Proliferating Age Verification Systems a Hacker Target

An attack against a Discord third-party customer service provider storing mandatory age verification data is likely part of a proliferating wave of hacks against databases created by new laws meant to shield minors from inappropriate content, warn cybersecurity experts.
The social platform said Friday that a vendor was compromised in an apparent extortion attempt in a breach that exposed names, emails, payment information, IP addresses and copies of some government IDs submitted for age verification. Discord said it revoked the partner’s access and is notifying affected users.
“This case lays bare the privacy risks of even so-called ‘privacy-protective’ age-assurance approaches,” said Aliya Bhatia, senior policy analyst at the Center for Democracy and Technology. Discord is the latest service where hackers accessed ID data collected to help users appeal age determinations. “When companies pursue less invasive age assurance means, they may still have to collect more sensitive data like government IDs to help users fix incorrect age determinations made by less-invasive assurance processes.”
“Regardless of the approach then, users are vulnerable to privacy risks which can have immense implications for their safety,” she added.
Discord said its core platform wasn’t directly breached and the impact of the hacking was limited to users who had communicated with its customer support or trust and safety teams. Internet security groups have increasingly pointed to a growing pattern of third-party exposures across the tech industry involving age verification systems and other portals that collect and at times retain sensitive customer information.
“Online age verification is not like flashing an ID card in person to buy particular physical items,” the Electronic Frontier Foundation wrote in a recent blog post. “In places that lack comprehensive data privacy legislation, the risk of surveillance is extensive.”
As more states move to enforce age-verification mandates for access to certain websites, experts say companies now face both complex compliance hurdles and growing cybersecurity risks tied to the collection of sensitive personal data. Requiring users to upload a government ID introduces privacy threats that other verification methods – like confirming credit card ownership – do not, said Tom McBrien, an attorney at the Electronic Privacy Information Center.
“There are many ways to assure age online, not all of which implicate the same privacy concerns,” McBrien said. Laws requiring or incentivizing age assurance should explicitly require data processors to follow best security practices and levy heavy penalties for non-compliance, he said. “The gold standard would be a strong federal comprehensive privacy bill requiring things such as data minimization, but Congress has failed to pass one.”
Discord did not immediately respond to a request for comment. “Users lose when they have to provide access to sensitive data to access information,” Bhatia said. “By requiring users to show ID to access the web, users’ ability to access the web anonymously or without identifying themselves ceases to exist.”