> [T]he recourse is the legal system for identity fraud.
Is it though? Are there sets of federal or state laws [in the United States] that say you must never misrepresent your identity to a private party (X) if they ask for it? Wouldn't their recourse just be their ToS? What if a retail store clerk asked you when buying toothpaste? I suppose the law would probably be around the fake identities themselves? (e.g. creating a fake driver's license) But that would still be up to the state to prosecute, right?
I presume there are of course laws about misrepresenting your identity to the government, but now I am curious to what extent that's the case for private parties.
That's true. I suspect if you provide a completely fabricated identity to X they could turn around and report that to the respective state or federal authority who could prosecute you for possessing it with evidence being the act of using it by uploading to that verification service.
I’m head of security at a fintech and working with our fraud team and general counsel to mitigate identity fraud is a component of my work. Statute around this is somewhat robust and effective as long as you put the effort in to pursue.
In interest to your circumstance, mitigating identity fraud in the sense of situations where people have stolen another person's identity, or people who create completely fake identities, where both of them then committing some other act like theft?
I am curious how it would play out for X, if someone created a new identity and simply attempted to subscribe to their service in that sense.
You cannot fake a new identity that doesn’t have any backing in canonical identity systems. With sufficient data enrichment, you can rapidly ascertain which systems are inaccurate or deficient. I recommend https://doi.org/10.6028/NIST.SP.800-63-3 for further reading on digital identity and identity assurance.
I admit my experience in this domain has primarily been in financial services. We have different motivations than say, a social network. We plug into…as much signal is as commercially reasonable. Regardless, your identity assurance level will be governed by the effort and resources you’re willing to sink into the effort (data sources, remote identity proofing, device fingerprinting, activity heuristics, etc). If X wants to make sure you are who you say you are, they can, for a few dollars per user. And if you can’t identity proof because you don’t have a government credential, I’d hazard you don’t have much economic value to the platform (just facts, not a sleight).
For X, if you can show a gov ID that matches your credit card you’re paying with, that’s pretty high confidence you are who you say you are. Otherwise, you’re breaking the law (financial fraud if it’s not your credit card, edge cases aside if someone else is authorizing you to use their plastic).
Sec. 16-30. Identity theft; aggravated identity theft.
(a) A person commits identity theft when he or she knowingly:
(1) uses any personal identifying information or personal identification document of another person to fraudulently obtain credit, money, goods, services, or other property;
I've known dozens of people who went to jail for this, but only when they obtained money, not for services, but the statute is clear.
Thanks for providing that. The section you include seems particular to using another person's existing identity, rather than generating / crafting a new one from thin air that isn't you or anyone else, which is what I think the ultimate parent was referring to:
> Nowadays, you could autogenerate both, and it's way more expensive to check the [id] than to generate one
This section seems the most relevant (?):
(5) uses, transfers, or possesses document-making implements to produce false identification or false documents with knowledge that they will be used by the person or another to commit any felony;
..but what if your intent is not for committing a felony, but simply such that X doesn't have your government-issued identification?
I did think about what you're saying when I was looking up the statute, but having looked at these ID scan services, they seem to have put a large amount of time into trying to verify the legitimacy of the ID from the scans and I'm not sure you could easily pass it with an identify crafted from whole cloth?
To your second point, yes, you would have to be committing a felony, which you wouldn't necessarily be. I got someone off a burglary charge that way once, since a burglary is defined as entering a premise for the purpose of committing a felony or a theft and the defendant only entered the premises for the purpose of slapping his girlfriend, which was a misdemeanor o_O
You do have to be careful though, violating the terms of service of a web site is at least a misdemeanor in a number of states (including Illinois), and is a felony for repeated violations.
1) do they actually check against government databases
2) it isn't even illegal to fake your identity towards a company, is it? I mean only if you do it to commit fraud, not pay, or get alcohol under the legal age or something like that.
> Elon's doing so many things that will gut Twitter/X.
They've just been on the front-page of all the Western media today, from the FT, to BBC to the NYTimes, they're doing quite all-right.
Meanwhile I realized today that I have genuinely forgotten the name of the Twitter clone put forward by Zuckerberg, C...something. Ah, no, I've just googled it now, it's Threads. Yeah, that project is dead in the water.
a) Twitter/X is not doing okay. They are valued at 1/3rd of what the company was purchased at. And their ill-conceived rebrand has seen them plummet on App Store charts indicating that many people don't know that it even happened.
b) After its initial peak Threads started to lose users largely because of missing features e.g. web app, search, hashtags, chronological sort etc. One by one these are being added and users are slowly coming back. Meta is not going to kill Threads whilst it is providing rich behavioural data into their Instagram/Facebook ad serving.
> They are valued at 1/3rd of what the company was purchased at
That's not really a very useful metric, because Musk paid way too much for it in the first place, and even without that it was probably overvalued to start with (IMHO). Besides, in the end a valuation, especially for a private company like Twitter/X, is not really all that useful and just a bunch of people going "well, I'd pay this much for it, I guess..."
I don't know if Twitter is doing okay or not, but I do know this is not a good metric.
Valuations are important when your business is unprofitable, core advertising revenue has cratered and new revenue streams eg. subscriptions have been a complete failure.
They are what investors will be looking at to decide if Twitter/X heads into bankruptcy or fights to live another day.
> No one is forcing you to be verified. It is not mandatory to use the platform.
I don't find that kind of an argument very convincing. It doesn't seem to hold true in the long run.
In the early days of the web, a username and password were typically enough for creating an account for the web sites that even required an account in the first place.
Then more and more sites started also requiring an email address be provided to create and/or keep using an existing account.
Then more and more sites started also requiring a phone number.
Then more and more sites started also requiring a real name.
Now more and more sites want to see some sort of government-issued ID.
Over time, more and more personal and private information seems to be demanded in order to use many web sites.
Even if some particular piece of information isn't demanded today, it seems likely enough to me that it will be demanded in the future.
IMO Twitter would be long backrupt if it wasn't for the idiot investors that loaned Elon all that money. They are so deep in the shit they are doing everything to keep this house of cards from collapsing and wiping them out in hopes of some miracle that Elon can turn this thing into a cash cow down the road.
> Problem’s that Elon ain’t trustworthy. Sure, verified users today, but next week?
It doesn’t really matter, because Musk isn’t even trying to hide that he is actively trying to gradually make X practically unusable if you aren’t a paying (“verified”) user.
This is literally why I left facebook almost 10 years ago. They locked me out and required I send them a photo of my ID. I said, "Y'all ain't the cops... imma not do that"
...but first I drew them an ID in crayon which they rejected, then one in acrylics, one in color pencil, one in pastels, etc, etc... My goal was to make one for each of the 50 states, but I only did like 5 before I got bored of sending them and having them rejected as not valid IDs.
Anyways, I'm not ever sending a social media company government issued IDs. Not gonna happen.
The only time I've submitted government ID online was for banking sites where it's only online sign up. I am OK with this because I understand this is a requirement set by the same government issuing the IDs with rules around how it can be used.
Social media sites have no such requirement. They have no such rules around the collection of this information. They can do whatever they want with it once collected. Privacy policies aren't enough. They can shift on a whim.
Must be some kind of local rules because I've signed up for accounts (BoA, Discover) and have never submitted a picture of myself (govt issued or not) to a company.
For me the only one that hurt was AirBnB when they imposed the picture requirement. That was a useful service.
Seems like they don't care unfortunately seeing how Facebook has been doing the same thing for a decade now. It happened to my dad's account and they just went and made a new account instead of dealing with the verification
linkedin also just made this an option (and are soft pushing it). payment apps likely started the trend - stripe, venmo - but that was driven (afaik) by kyc.
maybe x/twitter, linkedin etc. plan to add financial transactions and will need to be kyc compliant - so this is just a first step?
or is there a new 'driver' for this model to cause companies like these to prioritize this 'feature'? is there really that much destructive fraud or impersonation today?
If the entire point of verification is verifying one's identity, I do not see why requiring a photograph and government identification is a problem. That's the only reasonable way of proving someone's identity.
The question of whether the use of "Israeli software" (whatever it is specifically; too broad to make any useful comment) is appropriate is up for debate, but the fundamental act of verifying identity based off government identification is reasonable.
Besides, if you don't like it you don't have to get verified nor use the service for that matter.
> I do not see why requiring a photograph and government identification is a problem.
It’s a problem for services which have little need for that kind of (intermediate level) verification, because it increases the threat surface for identity theft that can be used againt the kind of services that actually do need it.
It’s also, on the other hand, a problem for services which need actually need strong identity verification, because while government IDs do generally have security features, they are generally not secure for use via a photograph.
Sidestepping the question of whether Twitter rises to the importance of needing verification, I believe that identity verification is a huge missed opportunity for banks. There’s no reason why US users should be sending personal info to an Israeli company for anything, especially this.
A bank has traditionally been the place where we keep our most valuable physical assets. They are secured and insured. Security is part of the service they’re providing. Moving to the digital world, banks could also have been a natural place to store digital assets such as identity info, credit info, and email addresses/phone numbers.
Then, instead of every random website asking for this info and storing it for an indeterminate amount of time, the bank would proxy it to them.
Being a “data bank” would be a highly regulated privilege, with license to store this info. Any non-licensed entity would be prohibited from storing things like SSNs. This reduces the attack surface to only the most important entities. As critical infrastructure, these data banks would also receive periodic stress tests, just as physical banks do today.
I always found the whole ID situation in the US comical.
Using the driver's license as a default document seems like it was an accidental thing. You then get the Department of Motor Vehicles involved in tasks outside their scope (i. e. the parallel non-license ID document), and it guarantees a lack of standardization and then trying to hack it back into place (see: Real ID).
We should have had a meaningful federal ID probably from the 1960s if not earlier-- once it became evident we needed some uniform way to identify people. Whatever department ended up owning it would be the obvious place to provide an API collection, which would probably end up looking a bit like oAuth with a variety of different grants (age, address, citizenship, other qualifications) that would be very evident through the login prompt.
But that would freak the hell out of the Mark of the Beast people.
Time someone to make a “verifyAI” startup that will generate photo, ID, name, and basically all the data needed, being passive about these blatant privacy violations won’t get us anywhere, time to feed it the wrong data (inspired by that Firefox addon that clicks ads for you), P.S. 20% equity share for the startup idea :)
Valve wanted me to send them a copy of my ID (amongst other things) in order to buy a Steam Deck. What they actually got was me closing my Steam account almost as soon as I opened it. Their "customer support" whose main training seems to revolve around how to be a smartass to their customers didn't exactly help, not that they were getting a copy of my ID regardless.
X is the new digital country club. You buy clout by buying a badge. Bad people can buy badges. Bad people can be legitimized by having a blue ribbon. Cows have blue ribbons.
75 comments
[ 0.23 ms ] story [ 152 ms ] threadI bet you could pay less than $10 per id+selfie combo
Nowadays, you could autogenerated both, and it's way more expensive to check the I'd than to generate one
If you fake it, of course the recourse is the legal system for identity fraud.
Is it though? Are there sets of federal or state laws [in the United States] that say you must never misrepresent your identity to a private party (X) if they ask for it? Wouldn't their recourse just be their ToS? What if a retail store clerk asked you when buying toothpaste? I suppose the law would probably be around the fake identities themselves? (e.g. creating a fake driver's license) But that would still be up to the state to prosecute, right?
I presume there are of course laws about misrepresenting your identity to the government, but now I am curious to what extent that's the case for private parties.
(I don't know much about the law in this area)
It it worth a night in jail, a couple thousand dollars in legal fees and being felon to find out?
I am curious how it would play out for X, if someone created a new identity and simply attempted to subscribe to their service in that sense.
I admit my experience in this domain has primarily been in financial services. We have different motivations than say, a social network. We plug into…as much signal is as commercially reasonable. Regardless, your identity assurance level will be governed by the effort and resources you’re willing to sink into the effort (data sources, remote identity proofing, device fingerprinting, activity heuristics, etc). If X wants to make sure you are who you say you are, they can, for a few dollars per user. And if you can’t identity proof because you don’t have a government credential, I’d hazard you don’t have much economic value to the platform (just facts, not a sleight).
For X, if you can show a gov ID that matches your credit card you’re paying with, that’s pretty high confidence you are who you say you are. Otherwise, you’re breaking the law (financial fraud if it’s not your credit card, edge cases aside if someone else is authorizing you to use their plastic).
720 ILCS 5/16-30)
I've known dozens of people who went to jail for this, but only when they obtained money, not for services, but the statute is clear.> Nowadays, you could autogenerate both, and it's way more expensive to check the [id] than to generate one
This section seems the most relevant (?):
..but what if your intent is not for committing a felony, but simply such that X doesn't have your government-issued identification?To your second point, yes, you would have to be committing a felony, which you wouldn't necessarily be. I got someone off a burglary charge that way once, since a burglary is defined as entering a premise for the purpose of committing a felony or a theft and the defendant only entered the premises for the purpose of slapping his girlfriend, which was a misdemeanor o_O
You do have to be careful though, violating the terms of service of a web site is at least a misdemeanor in a number of states (including Illinois), and is a felony for repeated violations.
2) it isn't even illegal to fake your identity towards a company, is it? I mean only if you do it to commit fraud, not pay, or get alcohol under the legal age or something like that.
This is my breaking point. I will not give up anonymity on this platform.
They've just been on the front-page of all the Western media today, from the FT, to BBC to the NYTimes, they're doing quite all-right.
Meanwhile I realized today that I have genuinely forgotten the name of the Twitter clone put forward by Zuckerberg, C...something. Ah, no, I've just googled it now, it's Threads. Yeah, that project is dead in the water.
b) After its initial peak Threads started to lose users largely because of missing features e.g. web app, search, hashtags, chronological sort etc. One by one these are being added and users are slowly coming back. Meta is not going to kill Threads whilst it is providing rich behavioural data into their Instagram/Facebook ad serving.
That's not really a very useful metric, because Musk paid way too much for it in the first place, and even without that it was probably overvalued to start with (IMHO). Besides, in the end a valuation, especially for a private company like Twitter/X, is not really all that useful and just a bunch of people going "well, I'd pay this much for it, I guess..."
I don't know if Twitter is doing okay or not, but I do know this is not a good metric.
They are what investors will be looking at to decide if Twitter/X heads into bankruptcy or fights to live another day.
I cannot recall the last time the-site-formerly-known-as-twitter was in the news for positive reasons.
I keep hearing this, but people keep using Twitter.
That he’s “gutting” Twitter seems more like something you hope to see, not something that’s actually happening.
I don't find that kind of an argument very convincing. It doesn't seem to hold true in the long run.
In the early days of the web, a username and password were typically enough for creating an account for the web sites that even required an account in the first place.
Then more and more sites started also requiring an email address be provided to create and/or keep using an existing account.
Then more and more sites started also requiring a phone number.
Then more and more sites started also requiring a real name.
Now more and more sites want to see some sort of government-issued ID.
Over time, more and more personal and private information seems to be demanded in order to use many web sites.
Even if some particular piece of information isn't demanded today, it seems likely enough to me that it will be demanded in the future.
I mean, the guy lies like ducks quack. How long has the cyber truck been a year away from purchase now? His reputation is garbage.
It doesn’t really matter, because Musk isn’t even trying to hide that he is actively trying to gradually make X practically unusable if you aren’t a paying (“verified”) user.
...but first I drew them an ID in crayon which they rejected, then one in acrylics, one in color pencil, one in pastels, etc, etc... My goal was to make one for each of the 50 states, but I only did like 5 before I got bored of sending them and having them rejected as not valid IDs.
Anyways, I'm not ever sending a social media company government issued IDs. Not gonna happen.
Only 45 more to go, send me the invite!
The only time I've submitted government ID online was for banking sites where it's only online sign up. I am OK with this because I understand this is a requirement set by the same government issuing the IDs with rules around how it can be used.
Social media sites have no such requirement. They have no such rules around the collection of this information. They can do whatever they want with it once collected. Privacy policies aren't enough. They can shift on a whim.
For me the only one that hurt was AirBnB when they imposed the picture requirement. That was a useful service.
maybe x/twitter, linkedin etc. plan to add financial transactions and will need to be kyc compliant - so this is just a first step?
or is there a new 'driver' for this model to cause companies like these to prioritize this 'feature'? is there really that much destructive fraud or impersonation today?
I hope someone archived this stuff. I never figured out how to pull all of Twitter myself.
The question of whether the use of "Israeli software" (whatever it is specifically; too broad to make any useful comment) is appropriate is up for debate, but the fundamental act of verifying identity based off government identification is reasonable.
Besides, if you don't like it you don't have to get verified nor use the service for that matter.
It’s a problem for services which have little need for that kind of (intermediate level) verification, because it increases the threat surface for identity theft that can be used againt the kind of services that actually do need it.
It’s also, on the other hand, a problem for services which need actually need strong identity verification, because while government IDs do generally have security features, they are generally not secure for use via a photograph.
A bank has traditionally been the place where we keep our most valuable physical assets. They are secured and insured. Security is part of the service they’re providing. Moving to the digital world, banks could also have been a natural place to store digital assets such as identity info, credit info, and email addresses/phone numbers.
Then, instead of every random website asking for this info and storing it for an indeterminate amount of time, the bank would proxy it to them.
Being a “data bank” would be a highly regulated privilege, with license to store this info. Any non-licensed entity would be prohibited from storing things like SSNs. This reduces the attack surface to only the most important entities. As critical infrastructure, these data banks would also receive periodic stress tests, just as physical banks do today.
Using the driver's license as a default document seems like it was an accidental thing. You then get the Department of Motor Vehicles involved in tasks outside their scope (i. e. the parallel non-license ID document), and it guarantees a lack of standardization and then trying to hack it back into place (see: Real ID).
We should have had a meaningful federal ID probably from the 1960s if not earlier-- once it became evident we needed some uniform way to identify people. Whatever department ended up owning it would be the obvious place to provide an API collection, which would probably end up looking a bit like oAuth with a variety of different grants (age, address, citizenship, other qualifications) that would be very evident through the login prompt.
But that would freak the hell out of the Mark of the Beast people.
Submitters: "Please submit the original source. If a post reports on something found on another site, submit the latter." - https://news.ycombinator.com/newsguidelines.html
Verifying Your Identity on X Will Require Taking a Selfie and a Gov. issued ID - https://news.ycombinator.com/item?id=37200989 - Aug 2023 (7 comments)