While there’s plenty of merit to what you’re saying, I’m too sick to have a coherent thought beyond maybe pointing out that the main issue with legislation like this isn’t that it doesn’t specify security requirements, but that it’s forcing people who do not have infrastructure established to collect and manage sensitive info of this nature in the first place.
Discord never set out to collect this much PII, and as far as I’m aware there’s never been a breach of their payment information processing. Like you say, it’s an established thing to handle payments and is fairly routine to implement. There is no routine method of handling ID verification yet, and the solutions that exist were forced to be developed rapidly and with no standards.
The legislation is at fault for putting people in this situation - that they used Zendesk was a boneheaded move (I haven’t seen details of the breach, was that really the vector that got attacked?) and sure, they’re at some degree of fault for letting this happen. But the vast majority of the blame lies at the feet of the asinine legislation that all but explicitly mandated that this situation arise.
Oh, of course the legislation is to blame for a lot of this in the end. I’m just saying that Discord could have already partnered with a number of identity verification services that do already have this infrastructure up and running, with standardized and documented ways to call their APIs to both verify and check the verification of a user.
At the end of the day, Discord chose to implement a convoluted process of having users email Discord, upload IDs, then have Discord pull the IDs back down from Zendesk and verify them, rather than implementing a system where users could have simply gone to a third-party verification website, done all the steps there, had their data processed much more securely, then have the site just send Discord a message saying “they’re cool, let 'em in”
While there’s plenty of merit to what you’re saying, I’m too sick to have a coherent thought beyond maybe pointing out that the main issue with legislation like this isn’t that it doesn’t specify security requirements, but that it’s forcing people who do not have infrastructure established to collect and manage sensitive info of this nature in the first place.
Discord never set out to collect this much PII, and as far as I’m aware there’s never been a breach of their payment information processing. Like you say, it’s an established thing to handle payments and is fairly routine to implement. There is no routine method of handling ID verification yet, and the solutions that exist were forced to be developed rapidly and with no standards.
The legislation is at fault for putting people in this situation - that they used Zendesk was a boneheaded move (I haven’t seen details of the breach, was that really the vector that got attacked?) and sure, they’re at some degree of fault for letting this happen. But the vast majority of the blame lies at the feet of the asinine legislation that all but explicitly mandated that this situation arise.
Oh, of course the legislation is to blame for a lot of this in the end. I’m just saying that Discord could have already partnered with a number of identity verification services that do already have this infrastructure up and running, with standardized and documented ways to call their APIs to both verify and check the verification of a user.
At the end of the day, Discord chose to implement a convoluted process of having users email Discord, upload IDs, then have Discord pull the IDs back down from Zendesk and verify them, rather than implementing a system where users could have simply gone to a third-party verification website, done all the steps there, had their data processed much more securely, then have the site just send Discord a message saying “they’re cool, let 'em in”