
It is a common misconception that facts are reported because they are surprising. Facts are reported because they are important. More and more governments are passing age verification laws which put exactly this data into the hands of even more shady private companies. This breach serves as evidence that those laws are misguided, and spreading news of this event may help build public support for those efforts.


This is the essential point, and why it’s always a bit frustrating seeing the ‘is anyone surprised’ take come up so often here. It lowers the quality of the possible discussion by trivialising it.


"Is anyone surprised" is an important question to ask, although in this case it would be more valuable to ask on a less techy forum. I'm not surprised and many people here are not surprised, but most people are still surprised when they hear something like this, which is why they gladly give their information to anyone that asks. If the majority of Discord users knew breaches are inevitable and refused to give their information or at least took some protective measures like partial redaction and use-case watermarking, this breach would be less of an issue and/or such breaches would be less common.

We need to make sure nobody is surprised. Everyone should rewrite every "upload" button in their head to say "publish".


It should say "publish" because that's what happens after the fact, not what it's "doing" for an amount of time until it stops.


> "Is anyone surprised" is an important question to ask

It definitely is not, unless you are doing some sort of survey.


It does feel like it hides the important context often summarized as a meme: a) it doesn't happen b) ok it happens, but it's rare c) ok it's not rare but the impact is minimal d) ok it's not rare and the impact is not minimal but here's why it is necessary and a good thing

Of course blanket "not surprised" is perhaps not helpful without linkage to the people who denied the risks at steps a, b, c etc. But this is why we really need decision makers and politicians to be treated like anyone making a bet: we need to have collateral takes and enforcers. The "I am surprised" people who are silent would be forced to show they believe "it does not happen" by backing the bet and the "I'm not surprised" people would be raking it in.

With no bets, no collateral (or rather other people's lives), you just get this kind of lying in accounting and a scam. It happens in all kinds of domains with commons risk. This is a particularly good example because it is not so emotionally triggering and divisive (most people presumably don't want their data leaked and can't argue immediately that you are Xist or whatever).

Anyway, I love thinking about this stuff. Hopefully HN does not think these meta-discussions are spammy.


It's a valid question, which speaks to the frequency with which these things happen. That isn't trivialising the problem.


No, it's very much used to express the sentiment "I don't care about this, and wish people would stop talking about it."


That's your interpretation, and there's nothing in the original statement to support it.

You're welcome to your opinion, of course. Just don't project it onto others.


...which could also be a PTSD-esque reaction and not a sign of ignorance. As in "I'm so tired of being affected by this nonsense, when will this even stop".

People who don't really care would, in my experience, use sarcastic tone more often.


The person might not intend to be trivializing the problem, but that is the common outcome. This was very observable in the wake of the Snowden leaks, where "is anyone actually surprised?" was a key prong in the narrative that argued that you shouldn't actually care about what the NSA was getting up to.


To me it's an important point. We're all being worn down so much by these idiotic mistakes and intrusions that it's just another Thursday when it happens, like school shootings. I don't know what the great filter looks like on other planets, but here it's because we're smart enough to make all sorts of incredible toys and stupid enough to not know how to use them properly and we're just going to drive ourselves into the ground.


Reminds me of the Panama Papers, which exposed a huge international money laundering/tax evasion ring that no one seemed to care about because "everyone knows they're doing this stuff"


I think it's a combination of "everyone knows they're doing this stuff" and "the ones who could do something about it (i.e. charge/prosecute, change laws, etc.) are implicated".

Much like the problem in the US Congress: they are not subject to insider trading laws, so they can make huge sums of money acting on non-public information. The only people that can change that are ... members of the US Congress.



Hey now, that's not fair. Someone cared enough to murder the journalist that published them with a car bomb.


That allegedly would be Yorgen Fenech, via Alfred and George Degiorgio, Vincent Muscat, and as for the explosives, Robert Agius and Jamie Vella.


Well, in a few notorious cases the tax services cared and the voters cared.


Wonder if this will cause a surge in demand for fake IDs that are sufficient for age-verification but harmless if leaked.


It might give momentum to age-verification schemes like Apple Wallet [0]. Apple gets the state ID in wallet and exposes an age verification API to apps like Discord; Discord queries the API and relies on Apple's age verification without ever getting access to the personally-identifying information.

[0] https://medium.com/@drewsmith_6943/apple-wallet-id-is-the-so...


Maybe not wallets but regular "sign in with X" SSO.

If all the X's can agree that one of the claims in the SSO is "is_adult", then at least you limit the exposure of your government ID to X getting breached, while all the "sign in with X" sites won't have access to the ID itself, just the claim.

Of course, pretty much every X gets breached anyway, and the walled garden shenanigans are not attractive, but it's better than every site getting your ID.


That's why Apple's Wallet might be better: it depends on device-level security including elements stored on-device that Apple does not have and without which Apple cannot decrypt the information. There is obviously some sort of syncing between devices, but each device is authorized separately, and apparently Apple cannot view the Wallet data on its servers. Yes, it's a walled garden, but I trust Apple more than Facebook, Google, or X.


This makes me hate the Twitter rebrand even more. I'm reading your use of "X" as generic name to be filled in as needed vs the poorly rebranded Musk owned platform. Then again, I could see that platform actually promoting its services to do this very thing.


Oof, I didn't even think about x/twitter... that was a poor choice of variable name! I shall try to eXcrete smarter in the future.


it's time to bring back metasyntactic variables

https://en.wiktionary.org/wiki/foo


As a fan of Mr. Robot, I like to use evilCorp to be replaced by whichever one is being discussed.


Heck, I would like a fake name, social security number, and birthdate as well while I am at it


Sure! I’ll give you all of those at once: “five”.


Might that be a business model for an enterprising Secretary of State? They carefully verify your real ID, the fake IDs trivially tie back to that if the cops ask (not so useful for committing crimes), there are upcharges for multiple fake IDs, or tweaked ages / weights / photos. More upcharges for "vanity" names...

"Really, your honor, it's hardly different from an author getting a DBA or LLC for his pen name."


So many were issuing IDs for illegal immigrants. I was like, why can't I have one? I'd love to erase my past arbitrarily and be unidentifiable. I decided that it was for the same reason that I couldn't get a civil union for a heterosexual partnership; politics and control.

Don't we still have states and countries issuing new IDs for trans people that don't link to their old identities? Do I have to threaten to kill myself because people won't treat me like a pretty girl in order to get one; or should erasing your past, anonymity, or at least pseudoanonymity be a right that we all get?

> "Really, your honor, it's hardly different from an author getting a DBA or LLC for his pen name."

This is the worst, really. The only way to be truly anonymous is to open corporations, because corruption relies on laundering money through corporations.


I'm aware of the culture war battles around ID cards for illegal, trans, etc. people. A reasonable, business-like SoS - trying to boost revenue while protecting people from data breaches and other such hazards - would stay far away from those minefields.

Also, it'd only be a DBA/LLC depth of "identity". Those do not give you a citizenship, nor clean police record, nor new gender, nor legal adult status, nor marriage, nor SSN/EIN, nor voting rights, nor ...


In the example you give there is no needed provision to store the id or all information in the document. Only extracting the date of birth, name and document number is sufficient.

Yes, I know this is a utopia and it won't happen.

Edit: afaik storing the photo is only needed in medical cases to alternatively assess having the correct person. Bit much for something as simple as age verification.


This breach is them being irresponsible with customer support software. In the case of automated age verification, the providers say that nothing identifiable gets stored and they might be lying but it’s feasible that you could run that service the way they say they do.

This breach is about the manual alternative to that, where you can appeal to Discord customer support if the automated thing says you’re not the right age. They seem to do that in part by having you send a picture of your ID.

I’m sure in their database they’re then just storing the date of birth etc, but then they obviously just don’t bother deleting the private image from the customer service software.


Sounds like a great use case for an automated ML cleanup/reporting feature. Maybe as a daemon as a bolt-on fix, or integrated as a feature into the support software itself.


Add in blockchain and we’ll be all set.


Yeah ok. Using a small purpose-built model to see if a picture has an ID in it to protect PII isn’t exactly a hype-driven “check out our brand new product — it’s exactly like our old product but with a useless chat bot” idea. You’re overcorrecting.


Even then, for age verification, just verify the ID, record + sign the verification, and DESTROY THE DATA! Don't retain the original document "just in case", or even the birthday or name.
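
A minimal sketch of the sign-and-discard flow suggested in the comment above, which also produces the single `is_adult` claim proposed earlier in the thread (an added example, not code from any commenter, Discord or a verification vendor). The key, field names and sample ID values are constructed assumptions; an HMAC is used because the issuer checks its own records, whereas a claim checked by third-party sites would need an asymmetric signature.

```python
import hashlib
import hmac
import json
from datetime import date

# Assumption: in production this key lives in a KMS/HSM, never in source.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def age_on(dob: date, today: date) -> int:
    # Subtract one year if this year's birthday has not happened yet.
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def mac_for(payload: dict) -> str:
    # Canonical JSON so the same record always yields the same MAC.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()


def attest_age(account_id: str, id_fields: dict, today: date, min_age: int = 18) -> dict:
    """Derive the single claim, sign it, and return a record holding no ID data."""
    dob = date.fromisoformat(id_fields["date_of_birth"])
    payload = {
        "account_id": account_id,
        "is_adult": age_on(dob, today) >= min_age,
        "min_age": min_age,
        "verified_on": today.isoformat(),
    }
    # Models the "destroy" step; a real system must also purge the uploaded image.
    id_fields.clear()
    return {"payload": payload, "mac": mac_for(payload)}


def check_attestation(record: dict) -> bool:
    """Return True only if the record is untampered and asserts adulthood."""
    expected = mac_for(record["payload"])
    if not hmac.compare_digest(expected, record.get("mac", "")):
        return False
    return record["payload"].get("is_adult") is True


# Constructed sample: fields as parsed from a submitted ID document.
submitted = {"name": "Jane Sample", "date_of_birth": "2001-03-15",
             "document_number": "X0000000", "image_path": "/tmp/upload-1.jpg"}
record = attest_age("acct-1234", submitted, today=date(2025, 10, 9))
```

The stored record contains only the account reference, the boolean claim, the threshold and the verification date, so a later leak of it exposes no name, birthday or document image.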


But why? I mean... this data might be valuable at some time, if nothing else, when the company is sold to some other data-gathering company... and the punishment for such a breach will be less than the data is worth.

I mean.. if the governments did their jobs and multiplied the punishment for a single breach by 70.000 (in this case) and cause the company to go bankrupt.... well, only then would the companies reconsider. But until then, they won't.


I don't think there was any suggestion that the story should not have been reported, or that only "surprising" facts should be considered news.


Things that cease to be surprising can also cease being important. Which is made clear reading the remainder of the post.

It's my take as well, frankly.


> Facts are reported because they are important.

Without going too much off-topic: In a vacuum, you are right. In reality, facts are reported because they sell.

It is a good day when important facts like this one happen to coincide with what people want to know more about. (the recent UK attempt at stripping the rights of its citizens)

Tomorrow, people will have forgotten all about it, and the government can continue to expand its powers without anyone talking about it.



