(no title)

It is a common misconception that facts are reported because they are surprising. Facts are reported because they are important. More and more governments are passing age verification laws which put exactly this data in to the hands of even more shady private companies. This breach serves as evidence that those laws are misguided, and spreading news of this event may help build public support for those efforts.

> I don't particularly blame any one corporation, this is a systemic issue of governments not having/not enforcing serious security measures

Wrong, governments caused the issue because they demand customers to ID themselves. There exists not a single viable security measure aside from not collecting the data. Government is also not able to propose any security measures.

Unlikely that the data will ever be deleted now, no matter if Discord pays any ransoms or not.

It's not surprising because there's never been a significant penalty for it, I guess because everybody just got completely used to massive breaches without much reaction. But then again it's very hard to get legislation passed that's not in the interests of big business.

ZK proofs for identity can't go mainstream quick enough. I agree with what you're saying completely. It's frustrating that we have the technology now to verify aspects of someone's identity without revealing it, but that it's going to take forever to become robust enough for mainstream use.

What's wild is that the burden keeps falling on individuals to be ultra-cautious, while the systems handling the data rarely face meaningful consequences

For years, I resisted TSA Pre check on principle, even though I was a frequent traveler. I finally relented when I realized there were places like Thailand that force you to give your biometrics, and almost certainly sell them back to shadowy US agencies.

Developer time is more valuable than user data. The market is being efficient.

Also this is an issue with people willing to send important documents to some company with which they do not even have a written agreement.

I told the 2 servers I hang in about a month ago that if I randomly disappear it’s because I can’t login without an ID and I’m simply not doing it/that they should consider the post my preemptive “goodbye.” I included where to contact me for those who want to. Frankly I think anyone on discord should do the same

There's a surprising amount of people pro-age verification in this thread https://news.ycombinator.com/item?id=45424888

(I don't really want to call out specific comments)

So I'm sure this article may be surprising to them.

> "or there will, sooner or later, be a breach of their poorly secured system."

It doesn't even need to be poorly secured. The oldest form of hacking is social engineering. If a company is storing valuable enough information, all one needs to do is compel the lowest common denominator with access to it to intentionally or inadvertently provide access.

You can try to create all the sort loopholes and redundancies but in general the reality is that no system is ever going to be truly secure. Another reality is that many of the people with the greatest level of access will not be technical by nature. For instance apparently the DNC hacks were carried out by a textbook phishing email - 'You've like totally been hacked, click on this anonymizer link to leads to Goog1e.com so we can confirm your identity.'

I blame companies (including discord) for collecting as much information as they can instead of as little as possible. More data collected -> more data that will eventually get sold / leaked / hacked.

I very much do blame the corporations and governments that push for these kinds of policies in some way or another.

We see things like this, which happen about as often as fucking rainfall in a mountain forest, and then also see the ever increasing push towards ID verification by corporations and government organizations that pinkie-promise to secure or not retain any of the personal data you were wrist-burned into handing over to them.

What a toxic mix of garbage that becomes. The result is crap like the above, making the internet ever worse and basic personal data security (to not even speak of lofty things like digital privacy and using the internet anonymously) pretty much null and void even if you really do try to take the right steps.

> "this is a systemic issue of governments not having/not enforcing serious security measures"

Is it this, or is it a "systemic issue of governments not minding their own damn business"???

If “serious security measures” involves anything to that 2fa authentication that any normal person hates with a passion then you can forget about it.

The real, long term answer to all this consists in having less of our lives in digital presence, that even means less digital government thingies and, yes, less payments and other money-related issues being handled online.

Honestly I don't understand why so many things are tied to one secret _that you have to share with others_ all the time.

Why is there no rotation possible? Why is there no API to issue a new secret and mark the previous one as leaked? Why is there no way to have a temporary validation code for travels, which gets auto revoked once the citizens are back in their home country?

It's like governments don't understand what identity actually means, and always confuse it with publicity of secrets.

I mean, more modern digital passports now have a public and private key. But they put the private key on the card, which essentially is an absolute anti pattern and makes the key infrastructure just as pointless.

If you as a government agency have a system in place that does not accommodate for the use case that passports are stolen all the time, you must be utterly out of touch with reality.

I don't think you have become jaded. It's just the truth of the internet.

If you upload anything to the internet, it's public. Even the passwords you type are potentially public.

Same. I automatically assume that all information I send to any organisation will end up on the Internet sooner or later be it by accident or sold to some shady third party.

> I basically treat it as 'any member of public can now access it'.

Still remember the conversation over "mega apps"?

Based on my experience with Alipay, which was a Chinese financial focused mega app but now more like a platform of everything plus money, the idea of treating every bit information you uploaded online as public info is laughable.

Back when Alipay was really just a financial app, it make sense for it to collect private information, facial data, government issued ID etc. But now as a mega app, the "smaller app" running inside it can also request permission to read these private information if they wanted to, and since most users are idiots don't know how to read, they will just click whatever you want them to click (it really work like this, magic!).

Alipay of course pretends to have protection in place, but we all know why it's there: just to make it legally look like it's the user's fault if something went wrong -- it's not even very delicate or complex. Kinda like what the idea "(you should) treat it (things uploaded online) as 'any member of public can now access'" tries to do, blame the user, punch down, easy done.

But fundamentally, the information was provided and used in different context, user provided the information without knowing exactly how the information will be used in the future. It's a Bait-and-switch, just that simple.

Of course, Discord isn't Alipay, but that's just because they're not a mega app, yet. A much healthier mentality is ask those companies to NOT to collect these data, or refuse to use their products. For example, I've not ever uploaded my government ID photos to Discord, if some feature requires it, I just don't use that feature.

Couldn't agree more, save for your last sentence. How do you avoid that? We need to provide o Digital papers to a number of different people for proper handling

For us it's too late. But we must push for better laws and build better systems for those that come after us.

> this is a systemic issue of governments not having/not enforcing serious security measures.

To do so seems impractical. Imagine the government machinery that would be required to audit all companies and organizations and services to which someone can upload PII.

Not tractable.

> I just completely dropped the expectation of my information being private

There are all the reasons in the world to feel that way. The scary thing (says troyvit as he passes out the tinfoil hats) is that privacy laws are all about an "expectation of privacy." In other words we all expect privacy when we're in our bathrooms, so government surveillance in the bathroom is hard to justify. Now that there are cameras in supermarket checkouts, and we all expect them, legally that's no longer a privacy concern and we can't claim that our privacy is being unreasonably infringed.

And what you're saying is that now we've reached the stage in history where through incompetence and greed we shouldn't expect any privacy anyway, and that opens the door for all kinds of surveillance because our expectations have fallen so low. I'm not a lawyer btw so take it all with a grain of salt.

You really think governments could write rules that would help this?

The only rule I can imagine is big penalties for data being breached, no matter the cause, but do we actually think it's a multi million dollar problem for 70k photos to be released? Hard problem.

It’s surprising that it happened to a big name like Discord in this day and age. Huge data breaches of large tech companies are becoming increasingly rare as security in general is getting better.