And for things like passport or other ID details, there's also no reason to expose them publicly at all after they've been entered. If you want an API available to fetch the data so you can display it in the UI, there's no need to include the full passport/ID number; at the very least it can be obscured with only the last few digits sent back via the API.

But for something like a dating site, It's enough for the API to just return a boolean verified/not-verified for the ID status (or an enum of something like 'not-verified', 'passport', 'drivers-license', etc.). There's no real need to display any of the details to the client/UI.

(In contrast with, say, and airline app where you need to select an identity document for immigration purposes, where you'd want to give the user more details so they can make the choice. But even then, as they do in the United app, they only show the last few digits of the passport number... hopefully that's all that's sent over their internal API as well.)

The UK government are trying really hard to mandate IDs for access to porn sites. Can't wait for that to blow up in their faces.

"They" don't care, the entire point of many of these laws is to increase the friction and fear of being disclosed that you don't visit these sites in the first place.

Generally speaking, the UK government doesn’t care about it's citizens. That’s why so many left to the USA for a better life.

There should to be some kind of government operated identity confirmation service that is secure/private.

Or by someone "government-like" such as Apple or Google.

OAuth exists and can be used to confirm someone's identity by linking their Google account.

To be fair, I wouldn't want my google account linked to my dating profile. Aggregating services has risks too.

Maybe secondary google account.

Yea, but then what I have to upload my passport through a service linked to that secondary. It's not really tenable.

Linking a Google account doesn't confirm your identity, though. It just confirms that you created a Google account with a particular name.

A Google account does nothing to prove identity

Government is the worst possible solution to every problem.

(not an attack on you. I have to say that every time I see someone say anything along the lines of "the government should do it")

Government is made the worst possible solution thanks to lobbying and lawyers. It doesn't have to be this way.

I would rather see an FDPA (Federal Data Protection Administration) which goes after people who get this stuff wrong.

when I worked for the government, within 2 months they had leaked all of my data to the black market.

Governments should not be confirming shit.

The government already has all your data so I'm not sure who you think should be confirming identity.

and my point is that they leak it. So it's hardly useful to have them both house and confirm the data when they can't house it properly.

They'll be confirming data that is publicly available.

But what additional data are you worried about them having?

If a private company can't do it. You can bet double or nothing that the government can't do it:

https://news.ycombinator.com/item?id=43996307

See; GDPR

https://en.wikipedia.org/wiki/General_Data_Protection_Regula...

The US desperately needs similar legislation.

Were they not using some kind of third party identity verification service? That's what I usually see apps do. Don't tell me those third party services still share your ID with the app (like the actual images)?

Read the article. They clearly have their own OTP setup.

But if they are asking for your passport, then they have access to it. It's not a third party asking and providing them with some checkmark or other reduced risk data.

I have read the article and OTP has nothing to do with identity verification. I'm asking because every single time I went through identity verification the app used a third party service that is supposed to be trustworthy.

I see what you mean. But they literally had passport front/back URLs, so they aren't using a third party for that either.