Why I refuse to provide my identity to online services

Oct '14

More and more services require some kind of identification. While it makes sense for some, it makes absolutely no sense for others. Not only this violate your rights but also can put your identity at risk. Read the rest of this article and learn how to say no.

About a year ago, I signup for digitalocean to try their services as I heard a lot of positive feedback. I was traveling back then in France and was using a public access point to get internet. After subscribing and entering my contact details and billing details (including my credit card numbers), I got an email asking me a proof of identity in order to let me go through.

I refused politely explaning that the credit card number hasn't been declined and that I have no past history with the company.

Recently, I used elance service and the same scenario happened, just a bit differently. I had an old account already with an old email address and I created a new account which is against the terms of service apparently. Anyway, the support asked me to prove my identity with a legit copy of my passport since I was breaking the terms. I explained that I already authenticated my account with paypal, which is a trusted partner. Moreover, I paid a couple of freelancer already summing up to a couple of hundred dollars. After a bit of negociation this time, I got my way around. In all fairness, someone could have abused my paypal account but why is elance authorizing multiple account with the same paypal and then ask me to prove my identity? This is puzzling to me.

Why does this matter ?

It's a simple fact of privacy. In the modern age of online services, companies should only care about receiving money. Nothing else. Of course, companies should be able to protect themselves against abuse of service, but I believe that this should be done in other mean than ID verification.

Moreover, real service abusers (I am talking about child porn for example) must have access to fake identity which could be accepted by the service. It simply put non-abusers (read: legit customer) at risk by allowing such practice. The end user has nothing to win here, and has way too much to lose (abuse of its personal identity).

Online services are using third parties like paypal that already verify your identity thoroughly. This is enough for a clean chain of trust.

What should be done ?

Companies should rely either on other third parties like paypal, or use another less intrusive way to verify your identity, like an sms code activation, a code of conduct monitoring, a prepayment for your account to ensure that money can come down the wire.

Scans of passport are just too dangerous nowadays when you consider how many companies get their data stolen from external (or even internal) people.

What can you do ?

Well, I always refuse. I explain that I understand that they may not trust me, but I can't trust them in storing securely my identity proofs, nor to abuse them. If this doesn't help, you can elaborate by stating that the only trust between you and them is a proof of good behavior and a paid bill. This takes a little bit of time but can be enough at times.

Last, engage a discussion on twitter like I did here with digitalocean, as sometimes, you may get trapped in a customer service loop where people are paid to simply apply the rules. If nothing works, simply walk away and use the competition, I am sure they will be willing to help.

Remember that by accepting to give your identity with a digital proof that is not designed againt copy and abuse not only put you at risk, but allow company to continue having such practicies.