This looks interesting but I’m struggling to understand why the user’s data are being sent and retrieved from the server. I would understand it when the request was initiated from a web browser and the user needs to continue the flow on their phone but from what I understand this only works on mobile apps. So why doesn’t the library simply return the information and why are my users’ information sent to a third party server?
The dpa states that no data are being stored, so I’m not sure I understand how the flow actually works. What does the developer exchange in return for the user’s info? The docs mention a client token. Is that a jwt or something that contains the users info? If so why does the dev need to send it to the server to unmarshall it? If not, it means that the library has sent the user’s data to the server and they are being stored between requests right? I’m most likely missing something though.
Ps. The download links also don’t seem to work (404).
A device can be tampered with, that's why a backend verification is always needed. There may be use-cases where such security is not needed, but I think that's a separate discussion.
The developer exchanges the token for the data. In the current implementation the token contains the user data (encrypted).
You can reach me directly at robert@passportreader.app to discuss more
This is not really the point. This is to be used where its necessary to know who the user is, for example when opening a bank account or checking in with an airline
Yeah, it's sad that it caught on for those things, too. I hope it becomes harder to do those things as a result, not easier, so that the day it goes away comes about sooner.
KYC (know your customer) is a legal requirement in many countries if you are dealing in services that might allow your users to launder money, so I don’t see how it harder for users benefit anyone.
At one point it wasn't a legal requirement, and then it became one, just like air transport.
Financial privacy could be restored, given sufficient will to do so. Making ubiquitous identity-linked financial surveillance easier and more convenient does not advance this goal.
8 comments
[ 2.0 ms ] story [ 32.7 ms ] threadThe dpa states that no data are being stored, so I’m not sure I understand how the flow actually works. What does the developer exchange in return for the user’s info? The docs mention a client token. Is that a jwt or something that contains the users info? If so why does the dev need to send it to the server to unmarshall it? If not, it means that the library has sent the user’s data to the server and they are being stored between requests right? I’m most likely missing something though.
Ps. The download links also don’t seem to work (404).
The developer exchanges the token for the data. In the current implementation the token contains the user data (encrypted).
You can reach me directly at robert@passportreader.app to discuss more
Edit: links fixed
The last thing on earth I want is to have to provide full identity information to every last website on which I need to use an account.
Financial privacy could be restored, given sufficient will to do so. Making ubiquitous identity-linked financial surveillance easier and more convenient does not advance this goal.