Of course it is. They regulate what information you have to collect and then how you're supposed to collect it, while trying to make sure you don't collect too much or store it in the wrong way and that you show the correct messages on your website.
> EU requires the submission of sensitive data in order to verify your identity
The EU created eIDAS to enable people to authenticate without submission of sensitive data by using digital signatures, based on public key cryptography, using an ID card with an embedded hardware security module and a PIN. Those are strong factors: "what you have" is not easily copied and "what you know" may have low entropy, but the embedded HSM has anti-hammering. When interacting with companies in a KYC flow, or to claim rights under GDPR, the people sign a statement of purpose and time, creating data that cannot be reused to authenticate as them at a later time for a different purpose.
But no one implements that. Instead companies implement the worst possible authentication method from the set of allowed methods, the bottom-of-the-barrel solution that is only still legal in the EU due to the industry lobbying for backwards compatibility with existing manual workflows from the age of snail mail: uploading photos of identity documents and smiling into a webcam. Those are weak factors: "what you have" and "who you are" using a webcam to scan documents and biometry are vulnerable to deepfakes. But most importantly, this method lacks an inherent protection against reuse. This leaves the customers vulnerable to identity theft should their data ever be stolen.
In the worst case the collected data is stored raw, without any mitigation like timestamp and purpose watermarks, or those marks are easily removed. In the worst-worst case the data is also accessible by anyone with even the most far-fetched claim to need to know, without rate limiting or misuse detection, so that phishing any internal account is enough to put all this sensitive data on sale at a darknet market.
I do not agree that the EU requires that. It allows it and failed to require that companies offer at least one better method as well.
Even requesting to delete your data in the EU requires the submission of sensitive data in order to verify your identity and fulfill the request.