upvote

points

by accrual11 hours ago |
comments
upvoteby pavel_lishin10 hours ago|
next
[-]
> The ID is immediately deleted. We do not keep any information around like your name, the city that you live in, if you used a birth certificate or something else, any of that information.

This is also contradicted by what Discord actually says:

> Quick deletion: Identity documents submitted to our vendor partners are deleted quickly— in most cases, immediately after age confirmation.

What are the non-most cases?

reply
upvoteby rsynnott9 hours ago|
parent|
next
[-]
Also, _Discord_ deleting them is really only half the battle; random vendors deleting them remains an issue.
reply
upvoteby rockskon8 hours ago|
parent|
next
[-]
Not to mention collecting them at all means those servers are a primo location for state actors to stage themselves to make copies of data before being deleted.

To say nothing of insider threats of which likely exist across every major social media platform in service to foreign govs.

reply
upvoteby AlienRobot4 hours ago|
parent|
prev|
[-]
Weird that I have to get a list of all the cookie vendors that know I visit a website to show me an ad about something I already bought but the guys with my ID don't need to be listed.
reply
upvoteby throw202512208 hours ago|
parent|
prev|
[-]
Since when the city one lives in is mentioned in the birth certificate?
reply
upvoteby smcin7 hours ago|
parent|
[-]
It was only one example they gave, and they accept multiple different types of ID; a driver's license or national ID card being other likely ones, and DLs do say where you live.
reply
upvoteby kvdveer6 hours ago|
parent|
next
[-]
None of those documents reliably state my city of residence. At best they document where I once lived, but not even that is guaranteed.
reply
upvoteby xnyan2 hours ago|
parent|
next
[-]
Not updating your DL after changing your address is a crime* in all US states. I'm not as familiar with law elsewhere, but would be surprised if that's not true most other places.

*There are exceptions for active duty military personal and other limited exceptions.

reply
upvoteby malfist4 hours ago|
parent|
prev|
[-]
You are legally required to update those within 10 days of moving.
reply
upvoteby throw202512205 hours ago|
parent|
prev|
[-]
What kind of tyranny do you live in? None of the documents I have on me say where I live.
reply
upvoteby swiftcoder5 hours ago|
parent|
next
[-]
It's pretty standard in a lot of Europe, one is required to update ones license with each change of address (although many people don't).

Along with such weird (to us) things as applying for an exit visa from your current town when you want to move to a new town...

reply
upvoteby throw202512205 hours ago|
parent|
[-]
Which parts of Europe have a town of where the person lives on their driving license? And what do you mean by “us”?
reply
upvoteby swiftcoder5 hours ago|
parent|
next
[-]
My Spanish identity card has my full address. Not sure if the DNI does as well, or only the foreign resident version.

> And what do you mean by “us”?

US folks are pretty used to being able to up and drive across the country with a suitcase, without filing any paperwork (at least till the taxman comes knocking next April)

reply
upvoteby Forgeties793 hours ago|
parent|
next
[-]
Have to get your vehicle registered in your new state as well (if you own one) as well as your driver’s license. God help you if your vehicle is towed and your license/vehicle is not registered in the current state. Absolute mess.
reply
upvoteby throw202512205 hours ago|
parent|
prev|
[-]
I ask you about drivers license, you tell me about the national ID.
reply
upvoteby azernik1 hours ago|
parent|
[-]
You did not ask about driver's licenses. You asked about "document I have on me".

Many people in many countries carry their national ID card in instances where Americans would carry their driver's license.

(And, to be clear, if you are American and drive, your driver's license contains your address.)

reply
upvoteby gambiting5 hours ago|
parent|
prev|
[-]
UK driver's licence has my full home address on it. Come to think of it I think my Polish one used to as well.
reply
upvoteby mcapodici5 hours ago|
parent|
prev|
[-]
Australia and UK goes the full distance. Your full address: https://en.wikipedia.org/wiki/Driver%27s_licences_in_Austral...
reply
upvoteby CGMthrowaway6 hours ago|
prev|
next
[-]
> The ID is immediately deleted. We do not keep any information around like your name, the city that you live in, if you used a birth certificate or something else, any of that information.

Everyone says this, including the TSA. But they never say they don't keep a hash, or an eigenvector of your biometric. Which is equally as important.

reply
upvoteby hinata085 hours ago|
parent|
[-]
They also never say it goes through datacenters in room 641A or though Utah before it's "deleted", because it's a US company and they can't refuse that.
reply
upvoteby debo_8 hours ago|
prev|
next
[-]
I believe the original finding was that they were not deleting IDs that were involved in disputes.
reply
upvoteby wolvoleo11 hours ago|
prev|
next
[-]
And do they really actually delete it this time?
reply
upvoteby fruitworks1 hours ago|
parent|
[-]
I have it on good authority that they really truly delete it this time, super duper pinky promise
reply
upvoteby Aurornis7 hours ago|
prev|
next
[-]
They explained it in their announcement at https://discord.com/press-releases/update-on-security-incide...

TL;DR: The IDs were used in age-related appeals. If someone's account was banned for being too young they have to submit an ID as part of the appeal. Appeals take time to process and review.

Discord has 200,000,000 users and age verification happens a lot due to the number of young users and different countries.

reply
upvoteby plorg7 hours ago|
parent|
next
[-]
Why should we suspect the age verification and age-related appeals would involve different teams or processes?
reply
upvoteby elpasi5 hours ago|
parent|
next
[-]
Age verification is done by an iframe to k-id.com.

Appeals are done in the actual Discord ticketing system.

reply
upvoteby Aurornis5 hours ago|
parent|
prev|
[-]
Appeals are like escalations. They bypass automations and move to manual review.
reply
upvoteby reactordev6 hours ago|
parent|
prev|
[-]
This is corporate cover speak for “we keep all data”
reply
upvoteby bilekas6 hours ago|
prev|
next
[-]
Until we have some kind of "One Time ID Verification" service that would work, the ID will never be deleted. Or a hash of the info or some kind of identifiable info.
reply
upvoteby varispeed8 hours ago|
prev|
next
[-]
> The ID is immediately deleted.

I call it bollocks. Likely they have to keep it for audit and other purposes.

reply
upvoteby smaudet7 hours ago|
parent|
next
[-]
"delete" doesn't mean delete anymore, like you say, there are always audit logs, and there is "soft" deleting.

Expect any claims that things are being deleted to be a bold faced lie.

reply
upvoteby subscribed6 hours ago|
parent|
prev|
[-]
They wouldn't _have to_, audit checks if you stick to law, your own policies and such, but I think they will.
reply
upvoteby varispeed6 hours ago|
parent|
[-]
So how do they prove they actually checked someone's age?
reply
upvoteby Gigachad5 hours ago|
parent|
next
[-]
They don’t need to prove that. The government or whatever would have to prove that they aren’t checking ages, by going to the site and seeing a lack of age verification.
reply
upvoteby lII1lIlI11ll5 hours ago|
parent|
prev|
[-]
How does shop clerk proves they checked someone's age before selling them alcohol?
reply
upvoteby observationist8 hours ago|
prev|
next
[-]
They're a nonsense company, and trusting them with any information is foolish. They'll store everything and anything, because data is valuable, and won't delete anything unless legally compelled to and held accountable by third party independent verification. This is the default.

The purpose of things is what they do. They're an adtech user data collection company, they're not a user information securing company.

reply
upvoteby Hikikomori10 hours ago|
prev|
next
[-]
>Why they didn't do that the first time?

The company they hired to do the support tickets archived them, including attachments, rather than deleting them.

reply
upvoteby engineeringwoke8 hours ago|
parent|
next
[-]
Ah sorry our contractor did all that highly illegal stuff. Too bad we can't pierce the corporate veil anymore... shucks.
reply
upvoteby malfist10 hours ago|
parent|
prev|
next
[-]
Ah, so it was the "staffer" excuse.
reply
upvoteby hn_acc16 hours ago|
parent|
[-]
rogue engineer
reply
upvoteby joquarky10 hours ago|
parent|
prev|
[-]
How convenient.
reply
upvoteby einpoklum2 hours ago|
prev|
next
[-]
> We do not keep any information around like your name

But they might be sending a copy to the NSA, similarly to how Alphabet, Yahoo, Apple, Meta etc. have been doing (PRISM program, part of the Snowden revelation [1]). The US has the legal mechanisms of requiring this to happen, secretly, such as NSLs [2].

[1] : https://en.wikipedia.org/wiki/PRISM

[2] : https://en.wikipedia.org/wiki/National_security_letter

reply
upvoteby _ink_7 hours ago|
prev|
next
[-]
Compliance
reply
upvoteby moffkalast3 hours ago|
prev|
next
[-]
Sigh, I guess it's time to move platforms again or get your identity stolen. The more a company makes a fuss about trusting users, the more likely they store all of their shit in plaintext with vibe coded server security.
reply
upvoteby reactordev6 hours ago|
prev|
next
[-]
Liars…
reply
upvoteby IhateAI_38 hours ago|
prev|
[-]
[dead]
reply