Consumer Rights Wiki - User contributions [en]

Forced identification

2025-12-04T16:29:32Z

2A00:23C8:2384:101:E65D:E107:D7AB:5C1E: /* External links */ link to global age verification laws

{{See also|Age verification|De-anonymization}}

Forced Identification is the practice of forcing the user to unnecessarily provide their ID in order to access a product or service. The primary concern for forced identification comes from how services neglect to adequately secure this sensitive information for its user base, leading to dangerous security breaches occurring.

Unlike with traditional consumer protection incidents, Forced Identification is typically caused by governmental laws, such as the ''[[UK Online Safety Act]]'', rather than any sort of intentional data collection completed by other companies.

==How it works==
Forced Identification's functionality varies based on the region it is enforced within and how it is integrated by the company that uses it. Regardless, the result traditionally leads to sensitive information that is stored on servers that may be breached at any moment.

The traditional usage of forced identification is for [[age verification]], however there have been other uses as well, such as spam prevention.

==Why it is a problem==

===Risk of lost or stolen data===
<blockquote>“Any system can be hacked—this is no longer a secret.”

― ''Dan Kaminsky, Security Researcher and DNS Expert''</blockquote>There is no such thing as a system that is unable to be breached,<ref>{{Cite web |last=Aj |first= |date=Sep 7, 2025 |title=Why “Unhackable” Systems Don’t Exist: Lessons from the Frontlines |url=https://osintteam.blog/why-unhackable-systems-dont-exist-lessons-from-the-frontlines-6fd517d117ba |access-date=Oct 22, 2025 |website=osintteam.blog}}</ref> and IDs are a valuable product that malicious actors are incentivized to hijack.<ref>{{Cite web |last=Weissmann |first=Shoshana |date=May 22, 2023 |title=If platforms are required to have your government IDs and face scans, hackers and enemy governments can access them too |url=https://www.rstreet.org/commentary/if-platforms-are-required-to-have-your-government-ids-and-face-scans-hackers-and-enemy-governments-can-access-them-too/ |access-date=Oct 22, 2025 |website=RStreet}}</ref> These 2 facts tend to lead to an increase in attempted security breaches. As an example, in late September 2025, attackers breached [[Discord]]'s 3rd-party customer service portal,<ref name=":2">{{Cite web |date=2025-10-03 |title=Update on a Security Incident Involving Third-Party Customer Service |url=https://discord.com/press-releases/update-on-security-incident-involving-third-party-customer-service |url-status=live |archive-url=https://web.archive.org/web/20251006163040/https://discord.com/press-releases/update-on-security-incident-involving-third-party-customer-service |archive-date=2025-10-06 |access-date=2025-10-07 |website=Discord}}</ref> leading to an estimated 70,000 photo IDs for the United Kingdom being stolen from the platform.<ref>{{Cite web |last=Hunt |first=Troy |date=2025-10-04 |title=X |url=https://x.com/troyhunt/status/1974558088847102289}}</ref>

===Loss of privacy===
Some legal agreements with platforms will allow them to sell user data to 3rd parties,{{Citation needed|reason=read comment}} and this may include any legal identification that is given to these companies when signing up. This data can also be given to governments for the purpose of tracking users.

===Censorship===
Users who are forced to give their ID when using a platform may be forced to see feeds only curated for their region,<ref>{{Cite web |date=2025-09-01 |title=Strict Age Verification Laws: Balancing Content Restriction and Educational Rights |url=https://www.thinkacademy.ca/blog/strict-age-verification-laws-impact-k12-education/#:~:text=Impact%20on%20K12,affect%20these%20groups |access-date=2025-09-04 |website=Think Academy}}</ref><ref name=":0">{{Cite web |last=Kelley |first=Jason |last2=Mackey |first2=Aaron |last3=Mullin |first3=Joe |date=2024-02-15 |title=Don’t Fall for the Latest Changes to the Dangerous Kids Online Safety Act |url=https://www.eff.org/deeplinks/2024/02/dont-fall-latest-changes-dangerous-kids-online-safety-act |access-date=2025-09-04 |website=Electronic Frontier Foundation}}</ref> as well as have their content specifically moderated more harshly depending on the region's government. This also can lead to methods where [[wikipedia:Virtual_private_network|VPNs]] are used to access content that may otherwise be inaccessible in some regions to no-longer be viable. Besides that, dissidents or exiles of certain authoritarian countries may face transnational repressions if the databases containing their ID details suffer data breaches.

==See also==
*[[Anti-privacy legislation]]

==External links==
*https://action.freespeechcoalition.com/age-verification-bills/all
*https://action.freespeechcoalition.com/age-verification-resources/global-age-verification-policies

==References==
{{reflist}}

[[Category:Common terms]]

Forced identification

2025-12-04T16:01:13Z

2A00:23C8:2384:101:E65D:E107:D7AB:5C1E: /* External links */ removed chatcontrol link. unrelated to forced identification

{{See also|Age verification|De-anonymization}}

Forced Identification is the practice of forcing the user to unnecessarily provide their ID in order to access a product or service. The primary concern for forced identification comes from how services neglect to adequately secure this sensitive information for its user base, leading to dangerous security breaches occurring.

Unlike with traditional consumer protection incidents, Forced Identification is typically caused by governmental laws, such as the ''[[UK Online Safety Act]]'', rather than any sort of intentional data collection completed by other companies.

==How it works==
Forced Identification's functionality varies based on the region it is enforced within and how it is integrated by the company that uses it. Regardless, the result traditionally leads to sensitive information that is stored on servers that may be breached at any moment.

The traditional usage of forced identification is for [[age verification]], however there have been other uses as well, such as spam prevention.

==Why it is a problem==

===Risk of lost or stolen data===
<blockquote>“Any system can be hacked—this is no longer a secret.”

― ''Dan Kaminsky, Security Researcher and DNS Expert''</blockquote>There is no such thing as a system that is unable to be breached,<ref>{{Cite web |last=Aj |first= |date=Sep 7, 2025 |title=Why “Unhackable” Systems Don’t Exist: Lessons from the Frontlines |url=https://osintteam.blog/why-unhackable-systems-dont-exist-lessons-from-the-frontlines-6fd517d117ba |access-date=Oct 22, 2025 |website=osintteam.blog}}</ref> and IDs are a valuable product that malicious actors are incentivized to hijack.<ref>{{Cite web |last=Weissmann |first=Shoshana |date=May 22, 2023 |title=If platforms are required to have your government IDs and face scans, hackers and enemy governments can access them too |url=https://www.rstreet.org/commentary/if-platforms-are-required-to-have-your-government-ids-and-face-scans-hackers-and-enemy-governments-can-access-them-too/ |access-date=Oct 22, 2025 |website=RStreet}}</ref> These 2 facts tend to lead to an increase in attempted security breaches. As an example, in late September 2025, attackers breached [[Discord]]'s 3rd-party customer service portal,<ref name=":2">{{Cite web |date=2025-10-03 |title=Update on a Security Incident Involving Third-Party Customer Service |url=https://discord.com/press-releases/update-on-security-incident-involving-third-party-customer-service |url-status=live |archive-url=https://web.archive.org/web/20251006163040/https://discord.com/press-releases/update-on-security-incident-involving-third-party-customer-service |archive-date=2025-10-06 |access-date=2025-10-07 |website=Discord}}</ref> leading to an estimated 70,000 photo IDs for the United Kingdom being stolen from the platform.<ref>{{Cite web |last=Hunt |first=Troy |date=2025-10-04 |title=X |url=https://x.com/troyhunt/status/1974558088847102289}}</ref>

===Loss of privacy===
Some legal agreements with platforms will allow them to sell user data to 3rd parties,{{Citation needed|reason=read comment}} and this may include any legal identification that is given to these companies when signing up. This data can also be given to governments for the purpose of tracking users.

===Censorship===
Users who are forced to give their ID when using a platform may be forced to see feeds only curated for their region,<ref>{{Cite web |date=2025-09-01 |title=Strict Age Verification Laws: Balancing Content Restriction and Educational Rights |url=https://www.thinkacademy.ca/blog/strict-age-verification-laws-impact-k12-education/#:~:text=Impact%20on%20K12,affect%20these%20groups |access-date=2025-09-04 |website=Think Academy}}</ref><ref name=":0">{{Cite web |last=Kelley |first=Jason |last2=Mackey |first2=Aaron |last3=Mullin |first3=Joe |date=2024-02-15 |title=Don’t Fall for the Latest Changes to the Dangerous Kids Online Safety Act |url=https://www.eff.org/deeplinks/2024/02/dont-fall-latest-changes-dangerous-kids-online-safety-act |access-date=2025-09-04 |website=Electronic Frontier Foundation}}</ref> as well as have their content specifically moderated more harshly depending on the region's government. This also can lead to methods where [[wikipedia:Virtual_private_network|VPNs]] are used to access content that may otherwise be inaccessible in some regions to no-longer be viable. Besides that, dissidents or exiles of certain authoritarian countries may face transnational repressions if the databases containing their ID details suffer data breaches.

==See also==
*[[Anti-privacy legislation]]

==External links==
*https://action.freespeechcoalition.com/age-verification-bills/all

==References==
{{reflist}}

[[Category:Common terms]]

Forced identification

2025-12-04T15:59:15Z

2A00:23C8:2384:101:E65D:E107:D7AB:5C1E: added /*See also */ and /* External links */

{{See also|Age verification|De-anonymization}}

Forced Identification is the practice of forcing the user to unnecessarily provide their ID in order to access a product or service. The primary concern for forced identification comes from how services neglect to adequately secure this sensitive information for its user base, leading to dangerous security breaches occurring.

Unlike with traditional consumer protection incidents, Forced Identification is typically caused by governmental laws, such as the ''[[UK Online Safety Act]]'', rather than any sort of intentional data collection completed by other companies.

==How it works==
Forced Identification's functionality varies based on the region it is enforced within and how it is integrated by the company that uses it. Regardless, the result traditionally leads to sensitive information that is stored on servers that may be breached at any moment.

The traditional usage of forced identification is for [[age verification]], however there have been other uses as well, such as spam prevention.

==Why it is a problem==

===Risk of lost or stolen data===
<blockquote>“Any system can be hacked—this is no longer a secret.”

― ''Dan Kaminsky, Security Researcher and DNS Expert''</blockquote>There is no such thing as a system that is unable to be breached,<ref>{{Cite web |last=Aj |first= |date=Sep 7, 2025 |title=Why “Unhackable” Systems Don’t Exist: Lessons from the Frontlines |url=https://osintteam.blog/why-unhackable-systems-dont-exist-lessons-from-the-frontlines-6fd517d117ba |access-date=Oct 22, 2025 |website=osintteam.blog}}</ref> and IDs are a valuable product that malicious actors are incentivized to hijack.<ref>{{Cite web |last=Weissmann |first=Shoshana |date=May 22, 2023 |title=If platforms are required to have your government IDs and face scans, hackers and enemy governments can access them too |url=https://www.rstreet.org/commentary/if-platforms-are-required-to-have-your-government-ids-and-face-scans-hackers-and-enemy-governments-can-access-them-too/ |access-date=Oct 22, 2025 |website=RStreet}}</ref> These 2 facts tend to lead to an increase in attempted security breaches. As an example, in late September 2025, attackers breached [[Discord]]'s 3rd-party customer service portal,<ref name=":2">{{Cite web |date=2025-10-03 |title=Update on a Security Incident Involving Third-Party Customer Service |url=https://discord.com/press-releases/update-on-security-incident-involving-third-party-customer-service |url-status=live |archive-url=https://web.archive.org/web/20251006163040/https://discord.com/press-releases/update-on-security-incident-involving-third-party-customer-service |archive-date=2025-10-06 |access-date=2025-10-07 |website=Discord}}</ref> leading to an estimated 70,000 photo IDs for the United Kingdom being stolen from the platform.<ref>{{Cite web |last=Hunt |first=Troy |date=2025-10-04 |title=X |url=https://x.com/troyhunt/status/1974558088847102289}}</ref>

===Loss of privacy===
Some legal agreements with platforms will allow them to sell user data to 3rd parties,{{Citation needed|reason=read comment}} and this may include any legal identification that is given to these companies when signing up. This data can also be given to governments for the purpose of tracking users.

===Censorship===
Users who are forced to give their ID when using a platform may be forced to see feeds only curated for their region,<ref>{{Cite web |date=2025-09-01 |title=Strict Age Verification Laws: Balancing Content Restriction and Educational Rights |url=https://www.thinkacademy.ca/blog/strict-age-verification-laws-impact-k12-education/#:~:text=Impact%20on%20K12,affect%20these%20groups |access-date=2025-09-04 |website=Think Academy}}</ref><ref name=":0">{{Cite web |last=Kelley |first=Jason |last2=Mackey |first2=Aaron |last3=Mullin |first3=Joe |date=2024-02-15 |title=Don’t Fall for the Latest Changes to the Dangerous Kids Online Safety Act |url=https://www.eff.org/deeplinks/2024/02/dont-fall-latest-changes-dangerous-kids-online-safety-act |access-date=2025-09-04 |website=Electronic Frontier Foundation}}</ref> as well as have their content specifically moderated more harshly depending on the region's government. This also can lead to methods where [[wikipedia:Virtual_private_network|VPNs]] are used to access content that may otherwise be inaccessible in some regions to no-longer be viable. Besides that, dissidents or exiles of certain authoritarian countries may face transnational repressions if the databases containing their ID details suffer data breaches.

== See also ==
* [[Anti-privacy legislation]]

== External links ==
* https://action.freespeechcoalition.com/age-verification-bills/all
* https://fightchatcontrol.eu

==References==
{{reflist}}

[[Category:Common terms]]

General Data Protection Regulation

2025-11-21T17:12:08Z

2A00:23C8:2384:101:E65D:E107:D7AB:5C1E: added link to Digital Omnibus - weakens gdpr

The '''{{Wplink|General Data Protection Regulation}}''' (GDPR) is the European Union's comprehensive data privacy and security law that went into effect on May 25, 2018.<ref>[https://gdpr.eu/what-is-gdpr/ "What is GDPR, the EU’s new data protection law?"] - gdpr.eu - 25 May 2018</ref> The regulation applies to any organization worldwide that processes data related to EU residents, regardless of the organization's location. It represents the world's most stringent approach to data protection, with potential fines for violations reaching up to €20 million or 4% of global revenue, whichever is higher.

The regulation mandates several key requirements for organizations processing EU residents' personal data. These include obtaining explicit consent for data collection, ensuring data minimization and purpose limitation, implementing appropriate security measures, and honoring individuals' rights regarding their personal data. Organizations must also maintain detailed documentation of their data processing activities, report data breaches within 72 hours, and in some cases appoint Data Protection Officers. The regulation defines personal data broadly, encompassing everything from basic identifiers like names and email addresses to more complex data like location information, biometric data, and online identifiers.

The GDPR has established a new global standard for data protection by codifying several fundamental principles, including transparency, accountability, and privacy by design. Organizations must not only comply with these principles but also be able to demonstrate their compliance through documentation and organizational measures. This comprehensive approach to data protection reflects the EU's position that privacy is a fundamental human right, building upon the privacy protections first established in the 1950 European Convention on Human Rights and updated for the digital age.

The United Kingdom still enforces the GDPR,<ref>https://ico.org.uk/for-organisations/data-protection-and-the-eu/data-protection-and-the-eu-in-detail/the-uk-gdpr/</ref> allowing persons physically located within the UK the ability to request data exports and deletions from online services.<ref>https://www.vpaa.uillinois.edu/resources/policies/u_of_i_system_and_international_privacy_laws/the_eu_and_uk_general_data_protection_regulations</ref>

==Summary==

===Chapter 2: Principles===

Chapter 2 of the GDPR addresses personal data, legal ways to process it, and consent of the user.<ref>[https://gdpr-info.eu/chapter-2/ "Chapter 2: Principles"] - gdpr-info.eu - 25 May 2018</ref>

====Article 5: Principles relating to processing of personal data====
''Main wiki: [https://gdprhub.eu/index.php?title=Article_5_GDPR Article 5 GDPR]''

Personal data processing under GDPR mandates that data must be handled lawfully, fairly, and transparently; collected for specific legitimate purposes; kept accurate and up-to-date; minimized to only what's necessary; stored only as long as required; and protected with appropriate security measures.

====Article 7: Conditions for consent====
''Main wiki: [https://gdprhub.eu/index.php?title=Article_7_GDPR Article 7 GDPR]''

When applicable, data subjects must consent to the processing of his or her personal data. Written requests for consent must use clear and plain language. Any portion of a written request violating the GDPR is not considered binding.

The data subject may also withdraw his or consent at any time and it should "be as easy to withdraw as to give consent."

Consent also must be freely given as defined in Recital 43. Consent is not considered freely given when a power imbalance exists between the data collected and the data subject, when consent for different data operations is improperly bundled together, or when access to services is made conditional on consenting to unnecessary data collection.

===Chapter 3: Rights of the data subject===

Chapter 3 of the GDPR covers transparency, information and access to personal data, the right to change, erase, or restrict processing of personal data, and the right to object.<ref>[https://gdpr-info.eu/chapter-3/ "Chapter 3: Rights of the data subject"] - gdpr-info.eu - 25 May 2018</ref>

====Article 17: Right to erasure (‘right to be forgotten’)====
''Main wiki: [https://gdprhub.eu/index.php?title=Article_17_GDPR Article 17 GDPR]''

Data subjects have the right to request erasure of their personal data by the data processor and the data processor is required to erase said data in a timely manner. This includes unnecessarily stored data, unlawfully processed data, and publically availabe information.

This article does not cover free of expression and information, public interest, archiving purposes, or legally-relevant information.

====Article 21: Right to object====
''Main wiki: [https://gdprhub.eu/index.php?title=Article_21_GDPR Article 21 GDPR]''

Data subjects have the right to object to processing of their personal data in several key contexts, including when processing is based on public interest or legitimate interests grounds, for direct marketing purposes, or for research purposes - and in the case of direct marketing, this objection must be honored without exception.

When such an objection is made, the controller must cease processing unless they can demonstrate compelling legitimate grounds that override the data subject's rights and freedoms, with special provisions requiring that this right to object must be explicitly communicated to data subjects and made easily accessible, particularly in digital contexts.
====Article 22: Automated individual decision-making, including profiling====
''Main wiki: [https://gdprhub.eu/index.php?title=Article_22_GDPR Article 22 GDPR]''

Under Article 22, individuals have the right to not be subject to decisions based solely on automated processing or profiling that have legal or similarly significant effects, with three key exceptions: when the automated decision is necessary for a contract, authorized by law, or based on explicit consent.

When automated decisions are made under contractual necessity or explicit consent, the data controller must implement safeguards including human intervention options, allowing individuals to express their views and contest decisions. Automated decisions cannot be based on special categories of personal data (such as race, health data, or political opinions) unless specific conditions are met and appropriate safeguards are in place.

===Chapter 4: Controller and processor===
Chapter 4 of the GDPR covers general obligations of controllers and processors of data, their security, impact assessments and responsibility.<ref>[https://gdpr-info.eu/chapter-4/ "Chapter 4: Controller and processor"] - gdpr-info.eu - 25 May 2018</ref>

====Article 28: Processor====
''Main wiki: [https://gdprhub.eu/index.php?title=Article_28_GDPR Article 28 GDPR]''

Outsourcing data processing to service providers is no excuse not to comply with GDPR, it is still up to the controller to ensure that the GDPR is complied with.

==See also==
*[[Consent-or-pay]]
*[[Digital Omnibus]]
*https://gdprhub.eu, a wiki summarizing GDPR-related decisions by authorities and courts across Europe

==References==
<references />

[[Category:Pro-consumer articles]]
[[Category:Legislation]]
[[Category:EU legislation]]