> Discord, a messaging platform popular with gamers, says official ID photos of around 70,000 users have potentially been leaked after a cyber-attack.
However, their senior director states in this Verge article:
> The ID is immediately deleted. We do not keep any information around like your name, the city that you live in, if you used a birth certificate or something else, any of that information.
This is also contradicted by what Discord actually says:
> Quick deletion: Identity documents submitted to our vendor partners are deleted quickly— in most cases, immediately after age confirmation.
Not to mention collecting them at all means those servers are a primo location for state actors to stage themselves to make copies of data before being deleted.
To say nothing of insider threats, which likely exist across every major social media platform in service to foreign govs.
It was this deep into the thread when I decided I don’t think I need internet service this bad, let alone Discord. I think I’m out. Let us know how it goes!
All of these types of developments, of the trap door starting to close, really do totally depend on the addiction, the dependency that was created to make sure the people would be unable to withdraw themselves. We now have some generations of people who have only been online and in a fantasy world of games and “TV”. It seems the system has calculated that we have crossed the threshold after which the system is self-reinforcing and there is very little chance of effective resistance, let alone reversal.
I’m not sure how to really get this point across, but you would be very incorrect believing that and I have first hand knowledge of that.
Yes, it’s not a waterfall methodology/system like some Soviet central committee planned economy, but what else do you call things like the kill list board meetings of the Obama administration, if not malicious and with forethought? They had lists, they decided on who to murder, they broke to accomplish their weekly objectives and then they reported on their progress every week. And that’s just a tiny snowflake on top of the iceberg of what is available for anyone in the public all around the world to know, even without any kind of special access other than an open mind willing to accept reality that is not what one was told it is from childhood on. You know, when people are the most vulnerable and easily manipulated, the MO of the people like Epstein.
It’s not even that the information needed to understand these things is not all there in public agreed caps leaks and releases, it’s just that most people seem to just want to accept that 2+2=5 and in exchange live a life they believe is a good deal from the devil.
You seem to represent one of those people who has no idea what you are a part of, similar to how an animal born into a zoo is quite content since all his needs are met. That animal cannot understand any bigger context, because all it’s ever known is that cage it’s always been in all your conscious existence.
All the information you need is publicly available to you even without any clearances, on the internet (for the time being). What is your excuse for not knowing, e.g., that effectively all NGOs are a tool of the CIA? Or what else would you call the Obama kill list meetings where, just like how you may have weekly sprints, they picked from a backlog and then killed them and reported back on progress; if not malicious and with forethought?
Reality simply is that the majority of people are like those peasant masses that applauded Obama at the Winter Olympics; the same malicious, deliberate murderer with forethought and with a kill list that we know he was. What are you?
> write a mildly unhinged internet comment that tries to shame people for not knowing the true conspiracy all around them. Use themes like sheeple and kill squads. Explicitly call out Obama and only Obama and make sure you repeat one claim about Obama at least three times.
> Not to mention collecting them at all means those servers are a primo location for state actors to stage themselves to make copies of data before being deleted.
Not to nitpick, but in this case they'd be collecting data they already own.
For state actors - they frequently have issues "connecting the dots". Or heck - maybe connecting the dots is easy but it's a manual process that introduces too much friction for them to do casually. Maybe some of the data they connect it with is not trustworthy.
If the dots already come pre-connected, it makes the job easier.
Not to mention its value as blackmail material shoots up because it comes pre-associated with your government ID and/or a scan of your face because fewer sources/methods need to be risked.
In addition to the sibling comments, even if they do own the ID itself, they do not own the association with Discord users, and the ID might also be faked.
> Also, _Discord_ deleting them is really only half the battle; random vendors deleting them remains an issue.
This really is the issue. Of the 5 or so data breach notifications I received last year, none are from an entity I have a direct relationship with. They're all from a vendor used directly or indirectly by these entities.
The real answer is more serious penalties for having data breaches. Having 6 concurrent "identity monitoring" services is of zero value to me.
Vendors like that would be in deep GDPR shit if they claim to not store highly sensitive data and then do in fact store highly sensitive data.
Generally the GDPR is not rigorously enforced, but when it comes to sensitive data like face scans, IDs, medical data etc. the hammer comes down a lot swifter and harder.
Weird that I have to get a list of all the cookie vendors that know I visit a website to show me an ad about something I already bought but the guys with my ID don't need to be listed.
Personally Identifiable Information is about data that can identify you personally. Personal data might be something you don't want to share but is not necessarily identifying you
Well since you have these IDs, for national security (AML, criminals and whatnot), we will need you to keep them if our endpoint says so, here's the endpoint
Imagine the neural network you could train over such a large dataset of IDs so when you pay your bills or do the flight check-in you avoid the hassle of manually inputting the data yourself? Ah, yes, we have that already.
It was only one example they gave, and they accept multiple different types of ID; a driver's license or national ID card being other likely ones, and DLs do say where you live.
Not updating your DL after changing your address is a crime* in all US states. I'm not as familiar with law elsewhere, but would be surprised if that's not true most other places.
*There are exceptions for active duty military personnel and other limited exceptions.
It is a law but rarely enforced; also, some places like Washington are primarily digital, meaning you update your DL address online but they don’t print a new ID unless you request it or your DL is expired.
Unless you’re wild camping, campsites have addresses. So do marinas where a ship would need to be docked more or less regularly to establish residency.
As for being a nomad, you don’t need a driver’s license or any kind of ID to wander if you’re willing to sleep rough. If you want to drive on public roadways though, you better have a primary address where the courts can send someone if you kill someone in a traffic accident and bail.
Docking is expensive, so no. It's also only needed once per 5 years or so for maintenance.
Government fining you a ticket doesn't mean your address has to be on the drivers license. They could register the number plate to an SSN for instance.
Did you skip my last sentence? A traffic ticket is not the worst thing you can do in an automobile. And not everyone eligible for a drivers license will have an SSN.
Laws of the government can't override laws of physics. If you don't have a place where you can receive mail, do they just arrest you or what? Do they assign a PO box to you?
My Spanish identity card has my full address. Not sure if the DNI does as well, or only the foreign resident version.
> And what do you mean by “us”?
US folks are pretty used to being able to up and drive across the country with a suitcase, without filing any paperwork (at least till the taxman comes knocking next April)
Have to get your vehicle registered in your new state as well (if you own one) as well as your driver’s license. God help you if your vehicle is towed and your license/vehicle is not registered in the current state. Absolute mess.
Germany has the full address on the ID card and the issuing office (containing the city) on both the driving license. They are also digital so who knows what they also store on them.
> The ID is immediately deleted. We do not keep any information around like your name, the city that you live in, if you used a birth certificate or something else, any of that information.
Everyone says this, including the TSA. But they never say they don't keep a hash, or an eigenvector of your biometric. Which is equally as important.
They also never say it goes through datacenters in room 641A or through Utah before it's "deleted", because it's a US company and they can't refuse that.
In case someone is unaware, 641A and Utah are both references to the US mass surveillance systems in this context. Specifically interceptors that a company wouldn't be able to prevent from saving your data for the few seconds they need to process and delete it.
I might be misremembering, but AFAIK, that kind of surveillance mostly worked because many companies didn't bother encrypting datacenter-to-datacenter traffic, thinking that those networks are trusted. That mistake has since been rectified though.
With almost everything going over TLS these days and HTTPS being the norm, even for server-to-server APIs, it's much harder to snoop on traffic without the collaboration of one of the endpoints, and the more companies you ask for that kind of collaboration, the higher your risk of an unhappy employee becoming a whistleblower.
That's also about US companies that can't refuse or can't bother to challenge that a dragnet is set up in their process.
ISPs themselves didn't save any data.
However, they gave interception rooms to the NSA (which is indeed technically not them).
Nowadays ISPs aren't the right scale to do it for the reasons you mentioned. But the USA lowkey moved the dragnet to the main datacenters with PRISM, then made it mandatory for all with the CLOUD Act.
And if the threat is not coming from the USA, but some other country starts to ask Discord to BCC them the IDs of their citizens, we can do the odds on whether Discord will challenge it or not.
Now I want to ask Discord who is their third party provider? Why don't they process IDs themselves?
Unless you use Cloudflare (or roughly any other DDOS protection system), in which case you're letting those companies MITM all requests on purpose. Protected between you and Cloudflare by PFS and any other acronym you like.
I think the odds that Cloudflare hasn't been forced into data snooping by the government are approximately zero. It's by far the biggest, juiciest target.
> We do not keep any information around like your name
But they might be sending a copy to the NSA, similarly to how Alphabet, Yahoo, Apple, Meta etc. have been doing (PRISM program, part of the Snowden revelation [1]). The US has the legal mechanisms of requiring this to happen, secretly, such as NSLs [2].
They don’t need to prove that. The government or whatever would have to prove that they aren’t checking ages, by going to the site and seeing a lack of age verification.
Until we have some kind of "One Time ID Verification" service that would work, the ID will never be deleted. Or a hash of the info or some kind of identifiable info.
Humm yeah, like a government digital ID of some sort. Except people go mental about that, so sending scanned copies of my personal ID documents to every bank/solicitor/estate agent/mortgage broker/random internet service it is then...
They're a nonsense company, and trusting them with any information is foolish.
They'll store everything and anything, because data is valuable, and won't delete anything unless legally compelled to and held accountable by third party independent verification. This is the default.
The purpose of things is what they do. They're an adtech user data collection company, they're not a user information securing company.
TL;DR: The IDs were used in age-related appeals. If someone's account was banned for being too young they have to submit an ID as part of the appeal. Appeals take time to process and review.
Discord has 200,000,000 users and age verification happens a lot due to the number of young users and different countries.
GDPR is no joke and storing people’s actual ID card photos is a gigantic liability. Companies treat that stuff like it’s toxic waste, they want to get rid of it as fast as possible and permanently.
So Discord only just survived financially because of heavy fines imposed from their earlier breach of trust? All their C-suite were fined commensurate with their remunerations+wealth?
Sigh, I guess it's time to move platforms again or get your identity stolen. The more a company makes a fuss about trusting users, the more likely they store all of their shit in plaintext with vibe coded server security.
https://www.bbc.com/news/articles/c8jmzd972leo
> Discord, a messaging platform popular with gamers, says official ID photos of around 70,000 users have potentially been leaked after a cyber-attack.
However, their senior director states in this Verge article:
> The ID is immediately deleted. We do not keep any information around like your name, the city that you live in, if you used a birth certificate or something else, any of that information.
Why didn't they do that the first time?