Forced Identification

❗Article Status Notice: This Article is a stub

This article is underdeveloped, and needs additional work to meet the wiki's Content Guidelines and be in line with our Mission Statement for comprehensive coverage of consumer protection issues. Learn more ▼

Forced Identification is the practice of forcing the user to unnecessarily provide their ID in order to access a product or service. The primary concern for forced identification comes from how services neglect to adequately secure this sensitive information for its user base, leading to dangerous security breaches occurring.

Unlike with traditional consumer protection incidents, Forced Identification is typically caused by governmental laws, such as the UK Online Safety Act, rather than any sort of intentional data collection completed by other companies.

How it works

Forced Identification's functionality varies based on the region it is enforced within and how it is integrated by the company that uses it. Regardless, the result traditionally leads to sensitive information that is stored on servers that may be breached at any moment.

The traditional usage of forced identification is for age verification, however there have been other uses as well, such as spam prevention.

Why it is a problem

Risk of lost or stolen data

“Any system can be hacked—this is no longer a secret.” ― Dan Kaminsky, Security Researcher and DNS Expert

There is no such thing as a system that is unable to be breached,^[1] and IDs are a valuable product that malicious actors are incentivized to hijack.^[2] These 2 facts tend to lead to an increase in attempted security breaches. As an example, in late September 2025, attackers breached Discord's 3rd-party customer service portal,^[3] leading to an estimated 70,000 photo IDs for the United Kingdom being stolen from the platform.^[4]

Loss of privacy

Some legal agreements with platforms will allow them to sell user data to 3rd parties, and this may include any legal identification that is given to these companies when signing up. This data can also be given to governments for the purpose of tracking users.

Censorship

Users who are forced to give their ID when using a platform may be forced to see feeds only curated for their region,^[5]^[6] as well as have their content specifically moderated more harshly depending on the region's government. This also can lead to methods where VPNs are used to access content that may otherwise be inaccessible in some regions to no-longer be viable.

Examples

Legal acts

The United Kingdom Online Safety Act (OSA)
EU Digital services act (DSA)
US Kids Online Safety Act (KOSA) Texas H.B. 1181 Louisiana SB 162 Virginia SB 1515

Platforms with forced identification

Discord: United Kingdom
Google: United Kingdom, United States

Incidents involving forced identification

Discord: Customer service portal had a breach that led to an estimated 70,000 UK IDs stolen.^[3]
Tea Dating Advice: A 4chan post leaked over 72,000 sensitive images, including those with US state IDs.^[7]^[8]^[9]

References

↑ Aj (Sep 7, 2025). "Why "Unhackable" Systems Don't Exist: Lessons from the Frontlines". osintteam.blog. Retrieved Oct 22, 2025.
↑ Weissmann, Shoshana (May 22, 2023). "If platforms are required to have your government IDs and face scans, hackers and enemy governments can access them too". RStreet. Retrieved Oct 22, 2025.
↑ ^3.0 ^3.1 "Update on a Security Incident Involving Third-Party Customer Service". Discord. 2025-10-03. Archived from the original on 2025-10-06. Retrieved 2025-10-07.
↑ Hunt, Troy (2025-10-04). "X".
↑ "Strict Age Verification Laws: Balancing Content Restriction and Educational Rights". Think Academy. 2025-09-01. Retrieved 2025-09-04.
↑ Kelley, Jason; Mackey, Aaron; Mullin, Joe (2024-02-15). "Don't Fall for the Latest Changes to the Dangerous Kids Online Safety Act". Electronic Frontier Foundation. Retrieved 2025-09-04.
↑ Maiberg, Emanuel; Cox, Joseph (2025-07-25). "Women Dating Safety App 'Tea' Breached, Users' IDs Posted to 4chan". 404 Media. Archived from the original on 2025-07-27. Retrieved 2025-07-27.
↑ Lanz, Jose (2025-07-25). "Tea App That Claimed to Protect Women Exposes 72,000 IDs in Epic Security Fail". Decrypt. Archived from the original on 2025-07-27. Retrieved 2025-07-27.
↑ u/B_drgnthrn (2025-07-27). "Is teaspill just the start?". Reddit. Archived from the original on 2025-07-28. Retrieved 2025-07-28.

[1] Aj (Sep 7, 2025). "Why "Unhackable" Systems Don't Exist: Lessons from the Frontlines". osintteam.blog. Retrieved Oct 22, 2025.

[2] Weissmann, Shoshana (May 22, 2023). "If platforms are required to have your government IDs and face scans, hackers and enemy governments can access them too". RStreet. Retrieved Oct 22, 2025.

[:2-3] 3.0 ^3.1 "Update on a Security Incident Involving Third-Party Customer Service". Discord. 2025-10-03. Archived from the original on 2025-10-06. Retrieved 2025-10-07.

[4] Hunt, Troy (2025-10-04). "X".

[5] "Strict Age Verification Laws: Balancing Content Restriction and Educational Rights". Think Academy. 2025-09-01. Retrieved 2025-09-04.

[:0-6] Kelley, Jason; Mackey, Aaron; Mullin, Joe (2024-02-15). "Don't Fall for the Latest Changes to the Dangerous Kids Online Safety Act". Electronic Frontier Foundation. Retrieved 2025-09-04.

[7] Maiberg, Emanuel; Cox, Joseph (2025-07-25). "Women Dating Safety App 'Tea' Breached, Users' IDs Posted to 4chan". 404 Media. Archived from the original on 2025-07-27. Retrieved 2025-07-27.

[8] Lanz, Jose (2025-07-25). "Tea App That Claimed to Protect Women Exposes 72,000 IDs in Epic Security Fail". Decrypt. Archived from the original on 2025-07-27. Retrieved 2025-07-27.

[9] u/B_drgnthrn (2025-07-27). "Is teaspill just the start?". Reddit. Archived from the original on 2025-07-28. Retrieved 2025-07-28.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]