ID verification service for TikTok, Uber, X exposed driver licenses
Security and governance failures
- Commenters highlight that AU10TIX allegedly left a high‑privilege portal without 2FA and failed to fully revoke known‑leaked credentials for ~18 months, calling this typical rather than exceptional in the industry.
- Many see these vendors less as “high‑trust specialists” and more as generic software shops and “blame‑outsourcing firms” that let consumer‑facing brands offload risk and PR.
Data retention and “why do they keep IDs?”
- Strong criticism that full images of IDs and biometrics are retained instead of deleted after verification.
- Defenses raised: KYC/AML and other regulations often require storing verification evidence for years; firms also want an audit trail in case of disputes or court cases.
- Others argue retention could still be done in heavily restricted cold storage, with strict minimization, but isn’t.
User distrust and pushback
- Many now assume any ID or biometric shared online will eventually leak, and avoid services that ask for more than legally required—or drop transactions entirely.
- Examples include intrusive flows via Stripe or Airbnb‑style “liveness” videos; some see liveness checks as legitimate anti‑fraud tools, others as dystopian overreach.
- Breach statements like “no evidence of exploitation” are widely interpreted as “we didn’t or can’t really look.”
Law, liability, and lack of consequences
- Skepticism that anyone will face prison or serious financial penalties; past breaches (e.g., credit bureaus) are cited as proof that modest settlements are just a cost of doing business.
- Lawyers in the thread note it’s hard to prove duty of care, gross negligence, and concrete damages under current law; many call for explicit legislation and statutory damages.
Identity systems and alternatives
- Multiple comments advocate government‑run or government‑standardized digital ID / verification APIs (postal services, tax authorities, DMV‑style systems), citing Europe and Canada as partial models.
- Others strongly oppose centralized state ID power on civil‑liberties grounds, especially in the US context.
- Bank/carrier‑based OAuth‑like identity in Poland, Finland, Canada, etc. is cited as working better than ad‑hoc ID uploads; US adoption is limited by fragmentation and mistrust between banks.
Geopolitics and data export
- Concern over US citizens’ IDs and biometrics being processed in or by entities linked to Israel and other countries; some advocate boycotts, others argue for more targeted, evidence‑based divestment.
- It’s noted that US financial and tech firms routinely offshore access to sensitive data (e.g., India, Poland), so global exposure is already common.
Structural fixes and professionalization
- Some propose licensing / certification for software handling PII, akin to civil engineering, to give security‑minded engineers leverage and attach clearer liability.
- Others worry licensing would expand broadly, add rent‑seeking and bureaucracy, and may not meaningfully improve outcomes without stronger enforcement and incentives.