from Hacker News

Stripe Identity

by thomaspark on 6/14/21, 2:32 PM with 536 comments

• by agwa on 6/14/21, 5:39 PM

  Considering that Stripe was originally known for letting websites accept credit card payments without seeing your credit card number, one might assume that Stripe Identity only allows websites to see the verification result, and not your selfies and scans of your identity documents.

  That would be an incorrect assumption. Per https://support.stripe.com/questions/managing-your-id-verifi... customers of Stripe Identity have API access to "captured images of the ID document, selfies, extracted data from the ID document, keyed-in information, and the verification result".

  Thus, when you use Stripe Identity to verify your identity, you have to trust that:

  1. The website doesn't download, retain, and later leak your selfie and identity information.

  2. The website's Stripe API token isn't compromised and exploited by identity thieves to access your selfie and identity information.

  Stripe appears to be leaning heavily on their claim that they don't disclose "biometric identifiers" to websites and that these "biometric identifiers" are deleted from their systems within 48 hours. This is extremely deceptive considering that biometric identifiers can be reconstructed from the selfie.

• by gruez on 6/14/21, 3:36 PM

  The landing page contains logos for clubhouse, discord, and shippo, which are presumably companies use the service. Does anyone find those usages to be unnecessarily intrusive? Maybe it's just me, but a chat app or shipping site asking me for a drivers license scan + selfie would make me never want to use the service again. It's appalling how this sort of stuff is getting normalized, eg. google asking for id scans for age verification.

• by motohagiography on 6/14/21, 4:57 PM

  Smart. Banks haven't been allowed to monetize their KYC data, but this new non-bank class of payments companies have this opportunity. Interac has been trying to do this for many years.

  Some years ago I worked on a system let banks do identity assertions with proofs via SAML attributes instead of sharing customer PII. It is now a federation of banks in wide use for govt services in Canada. The use cases were really limited because the federation partners were too conservative to extend the identity services to relying party consumer applications real people actually wanted to use, and institutional sales cycles meant product feedback was glacial, so it has existed for over a decade in this relative backwater of gov-tech. I think identity companies have mostly failed to get traction because of a terminal lack of consumer sexiness, whereas Stripe has the jelly.

  Other companies in the identity space have been working on protocols and platforms, but none of them had a user base to extend an identity federation services into, which means they have never been able to make a real or viable product, just interesting techs. An internet payment provider with young consumer traction getting into identity is a Very Big Deal.

  It's going to position Stripe to knock out a lot of retail banks who can't offer similar services. Imo, this could make them bigger than Apple.

• by elric on 6/14/21, 5:17 PM

  There's definitely a market for this. Back when I worked in porn (in the camming sphere), we had a team of moderators whose main job was verifying the identity (especially age) of performers. With over 10k performers, this was a lot of work. And you can't just do it once. You have to do it every time a performer starts a performance. People would try all sorts of tricks, like taking a picture of themselves with an older sister's ID, all kinds of fake IDs, some better than others. Verifying an identity over webcam is no easy feat, those moderators had to be able to tell different passports apart (many, many, nationalities), tease out the fakes, and then make sure that they person in the ID is the same person presenting the ID. Problem is multiplied by the number of performers in the room. Performers who are eager to start making money instead of satisfying the moderators checklist.

• by f38zf5vdt on 6/14/21, 3:04 PM

  Does Stripe intend to make a giant online database of international identity documents? Why should we trust Stripe to secure these? It could be Equifax levels of problematic if there would be a intrusion, but I also can't tell how Stripe plans to use this information.

• by tracedddd on 6/14/21, 3:27 PM

  I really despise this trend of uploading your ID and a selfie for verification. I know it makes sense in some legal frameworks, but beyond that I find it invasive and risky (and rude.)

• by pbowyer on 6/14/21, 3:23 PM

  At work we do eIDV of customers and we tested 5 companies. One was quality but too expensive and required too large commitments; two couldn't detect badly photoshopped frauds we threw together, another couldn't detect a printed or on-screen copy of a document being captured (vs the real document - difficult to do, but important). The fifth which we're using can detect printed copies of documents around half the time, but their OCR is shockingly poor when it comes to recognising DoBs so we have to manually check and update the age.

  We'll try Stripe and see how much fraud they can detect.

• by hn_throwaway_99 on 6/14/21, 2:47 PM

  The Stripe Identity product is fantastic. Some of the most impressive things:

  1. If you are at a desktop, there is an easy transition to using your phone to take a picture of your ID (or a selfie if that's the use case - it will match selfies with ID photos), and then complete verification on the desktop.

  2. It does all the image analysis (i.e. is the ID in focus, etc.) in browser without the need for a native app.

• by mikeiz404 on 6/14/21, 10:03 PM

  This seems like a really useful service but I am concerned this is going to normalize requiring identity info for sites which do not legally need it. I imagine the pretext for most will be fraud prevention, and while this might be true, I cannot see how this wouldn’t eventually be used for ad targeting and other “consumer is the product” funding models without regulation restricting it.

• by gima on 6/14/21, 4:41 PM

  EU is apparently about to design and roll out Europe-wide digital ID service: https://ec.europa.eu/commission/presscorner/detail/en/IP_21_...

• by troelsSteegin on 6/14/21, 3:19 PM

  Wow, I would like to know about this has been engineered and QA'd. Owning this system on the product side would keep me awake nights. One question is tolerance on false negatives (you don't look enough like your govt id) - maybe they collect additional information, and use third party service for corroboration.

  If my Stripe Identity can be used across vendors, it's almost like a digital passport. I'll ask, in jest, are Stripe and Estonia (https://e-resident.gov.ee/) in competition?

• by superasn on 6/14/21, 4:30 PM

  Had to do this on a site recently and it didn't work for me at all.

  It wanted to scan the back of my dl but Indian dls are totally blank at the back. Then it said my webcam wasn't good enough and showed me a QR code to use for my mobile. The link never opened. Tried it 3 times and 5 minutes later I just googled the next alternative site and bought it from there.

  Lesson being use this only if it is totally necessary. You may lose paying customers in your overzealousness to be super tech savvy to KISS sites using a Paypal button.

• by searchableguy on 6/14/21, 2:50 PM

  The pricing link on the top doesn't refer to any pricing section on the page. Is it missing?

  Edit: This seems to be an internationalization problem. I am from India. The pricing section for Indian page https://stripe.com/en-in/identity#pricing is missing so the link doesn't work.

• by ngoel36 on 6/14/21, 2:42 PM

  I've never seen a company release incredible products with as high velocity as Stripe has over the last few years. Truly incredible. $1.50/user may sound outrageously expensive at first, but having seen all the engineering power it takes to build something like this at Uber...it's a totally fair price.

• by ianhawes on 6/14/21, 3:01 PM

  This is a refreshingly affordable and beneficial offering.

  I did a deep-dive on KYC providers last year. The more well-known folks commanded 5 figure setup fees, wanted 1 to 2 year commitments, and sought to have you pre-pay for verifications. It reminded me of internet credit card processing pre-Stripe.

• by willeh on 6/14/21, 2:46 PM

  Absolute game changer, other actors in this market have big bulky sales processes with difficult pricing models and high commitment. If Stripe is competitive on pricing they will definitely win this market.

• by throwaway9398 on 6/14/21, 3:16 PM

  I gave up on Stripe because they clearly are a US-focused company, and do not have a global outlook. I find it disappointing that after so many years of being in business, their payment processing services are still only available to a few dozen countries. This for example makes it impossible to rely on them to build a global marketplace with Stripe Connect accepting merchants from all over the world.

  Stripe is not for those seeking to run truly international businesses. We've been patient, but we eventually realized that they simply do not care. We care about Sub-Saharan Africa and Latin America, but they do not. We do not trust them to prioritize the global availability of their offerings at this point, and as a result we no longer even bother checking out their offerings. What's the point if instead of empowering us, they restrict our business model.

• by maxehmookau on 6/14/21, 3:13 PM

  This just won in terms of simplicity, ease of use and cost. Especially in the UK. There are no other competitors at this price point right now.

• by sidcool on 6/14/21, 3:29 PM

  Isn't this a privacy nightmare? All that data in Stripe data centers.

• by AnssiH on 6/14/21, 4:50 PM

  The way domestic services (both public and private) in Finland verify user's identity is via bank credentials (Finnish Trust Network), via Mobile ID (Mobiilivarmenne), or via government FINeID. All these involve multi-factor authentication.

  The service then gets the user's personal identity code as a return value.

  Looks like that kind of flow is not supported.

  Finnish users will be very hesitant of giving scans of their ID documents to foreign companies as no domestic online services require them. And of course Finnish companies cannot practically use this for now, at least for domestic users.

• by gip on 6/14/21, 8:24 PM

  I've worked in risk & fraud for some time now. As online platforms become mainstreams and are easier to build I think Trust and Safety is going to become the key differientiator. Stripe Indentity will no doubt play a big role and benefit the whole internet.

  Are any accuracy numbers for Stripe Identity currently available? I'm working with a merchant in Europe who is struggling due to fraud. Would be cool to figure out if Stripe Identity will improve over their current solution.

• by SLWW on 6/14/21, 10:55 PM

  It really makes you wonder what kind of optics they are looking through when coming up with these things. Literally no one (at least not the majority of individuals) wants this.

  It's one of those things that you expect a more shady company to release. Then again (and it's all hearsay mind you) that they are not a good company to work with, and when talking to employees who left, they don't seem like a good company to work for.

  Stick to CCs, that's intrusive enough.

• by mvanga on 6/14/21, 2:45 PM

  Amazing how Stripe consistently executes fantastic solutions for all the very real and difficult pain points of building commercial products on the web. Fantastic work!

• by MattIPv4 on 6/14/21, 2:47 PM

  Having experienced the end-user flow for Identity when doing bot verification on Discord, this was an incredibly seamless product back then, when it was presumably in beta. Can only imagine its even cleaner and faster now its officially released.

• by pg_bot on 6/14/21, 3:08 PM

  Any folks at Stripe want to chat about a HIPAA compliant version of this? I know some folks who may be interested...

• by apexalpha on 6/14/21, 3:30 PM

  Is this new? (to the USA?)

  Because I've used similar services inside apps dozens of times. Sometimes to verify a drivers license to ride a car, sometimes to verify my ID to register a bank account.

  Every time is was done in a few seconds so I assumed the companies used an API rather than every car-share building it themselves.

• by jmuguy on 6/14/21, 3:23 PM

  We’ve been using this to verify short term rental guests (non-Airbnb) for the past year and it’s been extremely positive. Given that our guests have trouble even following a link for check-in the identity product has some great UX, they rarely get stuck on it.

• by endisneigh on 6/14/21, 2:50 PM

  It’s not clear to me how you can detect a fake ID with machine learning. A persons appearance can change drastically - seems intractable

• by float4 on 6/14/21, 3:15 PM

  Shout out to Stripe for translating all their web pages!

  When an HN post sends me to a Dutch page, it's always Stripe. 100% of the time.

• by pedalpete on 6/15/21, 12:58 AM

  I think we'd be a perfect customer for this product, as we're in the consumer HaaS space, and one of the issues I've been made aware of by other HaaS companies is that they were getting subscriptions which would get the hardware, and then just disappear, resulting in a loss due to theft.

  I had been warned that stripe just wasn't set-up for this type of environment, but I think identity could really help.

  At the same time I'm VERY concerned that stripe has allowed the API to download the proof of identity. Just like I don't want to be managing customer credit cards, I don't want to manage customer identity documents either, and I don't want to upload my identity to a company that allows the documents to be downloaded.

  When I'm buying something on the internet, maybe I trust the company I'm buying from, maybe not but I know if they are using stripe, they never get my credit card number, so at most, they are able to only get away with the value of my purchase.

  My identity is another matter! If I trust stripe to manage my identity, that's probably ok. I don't think stripe should blanket allow their customers to download my identity. I get that perhaps some companies have this requirement, and I'd suggest that they need to be able to work with Stripe directly to enable this for them, but for every company that signs up with stripe to be able to download the identity file...it seems like a huge risk not worth taking.

• by ngngngng on 6/14/21, 5:42 PM

  This is funny timing. My neighbor is the CTO at a company managing identity and building out frameworks and products to help other companies do it themselves. He was trying to pitch me on joining. Sounded neat until I found out how much they focus on the blockchain. It's far too likely it's a gimmick tacked on for no reason but getting hype and investment. Blockchain just attracts all the wrong people in my experience.

  This looks cool though, and no gimmicks.

• by client4 on 6/14/21, 4:10 PM

  It looks like it's missing the user side of the equation. As in a user can validate they-are-who-they-say-they-are *once*, but Stripe is missing an opportunity to allow users to: validate themselves to a website regularly (OTP tied to identity), allow individuals to update their information (address change), allow individuals to revoke authentication, etc. It is a great foundation and there's huge opportunity for growth in this product.

• by andymoe on 6/14/21, 3:01 PM

  Cross posting this from Twitter but please consider marketing to states. They are using a company called IDMe to verify eligibility for benefits in the US and a family member (and thousands of others) have wasted days on the phone with them trying to get them to do verifications because their automatic verification tech does not work. (There are class actions against this co they are so bad)

• by orliesaurus on 6/14/21, 2:54 PM

  If this even reduces 20% of having to call up a human to verify my account because 'our systems have detected that you have accessed your account from an unknown location' then, yes please and thank you! Also interested to see what form of IDs it will accept! Only negative: Expensive...but I guess it's fair for it doing all the heavy lifting.

• by donjh on 6/14/21, 3:56 PM

  This marketing page is really delightful. The ID scan is a nice touch.

• by jmatthews on 6/14/21, 3:28 PM

  Not to take away from the accomplishment, but hopefully the "selfie auth" isn't considered the penultimate verification. With no social engineering, just finding a public photo of someone, one could composite a short video that would be very hard to distinguish from reality.

• by axiom92 on 6/14/21, 4:05 PM

  This is very cool!

  Looks like they have been working on it for a few years now. Here's a video from 2019 where someone from Stripe is giving a demo: https://www.youtube.com/watch?v=TDocEZ4f5ow.

• by xtat on 6/14/21, 9:40 PM

  Really confused why this blew up so big when there are so many such KYC options. Someone enlighten me?

• by rbaxt on 6/14/21, 3:25 PM

  One of the creepiest products of the last decade. Let's wait for the inevitable data breach.

• by client4 on 6/14/21, 4:06 PM

  I've been waiting for a service like this. I suspect we're on the precipice of a new Internet split, where one can be accessed with identity and the other is anonymous as we know it now. In some arenas, like comment sections, I welcome removing anonymity [1]. In other arenas I wonder if it will be used to divide populations online in some futuristic dystopian manner. For instance, only citizens of the United States with Good Credit and Good Social Score are allowed to read the Financial Times.

  [1] https://www.penny-arcade.com/comic/2004/03/19

• by spywaregorilla on 6/14/21, 2:44 PM

  How does this work?

• by choppaface on 6/14/21, 4:51 PM

  Sift has a longer list of logos on their landing page, though I’d imagine even at this point that Stripe has more data. Sift got hit hard being unprepared for CCPA, I wonder what Stripe’s position would be. I’m naive but it strikes me that if Stripe were to offer a cheaper version of this product that does not transactions but for UGC, then Sift might have trouble retaining customers.

  I’m also impressed that Stripe called this “Identity” instead of something more like “Trust and Safety.” The current name makes it sound more like Okta or something but that’s not the case. At least today. Perhaps they want this to grow to overtake stuff like Experian.

• by odiroot on 6/14/21, 3:11 PM

  I'm really surprised they don't support Polish IDs. We've had them in the same format for ages and I've done automatic verification with some other companies (e.g. Revolut).

  Multiple much smaller countries' IDs are supported.

• by morpheuskafka on 6/14/21, 4:39 PM

  Worth noting that if you need the SSN verification for a marketplace type app for tax compliance purposes, the IRS has a free taxpayer ID validation service you can use. The SSA also has one that employers can use.

• by sublimefire on 6/14/21, 4:57 PM

  There is still some room for improvement:

  * country code search - allow to search by a full country name or by other types of code. Was searching for Ireland and "irl", "ire" does not yield any results, only a direct match to "ie" does.

  * "Provide personal information" - could default to the country where the text message went or at least could have a search instead of a <select>

  Not sure if it is possible but some of the orgs will ask to limit the phone numbers to just one region, e.g. only UK. I know I need to RTFM

• by traspler on 6/14/21, 4:55 PM

  Does anyone know if it does liveness checks for the "selfie verification"? The docs are a bit vague on that.

  And do I understand "Stripe uses a combination of machine learning models, automated heuristic analysis and manual reviewers to verify the authenticity of hundreds of different document types." correctly in that I do not only upload video/images of my passport, face to stripe for automatic analysis but in some cases a human would even review it? Or is this a specific option I could choose?

• by strifey on 6/14/21, 10:36 PM

  I used this for an online car rental service recently. My only main complaint was that it didn't work with FF for Android. Once I switched to Chrome, everything was great, but I'm disappointed in how often sites expect to be ran in a Chromium-based browser these days.

  Still appreciate seeing Stripe's name when taking a pic of my ID rather than just the rather small startup I was using. No offense to small startups, but I might've balked at it otherwise.

• by terminator38 on 6/14/21, 4:20 PM

  > Access captured images of ID documents and selfies

  Why is this necessary? I thought the point was to trust Stripe with this data instead of many small companies which could abuse the data

• by xyst on 6/14/21, 9:07 PM

  Besides banks, brokerage, my accountant, or the government. Why would I give a private entity my ID to store as a ‘global’ user?

  Sounds like an epic data leak that’s waiting to happen.

• by randompwd on 6/14/21, 4:14 PM

  The only way to verify an identity is to call out to the identity issuer and confirm the details and pics on the id.

  A fake ID is still a fake ID. Just because it passes a looks-similar test doesn't mean it's being verified.

  verify > verb > make sure or demonstrate that (something) is true, accurate, or justified.

  If it's not confirmed by issuer(in person or programmatically), it can never be 100% thus can never be verified.

• by Etheryte on 6/14/21, 3:36 PM

  Looks like the page was freshly edited to remove the pricing information (?), but it's telling they're targeting a very similar price range as Veriff [0], a startup that's been working in the same space for quite a while.

  [0] https://www.veriff.com/pricing#starter-plans

• by jsonne on 6/14/21, 5:51 PM

  Can't tell you what a lifesaver this is and we're so excited to give it a shot. One of the challenges of adtech is there's a lot of bad actors trying to defraud ad platforms and a non insignificant amount of our time is thinking about how to minimize (can't eliminate) fraud. Having this baked into Stripe is a small miracle for us.

• by ullevaal on 6/14/21, 4:08 PM

  I'm surprised that they are not providing PAdES signatures here at the same time, do you think this is a direction they will be moving in?

  Also surprised they are not leaning more heavily into the existing identity solutions in the countries they are already operating in, like the Netherlands and the Nordics. Maybe hard to differantiate from existing competitors?

• by Dowwie on 6/14/21, 7:01 PM

  @pc - This should be a pass-through / ephemeral type of service where a document is verified in-transit and then purged from memory. Stripe should not save any of these documents. Let Stripe customers deal with the decision whether to save in their own systems. Otherwise, this looks like yet another great value-added service -- congrats!

• by mleonhard on 6/15/21, 6:51 AM

  I'm making a dating app. After sending a potentially-fraudulent user to a Stripe VerificationSession, I would like to send Stripe their other photos and find out how well they match the ID. Does Stripe have any plan to support that?

  Also, how long does the VerificationSession verified_outputs field remain accessible?

• by evtothedev on 6/14/21, 3:09 PM

  I am so excited to see this!

  Previously, you'd have had to use something like Jumio for this, which was (to be generous) pretty wonky.

• by joshuarubin on 6/14/21, 4:07 PM

  Those are some seriously amazing photos on the example IDs. I'd kill to have anything half as good on mine.

• by gshakir on 6/14/21, 5:39 PM

  Any connection to NIST 800-63-3 (Digital identity guidelines) ? Does it provide Identity assurance level 2 ?

• by verytrivial on 6/14/21, 7:32 PM

  That's a mighty efficient process you've got there. I'll just leave this here: https://en.wikipedia.org/wiki/Bureau_of_Sabotage

• by kebman on 6/14/21, 5:44 PM

  How would you construct a secure zero knowledge proof to do this kind of thing over an API?

• by JacobiX on 6/14/21, 10:23 PM

  Unfortunately for this demo, they will successfully verify everyone. I was hoping for a real demo, in the past I had some interesting problems with selfie KYC checks because the photo in my passeport and my actual look are quite different …

• by jollybean on 6/14/21, 6:20 PM

  Please no.

  If we need to use our identity online for Age Vertification, then why doesn't the government step in with an anonymous service for that?

  That - and - sites should have to get some kind of basic regulatory approval for asking for id.

  And then liable if they leak the data.

• by areichert on 6/14/21, 2:58 PM

  Oh man, really excited about this. I'm curious how far Stripe wants to go down the path of KYC-related products... it feels like a huge market with a lot of pain points where having Stripe-quality APIs would be amazing.

• by edwardmp on 6/14/21, 3:55 PM

  Given their docs state that they use third-party services to offer this service, isn't Stripe just providing a wrapper API around Onfido and charging a premium? If so, how is this really a useful proposition?

• by plumeria on 6/14/21, 7:46 PM

  Curiously, they support validating identities from Costa Rica but so far they don't support processing payments there. I wonder if the payments service is in-the-works for this country.

• by boulos on 6/14/21, 4:16 PM

  Off-topic bug report: Montoya is the last name, not the first name. (Also, in the book / movie the spelling is Inigo not Iñigo nor Íñigo, but people use all the variants)

• by paul_f on 6/14/21, 3:16 PM

  Ooh, we could use this. Curious, can anybody point me to other similar products out there? I'd be interested in comparing. BTW, my uses case is USA only.

• by fenospro on 6/14/21, 10:15 PM

  Instead of being super serious, let me give a huge WELL DONE! to the UI/UX and frontend devs at Stripe to build such magnificent Web Pages!

• by snickmy on 6/14/21, 4:31 PM

  If I was an AWS, GCLOUD or AZURE I'd acquire stripe right now and go super vertical on 'Everything for your business'

• by howellnick on 6/14/21, 5:32 PM

  https://cognitohq.com/ is another YC company that's already in this space. I haven't tried either service, but I wonder how they compare.

• by rStar on 6/14/21, 6:01 PM

  this seems to be the opposite of what all the regular people getting into crypto are wanting. i will only adopt systems that give me more privacy, on balance, not less. make that decision a few times, even in modern life, and your privacy increases substantially from your naive neighbors.

• by methyl on 6/14/21, 7:51 PM

  This is a great way to provide free trials to your users while minimising the risk of frauds. Great job!

• by mtnGoat on 6/14/21, 6:17 PM

  looks like a cool solution. having researched these tools very recently, i will say, the pricing is very high. there are other offerings on the market for $0.50 per look up and only bill you if its a positive lookup.

• by PanosJee on 6/14/21, 5:38 PM

  Several richly valued startups must be having a nervous breakdown right now.

• by rognjen on 6/15/21, 1:52 AM

  If you aren't government regulated, I'm not giving you my ID.

• by tiffanyh on 6/14/21, 3:34 PM

  So is this simply a straight up competitor to Jumio? Or is it more.

• by arthur_sav on 6/14/21, 7:52 PM

  Yeah, let's make a for-profit corporation an identity management entity. What could go wrong.

  - Did you say something politically incorrect? Banned. - Stripe employees don't like you? Banned. - They just feel like it. Banned.

  Yeah. No.

• by pqdbr on 6/14/21, 6:09 PM

  Any estimates of when this will be available for Brazil?

• by paulcnichols on 6/14/21, 4:41 PM

  Was this product from an acquisition or home grown?

• by ericlewis on 6/14/21, 3:24 PM

  Has anyone used this? If so, how fast does it seem?

• by punnerud on 6/14/21, 5:28 PM

  Is Stripe’s backend still Ruby?

  And how is the development process?

• by Sr_developer on 6/14/21, 3:24 PM

  This is a little Big_Brother-esque for my taste.

• by hmate9 on 6/14/21, 3:53 PM

  I wish Stripe would go public so I could invest a good chunk. Who wouldnt want to invest in the backbone (or soon to be) of the entire internet payment infrastructure.

• by nceqs3 on 6/14/21, 2:45 PM

  If Stripe were to get hacked who would pay the GDPR fine?

• by grey-area on 6/14/21, 3:41 PM

  This is the problem I wish cryptocurrencies had focussed on - verified identity is the central problem in payments.

• by SN76477 on 6/15/21, 12:25 AM

  This needs regulation.

• by jokethrowaway on 6/14/21, 3:17 PM

  OnFido with a clear pricing.

  Love it.

• by toomuchredbull on 6/14/21, 4:02 PM

  Seems handy for building crypto companies

• by rootsudo on 6/14/21, 6:31 PM

  Stripe has lost it's way.

• by 3np on 6/14/21, 5:12 PM

  It doesn't have to be this way. What Stripe (and others) are doing is a compromise, specifically compromising integrity and privacy of individuals, or as we like to call them, users.

  There are ways to securely address the problems Stripe Identity is solving for that don't involve a single centralized honeypot that both collect and retain all identification documents, build profiles of individuals, and handles authentication and attestation. These should be broken up.

  A company like Stripe sets and maintains norms. They have the means to work towards something better, instead of bidding up on the status quo with a blackbox moated vertical integration where market capture wins over everything else. If we don't get either industry cross-collaboration on open federated standards and networks, the only option will be strong government regulation enforcing well-intended but poorly executed alternatives.

  There are a lot of existing work on more open protocols, federated standards, and whatnot. All of that is being ignored, and nothing else is proposed as an alternative.

  Both companies (Stripe Identity's customer base) and individuals deserve better.

  ---

  Anecdote:

  I apologize if I am more verbose than I would have been if I hadn't just spent most of the past 5h in a Kafkaesque series of phone calls with Paypal. Replace Paypal payments with Stripe Identity in the following and tell me I'm exaggerating when I say that this is a danger to society:

  I was trying to do a single webshop purchase where the vendor only had Paypal integrated as an option. Something (supposedly with my IP/browser) made them require registering an account to proceed, which required phone verification in the country of my credit card. Account immediately got flagged and completely locked before the purchase was completed, everything got changed to the language of my credit card country (which I don't speak or read) and they told me to call Paypal support in that country, on a given number. I called and despite speaking great English, they were unable to help me in English, and told me I had to call the NA support instead. The robot voice on the other end asked what I wanted and after a couple of honest attempts, I tried with "live agent". At first it seemed like there was no way to get to a real person instead of the robot. It demanded me to verify the credit card associated with the number I was calling from - a Skype number that is not on any account of mine. I persisted in saying only "live agent" as an answer whatever the question as the voice persisted in its demands for information, until after 6~8 I was actually patched through.

  I was after that escalated/sent around 5 different times, each agent taking a good time to repeat the same conversation from the beginning, making me repeat each line of information they had and a fresh round of either of SMS or e-mail validation. The final agent stayed with me for the last couple of hours as we went through everything in detail. They guided me through another e-mail validation, a password change, each step involving a browser taking painfully long time due to extended reCaptchas at every step. At some point it seemed like it would just not work as there was an infinite loop of reCaptcha and login form. The agent refused to proceed as apparently this was the only way to verify my e-mail address. All this as I was actually still logged into the blocked account and clicking links in e-mails. Trying from another device and network connection, that loop finally got broken. Eventually it came to that I had the option of an "appeal process", involving me uploading a photo ID. I said I was not comfortable doing that. My only option then was to close my account. Which requires providing a photo ID. At this point I was very frustrated and told the agent that as a resident of the EU, I would like to request data deletion. After arguing a bit about that, it turned out that there was another way to close the account, but it involved another appeal process. The agent told me that should take about 3-5 business days. After the call I received an e-mail saying account closure had been initiated but will take a minimum of 180 days to complete.

  As for the purchase, the same agent actually stayed with me on the line as we tried from the beginning to do a "guest checkout", which is what I had been attempting to do from the beginning. It took a bit of back and forth until the conclusion was "it usually works but computer says no and I can't tell you why".

• by baybal2 on 6/14/21, 3:22 PM

  I was once enticed by AirBnB's promise of "we don't store your ID data after validation"

  Few years down the line, it requested me to submit my ID data for a booking in China.

  All my ID data was pre-filled.

• by ape4 on 6/14/21, 3:03 PM

  I wonder... It can pull up a user's drivers license - so what about their covid vaccination record (maybe in the future).

• by kgraves on 6/14/21, 3:11 PM

  How does this compare to Onfido?

• by seaorg on 6/14/21, 5:18 PM

  I’ve been saying for years that identity services will be a huge deal. In a world where captcha is less and less reliable and where fake posts are cheaper, faster and more convincing (GTP), there are almost no websites that can function without using an identity service. I’ve been screaming from the rooftops and nobody listened.