I am sure even my passport would be part of the breach, are the passport holders being notified of the breach?
dgellow•Jun 28, 2026
Oh god that’s pretty bad
> The documents were hosted by systems used by cannabis clubs and a company called Nefos, which operates PuffPal, a platform that manages membership and age verification for cannabis retailers and clubs across Europe. The infrastructure storing these identity documents—full passport scans, driver’s licenses with photos, names, and identifying numbers—was left completely unprotected on publicly accessible web servers.
I cannot imagine the level of fines under GDPR for leaking that much PII
real_chudson•Jun 28, 2026
The EU's verification laws will ensure much more of these leaks in the future, and therefore much more fines
dgellow•Jun 28, 2026
Yep… not sure about more fines, but for sure more leaks
Kuinox•Jun 28, 2026
How so, are you purely speculating or you found a hole in the zero knowledge proof system some countries are implementing?
raron•Jun 30, 2026
It is not using ZKP. Zero knowledge proof is mentioned as an optional experimental feature in the next release.
Is it a requirement to retain the documents? Many are waiting for gatekeeper tech companies to organise around attestation rather than submission to third parties. I hope they are making progress.
TacticalCoder•Jun 29, 2026
I had to receive a letter from France (I'm not French, I don't live in France, but we've got family real estate there). To be able to open this letter, online (!), I had to scan my EU ID card, tilt it, and scan my face (pointing at the camera, looking to the left, etc.).
We're talking about a major French institution here, either public or private but colluding with the government to have their monopoly (don't know, don't care: they're all the same worms to me).
Speaking of which... There's been a recent case in France where a very nice lady working for some public institution (basically the IRS) was giving the name/wealth of "targets" to her brother so that her brother and his friends could go and kidnap/torture (fingers of victims have been cut) family members of rich French persons.
It's sickening and the real culprits are those creating the laws mandating this full on surveillance apparatus.
axus•Jun 29, 2026
The governments want to retain their abilities to target people for kidnapping/finger-lopping.
ExoticPearTree•Jun 30, 2026
> The EU's verification laws will ensure much more of these leaks in the future, and therefore much more fines
So it's a feature, not a bug and a clever revenue stream for the governments?
voakbasda•Jun 29, 2026
Show me the consequences. I hear there are supposed to be repercussions, but these asshats never seem to pay for their crimes.
hahahaa•Jun 30, 2026
Why can't verification simply be go to post office, clerk will affidavit that you presented correct ID via online form. Which could also do the photo lookup for good measure.
Store that fact in the computer. Good for one ID usage. Good for less critical stuff like this weed thing (versus say a visa application which may need to store).
The analogy is a nightclub bouncer checks your ID.
simoncion•Jun 30, 2026
> The analogy is a nightclub bouncer checks your ID.
...the obvious thing to deploy is a cannabis club bouncer that checks your ID with only his eyes and hands and either bounces you or lets you in, depending on the outcome of that check.
That's far simpler than involving some unrelated third party and far more secure than storing any information about the event in any computer.
raverbashing•Jun 28, 2026
That's good, just grab one of those whenever you need to prove your age online /s
Cider9986•Jun 29, 2026
For liveness I suppose you need a good graphics card.
So dystopian
sebastiennight•Jun 30, 2026
> a good graphics card
Well, see, for safety reasons we're not going to let consumers have those anymore. You could be doing all kinds of shenanigans, running LLMs locally like a pirate.
jubilee33•Jun 30, 2026
Not even needed many times, I was recently at an overseas airport that wanted you to scan your passport to log into the internet. Ya not happening. On another device I downloaded a "sample" passport image of a British passport, the first one on Google images, pointed the phone at the device screen. "This will never work", he thought as he was immediately logged in.
All this stuff really hurts the people who follow the rules the most.
gertrunde•Jun 28, 2026
The lack of security is one thing, but why have they retained the information at all!
iirc, one of the elements of GDPR is "storage limitation", i.e. you must not keep personal data for longer than you need it - and in this case, the data is only needed to verify the age of the user, and shouldn't ever be required again (unless people can now get younger).
Once a document has been used to verify a person's identity and that the person is of legal age, there is no reason to retain a copy of the document any more.
It would be reasonable and fair to retain a photo of the user to verify that the person matches the account, but that's it.
rationalist•Jun 29, 2026
10 years after I took the ACT, I received a letter from a university that I never went to, saying my SSN was leaked.
WHY THE F**k ARE THEY HOLDING ON TO THAT 10 YEARS LATER!?!?!?
Of course now I know better than to give out my SSN to anyone who asks for it, but I didn't know that as a teenager.
Until stupid s**t like this becomes illegal, it will just keep continuing.
robrtsql•Jun 29, 2026
Don't be so hard on 17-ish-year-old you. What exactly were you supposed to do? Not take the ACT (and probably not get into your desired college)?
DANmode•Jun 29, 2026
Ask if it’s required, instead of assuming it is, is the point.
Modern equivalent “move over here for your picture ‘for the doctor’.”
No thanks, I’d like to opt-out!
AgentOrange1234•Jun 29, 2026
This is a real problem.
I was appalled when renewing my car this year that I now need a Texas by Texas account (https://www.texas.gov/texas-by-texas/), which wants... a social security number because why?!?!
Anyway, yet another data breach incoming.
axus•Jun 29, 2026
I'd hope that there's an in-person option for renewal. Maybe people without a data plan don't exist anymore?
Tangurena2•Jun 30, 2026
> which wants... a social security number because why?
Because of federal child support legislation. If you are $2500 (or more) in arrears, your passport gets cancelled. Most states will also suspend/revoke your professional licenses and possibly driving license when you cross that state's threshold.
> In 1996, Congress passed and President Bill Clinton signed the Personal Responsibility and Work Opportunity Act (42 U.S.C. § 666), which required that states adopt UIFSA by January 1, 1998 or face loss of federal funding for child support enforcement. Every U.S. state has adopted either the 1996 or a later version of UIFSA.
When I worked for my state's motor vehicle bureau, one of the verification APIs that the driving license/ID folks got to use was a verification of citizenship/lawful residence service. Which used SSNs.
cute_boi•Jun 29, 2026
I think every SSN is already leaked and government is doing nothing. I tried to change SSN and they told me it is not possible.
recursivecaveat•Jun 30, 2026
100s of millions have definitely been exposed already. The best defence is probably to be a baby so your risk window is minimal. I haven't been able to pull that off personally, so I follow the other recommended piece of advice which is to keep your credit checks permanently frozen with the agencies and only temporarily thaw it for specific usages.
Which is a shame, as there are only hundreds of millions possible… and they still have to include room in that 9-digit namespace for non-social-security-involved ITINs and employer ID numbers!
throwaway173738•Jun 30, 2026
They’ll definitely issue loans to a child. You have to actually put a special freeze on your child’s credit account, which is insane but welcome to the US, where any obstruction to the wheels of commerce is an affront to our national dignity.
frollogaston•Jun 29, 2026
I've had stuff like this happen too, and always wondered if they really leaked my data or were just notifying everyone whose data they possibly leaked.
bigfishrunning•Jun 30, 2026
I think the argument is "if they didn't retain your data, it couldn't have possibly leaked"
frollogaston•Jun 30, 2026
Yeah I meant it's possible they didn't retain your passport, they just know you took the test at some point.
Sohcahtoa82•Jun 29, 2026
The real answer?
In case you want to retrieve your test scores 10 years after you took it. They need some way to uniquely identify you. Sure, they could have given you a specific test taker ID, but what if you lost that? They could have created a way for you to log in with an e-mail address, but what if you changed e-mail addresses?
You might think "Why would I need my test scores from 10+ years ago?", but my wife just started a job and they demanded her college transcripts to prove she went there...over 20 years ago.
catlikesshrimp•Jun 29, 2026
Identify the student by full name, dob, date of admission, career, etc. It takes 5 minutes instead of one.
The problem here is using a username (the ID) as a password (security check)
throwaway173738•Jun 30, 2026
And make them call the registrar during regular hours. That’s what I had to do to get a transcript from 15 years ago once. The registrar holds the records and should be able to provide them.
xmcp123•Jun 30, 2026
I think the issue here is that it was the university, not ACT. ACT has a valid reason for holding it. A university he never went to does not.
TZubiri•Jun 30, 2026
I'm not American, but the idea that your SSN, which is effectively a (federal) unique identifier for a person, would be secret, is very foreign.
In most countries, like most databases, our primary keys do not hold an expectation of secrecy.
I would even argue that the expectation of secrecy is what creates its secret semantics, that is, it's secret because you make it secret. I get that it's a collective action thing, if you just publish your own SSN, a bank in another state might not be aware it's a public thing for YOU, and might open an account for a stranger.
Interestingly enough, for corporations, their identifiers, EIN, are not assumed to be private, in many states these are available through the DoS public records. So it turns out the system works just fine if you make the ID of a person (juristic or legal) public.
smcin•Jun 30, 2026
So what prevents people applying for loans or doing identity theft, in other countries?
rightbyte•Jun 30, 2026
To sign on for a house, marry, claim a child as yours etc you need witnesses where I live. Web of trust I guess?
If someone takes a loan in my name and I don't receive the money it is not an identity theft it is fraud and the victim is the bank not me.
sleepybrett•Jun 30, 2026
do you think scammers don't travel in packs?
TZubiri•Jun 30, 2026
Key difference might be that most countries have centralized Federal ID document. The Americans never allowed the government such a power, which is a tremendous idea. But they did concede to an ID number through a federal tax entity which de facto served as an id number. Turns out one disadvantage there is that a document is easier to prove ownership of than a number.
bluebarbet•Jun 30, 2026
Sure but all countries have numbers (tax, SS, ID card) that serve de-facto as IDs. The question is why the number alone (i.e. a username without a password) would ever be considered sufficient to authenticate something.
Tangurena2•Jun 30, 2026
My original SSN card has "not valid for identification" printed on it. Originally, it was supposed to only be used for filing taxes. The first 3 digits identified the state you applied in, the second 2 digits identified the office (in that state) and 2 of the last 4 digits identified the filing cabinet.
Over the years, it ended up becoming the de facto federal identity number. It has no check digits, so you can make up any you want (I used to use a phone number of a major customer - only dropping 1 digit). I was a rebel/jerk/butthead back then. Now I just yell at clouds.
Long ago, I worked at a place that handled electronic prescriptions, lab results and insurance claims. There were huge numbers of incorrect SSNs which meant there were huge numbers of duplicates. Someone transposed 2 digits? Yep. Someone remembered their number incorrectly? Sure. Someone made one up? Like from a phone number? Oh noes! Before 911, trying to match someone with faulty ID numbers and messed up names was called "patient matching" and after 911 all the academics doing research into this stuff disappeared into large defense contractors or 3-letter-agencies trying to find more terrorists/bad guys.
For a good start in this area of research, I recommend this dissertation:
> Adaptive detection of approximately duplicate database records and the database integration approach to information discovery
> The most misused SSN of all time was [see link]. In 1938, wallet manufacturer the E. H. Ferree company in Lockport, New York decided to promote its product by showing how a Social Security card would fit into its wallets. A sample card, used for display purposes, was inserted in each wallet. Company Vice President and Treasurer Douglas Patterson thought it would be a clever idea to use the actual SSN of his secretary, Mrs. Hilda Schrader Whitcher.
> The wallet was sold by Woolworth stores and other department stores all over the country. Even though the card was only half the size of a real card, was printed all in red, and had the word "specimen" written across the face, many purchasers of the wallet adopted the SSN as their own. In the peak year of 1943, 5,755 people were using Hilda's number.
Most state agencies redact the SSN from public records. I want to say that they all do, but I work for a state and I see too many in all the wrong places.
Tangurena2•Jun 30, 2026
My first university, back in the 1970s, used my SSN as my student ID and was embossed into the ID card (who is that stranger in the photo?). Nowadays, no university uses SSN for student IDs. There's a saying that applies: the past is a foreign country.
dotancohen•Jun 29, 2026
> Once a document has been used to verify a person's identity and that the person is of legal age, there is no reason to retain a copy of the document any more.
Might KYC laws and general CYA policies prefer to keep the proof of age? For instance to protect e.g. against a minor altering the date on their passport. Especially in such a regulated industry.
charles_f•Jun 29, 2026
The EDPB has explicitly ruled on that, when it comes to age verification^1, you should delete: "Trust models are crucial to prevent data breaches in age assurance contexts [...] once the user's age is verified, no record of the personal data used for the age assurance process is kept".
> Note what happened. A high-value credential—a passport—was used in an ancillary low-value authentication system: ID verification for cannabis dispensaries. And it’s the low-value system that got hacked, putting the high-value credential at risk.
Why do these systems hold onto user's data post verification?
observationist•Jun 29, 2026
Why wouldn't they? There are probably significant downsides if they fail an audit requirement, and they're probably mandated to retain records for some period, with no consequences to extended retention.
Set up a system so that it costs you nothing to do a bad thing but possibly wrecks you legally and financially to do the good thing, and people will inevitably do the bad thing. They shouldn't be collecting this information in the first place.
The people who design these policies are incapable of actually building things that work. They are not the intelligent, competent leaders exercising a careful craft that they like to pretend they are.
They keep going after age verification, online ID, central bank digital currencies, etc - keep this incident in mind. The people who implement and write these policies are morons. They don't game things out and plan for redundancy or resiliency. They don't take into account bad faith actors. They don't account for deliberate exploitation of the system.
charles_f•Jun 29, 2026
> Why wouldn't they?
They most likely weren't allowed to keep it past the verification per GDPR art.5. Once the passport has been verified for whatever purpose they needed it ("age verified to be > 18yo on 2026-06-12" or "identity verified to be XXXX YYYY"), there is no legitimate use for the passport photo and details anymore, and they should delete it.
petercooper•Jun 29, 2026
(I'm naive in this area, but..) I wonder if the various "proof of age" laws coming into play will clash with the GDPR in insidious ways. Like requiring identity providers to hold definitive "proof" of why they made an assessment rather than merely proving and discarding. I assume/hope there is some cryptographic way to do this rather than hang on to passport and ID images, however.
lschueller•Jun 29, 2026
There are established ways / protocols to hold and provide cryptographically valid proof of a verification process, without any need to keep the actual id images in any storage. And to my knowledge there is no requirement for compliant KYC (Know your customer) to provide their ID as a proof as long as the verification process itself is compliant and audited in accordance to certain criteria.
You can compare this in a certain way to file hashes. A successful verification with a predefined minimum level of credibility can be encrypted to a special string for later being used, if a service needs to verify the person again. It doesn't matter then, that the original passport images or video ident has been deleted the second after id verification has been completed.
charles_f•Jun 30, 2026
I'm somewhat knowledgeable on privacy topics, pasting my answer to another comment:
The EDPB has explicitly ruled on that, when it comes to age verification^1, you should delete: "Trust models are crucial to prevent data breaches in age assurance contexts [...] once the user's age is verified, no record of the personal data used for the age assurance process is kept".
> Why wouldn't they? There are probably significant downsides if they fail an audit requirement,
Right, and keeping old passports used for verification should cause an audit to fail.
lazide•Jun 29, 2026
Not if there is no law about it.
If there is a law about verifying buyers, how else are they going to pass that audit?
subscribed•Jun 29, 2026
There's a law forbidding storage beyond necessary minimum and law punishing such behaviour unless another law necessitated storage of the original document in the unsecured, unencrypted form. Doubtful.
There's also laws mandating secure systems design.
Separately there's no _need_ to store the original document if the verification system is sound (and audit real, not some phony crap like in some of the scandals posted here on HN).
lazide•Jun 30, 2026
If you need to prove you sold to real people, storing their credentials is a necessary thing, for as long as your need to prove that. At least with the way things currently are.
How else do you expect it to work? ‘Honest, we checked’ checkboxes?
hackinthebochs•Jun 30, 2026
If the credentials are stored for some period of time, then an inspection will reveal those stored credentials within the preservation window. Unannounced inspections will then show with high certainty a legitimate validation process.
The auditor can act as a customer and validate whether phony credentials are rejected.
lazide•Jun 30, 2026
Thanks for agreeing with me?
hackinthebochs•Jun 30, 2026
I thought I was elaborating on how to minimize exposure. If this is just what you meant, then sure!
lazide•Jun 30, 2026
Yeah, my point is that there is a significant exposure they are required to have, if they need to be able to be audited and have to actually prove they are dealing with real people.
At least - as you mention - until the rules catch up and there is some sort of one way hashing/signing or something possible, which for most of these industries is probably decades away (if ever). Most of these industries struggle with photocopies at this point.
subscribed•Jun 30, 2026
You can store for example ID type and serial number AND hash of the personal information.
If the government-affiliated agency decides to check, they can.
But back to my original statement - unless they're explicitly mandated to keep it longer, they are forbidden from doing so, and their DPO would know it.
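The approach lschueller and subscribed describe above (keep proof that a check happened rather than the document itself), as an added example that is not part of the thread: a keyed fingerprint of the document type and serial, plus a MAC-authenticated record of the outcome. Function names, key handling and the sample passport values are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets
from datetime import date

# Constructed keys for this example. In a real deployment they would be held
# in a KMS/HSM, separate from the database that stores the receipts.
PEPPER_KEY = secrets.token_bytes(32)    # keys the document fingerprint
SIGNING_KEY = secrets.token_bytes(32)   # authenticates the stored receipt


def _mac(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def document_fingerprint(doc_type: str, serial: str) -> str:
    """Keyed fingerprint of (document type, serial number).

    A bare SHA-256 of a passport serial is not enough: the serial space is
    small, so anyone holding the database could enumerate it. Keying the hash
    with a secret stored elsewhere removes that option.
    """
    normalized = f"{doc_type.strip().upper()}|{serial.strip().upper()}"
    return _mac(PEPPER_KEY, normalized.encode())


def age_on(birth: date, on: date) -> int:
    """Whole years between birth and the verification date."""
    return on.year - birth.year - ((on.month, on.day) < (birth.month, birth.day))


def _canonical(claims: dict) -> bytes:
    # Stable serialisation so the MAC is computed over identical bytes each time.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def make_receipt(doc_type: str, serial: str, birth: date,
                 verified_on: date, min_age: int = 18) -> dict:
    """Build the only record retained after verification.

    The scan, name, birth date and raw serial are used here and then dropped;
    none of them appears in the returned receipt.
    """
    claims = {
        "doc_type": doc_type.strip().upper(),
        "doc_fp": document_fingerprint(doc_type, serial),
        "min_age": min_age,
        "over_min_age": age_on(birth, verified_on) >= min_age,
        "verified_on": verified_on.isoformat(),
    }
    return {"claims": claims, "tag": _mac(SIGNING_KEY, _canonical(claims))}


def receipt_is_authentic(receipt: dict) -> bool:
    """Auditor-side check: was this receipt produced by the verifier, unmodified?"""
    expected = _mac(SIGNING_KEY, _canonical(receipt["claims"]))
    return hmac.compare_digest(expected, receipt["tag"])


def matches_document(receipt: dict, doc_type: str, serial: str) -> bool:
    """Re-check a document presented later against the stored fingerprint."""
    return hmac.compare_digest(receipt["claims"]["doc_fp"],
                               document_fingerprint(doc_type, serial))


if __name__ == "__main__":
    # Constructed sample document, not a real passport.
    receipt = make_receipt("passport", "X1234567", date(1990, 5, 17), date(2026, 6, 12))
    print(json.dumps(receipt, indent=2))
    print("authentic:", receipt_is_authentic(receipt))
    print("same document re-presented:", matches_document(receipt, "passport", "x1234567"))

    # An edited record (flipping the age result) no longer verifies.
    forged = {"claims": dict(receipt["claims"], over_min_age=False), "tag": receipt["tag"]}
    print("forged record authentic:", receipt_is_authentic(forged))
```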
TZubiri•Jun 29, 2026
I have a story about this, although it's a bit convoluted and not entirely related. But it does showcase low-value usecase compromising a high-value auth mechanism.
I was working on a project, client is a Real Estate agency, they use a CRM where they upload houses and it in turn uploads it to various sites like Zillow. We needed a list of their listed houses, so we wanted to use that data source instead of making a CRUD where they have to add houses yet again.
We ask the CRM sales team about APIs, they tell us that there's no accounts for third parties, client accounts have APIs, so we have to ask the client for an API key (or for their account password).
Which makes sense in general I guess, but the data is public in our case, so the CRM sales staff's idea was that we should ask the client to let us access their account in order to get public data. We proceeded to scrape the houses from a website like Zillow like cavemen.
As it happens, our project was ancillary low-value. So I don't doubt that the clients of this CRM are vulnerable in a similar way, and the root cause of the issue isn't evident at all, I can see 2:
1- Paradoxically, having an API that always requires an API KEY (as opposed to allowing unauthenticated access for public data) is less secure, as credentials/tokens will be used more often when not necessary.
2- This CRM effectively acted as an aggregator, consuming the APIs to publish to other vendors, but they don't provide an API for other vendors to read data from them. This effectively causes third party vendors to authenticate as the client, which is just incorrect. Credentials should identify a person/group, not a usecase.
bee_rider•Jun 30, 2026
This is a really great story. It is super short and understandable, and nails the point that just falling into the default case of authenticating everything can hurt security. If someone was teaching some sort of software engineering seminar, they should totally steal it.
mothballed•Jun 29, 2026
I'm not sure how it works in the EU, but in the US, most states have a "PMP" (prescription monitoring program) that tracks the sale of marijuana in many states (never mind that it's not an actual prescription, but it is a controlled substance) and viewable by your doctor back up to ~12 months or so. Most people don't know this however and think it works like alcohol sales where it's sold after ID verification and then everyone forgets about it. Some states treat marijuana sales like prescription drug dispensing, it has to be reported to a central database including the intimate details of the persons involved. I have no idea if this is the case in Spain, however.
subscribed•Jun 29, 2026
EU is not a country and the laws covering illicit substances vary wildly between member states.
wil421•Jun 30, 2026
How’s that any different than the US? States determine what they can do.
subscribed•Jun 30, 2026
Still, EU is a loose federation with some common laws and mostly common border policy. It doesn't even have common currency.
sebastiennight•Jun 30, 2026
> It doesn't even have common currency.
This statement is about as accurate as saying the US doesn't have a common language, or Vatican City residents don't have a common religion.
Economic and monetary union is a group of policies aimed at CONVERGING the economies. From your link.
The European Union consists of 27 countries.
25% of them did not adopt Euro as the currency.
"common" language is orthogonal here - it would be valid if you could legally use euro everywhere. You can't, it's not a currency in the quarter of the states. Sure, someone may accept it and offer you the exchange to the local currency.
Vatican City example is also not very good (to put it mildly), because Catholicism is a state religion. You're not going to be deported for being Sikh, yes, but it's akin to the Romanian not being deported from Portugal for carrying lei in his pocket.
Euro is NOT a common currency in the EU. It is by far the most popular. It is a common currency in the Eurozone countries. And these two are distinct from Europe as well.
I'd suggest you discuss your ideas with someone before posting them again.
bluebarbet•Jun 30, 2026
The last line was unnecessary.
subscribed•Jun 30, 2026
That was the measured response to the attempted ridicule (that's not nice too).
Or, more politely, a suggestion to post arguments that are relevant.
mothballed•Jun 30, 2026
You were ridiculed because I never stated the EU was a country. I said I didn't know how things work in the EU, not that everywhere you go in the EU it would be the same (in fact, I explicitly stated, I did not know how the system worked in Spain specifically to denote national differences in law in the EU). Your malicious use of feigned lack of reading comprehension merits the response.
No surprise you got back what you dished out.
subscribed•Jun 30, 2026
Awwwwww....
Look, non sequitur doesn't hold as much as you think it does.
And I'd also like to point to something you missed:
>> *attempted* ridicule.
_If_ their arguments were sound and relevant, maybe. But, well, they weren't.
Note I wasn't even responding to you, just replied to someone else seemingly conflating EU with Eurozone, trying to make fun of one phrase out of several statements, omitting the key "EU is a loose federation".
Now I fully expect @bluebarbet to descend again and either chastise me for being amused at your comment, or tell you off for rudely implying malicious intent that wasn't there.
Especially since I wasn't even talking to you right now, and from your first comment's first sentence it could be clearly inferred you expect some sort of the federal policy, and this is what I was trying to address concisely, in a good faith.
Do with it whatever you want, I wasted too much time on that already anyway.
Have a good day, sir or madam.
someonebaggy•Jun 30, 2026
Cannabis is federally illegal in the US, and the federation has its own enforcement teams that can come and get you even if your state's enforcement teams won't.
mothballed•Jun 30, 2026
This is half true. Medical cannabis is now schedule III, with state programs explicitly placed into sched III (even without FDA approval) making it fully federal legal in that case.
edoceo•Jun 30, 2026
It's not like this in USA for cannabis. States with medical programs issue medical cards and the dispensary uses that as the only form of ID. For adult-recreational the dispensary can choose their ID verification system. Many use ID scanners connected to their online POS provider. The State run system doesn't track retail sales to an individual.
mothballed•Jun 30, 2026
Medical marijuana is linked to the PMP in my state.
OMG, I forgot that AZ and VT have very unique programs. Basically everyone else is on BioTrack or Metrc which are dedicated cannabis "track and trace" - ex-pharmacy infrastructure
baliex•Jun 30, 2026
In a word: complaints.
It’s somewhat understandable but also part of the problem.
ishouldstayaway•Jun 30, 2026
> Why do these systems hold onto user's data post verification?
Depending on the company, you could rate the reasons on a scale from "incompetence/naivete" to "revenue stream".
hombre_fatal•Jun 30, 2026
There are various reasons. What if it turned out someone was using a stolen ID or a fake ID, or the ID didn't match the face, or it wasn't even an ID? You'd want to be able to see how your process missed it.
The real problem is that there aren't many options for real authentication over getting people to upload pictures of high-value credentials. Now every service has to be a security expert, like encrypting the images at rest so they aren't the ones who leak it.
It's kind of like how dumb our credit card system is where you have to both share a secret with everyone (from random websites to random restaurants) while hoping the bad guys never get it because the secret can be used anywhere. It kinda works against everyone except the bad guys.
Maybe it's time we come up with a deliberate system.
ehnto•Jun 30, 2026
> You'd want to be able to see how your process missed it.
An incredible risk to take on someone else's behalf, for personal gain. Don't worry, market forces will surely fix this, no need for regulation.
hombre_fatal•Jun 30, 2026
But, once again, it's the only mechanism we have.
We are decades beyond the days where the waitress uses a credit card imprinter to copy your credit card so the restaurant can charge your credit card later, yet that's still basically the state of our tech when it comes to authentication and payment.
Not even KYC institutions have better tech. You still upload a scan of your high value creds, maybe with your face in frame.
somenameforme•Jun 30, 2026
The leak came from a third party ID/age verification service for a regulated substance in a heavily regulated region. I think there's a good chance that they're under various regulatory/KYC type laws that would make holding onto user data mandatory. One practical scenario where this would come into play is if they were suspected of intentionally accepting fraudulent credentials, basically acting like a fake ID service for hire. In that case authorities would want to be able to see all data that they were basing acceptance on.
vfclists•Jun 29, 2026
Do the laws that mandate identity verification set security standards that the websites which collect and verify the data must meet?
shmoobadge•Jun 29, 2026
Much as passports are very important for proving identity etc, people who travel have had their passport scanned, photographed or photocopied by pretty much every hotel they've stayed in. I'm not sure the shoebox in the backroom in Koh Samui with the photocopies in constitutes good storage hygiene protocols.
How that doesn't turn into rampant identity theft I don't know, or maybe it does? Not, happily, for me... yet.
Avshalom•Jun 29, 2026
the whole "not being an automatable remote sql injection away from everything" quality of physical objects grants a filing cabinet a tremendous amount of inherent security compared to anything digital.
Terr_•Jun 29, 2026
Much like that old quip about the bandwidth of a vehicle full of tapes: "Never underestimate the at-rest security of a room full of filing cabinets."
Friction and delay have always been aspects of security.
annzabelle•Jun 29, 2026
Not sure if they're still doing this, but as of a few years ago, the IRS was still using literal trucks full of tapes to transport data to backup facilities. Tapes are good for this because they don't degrade as quickly as hard drives, so if you're actually looking to do archival storage that will outlast the cloud provider of the decade, they are surprisingly practical.
DANmode•Jun 29, 2026
Does tape still burn really easily?
Or has that been fixed?
Terr_•Jun 29, 2026
Compared to what option, clay tablets of cuneiform? :p
In terms of significant danger, perhaps you're thinking of nitrocellulose movie film that was phased out in the '50s.
rcbdev•Jun 30, 2026
Working with tape storage was part of my high school education. So was mainframe job scheduling...
Europe is as much ahead as it is behind.
Tangurena2•Jun 30, 2026
As long as the janitors aren't using electric floor buffers, like NASA used to do, the tapes will last forever. However NASA ended up losing the data (from 1960s space missions) on the bottom 2 rows of tapes. It took a couple decades though.
The newer stuff is a heck of a lot better than the olden stuff.
petit_robert•Jun 30, 2026
It depends on the stakes?
In the 90s, the French IRS seized massive amounts of files from Elf, then a major French oil company under investigation for various frauds.
Their offices were burglarized maybe a couple nights after that. All that was seized disappeared.
wisemang•Jun 30, 2026
Nothing says “we’re watching you” like the wifi password at the hotel I stayed at in Shanghai being my passport number.
nkrisc•Jun 29, 2026
Stealing a shoebox of photocopied passports from every hotel in the city sounds like way more work and way riskier than downloading an already aggregated trove of digital data.
shmoobadge•Jun 29, 2026
Ok, how about the google photos archive from the hotel next door with 1000s of pictures of passports taken on the shared unlocked $100 android phone that sits on the front desk? Not millions I grant you, but again, there doesn't seem to be an issue with active exploitation of these.
mothballed•Jun 29, 2026
There is an issue with active exploitation of passports, of course the scale can change. Due to banking KYC / other KYC laws there's a market for these copied identities and of course so criminals don't even get a speedbump by KYC whereas the boot is used up the ass of the normal person trying to pass KYC when they're missing some stupid document like proof of address.
lifestyleguru•Jun 30, 2026
> the boot is used up the ass of the normal person trying to pass KYC when they're missing some stupid document like proof of address.
We are not there yet, Sir. First you must provide inheritance document showing the amount inherited and deed of purchase and sale of real estate. This is the law.
annzabelle•Jun 29, 2026
My guess is that the machine readable chip standards and the production quality required to replicate a physical passport are high enough that only the most organized of organized crime can fake the highest value passports effectively, and if a passport is easy to replicate, it is less likely to have visa free access to most countries.
To second the photographed/photocopied requirements, as an expat, I am frequently asked to send a scan of my passport to people or entities that are not necessarily the most secure.
I also have a couple of important documents that are literally PDFs. My Canadian citizenship certificate is a PDF with a barcode in it, that I can print off a copy of if I need to mail it, or show on my phone to a consular office or a border guard if needed. My work visa here in New Zealand is a PDF with my passport number and a visa number, which my workplace and bank checked with an online database. Fundamentally, these and my passport are pointers to a row in various databases.
SXX•Jun 29, 2026
AFAIK not all NFC-enabled passports support Active Authentication. E.g. at least before, US passports did not support it, so cloning them is as easy as reading them via NFC.
So you can't fake a non-existing passport because of the issuer signature, but cloning is not rocket science for many countries' passports.
Tangurena2•Jun 30, 2026
Nowadays, for US passports (I don't know about other countries), the number/key needed to let the chip talk to you is printed on the photo page, so the older way of reading the NFC from afar won't work without that number.
stephen_g•Jun 30, 2026
Yes for other countries, it’s a standards thing not something unique to the US!
VladVladikoff•Jun 30, 2026
I am working on hotel software. And we are doing an automated kiosk check in with identity scanning. I’m seriously stressed about holding on to this kind of toxic waste. I am trying to limit it as much as possible. For example throwing away scans as fast as possible (within regulatory allowances). But I would love to hear any ideas anyone has in terms of further security. Obviously the documents are not just on a public bucket. But I’m considering maybe encrypting each document with a separate key, or something along those lines.
ashley95•Jun 30, 2026
Encrypt the data with an asymmetric key; and keep the decryption key somewhere offline. You can get a hardware token to store the key on (I think a yubikey can do this).
fy20•Jun 30, 2026
At smaller hotels or hostels I've had the staff take photos of ID with their own personal devices.
lifestyleguru•Jun 30, 2026
Nothing starts a stay at a new place better than a (most likely) illegal immigrant working (most likely) illegally at the reception of a grubby hotel or hostel taking a photo of my passport with their private smartphone. Then I really feel that everything will go well and that I'm safe.
bluebarbet•Jun 30, 2026
Same. Many times. This cat is out of the bag.
Scaled•Jun 30, 2026
I had my identity stolen this way before.
Since then, I do not allow the scans anymore. It is a dreadful feeling showing up to a hotel not knowing if you'll get turned away at the last minute because you take a stand for your privacy. So far, none have been willing to lose the bookings, but I know sooner or later my luck will run out and I'll have to find last minute accommodations.
mattrighetti•Jun 30, 2026
> people who travel have had their passport scanned, photographed or photocopied by pretty much every hotel they've stayed in.
This. I hate it. People expect you to send your documents on messaging apps and god only knows where they end up. Unfortunately, I fear there's nothing we can do to stop this as govs enforce this kind of operations.
deanc•Jun 30, 2026
It's far worse than that. In a lot of cases when you pay on booking.com, they don't charge your card. Instead, they send all your information (including CVV) along to the hotel where they can charge you how they want. A hotel I visited in Austria, had my card details printed out on a piece of A4 paper.
charles_f•Jun 29, 2026
> Zero password protection on document storage systems
>
> No encryption for sensitive identity verification data
>
> Public URL access with no authentication requirements
>
> No access logging or monitoring systems in place
Pretty much the bingo of secure storage, even CTF demos make it less obvious. Storing a document that they have no business keeping in the first place, with no security whatsoever.
maipen•Jun 29, 2026
So much of our information is being leaked nowadays that news like these don’t surprise me anymore…
I think everyone should understand that if they truly want something private, storing it offline or destroying it completely, are the only safer options.
Any sort of convenience to access said data, is a possible surface of attack.
croes•Jun 29, 2026
> No hacking was required—documents were accessible through direct URLs with zero authentication or encryption.
You would be surprised what some courts already count as hacking
spullara•Jun 29, 2026
Remember that there is no such thing as identity theft. There is just fraud. You weren't involved at all.
lifestyleguru•Jun 30, 2026
Identity theft is a term made up by banks and institutions who don't want to take responsibility for who they sign contracts with. Despite billions of profits they have every year.
petilon•Jun 30, 2026
Exactly. We should stop saying "Identity Theft" because that lets financial institutions off the hook. "Identity Theft" sounds like it is either your fault for being careless with your identity, or the thief's fault for stealing it. How about "Negligent Verification Fraud"? That makes it clear it is the fault of the bank. It is impersonation enabled by the bank's lax verification process.
cebert•Jun 30, 2026
> PuffPal, a platform that manages membership and age verification for cannabis retailers and clubs across Europe.
At least we’re keeping the children safe though by verifying ages. It’s worth giving up privacy for that…
hahahaa•Jun 30, 2026
Yep. Teenagers are famously incapable of finding a dealer who might even be their mate.
throwaway692675•Jun 30, 2026
I'm aware of another batch of leaked passports, from a few years ago.
A family member was booking a school tour, when he noticed the URL of the Travel CRM included an id number. Sure enough, the CRM would return all his details given only the (sequential) id number without a need for credentials: high resolution passport scan, and all the other details provided when booking an overseas trip.
He notified the CRM company, and that email was ignored. He emailed again, proposing disclosure, and the problem was silently fixed with no response.
A few months later he mentioned it to the school, along with the fact that he had followed up and had the vulnerability fixed. The school went straight into panic mode, called him to the principal's office and forced him to write a statement so they could refer him to the Feds. I intervened, explaining that he was the good guy who got the vulnerability fixed, and the problem was the school's, since they had supposedly vetted the CRM for security when choosing a tour company.
All of a sudden from the school's point of view there was no problem and no need to mention it to any of the people whose information had been disclosed, despite my insistence. The people still haven't been notified. The school did acknowledge that the family member had done the right thing and verbally thanked him, but would not put anything in writing.
The people involved in the tour had their details leaked, but there was nothing special about those people in the system, so realistically every person whose details were in that CRM had their details, including passports, leaked. It was a major travel CRM provider, so the number of people in the system would have been 6 or 7 figures.
The kicker is that the family member was employed by a software company that had the school system as a customer. The IT person who was responsible for vetting the travel CRM (and had verbally thanked him) arranged for the school system to phone his employer and deliver an ultimatum: that the family member be sacked or they would risk losing a customer. The family member got the sack.
gomoboo•Jun 30, 2026
After all of that why protect the company by not mentioning their name?
throwaway692675•Jun 30, 2026
Because it's not worth it. I'm protecting the family member, not the company.
The image of people standing up for the noble whistleblower is far from the truth. Disclosing the company here won't achieve anything apart from garnering a few karma points and generating some short lived outrage at the company.
I'd consider disclosing it to the ICO, and made tentative steps in that direction at the time, but it's not clear that they are interested and whose interests they would protect.
Here's a question that might make this discussion useful: What is people's experience of reporting data breaches to the UK's ICO? In your case, was meaningful action taken by the ICO and was the person doing the reporting protected?
bestouff•Jun 30, 2026
This kind of behavior should be punished.
darkwater•Jun 30, 2026
And one thought about this situation and the common view that companies/corporation are a being on their own: I'm pretty sure that the IT guy that gave the OK to the CRM and then asked to sack your family member is directly responsible and could have taken another decision if they were a person with a higher moral ground, like accept responsibility and accepting the risk of being fired. And the same applies to every level of the chain of command.
But it's easier to say that people are removed by design from the consequences of their acts so it's not easy to take the right decision for anyone. It's just not convenient, instead.
tempfile•Jun 30, 2026
If you can't actually substantiate these claims (they probably can't prove it, even if it's true) then this could be a very expensive claim to make.
tempfile•Jun 30, 2026
> The family member got the sack.
Isn't this classic wrongful termination?
throwaway692675•Jun 30, 2026
It wasn't worth pursuing, partly because it was a part time job. A bit sad, as the company had promised to sponsor him through further study. It was the right decision, as it turned out to be less effort than a court case to get better opportunities with other companies.
j-bos•Jun 30, 2026
It was the right choice for the individual, wrong choice for society.
6_7•Jun 30, 2026
I'm sorry, how many figures?
the_bear•Jun 30, 2026
I run a small CRM company that serves some travel agents (we're not travel-specific, but we have a lot of small broker/agent businesses using us). We have ~11,000 customers with ~25,000 users between them, and our database stores ~100 million contacts, so about 4k contacts per user.
Most of those contacts are probably random leads that got imported, not actual clients that would have uploaded their passport info, but it seems reasonable to think that a CRM of our size (which, again, is not very big) that served exclusively travel agents would have millions of actual "clients" with passport info. 1 million passports across 25k users would just be 40 per user. If you assume a typical trip is for a family of four, that would mean the average user has just booked 10 international trips ever which seems pretty low to me.
I want to reiterate that we're not travel-specific and we don't have a feature for capturing passport info, etc., so I'm really just commenting on the volume of records that might be impacted by something like this.
bonoboTP•Jun 30, 2026
I admire the naive optimism of someone who'd expect otherwise but why would you? If you want to pursue such a thing, get a lawyer because you're now legal enemies with the school leadership and this should be obvious the moment you start thinking getting yourself involved in such an affair.
croisillon•Jun 30, 2026
i could swear i have read that same story here before but can't find it
petit_robert•Jun 30, 2026
It tends to happen with a reasonable certainty to most whistleblowers, from what I gather.
So yes, you can swear you read that same story before, and I could swear you will read it again :-\
hahahaa•Jun 30, 2026
The cannabis link makes it much worse as you have a bit of information about the person in addition to the passport which is a perfect ID.
JSR_FDED•Jun 30, 2026
Well this should keep the transfer stations going for a bit longer.
monksy•Jun 30, 2026
Don't forget to send your congress person a reminder about what their vote for age verification systems does.
Find your rep at congress.gov. Email or mail them this article.
Ok, then changing the link to the verge article. Thanks for pointing that out
wolvoleo•Jun 28, 2026
The verge is not a good source as it's pay walled
gavinsyancey•Jun 29, 2026
From the HN FAQ:
> Are paywalls ok?
> It's ok to post stories from sites with paywalls that have workarounds.
> In comments, it's ok to ask how to read an article and to help other users do so. But please don't post complaints about paywalls. Those are off topic. More here.
You can pay for the paywall, or there are ways around.
wolvoleo•Jun 28, 2026
Wow it's insane that Cambridge Analytica is still around after the scandals.
jazzyjackson•Jun 29, 2026
They dissolved and reconstituted as Emerdata. This domain was squatted.
dang•Jun 29, 2026
Ok, let's use that and put the other two in the toptext.
gnabgib•Jun 29, 2026
It was written by the Verge, and this Cambridge summary admits that (the first paragraph "journalist" is the original author at the Verge).. perhaps we can go back to original source? It's been submitted twice.
In EU, eIDAS 2.0 will fix all of these issues and future leaks altogether.
Check authbound.io
ale42•Jun 30, 2026
Looks like this only works on smartphones? Well... no thanks.
lifestyleguru•Jun 30, 2026
Duh, and only on iOS and Android ones, and only on their latest versions... but don't worry they have good intents I would trust them.
mrweasel•Jun 30, 2026
This is the problem with pretty much all of the EU's attempts of getting away from US infrastructure. One of the VISA/MasterCard alternatives is also a bloody app, on a smartphone, with an operating system from one of two US software giants (One of which is known to give zero fucks about privacy).
If the EU wants to continue down this road, step one has to be a mobile operating system. Avoiding tying solutions to people's phones would be better.
lifestyleguru•Jun 30, 2026
The second part of my comment was /s. I wish banks, institutions, and governments would fuck off from my smartphone. Best I can do for them is web browser and email, if they want to be on my smartphone then do a mobile website.
dabber21•Jun 30, 2026
how did you come to this conclusion? it's not even true
Edit: if it is only about authbound, maybe. But they are not the only ones offering this service
gempir•Jun 30, 2026
Ironic, using the domain of the British Indian Ocean Territory instead of a .eu domain
stef25•Jun 30, 2026
Back when S3 buckets were rarely protected, I found hundreds of passports of people operating in the diamond business here in Antwerp.
In another one I found all passports that had been scanned by a hostel in Bangkok.
lifestyleguru•Jun 30, 2026
Ahh so that's what they mean at the reception when they take photo of my ID and say "it's for the police". So that any police anywhere can freely download it at any time!
aand16•Jun 30, 2026
While visiting Italy I've had the hotel photocopy my ID. I've researched and the legal requirement for the hotel is to fill a form on the police website, nothing more. While doing the checkout I've pressed them on the reason for keeping the photocopy ("is it for identity theft?"), the duration they were going to keep the copy etc. Basic info they were bound to disclose because of GDPR _before_ the data processing, which of course never happened.
Turns out the local policemen asked verbally to make photocopies, just in case... The hotel is more afraid of the local police than of its clients, so they just do it.
Since I was the only client who ever asked about it, and gaslighting me wasn't going to work ("everybody does it! what do you have to hide?"), they just gave me the copy to destroy.
Other places copy IDs because they're lazy and don't want to compile the required form on the spot. Not to mention ID photocopies floating around the reception desk in plain sight...
lifestyleguru•Jun 30, 2026
> Turns out the local policemen asked verbally to make photocopies, just in case... The hotel is more afraid of the local police than of its clients, so they just do it.
In Italy occasionally they find mafia members hiding for years in... their home regions or even villages. They absolutely keep it "just in case" and I would trust their local police /s.
chrisjj•Jun 30, 2026
> Since I was the only client who ever asked about it
Says... this perpetrator?
aand16•Jun 30, 2026
To be able to push back you should know the law requirements for hotels in that jurisdiction, so they can't gaslight you with fake "it's for police" reasons.
lifestyleguru•Jun 30, 2026
Ok then. What should I show or say in Spain, Italy, and Croatia?
Usually on plain "I don't consent on making copy, write down the data you need" they become more pushy and even aggressive.
aand16•Jun 30, 2026
I can talk about Italy because I've researched it.
The first step should be to show them the Privacy Authority press release[1] - "No to preservation of guest ID copies".
You should be prepared to be refused check-in if they're stubborn and feel like you "cause problems". The protection you have is that public service (hotel) is forbidden to refuse service by law[2][3], fine is €516 up to €3098.
If it happens you should call police to verbalise and apply the fine. Refusal by police (Rifiuto di atti d'ufficio) is criminal offence and punishable with imprisonment 6mo - 2yr [4].
You should present ID to allow identification. The host must insert, by law at most 24hrs after check-in [5], client data into police portal, like name, DOB, nationality etc.
Everything else is extra and by GDPR you should be informed of any data processing, basis of processing, duration of processing, and your rights.
You can write Garante della Privacy to signal violations of GDPR if you feel it's warranted. I know they're happy to investigate and apply big fines to larger companies, not sure about how they handle smaller companies, like hotels.
> The host must insert, by law at check-in time and not later(!), client data into police portal, like name, DOB, nationality etc.
> Everything else is extra and by GDPR you should be informed of any data processing, basis of processing, duration of processing, and your rights.
It's basically common sense yet they still insist they have to copy the document "for the police". Almost as if they are specifically sourcing these copies for someone.
aand16•Jun 30, 2026
[2] - Art. 187 of Regulation of execution of TULPS (public security law) - Public service [hotel,restaurant,bar] owners may not, without a legitimate reason, refuse to provide the services of their business to anyone who requests them and pays the price. https://www.normattiva.it/uri-res/N2Ls?urn:nir:stato:regio.d...
I have a real problem with the pretense posed by the article that the club has no blame. They should have understood the risk they were taking on by subcontracting a vendor to collect passports, and better vetted that vendor. Obviously the service provider was completely inept, but that doesn't absolve the fools using them.
I preach to my clients this sort of PII should be treated as a toxic, hazardous substance. Ideally don't touch it with a 10 foot pole, and if you can't help it then limit the scope, protect it with strong access policies that severely limit who can touch it (including encryption keys conservatively custodied), and securely delete it all as soon as possible.
Too many companies these days point you to shoddy third parties for some kind of functionality (e.g. book an appointment, perform KYC on you, host the online learning platform for your course, etc.), inappropriately foisting both a new business relationship on you that you never asked for along with their partner's terms of service that you have no bargaining power in negotiating.
This is a side-effect of the SaaS era, and the model is broken.
jwr•Jun 30, 2026
If these kinds of breaches were actually costly, then people would indeed treat PII as toxic. But they aren't. The media brouhaha blows over within a week or so, and things are fine again.
Leaking PII should be very, very expensive, and then this idiocy would stop.
nicbou•Jun 30, 2026
This one is a clear breach of the GDPR. If the Spanish enforcers have any teeth, there will be a hefty fine.
runroader•Jun 30, 2026
It looks like Spain is the most aggressive about pursuing cases, but they also settle for smaller fines than other countries.
It should be criminal to leak PII, and company leadership should face imprisonment.
animuchan•Jun 30, 2026
Yes please! Making PII leaks an expense (like rent and cloud costs) means it's paid by the customer.
I strongly believe we should distinguish the price of doing the operation (aka rent) and the price of doing crime (ideally, jail).
philipallstar•Jun 30, 2026
Everything is paid for by the customer. If you spend an absolute fortune protecting someone's name and address combination, that will be paid for by the customer.
animuchan•Jun 30, 2026
Yep -- and it's good.
Before: customer pays fines for bad security, rolled into the price of the offering.
After: customer pays for actual good security, rolled into the price of the offering.
If the customer doesn't care, no change. If the customer cares (and let's low key assume PII is important) -- they see net gain from this change.
bigfishrunning•Jun 30, 2026
If only! I would much rather the bill go up than my information get leaked. But instead, I get both.
zahlman•Jun 30, 2026
> If you spend an absolute fortune protecting someone's name and address combination, that will be paid for by the customer.
And then you get your lunch eaten by a competitor who understands that the PII is unnecessary for the business relationship.
But only if that externality is actually accounted for in regulation.
nroets•Jun 30, 2026
Then over confident, short sighted or shady characters will accept those directorships and/or sign off on the design because they think nothing will happen or don't care for jail.
cucumber3732842•Jun 30, 2026
So then the customer will just pay more, because the "prevent you from getting fined into oblivion" insurance businesses you just created with the flick of a pen will need to get paid their overhead and won't do it without a profit.
tiahura•Jun 30, 2026
I shouldn't be able to say your name? What sort of authoritarian regime do people like you want?
tiahura•Jun 30, 2026
I shouldn't be able to say your name?
There's always a budding authoritarian ready to trample freedom of expression for the common good.
Tangurena2•Jun 30, 2026
The Payment Card Industry takes breaches deadly seriously. It is my opinion that any organization that collects PII should be held to the same standard (and penalties) that any organization that collects/processes credit card information.
It is quite interesting how this is handled world wide.
For me PII is very sensitive and I advise people to be very cautious.
Every business in the EU (where I live) also has to be very careful with such data by law. Fines are now at a level where they can hurt the business significantly.
During vacation in an Asian country on the other side all of this was basically a no brainer for smaller to medium businesses.
I once rented a scooter there and the business owner had all her documents organised in WhatsApp chats.
Including now my passport plus driver's licence...
The people in general in that country were also very relaxed when it came to giving out their contact details to random businesses.
I don't want to throw shade on them, thus no country name.
Incredible friendly and welcoming people there.
kijin•Jun 30, 2026
WhatsApp probably has better security than random KYC-as-a-service vendors who upload all the documents to a publicly accessible bucket.
cobolcomesback•Jun 30, 2026
The article in the OP is about a company in the EU (the clubs) not taking this seriously by outsourcing their stuff to an Irish company, who also is not taking it seriously. Hell, in the article, the CEO pretty much says “yea we ignored EU law, we will get fined, whatever”.
So I’m not sure the EU law is really working.
BiteCode_dev•Jun 30, 2026
Why would they treat it as toxic?
They don't have a moral code, and they don't pay any price for mistakes.
They have zero incentive.
KellyCriterion•Jun 30, 2026
Processing such PII here with an external AI partner:
- last week, we had a bug: I said: "couldn't you just re-run the same step with the same data again" - their answer: "we can't! look at paragraph XY in our GDPR agreement, we are deleting all input documents everything after it has been processed"
Very well implemented! :)
(though, I had to upload and re-initiate everything again)
elAhmo•Jun 30, 2026
> This should be a wakeup call for data security.
Hah, author is funny.
kleiba2•Jun 30, 2026
I said it before, and I'll say it again: as long as there is nothing to fear, companies will continue being lax with your valuable private data.
As long as there's no liability, there's no incentive to care.
vaylian•Jun 30, 2026
And they will continue to ask for data, that they don't actually need like phone numbers and home addresses.
w3ll_w3ll_w3ll•Jun 30, 2026
We should stop treating digital pictures of physical documents as some sort of credentials.
There is a reason why numerous security features are embedded in physical documents like watermarks, holograms and NFC. That's so the authenticity can be inspected in person. A picture has none of those, so it should not be treated as a credential.
mrweasel•Jun 30, 2026
Different countries handle these things differently, but it's honestly surprising to me that a photo of a passport or driver's license has any value. It provides no security, so why would anyone ever accept it as proof of identity?
notpushkin•Jun 30, 2026
> It provides no security, so why would anyone ever accept it as proof of identity?
Because there is no other universal method that works online, and because companies don’t really care about identity verification – they just need something “good enough” so that they can say “hey, we’ve followed industry standard protocols, how could we have known this passport scan was photoshopped?”
And to be honest I think it’s for the best. I really don’t want to be scrutinized even more online (and give even more personal data so it gets leaked a couple years later).
mrweasel•Jun 30, 2026
There's certainly a point to reducing scrutiny online. However when companies are forced to do this verification, I just question why a photo of a password is considered "good enough", when it clearly isn't.
I don't think you should be able to do anything with your passport online. That's a document that should only have value if you're actively holding it in your hand.
Tangurena2•Jun 30, 2026
> We should stop treating digital pictures of physical documents as some sort of credentials.
This is how biometric "authentication" works - you slide a picture (of a face, or maybe a fingerprint or hand geometry) under a door, and the guard on the other side of the door looks at the picture, maybe compares it to some database somewhere and then says PASS/FAIL. Maybe the device taking the picture has some sort of cryptography to prevent yourself from shoving a picture of some authorized person. Usually not.
People keep trying to find the correct magic spell to make biometrics "foolproof". That's a waste of time. Blackhat/DEFCON type conferences were showing people how to make fingerprints out of (the gelatin that makes) gummy bears back in the late 90s. Make them thin enough and you can fool pulse detection (carjackers in some Asian countries were chopping fingers off to bypass theft deterrent systems that used fingerprints).
dabber21•Jun 30, 2026
I will never upload a picture of my passport or id online, ever.
I only recently started IDing myself online via eID (german) if available, before that it was usually that I went to the post office and get verified there
ExoticPearTree•Jun 30, 2026
It is not an option in every country to do what you do. Thinking of it, it's probably a quirk of Germany that you can go to a Post Office to be “verified”.
m00dy•Jun 30, 2026
>>But how could the company be so careless?
Generally, these systems are designed by people whose only goal is to make money. Security is just treated as a liability until shit actually hits the fan.
roysting•Jun 30, 2026
That reminds me of the insanity in places like Spain where they want your passport or resident information for every little thing.
We really need to start building a new form of “Democracy” in the backbone of not only that anything that the ruling class wants to apply to everyone else needs to be first implemented on themselves so to double the degree, but that all politicians, bureaucrats, and even contractors need to be bonded against their personal wealth for things they say, promise, contract, or agree to. It is high time that liars, cheats, frauds, and thieves just get to get away with little more than a shoulder shrug and their billions on plunder and lies.
anotheraccount9•Jun 30, 2026
I'm sorry to say this, but most people don't care. Most governments don't care. Companies don't care. Not that it's not important. But protecting people's ID is at the lower part of the list for most organizations. There are hardly any consequences. Leaking PII is still a joke nowadays.
sylware•Jun 30, 2026
IDs fest for scammers and fraudsters.
hephios•Jun 30, 2026
nice for fable 5
tufy123•Jun 30, 2026
"Let’s hope this is a wakeup call."
Narrator: it was, unfortunately, not a wakeup call...
tufy123•Jun 30, 2026
> Let’s hope this is a wakeup call.
Narrator: it was, unfortunately, not a wakeup call...
https://ageverification.dev/av-doc-technical-specification/d...
We're talking about a major french institution here, either public or private but colluding with the government to have their monopoly (don't know, don't care: they're all the same worms to me).
Speaking of which... There's been a recent case in France where a very nice lady working for some public institution (basically the IRS) was giving the name/wealth of "targets" to her brother so that her brother and his friends could go and kidnap/torture (fingers of victims have been cut) family members of rich french persons.
It's sickening and the real culprits are those creating the laws mandating this full on surveillance apparatus.
So it's a feature, not a bug and a clever revenue stream for the governments?
Store that fact in the computer. Good for one ID usage. Good for less critical stuff like this weed thing (versus say a visa application which may need to store).
The analogy is a nightclub bouncer checks your ID.
...the obvious thing to deploy is a cannabis club bouncer that checks your ID with only his eyes and hands and either bounces you or lets you in, depending on the outcome of that check.
That's far simpler than involving some unrelated third party and far more secure than storing any information about the event in any computer.
So dystopian
Well, see, for safety reasons we're not going to let consumers have those anymore. You could be doing all kinds of shenanigans, running LLMs locally like a pirate.
iirc, one of the elements of GDPR is "storage limitation", i.e. you must not keep personal data for longer than you need it - and in this case, the data is only needed to verify the age of the user, and shouldn't ever be required again (unless people can now get younger).
Once a document has been used to verify a person's identity and that the person is of legal age, there is no reason to retain a copy of the document any more.
It would be reasonable and fair to retain a photo of the user to verify that the person matches the account, but that's it.
WHY THE F**k ARE THEY HOLDING ON TO THAT 10 YEARS LATER!?!?!?
Of course now I know better than to give out my SSN to anyone who asks for it, but I didn't know that as a teenager.
Until stupid s**t like this becomes illegal, it will just keep continuing.
Modern equivalent “move over here for your picture ‘for the doctor’.”
No thanks, I’d like to opt-out!
I was appalled when renewing my car this year that I now need a Texas by Texas account (https://www.texas.gov/texas-by-texas/), which wants... a social security number because why?!?!
Anyway, yet another data breach incoming.
Because of federal child support legislation. If you are $2500 (or more) in arrears, your passport gets cancelled. Most states will also suspend/revoke your professional licenses and possibly driving license when you cross that state's threshold.
https://travel.state.gov/en/passports/contact-support/legal-...
https://en.wikipedia.org/wiki/Child_support_in_the_United_St...
> In 1996, Congress passed and President Bill Clinton signed the Personal Responsibility and Work Opportunity Act (42 U.S.C. § 666), which required that states adopt UIFSA by January 1, 1998 or face loss of federal funding for child support enforcement. Every U.S. state has adopted either the 1996 or a later version of UIFSA.
https://en.wikipedia.org/wiki/Uniform_Interstate_Family_Supp...
When I worked for my state's motor vehicle bureau, one of the verification apis that the driving license/ID folks got to use was a verification of citizenship/lawful residence service. Which used SSNs.
https://www.upguard.com/breaches/social-insecurity-billions-...
In case you want to retrieve your test scores 10 years after you took it. They need some way to uniquely identify you. Sure, they could have given you a specific test taker ID, but what if you lost that? They could have created a way for you to log in with an e-mail address, but what if you changed e-mail addresses?
You might think "Why would I need my test scores from 10+ years ago?", but my wife just started a job and they demanded her college transcripts to prove she went there...over 20 years ago.
The problem here is using a username (the ID) as a password (security check)
In most countries, like most databases, our primary keys do not hold an expectation of secrecy.
I would even argue that the expectation of secrecy is what creates its secret semantics, that is, it's secret because you make it secret. I get that it's a collective action thing, if you just publish your own SSN, a bank in another state might not be aware it's a public thing for YOU, and might open an account for a stranger.
Interestingly enough, for corporations, their identifiers, EIN, are not assumed to be private, in many states these are available through the DoS public records. So it turns out the system works just fine if you make the ID of a person (juristic or legal) public.
If someone takes a loan in my name and I don't receive the money it is not an identity theft it is fraud and the victim is the bank not me.
Over the years, it ended up becoming the de facto federal identity number. It has no check digits, so you can make up any you want (I used to use a phone number of a major customer - only dropping 1 digit). I was a rebel/jerk/butthead back then. Now I just yell at clouds.
Long ago, I worked at a place that handled electronic prescriptions, lab results and insurance claims. There were huge numbers of incorrect SSNs which meant there were huge numbers of duplicates. Someone transposed 2 digits? Yep. Someone remembered their number incorrectly? Sure. Someone made one up? Like from a phone number? Oh noes! Before 911, trying to match someone with faulty ID numbers and messed up names was called "patient matching" and after 911 all the academics doing research into this stuff disappeared into large defense contractors or 3-letter-agencies trying to find more terrorists/bad guys.
For a good start in this area of research, I recommend this dissertation:
> Adaptive detection of approximately duplicate database records and the database integration approach to information discovery
> AE Monge - 1997
https://scholar.google.com/citations?view_op=view_citation&h...
> The most misused SSN of all time was [see link]. In 1938, wallet manufacturer the E. H. Ferree company in Lockport, New York decided to promote its product by showing how a Social Security card would fit into its wallets. A sample card, used for display purposes, was inserted in each wallet. Company Vice President and Treasurer Douglas Patterson thought it would be a clever idea to use the actual SSN of his secretary, Mrs. Hilda Schrader Whitcher.
> The wallet was sold by Woolworth stores and other department stores all over the country. Even though the card was only half the size of a real card, was printed all in red, and had the word "specimen" written across the face, many purchasers of the wallet adopted the SSN as their own. In the peak year of 1943, 5,755 people were using Hilda's number.
https://www.ssa.gov/history/ssn/misused.html
Most state agencies redact the SSN from public records. I want to say that they all do, but I work for a state and I see too many in all the wrong places.
^1: https://www.edpb.europa.eu/system/files/documents/2025-04/ed..., number 36.
https://boingboing.net/2026/06/28/a-million-passports-leaked...
Why do these systems hold onto user's data post verification?
Set up a system so that it costs you nothing to do a bad thing but possibly wrecks you legally and financially to do the good thing, and people will inevitably do the bad thing. They shouldn't be collecting this information in the first place.
The people who design these policies are incapable of actually building things that work. They are not the intelligent, competent leaders exercising a careful craft that they like to pretend they are.
They keep going after age verification, online ID, central bank digital currencies, etc - keep this incident in mind. The people who implement and write these policies are morons. They don't game things out and plan for redundancy or resiliency. They don't take into account bad faith actors. They don't account for deliberate exploitation of the system.
They most likely weren't allowed to keep it past the verification per GDPR art.5. Once the passport has been verified for whatever purpose they needed it ("age verified to be > 18yo on 2026-06-12" or "identity verified to be XXXX YYYY"), there is no legitimate use for the passport photo and details anymore, and they should delete it.
You can compare this in a certain way to file hashes. A successful verification with a predefined minimum level of credibility can be encrypted to a special string for later being used, if a service needs to verify the person again. It doesn't matter then, that the original passport images or video ident has been deleted the second after id verification has been completed.
The EDPB has explicitly ruled on that, when it comes to age verification^1, you should delete: "Trust models are crucial to prevent data breaches in age assurance contexts [...] once the user's age is verified, no record of the personal data used for the age assurance process is kept".
^1: https://www.edpb.europa.eu/system/files/documents/2025-04/ed..., number 36.
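What the comments above describe (check the document once, keep only the outcome, delete the scan) can look like this. It is an added example, not code from any commenter or from the systems discussed; the key, field names and token layout are assumptions.

```python
import base64
import hashlib
import hmac
import json
from datetime import date

# Constructed demo key (assumption); a real deployment would load it from a KMS/HSM.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def age_on(dob: date, today: date) -> int:
    """Whole years between dob and today."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def verify_and_attest(account_id, document, today, key=DEMO_KEY, min_age=18):
    """Inspect the document once and return a signed result, or None if under age.

    `document` is a dict of fields read from the ID (hypothetical layout).
    Nothing from it is written to the token or kept after this call returns.
    """
    if age_on(document["date_of_birth"], today) < min_age:
        return None
    claim = {
        "account": account_id,
        "claim": f"age_over_{min_age}",
        "verified_on": today.isoformat(),
    }
    payload = json.dumps(claim, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return ".".join(base64.urlsafe_b64encode(part).decode() for part in (payload, tag))


def check_attestation(token, account_id, key=DEMO_KEY, min_age=18):
    """Return True only for an untampered token issued for this account and claim."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong part count or bad base64 (binascii.Error is a ValueError)
        return False
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False
    claim = json.loads(payload)
    return claim.get("account") == account_id and claim.get("claim") == f"age_over_{min_age}"


if __name__ == "__main__":
    # Constructed sample document; the values are made up.
    passport = {"name": "Jane Example", "number": "X0000000", "date_of_birth": date(2000, 1, 31)}
    token = verify_and_attest("acct-42", passport, today=date(2026, 6, 12))
    del passport  # the scan and its fields are discarded right after the check
    print(token)
    print(check_attestation(token, "acct-42"))
```

The stored token carries no name, document number or date of birth, so a leak of the token store exposes only that an account passed an age check on a given day.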
Right, and keeping old passports used for verification should cause an audit to fail.
If there is a law about verifying buyers, how else are they going to pass that audit?
There's also laws mandating secure systems design.
Separately there's no _need_ to store the original document if the verification system is sound (and audit real, not some phony crap like in some of the scandals posted here on HN).
How else do you expect it to work? ‘Honest, we checked’ checkboxes?
The auditor can act as a customer and validate whether phony credentials are rejected.
At least - as you mention - until the rules catch up and there is some sort of one way hashing/signing or something possible, which for most of these industries is probably decades away (if ever). Most of these industries struggle with photocopies at this point.
If the government-affiliated agency decides to check, they can.
But back to my original statement - unless they're explicitly mandated to keep it longer, they are forbidden from doing so, and their DPO would know it.
I was working on a project, client is a Real Estate agency, they use a CRM where they upload houses and it in turn uploads it to various sites like Zillow. We needed a list of their listed houses, so we wanted to use that data source instead of making a CRUD where they have to add houses yet again.
We ask the CRM sales team about APIs, they tell us that there's no accounts for third parties, client accounts have APIs, so we have to ask the client for an API key (or for their account password).
Which makes sense in general I guess, but the data is public in our case, so the CRM sales staff's idea was that we should ask the client to let us access their account in order to get public data. We proceeded to scrape the houses from a website like Zillow like cavemen.
As it happens, our project was ancillary low-value. So I don't doubt that the clients of this CRM are vulnerable in a similar way, and the root cause of the issue isn't evident at all, I can see 2:
1- Paradoxically, having an API that always requires an API KEY (as opposed to allowing unauthenticated access for public data) is less secure, as credentials/tokens will be used more often when not necessary.
2- This CRM effectively acted as an aggregator, consuming the APIs to publish to other vendors, but they don't provide an API for other vendors to read data from them. This effectively causes third party vendors to authenticate as the client, which is just incorrect. Credentials should identify a person/group, not a usecase.
This statement is about as accurate as saying the US doesn't have a common language, or Vatican City residents don't have a common religion.
https://en.wikipedia.org/wiki/Economic_and_Monetary_Union_of...
The European Union consists of 27 countries.
25% of them did not adopt Euro as the currency.
"common" language is orthogonal here - it would be valid if you could legally use euro everywhere. You can't, it's not a currency in the quarter of the states. Sure, someone may accept it and offer you the exchange to the local currency.
Vatican City example is also not very good (to put it mildly), because Catholicism is a state religion. You're not going to be deported for being Sikh, yes, but it's akin to the Romanian not being deported from Portugal for carrying lei in his pocket.
Euro is NOT a common currency in the EU. It is by far the most popular. It is a common currency in the Eurozone countries. And these two are distinct from Europe as well.
I'd suggest you discuss your ideas with someone before posting them again.
Or, more politely, a suggestion to post arguments that are relevant.
No surprise you got back what you dished out.
Look, non sequitur doesn't hold as much as you think it does.
And I'd also like to point to something you missed:
>> *attempted* ridicule.
_If_ their arguments were sound and relevant, maybe. But, well, they weren't.
Note I wasn't even responding to you, just replied to someone else seemingly conflating EU with Eurozone, trying to make fun of one phrase out of several statements, omitting the key "EU is a loose federation".
Now I fully expect @bluebarbet to descend again and either chastise me for being amused at your comment, or tell you off for rudely implying malicious intent that wasn't there.
Especially since I wasn't even talking to you right now, and from your first comment's first sentence it could be clearly inferred you expect some sort of the federal policy, and this is what I was trying to address concisely, in a good faith.
Do with it whatever you want, I wasted too much time on that already anyway.
Have a good day, sir or madam.
https://azcir.org/news/2025/04/10/are-az-medical-marijuana-c...
It’s somewhat understandable but also part of the problem.
Depending on the company, you could rate the reasons on a scale from "incompetence/naivete" to "revenue stream".
The real problem is that there aren't many options for real authentication over getting people to upload pictures of high-value credentials. Now every service has to be a security expert, like encrypting the images at rest so they aren't the ones who leak it.
It's kind of like how dumb our credit card system is where you have to both share a secret with everyone (from random websites to random restaurants) while hoping the bad guys never get it because the secret can be used anywhere. It kinda works against everyone except the bad guys.
Maybe it's time we come up with a deliberate system.
An incredible risk to take on someone else's behalf, for personal gain. Don't worry, market forces will surely fix this, no need for regulation.
We are decades beyond the days where the waitress uses a credit card imprinter to copy your credit card so the restaurant can charge your credit card later, yet that's still basically the state of our tech when it comes to authentication and payment.
Not even KYC institutions have better tech. You still upload a scan of your high value creds, maybe with your face in frame.
How that doesn't turn into rampant identity theft I don't know, or maybe it does? Not, happily, for me... yet.
Friction and delay have always been aspects of security.
Or has that been fixed?
In terms of significant danger, perhaps you're thinking of nitrocellulose movie film that was phased out in the '50s.
Europe is as much ahead as it is behind.
Example of those mag tapes: https://www.computerhistory.org/revolution/memory-storage/8/...
How they were stored: https://www.hewlettpackardhistory.com/item/an-attractive-sol...
The newer stuff is a heck of a lot better than the olden stuff.
In the 90s, the French IRS seized massive amounts of files from Elf, then a major French oil company under investigation for various frauds.
Their offices were burglarized maybe a couple nights after that. All that was seized disappeared.
We are not there yet, Sir. First you must provide inheritance document showing the amount inherited and deed of purchase and sale of real estate. This is the law.
To second the photographed/photocopied requirements, as an expat, I am frequently asked to send a scan of my passport to people or entities that are not necessarily the most secure.
I also have a couple of important documents that are literally PDFs. My Canadian citizenship certificate is a PDF with a barcode in it, that I can print off a copy of if I need to mail it, or show on my phone to a consular office or a border guard if needed. My work visa here in New Zealand is a PDF with my passport number and a visa number, which my workplace and bank checked with an online database. Fundamentally, these and my passport are pointers to a row in various databases.
So you can't fake a non-existing passport because of the issuer signature, but cloning is not rocket science for many countries' passports.
Since then, I do not allow the scans anymore. It is a dreadful feeling showing up to a hotel not knowing if you'll get turned away at the last minute because you take a stand for your privacy. So far, none have been willing to lose the bookings, but I know sooner or later my luck will run out and I'll have to find last minute accommodations.
This. I hate it. People expect you to send your documents on messaging apps and god only knows where they end up. Unfortunately, I fear there's nothing we can do to stop this as govs enforce this kind of operations.
Pretty much the bingo of secure storage, even CTF demos make it less obvious. Storing a document that they have no business keeping in the first place, with no security whatsoever.
I think everyone should understand that if they truly want something private, storing it offline or destroying it completely, are the only safer options.
Any sort of convenience to access said data, is a possible surface of attack.
You would be surprised what some courts already count as hacking
At least we’re keeping the children safe though by verifying ages. It’s worth giving up privacy for that…
A family member was booking a school tour, when he noticed the URL of the Travel CRM included an id number. Sure enough, the CRM would return all his details given only the (sequential) id number without a need for credentials: high resolution passport scan, and all the other details provided when booking an overseas trip.
He notified the CRM company, and that email was ignored. He emailed again, proposing disclosure, and the problem was silently fixed with no response.
A few months later he mentioned it to the school, along with the fact that he had followed up and had the vulnerability fixed. The school went straight into panic mode, called him to the principal's office and forced him to write a statement so they could refer him to the Feds. I intervened, explaining that he was the good guy who got the vulnerability fixed, and the problem was the school's, since they had supposedly vetted the CRM for security when choosing a tour company.
All of a sudden from the school's point of view there was no problem and no need to mention it to any of the people whose information had been disclosed, despite my insistence. The people still haven't been notified. The school did acknowledge that the family member had done the right thing and verbally thanked him, but would not put anything in writing.
The people involved in the tour had their details leaked, but there was nothing special about those people in the system, so realistically every person whose details were in that CRM had their details, including passports, leaked. It was a major travel CRM provider, so the number of people in the system would have been 6 or 7 figures.
The kicker is that the family member was employed by a software company that had the school system as a customer. The IT person who was responsible for vetting the travel CRM (and had verbally thanked him) arranged for the school system to phone his employer and deliver an ultimatum: that the family member be sacked or they would risk losing a customer. The family member got the sack.
The image of people standing up for the noble whistleblower is far from the truth. Disclosing the company here won't achieve anything apart from garnering a few karma points and generating some short lived outrage at the company.
I'd consider disclosing it to the ICO, and made tentative steps in that direction at the time, but it's not clear that they are interested and whose interests they would protect.
Here's a question that might make this discussion useful: What is people's experience of reporting data breaches to the UK's ICO? In your case, was meaningful action taken by the ICO and was the person doing the reporting protected?
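The travel-CRM flaw described above (a sequential id in the URL returning the full record without credentials) comes down to a missing ownership check. The following is an added example, not the CRM's code; the record layout, function names and sample data are constructed. It shows the unauthenticated lookup next to a corrected one, plus a regression check a vendor or auditor could run against their own system.

```python
import secrets

# Constructed records standing in for the CRM's booking table (all values are made up).
BOOKINGS = {
    1001: {"owner": "parent-a", "traveller": "Child A", "passport_scan": "scan-a.jpg"},
    1002: {"owner": "parent-b", "traveller": "Child B", "passport_scan": "scan-b.jpg"},
}
SESSIONS = {}  # session token -> user id


def login(user):
    """Issue an unguessable session token for a user (authentication is out of scope here)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token


def get_booking_vulnerable(booking_id):
    """The behaviour described in the comment: the id in the URL is the only input."""
    record = BOOKINGS.get(booking_id)
    return (200, record) if record else (404, None)


def get_booking(session_token, booking_id):
    """Authenticate the caller, then authorise against the record's owner."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, None
    record = BOOKINGS.get(booking_id)
    # Same answer for "does not exist" and "not yours", so ids cannot be probed.
    if record is None or record["owner"] != user:
        return 404, None
    return 200, record


def cross_owner_leaks(fetch):
    """Regression check: list (user, booking_id) pairs where a non-owner got a 200."""
    leaks = []
    for user in sorted({r["owner"] for r in BOOKINGS.values()}):
        token = login(user)
        for booking_id, record in BOOKINGS.items():
            status, _ = fetch(token, booking_id)
            if status == 200 and record["owner"] != user:
                leaks.append((user, booking_id))
    return leaks


if __name__ == "__main__":
    print(cross_owner_leaks(lambda token, bid: get_booking_vulnerable(bid)))
    print(cross_owner_leaks(get_booking))
```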
But it's easier to say that people are removed by design from the consequences of their acts so it's not easy to take the right decision for anyone. It's just not convenient, instead.
Isn't this classic wrongful termination?
Most of those contacts are probably random leads that got imported, not actual clients that would have uploaded their passport info, but it seems reasonable to think that a CRM of our size (which, again, is not very big) that served exclusively travel agents would have millions of actual "clients" with passport info. 1 million passports across 25k users would just be 40 per user. If you assume a typical trip is for a family of four, that would mean the average user has just booked 10 international trips ever which seems pretty low to me.
I want to reiterate that we're not travel-specific and we don't have a feature for capturing passport info, etc., so I'm really just commenting on the volume of records that might be impacted by something like this.
So yes, you can swear you read that same story before, and I could swear you will read it again :-\
Find your rep at congress.gov. Email or mail them this article.
> Are paywalls ok?
> It's ok to post stories from sites with paywalls that have workarounds.
> In comments, it's ok to ask how to read an article and to help other users do so. But please don't post complaints about paywalls. Those are off topic. More here.
https://news.ycombinator.com/newsfaq.html
You can pay for the paywall, or there are ways around.
Author: Sean Hollister https://www.theverge.com/tech/947157/passports-data-breach-c...
Similar sounding (recent) leak: Hotel check-in system exposed 1M passports and driver's licenses (4 points, May/2026) https://news.ycombinator.com/item?id=48152759
Check authbound.io
If the EU wants to continue down this road, step one has to be a mobile operating system. Avoiding tying the solution to people's phones would be better.
Edit: if it is only about authbound, maybe. But they are not the only ones offering this service
In another one I found all passports that had been scanned by a hostel in Bangkok.
Turns out the local policemen asked verbally to make photocopies, just in case... The hotel is more afraid of the local police than of its clients, so they just do it.
Since I was the only client who ever asked about it, and gaslighting me wasn't going to work ("everybody does it! what do you have to hide?"), they just gave me the copy to destroy.
Other places copy IDs because they're lazy and don't want to compile the required form on the spot. Not to mention ID photocopies floating around the reception desk in plain sight...
In Italy occasionally they find mafia members hiding for years in... their home regions or even villages. They absolutely keep it "just in case" and I would trust their local police /s.
Says... this perpetrator?
Usually on plain "I don't consent on making copy, write down the data you need" they become more pushy and even aggressive.
The first step should be to show them the Privacy Authority press release[1] - "No to preservation of guest ID copies".
You should be prepared to be refused check-in if they're stubborn and feel like you "cause problems". The protection you have is that a public service (hotel) is forbidden to refuse service by law[2][3], fine is €516 up to €3098. If it happens you should call police to verbalise and apply the fine. Refusal by police (Rifiuto di atti d'ufficio) is a criminal offence and punishable with imprisonment 6mo - 2yr [4].
You should present ID to allow identification. The host must insert, by law at most 24hrs after check-in [5], client data into police portal, like name, DOB, nationality etc.
Everything else is extra and by GDPR you should be informed of any data processing, basis of processing, duration of processing, and your rights.
You can write Garante della Privacy to signal violations of GDPR if you feel it's warranted. I know they're happy to investigate and apply big fines to larger companies, not sure about how they handle smaller companies, like hotels.
1 - https://www.garanteprivacy.it/home/docweb/-/docweb-display/d...
2 -
4 - Italian penal code Art. 328 Refusal of office acts https://www.brocardi.it/codice-penale/libro-secondo/titolo-i...
5- Art. 109 TULPS - Identification of guests https://www.brocardi.it/testo-unico-pubblica-sicurezza/titol...
> Everything else is extra and by GDPR you should be informed of any data processing, basis of processing, duration of processing, and your rights.
It's basically common sense yet they still insist they have to copy the document "for the police". Almost as if they are specifically sourcing these copies for someone.
[3] - analysis by a police association of the Refusal of Service https://accademiapolizialocale.wordpress.com/wp-content/uplo...
I preach to my clients this sort of PII should be treated as a toxic, hazardous substance. Ideally don't touch it with a 10 foot pole, and if you can't help it then limit the scope, protect it with strong access policies that severely limit who can touch it (including encryption keys conservatively custodied), and securely delete it all as soon as possible.
Too many companies these days point you to shoddy third parties for some kind of functionality (e.g. book an appointment, perform KYC on you, host the online learning platform for your course, etc.), inappropriately foisting both a new business relationship on you that you never asked for along with their partner's terms of service that you have no bargaining power in negotiating.
This is a side-effect of the SaaS era, and the model is broken.
Leaking PII should be very, very expensive, and then this idiocy would stop.
https://www.enforcementtracker.com/statistics
It should be criminal to leak PII, and company leadership should face imprisonment.
I strongly believe we should distinguish the price of doing the operation (aka rent) and the price of doing crime (ideally, jail).
Before: customer pays fines for bad security, rolled into the price of the offering.
After: customer pays for actual good security, rolled into the price of the offering.
If the customer doesn't care, no change. If the customer cares (and let's low key assume PII is important) -- they see net gain from this change.
And then you get your lunch eaten by a competitor who understands that the PII is unnecessary for the business relationship.
But only if that externality is actually accounted for in regulation.
There's always a budding authoritarian ready to trample freedom of expression for the common good.
https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Sec...
During vacation in an Asian country on the other side all of this was basically a no brainer for smaller to medium businesses. I once rented a scooter there and the business owner had all her documents organised in WhatsApp chats. Including now my passport plus drivers licence... The people in general in that country were also very relaxed when it came to giving out their contact details to random businesses.
I don't want to throw shade on them, thus no country name. Incredible friendly and welcoming people there.
So I’m not sure the EU law is really working.
They don't have a moral code, and they don't pay any price for mistakes.
They have zero incentive.
- last week, we had a bug: I said: "couldn't you just re-run the same step with the same data again" - their answer: "we can't! look at paragraph XY in our GDPR agreement, we are deleting all input documents everything after it has been processed"
Very well implemented! :)
(though, I had to upload and re-initiate everything again)
Hah, author is funny.
As long as there's no liability, there's no incentive to care.
There is a reason why numerous security features are embedded in physical documents like watermarks, holograms and NFC. That's so the authenticity can be inspected in person. A picture has none of those, so it should not be treated as a credential.
Because there is no other universal method that works online, and because companies don’t really care about identity verification – they just need something “good enough” so that they can say “hey, we’ve followed industry standard protocols, how could we have known this passport scan was photoshopped?”
And to be honest I think it’s for the best. I really don’t want to be scrutinized even more online (and give even more personal data so it gets leaked a couple years later).
I don't think you should be able to do anything with your passport online. That's a document that should only have value if you're actively holding it in your hand.
This is how biometric "authentication" works - you slide a picture (of a face, or maybe a fingerprint or hand geometry) under a door, and the guard on the other side of the door looks at the picture, maybe compares it to some database somewhere and then says PASS/FAIL. Maybe the device taking the picture has some sort of cryptography to prevent yourself from shoving a picture of some authorized person. Usually not.
People keep trying to find the correct magic spell to make biometrics "foolproof". That's a waste of time. Blackhat/DEFCON type conferences were showing people how to make fingerprints out of (the gelatin that makes) gummy bears back in the late 90s. Make them thin enough and you can fool pulse detection (carjackers in some Asian countries were chopping fingers off to bypass theft deterrent systems that used fingerprints).
I only recently started IDing myself online via eID (german) if available, before that it was usually that I went to the post office and get verified there