As more and more governments try to pass more and more laws requiring age verification, some of us keep pointing out that age verification will cause a ton of harm. For all the talk of how it's necessary to "protect the children," the only way to verify ages is to collect a ton of private information on people, which then makes that information a target.
People like Jonathan Haidt, in his new book, like to pretend that there's some magical way of doing privacy-protective age verification by outsourcing it to a third party, but that just passes the buck and makes that third party a target. Just a few weeks ago, we talked about this a bit in the context of Australia, where a third-party age ID verification vendor used by bars had a breach, leaking more than 1 million customer records.
Of course, some people would say, "but that's a bar, that's different from a website."
Well, then, this new story should catch your attention. As first reported by 404 Media, AU10TIX, an Israel-based online identification company used by TikTok, ExTwitter, Uber, LinkedIn, PayPal, Fiverr and others, has been leaking driver's licenses. For over a year.
The set of credentials provided access to a logging platform, which in turn contained links to data related to specific people who had uploaded their identity documents, Hussein showed. The accessible information includes the person's name, date of birth, nationality, identification number, and the type of document uploaded, such as a driver's license. A subsequent link then includes an image of the identity document itself; some of those are American driver's licenses.
The data also appears to include results from AU10TIX's verification process, with a field for "liveness" reading "true"; the "probability" of that conclusion on a scale of 0 to 1, with a potential result being 0.9486029; and other fields called "DocumentAuthenticity" and "OverallQuality." More results appear to relate to AU10TIX's comparison of a photo of the person's face to their uploaded document, with another section referencing a photo called "PhotoForFaceComparison.jpg."
Another screenshot from the tool shows a line chart with one axis labeled "clientOrganizationName." That axis includes "TikTok_Shop_Creator," "Impersonation_XCorp," and "uber-carshare-passport," apparent references to the three tech giants.
Cool, cool. Nothing to be concerned about there at all.
Just last year, when Elon first hired this company to provide identification services for ExTwitter, we warned that these systems are not at all reliable and can be a threat to privacy. Turns out we were right.
As always, collecting unnecessary data makes you a target. And this data became a target and was exposed. The way we minimize that is not by forcing more companies to collect more such data. It's to not need to collect such data in the first place.
This isn't a case where someone just discovered this breach and no harm was done. Indeed, it appears that significant harm was done here:
The credentials appear to have been harvested by malware in December 2022, and first posted to a Telegram channel in March 2023, according to timestamps and messages from the Telegram channel that posted the credentials online. 404 Media downloaded these credentials and found the name matched that of someone who lists their role on LinkedIn as a Network Operations Center Manager at AU10TIX. The file contained a wealth of passwords and authentication tokens for various services used by the employee, including tools from Salesforce and Okta, as well as the logging service itself.
So this data has been out there for over a year. And shared. Widely. For over a year.
Can lawmakers please stop requiring more companies to harm everyone's privacy this way? These breaches are only going to keep happening, and they're only going to get worse the more and more ignorant policymakers keep forcing more companies to collect more such data, based on a myth that age verification will magically make the internet safe and wholesome. It won't.