Experts say that might be risky, too. Last September, YouTube became the latest in a slew of platforms that now ask users to submit their identity documents for verification. Although the company explained in a blog post that the new policy was in line with upcoming European regulations and parent company Google’s country-specific age rules, other companies like Facebook, Instagram, and LinkedIn all have enforced similar identity verification policies for years. “The more documents and items that you provide to any organization, there’s always a risk,” James E. Lee, chief operating officer at the Identity Theft Resource Center, told Lifewire in a phone interview.
Understanding the Risks
According to Lee, identity verification policies like the ones used by LinkedIn, Facebook, Instagram, and others stem from a somewhat recent shift from anonymity to “real name” requirements for users on social sites. “From a privacy perspective, if you allowed anonymity, then you didn’t have the risk of either a privacy violation or a cybersecurity issue,” Lee said. “It didn’t have the same level of risk to the individuals. So most social media, in particular, began with the idea of anonymity.” That anonymity had a flip side, though, and over time companies began to recognize the potential safety risks of not knowing who you’re interacting with on the other side of the screen. “When [those issues] first started to surface, they were more around public safety. You didn’t realize who you were dealing with on the other end…” Lee said. “So then you started seeing organizations saying, ‘Okay, you have to give us your real name.’” To mitigate the risks associated with anonymity, some companies began to implement “real name” policies—which were, ironically, not without controversy themselves. In 2014, Facebook Chief Product Officer Chris Cox posted an apology for the unanticipated account lockouts of members of the drag and LGBTQ communities due to the company’s policy. He noted, “The way this happened took us off guard. An individual on Facebook decided to report several hundred of these accounts as fake,” explaining that the then-10-year-old policy still served to protect users from actual fake accounts. Although most social media networks initially asked users to verify their identity in more innocuous ways, like confirming their email address or phone number, over time many expanded to require government-issued ID or other similarly sensitive documents. “Now we’re getting to a point where we’re actually collecting credentials,” Lee said. “And that’s where we’re back full circle to where there’s a problem—at least, there’s a risk of a problem.”
Security Questions
Although verifying that social media users are real people is generally a good thing, the risk of identity theft is unavoidable when companies collect users’ IDs to confirm their identity. “It’s good to verify that a person is who they say they are in any social media setting. It solves a multitude of ills…” Lee said. “But where we believe you’re crossing the line is when you begin to collect credentials.” One of the more obvious risks to the collection of identifying documents is the risk of a data breach—a seemingly endless phenomenon that resulted in a dramatic increase in the number of records exposed last year. Those risks aren’t without precedent. In 2016, Uber experienced a data breach that resulted in hackers accessing around 600,000 drivers licenses, according to a post on the company’s blog. Lifewire reached out to Google, YouTube, Facebook, Instagram, and LinkedIn to find out how users’ identity documents are used and maintained, but we have not yet received a response.
Trust Issues
Although most companies’ identity verification policies promise to delete users’ IDs within a specific timeframe, those promises rely on trust. “As the person submitting the data, you don’t know. You’re not given a notice every time it’s shared. You’re not given a notice when it theoretically is destroyed,” Lee said. “And because you don’t know with whom it’s been shared, you don’t know what their policies are.” Because of that, Lee advises users to carefully weigh the potential consequences of providing their ID to companies online. “If you give someone your driver’s license, are you comfortable if they lose control of it? Your first instinct is usually your best instinct,” Lee said.