
Of course they leaked the data. Any seasoned techie could've seen that coming from the start.

One of these days, some seasoned and principled lawyer, who knows a bit about tech, is going to get ticked off, and decide to make one of these companies truly pay for their gross negligence.

Then, gazing at the obliterated company, other companies will try to get legislation to let them off the hook, but some of those companies will decide the party of recklessness is probably over, and that they need to start acting responsibly and competently.




The problem is there are zero consequences for leaks. Customers should be owed automatic compensation for the companies giving their data away.


There should be nothing to leak. The record of verification should be a signature saying what was verified and how and when and nothing about the underlying documents/images/data off of which the verification was based.
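
The signed verification record proposed in the comment above, sketched as an added example that is not part of the thread or any vendor's code: the issuer checks the document, signs only what was verified, how and when, and keeps nothing else. The field names, the `NewIssuerKey`, `Issue` and `Verify` helpers, the `check` callback and all sample values are assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Attestation is the entire stored record: what was verified, how, and when.
// Field names are assumptions made for this example.
type Attestation struct {
	Subject    string    `json:"subject"`     // opaque account reference, not a name or ID number
	Claim      string    `json:"claim"`       // what was verified
	Method     string    `json:"method"`      // how it was verified
	VerifiedAt time.Time `json:"verified_at"` // when it was verified
}

// Signed pairs the exact signed bytes with the issuer's signature.
type Signed struct {
	Payload   []byte
	Signature []byte
}

// NewIssuerKey creates the issuer's Ed25519 key pair.
func NewIssuerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Issue runs the check over the submitted document and signs only the outcome.
// The document bytes are used for the check and never copied into the record.
func Issue(priv ed25519.PrivateKey, subject, claim, method string, doc []byte,
	check func([]byte) bool, at time.Time) (Signed, error) {
	if !check(doc) {
		return Signed{}, errors.New("verification failed; nothing issued")
	}
	payload, err := json.Marshal(Attestation{
		Subject: subject, Claim: claim, Method: method, VerifiedAt: at.UTC(),
	})
	if err != nil {
		return Signed{}, err
	}
	return Signed{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify is what a relying party runs: it needs only the issuer's public key.
// Decoding is strict, so a record carrying any extra field is rejected.
func Verify(pub ed25519.PublicKey, s Signed) (Attestation, error) {
	var a Attestation
	if !ed25519.Verify(pub, s.Payload, s.Signature) {
		return a, errors.New("bad signature")
	}
	dec := json.NewDecoder(bytes.NewReader(s.Payload))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&a); err != nil {
		return a, fmt.Errorf("unexpected payload: %w", err)
	}
	return a, nil
}

func main() {
	pub, priv, err := NewIssuerKey()
	if err != nil {
		panic(err)
	}
	doc := []byte("constructed stand-in for a licence scan")
	check := func(d []byte) bool { return len(d) > 0 } // placeholder for the real document check
	s, err := Issue(priv, "acct-7f3a", "age_over_21", "document+selfie", doc, check, time.Now())
	if err != nil {
		panic(err)
	}
	a, err := Verify(pub, s)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored record: %s\nverified: %+v\n", s.Payload, a)
}
```

A breach of the store holding these records exposes the claim, method and timestamp per account reference, but no document images or ID numbers, because none were ever written.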


That is needlessly complicated. The problem is the US federal government does not provide identity verification API as an infrastructure service. And they easily could using the USPS’s physical locations and their workflow in processing US passport applications, which already involves identity verification.

Or even just coordinating the 50 states’ motor vehicle commissions or whatever since they are also verifying identities to issue drivers’ licenses and state identification cards.


A friend applied for a job in the UK civil service - you were required to verify your identity by giving data to a third party, for profit company (and paying for the privilege). All of the companies had recently had significant data breaches. One of them - right there on the government provided guidance - lied about the company (Post Office) to imply a historied bastion of trust. It was blatant.

Verification could have been done using government data, but Tories have to also make a profit off of everything so they instead chose to give every civil service applicant's data away to companies with a track record of data leaks.


Exactly this. Even non-civil servants are required to sign up with one of these services for certain government ID accounts.

I don't recall which it was now, but I had to choose from a bunch of providers (I selected Post Office) when I registered for something Gov related a few years back. I don't remember what now since I haven't used it since, but PO still has the details and provides auth for a government service for me. Insanity.


I do honestly think the real reason for this outsourcing is because the Passport Office and DVLA don't provide their databases for identity verification purposes, even to other government agencies, aside from say the security services and police.

Even in banking, where the government mandate thorough KYC/ID vetting, no APIs are made available by the government to actually verify a copy of ID is legitimate. So you're left looking at whether it "looks" correct.

For better or worse, of course, but there's an argument to be made that the refusal of the govt to provide "ID verification as a service" is pro-privacy.


There are monied interests that do not want a tight American ID system.


It is more that the Federal government is Constitutionally prohibited from mandating such a thing, the most they can do is ask nicely and hope for compliance. Coordinating the several dozen States, which can do it, is like herding cats. This is further complicated because there are large factions of both Democrats and Republicans that are against it for a litany of unrelated reasons, so the resistance to it is robust and bipartisan.

It has little to do with "monied interests". It is primarily the product of nigh insurmountable legal and political hurdles.


Where does it say in the Constitution that the Fed can't operate a unified ID system?


The Federal government can build one but they can’t require it or make people use it, and an ID you can opt out of is useless. Only the States have that authority. This is settled law with a lot of precedent, and largely the reason the US has no national ID system no matter which politician runs the country. Courts have consistently held this to be outside the narrow Constitutional authority of the Federal government.

Having a mandatory Federal ID would require a Constitutional amendment, but since the States have refused to do it voluntarily it seems exceedingly unlikely that a super-majority of States would ratify an amendment that forces them to do it.


Is a legally mandatory ID required to solve this problem? The Federal government could create a voluntary one and/or coordinate the state IDs system into a modern digital ID system, then Uber and banks could use that instead of letting an SSN number or photo of ID be enough to commit identity fraud. If someone doesn't want to use the system, that's between the client and Uber.

Yes I know if this happens it will become one of those "technically not mandatory but in practice yes" things.


I think the problem is the government would not go to the trouble (nor get approval for) developing a solution that is not guaranteed to be used by anyone.


It doesn’t have to be mandatory. Just offering it means businesses will use it to offload liability, and only accept customers that sign up for it.


I don't believe that this is actually unconstitutional. The whole argument about the Fed not being able to set up a Federal ID hinges on the Tenth Amendment, saying that it's not a specifically delegated power.

But that is a ridiculously weak argument, there are tons of ways the Federal Government can mandate the unified ID. For example, it can be tied to the Social Security number. The government can (quite reasonably) argue that it needs to positively identify people to be able to correctly track their SS contributions.

Why this hasn't been done yet? Probably because nobody cares about that. Real ID gets postponed time after time, exactly for the same reason.


What you believe isn’t backed up by the long history of a national ID in the US. Your legal theory would have to explain, for example, why some States today (e.g. Washington) do not recognize or accept any Federal IDs, like passports, only State IDs. This is strictly in line with the Constitution, it is entirely permissible for States to reject Federal IDs for all legal purposes. What would compel a State to recognize any new Federal ID in the future if they already have the power to disregard Federal IDs in theory and practice?

A Social Security Number is not an ID expressly as a matter of law, because it can’t be legally. The many loopholes the Federal government tried to use to backdoor a national ID were shut down by the Supreme Court repeatedly. The US can only have a mandatory national ID system if the individual States, in aggregate, decide to create one. Thus far, they have shown no interest. Real ID is not a unified ID because the Federal government cannot compel it.

As with most persistent problems, the “obvious” solutions are not being ignored because no one has cared or no one has tried but because there are fundamental technical reasons they don’t work.


> What would compel a State to recognize any new Federal ID in the future if they already have the power to disregard Federal IDs in theory and practice?

The same thing Congress does to add a workaround for any law it's constitutionally forbidden to enforce on the States. A "voluntary" program where states that don't agree to the ID law don't get any federal highway funds that year.

This has been extensively tested and the Supreme Court is fine with it, e.g. [0]

Alternatively, enforcement through military means - Congress hasn't authorized the use of force against dissenting states since the 1860s, but the threat is always there.

Or paramilitary means, where an armed federal law enforcement group seizes control of state installations that aren't aligned with aspects of federal law. The DEA and ATF have a blueprint to follow here.

Or financial means, where Congress orders federally-regulated banks not to engage with customers that don't respect its ID policies.

There are other levers to pull, too. It's not that the States don't have any power, but in practice they are allowed the powers that the federal government chooses not to centralise - the opposite of how it works in theory, where the federal government governs only to the extent the States allow.

[0] https://en.wikipedia.org/wiki/National_Minimum_Drinking_Age_...


I don't believe any state does not accept a US passport as ID, and would need to see a source on that. A quick google returns no results.


https://dol.wa.gov/driver-licenses-and-permits/documents-pro...

US Passport is listed as acceptable identification.


> why some States today (e.g. Washington) do not recognize or accept any Federal IDs, like passports, only State IDs.

So, note to self: do not move back to the US from overseas to these states or they won't believe I am American.


> Your legal theory would have to explain, for example, why some States today (e.g. Washington) do not recognize or accept any Federal IDs, like passports, only State IDs

I don't believe you're correct. WA accepts all kinds of identification. I can't find anything in the RCWs to mention the exclusivity of WA identification for ANY purposes.

> A Social Security Number is not an ID expressly as a matter of law, because it can’t be legally.

Yet it is an ID (although not a strong one), and it's used for that purpose by the IRS. You can't be legally employed without an SSN (with several narrow exceptions).

Males in the US are also required to register with the Selective Service, which also requires an SSN.

All this has been upheld by the SCOTUS, the government just needed to show that it had a legitimate need for the ID system.

> As with most persistent problems, the “obvious” solutions are not being ignored because no one has cared or no one has tried but because there are fundamental technical reasons they don’t work.

Really? Have you lived in Europe, in countries like Estonia? It somehow managed to do the technically impossible.


You didn't answer the question.

Perhaps you could cite the main precedents and/or quote the US constitution?


The tenth amendment would be a good place to start. As others have pointed out throughout this thread, the Constitution has a whitelist of powers allowed to the federal government. All other powers are outside its purview.


Everything you say is true of state IDs too. They are not mandated. They are useful because some people choose to have them. Some people would also choose to have a federal id.


Sure, but in the US, many many many more people have a state-issued ID than a federal one (a passport).

If a company needs to implement age verification, they're not going to limit their market to the set of US citizens with passports if the federal government were to offer an ID (passport) verification service. They're going to want state-run ID verification services, or, as in the case here, a private company contracted to do it for all ID types.

Then again, if the federal government (or my state government, even) offered an ID verification service directly, I would be more likely to use a product that offered it as an option, vs. one that only offered some private company's shoddy ID verification service.

But this feels vaguely analogous to the municipal broadband fights. Private ID verification companies would certainly lobby against states or the feds building their own ID verification services.


Indeed. We call them “passport holders”.


Are there any example rulings that you can share to illustrate how courts have “consistently held” this?


Not off-hand but it goes back to at least the early 20th century. There have been many attempts at a national ID system via technical loopholes but the courts have not looked kindly on them. It is the reason a Social Security Number is explicitly not to be used as an ID in law, so as to maintain its legality. It is the reason that every part of the Real ID Act that involves the Feds aggregating a centralized ID database from the States is strictly optional (and many States have opted to opt out of that). The Supreme Court has already ruled that Federal regulatory and taxation power cannot be used to induce States to comply, as that would be an end-run around Constitutional limits on Federal authority. Whether I like it or not doesn’t matter, I recognize that this is the reality.

As a heuristic, when something obvious and simple, like a national ID, has inexplicably never existed across every political administration, it is unlikely to be an oversight. This has been playing out for a very long time, it is unfortunate that most Americans are not familiar with the legal history.

It is similar to why people were surprised the government didn’t even try to enforce lockdowns during COVID anywhere in the US. Freedom of travel was thoroughly adjudicated across many cases by the Supreme Court covering almost every circumstance imaginable. Any prohibitions on freedom of movement are subject to the “strict scrutiny” standard, same as freedom of speech. Any politician attempting to do so would have invited instant wrath and injunctions from the judicial system, and their legal advisors knew it.


Perhaps you didn’t hear about “Real ID”. You need it to fly, and it involves data sharing/matching with the federal government. They did a back door federal ID system by simply integrating with all of the state ID systems.


The Federal integration is optional, it cannot be compelled, and many States have opted to not implement it. The only thing the Real ID does is compel uniform standards for how States implement ID, it does not compel them to share their databases.


All 50 states, DC, and 5 territories are all issuing Real ID-compliant IDs. It’s also required by TSA to fly from 7th May of next year.


They can operate a national ID system. For instance SSNs and passports. They can also force states to do things (like RealID).


The constitution doesn't say what the federal government is disallowed from doing. The constitution says what the federal government is allowed to do, and they are not allowed to do anything it doesn't say.


If this is the case, how are they allowed to issue passports?


Good question! I think the short answer is because the Supreme Court has interpreted the constitution as having granted that power. It is not an open-and-shut case, however, and stems from the constitution's grant of power for Congress to control the Rule of Naturalization, and from the 14th amendment. A conservative reading of the constitution, however, might imply that Congress does not have the power to bar entry to foreign nationals.

> Article 1, § 8, clause 4, of the United States Constitution specifically grants Congress the power to establish a "uniform Rule of Naturalization."

http://hrlibrary.umn.edu/immigrationlaw/chapter2.html

> This passport function, recognized since 1835, is one of the privileges and immunities of American citizens protected by the Fourteenth Amendment.

https://www.yalelawjournal.org/forum/citizenship-passports-a...


I don't think you need to really coordinate all the states. Each state can provide their own ID verification system. Yes, it's a pain that every product wanting to use it will have to do 50 different integrations rather than one, but ultimately things will converge to a more or less standardized API (or a few of them).

Of course it's dumb that taxpayers will have to pay for 50 of these things through their state taxes instead of one of them through their federal taxes.

Then again, what's most likely to happen is that the states will outsource it to a private company like this one, and we're no better off.


> Coordinating the several dozen States, which can do it, is like herding cats.

... or a matter of finding the correct leverage. Drinking age 21, for example, got bullied through by threatening to cut highway budgets [1].

[1] https://en.wikipedia.org/wiki/National_Minimum_Drinking_Age_...


What are these monied interests, and what incentive do they have to prevent a "tight American ID system"?


What are they?


Agriculture and food processors want their undocumented workers.


The transition to documented humanoid robots might take less than a decade.


Only if they are cheaper than a human. Which seems unlikely, for this kind of work.


Given time, what seems unlikely today will eventually be inevitable.

With sufficient design iteration and manufacturing scale, there's no reason why a humanoid robot couldn't be cheaper to manufacture than a compact car. That's competitive with a single year of unskilled human labour — and that's before you account for the robot working 7 days a week, 18+ hours a day, for many years. No messing around with undocumented workers, no risk of unionising, no sexual harassment accusations, no training costs (after training the first robot), no worker injuries resulting in expensive litigation.


[flagged]


Yeah but a mandatory national ID or voter ID isn't what the comment a few up is asking for. Driver's license is an optional form of ID as far as the govt is concerned, but this doesn't stop Uber from requiring it. The state or federal govt could help prove that someone has a valid DL without that person having to give the original DL to Uber.


Even voter ids would be optional. The govt. won't force you to have one. Voting is a right unlike driving but driving is more important to livelihood and life (which are rights) and yet we require driver's licenses to drive.

Ideally, national (voter) ids should be free and obtainable with minimum effort.


> Ideally, national (voter) ids should be free and obtainable with minimum effort.

Except they definitely won't be. See: the entire south. Election integrity can be maintained without voter IDs as evidenced by the fact that we have a couple centuries of successful elections without them. The concept exists only as a way to disenfranchise voters.


Every democratic country in the world with successful elections has voter ID* except for the US, unless I missed one. I don't know if there's some way people were disenfranchised as a result. For the past couple of centuries here, we don't have a way to prove that election integrity was maintained.

* checked either at registration time or polling time


We do actually have a way to validate election integrity because we have voter registration. If someone impersonates me and casts a vote in my name that is detected when I try to cast it again.

There’s zero credible evidence that it is needed and clear evidence that it will be used to disenfranchise voters.

It’s a feel-good “common-sense” issue but that juice ain’t worth the squeeze.


Impersonation isn't the issue. In almost every state, ID isn't required for voter registration, so there's no way to tell if you're an eligible voter or even a real person. Maybe if we have access to how many people registered and voted without ID in each race, we could determine it's been a small enough number not to matter even if 100% of them were fraudulent. But idk, there have been some tight races in the past.


So what is your assertion here? That there are enough fake voters registered to influence the outcome of elections but there has never been any evidence of that happening? How is that possible? How is such a conspiracy administered and coordinated?

What we do have evidence of is deliberate voter disenfranchisement. Things like limiting where and when voters can register to places that are hard for minorities to reach. Or moving polling locations at the last minute.

You’re attempting to solve a problem that has no evidence of existing with a solution that will definitely benefit proven abusers.


My assertion is that we don't know whether or not fraudulent votes have changed the outcome of an election, whether coordinated or not. You keep saying it's never happened, without any evidence.


I keep saying there is no evidence that it has happened, which there isn’t.


There are restrictions on all rights. I don’t see a problem with requiring an ID, whether DL, PP, or just a personal ID. There can be loopholes but it should require some documentation and not simply “I am Kaiser Soze” in the Name blank


And one of the major causes of that problem is that there is no US equivalent to the GDPR, even as the current ID systems are being abused quite thoroughly. Until we have something like the GDPR to prevent companies needlessly demanding personal information, simply making ID verification easier would mean even more places asking for identifying information, using it to build even more surveillance databases, and eventually leaking it all. For starters, imagine that every website currently using SMS login nags as an excuse for collecting phone numbers would switch over to requiring full legal names, inescapable ID verification, and then hard linking their collection of dossiers with the rest of the surveillance industry.


Why co-opt USPS and not ID.me?


Because the US government already owns the USPS. And you need physical offices and employees everywhere to verify people in person.


> zero consequences

Zero fucks given: "None of those companies responded to multiple requests for comment from 404 Media."


Are you suggesting that bulk-buying a year of Experian credit report access for the few people who haven't already won a subscription from some other leak isn't a consequence? Or that being able to see your own credit report isn't compensation enough? Heresy!

/s


For various reasons I started to open a bank account with Mercury, before deciding to use another provider.

When I said I'd no longer be finishing the application and to please delete my passport info, first they ignored the second part. When I replied again asking them to delete my data they replied about KYC laws and assured me the data was securely stored of course.

At that point I gave up. Maybe they could delete the data if I fought, maybe their hands were tied, maybe me fighting would end up flagging my info as a money laundering risk. But I immediately imagined exactly this leak happening.

They're not the only vendor affected that had my data, nor is this breach the first, but that's the one that stings the most.

Anecdotally I'm being swarmed by text message spam for the first time in months. I have to assume people are running through new breach data to find live numbers.


Yes, their hands are tied. KYC requires the banks to keep the data for five years after account termination.

One of many, many shitty things introduced by the Patriot Act that we now just live with.


GP was never their customer, though. They started filling out the application to open an account, got past the ID verification step, and then decided not to complete the new account process.

Likely the issue is that they just didn't think of this possible case, and there's no way to delete the ID information, and the CS person didn't want to go through the extra work to find someone who could approve it and/or get it done.


I understood GP to have started but not finished the process of opening account. Does KYC still require banks to keep the data in this case?


IANAL, so I'm not gonna attempt to interpret it, but here's how it's phrased:

> Recordkeeping. Section 326 of the Act requires reasonable procedures for maintaining records of the information used to verify a person's name, address, and other identifying information. The proposed regulation sets forth recordkeeping procedures that must be included in a bank's CIP. Under the proposal, a bank is required to maintain a record of the identifying information provided by the customer. Where a bank relies upon a document to verify identity, the bank must maintain a copy of the document that the bank relied on that clearly evidences the type of document and any identifying information it may contain. The bank also must record the methods and result of any additional measures undertaken to verify the identity of the customer. Last, the bank must record the resolution of any discrepancy in the identifying information obtained. The bank must retain all of these records for five years after the date the account is closed.


> a bank is required to maintain a record of the identifying information provided by the customer.

They didn't complete the application, though, and so were never a customer of the bank. So this shouldn't apply.


search for their board and start the process with each one of them up to the public data allows.


They are probably outsourcing to a vendor who will do god knows what with it


"One of these days, some seasoned and principled lawyer, who knows a bit about tech, is going to get ticked off, and decide to make one of these companies truly pay for their gross negligence."

Principled lawyer who knows about tech here: This won't happen.

1. It's probably not gross negligence - gross negligence is an extreme departure from ordinary standards of care - the ordinary standard here seems to be to suck at security :)

Legislation could establish a standard of care here and make this kind of thing gross negligence, but that hasn't really happened yet.

It's also not obvious they owe a duty of care to anyone in the first place, without which negligence is impossible (at least regular old negligence) - this also needs legislative fixing unless you want to end up arguing about it forever.

2. Damages are basically all speculative - what is your actual injury here, and how much can you prove the value of it. Lots of people on HN love to say how much X or Y is worth. What can you actually prove in terms of real loss?

It's fun to argue speculative loss (ie the value of your personal information maybe being stolen in the future, etc), but most cases are about real loss.

In practice where it's too hard to calculate we often end up with statutorily set damages. That also hasn't happened here.

Sorry to burst your bubble - without a bunch of legislation here, nothing is going to happen outside of the regular old class action lawsuits and $5 coupons.


> 1. It's probably not gross negligence - gross negligence is an extreme departure from ordinary standards of care - the ordinary standard here seems to be to suck at security :)

how hard it is to find a single company which does it right to testify? and then defense would have to find experts and several other legal counsels from similarly sized companies willing to testify that they also "do it wrong as a norm", with the extremely high risk of being included in the malpractice claim if the defense fails.


That single company will be setting an extra-ordinary standard, so that doesn't help you.


not if you frame it as "look at this randomly selected company pretty standard security practices"...


If you find a company with strong security, it won't be randomly selected.


> Any seasoned techie could've seen that coming from the start.

At this point, it's pretty safe to just assume that any personal data any company has about you will be leaked sooner or later.


I mean, if you live forever and cannot die by any means, your odds of getting stuck somewhere approaches 100% (fall in a pit, landslide, fall overboard on a boat, stuck in the sun, lost in space, etc).

I imagine it is the same for data. The longer it is available, the more likelihood of it getting out of the company.


> make one of these companies truly pay for their gross negligence.

I think our whole industry is rotten and we need to drastically rethink a lot of what we do. This is unacceptable and it shouldn't be this hard. We need a reckoning.


We might, but until average person does not consider it an issue ( and Equifax breach[2] proved it is merely cost of doing business[1] -- ~400 million out of $3,362 million profit in 2017 ), it will not be an issue. I am annoyed, but I have been annoyed for a long time. I am just waiting for the rest of the non-technical people to catch up, because it eventually should. But then... I am an optimist.

[1] https://www.ftc.gov/enforcement/refunds/equifax-data-breach-...

[2] https://en.wikipedia.org/wiki/2017_Equifax_data_breach


It's kinda impossible to give out DL, SSN, etc to so many companies and not have it leak. If these theoretical lawsuits scared companies enough, they might pay some centralized third party to handle the verification for them, but bad things follow from that.

The federal and state governments hand out these IDs in the first place. Shouldn't they be the ones to verify them?


Honestly, I hope Ron Wyden (I think his name is, US politician) takes this up - he has previously done excellent work calling companies to be accountable for such invasive and insecure practices


Problem is, "Evil Hackers" always get the blame rather than the negligent companies, who play the victims. They trot out all the usual flawed analogies about locked doors and burglars, to excuse their negligence, and it works! So, the only legislation we ever see is to be Tougher And Tougher On Hackers instead of holding these clown companies responsible for the data they act as custodians of.


For negligence to arise there must be, inter alia, duty and proximate harm. I think you’ll find the identity services have a duty to their contractual partner, the website, but not to the victim whose identity was stolen. And there’s a circuit split as to whether any of these people were even harmed.

While litigation seems appealing, the answer here is legislation.


Sometimes there's probably negligence involved; sometimes not. You don't know without having access to the specifics. Always blaming "negligent companies" is just as wrong as always blaming "evil hackers".



