
Considering that Stripe was originally known for letting websites accept credit card payments without seeing your credit card number, one might assume that Stripe Identity only allows websites to see the verification result, and not your selfies and scans of your identity documents.

That would be an incorrect assumption. Per https://support.stripe.com/questions/managing-your-id-verifi... customers of Stripe Identity have API access to "captured images of the ID document, selfies, extracted data from the ID document, keyed-in information, and the verification result".

Thus, when you use Stripe Identity to verify your identity, you have to trust that:

1. The website doesn't download, retain, and later leak your selfie and identity information.

2. The website's Stripe API token isn't compromised and exploited by identity thieves to access your selfie and identity information.

Stripe appears to be leaning heavily on their claim that they don't disclose "biometric identifiers" to websites and that these "biometric identifiers" are deleted from their systems within 48 hours. This is extremely deceptive considering that biometric identifiers can be reconstructed from the selfie.



(Stripe cofounder.)

> Considering that Stripe was originally known for letting websites accept credit card payments without seeing your credit card number, one might assume that Stripe Identity only allows websites to see the verification result, and not your selfies and scans of your identity documents.

A few points:

- Fundamentally, Identity makes it possible to choose how much of this data traverses / is stored on your servers, just as Stripe did with card numbers.

- There's a basic difference between card numbers and identity verification. With card numbers, you (generally) don't really care about the number -- you just want the payment. With ID verification, however, many businesses have good reason to want more than just the verification result. For example, they are often subject to compliance requirements that mandate that they themselves possess or have access to the raw information. They may need or wish to perform additional checks on their side. Etc.

- The relevant UI in Identity is deliberately very clear on these points in order to avoid the assumption you're stating. The flow explicitly says "Stripe and [Business] may each use your data." Even though an end user might consider it suboptimal for the business to have their data, we still view it as an improvement to the usual status quo, where this data is frequently stored in very ad hoc fashion and without rigorous security protections.

- While many of the businesses initially building on Identity wanted access to the raw information, it may well make sense for us to enable them to restrict themselves in the future. In this world, Stripe could tell their customers that the business doesn't have access to the raw details. (This might even make sense for Stripe payments in the future.) As a philosophical matter, we consider ourselves to serve the business, which means that limiting access to what we consider to be the business's own information feels a bit strange. That said, it might sometimes be in the interests of the business to allow them to limit themselves in this fashion (especially as Stripe's brand recognition among consumers grows).

- There's a separate concern about compromise of the business's credentials leading to inadvertent disclosure of this information (a situation analogous to an S3 bucket key getting leaked). This is of general concern to us in lots of situations, not just with Identity. We have some new functionality on the way here.


Thanks for your reply.

> Fundamentally, Identity makes it possible to choose how much of this data traverses / is stored on your servers, just as Stripe did with card numbers.

There's a stark difference in how Stripe treats exports of card numbers versus exports of raw identity verification data. This makes it way easier, and more likely, for Stripe customers to choose to store raw identity verification information.

> With ID verification, however, many businesses have good reason to want more than just the verification result. For example, they may be subject to compliance requirements that mandate that they themselves possess or have access to the raw information. They may need or wish to perform additional checks on their side. Etc.

I acknowledge that some businesses have a need for this. But I see Discord and Clubhouse among your customer logos, and your product page talks about non-KYC use cases. Many of your customers will have access to identity documents without really needing it. That sucks for the end users of Stripe Identity, because it makes it more likely their data will be misused.

A concrete suggestion: make it possible for businesses to choose whether they have access to the raw data, and expose the choice to the end user in the Stripe Identity flow. Ideally, businesses that want the raw data would be subject to security compliance requirements. This is an opportunity for Stripe to be a leader in setting high standards on how this type of data should be handled.


Appreciate your feedback. On the first point, limitations on what the secret key can access are coming very soon.

> A concrete suggestion: make it possible for businesses to choose whether they have access to the raw data, and expose the choice to the end user in the Stripe Identity flow. Ideally, businesses that want the raw data would be subject to security compliance requirements. This is an opportunity for Stripe to be a leader in setting high standards on how this type of data should be handled.

Yes, per GP comment, I think this is a good idea. I suspect we'll do it.


+1 on being able to choose. I’m building a personal finance app right now, and where I can I’m choosing to not ingest or retain sensitive data. While the origin of this is scratching my own itch, I suspect that I’ll get better traction if I can overtly say I’m not collecting data I don’t need or holding onto it for longer than you want me to. I’d love to be able to just get a Boolean back.


Here we go, online IDs. It seems inevitable that some entity will leak this data at some point. Then what?


Businesses collecting identity information is nothing new. Somebody like Stripe putting a concerted effort out there to make it more secure and improve the experience so that identity information is stored in a less ad-hoc way is a win and will reduce the odds of some catastrophic leak. If you are only worried about identity leaks now then you are simply miscalibrated on your assumptions about the nature of online identities. If you are seriously this worried, then you probably shouldn't be using the internet for anything.


> so that identity information is stored in a less ad-hoc way

It will be more ad hoc. Stripe does not decide how their client stores such data. Stripe will make asking for an ID very easy and that will vastly expand the number of businesses utilizing this method of registration.

Right now I think of Stripe as a reliable service. When one of their customer's data is breached or leaked, I don't know that everyone will still trust Stripe as a brand. News articles about such breaches won't be able to relate the nuance of who's at fault.

I'm not concerned about my online personas being linked to me. I'm concerned about making it easy for bad actors to perform identity theft en masse.


I'm not sure you understand. When a business needs your ID to do business, they ask you for it and store it in their infrastructure. This already happens today. Nothing Stripe is doing necessarily changes this. Stripe is simply providing a streamlined mechanism by which businesses can fulfill their KYC requirements and obtain this information. And now they have the choice to continue to store it in their infrastructure or look it up via the API as needed. If somebody breaches Wells Fargo and dumps all the identity info of their customers, clearly Wells Fargo is at fault. Nobody will care if the entry form where they put their info in when they signed up for a bank account was hosted by Stripe and white labeled by Wells Fargo, or if there was a permission box that popped up from Stripe asking if you'd like to allow Wells Fargo access to your info, or if it was simply hosted by Wells Fargo. I don't see the problem here.


I get it. No need to say I don't. Streamlined means more companies will ask you for such identification. Eventually Stripe will be part of a news story about a data leak. I imagine they've already factored this in and decided it's worth it, due to requests they've been getting from customers. Essentially, if they don't do it, someone else will. Personally I think they should let someone else do it, or break it into another company, but that's not my call.


I disagree a bit on this. Looking at previous data breaches, when something like an S3 bucket gets hacked, the news is not going to be about how Amazon is responsible for company X's data breach but about how company X's servers got hacked. Stripe, like AWS, is the infrastructure; the onus is on a company to ensure their infrastructure security as it can be an existential risk. A philosophy of Stripe's is that they succeed when their customers succeed, so I'd like to think that they have a shared interest in trying to prevent their customers being breached as much as possible.


You may be right about how breaches are received in the news by people. It may depend on how they roll it out. I'm sure Stripe will do their best to help clients secure their customers' data. At the end of the day, though, it seems inevitable that breaches will occur.


It’s great that you think that limiting the firehose-style wild-west dissemination of people’s identity data might be a good idea and I have good feelings about your suspicions, I suspect they might be well founded.

Might as well wait until anybody that can drag and drop Stripe code into their app gets as many photos of people’s IDs and faces and security questions from their users and squirrels it away into their private databases.

Once that’s done it’ll be a good time to fire off a blog post about how not doing that was always in the works and announce groundbreaking features like “basic privacy permissions for identity data “ will become default.

Maybe it’ll be a paid feature for end users?


Fully agree here - I would say that I am a bit shocked at the lack of regulation regarding access to people’s identity documents as compared to credit cards. Credit/debit cards are your money, and there’s an entire network of both regulations and intermediaries working against fraud in this space.

Your identity can create new credit cards. It can take out loans. It is inherently a higher order security risk, and therefore should by default have more restrictions. I as a consumer trust Stripe to do the right thing, but I do not trust its customers. This seems to be the most reasonable stance, but yet the policy does not reflect that. I am concerned that this wedges open a really big new avenue for cybercrime without having any sort of regulations in place a-la PCI audits.


> Your identity can create new credit cards. It can take out loans. It is inherently a higher order security risk, and therefore should by default have more restrictions.

It's a security risk because of the first couple things you listed. The problem is that identity cannot be simultaneously a secret and a public identifier. As the name should suggest, identity serves a much better use as a public identifier. So we should stop treating it like a secret and start creating real infrastructure for actual secrets.

By the way, this is completely analogous to credit cards. There's a reason the industry has moved to chip cards physically and tokenized cards virtually. And that's because the card number was serving as both identity and secret, and that doesn't work. The deviation is that, in this case, we've decided to make the credit card numbers a secret which is cryptographically protected (chips) or at the very least stored in an opaque manner (tokens).


> I would say that I am a bit shocked at the lack of regulation regarding access to people’s identity documents as compared to credit cards.

To some degree it's because there isn't much point. You can call up my home state today, pinky promise that you're me, hand over $20, and they'll ship you my birth certificate or other important documents. We don't have private keys or other kinds of unique identifiers assigned at birth, so attempts to lock it down further would lock people out of their own identities.

Scale does matter, and a breached database of identity documents is definitely worse than having to pay a nominal fee and wait a few days, but given the context of other manual labor like securing loans I'm not sure the extra ease would result in much more fraud.


It's supposed to work in quite a few countries, and not all make it so easy. Given the requirement in my country for ID when obtaining any other ID, I'm actually puzzled about what happens if you lose everything.

https://stripe.com/docs/identity/verification-checks


For me, the general process would require a police report for lost/stolen ID (mandatory, so that it can be marked as lost/stolen so that it would be detected if someone tries to use it) and verification with the data they have on file - nowadays with EU biometric IDs they can be quite sure that I'm the same person as the one who got the previous ID as the face and fingerprints can be verified.


There's an honor system in many places. You sign a document stating you are who you say you are, and have it witnessed by someone who is "deemed trustworthy" - local police, teacher, clergy.


When Stripe handles the data of residents of the European Economic Union it is subject to the General Data Protection Regulation [0].

[0] https://en.wikipedia.org/wiki/General_Data_Protection_Regula...


Just from an end user POV, would I be able to request from Stripe logs of metadata about which type/how much of my personal data has been shared with the companies?


> Ideally, businesses that want the raw data would be subject to security compliance requirements.

Isn’t that already true for businesses that store this data from any source?


No. Unfortunately, most businesses in the US are not under any compliance requirements or regulations around identification. Certain states have special rules (like California I think?) but in most places US businesses can generally do anything they want with an ID card or relevant information, so long as they don't impersonate you or commit a crime with it.

Given the way Stripe has implemented this today, Stripe might as well be selling their business customers a <input type="file" /> tag for driver's licenses, because that's the level of security 99% of all businesses will be using around this. There are going to be Amazon S3 buckets filled up with driver's license JPEGs provided by Stripe Identity in a few months' time.


> There are going to be Amazon S3 buckets filled up with driver's license JPEGs provided by Stripe Identity in a few months' time.

What makes you think these don't already exist? Have you ever needed to provide your identity information to use a service online (e.g. an insurance service, bank, alcohol/weed delivery, crypto market, etc.)? Where do you think the identity information you provided is stored?

If you don't use these types of services, then nothing will change; Stripe won't magically have all your identity info. If you do use these services, maybe they'll partner with Stripe, maybe not. The only outcome I can see from this news is that it's likely there will be fewer AWS buckets with your identity info moving forward, because Stripe can do that for you now.


Putting my lazy developer hat on for a second here… I think I would choose to store the Stripe Identity token in my db and then pull the JPEGs on demand from Stripe's API. Saving the image to S3 would be additional work, and well, I'm a lazy developer.
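The approach several commenters circle around (the cofounder's "choose how much of this data traverses / is stored on your servers", the personal-finance developer's wish to "just get a Boolean back", and the "store the token and pull on demand" comment above) comes down to an allowlist at the webhook boundary. The block below is an added illustration for this thread, not code from any commenter and not Stripe's SDK or schema: the event layout and every field name in `SAMPLE_EVENT_DICT` are constructed assumptions, and a real integration would map the provider's actual verification object onto `RETAIN_PATHS`.

```python
"""Allowlist projection for an identity-verification webhook result.

Added illustration, not Stripe's code or schema. SAMPLE_EVENT_DICT is a
constructed payload: its field names are assumptions chosen to resemble a
verification-session object, not the provider's actual API.
"""
from __future__ import annotations

import json
import re
from typing import Any

# Dotted paths the business keeps. Everything else is dropped before the
# record touches a database or a log line.
RETAIN_PATHS: set[str] = {"id", "status", "created", "last_error.code"}

# Key names that signal raw identity material (images, file references,
# extracted document fields). The guard below refuses to persist a record
# containing any of them, even if someone widens RETAIN_PATHS by mistake.
RAW_IDENTITY_KEY = re.compile(
    r"document|selfie|image|file|id_number|dob|date_of_birth|address|"
    r"first_name|last_name|verified_outputs",
    re.IGNORECASE,
)

# Constructed sample webhook body (NOT a real provider payload).
SAMPLE_EVENT_DICT: dict[str, Any] = {
    "id": "vs_constructed_001",
    "status": "verified",
    "created": 1622505600,
    "last_error": None,
    "verified_outputs": {
        "first_name": "Example",
        "last_name": "Person",
        "dob": {"day": 1, "month": 1, "year": 1990},
        "id_number": "000000000",
    },
    "document": {"front": "file_front_constructed", "back": "file_back_constructed"},
    "selfie": {"selfie": "file_selfie_constructed"},
}
SAMPLE_EVENT = json.dumps(SAMPLE_EVENT_DICT)


def project(payload: dict[str, Any], paths: set[str]) -> dict[str, Any]:
    """Return a new dict holding only the allowlisted dotted paths.

    Paths whose intermediate node is missing, null, or not a dict are
    skipped, so a null `last_error` simply yields no `last_error` key.
    """
    out: dict[str, Any] = {}
    for path in sorted(paths):
        parts = path.split(".")
        node: Any = payload
        for part in parts:
            if not isinstance(node, dict) or part not in node:
                node = None
                break
            node = node[part]
        if node is None:
            continue
        cur = out
        for part in parts[:-1]:
            cur = cur.setdefault(part, {})
        cur[parts[-1]] = node
    return out


def contains_raw_identity(obj: Any) -> bool:
    """Recursively report whether any key looks like raw identity data."""
    if isinstance(obj, dict):
        return any(
            RAW_IDENTITY_KEY.search(key) is not None or contains_raw_identity(value)
            for key, value in obj.items()
        )
    if isinstance(obj, list):
        return any(contains_raw_identity(item) for item in obj)
    return False


def handle_verification_event(raw_body: str) -> dict[str, Any]:
    """Parse a webhook body and return the minimal record to persist.

    Raises if the projection still carries raw identity fields; failing
    closed here is what keeps a widened allowlist from leaking into storage.
    """
    event = json.loads(raw_body)
    record = project(event, RETAIN_PATHS)
    if contains_raw_identity(record):
        raise ValueError("projected record still contains raw identity data")
    return record


if __name__ == "__main__":
    print(handle_verification_event(SAMPLE_EVENT))
```

The retained `id` is the pointer the "pull on demand" commenter would store; note that it bounds only what the business persists, not what its API credential can reach, which is why the separate point about restricting what the secret key can access still matters.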


Depending on where you're located, there is a responsibility to only take information you require.

I get your point, but you seem to be implying this data is captured without the customer being aware. That will not be the case, surely.


Hey Patrick,

> As a philosophical matter, we consider ourselves to serve the business, which means that limiting access to what we consider to be the business's own information feels a bit strange.

Maybe I'm wrong, but once a customer uploads the document on Stripe Identity they are supposed to be YOUR documents.

I worked in Bank as a Service; fundamentally, when a customer goes through a verification process, the documents uploaded are not owned by the partner using our APIs. They are owned by us, the Bank.

For Stripe Identity the same should apply. Here the goal is not to "lock the Partner" but rather to protect them.

Now that Discord has access to my Passport, in case of an identity theft could you tell me EXACTLY who's liable for the leak in regards to the law?

With BaaS it's pretty clear: the Bank carries the responsibility to keep those documents safe, thus it's safer to not give a basic business access to the raw details.

With the current API design you are offering, it's more ambiguous and more prone to very large leaks within a business information system like Discord or Uber etc.

Those leaks will happen.


> Now that Discord has access to my Passport, in case of an identity theft could you tell me EXACTLY who's liable for the leak in regards to the law?

Discord only has access to your passport if you upload it to them. They don't have access to it by virtue of them being a Stripe customer.


Do you verify when a business downloads our identity documents from your servers that they're only doing so to meet regulatory requirements? What promise do we have you're not just making it as easy as possible to obtain drivers licenses, passports, birth certificates, etc. so that every little monster who has something we want will start making it a requirement? Have you considered how your service might impact trans people or undocumented citizens?


> With card numbers, you (generally) don't really care about the number -- you just want the payment.

I don't ever want to have a card number in my database or via an administration system (my own or my provider's).

So I care... but just perhaps not in quite the way you're thinking :)


There are many use cases where it's enough to verify that the user is an actual person, and also to prevent the same person from having multiple accounts. So, it would make sense that Stripe verifies the person, but keeps the details from the business itself.

I trust Stripe more than a random online forum, a dating app, or a social network, which might offer a higher quality service when people are verified. There's a high risk that the ID documents will leak from these services at some point if they get access to them. I don't want them to know who I am at all, if they don't need to know.

It would also offer a way of preventing Sybil attacks on P2P networks, or help connecting to non-evil nodes on a P2P network (such as Bitcoin Lightning Network) without knowing the other person. In these cases there could be some kind of signature generated by Stripe that could be used as an additional trust factor without centralizing the system.


One of the points brought up by privacy folks in review of Apple’s plan to have your ID in your digital wallet is that the mere convenience of allowing access to ID may create ID requirements for users where none existed before, which is a loss for privacy. Do you think that Identity is going to create such new requirements?


I sure hope so! Anonymity is not a fundamental human right, it is a tool that should be used sparingly and only when the situation is appropriate (whistleblower, for example). The internet would be a better place if there were more identity requirements SO LONG AS companies are not legally allowed to sell or transmit that information to advertisers or other third parties without explicit opt-in consent, ideally on a per-use basis. Or simply at all. If easier access to online identity systems means we as a society turn focus on legal ground rules governing how that data is treated and used, then we'll be in a really good position (: I'm excited.


What a terrible, broad statement to make, and on an anonymous forum of all places. There are plenty of places where default anonymity makes a lot of sense and it is important to a good societal structure. History has shown time and again that those in positions of advantage will abuse their access to information for their own gains. Increasing the surface of your online activity trail can and will be used against you by a bad actor when the opportunity arises. There is simply no good reason to make identity requirements the default. There is a reason identity requirements have traditionally been restricted to highly regulated entities, but of late there seems to be a trend of "internet companies" freely exchanging KYCs with each other. This blurring of boundaries between banks and regular companies is a dangerous precedent and I'm afraid it will be too late before we realise the net damage to society as a result.


> There are plenty of places where default anonymity makes a lot of sense and it is important to a good societal structure.

Can you list some examples of the types of places where you think this property holds true and explain what you mean by "good social structure"?

> History has shown time and again that those in positions of advantage will abuse their access to information for their own gains.

What are some examples of scenarios where this has happened in relation to online identity where there have been legal restrictions in place that would have otherwise prevented it? The healthcare industry and credit card industry seem to do a pretty good job of protecting sensitive information, for example.

> Increasing the surface of your online activity trail can and will be used against you by a bad actor when the opportunity arises.

How anonymous do you think you are online? If you're not deliberately taking steps to conceal your identity, your trail is thick and clear for the people who know how to track it. And that's an actual problem: people track you even if you think you're anonymous and we have no legal protection in place to prevent abuse of data that can identify you online. If you are in a position where you need to *depend* on anonymity, you simply can't because nobody will respect your wish. So the internet operates in this grey zone where because we have no rules governing abuse of PII, everyone throws on the cloak and turns to anonymity as the answer. This degrades our ability to fight spam and makes things like strong mutual authentication very very hard to do because platform vendors can't ever expose any sort of fixed identifier because privacy. Look at the insane things Apple does: zero out your mac address when scanning for wifi networks and recently issue a new certificate for every single use so that a persistent identifier does not show up. And look at IPv6, we invented "privacy extensions" where you generate a random IP every few minutes. These hacks break functional systems because we don't understand how to regulate the internet as a society.

All that is somewhat irrelevant, though. We're talking about the identity relationship between you and a service, not necessarily "the features of interacting with the internet that can be recorded and tracked either on purpose or incidentally". Do you think your email address makes you anonymous? Again, unless you're deliberately taking steps to maintain pristine op sec with your online browsing, you identify yourself to service providers one way or another. And again, the problem is people think they're anonymous when they really aren't, so they misinterpret what it means to be anonymous and its importance in good societal structure. I honestly don't see a difference between providing a service your email address or your physical address or telephone number. What's so bad about having a third party say "yeah, this person is who they say they are" and optionally "and here's the list of verified fields"? The internet is the only place where people get weirded out when someone asks for an ID. Do you not show the bartender your ID when asked because you need to be anonymous at a restaurant? How about at the gas station, the liquor store, the axe throwing range, the DMV, the hospital, when making a purchase on a credit card, taking out a loan, etc. What real world interactions do you have that are primarily anonymous? It's not normal.

Strong identity combats spam and abuse. I would choose strong identity over spam almost every single time. I do not disagree that there are some online communities that are respectfully anonymous. But do you think e.g. Reddit is one of those? Because I do not. Regardless, you can still both a) identity check and b) run an anonymous community (and c. not store identity information). You don't have to expose the identity data in the product/community/forum itself, so nothing about making identity easier to use and more streamlined defeats the ability to operate pseudonymous services in the least. I really don't understand the "anonymity by default is good for a wholesome society" angle whatsoever.


Oh no, I'm not going to go down that slippery slope. We are not talking about CIA whistleblower levels of anonymity here. This is just basic sanity. You may never be able to fight abuse 100%, so it's good practice to reduce the surface of compromise as much as possible. If the information is not needed, just don't send it. It's about de-risking the possibilities. The fact that banks, healthcare institutions etc. are trusted within a boundary does not automatically mean every tom and dick company out there should be trusted as well. There must be a strong justification for access to identity and spam is certainly the weakest out there. Fake identity is not hard to create. Bank fraud is rampant in many countries where fraudsters run large rings using such fake accounts. If banks are not able to stop these, online communities for the purpose of bot detection most certainly won't.


Fake identity is not hard to create online. You're right! That is the problem. Fake identity is orders of magnitude harder to create in meatspace. You don't solve that problem by saying "welp, I guess we just have to deal with spam to realize pseudo-security via anonymity". I don't disagree about privacy, even. I think you'd find we agree about not sending information you don't need. Where we are talking past each other is on the topic of anonymity vs privacy. I want strong identity and privacy and tools and laws that protect my identity and privacy online as well as offline. Tools that let me manage who has access to my private information and for what use cases. Tools that alert me when that information is accessed or shared. Tools to allow me to verify the information provided by others is genuine. This has nothing to do with anonymity.


> The internet would be a better place if there were more identity requirements

This is a completely baseless claim, as most arguments against weak (ie pseudo) anonymity seem to be. Outside of banks, healthcare providers, and payment processors, I see little of benefit. Before bringing up any arguments that involve poor behavior or misinformation, please refresh yourself on the current state of Facebook (where nearly everyone is using their full name).

I already think twice before (and often decide against) using a service that requires my phone number. I will _never_ use Discord or Twitter (in my personal life at least) for this reason. Except for banks, liquor, and the pharmacy, I am almost certain to decline doing business rather than providing my ID.


I'm curious, do you take this same stance in meatspace? Would you rather not know who your friends are and address them by a changing handle? Would you rather be given a pseudonymous name to use for the duration of your trip to the grocery store? Would you prefer to be delivered a new car every time you need to go somewhere so people can't associate you with a vehicle? Do you really have these anonymity requirements?

The claim is not baseless. There are strong technical reasons why identifying the components in your system is a good thing, and there are practical social reasons.


> I'm curious, do you take this same stance in meatspace? Would you rather not know who your friends are and address them by a changing handle?

There are many people I'm friendly with that I know little about. They could very well be giving me fake information about their life. I don't see this as a problem.

> Would you rather be given a pseudonymous name to use for the duration of your trip to the grocery store?

Well in most cases I wouldn't give anyone any name at all. Why does the grocery store require my name?

> The claim is not baseless. There are strong technical reasons why identifying the components in your system is a good thing, and there are practical social reasons.

There are also strong technical reasons not to. And there are practical social reasons not to. As far as I can tell, you've provided essentially no argument supporting this general claim:

> The internet would be a better place if there were more identity requirements


We already have a society that identifies people when doing business. The burden of proof is on an anonymity advocate to demonstrate why that is harmful and should be changed. I may not have convinced you that having strong identity enables strong security and reduces spam (that is my argument). But it's also not my problem if you aren't aware of the nuances surrounding how security, privacy and anonymity work. You haven't made any compelling argument as to why we don't need identity in cyberspace beyond a naive axiomatic assertion that "businesses don't need them so they shouldn't collect them" and some FUD level fear that strong identity is an Orwellian technology hell bent on ruining your life. There is so much nuance I don't feel like we're doing the topic justice. There is a huge spectrum between "ad tech tracking everything you do" and "everyone looks like a spam bot". The mindshare is heavily skewed toward spam bot because ad tech is abusive. You can have strong identity and privacy without invoking anonymity. You can be anonymous and still fall victim to phishing attempts and scams. Anonymity is not synonymous with security or privacy. Security means you know who you're communicating with online so you can establish trust. Privacy means you don't need to share invasive personal details in the regular course of existing in society. Anonymity means nobody knows who you are. I want a society where my digital communication with other people is authenticated and a baseline of trust is established. Do you use a secure messenger app that has E2E encryption? Guess what, that depends on strong identity. You are not anonymous but you are private. I would take a secure and private society every time over an anonymous one that offers weak, if any, guarantees of security and/or privacy.

I work on a product that doesn't collect any PII. We made the decision very early on not to collect any information we don't need because that's literally not our business. I am deeply aware of the landscape on these topics. However, as a society we cannot run in a "normal meatspace, anonymous cyberspace" mode. We need to bridge civil identity in a secure and private (those are fundamental human rights) way into the online era. That is the core focus of the product I've been working on. In reality people have identities whether they use them offline or online. The goal is to protect those identities so they cannot be abused, not remove them altogether.


> We already have a society that identifies people when doing business.

This is false. There are many cases in real life when this is not the case as explained in the very post you just responded to.

> The burden of proof is on an anonymity advocate to demonstrate why that is harmful and should be changed.

You are making certain claims and then saying it's up to others to disprove you? If that's your attitude why are you engaging in this discussion at all?

> But it’s also not my problem if you aren’t aware of the nuances surrounding how security, privacy and anonymity work.

Frankly I don't have the energy to engage with you. Take that as you will. You clearly think you know much more than everyone here already anyway.


It is not wholesale false by any stretch of the imagination. Yes, there are cash-only businesses that don't take credit cards with your name on them and smaller operations which don't have any KYC requirements or loyalty programs or otherwise engage with you in any activity that would identify you. I am not disputing that... it really feels like you're deliberately cherry picking my points and only responding in a fashion that reinforces your stance rather than actually addresses the discussion.

My point is that generally (not in all known cases) we are okay, in meatspace, (and quite familiar) with (and even require at times) exchanges that identify us whether it's putting our name on a coffee order, using a credit card to pay, signing a waiver, buying alcohol, visiting the hospital, opening a bank account, sending children to school, filing taxes, driving a car, etc. So to take the stance that anonymity is absolutely better to the point where it should be considered a fundamental human right and we should be worried about some company providing an identity verification api to online services because the whole shroud of pseudo anonymity of the internet is going to fall to pieces does require some supporting material, in the least. Otherwise it's just FUD.

> You clearly think you know much more than everyone here already anyway.

If I seem quip it's because I responded to a question asking if this API would mean we see more identity requirements because it possibly lowers the barrier to adding one with an affirmative "I hope so" and the tone of the responses has been "dude what a terrible thing to say this is hackernews doncha know anonymity is chic" followed by anecdotes about how sometimes you use an identity when doing business and sometimes you don't (so see! anonymity works). That's not a discussion it's just virtue signaling.. and it is certainly the responsibility of the virtuous (in this case those who are supporting the stance that my statement is terrible because anonymity is righteous) to back up their conviction (otherwise it is, simply, a virtue and nothing more). I've presented an argument that we needn't worry because meatspace society has figured out a good balance of security, privacy, and the occasional but rare anonymity, and it is perfectly functional so I don't think there's a qualified threat to the internet. I've described how strong identity backed security and accompanying privacy are not the same as anonymity and suggested that many people are conflating the two. And I've laid out rationale explaining that strong identity is better for security (this is not simply a "claim" if you know the first thing about security) and how if we want to see real privacy on the internet, not just the fake privacy that you get by being pseudonymous, then we need to fundamentally understand and legislate and engineer policies and systems that support such.

So far nobody has presented an argument as to why anonymity is, specifically, better than strong identity with privacy rules beyond "well sometimes you don't need strong identity for things to work so it should be the default" which is talking past me because I never made a claim to the contrary. I've backed up my assertions with the, as far as I know, factual evidence that identity both enables better security and deters spam (which are problems that are worse on the internet relative to meatspace). I don't know what else you want. I'm sorry my responses are laborious.


So do you provide your full name, street address, phone number, driver's license, and social, to everyone you meet? And do you require that from everyone you wish to be friends with? Otherwise how does either party know the other is not providing false information? This is essentially what you are stating you are hoping for on the internet by allowing every company to request identity information.


> The internet would be a better place if there were more identity requirements SO LONG AS companies are not legally allowed to sell or transmit that information to advertisers or other third parties without explicit opt-in consent ideally on a per-use basis. Or simply at all

This is a pipe dream. The online world spans the globe and we can only enforce the law in our own respective countries.

And even if all countries were cooperative about enforcement, distributed communication tools already exist. The internet has always been a place where you can go to share your thoughts without worrying about what your family or friends think. I don't think that will change in our lifetime, if ever.

Anyway, the market can sort this out. If using an ID to authenticate your Twitter account makes Twitter more successful than its competitors, great! I would not count on it.


A fully anonymous society is also a pipe dream. It doesn't work.

You already provide your name and phone number and email to Twitter. You already identify yourself. We're talking about making that exchange more reliable and more secure...


I haven't called for a fully anonymous society. I said realistically we cannot force people to identify themselves across the world. And, once there is a breach of identities, we will be back to where we are now where we can't reliably sort out who's who. It is a pointless exercise that potentially enables authoritarian regimes to silence dissent indefinitely. No thanks.


> it may well make sense for us to enable them to restrict themselves in the future. In this world, Stripe could tell their customers that the business doesn't have access to the raw details

This sounds great -- I don't want to be handling sensitive data of users, and I don't want to give sensitive data to businesses. But I'd rather this be a separate Verification product, with different branding, docs, and UI, so users and businesses are all clear on what's happening to user data.


> subject to compliance requirements that mandate that they themselves possess or have access to the raw information

It's literally called "(K)now (Y)our (C)ustomer".


And such a short edit distance from CYA!


Very glad to see that 4th bullet point there. I really like the option of, as a business, being able to say "No, I want to know whether the ID matches their Name/Address, but I don't want to be able to access the image data".


Any plans to add developing countries, in particular the Philippines?


How are you going to handle E.E.U. citizens? It seems that the GDPR applies here. The only real solution I see is to have a separate E.E.U.-based company.


Do you feel in doing this that you're making the web worse? As a business, you certainly have no obligation to be ethical, but doesn't it feel a bit strange as a person who presumably grew up with the web to be playing such a big role in harming the people who use it?


Emphasis mine.

> They may need or wish to perform additional checks on their side. Etc.

So they get all the data in the off chance that a Stripe customer might want to do something with the data aside from the basic “yeah our large global identity verification service says this person is legit.”

I’m not super clear what a company might ”wish to” do with that data that isn’t served by the basic “this person is who they say they are” function (Does Stripe need their clients to act as guinea pigs to see if the service actually works as intended? If their mysterious black box “wishes” turn up a case where this isn’t working as intended, are your customers required to share that data with you to ensure the overall reliability of the Stripe Identity service? Or do they just get to build a database of info they get from Stripe Identity?)

> While many of the businesses initially building on Identity wanted access to the raw information, it may well make sense for us to enable them to restrict themselves in the future.

Oh never mind, asked and answered! Just turn on the data hose to whoever has a website and will pay Stripe for identity data and maybe adjust it later if you catch some flack for this practice?

It’s kinda hilarious that the whole “people trust Stripe with their data” is used as part of the sales pitch as if this didn’t come across to me (a layperson) as a direct violation of that particular trust.


It's unfortunate, I'm an Enterprise Architect in Banking and honestly I wouldn't have let that feature go in production.

Businesses that do not have a legitimate reason to view my sensitive document like Passport, should not be allowed to do so.

Only authorized institutions like Licensed Payment Institution / Banks / Insurances etc... should be allowed to do so and AFTER they've been approved.

It's sad because you can tell right away that this will be abused by Stripe's customers inadvertently. Just like Uber "God View" that lets you view any customer ride...

Pretty sure the amount of "Identity Theft" or "Privacy" Scandal is going to explode with such technology available for everyone.

I don't know how a product manager at Stripe could tell himself that "Yes, it makes sense to give access to sensitive documents" in an age where people are seeking more privacy.


> Businesses that do not have a legitimate reason to view my sensitive document like Passport, should not be allowed to do so.

I get parent comment's totally legitimate security concerns. And businesses that have no business having my identity should surely not be asking for it. But I don't honestly understand how this has anything to do with Stripe. These businesses (which for whatever reason are asking for ID verification before doing business with you) are just using Stripe's API to verify identity instead of just taking your info themselves.

Any customer giving their information presumably knows they are giving said business their identity documents, the customers might not even know that the business is using Stripe's API.

Furthermore, Stripe is ostensibly coming in here to streamline the process for businesses taking identity info from customers. Why - in your opinion - is it worse for consumers when these-type businesses (which ask for identity), use their own-rolled id verification than using Stripe's?


> Why - in your opinion - is it worse for consumers when these-type businesses (which ask for identity), use their own-rolled id verification than using Stripe's?

The point isn't so much using a third party, we use a third party on prem.

My point is very simple: Why on earth would you let Discord view my passport? JUST WHY?!

Those documents are very sensitive and no one should have access to them unless they have a VERY good reason to do so. PCI DSS treats "card information" like hot lava, the same model should have applied here.

Stripe should have acted as a "Trusted Party" and securely store those documents without giving access to them but just let you extract the information from them.

Thus you would have been able to have a uniquely identified user, backed up by government ID, but you can't get access to the documents, and sensitive data should have been redacted.... just like the card number...

Again unless you are a Fintech / Financial Institution, with a VALID in effect license, you should not have access to those documents.


I totally agree. Businesses should not legally be allowed to access more information than they need. Like why do hospitals ask for my Social Security number? I know I can refuse it, but if they really don't need it shouldn't it be illegal for them to needlessly probe my identity?

And the list goes on...


If you've ever been carded at a bar/liquor store in a foreign country, then that random small business has seen your passport, no? How do you feel about that?


Being human to human, unless they're wearing tech that would allow them to scan/archive it, normally they just verify (eyeball it) and you get it back.

Here, with this system, they could verify and keep the data regardless of what I think is going on.


If you can't assume that a website you upload a scan of your ID to isn't capturing details about it, then you can't assume that a bouncer checking your ID isn't wearing a surreptitious HMD, no? In both cases, you're submitting your PII to an unknown process that seems like it should be safe, but with no previous experience or brand-image there to tell you whether there's actually any proof that it's safe.


That's a silly stretch. It's vastly more likely that a website fetching copies of a passport image is leaking copies or leaving the files where it shouldn't by accident and has the data exfiltrated by third party identity thieves, compared with a bouncer having a secret scan-quality camera installed by identity thieves without the bouncer noticing.


Who said anything about the bouncer not noticing? I'm presuming that the bouncer is the identity thief. If you're looking to make money as an identity thief, being a bouncer is the perfect job!

There was a story on Reddit a few months back, about a bouncer who, when handed real ID cards, claimed they were fakes, and proceeded to immediately "cut them up" (so that people didn't feel any need to demand them back, since what are you going to do with scraps of an ID card?) The bouncer was actually palming the real ID and cutting up a random piece of plastic instead, and then later handing the real ID card off to the owner, who sold them on the black market. One victim of this scheme figured it out after being a victim of identity theft, as they traced back a submitted capture of the photo ID that some third-party had retained, to the one that got "cut up." The police raided the establishment, and a whole ring of people were caught up in it. It was a whole thing.

There's nothing that leads me to believe that this isn't a simple, obvious, repeatable, low-stakes, high-margin criminal business model. As such, it probably happens a lot.


Wow, that's impressive.

I would still assume identity theft via websites being hacked is a lot more common, and likelihood is an appropriate factor when evaluating protective actions. But you make a good point about the bouncer.


Presumably they aren’t taking photographs of the passport and viewing them at some later date from personal computers.


In the EU, you don't hand over your ID/passport like a credit card in the US. You show it while keeping it in your hand. The second party can verify your age, while being unable to copy stuff like the machine readable zone.


You seem to be contradicting yourself. Businesses are asking for Stripe to verify identity. These businesses just need verification, not copies of documents, but Stripe makes them available anyway. That's the whole contention.

As a consumer, I would expect Stripe would do the verification and give the business partner the result, but not all the data they used to get the results themselves.


I actually disagree with this as well. The Hacker News user is not the average user. The average user has no idea what Stripe is, they assume that the business requesting a verification will have access to anything they submit.

I know this because we use Stripe Identity ourselves (in beta) and users have no idea that Stripe and us are different companies.


> users have no idea that Stripe and us are different companies.

Doesn't that imply that if there's a security breach at Stripe, that your users will blame you [too]


That seems right. Businesses aren't islands, they work with other businesses to provide their services. But if you as a business have an issue with a vendor/supplier, that's still on you. If McDonalds can't get fries, I don't blame farmer X for a failed harvest, I blame McDonalds for a fragile supply chain.


We should figure out who McDonalds' ice cream machine maker is and ask them why their product keeps breaking down.



As a person that still is trying to recover from identity fraud that happened many years ago, I am always very wary of companies that demand ID papers. Most of the time I will avoid them.

Most companies aren't even supposed to ask for identity papers. Is Stripe verifying with the passport issuer whether the country allows giving their passport to some identity?

I think there should be some sort of consent system built in where when the API consumer wants to download a passport the customer gets an email with the question if they consent to them fetching a copy.


But, also as an Enterprise Architect in Banking, if you were considering Stripe Identity wouldn't you rely on it for KYC compliance? You can't just say Oh we outsource that to a third-party called Stripe, can you?


That's not my point, here my point is very clear and straightforward.

Some people at Discord now have access to the pictures of my Passport that I uploaded during the verification process because they use "Stripe Identity".

The FAQ is very clear, Stripe gives you full access to those documents. It should NEVER do so.

Now the very smart people at Discord have access to my passport; they can now take a 50K Loan using my documents and face-check video, social security and some fake income documents.

They can also destroy my entire life because I maintain a political blog with views they don't really like that they consider "hate speech". These are exaggerated examples, but you get the idea.

I'm concerned by this, because more and more startups are going to use it to increase the value of their userbase to reduce fraud and look more attractive for their planned exit.

In the meantime, people having access to my personal documents is going to go exponential...

Again, I'm an Architect in Banking; we have 500+ Partners selling Loans for us, they NEVER have access to your documents / personal data. They can only tell if the document has been approved, income range and some basic information. You don't know what they are going to do with those sensitive documents / info, even if you have a contractual agreement with them.

The banking industry has had a very simple rule that everyone has been following for decades: DON'T TRUST THIRD PARTY. Stripe has decided to do otherwise I guess and I'm pretty scared about it.

Stripe Identity seems like Identity Theft as a Service.


> DON'T TRUST THIRD PARTY

This is a good policy when ALL first parties meet a certain (regulatory) bar. For banks, I assume that bar is "don't become insolvent" and more recently "don't lend money to terrorists."

The problem is that, as we've seen from the countless hacks in recent years, the first parties are NOT all meeting the bar when it comes to security, namely "don't leak (or abuse) users' private personal info."

And that's unfortunate, because a lot of the time, all a company really needs to know is a "does the registered account correspond (uniquely) to a real human (with certain legal characteristics)." Sometimes they need to know for compliance reasons ("our users are adults" or "aren't terrorists") and other times for uniqueness/fraud reasons ("We want to reduce spam accounts" or "we're paying users $10 to sign up and so need to make sure users aren't signing up multiple times.") It'd be great to be able to answer those questions without having to protect all that personal data that goes into answering it, similar to credit cards.

But your main point stands: if Stripe is allowing companies access to the collected data, then from a security point of view it's little better than having the companies collect and store it themselves. Hopefully Stripe explains their reasoning, or even better, course-corrects early in this launch.


I know it's not your point, but it's mine.

Why would you upload a copy of your passport to Discord, via a third-party or not? The issue here is just trusting people you shouldn't be trusting with things you shouldn't be trusting them with.

The alternative isn't WhizzBangApp doesn't request you upload documents, the alternative is they roll their own WhizBang ID service, or use a Stripe Identity competitor.

I know my bank needs to verify my driving licence or whatever, and I tr.. well banks are heavily regulated anyway, so I'm happy to upload it without caring whether they use Stripe Identity or their own or whatever.

I know Discord has no business with my passport or whatever, so they're not getting it whatever they use under the hood.


It is entirely fair to have to provide KYC documents for a service you need or desire to use but have the digital artifacts usage governed and access limited.

I let my Congressperson know policy is needed about online identity service providers needing better governance over identity data, as businesses aren’t going to do it voluntarily unless the law requires. This should probably be overseen by the CFPB, even though identity is a bit of a walk from finance (while Stripe is still primarily a financial services provider).


My take is that if you need it, Stripe will be better and more secure than rolling your own


More data concentration makes for a more worthwhile target, thus wiping out at least some of the potential upside. The net effect may very well be negative.

Given the regular stream of extremely large data leaks even from providers who should have the size, motivation and competency to protect that data, I find it incredibly hard to believe anyone who tries to assure me that they won't be breached.


> Considering that Stripe's original selling point was that it let websites accept credit card payments without seeing your credit card number

This is true, but it's also kind of a misleading statement; the original selling point was that you could accept credit cards without having to deal with the requirements of PCI compliance and merchant accounts, which is done (partially) by you not ever seeing the card data.

If there was similar compliance regulation around document storage, I would assume that Stripe would use "Identity-Document-Standards" compliance as a selling point. As far as I know, there are no such requirements.

I do think your #2 point though is exceptionally valid, and would hope that the majority of Stripe keys are scoped to not even provide access to this data/endpoints.

Edit: grammar


Edwin from Stripe here. The two cases are actually very similar. If you want to avoid ID documents ever being stored on your servers, Identity makes it easy to do that. (Just as Elements/Stripe.js makes that easy for card numbers.) On the other hand, if you want to store card numbers or ID documents (and there are sometimes good reasons for doing this!), Stripe makes that straightforward.


I do agree the cases are very similar, which makes it all the more jarring how differently Stripe treats the data.

If you want to export credit card numbers from Stripe, you can only have it transferred directly to another PCI DSS Level 1-compliant payment processor, and Stripe imposes rather strict requirements on the transfer: https://stripe.com/docs/security/data-migrations/exports#whe...

If you want to export ID documents or selfies, you can just make an API call or use the web interface. This can and will be abused.


Conflating credit card #'s and personal biometrics/SSNs is your first mistake. You think they are the same, they feel the same, but the risk to the customer is so much bigger.

When a hotel copies my passport, they get a jpg. If they use Stripe, now I know they have my biometrics serialized to JSON. That feels way riskier and scarier to me, especially now that it's all centralized by Stripe.

We hear about our personal data getting leaked and hacked every day, and here is Stripe making themselves an enormous target and serializing all the data for malicious actors.

This feels like a really tone deaf misstep by the company.


Hotels don't even get a full copy of my passport but a redacted version of it. That's my government's guidance: only select entities should get unredacted copies.

If not possible, I should mark the copy to the specific user.


I’m an engineer on the Identity team. There are two somewhat separate questions here. (1) Whether the business should ever have access to this data. And (2) how exactly the business should access that data and the security properties around it. On (1) this data is fundamentally the user’s, and there are often important compliance reasons as to why the user needs access to the raw data because of obligations that they themselves are subject to. It’s important to remember that you should trust both Stripe and the business that’s asking you to verify your identity. They are in control of explaining to you how they are using this data and giving you an option to opt out—or lose you as a customer. On (2) we’re working on a way to restrict access via secret keys very soon.


> On (2) we’re working on a way to restrict access via secret keys very soon.

Hmm, this doesn't really seem to me like the sort of area where you bring out an MVP and then work out basic fundamentals like this afterwards.


How large a percentage of Stripe Identity customers do you foresee actually are required by legal regulation to retain all this information, as opposed to verifying certain aspects of an individual, as opposed to wanting it and likely handling it in ways violating GDPR and similar regulation?

I’d argue that before Stripe sends any PII other than validation results to a customer, it needs to verify that the business indeed is under regulatory requirements to gather this data, and only sell the required part.

Alternatively, you could invert the process, allowing integrating businesses to send documents to Stripe, who replies if they’re legit or not.

Finally, if there is a need for sharing data with customers for e.g. KYC, shouldn’t this be priced significantly higher than verification/validation, so that Discords and Clubhouses can’t justify it from a business perspective?

What is the reasoning for doing neither of the above?


As a consumer, how can I request a removal of my personal info from Stripe's Identity database?


Same as petermeyers: how can I have my personal information removed from Stripe Identity? thanks!


It is trivially easy to key-in identity info from a JPG scan

They are both toxic, IMO. Businesses need to stop relying on this stuff.


Right but -- the attack vector is different. Scan/parse 10000s of JPGs, and all that jazz -- to get identities. Not Trivial. Or if the hotel stored the copy as a physical photocopy -- you're not bulk scanning 10k pieces of parchment at super speed for your identity-theft ring.

But download JSON blobs? From 10k records the hotel didn't store properly (cause they are not IT experts, or don't have experts at close hand) -- if you get in to their system the JSON is loads easier to parse than the JPEG.

Methods for KYC could (should!) be improved.


But like one of the Identity team folks said, the hotel would only have the OPTION to download and store those blobs. They aren't required to, and I'm assuming they would not. They'd be happy with the verification result and letting Stripe handle storing the PII.

Speaking from experience as we use Stripe Identity, and love not having to store the PII.


Isn't the problem that businesses are required to store this type of information (kyc verification information)? At what point are we going to have a logical system for verifying identity that doesn't require transferring the same list of data that every other 3rd party you've verified with also has?


I suspect most (if not all) KYC regulations require you to keep the evidence you used to verify the identity - even landlords in the UK are required to keep the evidence they saw of your right to live in the UK, let alone any institution that actually needs to prevent fraud etc. I suspect it's just a basic requirement of selling such a service to most medium-large businesses.


You're probably right about KYC, but KYC is just one of the four use cases presented by Stripe, and their customer logos include Clubhouse and Discord, which I highly doubt have KYC requirements or any need to access the underlying evidence.

Stripe could do this differently:

1. Allow the customer to choose whether or not they need access to the evidence.

2. If customer has chosen to receive access to the evidence, the Stripe Identity UI should clearly disclose this. (And they shouldn't try to deceive users by talking about deleting biometric identifiers.)

3. Require customers with access to evidence to adhere to certain security standards, similar to how they treat exports of credit card numbers: https://stripe.com/docs/security/data-migrations/exports#whe...

Stripe could have been a leader in setting high standards on how this type of information is handled. Instead they've opted to go the easy route and maximize profits while the rest of us pay the negative externalities from identity theft.


I think this is a very fair assessment of a better approach, which allows it where necessary, but not by default.


>Considering that Stripe's original selling point was that it let websites accept credit card payments without seeing your credit card number

I thought that Stripe's original selling point was that you could easily accept payments online without having to integrate with complicated bank and payment processor tech.


As I understood it at the time, alternatives required PCI compliance, which Stripe allowed you to sidestep thanks to tokenization, so I do believe that was a selling point. But this is besides the point I'm making, so I've edited my comment.


I wonder if instead Stripe could have routed calls through itself, filling in the secret info. Perhaps it was discussed?

For example, imagine Joe Biden buys a widget from WidgetsR.us and wants it shipped to his home address of 1600 Penn Ave in DC.

    WidgetsR.us -> Fedex.com/order_XYZ/ship-to/Joe Biden at 1600 Penn Ave in DC
    WidgetsR.us <- Fedex.com "201 CREATED"
Instead they could route through Stripe (where 123_joe corresponds to Joe Biden's identity docs in Stripe), which fills in the missing info.

    WidgetsR.us -> Stripe.com/identity/123_joe?redirect=Fedex.com/order_XYZ/ship-to/$NAME at $ADDRESS
    Stripe.com  -> Fedex.com/order_XYZ/ship-to/Joe Biden at 1600 Penn Ave in DC
    Stripe.com  <- Fedex.com "201 CREATED"
    WidgetsR.us <- Stripe.com '"201 CREATED"'
That way WidgetsR.us never knew the $NAME or $ADDRESS of user 123_joe, but was still able to use them. (Yes, they could send that info to themselves, but then they're on the hook for protecting it.) The huge downside here is putting Stripe in your business's critical path. But if it's already there for payments, then why not for identity?
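A toy version of that routing idea, written here as an added example rather than code from the commenter or from Stripe: a small in-memory "identity vault" that gives the integrating business only an opaque token and the verification result, fills the real name and address into the business's outbound request on its behalf, and returns only the downstream status. It also sketches the scoped-key restriction discussed elsewhere in the thread, where reading the raw record needs a separately granted scope. The vault class, scope names, token format, placeholder rules and the sample record are all assumptions made up for this example, not a real API.

```python
"""Toy identity vault for the 'route through the verifier' pattern.

Everything here (class, scopes, token format, sample record) is constructed
for illustration; it is not any vendor's schema or API.
"""
import hmac
import secrets
from string import Template
from typing import Callable, Dict, Iterable, Set
from urllib.parse import quote

# Constructed sample of what a verification step might have extracted.
SAMPLE_RECORD = {
    "name": "Joe Biden",
    "address": "1600 Penn Ave, DC",
    "document_number": "X1234567",  # sensitive: must never be substitutable
    "status": "verified",
}


class IdentityVault:
    # Placeholders a business may use in a forwarded request -> stored field.
    FORWARDABLE = {"NAME": "name", "ADDRESS": "address"}

    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}
        self._keys: Dict[str, Set[str]] = {}  # api key -> granted scopes

    def issue_key(self, scopes: Iterable[str]) -> str:
        key = "key_" + secrets.token_hex(8)
        self._keys[key] = set(scopes)
        return key

    def _require(self, api_key: str, scope: str) -> None:
        # Compare keys in constant time; refuse unknown keys and missing scopes.
        for known, scopes in self._keys.items():
            if hmac.compare_digest(known, api_key):
                if scope in scopes:
                    return
                raise PermissionError(f"key lacks scope {scope}")
        raise PermissionError("unknown key")

    def store(self, record: dict) -> str:
        """Vault the raw record; the caller gets only an opaque token back."""
        token = "vt_" + secrets.token_hex(8)
        self._records[token] = dict(record)
        return token

    def verification_result(self, token: str, api_key: str) -> dict:
        """Default scope: the outcome only, no extracted data."""
        self._require(api_key, "identity:result")
        return {"token": token, "status": self._records[token]["status"]}

    def raw_record(self, token: str, api_key: str) -> dict:
        """Raw access is a separate, explicitly granted scope."""
        self._require(api_key, "identity:raw")
        return dict(self._records[token])

    def forward(self, token: str, api_key: str, template: str,
                send: Callable[[str], int]) -> int:
        """Fill $NAME/$ADDRESS into the business's request template, call the
        downstream party on its behalf, and hand back only the status code."""
        self._require(api_key, "identity:forward")
        record = self._records[token]
        values = {ph: quote(record[f]) for ph, f in self.FORWARDABLE.items()}
        try:
            url = Template(template).substitute(values)
        except KeyError as exc:
            # Any other placeholder (e.g. $DOCUMENT_NUMBER) is refused outright.
            raise ValueError(f"placeholder {exc} is not forwardable") from None
        return send(url)


def demo() -> dict:
    """Run the WidgetsR.us -> carrier flow from the comment against the vault."""
    vault = IdentityVault()
    token = vault.store(SAMPLE_RECORD)
    merchant_key = vault.issue_key(["identity:result", "identity:forward"])
    audit_key = vault.issue_key(["identity:result", "identity:raw"])
    sent = []

    def fake_carrier(url: str) -> int:  # stands in for the carrier's API
        sent.append(url)
        return 201

    out = {"result": vault.verification_result(token, merchant_key)}
    out["status"] = vault.forward(
        token, merchant_key,
        "https://carrier.example/order_XYZ/ship-to/$NAME at $ADDRESS", fake_carrier)
    out["sent"] = sent[0]  # the merchant never sees this URL in the real flow
    try:
        vault.raw_record(token, merchant_key)
        out["raw_denied"] = False
    except PermissionError:
        out["raw_denied"] = True
    try:
        vault.forward(token, merchant_key, "https://x.example/$DOCUMENT_NUMBER",
                      fake_carrier)
        out["leak_blocked"] = False
    except ValueError:
        out["leak_blocked"] = True
    out["raw_ok"] = vault.raw_record(token, audit_key)["document_number"] == "X1234567"
    return out


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is the placeholder allow-list: the business can reference only the fields the vault has decided are forwardable, so a request template cannot be used to pull the document number or image out through the side door, and any key without the raw scope cannot read the record directly.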


Just an update on this—we've some changes in flight. Accessing sensitive verification results like date of birth, extracted document numbers, or collected images will soon require the use of restricted API keys. (More at https://stripe.com/docs/identity/verification-sessions#resul....) Thanks again for your feedback. I'll shoot you an email to chat more too.


Certainly a market for this sort of thing, but agree, dangerous privacy management.

