup had triggered DO&#x27;s automatic abuse detection and I needed to submit some supplemental information. I complied and submitted my name, physical location, phone number, and my personal twitter account as asked. Fair enough, I thought.<p>I then received another request, this time stating <i>To help us verify your identity, please send us a scan of your government-issued photo ID or passport to verify@digitalocean.com</i><p>Now, I like to think that I am not as stringent or even disciplined when it comes to privacy or shared data. However, am I off-base to feel that this request is beyond reasonable? I know the practical answer is &quot;If you think it&#x27;s unreasonable, take your business elsewhere&quot;. I understand that and may well do so (e.g. Linode).<p>I am in Canada and I do know that in the US it is common for merchants to ask for photo ID along with CC, but I am much more comfortable flashing my ID card in a brick &amp; mortar store than I am sending a digital scan to an online business I have no experience or relationship with.<p>When I googled this type of request, I couldn&#x27;t find previous references to it. How do people feel about DO asking for government photo ID to go along with CC information? Is this a common practice that I am just not informed about?
======
superuser2
A credit card transaction is a _promise to pay_ , not a payment. That promise
is what you sign when you sign a receipt in a store. The merchant and its
credit card processor need to identify someone who can be legally compelled to
make good on that promise in order for the system to work. This is not a
corporate conspiracy, just the nature of credit. Increased risk of fraud calls
for more reliable identification; DigitalOcean is asking for a second factor
to confirm that you actually own that CC. (Otherwise, they are at risk of
eating the loss in case of a chargeback. An ID document, like a signature,
gives them something to show in court to hold you responsible for the payment
even if you chargeback.)

It is the nature of the credit card payment system that legitimate
transactions are never anonymous. In any situation where you keep your
identity private from your creditor, then either your creditor is brain-dead
or you are committing fraud.

If you wish to purchase VPS hosting without revealing your identity to the
seller, use (tumbled) BitCoin.

If your concern is for the security of your ID document (rather than the fact
that DigitalOcean will know your identity) then insist on using email
encryption or send via snail-mail.

~~~
kohanz
Thanks for your explanation. I do believe they are not outside of their bounds
in wanting to verify my identity. You are correct that my concern is the
security of my ID document.

I'm curious how email encryption would solve this problem. Presumably it would
make for the secure transmission of the document, but I would still be left
with DOs word that the document would be completely deleted after they viewed
it and not kept on file. I just hate the thought of my CC info _and_
government ID sitting somewhere on their servers and then hearing they had a
security breach (for the very reasons that you specified - CC alone ==
promise, CC + ID == identity theft?).

------
codezero
This isn't terribly uncommon. You should ask if you can redact certain
information from the ID. They probably don't do this often and when they do
it's because there is some significant signal that means that the cost of
asking you for this generally excessive information, outweighs possibly losing
you as a customer because of some inherent risk they see on their side.

If you trust them with your credit card number, then I don't see why you
shouldn't trust them with your identification as long as you are sure this is
not a phishing scam of some sort. All the same, I'd still see if they would
let you redact anything you are uncomfortable sharing (like the license # or
address) Chances are that they just want to make sure you are definitely who
you say you are, which a solid, scanned ID will help to confirm.

As a slightly unrelated aside: bartenders ask for your ID, so do some vendors
when using a debit/credit card, so this is not completely crazy, obviously
they don't explicitly store it in digital form, which is probably where your
concern comes from.

~~~
kohanz
Thanks for your helpful comment.

I asked if I could redact anything and received the response: _A scan of the
entire ID would suffice. It 's for verification, we do not store it in
anyway._ Hardly a response that creates confidence. Pardon me if in this day
and age I don't exactly trust the public facing data retention policies of
private companies.

I agree that brick and mortar vendors ask for ID all the time (in the US, at
least), but as you said I'm comfortable having a human peruse it, not so much
having them store it in a digital format.

~~~
codezero
It's up to you at this point. I think it's a bit unusual that they won't
accept it after being redacted. You can try just sending it redacted anyways.
Leaving name/address/dob/photo seems reasonable. If it's sufficiently high
resolution, I can't see that they will be terribly bothered.

For reference, by the way, I work at Quora, and have done a lot of work
relating to enforcing real names on the site. We have asked for photo ID, but
specifically ask for details to be redacted. The only things that will
escalate something to this level of scrutiny are multiple red flags that
signal a suspicion of abuse.

I imagine that because there is a financial transaction involved, DigitalOcean
has different procedures and looks for different red flags.

------
disclosure
Just got this myself too and my first thought was it has to be a scam.
Submitting photo ID online is rather unusual for hosting company to ask for.
DO does appear to be less favorable now given the level of verification they
need. I wonder if this applies to most DO users though.

[Sent to support] Earlier today, I received a support ticket from
DigitialOcean with the message below asking for government issued ID. This is
an unusual request for hosting company. Can you confirm this? \--- ATTACHED
MESSAGE BELOW --- To help us verify your identity, please send us a scan of
your government-issued photo ID or passport to verify@digitalocean.com with
this ticket's ID in the subject, example: "Ticket #XXXXXX". Once you have sent
that please let us know by replying to this ticket.

[Response from DO] We ask for IDs for accounts that have been flagged during
verification. We apologize if it appears abnormal but we take abuse very
seriously Alex

------
ElongatedTowel
What is a good way to pay then? I can't get a normal credit card so I have to
make due with a prepaid card. To make it right from the getgo and buying a new
domain as well as hosting my alternative idea was:

buy domain/mail at namecheap with bitcoin -> paypal on my bank account with
that address -> pay digital ocean

I wanted to avoid bitcoin and paypal so I came up with a different plan buying
a prepaird card and:

buy domain/mail at namecheap with cc -> pay digital ocean with cc.

This makes me wonder if I run into the same trouble in two instances. I don't
have a scanner or a camera (believe it or not) so I'd have to run to a friend
who lives an hour away. I'd rather avoid that...

------
manishsharan
Hetzner also asks for government ID; I had to send them a scanned image of my
driver's license. I do not see that as an issue; hopefully it will keep the
malware/spamware guys off Hetzner.

------
mumf83
I just had the same, asking me for photoID or my passport. There is absolutely
no way I trust anyone with my credit card information plus photoID / passport.
It's like I'm trying to enter the USA. Surely they will keep the digital copy
if they really did take us to court?

A real shame, specially as I heard a lot of good things with DigitalOcean.

------
mutant
Consider photoshopping, not to falsify, but the claim of not storing is
dubious....plus, they aren't a police organization, not like its perjury.

I think it's excessive myself. I'd flip them the bird and try amazon,
dreamhost, or rackspace (although they are hardly inexpensive).

~~~
codezero
They'll spot this, so it's not worth it, it will only add to their suspicion.
It's OK to 'shop it if you are removing stuff very obviously, but to
hide/alter info they want will just cause trouble.

