Hacker News

observationist last Monday at 9:42 PM

Why wouldn't they? There are probably significant downsides if they fail an audit requirement, and they're probably mandated to retain records for some period, with no consequences to extended retention.

Set up a system so that it costs you nothing to do a bad thing but possibly wrecks you legally and financially to do the good thing, and people will inevitably do the bad thing. They shouldn't be collecting this information in the first place.

The people who design these policies are incapable of actually building things that work. They are not the intelligent, competent leaders exercising a careful craft that they like to pretend they are.

They keep going after age verification, online ID, central bank digital currencies, etc - keep this incident in mind. The people who implement and write these policies are morons. They don't game things out and plan for redundancy or resiliency. They don't take into account bad faith actors. They don't account for deliberate exploitation of the system.


Replies

charles_f last Monday at 9:54 PM

> Why wouldn't they?

They most likely weren't allowed to keep it past the verification per GDPR art.5. Once the passport has been verified for whatever purpose they needed it ("age verified to be > 18yo on 2026-06-12" or "identity verified to be XXXX YYYY"), there is no legitimate use for the passport photo and details anymore, and they should delete it.

TZubiri last Monday at 9:57 PM

> Why wouldn't they? There are probably significant downsides if they fail an audit requirement,

Right, and keeping old passports used for verification should cause an audit to fail.

onetokeoverthe last Monday at 9:45 PM

[dead]