I am sure even my passport would be part of the breach; are the passport holders being notified of the breach?
dgellow · 2026-06-28 19:51:39 UTC
Oh god that’s pretty bad
> The documents were hosted by systems used by cannabis clubs and a company called Nefos, which operates PuffPal, a platform that manages membership and age verification for cannabis retailers and clubs across Europe. The infrastructure storing these identity documents—full passport scans, driver’s licenses with photos, names, and identifying numbers—was left completely unprotected on publicly accessible web servers.
I cannot imagine the level of fines under GDPR for leaking that much PII
real_chudson · 2026-06-28 20:51:17 UTC
The EU's verification laws will ensure much more of these leaks in the future, and therefore much more fines
dgellow · 2026-06-28 21:33:06 UTC
Yep… not sure about more fines, but for sure more leaks
Kuinox · 2026-06-28 21:40:18 UTC
How so, are you purely speculating or did you find a hole in the zero knowledge proof system some countries are implementing?
raron · 2026-06-30 02:15:51 UTC
It is not using ZKP. Zero knowledge proof is mentioned as an optional experimental feature in the next release.
Is it a requirement to retain the documents? Many are waiting for gatekeeper tech companies to organise around attestation rather than submission to third parties. I hope they are making progress.
TacticalCoder · 2026-06-29 21:57:11 UTC
I had to receive a letter from France (I'm not french, I don't live in France, but we've got family real estate there). To be able to open this letter, online (!), I had to scan my EU ID card, tilt it, and scan my face (pointing at the camera, looking to the left, etc.).
We're talking about a major french institution here, either public or private but colluding with the government to have their monopoly (don't know, don't care: they're all the same worms to me).
Speaking of which... There's been a recent case in France where a very nice lady working for some public institution (basically the IRS) was giving the name/wealth of "targets" to her brother so that her brother and his friends could go and kidnap/torture (fingers of victims have been cut) family members of rich french persons.
It's sickening and the real culprits are those creating the laws mandating this full on surveillance apparatus.
axus · 2026-06-29 23:29:20 UTC
The governments want to retain their abilities to target people for kidnapping/finger-lopping.
ExoticPearTree · 2026-06-30 11:26:32 UTC
> The EU's verification laws will ensure much more of these leaks in the future, and therefore much more fines
So it's a feature, not a bug, and a clever revenue stream for the governments?
voakbasda · 2026-06-29 21:25:52 UTC
Show me the consequences. I hear there are supposed to be repercussions, but these asshats never seem to pay for their crimes.
hahahaa · 2026-06-30 02:31:24 UTC
Why can't verification simply be: go to the post office, the clerk will affidavit via an online form that you presented correct ID. Which could also do the photo lookup for good measure.
Store that fact in the computer. Good for one ID usage. Good for less critical stuff like this weed thing (versus say a visa application which may need to store).
The analogy is a nightclub bouncer checks your ID.
simoncion · 2026-06-30 03:03:13 UTC
> The analogy is a nightclub bouncer checks your ID.
...the obvious thing to deploy is a cannabis club bouncer that checks your ID with only his eyes and hands and either bounces you or lets you in, depending on the outcome of that check.
That's far simpler than involving some unrelated third party and far more secure than storing any information about the event in any computer.
raverbashing · 2026-06-28 19:56:23 UTC
That's good, just grab one of those whenever you need to prove your age online /s
Cider9986 · 2026-06-29 21:40:47 UTC
For liveness I suppose you need a good graphics card.
So dystopian
sebastiennight · 2026-06-30 11:02:21 UTC
> a good graphics card
Well, see, for safety reasons we're not going to let consumers have those anymore. You could be doing all kinds of shenanigans, running LLMs locally like a pirate.
jubilee33 · 2026-06-30 04:05:30 UTC
Not even needed many times, I was recently at an overseas airport that wanted you to scan your passport to log into the internet. Ya not happening. On another device I downloaded a "sample" passport image of a British passport, the first one on Google images, pointed the phone at the device screen. "This will never work", he thought as he was immediately logged in.
All this stuff really hurts the people who follow the rules the most.
gertrunde · 2026-06-28 21:18:42 UTC
The lack of security is one thing, but why have they retained the information at all!
iirc, one of the elements of GDPR is "storage limitation", i.e. you must not keep personal data for longer than you need it - and in this case, the data is only needed to verify the age of the user, and shouldn't ever be required again (unless people can now get younger).
Once a document has been used to verify a person's identity and that the person is of legal age, there is no reason to retain a copy of the document any more.
It would be reasonable and fair to retain a photo of the user to verify that the person matches the account, but that's it.
rationalist · 2026-06-29 01:37:35 UTC
10 years after I took the ACT, I received a letter from a university that I never went to, saying my SSN was leaked.
WHY THE F**k ARE THEY HOLDING ON TO THAT 10 YEARS LATER!?!?!?
Of course now I know better than to give out my SSN to anyone who asks for it, but I didn't know that as a teenager.
Until stupid s**t like this becomes illegal, it will just keep continuing.
robrtsql · 2026-06-29 21:41:11 UTC
Don't be so hard on 17-ish-year-old you. What exactly were you supposed to do? Not take the ACT (and probably not get into your desired college)?
DANmode · 2026-06-29 22:34:52 UTC
Ask if it’s required, instead of assuming it is, is the point.
Modern equivalent “move over here for your picture ‘for the doctor’.”
No thanks, I’d like to opt-out!
AgentOrange1234 · 2026-06-29 22:35:19 UTC
This is a real problem.
I was appalled when renewing my car this year that I now need a Texas by Texas account (https://www.texas.gov/texas-by-texas/), which wants... a social security number because why?!?!
Anyway, yet another data breach incoming.
axus · 2026-06-29 23:26:30 UTC
I'd hope that there's an in-person option for renewal. Maybe people without a data plan don't exist anymore?
Tangurena2 · 2026-06-30 13:23:06 UTC
> which wants... a social security number because why?
Because of federal child support legislation. If you are $2500 (or more) in arrears, your passport gets cancelled. Most states will also suspend/revoke your professional licenses and possibly driving license when you cross that state's threshold.
> In 1996, Congress passed and President Bill Clinton signed the Personal Responsibility and Work Opportunity Act (42 U.S.C. § 666), which required that states adopt UIFSA by January 1, 1998 or face loss of federal funding for child support enforcement. Every U.S. state has adopted either the 1996 or a later version of UIFSA.
When I worked for my state's motor vehicle bureau, one of the verification APIs that the driving license/ID folks got to use was a verification of citizenship/lawful residence service. Which used SSNs.
cute_boi · 2026-06-29 22:28:10 UTC
I think every SSN is already leaked and government is doing nothing. I tried to change SSN and they told me it is not possible.
recursivecaveat · 2026-06-30 00:56:07 UTC
100s of millions have definitely been exposed already. The best defence is probably to be a baby so your risk window is minimal. I haven't been able to pull that off personally, so I follow the other recommended piece of advice which is to keep your credit checks permanently frozen with the agencies and only temporarily thaw it for specific usages.
Which is a shame, as there are only hundreds of millions possible… and they still have to include room in that 9-digit namespace for non-social-security-involved ITINs and employer ID numbers!
throwaway173738 · 2026-06-30 13:13:34 UTC
They’ll definitely issue loans to a child. You have to actually put a special freeze on your child’s credit account, which is insane but welcome to the US, where any obstruction to the wheels of commerce is an affront to our national dignity.
frollogaston · 2026-06-29 22:57:06 UTC
I've had stuff like this happen too, and always wondered if they really leaked my data or were just notifying everyone whose data they possibly leaked.
bigfishrunning · 2026-06-30 13:49:35 UTC
I think the argument is "if they didn't retain your data, it couldn't have possibly leaked"
frollogaston · 2026-06-30 14:36:12 UTC
Yeah I meant it's possible they didn't retain your passport, they just know you took the test at some point.
Sohcahtoa82 · 2026-06-29 23:16:26 UTC
The real answer?
In case you want to retrieve your test scores 10 years after you took it. They need some way to uniquely identify you. Sure, they could have given you a specific test taker ID, but what if you lost that? They could have created a way for you to log in with an e-mail address, but what if you changed e-mail addresses?
You might think "Why would I need my test scores from 10+ years ago?", but my wife just started a job and they demanded her college transcripts to prove she went there...over 20 years ago.
catlikesshrimp · 2026-06-29 23:50:24 UTC
Identify the student by full name, dob, date of admission, career, etc. It takes 5 minutes instead of one.
The problem here is using a username (the ID) as a password (security check)
throwaway173738 · 2026-06-30 13:11:13 UTC
And make them call the registrar during regular hours. That’s what I had to do to get a transcript from 15 years ago once. The registrar holds the records and should be able to provide them.
xmcp123 · 2026-06-30 00:36:34 UTC
I think the issue here is that it was the university, not ACT. ACT has a valid reason for holding it. A university he never went to does not.
TZubiri · 2026-06-30 01:05:38 UTC
I'm not american, but the idea that your SSN, which is effectively a (federal) unique identifier for a person, would be secret, is very foreign.
In most countries, like most databases, our primary keys do not hold an expectation of secrecy.
I would even argue that the expectation of secrecy is what creates its secret semantics, that is, it's secret because you make it secret. I get that it's a collective action thing, if you just publish your own SSN, a bank in another state might not be aware it's a public thing for YOU, and might open an account for a stranger.
Interestingly enough, for corporations, their identifiers, EIN, are not assumed to be private, in many states these are available through the DoS public records. So it turns out the system works just fine if you make the ID of a person (juristic or legal) public.
smcin · 2026-06-30 03:23:43 UTC
So what prevents people applying for loans or doing identity theft, in other countries?
rightbyte · 2026-06-30 09:16:45 UTC
To sign on for a house, marry, claim a child as yours etc you need witnesses where I live. Web of trust I guess?
If someone takes a loan in my name and I don't receive the money it is not an identity theft it is fraud and the victim is the bank not me.
TZubiri · 2026-06-30 09:22:21 UTC
Key difference might be that most countries have centralized Federal ID document. The Americans never allowed the government such a power, which is a tremendous idea. But they did concede to an ID number through a federal tax entity which de facto served as an id number. Turns out one disadvantage there is that a document is easier to prove ownership of than a number.
bluebarbet · 2026-06-30 11:12:22 UTC
Sure but all countries have numbers (tax, SS, ID card) that serve de-facto as IDs. The question is why the number alone (i.e. a username without a password) would ever be considered sufficient to authenticate something.
Tangurena2 · 2026-06-30 13:46:06 UTC
My original SSN card has "not valid for identification" printed on it. Originally, it was supposed to only be used for filing taxes. The first 3 digits identified the state you applied in, the second 2 digits identified the office (in that state) and 2 of the last 4 digits identified the filing cabinet.
Over the years, it ended up becoming the de facto federal identity number. It has no check digits, so you can make up any you want (I used to use a phone number of a major customer - only dropping 1 digit). I was a rebel/jerk/butthead back then. Now I just yell at clouds.
Long ago, I worked at a place that handled electronic prescriptions, lab results and insurance claims. There were huge numbers of incorrect SSNs which meant there were huge numbers of duplicates. Someone transposed 2 digits? Yep. Someone remembered their number incorrectly? Sure. Someone made one up? Like from a phone number? Oh noes! Before 9/11, trying to match someone with faulty ID numbers and messed up names was called "patient matching" and after 9/11 all the academics doing research into this stuff disappeared into large defense contractors or 3-letter-agencies trying to find more terrorists/bad guys.
For a good start in this area of research, I recommend this dissertation:
> Adaptive detection of approximately duplicate database records and the database integration approach to information discovery
> The most misused SSN of all time was [see link]. In 1938, wallet manufacturer the E. H. Ferree company in Lockport, New York decided to promote its product by showing how a Social Security card would fit into its wallets. A sample card, used for display purposes, was inserted in each wallet. Company Vice President and Treasurer Douglas Patterson thought it would be a clever idea to use the actual SSN of his secretary, Mrs. Hilda Schrader Whitcher.
> The wallet was sold by Woolworth stores and other department stores all over the country. Even though the card was only half the size of a real card, was printed all in red, and had the word "specimen" written across the face, many purchasers of the wallet adopted the SSN as their own. In the peak year of 1943, 5,755 people were using Hilda's number.
Most state agencies redact the SSN from public records. I want to say that they all do, but I work for a state and I see too many in all the wrong places.
Tangurena2 · 2026-06-30 13:06:30 UTC
My first university, back in the 1970s, used my SSN as my student ID and was embossed into the ID card (who is that stranger in the photo?). Nowadays, no university uses SSN for student IDs. There's a saying that applies: the past is a foreign country.
dotancohen · 2026-06-29 21:34:38 UTC
> Once a document has been used to verify a person's identity and that the person is of legal age, there is no reason to retain a copy of the document any more.
Might KYC laws and general CYA policies prefer to keep the proof of age? For instance to protect e.g. against a minor altering the date on their passport. Especially in such a regulated industry.
charles_f · 2026-06-29 22:05:50 UTC
The EDPB has explicitly ruled on that, when it comes to age verification^1, you should delete: "Trust models are crucial to prevent data breaches in age assurance contexts [...] once the user's age is verified, no record of the personal data used for the age assurance process is kept".
> Note what happened. A high-value credential—a passport—was used in an ancillary low-value authentication system: ID verification for cannabis dispensaries. And it’s the low-value system that got hacked, putting the high-value credential at risk.
Why do these systems hold onto user's data post verification?
observationist · 2026-06-29 21:42:53 UTC
Why wouldn't they? There are probably significant downsides if they fail an audit requirement, and they're probably mandated to retain records for some period, with no consequences to extended retention.
Set up a system so that it costs you nothing to do a bad thing but possibly wrecks you legally and financially to do the good thing, and people will inevitably do the bad thing. They shouldn't be collecting this information in the first place.
The people who design these policies are incapable of actually building things that work. They are not the intelligent, competent leaders exercising a careful craft that they like to pretend they are.
They keep going after age verification, online ID, central bank digital currencies, etc - keep this incident in mind. The people who implement and write these policies are morons. They don't game things out and plan for redundancy or resiliency. They don't take into account bad faith actors. They don't account for deliberate exploitation of the system.
charles_f · 2026-06-29 21:54:41 UTC
> Why wouldn't they?
They most likely weren't allowed to keep it past the verification per GDPR art.5. Once the passport has been verified for whatever purpose they needed it ("age verified to be > 18yo on 2026-06-12" or "identity verified to be XXXX YYYY"), there is no legitimate use for the passport photo and details anymore, and they should delete it.
petercooper · 2026-06-29 22:08:02 UTC
(I'm naive in this area, but..) I wonder if the various "proof of age" laws coming into play will clash with the GDPR in insidious ways. Like requiring identity providers to hold definitive "proof" of why they made an assessment rather than merely proving and discarding. I assume/hope there is some cryptographic way to do this rather than hang on to passport and ID images, however.
lschueller · 2026-06-29 22:46:56 UTC
There are established ways / protocols to hold and provide cryptographically valid proof of a verification process, without any need to keep the actual ID images in any storage. And to my knowledge there is no requirement for compliant KYC (Know Your Customer) to provide their ID as a proof as long as the verification process itself is compliant and audited in accordance with certain criteria.
You can compare this in a certain way to file hashes. A successful verification with a predefined minimum level of credibility can be encrypted to a special string for later being used, if a service needs to verify the person again. It doesn't matter then, that the original passport images or video ident has been deleted the second after id verification has been completed.
charles_f · 2026-06-30 05:22:26 UTC
I'm somewhat knowledgable on privacy topics, pasting my answer to another comment:
The EDPB has explicitly ruled on that, when it comes to age verification^1, you should delete: "Trust models are crucial to prevent data breaches in age assurance contexts [...] once the user's age is verified, no record of the personal data used for the age assurance process is kept".
I agree with the theory, but I guarantee you that in practice the vast majority of orgs are storing way more data than they should.
M95D · 2026-06-30 09:07:33 UTC
Can't find the reference by date. What's the name of the document?
TZubiri · 2026-06-29 21:57:08 UTC
> Why wouldn't they? There are probably significant downsides if they fail an audit requirement,
Right, and keeping old passports used for verification should cause an audit to fail.
lazide · 2026-06-29 22:15:25 UTC
Not if there is no law about it.
If there is a law about verifying buyers, how else are they going to pass that audit?
subscribed · 2026-06-29 23:38:20 UTC
There's a law forbidding storage beyond necessary minimum and law punishing such behaviour unless another law necessitated storage of the original document in the unsecured, unencrypted form. Doubtful.
There's also laws mandating secure systems design.
Separately there's no _need_ to store the original document if the verification system is sound (and audit real, not some phony crap like in some of the scandals posted here on HN).
lazide · 2026-06-30 00:51:57 UTC
If you need to prove you sold to real people, storing their credentials is a necessary thing, for as long as you need to prove that. At least with the way things currently are.
How else do you expect it to work? ‘Honest, we checked’ checkboxes?
hackinthebochs · 2026-06-30 04:06:16 UTC
If the credentials are stored for some period of time, then an inspection will reveal those stored credentials within the preservation window. Unannounced inspections will then show with high certainty a legitimate validation process.
The auditor can act as a customer and validate whether phony credentials are rejected.
lazide · 2026-06-30 04:27:45 UTC
Thanks for agreeing with me?
hackinthebochs · 2026-06-30 04:30:06 UTC
I thought I was elaborating on how to minimize exposure. If this is just what you meant, then sure!
lazide · 2026-06-30 13:38:03 UTC
Yeah, my point is that there is a significant exposure they are required to have, if they need to be able to be audited and have to actually prove they are dealing with real people.
At least - as you mention - until the rules catch up and there is some sort of one way hashing/signing or something possible, which for most of these industries is probably decades away (if ever). Most of these industries struggle with photocopies at this point.
subscribed · 2026-06-30 05:06:48 UTC
You can store for example ID type and serial number AND hash of the personal information.
If the government-affiliated agency decides to check, they can.
But back to my original statement - unless they're explicitly mandated to keep it longer, they are forbidden from doing so, and their DPO would know it.
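The two suggestions above (lschueller's point that a verification can be reduced to a cryptographically checkable proof, and subscribed's point that you can store the ID type, serial number and a hash of the personal information instead of the document) can be sketched in a few dozen lines. The following is an added example written for this page, not code from Nefos, PuffPal or any commenter. It assumes a verifier that holds a secret attestation key and a separate "pepper" for the document reference; an HMAC stands in for the signature (a production system would use a public-key signature such as Ed25519 so that auditors and relying parties can check attestations without holding the signing key). The sample documents, key and pepper are constructed, not real.

```python
import hashlib
import hmac
import json
import secrets
from datetime import date

# Constructed sample inputs for the example (not real documents or keys).
ATTESTATION_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
REFERENCE_PEPPER = bytes.fromhex("ffeeddccbbaa99887766554433221100")
TODAY = date(2026, 6, 12)
ADULT_DOC = {"doc_type": "passport", "doc_number": "X1234567",
             "name": "Jane Example", "dob": "1990-03-04"}
MINOR_DOC = {"doc_type": "passport", "doc_number": "Y7654321",
             "name": "Sam Example", "dob": "2008-06-13"}  # turns 18 the day after TODAY


def age_on(dob_iso: str, today: date) -> int:
    """Completed years of age on `today`, handling the not-yet-had-birthday case."""
    dob = date.fromisoformat(dob_iso)
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def document_reference(pepper: bytes, doc_type: str, doc_number: str) -> str:
    """Keyed hash of the document identifier (subscribed's 'ID type and serial
    number AND hash'). Passport numbers are low-entropy, so an unkeyed SHA-256
    in a leaked table could be brute-forced; the pepper is held by the
    verifier/auditor and is never stored next to the attestations."""
    h = hashlib.sha256(pepper + b"|" + doc_type.encode() + b"|" + doc_number.encode())
    return h.hexdigest()


def canonical(claim: dict) -> bytes:
    """Deterministic JSON so the MAC covers exactly the same bytes on both sides."""
    return json.dumps(claim, sort_keys=True, separators=(",", ":")).encode()


def issue_attestation(doc: dict, today: date, key: bytes, pepper: bytes, min_age: int = 18):
    """Run the age check, then emit a MAC-protected statement of the outcome.
    Name, date of birth, document number and image are NOT part of the output;
    returns None when the check fails (nothing is retained in that case either)."""
    if age_on(doc["dob"], today) < min_age:
        return None
    claim = {
        "statement": f"age_over_{min_age}",
        "verified_on": today.isoformat(),
        "doc_type": doc["doc_type"],
        "doc_ref": document_reference(pepper, doc["doc_type"], doc["doc_number"]),
        "nonce": secrets.token_hex(8),
    }
    tag = hmac.new(key, canonical(claim), hashlib.sha256).hexdigest()
    return {"claim": claim, "tag": tag}


def verify_attestation(att: dict, key: bytes) -> bool:
    """Relying party / auditor check: the claim has not been altered since issuance."""
    expected = hmac.new(key, canonical(att["claim"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, att["tag"])


def audit_matches_document(att: dict, pepper: bytes, doc_type: str, doc_number: str) -> bool:
    """An auditor who is shown the physical document (e.g. during an unannounced
    inspection) can confirm it is the one that was checked, without the verifier
    ever having kept a copy of it."""
    ref = document_reference(pepper, doc_type, doc_number)
    return hmac.compare_digest(ref, att["claim"]["doc_ref"])


def demo() -> dict:
    att = issue_attestation(ADULT_DOC, TODAY, ATTESTATION_KEY, REFERENCE_PEPPER)
    print(json.dumps(att, indent=2))
    return att


if __name__ == "__main__":
    demo()
```

What a leak of the attestation store would expose is the list above: a statement, a date, a document type, a peppered hash and a nonce. Without the pepper the `doc_ref` cannot be reversed to a passport number, and nothing in the record reproduces the document. The store still answers the audit questions raised in the thread: an inspector can check every tag against the key and can present a real document to confirm it maps to a stored reference.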
TZubiri · 2026-06-29 21:54:15 UTC
I have a story about this, although it's a bit convoluted and not entirely related. But it does showcase low-value usecase compromising a high-value auth mechanism.
I was working on a project, client is a Real Estate agency, they use a CRM where they upload houses and it in turn uploads it to various sites like Zillow. We needed a list of their listed houses, so we wanted to use that data source instead of making a CRUD where they have to add houses yet again.
We ask the CRM sales team about APIs, they tell us that there's no accounts for third parties, client accounts have APIs, so we have to ask the client for an API key (or for their account password).
Which makes sense in general I guess, but the data is public in our case, so the CRM sales staff's idea was that we should ask the client to let us access their account in order to get public data. We proceeded to scrape the houses from a website like Zillow like cavemen.
As it happens, our project was ancillary low-value. So I don't doubt that the clients of this CRM are vulnerable in a similar way, and the root cause of the issue isn't evident at all, I can see 2:
1- Paradoxically, having an API that always requires an API KEY (as opposed to allowing unauthenticated access for public data) is less secure, as credentials/tokens will be used more often when not necessary.
2- This CRM effectively acted as an aggregator, consuming the APIs to publish to other vendors, but they don't provide an API for other vendors to read data from them. This effectively causes third party vendors to authenticate as the client, which is just incorrect. Credentials should identify a person/group, not a usecase.
bee_rider · 2026-06-30 00:27:59 UTC
This is a really great story. It is super short and understandable, and nails the point that just falling into the default case of authenticating everything can hurt security. If someone was teaching some sort of software engineering seminar, they should totally steal it.
mothballed · 2026-06-29 22:41:29 UTC
I'm not sure how it works in the EU, but in the US, most states have a "PMP" (prescription monitoring program) that tracks the sale of marijuana in many states (never mind that it's not an actual prescription, but it is a controlled substance) and viewable by your doctor back up to ~12 months or so. Most people don't know this however and think it works like alcohol sales where it's sold after ID verification and then everyone forgets about it. Some states treat marijuana sales like prescription drug dispensing, it has to be reported to a central database including the intimate details of the persons involved. I have no idea if this is the case in Spain, however.
subscribed · 2026-06-29 23:39:36 UTC
EU is not a country and the laws covering illicit substances vary wildly between member states.
wil421 · 2026-06-30 00:09:54 UTC
How’s that any different than the US? States determine what they can do.
subscribed · 2026-06-30 05:08:48 UTC
Still, EU is a loose federation with some common laws and mostly common border policy. It doesn't even have common currency.
sebastiennight · 2026-06-30 09:29:49 UTC
> It doesn't even have common currency.
This statement is about as accurate as saying the US doesn't have a common language, or Vatican City residents don't have a common religion.
Economic and monetary union is a group of policies aimed at CONVERGING the economies. From your link.
The European Union consists of 27 countries.
25% of them did not adopt Euro as the currency.
"common" language is orthogonal here - it would be valid if you could legally use euro everywhere. You can't, it's not a currency in the quarter of the states. Sure, someone may accept it and offer you the exchange to the local currency.
Vatican City example is also not very good (to put it mildly), because Catholicism is a state religion. You're not going to be deported for being Sikh, yes, but it's akin to the Romanian not being deported from Portugal for carrying lei in his pocket.
Euro is NOT a common currency in the EU. It is by far the most popular. It is a common currency in the Eurozone countries. And these two are distinct from Europe as well.
I'd suggest you discuss your ideas with someone before posting them again.
bluebarbet · 2026-06-30 11:02:18 UTC
The last line was unnecessary.
subscribed · 2026-06-30 11:58:10 UTC
That was the measured response to the attempted ridicule (that's not nice too).
Or, more politely, a suggestion to post arguments that are relevant.
mothballed · 2026-06-30 14:29:02 UTC
You were ridiculed because I never stated the EU was a country. I said I didn't know how things work in the EU, not that everywhere you go in the EU it would be the same (in fact, I explicitly stated, I did not know how the system worked in Spain specifically to denote national differences in law in the EU). Your malicious use of feigned lack of reading comprehension merits the response.
No surprise you got back what you dished out.
someonebaggy · 2026-06-30 09:23:39 UTC
Cannabis is federally illegal in the US, and the federation has its own enforcement teams that can come and get you even if your state's enforcement teams won't.
mothballed · 2026-06-30 14:25:33 UTC
This is half true. Medical cannabis is now schedule III, with state programs explicitly placed into sched III (even without FDA approval) making it fully federal legal in that case.
edoceo · 2026-06-30 00:21:13 UTC
It's not like this in USA for cannabis. States with medical programs issue medical cards and the dispensary uses that as the only form of ID. For adult-recreational the dispensary can choose their ID verification system. Many use ID scanners connected to their online POS provider. The State run system doesn't track retail sales to an individual.
mothballed · 2026-06-30 00:29:25 UTC
Medical marijuana is linked to the PMP in my state.
OMG, I forgot that AZ and VT have very unique programs. Basically everyone else is on BioTrack or Metrc which are dedicated cannabis "track and trace" - ex-pharmacy infrastructure
baliex · 2026-06-30 01:09:12 UTC
In a word: complaints.
It’s somewhat understandable but also part of the problem.
ishouldstayaway · 2026-06-30 01:38:51 UTC
> Why do these systems hold onto user's data post verification?
Depending on the company, you could rate the reasons on a scale from "incompetence/naivete" to "revenue stream".
hombre_fatal · 2026-06-30 03:38:23 UTC
There are various reasons. What if it turned out someone was using a stolen ID or a fake ID, or the ID didn't match the face, or it wasn't even an ID? You'd want to be able to see how your process missed it.
The real problem is that there aren't many options for real authentication over getting people to upload pictures of high-value credentials. Now every service has to be a security expert, like encrypting the images at rest so they aren't the ones who leak it.
It's kind of like how dumb our credit card system is where you have to both share a secret with everyone (from random websites to random restaurants) while hoping the bad guys never get it because the secret can be used anywhere. It kinda works against everyone except the bad guys.
Maybe it's time we come up with a deliberate system.
ehnto · 2026-06-30 06:20:09 UTC
> You'd want to be able to see how your process missed it.
An incredible risk to take on someone elses behalf, for personal gain. Don't worry, market forces will surely fix this, no need for regulation.
hombre_fatal · 2026-06-30 14:51:02 UTC
But, once again, it's the only mechanism we have.
We are decades beyond the days where the waitress uses a credit card imprinter to copy your credit card so the restaurant can charge your credit card later, yet that's still basically the state of our tech when it comes to authentication and payment.
Not even KYC institutions have better tech. You still upload a scan of your high value creds, maybe with your face in frame.
somenameforme · 2026-06-30 04:05:56 UTC
The leak came from a third party ID/age verification service for a regulated substance in a heavily regulated region. I think there's a good chance that they're under various regulatory/KYC type laws that would make holding onto user data mandatory. One practical scenario where this would come into play is if they were suspected of intentionally accepting fraudulent credentials, basically acting like a fake ID service for hire. In that case authorities would want to be able to see all data that they were basing acceptance on.
vfclists · 2026-06-29 21:41:14 UTC
Do the laws that mandate identity verification set security standards that the websites which collect and verify the data must meet?
https://ageverification.dev/av-doc-technical-specification/d...
https://travel.state.gov/en/passports/contact-support/legal-...
https://en.wikipedia.org/wiki/Child_support_in_the_United_St...
> In 1996, Congress passed and President Bill Clinton signed the Personal Responsibility and Work Opportunity Act (42 U.S.C. § 666), which required that states adopt UIFSA by January 1, 1998 or face loss of federal funding for child support enforcement. Every U.S. state has adopted either the 1996 or a later version of UIFSA.
https://en.wikipedia.org/wiki/Uniform_Interstate_Family_Supp...
When I worked for my state's motor vehicle bureau, one of the verification apis that the driving license/ID folks got to use was a verification of citizenship/lawful residence service. Which used SSNs.
https://www.upguard.com/breaches/social-insecurity-billions-...
In case you want to retrieve your test scores 10 years after you took it. They need some way to uniquely identify you. Sure, they could have given you a specific test taker ID, but what if you lost that? They could have created a way for you to log in with an e-mail address, but what if you changed e-mail addresses?
You might think "Why would I need my test scores from 10+ years ago?", but my wife just started a job and they demanded her college transcripts to prove she went there...over 20 years ago.
The problem here is using a username (the ID) as a password (security check)
In most countries, like most databases, our primary keys do not hold an expectation of secrecy.
I would even argue that the expectation of secrecy is what creates its secret semantics, that is, it's secret because you make it secret. I get that it's a collective action thing, if you just publish your own SSN, a bank in another state might not be aware it's a public thing for YOU, and might open an account for a stranger.
Interestingly enough, for corporations, their identifiers, EIN, are not assumed to be private, in many states these are available through the DoS public records. So it turns out the system works just fine if you make the ID of a person (juristic or legal) public.
If someone takes a loan in my name and I don't receive the money, it is not identity theft, it is fraud, and the victim is the bank, not me.
Over the years, it ended up becoming the de facto federal identity number. It has no check digits, so you can make up any you want (I used to use a phone number of a major customer - only dropping 1 digit). I was a rebel/jerk/butthead back then. Now I just yell at clouds.
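The point that an SSN "has no check digits" is easy to see in code. The following is an added example (not from any commenter in this thread): a structural validator built from the SSA's published rules for issued numbers, beside a Luhn check of the kind payment card numbers carry, so the difference in what each can catch is visible on a transposed pair of digits. The sample numbers are constructed.

```python
import re

# Structural rules for issued SSNs: area 000, 666 and 900-999 are never assigned,
# and the group (middle) and serial (last) parts are never all zeros.
# Beyond that there is no checksum, so almost any nine digits pass.
SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def ssn_structurally_valid(ssn: str) -> bool:
    """True if the number *could* be an issued SSN; says nothing about typos."""
    m = SSN_RE.match(ssn)
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != 0 and serial != 0


def luhn_valid(number: str) -> bool:
    """Luhn check as used by card numbers: double every second digit from the right,
    subtract 9 from doubled values above 9, and require the sum to be a multiple of 10."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def swap_adjacent(s: str, i: int) -> str:
    """Transpose characters i and i+1: the classic data-entry error."""
    return s[:i] + s[i + 1] + s[i] + s[i + 2:]


if __name__ == "__main__":
    ssn = "123-45-6789"            # constructed sample
    print(ssn_structurally_valid(ssn), ssn_structurally_valid(swap_adjacent(ssn, 4)))
    card = "79927398713"           # well-known Luhn test value, not a real card
    print(luhn_valid(card), luhn_valid(swap_adjacent(card, 9)))
```

The transposed SSN still passes, because the format has nothing to detect it with; the transposed card number fails Luhn. That is the whole reason a database keyed on self-reported SSNs fills up with near-duplicates.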
Long ago, I worked at a place that handled electronic prescriptions, lab results and insurance claims. There were huge numbers of incorrect SSNs which meant there were huge numbers of duplicates. Someone transposed 2 digits? Yep. Someone remembered their number incorrectly? Sure. Someone made one up? Like from a phone number? Oh noes! Before 911, trying to match someone with faulty ID numbers and messed up names was called "patient matching" and after 911 all the academics doing research into this stuff disappeared into large defense contractors or 3-letter-agencies trying to find more terrorists/bad guys.
For a good start in this area of research, I recommend this dissertation:
> Adaptive detection of approximately duplicate database records and the database integration approach to information discovery
> AE Monge - 1997
https://scholar.google.com/citations?view_op=view_citation&h...
> The most misused SSN of all time was [see link]. In 1938, wallet manufacturer the E. H. Ferree company in Lockport, New York decided to promote its product by showing how a Social Security card would fit into its wallets. A sample card, used for display purposes, was inserted in each wallet. Company Vice President and Treasurer Douglas Patterson thought it would be a clever idea to use the actual SSN of his secretary, Mrs. Hilda Schrader Whitcher.
> The wallet was sold by Woolworth stores and other department stores all over the country. Even though the card was only half the size of a real card, was printed all in red, and had the word "specimen" written across the face, many purchasers of the wallet adopted the SSN as their own. In the peak year of 1943, 5,755 people were using Hilda's number.
https://www.ssa.gov/history/ssn/misused.html
Most state agencies redact the SSN from public records. I want to say that they all do, but I work for a state and I see too many in all the wrong places.
https://boingboing.net/2026/06/28/a-million-passports-leaked...
Why do these systems hold onto user's data post verification?
Set up a system so that it costs you nothing to do a bad thing but possibly wrecks you legally and financially to do the good thing, and people will inevitably do the bad thing. They shouldn't be collecting this information in the first place.
The people who design these policies are incapable of actually building things that work. They are not the intelligent, competent leaders exercising a careful craft that they like to pretend they are.
They keep going after age verification, online ID, central bank digital currencies, etc - keep this incident in mind. The people who implement and write these policies are morons. They don't game things out and plan for redundancy or resiliency. They don't take into account bad faith actors. They don't account for deliberate exploitation of the system.
They most likely weren't allowed to keep it past the verification per GDPR art.5. Once the passport has been verified for whatever purpose they needed it ("age verified to be > 18yo on 2026-06-12" or "identity verified to be XXXX YYYY"), there is no legitimate use for the passport photo and details anymore, and they should delete it.
You can compare this in a certain way to file hashes. A successful verification with a predefined minimum level of credibility can be encrypted to a special string for later use, if a service needs to verify the person again. It doesn't matter then that the original passport images or video ident have been deleted the second after id verification has been completed.
The EDPB has explicitly ruled on that, when it comes to age verification^1, you should delete: "Trust models are crucial to prevent data breaches in age assurance contexts [...] once the user's age is verified, no record of the personal data used for the age assurance process is kept".
^1: https://www.edpb.europa.eu/system/files/documents/2025-04/ed..., number 36.
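What "keep the verification result, not the document" looks like in practice, as an added example that is not code from any commenter or from the services discussed: the scan is inspected once, only the decision (subject, age threshold, date, method) goes into a record signed with a server-side key, and the scan is dropped. A later re-check needs only the record. The signing key, account id and sample scan are constructed; the signature uses HMAC-SHA256 from the standard library, a stand-in for whatever signing scheme a real deployment would use.

```python
import base64
import hashlib
import hmac
import json
from datetime import date
from typing import Optional

# Constructed signing key for this example; a real deployment keeps it in a KMS or HSM.
SIGNING_KEY = b"constructed-example-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def document_is_of_age(document: dict, today: date, min_age: int = 18) -> bool:
    """Look at the scanned document exactly once and return only the decision."""
    dob = date.fromisoformat(document["date_of_birth"])
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return age >= min_age


def issue_attestation(account_id: str, document: dict, today: date,
                      key: bytes = SIGNING_KEY) -> Optional[str]:
    """Return a signed 'age verified' record, or None if the check failed.
    Nothing from the document itself (number, name, date of birth) is copied in."""
    if not document_is_of_age(document, today):
        return None
    claims = {"sub": account_id, "age_over": 18,
              "verified_on": today.isoformat(), "method": "id-document"}
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def check_attestation(token: str, key: bytes = SIGNING_KEY) -> Optional[dict]:
    """Re-verify later from the stored record alone; the document is long gone.
    Returns the claims on success, None on a malformed or tampered record."""
    try:
        body, tag = token.split(".", 1)
        given = _unb64(tag)
    except (ValueError, base64.binascii.Error):
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None
    return json.loads(_unb64(body))


if __name__ == "__main__":
    # Constructed sample of what an ID scan might yield; it is discarded right after issuing.
    scan = {"document_number": "P1234567", "name": "Example Person",
            "date_of_birth": "2000-01-15"}
    token = issue_attestation("member-42", scan, date(2026, 6, 12))
    del scan
    print(token)
    print(check_attestation(token))
```

The stored record answers "was this account verified as over 18, when, and how" and nothing else; a copy of it leaking is a nuisance, not a million passports. Binding it to the account (the `sub` claim) and signing it is what makes it useful to the next service that asks, without that service ever seeing the document.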
Right, and keeping old passports used for verification should cause an audit to fail.
If there is a law about verifying buyers, how else are they going to pass that audit?
There are also laws mandating secure systems design.
Separately there's no _need_ to store the original document if the verification system is sound (and audit real, not some phony crap like in some of the scandals posted here on HN).
How else do you expect it to work? ‘Honest, we checked’ checkboxes?
The auditor can act as a customer and validate whether phony credentials are rejected.
At least - as you mention - until the rules catch up and there is some sort of one way hashing/signing or something possible, which for most of these industries is probably decades away (if ever). Most of these industries struggle with photocopies at this point.
If the government-affiliated agency decides to check, they can.
But back to my original statement - unless they're explicitly mandated to keep it longer, they are forbidden from doing so, and their DPO would know it.
I was working on a project, client is a Real Estate agency, they use a CRM where they upload houses and it in turn uploads it to various sites like Zillow. We needed a list of their listed houses, so we wanted to use that data source instead of making a CRUD where they have to add houses yet again.
We ask the CRM sales team about APIs, they tell us that there's no accounts for third parties, client accounts have APIs, so we have to ask the client for an API key (or for their account password).
Which makes sense in general I guess, but the data is public in our case, so the CRM sales staff's idea was that we should ask the client to let us access their account in order to get public data. We proceeded to scrape the houses from a website like Zillow like cavemen.
As it happens, our project was ancillary low-value. So I don't doubt that the clients of this CRM are vulnerable in a similar way, and the root cause of the issue isn't evident at all, I can see 2:
1- Paradoxically, having an API that always requires an API KEY (as opposed to allowing unauthenticated access for public data) is less secure, as credentials/tokens will be used more often when not necessary.
2- This CRM effectively acted as an aggregator, consuming the APIs to publish to other vendors, but they don't provide an API for other vendors to read data from them. This effectively causes third party vendors to authenticate as the client, which is just incorrect. Credentials should identify a person/group, not a use case.
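Both points in that comment can be shown in a small authorization layer. This is an added example, not the CRM's API or anything the commenter posted: public resources are readable with no credential at all, so nothing has to be handed out for public data; private resources require a key, and every key names the principal holding it (a vendor or a user) with its own scopes, so a third party never works under the client's credentials and the audit trail shows who actually called. Key names, paths, scopes and principals are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Credential:
    principal: str        # who holds the key: a named vendor or user, never "the integration"
    scopes: frozenset     # what that principal may do


# Constructed key table. Each third party gets its own key, so revoking one vendor
# does not touch the client's login and the logs name the vendor, not the client.
API_KEYS = {
    "key-acme-website": Credential("vendor:acme-web", frozenset({"listings:read"})),
    "key-agent-jane": Credential("user:jane@example-agency.test",
                                 frozenset({"listings:read", "listings:write"})),
}

# Constructed resources. Public listings need no credential for GET.
RESOURCES = {
    "/listings": "public",
    "/listings/drafts": "private",
}

AUDIT_LOG: List[Tuple[str, str, str, bool]] = []


def authorize(method: str, path: str, api_key: Optional[str]) -> Tuple[bool, str]:
    """Decide a request and record who made it. Returns (allowed, principal)."""
    visibility = RESOURCES.get(path)
    if visibility is None:
        return _record(method, path, "anonymous", False)
    needed = "listings:read" if method == "GET" else "listings:write"
    if api_key is None:
        # Unauthenticated reads of public data: no token to issue, share or leak.
        allowed = method == "GET" and visibility == "public"
        return _record(method, path, "anonymous", allowed)
    cred = API_KEYS.get(api_key)
    if cred is None:
        return _record(method, path, "invalid-key", False)
    return _record(method, path, cred.principal, needed in cred.scopes)


def _record(method: str, path: str, principal: str, allowed: bool) -> Tuple[bool, str]:
    AUDIT_LOG.append((method, path, principal, allowed))
    return allowed, principal


if __name__ == "__main__":
    print(authorize("GET", "/listings", None))                     # public, no key needed
    print(authorize("GET", "/listings/drafts", None))              # private, denied
    print(authorize("GET", "/listings/drafts", "key-acme-website"))  # vendor's own key
    print(authorize("POST", "/listings", "key-acme-website"))      # read-only vendor, denied
    print(AUDIT_LOG)
```

Under this shape the scraping workaround from the comment disappears (the public endpoint simply answers), and when a vendor key does leak it is the vendor's key in the log and on the revocation list, with only the scopes that vendor was ever granted.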
This statement is about as accurate as saying the US doesn't have a common language, or Vatican City residents don't have a common religion.
https://en.wikipedia.org/wiki/Economic_and_Monetary_Union_of...
The European Union consists of 27 countries.
25% of them did not adopt Euro as the currency.
"common" language is orthogonal here - it would be valid if you could legally use euro everywhere. You can't, it's not a currency in the quarter of the states. Sure, someone may accept it and offer you the exchange to the local currency.
Vatican City example is also not very good (to put it mildly), because Catholicism is a state religion. You're not going to be deported for being Sikh, yes, but it's akin to the Romanian not being deported from Portugal for carrying lei in his pocket.
Euro is NOT a common currency in the EU. It is by far the most popular. It is a common currency in the Eurozone countries. And these two are distinct from Europe as well.
I'd suggest you discuss your ideas with someone before posting them again.
Or, more politely, a suggestion to post arguments that are relevant.
No surprise you got back what you dished out.
https://azcir.org/news/2025/04/10/are-az-medical-marijuana-c...
It’s somewhat understandable but also part of the problem.
Depending on the company, you could rate the reasons on a scale from "incompetence/naivete" to "revenue stream".
The real problem is that there aren't many options for real authentication over getting people to upload pictures of high-value credentials. Now every service has to be a security expert, like encrypting the images at rest so they aren't the ones who leak it.
It's kind of like how dumb our credit card system is where you have to both share a secret with everyone (from random websites to random restaurants) while hoping the bad guys never get it because the secret can be used anywhere. It kinda works against everyone except the bad guys.
Maybe it's time we come up with a deliberate system.
An incredible risk to take on someone else's behalf, for personal gain. Don't worry, market forces will surely fix this, no need for regulation.
We are decades beyond the days where the waitress uses a credit card imprinter to copy your credit card so the restaurant can charge your credit card later, yet that's still basically the state of our tech when it comes to authentication and payment.
Not even KYC institutions have better tech. You still upload a scan of your high value creds, maybe with your face in frame.