Today I tried to register a #hetzner account for Gecos Analytics. All went fine, except that "an automated system" determined that an additional verification step was required. That additional verification step would have involved scanning my passport (bad) and scanning my face (also bad) and sending them to an external service provider, #idenfy.

1/n

According to LinkedIn, Idenfy is a Lithuanian company with headquarters in Kaunas:

https://www.linkedin.com/company/idenfy/

#idenfy

2/n

#idenfy has offices in the U.S. and UK as well:

https://www.idenfy.com/contact-us/

The former is problematic, because it forces IDenfy to comply with the Cloud Act:

https://en.wikipedia.org/wiki/CLOUD_Act

In practice, the United States administration can access any data on IDenfy servers.

3/n

To make matters worse, #idenfy stores data in AWS datacenters in Ireland, see section 5 in

https://www.idenfy.com/privacy-policy/

This makes it quite convenient for the U.S. administration to access the data if it wants to.

4/n

#idenfy's identity verification service product page does not concern itself with privacy issues like retention of identity verification data:

https://www.idenfy.com/identity-verification-service

However, they do mention that by default data is only retained for the duration of identity verification:

https://idenfy-ivs.atlassian.net/wiki/spaces/SC/pages/1454473222/Data+Retention

The water is muddied by the fact that Idenfy customers (e.g. #hetzner) can apparently define their own data retention policies.

5/n

We believe that using passport and face scans to prove identity in the European context is not a good approach. There are many other, better and less intrusive options available, at least on a national level. For example, in Finland you typically apply strong authentication using your banking app.

So, instead of complying, we decided to send a support request to Hetzner explaining the situation. We'll see shortly what it leads to.

6/n

Update: it seems that a real person at Hetzner had a look at our case and dropped the IDenfy-based extra verification step for us 👍. Time to get to work.