That would be an incorrect assumption. Per https://support.stripe.com/questions/managing-your-id-verifi... customers of Stripe Identity have API access to "captured images of the ID document, selfies, extracted data from the ID document, keyed-in information, and the verification result".

Thus, when you use Stripe Identity to verify your identity, you have to trust that:

1. The website doesn't download, retain, and later leak your selfie and identity information.

2. The website's Stripe API token isn't compromised and exploited by identity thieves to access your selfie and identity information.

Stripe appears to be leaning heavily on their claim that they don't disclose "biometric identifiers" to websites and that these "biometric identifiers" are deleted from their systems within 48 hours. This is extremely deceptive considering that biometric identifiers can be reconstructed from the selfie.

> Considering that Stripe was originally known for letting websites accept credit card payments without seeing your credit card number, one might assume that Stripe Identity only allows websites to see the verification result, and not your selfies and scans of your identity documents.

A few points:

- Fundamentally, Identity makes it possible to choose how much of this data traverses / is stored on your servers, just as Stripe did with card numbers.

- There's a basic difference between card numbers and identity verification. With card numbers, you (generally) don't really care about the number -- you just want the payment. With ID verification, however, many businesses have good reason to want more than just the verification result. For example, they are often subject to compliance requirements that mandate that they themselves possess or have access to the raw information. They may need or wish to perform additional checks on their side. Etc.

- The relevant UI in Identity is deliberately very clear on this points in order to avoid the assumption you're stating. The flow explicitly says "Stripe and [Business] may each use your data." Even though an end user might consider it suboptimal for the business to have their data, we still view it as an improvement to the usual status quo, where this data is frequently stored in very ad hoc fashion and without rigorous security protections.

- While many of the businesses initially building on Identity wanted access to the raw information, it may well make sense for us to enable them to restrict themselves in the future. In this world, Stripe could tell their customers that the business doesn't have access to the raw details. (This might even make sense for Stripe payments in the future.) As a philosophical matter, we consider ourselves to serve the business, which means that limiting access to what we consider to be the business's own information feels a bit strange. That said, it might sometimes be in the interests of the business to allow them to limit themselves in this fashion (especially as Stripe's brand recognition among consumers grows).

- There's a separate concern about compromise of the business's credentials leading to inadvertent disclosure of this information (a situation analogous to an S3 bucket key getting leaked). This is of general concern to us in lots of situations, not just with Identity. We have some new functionality on the way here.

> Fundamentally, Identity makes it possible to choose how much of this data traverses / is stored on your servers, just as Stripe did with card numbers.

There's a stark difference in how Stripe treats exports of card numbers versus exports of raw identity verification data. This makes it way easier, and more likely, for Stripe customers to choose to store raw identity verification information.

> With ID verification, however, many businesses have good reason to want more than just the verification result. For example, they may be subject to compliance requirements that mandate that they themselves possess or have access to the raw information. They may need or wish to perform additional checks on their side. Etc.

I acknowledge that some businesses have a need for this. But I see Discord and Clubhouse among your customer logos, and your product page talks about non-KYC use cases. Many of your customers will have access to identity documents without really needing it. That sucks for the end users of Stripe Identity, because it makes it more likely their data will be misused.

A concrete suggestion: make it possible for businesses to choose whether they have access the raw data, and expose the choice to the end user in the Stripe Identity flow. Ideally, businesses that want the raw data would be subject to security compliance requirements. This is an opportunity for Stripe to be a leader in setting high standards on how this type of data should be handled.

> A concrete suggestion: make it possible for businesses to choose whether they have access the raw data, and expose the choice to the end user in the Stripe Identity flow. Ideally, businesses that want the raw data would be subject to security compliance requirements. This is an opportunity for Stripe to be a leader in setting high standards on how this type of data should be handled.

Yes, per GP comment, I think this is a good idea. I suspect we'll do it.

It will be more ad hoc. Stripe does not decide how their client stores such data. Stripe will make asking for an ID very easy and that will vastly expand the number of businesses utilizing this method of registration.

Right now I think of Stripe as a reliable service. When one of their customer's data is breached or leaked, I don't know that everyone will still trust Stripe as a brand. News articles about such breaches won't be able to relate the nuance of who's at fault.

I'm not concerned about my online personas being linked to me. I'm concerned about making it easy for bad actors to perform identity theft en masse.

Might as well wait until anybody that can drag and drop Stripe code into their app gets as many photos of people’s IDs and faces and security questions from their users and squirrels it away into their private databases.

Once that’s done it’ll be a good time to fire off a blog post about how not doing that was always in the works and announce groundbreaking features like “basic privacy permissions for identity data “ will become default.

Maybe it’ll be a paid feature for end users?

Your identity can create new credit cards. It can take out loans. It is inherently a higher order security risk, and therefore should by default have more restrictions. I as a consumer trust Stripe to do the right thing, but I do not trust its customers. This seems to be the most reasonable stance, but yet the policy does not reflect that. I am concerned that this wedges open a really big new avenue for cybercrime without having any sort of regulations in place a-la PCI audits.

It's a security risk because of the first couple things you listed. The problem is that identity cannot be simultaneously a secret and a public identifier. As the name should suggest, identity serves a much better use as a public identifier. So we should stop treating it like a secret and start creating real infrastructure for actual secrets.

By the way, this is completely analogous to credit cards. There's a reason the industry has moved to chip cards physically and tokenized cards virtually. And that's because the card number was serving as both identity and secret, and that doesn't work. The deviation is that, in this case, we've decided to make the credit card numbers a secret which is cryptographically protected (chips) or at the very least stored in an opaque manner (tokens).

To some degree it's because there isn't much point. You can call up my home state today, pinky promise that you're me, hand over $20, and they'll ship you my birth certificate or other important documents. We don't have private keys or other kinds of unique identifiers assigned at birth, so attempts to lock it down further would lock people out of their own identities.

Scale does matter, and a breached database of identity documents is definitely worse than having to pay a nominal fee and wait a few days, but given the context of other manual labor like securing loans I'm not sure the extra ease would result in much more fraud.

https://stripe.com/docs/identity/verification-checks

[0] https://en.wikipedia.org/wiki/General_Data_Protection_Regula...

Isn’t that already true for businesses that store this data from any source?

Given the way Stripe has implemented this today, Stripe might as well be selling their business customers a <input type="file" /> tag for Driver's Licenses, because that's the level of security 99% of all business will be using around this. There's going to be Amazon S3 buckets filled up with Drivers Licenses JPEG's provided by Stripe Identity, in a few months time.

What makes you think these don't already exist? Have you ever needed provide your identity information to use a service online (e.g. a insurance service, bank, alcohol/weed delivery, crypto market, etc.)? Where do you think the identity information you provided is stored?

If you don't use these type of services, then nothing will change--stripe won't magically have all your identity info. If you do use these services maybe they'll partner with Stripe, maybe not. The only outcome I can see from this news is that it's likely there will be fewer AWS buckets with your identity info moving forward, because Stripe can do that for you now.

> As a philosophical matter, we consider ourselves to serve the business, which means that limiting access to what we consider to be the business's own information feels a bit strange.

Maybe I'm wrong , but once a customer upload the document on Stripe Identity they are supposed to be YOUR documents.

I worked in Bank as a Service , fundamentally when a customer goes through a verification process , the documents uploaded are not the owned by the partner using our APIs. They are owned by us , the Bank.

For Stripe Identity the same should have apply. Here the goal is not "Lock the Partner" but rather to protect them.

Now that discord has access to my Passport , in case of an identity theft could you tell me EXACTLY whose liable for the leak in regards to the law ?

With BaaS it's pretty clear , the Bank carry the responsibility to keep those documents safe , thus it's safer to not give access to a basic business to the raw details.

With the current API design you are offering, it's more ambigous and more prone very large leak within a business information system like Discord or Uber etc..

Those leak will happen.

Discord only has access to your passport if you upload it to them. They don't have access to it by virtue ofthem being a stripe customer.

I don't ever want to have a card number in my database or via a administration system (my own or my provider's).

So I care... but just perhaps not in quite the way you're thinking :)

I trust Stripe more than a random online forum, a dating app, or a social network, which might offer a higher quality service when people are verified. There's a high risk that the ID documents will leak from these services at some point if they get access to them. I don't want them to know who I am at all, if they don't need to know.

It would also offer a way for preventing sybil attacks on P2P networks, or help connecting to non-evil nodes on a P2P network (such as Bitcoin Lightning Network) without knowing the other person. In these cases there could be a some kind of signature generated by Stripe that could be used as an additional trust factor without centralizing the system.

Can you list some examples of the types of places where you think this property holds true and explain what you mean by "good social structure"?

> History has shown time and again that those in positions of advantage will abuse their access to information for their own gains.

What are some examples of scenarios where this has happened in relation to online identity where there have been legal restrictions in place that would have otherwise prevented it? The healthcare industry and credit card industry seem to do a pretty good job of protecting sensitive information, for example.

> Increasing the surface of your online activity trail can and will be used against you by a bad actor when the opportunity arises.

How anonymous do you think you are online? If you're not deliberately taking steps to conceal your identity, your trail is thick and clear for the people who know how to track it. And that's an actual problem: people track you even if you think you're anonymous and we have no legal protection in place to prevent abuse of data that can identify you online. If you are in a position where you need to *depend* on anonymity, you simply can't because nobody will respect your wish. So the internet operates in this grey zone where because we have no rules governing abuse of PII, everyone throws on the cloak and turns to anonymity as the answer. This degrades our ability to fight spam and makes things like strong mutual authentication very very hard to do because platform vendors can't ever expose any sort of fixed identifier because privacy. Look at the insane things Apple does: zero out your mac address when scanning for wifi networks and recently issue a new certificate for every single use so that a persistent identifier does not show up. And look at IPv6, we invented "privacy extensions" where you generate a random IP every few minutes. These hacks break functional systems because we don't understand how to regulate the internet as a society.

All that is somewhat irrelevant, though. We're talking about the identity relationship between you and a service, not necessarily "the features of interacting with the internet that can be recorded and tracked either on purpose or incidentally". Do you think your email address makes you anonymous? Again, unless you're deliberately taking steps to maintain pristine op sec with your online browsing, you identify yourself to service providers one way or another. And again, the problem is people think they're anonymous when they really aren't so they misinterpret what it means to be anonymous and its importance in good societal structure. I honestly don't see a difference between providing a service your email address or your physical address or telephone number. What's so bad about having a third party say "yeah, this person is who they say they are" and optionally "and here's the list of verified fields"? The internet is the only place where people get weirded out when someone asks for an ID. Do you not show the bar tender your ID when asked because you need to be anonymous at a restaurant? How about at the gas station, the liquor store, the axe throwing range, the DMV, the hospital, when making a purchase on a credit card, taking out a loan, etc. What real world interactions do you have that are primarily anonymous? It's not normal.

Strong identity combats spam and abuse. I would choose strong identity over spam almost every single time. I do not disagree that there are some online communities that are respectfully anonymous. But do you think e.g. Reddit is one of those? Because I do not. Regardless, you can still both a) identity check and b) run an anonymous community (and c. not store identity information). You don't have to expose the identity data in the product/community/forum itself, so nothing about making identity easier to use and more streamlined defeats the ability to operate pseudonymous services in the least. I really don't understand the "anonymity by default is good for a wholesome society" angle whatsoever.

This is a completely baseless claim, as most arguments against weak (ie pseudo) anonymity seem to be. Outside of banks, healthcare providers, and payment processors, I see little of benefit. Before bringing up any arguments that involve poor behavior or misinformation, please refresh yourself on the current state of Facebook (where nearly everyone is using their full name).

I already think twice before (and often decide against) using a service that requires my phone number. I will _never_ use Discord or Twitter (in my personal life at least) for this reason. Except for banks, liquor, and the pharmacy, I am almost certain to decline doing business rather than providing my ID.

There are many people I'm friendly with that I know little about. They could very well be giving me fake information about their life. I don't see this as a problem.

> Would you rather be given a pseudonymous name to use for the duration of your trip to the grocery store?

Well in most cases I wouldn't give anyone any name at all. Why does the grocery store require my name?

> The claim is not baseless. There are strong technical reasons why identifying the components in your system is a good thing. and there are practical social reasons.

There are also strong technical reasons not to. And there are practical social reasons not to. As far as I can tell, you've provided essentially no argument supporting this general claim:

> The internet would be a better place if there were more identity requirements

I work on a product that doesn't collect any PII. We made the decision very early on not to collect any information we don’t need because that’s literally not our business. I am deeply aware of the landscape on these topics. However, as a society we cannot run in a “normal meatspace anonymous cyberspace” mode. We need to bridge civil identity in a secure and private (those are fundamental human rights) way into the online era. That is the core focus of the product I’ve been working on. In reality people have identities whether they use them offline or online. The goal is to protect those identities so they cannot be abused, not remove them altogether.

This is false. There are many cases in real life when this is not the case as explained in the very post you just responded to.

> The burden of proof is on an anonymity advocate to demonstrate why that is harmful and should be changed.

You are making certain claims and then saying it's up to others to disprove you? If that's your attitude why are you engaging in this discussion at all?

> But it’s also not my problem if you aren’t aware of the nuances surrounding how security, privacy and anonymity work.

Frankly I don't have the energy to engage with you. Take that as you will. You clearly think you know much more than everyone here already anyway.

My point is that generally (not in all known cases) we are okay, in meatspace, (and quite familiar) with (and even require at times) exchanges that identify us whether it's putting our name on a coffee order, using a credit card to pay, signing a waiver, buying alcohol, visiting the hospital, opening a bank account, sending children to school, filing taxes, driving a car, etc. So to take the stance that anonymity is absolutely better to the point where it should be considered a fundamental human right and we should be worried about some company providing an identity verification api to online services because the whole shroud of pseudo anonymity of the internet is going to fall to pieces does require some supporting material, in the least. Otherwise it's just FUD.

> You clearly think you know much more than everyone here already anyway.

If I seem quip it's because I responded to a question asking if this API would mean we see more identity requirements because it possibly lowers the barrier to adding one with an affirmative "I hope so" and the tone of the responses has been "dude what a terrible thing to say this is hackernews doncha know anonymity is chic" followed by anectdotes about how sometimes you use an identity when doing business and sometimes you don't (so see! anonymity works). That's not a discussion it's just virtue signaling.. and it is certainly the responsibility of the virtuous (in this case those who are supporting the stance that my statement is terrible because anonymity is righteous) to back up their conviction (otherwise it is, simply, a virtue and nothing more). I've presented an argument that we needn't worry because meatspace society has figured out a good balance of security, privacy, and the occasional but rare anonymity, and it is perfectly functional so I don't think there's a qualified threat to the internet. I've described how strong identity backed security and accompanying privacy are not the same as anonymity and suggested that many people are conflating the two. And I've laid out rationale explaining that strong identity is better for security (this is not simply a "claim" if you know the first thing about security) and how if we want to see real privacy on the internet, not just the fake privacy that you get by being pseudonymous, then we need to fundamentally understand and legislate and engineer policies and systems that support such.

So far nobody has presented an argument as to why anonymity is, specifically, better than strong identity with privacy rules beyond "well sometimes you don't need strong identity for things to work so it should be the default" which is talking past me because I never made a claim to the contrary. I've backed up my assertions with the as far as I know factual evidence that identity both enables better security and deters spam (which are problems that are worse on the internet relative to meatspace). I don't know what else you want. I'm sorry my responses are laborious.

This is a pipe dream. The online world spans the globe and we can only enforce the law in our own respective countries.

And even if all countries were cooperative about enforcement, distributed communication tools already exist. The internet has always been a place where you can go to share your thoughts without worrying about what your family or friends think. I don't think that will change in our lifetime, if ever.

Anyway, the market can sort this out. If using an ID to authenticate your Twitter account makes Twitter more successful than its competitors, great! I would not count on it.

You already provide your name and phone number and email to Twitter. You already identify yourself. We're talking about making that exchange more reliable and more secure...

This sounds great -- I don't want to be handling sensitive data of users, and I don't want to give sensitive data to businesses. But I'd rather this be a separate Verification product, with different branding, docs, and UI, so users and businesses are all clear on what's happening to user data.

It's literally called "(K)now (Y)our (C)ustomer".

> They may need or wish to perform additional checks on their side. Etc.

So they get all the data in the off chance that a Stripe customer might want to do something with the data aside from the basic “yeah our large global identity verification service says this person is legit.”

I’m not super clear what a company might ”wish to” do with that data that isn’t served by the basic “this person is who they say they are” function (Does Stripe need their clients to act as guinea pigs to see if the service actually works as intended? If their mysterious black box “wishes” turn up a case where this isn’t working as intended, are your customers required to share that data with you to ensure the overall reliability of the Stripe Identity service? Or do they just get to build a database of info they get from Stripe Identity?)

> While many of the businesses initially building on Identity wanted access to the raw information, it may well make sense for us to enable them to restrict themselves in the future.

Oh nevermind, asked and answered! Just turn on the data hose to whoever has a website and will pay Stripe for identity data and maybe adjust it later if you catch some flack for this practice?

It’s kinda hilarious that the whole “people trust Stripe with their data” as part of the sales pitch as if this didn’t come across to me (a layperson) as a direct violation of that particular trust.

Businesses that do not have a legitimate reason to view my sensitive document like Passport , should not be allowed to do so.

Only authorized institutions like Licensed Payment Institution / Banks / Insurances etc... should be allowed to do so and AFTER they've been approved.

It's sad because you can tell right away that this will we be abused by Stripe's customers inadvertently. Just like Uber "God View" thats you view any customer ride...

Pretty sure the amount of "Identity Theft" or "Privacy" Scandal is going to explode with such technology available for everyone.

I don't know how a product manager at stripe could tell himself that "Yes , it make sense to give access to sensitive documents" in an age where people are seeking more privacy.

I get parent comment's totally legitimate security concerns. And businesses that have no business having my identity should surely not be asking for it. But I don't honestly understand how this has anything to do with Stripe. These businesses (which for whatever reason are asking for ID verification before doing business with you) are just using Stripes API to verify identity instead of just taking your info themselves.

Any customer giving their information presumably knows they are giving said business their identity documents, the customers might not even know that the business is using Stripe's API.

Furthermore, Stripe is ostensibly coming in here to streamline the process for business taking identity info from customers. Why - in your opinion - is it worse for consumers when these-type businesses (which ask for identity), use their own-rolled id verification than using Stripe's?

The point isn't so much using third party , we use a third party on prem.

My point is very simple : Why on earth would you let discord view my passport ? JUST WHY ?!

Those documents are very sensitive and no one should have access to them unless they have a VERY good reason to do so. PCI DSS treat "card information" like hot lava, the same model should have applied here.

Stripe should have acted as a "Trusted Party" and securely store those documents without giving access to it but just let you extract the information from it.

Thus you would been able to have uniquely identified user , backed up by government id , but you can't get access to the documents and sensitive data should have been redacted .... just like Card Number...

Again unless you are a Fintech / Financial Instituion , with a VALID in effect license , you should not have access to those documents.

And the list goes on...

Here, with this system, they could verify and keep the data regardless of what I think is going on.

There was a story on Reddit a few months back, about a bouncer who, when handed real ID cards, claimed they were fakes, and proceeded to immediately "cut them up" (so that people didn't feel any need to demand them back, since what are you going to do with scraps of an ID card?) The bouncer was actually palming the real ID and cutting up a random piece of plastic instead, and then later handing the real ID card off to the owner, who sold them on the black market. One victim of this scheme figured it out after being a victim of identity theft, as they traced back a submitted capture of the photo ID that some third-party had retained, to the one that got "cut up." The police raided the establishment, and a whole ring of people were caught up in it. It was a whole thing.

There's nothing that leads me to believe that this isn't a simple, obvious, repeatable, low-stakes, high-margin criminal business model. As such, it probably happens a lot.

I would still assume identity theft via websites being hacked is a lot more common, and likelihood is an appropriate factor when evaluating protective actions. But you make a good point about the bouncer.

As a consumer, I would expect Stripe would do the verification and give the business partner the result, but not all the data they used to get the results themselves.

I know this because we use Stripe Identity ourselves (in beta) and user's have no idea that Stripe and us are different companies.

Doesn't that imply that if there's a security breach at Stripe, that your users will blame you [too]

Most companies aren't even supposed to ask for identity papers is Stripe verifying with the passport issuer whether the country allows given their passport to some identity?

I think there should be some sort of consent system built in were when the API consumer wants to download a passport the customer gets an email with the question if they consent in them fetching a copy.

Some people at Discord now have access at the pictures of my Passport that I uploaded during the verification process because they use "Stripe Identity".

The FAQ is very clear , Stripe give you full access to those documents. It should NEVER do so.

Now the very smart people have Discord have access to my passport they can now take a 50K Loan using my documents and face-check video , social security and some fake income documents.

They can also destroy my entire life because I maintain a political blog with views they don't really like that they consider "hate speech". These are exaggerated examples , but you get the idea.

I'm concerned by this , because more and more startups are going to use it to increase the value of their userbase to reduce fraud and look more attractive for their planned exit.

In the meantime, people having access to my personal documents is going to go exponential...

Again , I'm an Architect in Banking we have 500+ Partners selling Loan for us , they have NEVER access to your documents / personal data. They can only tell if the document has been approved , income range and some basic information. You don't know what they are going to do those sensitive documents / info , even if you have contractual agreement with them.

Banking industry has had a very simple rule that everyone has been following for decade : DON'T TRUST THIRD PARTY. Stripe has decided to do otherwise I guess and I'm pretty scared about it.

Stripe Identity seems like Identity Theft as a Service.

This is a good policy when ALL first parties meet a certain (regulatory) bar. For banks, I assume that bar is "don't become insolvent" and more recently "don't lend money to terrorists."

The problem is that, as we've seen from the countless hacks in recent years, the first parties are NOT all meeting the bar when it comes to security, namely "don't leak (or abuse) users' private personal info."

And that's unfortunate, because a lot of the time, all a company really needs to know is a "does the registered account correspond (uniquely) to a real human (with certain legal characteristics)." Sometimes they need to know for compliance reasons ("our users are adults" or "aren't terrorists") and other times for uniqueness/fraud reasons ("We want to reduce spam accounts" or "we're paying users $10 to sign up and so need to make sure users aren't signing up multiple times.") It'd be great to be able to answer those questions without having to protect all that personal data that goes into answering it, similar to credit cards.

But your main point stands: if Stripe is allowing companies access to the collected data, then from a security point of view it's little better than having the companies collect and store it themselves. Hopefully Stripe explains their reasoning, or even better, course-corrects early in this launch.

Why would you upload a copy of your passport to Discord, via a third-party or not? The issue here is just trusting people you shouldn't be trusting with things you shouldn't be trusting them with.

The alternative isn't WhizzBangApp doesn't request you upload documents, the alternative is they roll their own WhizBang ID service, or use a Stripe Identity competitor.

I know my bank needs to verify my driving licence or whatever, and I tr.. well banks are heavily regulated anyway, so I'm happy to upload it without caring whether they use Stripe Identity or their own or whatever.

I know Discord has no business with my passport or whatever, so they're not getting it whatever they use under the hood.

I let my Congressperson know policy is needed about online identity service providers needing better governance over identity data, as businesses aren’t going to do it voluntarily unless the law requires. This should probably be overseen by the CFPB, even though identity is a bit of a walk from finance (while Stripe is still primarily a financial services provider).

Given the regular stream of extremely large data leaks even from providers who should have size, motivation and competency to protect that data, I find it incredibly hard to believe anyone who tries to assure me, that they won't be breached.

This is true, but it's also kind of a misleading statement; the original selling point was that you could accept credit cards without having to deal with the requirements of PCI compliance and merchant accounts, which is done (partially) by you not ever seeing the card data.

If there was similar compliance regulation around document storage, I would assume that Stripe would use "Identity-Document-Standards" compliancy as a selling point. As far as I know, there are no such requirements.

I do think your #2 point though is exceptionally valid, and would hope that the majority of Stripe keys are scoped to not even provide access to this data/endpoints.

Edit: grammar

If you want to export credit card numbers from Stripe, you can only have it transferred directly to another PCI DSS Level 1-compliant payment processor, and Stripe imposes rather strict requirements on the transfer: https://stripe.com/docs/security/data-migrations/exports#whe...

If you want to export ID documents or selfies, you can just make an API call or use the web interface. This can and will be abused.

When a hotel copies my passport, they get a jpg. If they use Stripe, now I know they have my biometrics serialized to JSON. That feels way riskier and scarier to me, especially now that it's all centralized by Stripe.

We hear about our personal data getting leaked and hacked every day, and here is Stripe making themselves an enormous target and serializing all the data for malicious actors.

This feels like a really tone deaf misstep by the company.

If not possible, I should mark the copy to the specific user.

Hmm, this doesn't really seem to me like the sort of area where you bring out a MVP and then work out basic fundamentals like this afterwards.

I’d argue that before Stripe sends any PII other than validation results to a customer, it needs to verify that the business indeed is under regulatory requirements to gather this data, and only sell the required part.

Alternatively, you could invert the process, allowing integrating businesses to send documents to Stripe, who replies if they’re legit or not.

Finally, if there is a need for sharing data with customers for e.g. KYC, shouldn’t this be priced significantly higher than verification/validation, so that Discords and Clubhouses can’t justify it from a business perspective?

What is the reasoning for doing neither of the above?

They are both toxic, IMO. Businesses need to stop relying on this stuff.

But download JSON blobs? From 10k records the hotel didn't store properly (cause they are not IT experts, or don't have experts at close hand) -- if you get in to their system the JSON is loads easier to parse than the JPEG.

Methods for KYC could(should!) be improved.

Stripe could do this differently:

1. Allow the customer to choose whether or not they need access to the evidence.

2. If customer has chosen to receive access to the evidence, the Stripe Identity UI should clearly disclose this. (And they shouldn't try to deceive users by talking about deleting biometric identifiers.)

3. Require customers with access to evidence to adhere to certain security standards, similar to how they treat exports of credit card numbers: https://stripe.com/docs/security/data-migrations/exports#whe...

Stripe could have been a leader in setting high standards on how this type of information is handled. Instead they've opted to go the easy route and maximize profits while the rest of us pay the negative externalities from identity theft.

I thought that Stripe's original selling point was that you could easily accept payments online without having to integrate with complicated bank and payment processor tech.

For example, imagine Joe Biden buys a widget from WidgetsR.us and wants it shipped to his home address of 1600 Penn Ave in DC.

    WidgetsR.us -> Fedex.com/order_XYZ/ship-to/Joe Biden at 1600 Penn Ave in DC
    WidgetsR.us <- Fedex.com "201 CREATED"

    WidgetsR.us -> Stripe.com/identity/123_joe?redirect=Fedex.com/order_XYZ/ship-to/$NAME at $ADDRESS
    Stripe.com  -> Fedex.com/order_XYZ/ship-to/Joe Biden at 1600 Penn Ave in DC
    Stripe.com  <- Fedex.com "201 CREATED"
    WidgetsR.us <- Stripe.com '"201 CREATED"'

At this point there is giant databases containing everything people need to take complete control of your identity sitting there just waiting to be hacked.

I have no idea how to change it/fix it. But it seems weird to me.

The government already operates an identity service via passports. The only reason they do not have an electronic identity service yet is because it is beneficial for them to be able to blame private actors when things go wrong.

I don't think the question GP is asking is whether or not Stripe is a good way to confirm someone's real-life identity, or whether it would be better for the government to do it. I think what they're asking why we're doing identity verification for chat applications. Is this a good direction overall for the Internet to be moving in?

I don't like the idea that I should have one real-life identity that every service I sign up for online knows, even trivial services like social networks. I would argue a world like that is abridging on people's Right to Hide (https://anewdigitalmanifesto.com/#right-to-hide)

Discord are doing it for verifying bot ownership, because bots can do a lot of damage if they're just free to sign up to Discord and start "talking" to people. A good way of omitting bad bots from the network is by verifying and tying the bot to the (verified) identity of a real person.

I run a server with 1,200 people on it - I've never needed to verify my identity. You don't need to verify your identity for using Discord.

Is it?

I am much less charitable than you about whether Discord's bot verification is intended purely for user safety or whether it's a combination of laziness and a way of slowly clamping down control over how users access the service, how it can be extended, and what services/clients can interop.

I disagree that 100 servers is a particularly large number for a popular bot to join, but more importantly I think the threat model you describe illustrates a deeper problem with Discord overall. If the issue is that bots can sign up to Discord and just start talking to people, that's a permissions issue. Why can bots do that? And why is it OK for bots to keep doing that as long as they're in fewer than 100 servers?

So sure, we can have an extremely invasive form of verification, but we could also just... not let bots join random servers in the first place. We're jumping straight to real-life identification in a system that doesn't even support granular control over invites. In my opinion Discord's moderation and user-vetting tools are basically non-existent, so I am at least a little bit skeptical about whether verification is a completely necessary tradeoff between security and privacy.

HN does quite well without requiring anything other than an IP address. So does Mastodon. And mailing lists generally have no way of knowing even that!

Pretty certain HN does way more than this.

(Of course they also have my entire post, view, and vote histories. Those are arguably far more sensitive than any PII I could possibly provide, but I seem to have developed a habit of repeatedly forcing that information on them so I guess that's on me.)

I'm saying HN do anything of this, but I doubt they only look at your IP when you're interacting with the service.

So what? It's a private network and a private service. They can have it function however they like. That's why free market economies work - people will go find something else, or demand something else, should what's available not fit their needs or they feel too restrictive.

Something like Discord can be replicated easily enough by someone with enough money and a decent engineering team. And it's not like there aren't other options already.

> I disagree that 100 servers is a particularly large number for a popular bot to join

I'm not sure what you mean by "100 servers". I guess that's the maximum amount of servers a bot can join?

There are some pretty big servers out there. If a bot can join 100 servers, and they have an average of 10,000 users, then that's literally 100,000 people that can attached with malware, scams, and more.

Are you saying that's not a problem?

> If the issue is that bots can sign up to Discord and just start talking to people, that's a permissions issue. Why can bots do that?

I don't believe they can. I believe the verification process prevents this? I could be wrong.

> So sure, we can have an extremely invasive form of verification, but we could also just... not let bots join random servers in the first place

I don't believe they can.

> ... we can have an extremely invasive form of verification ...

Is it that invasive? Is requiring people to validate their identity before introducing something that has the potential to directly address millions of people all at once really that invasive?

Should my credentials (and character, intention, etc.) by validated before I'm allowed to talk on a radio station listened to by millions of people, or is the (privately owned) radio station being, "extremely invasive" by asking me to validate who I am before they let me use their network?

> Discord's moderation and user-vetting tools are basically non-existent

There are five levels of verification you can select from, ranging from none to highest. The former requires a validated phone be added to their account.

Their moderation tools are pretty powerful. You can create roles that are flexible enough to allow you to create some pretty interesting setups.

What is it about these tools that you feel could be better?

You're commenting under a thread that proposes creating a government service to reduce the implementation costs of identity verification. When we start talking about essentially subsidizing a business practice, then this isn't really about the free market anymore.

But even if it was, criticism is a fundamental part of how the free market works. People are free to advocate against a company's policy, to publicly criticize them, to encourage people not to use them, to argue for an industry to move in a certain direction... the free market has never been a shield against the kind of criticism happening on this thread. The invisible hand of the free market isn't actually invisible, when you see people complaining about companies and making arguments about the overall direction of the market, that is the free market at work.

> Is requiring people to validate their identity before introducing something that has the potential to directly address millions of people all at once really that invasive?

In this context, yes. In a different context, maybe not. But the Internet has different social norms surrounding anonymity, and most people online aren't thrown off by the fact that they might not know the physical identity of someone who makes a website or runs a Twitter account or releases a piece of code/bot.

I think that Discord's policy runs counter to how people expect to consume content online, and I think it's reasonable to describe their request as invasive in the context of Internet norms. You're on HN right now. Does it bother you that the site hasn't asked you for your drivers license yet?

And just as a quick side note on this point, Facebook has been around for long enough that I feel like we should drop the argument that tying accounts to real-world identities inherently prevents abuse or curbs misinformation. Heck, talk radio and cable news has been around long enough that we should probably drop the argument that vetting guests in traditional settings inherently means we'll have less misinformation.

> If a bot can join 100 servers, and they have an average of 10,000 users, then that's literally 100,000[1,000,000] people that can attached with malware, scams, and more. Are you saying that's not a problem?

I think the much more interesting question in your scenario is why Discord thinks it's OK for a malicious bot to target 990,000 people. I don't think 100 servers is a particularly high limit for a popular bot or a meaningful line for when abuse becomes a problem. I don't see how identity verification solves the abuse problem overall when hackers/spammers can just create multiple bots that can target smaller numbers of servers. I think it's really weird to act like this becomes a problem at 100 servers.

> What is it about these tools that you feel could be better?

The ability to create private invites that can only be used by a single person, the ability to require users to be approved before they join your server. The ability to ban words, the ability to block links (or better, the ability to only allow links to certain domains), the ability to block bots outright from joining (what seems to be the entire reason this verification process exists), the ability to easily share blocklists between servers, the ability to hold comments from new accounts in limbo until they're approved.

Some of this can be replicated by setting up your own bots and figuring out some kind of custom role where new users jump through hoops; and that's basically what a lot of servers I run into on Discord have to do. But it's really awful and it's a bad experience and it makes moderation unnecessarily complicated for non-technical users. As a result, most servers don't really set anything up because it's time consuming, so we end up with bad defaults on most servers. And that situation doesn't have to exist. Why do I need to find a bot to ban certain words on a server? That's something that belongs in the settings in a text input. Why do I have to go through this weird song-and-dance with invite codes, why can't I add people by their account ID? Why is there no one-click setting to just block new bots from joining my server unless I specifically grant them permission?

I've joined Discord servers that have these complicated house-of-cards setups where you're entering passwords into dedicated rooms to get granted access to other rooms by moderator bots. It's really bad, moderators shouldn't have to spend hours building custom rube goldberg machine to handle new users. This is stuff that should be configurable within 30 seconds from the settings page.

You mention that you "don't believe they can" block bots from abusing servers this way. But I just do not understand what the technical problem is. If the problem is that bots are joining random servers, and if bots can join my server without my permission, give me a single checkbox somewhere in settings to turn that off.

For the same reason that Facebook required proof that you were a college student. A platform with a barrier to entry and a degree of exclusivity (but not too exclusive), will tend to have higher quality content and interactions than an anonymous forum that anybody (and anybot) can join.

Whether it's a good direction for the internet to be moving in, I have no idea. But it's certainly good business, which naturally makes me suspect it's the wrong trajectory.

Maybe not those two, but your bank does, your insurance company does, your employer does, your business partner does.

There's a lot of places where there's trust placed in a specific citizen and their identity. The "root of trust" of being a citizen is the government, it'd be nothing new really to provide that digitally.

The proof of it being doable are the governments providing electronic ID's for decade or two now. Solving those really hairy problems hundreds of millions of Americans are struggling or encumbered by daily.

Because of credit card fraud. I've run services where >5% of attempted transactions were done using stolen credit cards. So we used services that determine the risk of a transaction being fraudulent, and if the risk was too high, we required identity verification.

The alternative was to reject those transactions outright and permanently lose those customers, which is terrible when there is a false positive.

If credit card fraud is high, it doesn't matter whether you are a chat app or a bank app.

Does Discord need to know my identity, or does it need to know that my card hasn't been stolen? If it's the latter, then I'm unsure why Stripe is offering the business access to my passport/license, and I'm unsure why we would want to build a government ID system for Discord instead of a government payment system.

The proper way to do it is to either enforce 3D-Secure or offer passport as an option when 3DS is unavailable, but because ID verification is getting easier and cheaper with services such as this one, there will be no reason to spend extra engineering time to implement solutions such as this one when you can just ask for everyone's passports especially when this also allows you to use the data for marketing purposes or be able to reliably ban "undesirable" people (and "undesirable" in this case doesn't mean "bad" or "illegal", it could simply be someone who uses an ad-blocker or doesn't "engage" with dark patterns like the company wants them to).

We can't justify every architecture decision about the web via only business costs, if that was the case we'd make adblockers illegal and deprecate HTML. You need a stronger argument if you want me as a user to care about or support your business interests. If you want my support you have to show how this benefits the web overall, not just your company.

> the overall population of users on the web

You keep arguing about a non-issue. Normal users do not need to verify with Discord. It's only for bot owners of popular bots to prevent the widespread abuse Discord saw.

https://news.ycombinator.com/item?id=27505905

The linked comment is incorrect to say that Discord only requires verification for specific permissions, Discord requires verification for bots who are in more than 100 servers regardless of what permissions they use. I think it's fairly obvious that verification for Discord bots is going to gradually expand and encompass more of the service, but maybe I'm just cynical from watching other companies do the same thing with their identity verification schemes.

More importantly, I disagree that identity verification is the best way for Discord to combat abuse. I think that Discord's moderation tools and server settings are lackluster. At best, I think identity verification is a an easy way for them to avoid improving those tools, at the cost of user privacy.

I don't think your comment changes anything about what I'm saying in regards to Discord, but regardless, I also want to point out that it's not just Discord we're talking about: we are seeing a trend towards more services online requiring real-world identities. So we can fight over whether Discord in specific should be grouped in with that trend (I think it should be), but even if you disagree on that point, it still seems pretty clear to me how Stripe's service is going to be used in the future. Do you feel identity verification is also a non-issue for services like Clubhouse and Facebook?

I think the fact that Stripe is advertising both Discord and Clubhouse as early partners says a lot about the types of services they think are going to be attracted to their product.

Am I entitled to alternatives that do not verify identity? Maybe the operating costs are too high?

The "we" in this context (ordinary users) also comprise the majority of voters and regulators who will ultimately decide how the system you propose is built and what restrictions it will have; and that is a group that is not solely motivated by your business interests -- so it is kind of important for you to be able to convince them that your system benefits them, and not just a few businesses.

Why should a Congressperson vote to build the system you propose instead of introducing a harsh privacy law that restricts which businesses are allowed to collect identification?

We're already living in a world where you have to "login with Facebook" to do many things, but at the very least you can currently still create a fake account if you have no other option. If reliable identity verification starts becoming commonplace, that option goes away.

1. I don't trust my government to have better security than anybody else.

2. I'm worried that I would lose the ability to opt out of a government-provided IaaS. Unlike Stripe, and I can't avoid using the government even if I try really hard. They already have my identity, so my privacy is dependent upon whatever their current policy happens to be. I do not trust unknown future administrations not to sell my data to the highest bidder.

3. The U.S. government has an... uneven track record delivering services and software, especially when there is no competition.

Those are my anxieties: what are the advantages to this approach that I'm not seeing?

It is all the same reasons the government does not outsource issuing of passports. It needs to be from an official source with legal protections.

The government (in the US at least) does offer some form of identity services like everify for employment.

The government is using 2FA SMS as your identity (for government services themselves), effectively offloading their liability into the mobile operators. But not really, because the mobile operators are not liable either. So as a little person, you are screwed all around.

If the government were to make an electronic identity, which it needs to for its own services, it might as well be accessible for all so you do not have to trust private businesses with it.

Agreed. An example: https://www.realme.govt.nz/

Misc governments already operate 1,000s of identity, credentialing, and licensing services.

Wouldn't it be great if profiles on DoorDash, Yelp, Hotels, etc. were required to be linked to IRL identities and licenses?

If DoorDash has a fake profile for D111af5ccf's Divine Donuts, is that not a crime? Impersonation, fraud, theft of IP, etc.

Again, how does authenticity conflict with free speech?

Examples, please.

To make it even more complicated, regulators often hold contradictory views. They want to see increased safety, but in the same breath will announce actions against companies for violating privacy. This is a super-difficult balance to strike.

Specifically for Stripe, I trust them. So if I see that a new start-up is using them rather than rolling their own solution, that increases my trust. But it means there is now a big giant server in the cloud with millions (billions?) of identity documents that is worth a lot of money for hackers.

Note that Stripe allows their customers access to the "captured images of the ID document, selfies, extracted data from the ID document, keyed-in information"[1]. So you still have to trust any company using Stripe not to download, store, and later leak your personal information, and you also have to trust them not to let their Stripe API token be compromised and exploited by identity thieves.

[1] https://support.stripe.com/questions/managing-your-id-verifi...

The problem with this is that the user isn't trusting Stripe today, they are trusting Stripe today, and all future Stripe managers and owners until the user dies and no longer cares. That's a big bet! Bad CEOs and sales happen.

Has anyone told you they are really happy about it? I haven't heard someone say that. Most users have no idea about it.

[1] https://stripe.com/global

[2] https://stripe.com/docs/acceptable-verification-documents

Kind of like IRC? Which is basically what Discord is. Why would you assume anything you put on the internet isn't part of the permanent public record? (Wait until you find out about mailing lists, Reddit mirrors, the Internet Archive, ...)

(Aside: The only halfway sane solution to this is having separate disconnected identities for each service you use and cycling them semi-regularly so you don't need to worry too much about small identifying details being aggregated.)

One, Discord is still primarily used by underage people.

Two, most Discord guilds are not public, this was a case of malicious bots. If you install an app on your phone, is your expectation automatically that it will skirt all App Store rules and dump the contents of your phone on the internet? I hate people that obsessively archive everything, but even I can see the case for IRC being expected to be public. Especially without SSL enforcement on a channel. Discord does not work like that at all. You are advocating for a treasure trove for the likes of Kiwifarms. (Which is exactly how dis.cool ended up being used, as a stalking tool)

Three, the people who say “every litte piece of info on the internet becomes part of the public record, be careful” are also the ones doing the archiving. Nobody else cares enough. Stop doing it. Not everything is worth preserving only because you are a data hoarder. I’m happy you think you’re building the library of alexandria, just make sure it’s not built out of piles of shit and PII.

If it was technically feasible to permanently record every public place outside the internet and make the recordings available to everyone, would you be in favor of that too? Just because the internet makes that technically feasible doesn't mean it's a good idea.

Many of them, perhaps. Certainly not all of them. That's irrelevant because there are a great many more who aren't necessarily saying much of anything but are logging everything. There are clear business and governmental (ie surveillance) use cases for such data so it's more or less guaranteed to happen en masse.

> most Discord guilds are not public, this was a case of malicious bots

Apologies, I don't actually use Discord and (based on this and a few other comments here) have realized that the term "bot" is being used in a very nonstandard manner. It seems that Discord "bots" are server side apps that can be launched (ie used) by other people. Using such bots to scrape private channels that the author doesn't otherwise have access to is indeed highly malicious and not to be expected or tolerated. (Of course one could wonder why such bots were permitted unrestricted communication with the outside world in the first place. Does Discord lack even a basic permission system?!)

Still, if you choose to run unverified code provided by an unknown party you should fully expect to be exploited to the maximum extent possible. It's really no different than installing arbitrary browser extensions or running arbitrary binaries that you found on the internet.

For some additional context, Discord bots aren't that far off from IRC bots.

You invite a bot to your server, you give the permissions and channel access you want it to have, and it receives various events over the web gateway such as "Message Received" of which the bot developer can use to build elaborate command systems and various other features.

Prior to the must-be-verified limit of 100 guilds, Discord had a serious issue with scam bots that would mass-message users promising free bitcoin or "insert free thing here", and usually one the "steps" was adding the bot to an additional guild. This resulted in the bot quickly cascading past 100 guilds within a matter of hours before Discord support had even noticed the problem.

Once joined to the additional guild, it would scrape as much of the server content as it could and usually dump it on some sort of "discord user tracker" platform.

On top of preventing joins past 100 guilds, verification is also required for some sensitive capabilities such as querying the entire member list.

This has some other unfortunate side effects (user tokens can't be used for bots, third party clients are a risk), but unfortunately the only way to really curtail this behavior. Privacy is not something easily understood, especially for people outside tech that just want to be around their friends during the pandemic, do not be blind for this. Technology can't be the sole component of solving this issue, so I'm glad Discord is committed to legally perusing those that misuse their API.

> (user tokens can't be used for bots, third party clients are a risk)

... how convenient. So sorry, but we need to restrict what you can do for your own protection. Where have I heard that one before?

> Privacy is not something easily understood

"Privacy" isn't what needs to be understood here. "Don't run arbitrary code" is what applies; it applies everywhere whether you like it or not.

The bots provide a function for the "server" and the server operator. That's like saying "Why not just provide a system for users to opt out of ChanServ/NickServ".

You don't say. Go to a random Discord server and you will see how bots are used. Your solution makes no sense and would kill most of the current use cases.

Re: Age Verifications on Google & YouTube: this has been covered well elsewhere. Google is required to do so by EU law. Blame regulators not the companies.

If it's limited to only people receiving payments, then it's far more reasonable than what I thought was happening (eg. people getting randomly asked for ID scans to use their service).

But I can say that I'm in... about 10 servers as a user and have a couple of bots I hacked together for various things operating in 3 of them and have never been asked for anything but my email. And across all the people I know using Discord, I was totally unaware that they even did that sort of identity verification because it seems like no one I know's ever run into it.

No. This is something we’ve become dangerously desensitized to.

Is bot spam rampant on discord or something? Are less invasive forms of verification (eg. SMS, credit card, or requiring a deposit) not enough? Can it not be solved via technical means? eg. requiring users to opt-in before receiving messages from a bot?

> And shipping services use Identity when a user is suspected as a fraudster—to double check before creating fraudulent shipping labels.

Yet I can buy hundreds of dollars of goods off amazon (or any other e-commerce site) without uploading my ID and giving them a live video feed of my face.

For both of these use cases, I don't doubt that ID verification provides benefit, I just find the privacy tradeoff to be unacceptable. As an analogy, a store can probably cut down on shoplifting if they performed ID checks at the entrance and kept a visitors log, but I think most people would find that unnecessarily intrusive and would refuse to patronize that store.

It definitely is. If you don't turn off DMs from all the public servers you're in you'll inevitably be hit with the crypto spam bots.

There's also the issue of bots silently sitting on servers and logging all chats, user statuses, etc.

> bots silently sitting on servers and logging all chats

Anyone who thinks this isn't happening in every public communication channel is hopelessly naive.

The ones that aren't marked as bots and wouldn't have their identify verified anyway?

This doesn't seem like it works.

Careful there, mate. This is just another form of the infamous "Nothing to hide" fallacy.

https://en.wikipedia.org/wiki/Nothing_to_hide_argument

See also: https://news.ycombinator.com/item?id=27503674

Some years ago I worked on a system let banks do identity assertions with proofs via SAML attributes instead of sharing customer PII. It is now a federation of banks in wide use for govt services in Canada. The use cases were really limited because the federation partners were too conservative to extend the identity services to relying party consumer applications real people actually wanted to use, and institutional sales cycles meant product feedback was glacial, so it has existed for over a decade in this relative backwater of gov-tech. I think identity companies have mostly failed to get traction because of a terminal lack of consumer sexiness, whereas Stripe has the jelly.

Other companies in the identity space have been working on protocols and platforms, but none of them had a user base to extend an identity federation services into, which means they have never been able to make a real or viable product, just interesting techs. An internet payment provider with young consumer traction getting into identity is a Very Big Deal.

It's going to position Stripe to knock out a lot of retail banks who can't offer similar services. Imo, this could make them bigger than Apple.

But despite paying over £20 a user for each verification they only got one or two banks to join, and the scheme was a disaster.

E.g. when I registered for Covid vaccine I logged in using my bank login.

There are other ways to do it too but since I already had an account in a participating bank I didn’t bother looking into them.

I don’t know if banks earn anything from it. I’d be surprised if they did.

I work for a major US Bank and they are most definitely monetizing KYC data, in fact we have made several billion dollar acquisitions just to scoop peoples data.

What I see is that Stripe doing IAM for platforms and services that people use daily sets them up to dominate retail and small business banking services if they wanted to go there.

See this page:

https://services.securekeyconcierge.com/cbs/saml/login?l=1&l...

The way the service works by getting permission from you, the user, to share some part of your identity with the destination and you can chose what you share. You could pick for example just to share name and not DoB.

The one reason I hate this otherwise superbly designed service and refused to use it is that is has a dark pattern where it creates a "SecureKey / Verified.Me Concierge Account" for "you" when you use it and starts proxying/pre-emptying the bank-login-as-verification process.

WHICH IS STUPID AND SCAMMY IF YOU ARE READING THIS VERIFIED.ME, THIS IS DARK PATTERN BEHAVIOR AND IT IS NOT RIGHT OR FAIR

/start rant

From my perspective, the whole point is - inhale - "I sorta trust my bank because I have to so I will log on to them so that they can vouch for me but I definitely don't trust you so why are you being a dick and making me make an account with your service that I don't trust and will never trust" - exhale

Just let the bank vouch for me each time, this is what I expect a reasonable and non-scammy service provider to do. Don't wait till you have my info then tell me, hey, I will make an verified.met / secureconcierge account for you so that <insert your preferred monetization rationale here> before you do what you promised to do.

I get the idea that they want to consolidate a profile so that you can pick what to share without entering it each time but they way it is done right now feels really slimy.

/end rant

Similar to Stripe, SecureKey currently offers an analysis service for photo ID that looks for anomalies and calls them out. The next version of the service integrates with provincial records to concretely confirm validity.

How would Stripe solve something like this?

That doesn't matter.

2. Any biometric identifiers that are created to perform the verification are never stored or retained—they are fully removed from all of our systems within 48 hours (usually within minutes).

More on this at https://support.stripe.com/questions/managing-your-id-verifi....

That doesn't make me feel a lot better. :( The images are enough to generate biometric data such as facial recognition profiles.

It's simply not legal to "not keep records" if you are running payments.

If you ran a payment to "O Bin Laden" but you have a driver's license picture showing that it is Oscar Bin Laden, from CA, DoB 2001, you'd better keep all that information for your records in case you get audited for potential OFAC violations.

> all images captured, extracted data from your ID document including name, date of birth, and ID number, and any information submitted via forms such as name, date of birth, SSN, email, and phone number, and the verification response.

How do you foresee that consent working if your product is used in account recovery flows?

For example, imagine if Steam adopted Stripe Identity as their only way to allow people with $$$$ worth of games to recover hacked accounts. If the user's only choice is to "consent" or lose their valuable account, that makes the "consent" something of a joke.

I'd be interested to hear how you plan to square that circle!

Does Stripe have a legal contract with users that says something to the effect of "if it does 1 and 2 above (by mistake or by choice doesn't matter) - that they will be liable for it". If not, all the support documents and technical security documentation is moot. I want to see "skin in the game" by Stripe. If you're so sure about "security" sign a legal contract.

Trust and goodwill is enough to get me to consider a service, not enough to sign up.

Also, data outlives management regimes. Eventually, any data set that can be used will be used.

For example: KYC is a core use case for identity, which requires us to retain ID information for audit purposes.

For businesses who don’t need to keep the ID for as long, we provide a deletion API that lets them automatically delete the IDs from our system.

They could be charging you AND creating an international ID database.

And frankly, if Stripe is offering any form of credit, it's likely working with the credit unions too.

The only way i would trust such a thing is if i have complete control over my data and how it's used (that's probably never gonna happen from a for-profit imo)

    The electronic identity cards of Austria, Belgium, Estonia, Finland, Germany, Italy, Liechtenstein, Lithuania, Portugal and Spain all have a digital signature application which, upon activation, enables the bearer to authenticate the card using their confidential PIN. Consequently they can, at least theoretically, authenticate documents to satisfy any third party that the document's not been altered after being digitally signed. This application uses a registered certificate in conjunction with public/private key pairs so these enhanced cards do not necessarily have to participate in online transactions.

Yet I've never seen any company use it. Everyone uses slower, more expensive private services that don't ask any questions about what you're going to do with the data they collect.

I am too, but that's not an endorsement. And more pertinently, that is nowhere nearly enough.

Every database of value tends towards uncontrollable sharing over time. The more available and more valuable it is, the harder it is to fight that trend.

The best thing for humanity is to stop making high-value data hordes like this. Unfortunately, the interests of smaller groupings are the reverse.

If there was, all black-hats would be coming from Ivy League schools. They’re not.

Nor is there a correlation between Stanford degrees and wanting to write secure code.

After that they have: my face, copy of my passport, my voice, my phone number, my IP (unless I'm really going out of my way to obfuscate it), my email, etc.

Once I did this, then the series of documents to sign using Docusign came in.

That was the most serious KYC/AML I've ever seen.

I don't like it much but I gotta say: I can definitely see how it raises the bar for would be scammers/impersonators.

MasterCard and their "True Name" program did a good thing there.

As more commerce moves online, Stripe Identity was built to significantly reduce the number of organizations and humans that would touch your ID—in a faster, secure way that’s hosted by Stripe (https://support.stripe.com/questions/common-questions-about-...).

We are also very direct about collecting consent: https://support.stripe.com/questions/common-questions-about-....

And as we've all come to know the distinction between "able to surveil" and "collect it all" crosses a threshold to make it of a different kind.

If one's mindset is that in general, tech companies, unlike those other entities store it all, then there actually is a recent "trend" to migrate a normal behavior into an abnormally socially adjusted space.