
Thanks for your reply.

> Fundamentally, Identity makes it possible to choose how much of this data traverses / is stored on your servers, just as Stripe did with card numbers.

There's a stark difference in how Stripe treats exports of card numbers versus exports of raw identity verification data. This makes it way easier, and more likely, for Stripe customers to choose to store raw identity verification information.

> With ID verification, however, many businesses have good reason to want more than just the verification result. For example, they may be subject to compliance requirements that mandate that they themselves possess or have access to the raw information. They may need or wish to perform additional checks on their side. Etc.

I acknowledge that some businesses have a need for this. But I see Discord and Clubhouse among your customer logos, and your product page talks about non-KYC use cases. Many of your customers will have access to identity documents without really needing it. That sucks for the end users of Stripe Identity, because it makes it more likely their data will be misused.

A concrete suggestion: make it possible for businesses to choose whether they have access to the raw data, and expose the choice to the end user in the Stripe Identity flow. Ideally, businesses that want the raw data would be subject to security compliance requirements. This is an opportunity for Stripe to be a leader in setting high standards on how this type of data should be handled.



Appreciate your feedback. On the first point, limitations on what the secret key can access are coming very soon.

> A concrete suggestion: make it possible for businesses to choose whether they have access to the raw data, and expose the choice to the end user in the Stripe Identity flow. Ideally, businesses that want the raw data would be subject to security compliance requirements. This is an opportunity for Stripe to be a leader in setting high standards on how this type of data should be handled.

Yes, per GP comment, I think this is a good idea. I suspect we'll do it.


+1 on being able to choose. I’m building a personal finance app right now, and where I can I’m choosing to not ingest or retain sensitive data. While the origin of this is scratching my own itch, I suspect that I’ll get better traction if I can overtly say I’m not collecting data I don’t need or holding onto it for longer than you want me to. I’d love to be able to just get a Boolean back.


Here we go, online IDs. It seems inevitable that some entity will leak this data at some point. Then what?


Businesses collecting identity information is nothing new. Somebody like Stripe putting a concerted effort out there to make it more secure and improve the experience so that identity information is stored in a less ad-hoc way is a win and will reduce the odds of some catastrophic leak. If you are only worried about identity leaks now then you are simply miscalibrated on your assumptions about the nature of online identities. If you are seriously this worried, then you probably shouldn't be using the internet for anything.


> so that identity information is stored in a less ad-hoc way

It will be more ad hoc. Stripe does not decide how their client stores such data. Stripe will make asking for an ID very easy and that will vastly expand the number of businesses utilizing this method of registration.

Right now I think of Stripe as a reliable service. When one of their customer's data is breached or leaked, I don't know that everyone will still trust Stripe as a brand. News articles about such breaches won't be able to relate the nuance of who's at fault.

I'm not concerned about my online personas being linked to me. I'm concerned about making it easy for bad actors to perform identity theft en masse.


I'm not sure you understand. When a business needs your ID to do business, they ask you for it and store it in their infrastructure. This already happens today. Nothing Stripe is doing necessarily changes this. Stripe is simply providing a streamlined mechanism by which businesses can fulfill their KYC requirements and obtain this information. And now they have the choice to continue to store it in their infrastructure or look it up via the API as needed. If somebody breaches Wells Fargo and dumps all the identity info of their customers, clearly Wells Fargo is at fault. Nobody will care if the entry form where they put their info in when they signed up for a bank account was hosted by Stripe and white-labeled by Wells Fargo, or if there was a permission box that popped up from Stripe asking if you'd like to allow Wells Fargo access to your info, or if it was simply hosted by Wells Fargo. I don't see the problem here.


I get it. No need to say I don't. Streamlined means more companies will ask you for such identification. Eventually Stripe will be part of a news story about a data leak. I imagine they've already factored this in and decided it's worth it, due to requests they've been getting from customers. Essentially, if they don't do it, someone else will. Personally I think they should let someone else do it, or break it into another company, but that's not my call.


I disagree a bit on this. Looking at previous data breaches, when something like an S3 bucket gets hacked, the news is not going to be about how Amazon is responsible for company X's data breach but about how company X's servers got hacked. Stripe, like AWS, is the infrastructure; the onus is on a company to ensure their infrastructure security, as it can be an existential risk. A philosophy of Stripe's is that they succeed when their customers succeed, so I'd like to think that they have a shared interest in trying to prevent their customers from being breached as much as possible.


You may be right about how breaches are received in the news by people. It may depend on how they roll it out. I'm sure Stripe will do their best to help clients secure their customers' data. At the end of the day, though, it seems inevitable that breaches will occur.


It’s great that you think that limiting the firehose-style wild-west dissemination of people’s identity data might be a good idea, and I have good feelings about your suspicions; I suspect they might be well-founded.

Might as well wait until anybody that can drag and drop Stripe code into their app gets as many photos of people’s IDs and faces and security questions from their users and squirrels it away into their private databases.

Once that’s done it’ll be a good time to fire off a blog post about how not doing that was always in the works and announce groundbreaking features like “basic privacy permissions for identity data” will become default.

Maybe it’ll be a paid feature for end users?


Fully agree here - I would say that I am a bit shocked at the lack of regulation regarding access to people’s identity documents as compared to credit cards. Credit/debit cards are your money, and there’s an entire network of both regulations and intermediaries working against fraud in this space.

Your identity can create new credit cards. It can take out loans. It is inherently a higher-order security risk, and therefore should by default have more restrictions. I as a consumer trust Stripe to do the right thing, but I do not trust its customers. This seems to be the most reasonable stance, yet the policy does not reflect that. I am concerned that this wedges open a really big new avenue for cybercrime without having any sort of regulations in place à la PCI audits.


> Your identity can create new credit cards. It can take out loans. It is inherently a higher order security risk, and therefore should by default have more restrictions.

It's a security risk because of the first couple things you listed. The problem is that identity cannot be simultaneously a secret and a public identifier. As the name should suggest, identity serves a much better use as a public identifier. So we should stop treating it like a secret and start creating real infrastructure for actual secrets.

By the way, this is completely analogous to credit cards. There's a reason the industry has moved to chip cards physically and tokenized cards virtually. And that's because the card number was serving as both identity and secret, and that doesn't work. The deviation is that, in this case, we've decided to make the credit card numbers a secret which is cryptographically protected (chips) or at the very least stored in an opaque manner (tokens).


> I would say that I am a bit shocked at the lack of regulation regarding access to people’s identity documents as compared to credit cards.

To some degree it's because there isn't much point. You can call up my home state today, pinky promise that you're me, hand over $20, and they'll ship you my birth certificate or other important documents. We don't have private keys or other kinds of unique identifiers assigned at birth, so attempts to lock it down further would lock people out of their own identities.

Scale does matter, and a breached database of identity documents is definitely worse than having to pay a nominal fee and wait a few days, but given the context of other manual labor like securing loans I'm not sure the extra ease would result in much more fraud.


It's supposed to work in quite a few countries, and not all make it so easy. Given the requirement in my country for ID when obtaining any other ID, I'm actually puzzled about what happens if you lose everything.

https://stripe.com/docs/identity/verification-checks


For me, the general process would require a police report for lost/stolen ID (mandatory, so that it can be marked as lost/stolen so that it would be detected if someone tries to use it) and verification with the data they have on file - nowadays with EU biometric IDs they can be quite sure that I'm the same person as the one who got the previous ID as the face and fingerprints can be verified.


There's an honor system in many places. You sign a document stating you are who you say you are, and have it witnessed by someone who is "deemed trustworthy" - local police, teacher, clergy.


When Stripe handles the data of residents of the European Economic Union it is subject to the General Data Protection Regulation [0].

[0] https://en.wikipedia.org/wiki/General_Data_Protection_Regula...


Just from an end user POV, would I be able to request from Stripe logs of metadata about which type/how much of my personal data has been shared with the companies?


> Ideally, businesses that want the raw data would be subject to security compliance requirements.

Isn’t that already true for businesses that store this data from any source?


No. Unfortunately, most businesses in the US are not under any compliance requirements or regulations around identification. Certain states have special rules (like California I think?) but in most places US businesses can generally do anything they want with an ID card or relevant information, so long as they don't impersonate you or commit a crime with it.

Given the way Stripe has implemented this today, Stripe might as well be selling their business customers an `<input type="file" />` tag for driver's licenses, because that's the level of security 99% of all businesses will be using around this. There's going to be Amazon S3 buckets filled up with driver's license JPEGs provided by Stripe Identity, in a few months' time.


> There's going to be Amazon S3 buckets filled up with driver's license JPEGs provided by Stripe Identity, in a few months' time.

What makes you think these don't already exist? Have you ever needed to provide your identity information to use a service online (e.g. an insurance service, bank, alcohol/weed delivery, crypto market, etc.)? Where do you think the identity information you provided is stored?

If you don't use these types of services, then nothing will change: Stripe won't magically have all your identity info. If you do use these services, maybe they'll partner with Stripe, maybe not. The only outcome I can see from this news is that it's likely there will be fewer AWS buckets with your identity info moving forward, because Stripe can do that for you now.


Putting my lazy developer hat on for a second here… I think I would choose to store the Stripe Identity token in my db and then pull the JPEGs on demand from Stripe’s API. Saving the image to S3 would be additional work, and well, I’m a lazy developer.


Depending on where you're located, there is a responsibility to only take information you require.

I get your point, but you seem to be implying this data is captured without the customer being aware. That will not be the case, surely.



