
Run instant authentication checks on any government issued ID - willow9886
http://www.confirm.io/
======
Animats
Their authentication check doesn't do much. They aren't validating drivers
licenses against a database. Has anybody tested this thing with common fake
IDs? If you show it a color copy of a driver's license, can it detect that?
How? They're looking only at a flat photo. They can't tell a hologram from a
photo of a hologram. They don't make you take pictures from several different
angles. You could probably take a picture of an ID, alter it in Photoshop, and
get it through this thing.

Their privacy policy looks like a standard web site privacy policy. It says
nothing about how they handle ID data. That's a big deal, because Confirm is
handling personal data that isn't about Confirm's own customers. This can
create liability for Confirm or Confirm's customers under various identity
theft laws.

Here's their founder: [1]

[1]
[https://www.linkedin.com/in/kylekilcoyne](https://www.linkedin.com/in/kylekilcoyne)

~~~
mathrawka
There are actually valid driver's licenses in the US without holograms. They
are usually temporary IDs valid for 3 months or so.

The one I had when I moved was printed on a very low quality inkjet printer...
it looks more fake than a fake ID, but it is a legal, US government issued ID.

~~~
Jemmeh
Same. It actually takes them about a month to mail the plasticy version. I
find it odd since I used to get the plasticy version while I was there at the
DMV, but I figured it was probably more expensive to have one of those
machines at all the DMVs, rather than just having a few in select locations.

~~~
superuser2
Part of the Real ID program is physical security and internal controls at
printing facilities beyond what DMV branch offices are generally capable of,
as well as printing processes that require $300k+ of specialized equipment.

The best route to a fake ID was previously to bribe a DMV clerk to use the
printer after hours. Those fakes were basically undetectable by physical
inspection.

Very few convincing fakes (that are caught) are built to modern standards.
Fake ID makers almost always imitate designs from before the institution of
Real ID.

~~~
Jemmeh
I get the point of that, but doesn't that make it easy to "fake" a temp one
because the temporary ones are really just printed on a poor inkjet printer?

~~~
superuser2
The piece of paper they give you at the DMV will work in a traffic stop, and
maybe for voting (not doing so is a civil rights lawsuit waiting to happen)
but is unlikely to be accepted anywhere else.

Most organizations would rather see your slightly expired card, demand a
second factor, or just refuse service rather than trust a piece of printer
paper. You're definitely not getting into a bar with a temporary ID if you
look plausibly underage, or the kids would be doing that already.

~~~
Jemmeh
I had two recently (renewed, then moved states). I've been able to use my temp
ID at several bars & also to redeem tickets at an event. Sometimes they looked
a little unsure for a moment, but they shrugged and went on with it.

------
okso
Sending photos of government issued IDs to third parties looks like a very
dangerous approach to the problem.

These photos could be stolen and reused for fraud and identity theft.

Electronic IDs provide a much safer and more reliable way to check the
identity of a user. Eg: every citizen in Belgium can authenticate HTTPS
connections with his ID card.

~~~
revicon
What's an "Electronic ID"?

~~~
okso
An Electronic Identification or "eID" is an ID card with a chip on it, that
allows operations such as authentication and signing electronic documents.

See Wikipedia for more info:
[https://en.wikipedia.org/wiki/Electronic_identification](https://en.wikipedia.org/wiki/Electronic_identification)

------
dsr_
So, what exactly are they promising to do? Let's look at what they say in
their terms of use:

    
    
      EXCEPT AS EXPRESSLY SET FORTH HEREIN, THE LICENSED TECHNOLOGY IS PROVIDED ON AN “AS-IS” BASIS AND CONFIRM DISCLAIMS ANY AND ALL WARRANTIES.  CONFIRM DOES NOT WARRANT THAT THE LICENSED TECHNOLOGY IS ERROR-FREE OR THAT OPERATION OF THE LICENSED TECHNOLOGY WILL BE UNINTERRUPTED. EXCEPT AS OTHERWISE EXPRESSLY PROVIDED IN THIS AGREEMENT, NEITHER PARTY MAKES ANY ADDITIONAL REPRESENTATION OR WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED (EITHER IN FACT OR BY OPERATION OF LAW), OR STATUTORY, AS TO ANY MATTER WHATSOEVER. ...  EACH PARTY EXPRESSLY DISCLAIMS ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, QUALITY, ACCURACY, TITLE, AND NON-INFRINGEMENT.
     
     

7 LIMITATIONS OF LIABILITY

7.1 Disclaimer of Consequential Damages. THE PARTIES HERETO AGREE THAT,
NOTWITHSTANDING ANY OTHER PROVISION IN THIS AGREEMENT, EXCEPT FOR (A)
CUSTOMER’S BREACH OF SECTION 1 OR 6.2, (B) EITHER PARTY’S BREACH OF SECTION 5
, AND (C) LIABILITY ARISING FROM A PARTY’S INDEMNIFICATION OBLIGATIONS SET
FORTH IN SECTION 8.1 AND 8.2 BELOW, IN NO EVENT SHALL EITHER PARTY BE LIABLE
TO THE OTHER FOR ANY SPECIAL, INDIRECT, RELIANCE, INCIDENTAL OR CONSEQUENTIAL
DAMAGES OF ANY KIND, LOST OR DAMAGED DATA, LOST PROFITS OR LOST REVENUE,
WHETHER ARISING IN CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, EVEN
IF A PARTY HAS BEEN NOTIFIED OF THE POSSIBILITY THEREOF.

Which is to say, it could tell you that Lovin McSpoonful is a totally valid CA
driver's license, and you have no remedy if you rely on that to sell the 18
year old alcohol.

~~~
repiret
If you have a need to verify IDs, a tool to help is helpful even if its maker
isn't going to pay for the consequences of getting the wrong answer. I doubt
the people who make the black light flashlights are making stronger promises.

~~~
mmagin
A blacklight flashlight is a simple tool where you can understand how it
works. This is an opaque service and you cannot reasonably know what's going on
behind the scenes.

------
aestetix
    $ nslookup api.confirm.io

    Non-authoritative answer:
    api.confirm.io canonical name = midentssl-861843077.us-west-2.elb.amazonaws.com.
    Name: midentssl-861843077.us-west-2.elb.amazonaws.com
    Address: 54.149.15.14
    Name: midentssl-861843077.us-west-2.elb.amazonaws.com
    Address: 52.25.246.175

Hosted in the US on Amazon. That makes it immediately a no-go for European
customers.

So, what's the data retention policy? Who has access to it? Is any PII
contained in the webserver logs? If the answer is "no", how do you define PII?

Have you had a third party security audit done? If so, can we see the report?

Those are just a few of my initial questions :)

~~~
sbierwagen
It's US only at the moment, and given the concerns you just raised, probably
will be forever.

------
imglorp
"Contact sales" is a clear, absolute dinosaur warning.

I want transparent pricing right on the page, instant SDK access for self
evaluation, instant purchase if I want more, and no slimy sales process that
depends on my region or what I negotiate.

~~~
LeifCarrotson
Yes, but you are probably also worried about the many technical and legal
issues listed above, and want them corrected before signing up, rather than
negotiated in a series of conference calls and meetings with your legal team.
You likely want to pay for this with a "credit card" and monthly subscription,
rather than by passing them the fax number of your purchasing department. You
expect detailed API documentation and example code to be easy to find online,
rather than in a training seminar and behind an NDA.

Companies can make money in lots of ways. "Contact Sales" is not an invalid
way to do so, just an unpopular one.

------
iamleppert
What a great way to open your company up to a huge liability. When (and not
if) this place gets hacked, expect to foot the bill for identity protection
service for a few years for anyone you have scanned using this thing. The
burden is usually on the person who originally handles the identity documents,
even if a service they are using has been compromised. There's a reason why
many nightclubs no longer scan ID's.

Also I don't see any data or information about any guarantees, no case
studies, etc. A service like this is worthless unless they are willing to
provide something for when fraud does occur, or provide a guarantee that the
service actually works and the results can be trusted.

Reading through their terms of service, there is no warranty whatsoever.
Their technology could be completely bogus, or do nothing for all you know.
It's a black box.

You're basically opening yourself up to liability for questionable benefit.

~~~
djcapelis
> Their technology could be completely bogus, or do nothing for all you know.
> It's a black box.

They say they used machine learning, so the reality is that usually means they
don't even know what their technology does either.

I'm sure they can tell you that statistically, it will _probably_ not validate
an image of a cat as an ID.

------
FabHK
By "any government issued ID" do they mean "some US government issued IDs"?
The website has no indication on what countries are covered, or whether e.g.
US military IDs or FAA pilot licenses are covered.

Reminiscent of IDnow ( [https://www.idnow.eu/](https://www.idnow.eu/) ), which
has been around for a while now. IDnow claims that it "is available worldwide.
IDnow supports identification documents (passports and personal ID cards) in
accordance with the common ICAO standard, which is valid in more than 190
countries."

~~~
uptown
They're happy to take your photos of whatever government ID you're willing to
send them.

------
micaksica
I'm curious how they're protecting this data. Having access to a bunch of raw,
high-megapixel ID images is enormously useful for bad actors.

~~~
ceejayoz
and the Privacy Policy states "In the event of a corporate sale, merger,
reorganization, dissolution or similar event, Personal Data may be part of the
transferred assets."

~~~
ourcat
Though they also say "zero personal information" is retained.

This is hacker-honey.

------
gruez
From the website, it looks like they're doing image analysis on the ID scans
to verify its authenticity. Given that it's hard for a human to spot a high
quality fake, I doubt that some machine learning model can do much better. The
only thing I'd imagine it being useful for would be for checking off a
regulatory requirement.

~~~
djcapelis
Or for training your algorithm that generates fake ID photos! confirm.io
should be okay for that.

------
bouk
Seems kind of sketchy to be saying "safe & secure" but not even bothering to
set up HTTPS for your website

~~~
gruez
to be fair their API endpoints are https

~~~
dangerlibrary
Sure, but Let's Encrypt costs nothing and takes one engineer a couple hours to
set up, at most. It shows that corners are being cut, which is the opposite of
what you want to see in a product like this.

~~~
djcapelis
What it shows is that they read this
[https://www.wix.com/support/html5/article/request-adding-an-...](https://www.wix.com/support/html5/article/request-adding-an-ssl-certificate-https-to-your-site)
and decided to build their website with that platform anyway.

~~~
dangerlibrary
positively octagonal.

------
astanway
Seems like a sketchy business to me. Who founds a company, raises 4M out of
the gate, and then acquires a competitor a month later?
[http://www.confirm.io/#!our-story/h6arz](http://www.confirm.io/#!our-story/h6arz).

Combine that with a "partnership" six months after that, and it really seems
like there is zero proprietary technology that was built by this company in
the first place.

~~~
jpalomaki
There's an existing company that has nice technology ( Advanced ID Detection,
the company that was acquired [1]), but it is missing the hype factor and
targets brick and mortar market. Somebody has an idea that there's big
potential for offering this technology as a service. Outside money is brought
in and a deal is made. Based on a quick look at the web pages, the existing team
and founders continue in the new company.

I don't think this necessarily means that there's something shady going on.
Could be just a way to structure the deal, compensate the founders for their
work so far and get money to focus on sales and expanding the business.

[1] [http://www.advancediddetection.com/](http://www.advancediddetection.com/)

~~~
bestnameever
FYI it is probably the same technology. The whois record for confirm.io
references the same address that is listed on the contact page of
advancediddetection.com. The Owner orgname is also listed as 'Advanced ID
Detection'.

------
koolba
No https and no pricing info means no bueno.

------
fatdog
Consider that to verify these IDs they would need bilateral agreements AND
API access to each issuing authority for the cards to look up the card to
verify it against the "real" data. Unlikely they have achieved that given
governments are not in the business of offering this service to the market
these days.

The question becomes, who takes on the liability for the identity asserted by
the user who has presented the card? They could compare it to all previous
images of the card, but again, was that original?

All eID solutions have a bootstrapping problem related to the "fons honoram"
that creates the legitimate "original."

The use cases for ID are all law enforcement related, and the integrity of
these processes does not withstand even basic scrutiny.

What is the problem they need to solve? Limited liability broker for proof of
legal identity over a communications channel.

Here are the things that matter:

- "liability"
- "broker"
- "proof"
- "legal"
- "identity"

Here is what other companies in that space do:

"ah takez teh picturez of teh cardz and ah sendz to tehm."

This company may have solved these other problems. If they have, I would be
yelling it from the rooftops because the technology doesn't matter, they would
literally have been given the right to print money.

~~~
michael_fine
They're not claiming to verify them against a govt database which doesn't
exist, they're just claiming to be the smartphone equivalent of the ID scanners
that liquor stores have.

------
r1ch
Site doesn't work without JS. No love for progressive enhancement :(.

~~~
gruez
It's like that for all wix template websites.

~~~
whorleater
Oh is that where all these awful "need js to display text" websites were
coming from? I had originally thought that they all switched to React or some
silly CMS.

------
SAS24
There are a ton of players in the "ID verification" space (LexisNexis, Jumio,
MiTek, KoFax). Most of them are only verifying the formatting of the ID, not
the information.

I've yet to find an API based solution that can reliably verify information
solely based on the picture of someone's driver's license.

~~~
15155
The information needs to be cross-referenced with a public records check (like
Jumio allows - can't speak to the others) in order to be useful.

------
Gys
US only it seems. The world is bigger than that. Although that is obviously
less obvious to some...

------
leetrout
If anyone from confirm reads this: You should probably change that video on
your site if that's a real ID.

That name, DOB, address, and license number is easily discernible from the
video.

~~~
aclimatt
Wow you're not kidding. It's Tom Hill, their sales guy:
[http://www.confirm.io/#!team/c6ngy](http://www.confirm.io/#!team/c6ngy)

I bet he wouldn't be happy if he realized that his date of birth, driver
license number, and address were publicly on his company's homepage...

~~~
leetrout
Good call- I didn't even think to look. I emailed him directly.

------
jzelinskie
Can this use a square-style card reader to allow for swiping cards? It seems
pretty clunky to use the camera if you're working the door someplace.

~~~
pavel_lishin
My New York state ID doesn't have a magnetic stripe, but a barcode like in
some of the screenshots on the page.

~~~
joombaga
I'd be interested to know if that is the exception or the rule. My Michigan
license has a mag strip and barcodes, while my Tennessee ID only has a
barcode.

~~~
rtkwe
NC IDs only have a 2D barcode and iirc the data is encrypted so I wonder if
they're able to pull data from them.

~~~
tgokh
I went to a bar/restaurant in Utah recently that scanned everyone's IDs at the
entrance - their little handheld reader pulled my name and computed my age
from the barcode on the back of my NC DL. They said it works for most states,
but it didn't work on a friend's from MN

Edit: Also, the new (ugly, pastel-ey) NC drivers licenses also appear to have
a 1-D barcode on them as well

~~~
rtkwe
I was poking around for fun a while ago looking into the barcode and you could
buy scanners that could read from NC IDs but they weren't free/cheap.

I haven't seen a new ID, haven't bothered getting a new one since I turned 21
a few years back so I have no idea what the newer ones have or don't have.

------
rblatz
This is an interesting problem space. We recently looked into this and found
Jumio, how does this service compare to them?

------
tener
Aren't the advanced badge features they are verifying secret?

------
state
Reading through the comments I'm enjoying thinking about this as an elaborate
honeypot set up by a state actor for recruiting. Looking forward to the
longform Wired article in a few years!

------
djcapelis
Cool. Now we just need a "generate fake ID photos API" to close the loop.

------
Kinnard
This would have been a literal lifesaver when I was running the fifth largest
Bitcoin exchange in the world . . . looks good too!

