Another ID Verification System Has Been Leaking Data for Over a Year

Driver's licenses and other forms of ID have been accessible in another ID verification system, highlighting low security standards.

Throughout the Bill S-210 (Age Verification) debate, supporters of this disastrous bill have made wild claims about how the proposed legislation is safe, secure, and common sense, despite it objectively being none of the above. The latest development we are aware of is that this terrible bill got delayed for the summer, so Canadians got a reprieve from this angle on making people less safe on the internet.

A major problem with age verification is the fact that it requires third-party websites to hoover up even more highly sensitive personal information from their users. At the same time, the legislation does nothing to require those third-party services to protect that information apart from essentially saying "pretty please". The security measures proposed are so bad that PornHub has actively contemplated blocking Canada entirely in an effort to protect people's personal information.

Yet the delusional supporters insist that such systems are safe and secure. In a number of cases, they did this by throwing around the buzzword phrase "industry standard", as if buzzwords are the magical solution to making all security concerns go away on their own.

In the wake of this, some people might reasonably ask something along the lines of, "Well, how secure are age verification systems these days anyway?" The answer is: not really any more secure than any other sector handling personal information (in other words, not that great). Last month, we reported on an Australian age verification system suffering a data breach. An estimated 1 million Australians were impacted by it.

Desperate apologists might look at that and say, "well, that's just a one-off. Identification systems are secure!" To those people, I say, "Boy, do I have some bad news for you."

News has broken that another ID verification system has suffered a massive data leak. Apparently, information like people's driver's licenses has been accessible for over a year. From TechDirt:

Of course, some people would say, “but that’s a bar, that’s different than a website.”

Well, then, this new story should catch your attention. First reported by 404 Media, AU10TIX, an Israeli-based online identification company used by TikTok, ExTwitter, Uber, LinkedIn, PayPal, Fiverr and others has been leaking drivers’ licenses. For over a year.

The set of credentials provided access to a logging platform, which in turn contained links to data related to specific people who had uploaded their identity documents, Hussein showed. The accessible information includes the person’s name, date of birth, nationality, identification number, and the type of document uploaded such as a drivers’ license. A subsequent link then includes an image of the identity document itself; some of those are American drivers’ licenses.

The data also appears to include results from AU10TIX’s verification process, with a field for “liveness” reading “true”; the “probability” of that conclusion on a scale of 0 to 1, with a potential result being 0.9486029; and other fields called “DocumentAuthenticity” and “OverallQuality.” More results appear to relate to AU10TIX’s comparison of a photo of the person’s face to their uploaded document, with another section referencing a photo called “PhotoForFaceComparison.jpg.”

Another screenshot from the tool shows a line chart with one axis labeled “clientOrganizationName.” That axis includes “TikTok_Shop_Creator,” “Impersonation_XCorp,” and “uber-carshare-passport,” apparent references to the three tech giants.

Cool, cool. Nothing to be concerned about there at all.

Just last year, when Elon first hired this company to provide identification services for ExTwitter, we warned that these systems are not at all reliable and can be a threat to privacy. Turns out we were right.

As always, collecting unnecessary data makes you a target. And this data became a target and was exposed. The way we minimize that is not by forcing more companies to collect more such data. It’s to not need to collect such data in the first place.

This isn't a case where someone merely discovered the breach and no harm was done. Indeed, it appears that significant harm was done here:

The credentials appear to have been harvested by malware in December 2022, and first posted to a Telegram channel in March 2023, according to timestamps and messages from the Telegram channel that posted the credentials online. 404 Media downloaded these credentials and found the name matched that of someone who lists their role on LinkedIn as a Network Operations Center Manager at AU10TIX. The file contained a wealth of passwords and authentication tokens for various services used by the employee, including tools from Salesforce and Okta, as well as the logging service itself.

Don’t you feel safer already?

The biggest scandal in all of this, from the Canadian perspective, is the fact that if something like this happened here, the Canadian government is simply not equipped to handle it. There are no provisions in Bill S-210 that say this kind of negligence could possibly result in a fine. No matter how the information was handled, the outcome would be the same. The service could literally send administrator login credentials to every bad actor on the dark web and say "come on in!" and there would be no mechanism for the Canadian government to fine that company.

Some people might think that current privacy laws would handle that. They don't. The only outcome that would come from such a scenario is the privacy commissioner issuing a strongly worded letter. When the company does what Facebook did during the Cambridge Analytica scandal and tells the commissioner to pound sand, that is ultimately the end of it.

The only possible legal recourse is Canadian citizens coughing up the money to fund a litigation effort against the company. This puts the Canadian public on the hook for everything, including trying to find evidence that what the company did was wrong. It's an unfair situation because it would be the Canadian government that put Canadian citizens at risk, and Canadians would have to spend their own financial resources to try and protect themselves as a result. It's wrong on every level.

For Conservatives pushing this legislation, however, none of this matters. They want their mass internet censorship and if it means endangering the lives of Canadians, that’s a sacrifice the party is willing to make because ideology overrules everything else for them – evidence be damned.

This is a big reason why I hope that if the worst case scenario happens and this legislation passes, it would get slapped down in the courts as being blatantly unconstitutional. It’s a violation of freedom of expression because we are talking about a government censoring otherwise legal forms of speech. It’s this very scenario that civil rights like freedom of expression sought to protect against.

As for people who freak out about the existence of pornographic material, the simple answer here is to not watch or otherwise consume it. No one is saying you have to. If you don’t like it, don’t check it out. There’s a LOT of other kinds of material on the internet.

If you are freaked out about your kid consuming it, there are plenty of solutions like NetNanny that are designed for this particular scenario. Solutions like that have existed for years, and nothing has stopped parents from using such services. What's more, major social media services offer similar controls as well. Major Canadian ISP Telus offers information resources on this subject. This is not rocket science. Contrary to what the alarmists would have you believe, parenting can, in fact, make a difference in protecting kids' online safety. Parents aren't, in fact, helpless here, and it's insulting to suggest otherwise.

At any rate, the ends don't even come close to justifying the means. At best, larger services will end up getting swept up into this censorship regime while smaller, less safe services will fly under the radar. As a result, people will become less safe, because who knows how many of these smaller websites distribute malware. What's more, even supporters admit that nothing will stop children from circumventing these government censorship measures by using a VPN or whatever other methods they would likely employ. After all, kids who grow up with the internet aren't stupid, contrary to what Bill S-210 supporters would have you believe. Not exactly an "industry standard" to be proud of.

Drew Wilson on Mastodon, Twitter and Facebook.
