Age verification laws hurt everyone. They force all websites and services to either censor their content or manage sensitive customer data that’s highly sought after by criminals, which then makes them liable for that data. On top of that, they push the people they’re seeking to protect, curious children, into darker parts of the web. All while censoring topics, reinforcing bigotry about LGBTQ+ people, and preventing the news from covering stories. No one wins from this except the ideological, self-absorbed fanatics who never had a thought that extended past the end of their own nose.
Discord is the most recent victim of a hack. The leaked documents contain personal information, including scans and photos of government-issued IDs, often held by the people verifying they are the person in the IDs. All of it is now in the possession of hackers demanding ransom. They’ll potentially release the content no matter what, though some hacker groups have not leaked data after receiving ransoms.
No one’s safe as long as we need to verify our identities to use the web, and companies would rather self-censor than find themselves in this position. Neither safety nor freedom of speech can exist with age verification laws in place, and this hack proves that.
Details of the Hack
Hackers claim they have 70,000 photos of user IDs, addresses, contact information, and verification photos totaling 1.5TB of data. The data comes from users who requested recertification of their age verification, believing the initial system had made a mistake. Discord uses k-ID for this verification, and both say they do not store these photos after the verification is complete, but appeals would go through customer support, and that’s where this leak supposedly came from.
Initially, it had been suspected that Zendesk, through the k-ID service Discord uses for age verification, could have been the victim of the hack. Zendesk is ubiquitous in the industry. If you’ve contacted customer service or even accessed an FAQ page, you’ve likely used Zendesk. This was initially quite worrying. However, Zendesk denied being the source of the hack. A few days later, Discord would point to the culprit: 5CA, a less popular customer service provider that Discord uses. k-ID does use Zendesk for customer support, but Discord may be doing separate verification through 5CA when users claim initial verification failed. While k-ID and Discord claim they never store verification images, it seems not all parts of Discord’s customer experience chain have the same standards. Or, if they do, someone wasn’t following policy. This is why policy is never security.
Discord initially claimed that the hack was quite small; however, 70,000 affected users doesn’t seem small. There is some good news in that it does not seem as though 5CA would have managed passwords or payment details for their users. Discord does say that this information is not in the leak. However, the data presented is enough to ID users, stalk them, find them elsewhere online, contact them, and even place their information on a map so creeps could stalk people in their area. This is what happened with the Tea hack. Hackers placed the IDs of women with their personal information on maps to allow easier stalking of those who used the app to try to date more safely. Now, thanks to ID verification, they’re all in danger. Thanks to ridiculous age verification laws forcing users to give up this sensitive data, everyone’s in danger.
Misguided Age Verification Laws Did This
In the UK, there’s the “Online Safety Act,” which requires age verification like this for many services, including chat services, social networks, even news services. The move will lead to censorship of these services and, clearly, leaks of data. Most U.S. states have also introduced some form of age verification law.
These hacks will continue. Data storage and security are not what they should be online. Because companies know they will never be held accountable in any meaningful way, they don’t put the attention into protecting this data that they should. They also had to rush development of age verification systems due to laws popping up with little debate or expert input. The result is misguided laws, created by people who do not understand technology, that now make everyone less safe.
VPN malware is on the rise, with hackers realizing that, since everyone needs a VPN to access the internet freely now, VPNs are an excellent source of information. While a VPN from a reliable source like ProtonVPN can protect you, one from a less reliable source can actually collect your data. Hackers are setting up free VPNs that steal your personal data, financial information, and more. These attacks are on the rise thanks to these laws made by people who couldn’t open a PDF, let alone discuss online privacy and security.
You will have to take measures to protect yourself. Refuse to use services that force ID verification. If you must, use a VPN to access these services from a free country that does not have such misguided age verification laws or practice state-sponsored censorship. Use a trusted VPN, like ProtonVPN, NordVPN, or others well-reviewed in the community. Don’t trust a free VPN service. Even Meta (then Facebook) has used VPNs to collect user data. These services are easy to abuse, so only use trusted VPN services.
It’s sad that the people making laws about technology do not understand the first thing about online security or privacy. They would not pass such misguided laws if they did. However, we find ourselves at the mercy of people who do not understand what they’re doing. The patients are in charge of the asylum. Leaks and hacks will be common, as this data is extremely valuable to identity thieves and stalkers. Do what you can to protect yourself, including only voting for politicians who oppose such harmful laws.