Around 2012, I was walking through the Santa Monica promenade with some visiting friends. We did the tourist thing: looked at the performers, walked by the beach, and ate some delicious crepes. When the sun went down, we decided to go to the movie theater. Being well into my twenties, I was shocked when the clerk asked us to show our IDs before we could purchase tickets to what didn't look like a R-rated movie. The movie was Bernie. We presented our IDs by placing them against the thick glass while the clerk read each one with impressive speed and nodded at us.
I liked the movie. It was dark but funny, just what you'd expect from Jack Black. But it was the first time anyone had asked me to show proof of my age. I certainly thought I looked older than 18 and wouldn't need to be carded. In 2010, California had redesigned their IDs specifically to make it easier for merchants to verify age. They included a red strip to indicate when the cardholder would turn 21. So you didn't need to find the date of birth, written in small print, and do the math to figure out how old someone was. The date was printed in the red strip. Though these upgrades were slow to roll out.
But of course, IDs aren't perfect. It's easy to fool a person. A fake ID flashed behind thick acrylic glass won't be detected. As each state tries to improve the reliability of an ID, attempting to make it as secure as possible, people always find ways around them. With the prevalence of fake IDs, businesses started using UV light devices that show holograms only present in real IDs. But when the Department of Motor Vehicles (DMV) is the one issuing fake IDs, there's little chance anyone would detect them.
In any case, these security measures are at the discretion of a cashier, a bouncer at a club, or a movie theater clerk. They physically have to look at the card, confirm it, and hand it back to you. The information only exists in their head. This is fine by me. But why is it such a big deal when we're asked to verify our IDs online? This physical verification, flawed as it may be, keeps the risk contained to that single moment. Online verification, however, creates an entirely different category of risk.
A few years ago, I received a letter in the mail addressed to my then-toddler. It was from a company I had never heard of. Apparently, there had been a breach and some customer information had been stolen. They offered a year of credit monitoring and other services. I had to read through every single word in that barrage of text to find out that this was a subcontractor with the hospital where my kids were born. So my kid's information was stolen before he could talk. Interestingly, they didn't send any letter about his twin brother. I'm pretty sure his name was right there next to his brother's in the database.
Here was a company that I had no interaction with, that I had never done business with, that somehow managed to lose our private information to criminals. That's the problem with online identity. If I upload my ID online for verification, it has to go through the wires. Once it reaches someone else's server, I can never get it back, and I have no control over what they do with it.
When a company promises to delete your ID after they verify it, there's no way to verify that claim. Recently, an app called "Tea Dating Advice" was hacked and leaked users' information. This woman centric-app, required users to upload their IDs in order to prove that they were women. In their privacy policy, they stated that photos are “securely processed and stored only temporarily and will be deleted immediately following the completion of the verification process.” Yet when hackers breached the app, they released photos dating back years.
In other words, they had lied. They could hire an external auditor to assure us that their data is in fact deleted, that would be reassuring. But even with an external auditor, as the Enron scandal showed, assurances can be deceptive.
In computer parlance, there's no such thing as deleting a file. When you delete it, there's always the chance for it to be recovered. Companies that have robust backup systems may delete it from the principal source but never bother looking at the backups, where the file remains intact.
Sometimes, you can create an unintentional copy of a file. Let's say you upload a photo of your ID to a server from your iPhone. The image isn't optimized for the web, so the server converts it into several file sizes and formats. When there's a request to delete it, these new files may get deleted, but the original remains stored on a server somewhere. (S3 with default settings anyone?)
There's a possibility that the image gets uploaded to a third-party service that does the image processing. I'll assume that's what my kids' hospital did. They shared information with a third party for whatever reason, and now the data has leaked.
We can go further. There's the concept of Harvest Now, Decrypt Later. A malicious actor can monitor encrypted traffic from a server they deem important and siphon all the data they can get now. The hope is, in the future, once quantum computers are available, they could decrypt this information and make use of the data. This means that even if a company uses state-of-the-art encryption today, the data you've entrusted to them could be at risk years or even decades from now, after you've long since forgotten about it.
The contrast is stark. In that Santa Monica movie theater, showing my ID was a simple, controlled transaction: one person looked at it for three seconds, handed it back, and forgot about it. The information never left that moment. But online, that same verification process transforms into something far more risky. A digital journey through countless servers, databases, and third-party services, each one a potential point of failure.
What appears to be the same simple request "please verify your identity", becomes fundamentally different when mediated by technology. The question isn't whether these digital systems will be compromised, but when. And unlike that movie theater clerk who can't perfectly recall my birthdate minutes after seeing it, computers have perfect memory. They store, copy, backup, and transmit our most sensitive information through networks we don't control, to companies we've never heard of, under policies we'll never read.
The convenience of digital verification comes with a hidden cost: we trade the ephemeral nature of human interaction for the permanent vulnerability of digital storage. What looks simple online carries incalculable risks that we're only beginning to understand. The illusion of convenience may be the most dangerous security risk of all.
Did you like this article? You can buy me a coffee.
Share your insightful comments here.
Comments
There are no comments added yet.
Let's hear your thoughts