The government already operates an identity service via passports. The only reason they do not have an electronic identity service yet is because it is beneficial for them to be able to blame private actors when things go wrong.
I don't think the question GP is asking is whether or not Stripe is a good way to confirm someone's real-life identity, or whether it would be better for the government to do it. I think what they're asking why we're doing identity verification for chat applications. Is this a good direction overall for the Internet to be moving in?
I don't like the idea that I should have one real-life identity that every service I sign up for online knows, even trivial services like social networks. I would argue a world like that is abridging on people's Right to Hide (https://anewdigitalmanifesto.com/#right-to-hide)
Discord are doing it for verifying bot ownership, because bots can do a lot of damage if they're just free to sign up to Discord and start "talking" to people. A good way of omitting bad bots from the network is by verifying and tying the bot to the (verified) identity of a real person.
I run a server with 1,200 people on it - I've never needed to verify my identity. You don't need to verify your identity for using Discord.
Is it?
I am much less charitable than you about whether Discord's bot verification is intended purely for user safety or whether it's a combination of laziness and a way of slowly clamping down control over how users access the service, how it can be extended, and what services/clients can interop.
I disagree that 100 servers is a particularly large number for a popular bot to join, but more importantly I think the threat model you describe illustrates a deeper problem with Discord overall. If the issue is that bots can sign up to Discord and just start talking to people, that's a permissions issue. Why can bots do that? And why is it OK for bots to keep doing that as long as they're in fewer than 100 servers?
So sure, we can have an extremely invasive form of verification, but we could also just... not let bots join random servers in the first place. We're jumping straight to real-life identification in a system that doesn't even support granular control over invites. In my opinion Discord's moderation and user-vetting tools are basically non-existent, so I am at least a little bit skeptical about whether verification is a completely necessary tradeoff between security and privacy.
For the same reason that Facebook required proof that you were a college student. A platform with a barrier to entry and a degree of exclusivity (but not too exclusive), will tend to have higher quality content and interactions than an anonymous forum that anybody (and anybot) can join.
Whether it's a good direction for the internet to be moving in, I have no idea. But it's certainly good business, which naturally makes me suspect it's the wrong trajectory.
Maybe not those two, but your bank does, your insurance company does, your employer does, your business partner does.
There's a lot of places where there's trust placed in a specific citizen and their identity. The "root of trust" of being a citizen is the government, it'd be nothing new really to provide that digitally.
The proof of it being doable are the governments providing electronic ID's for decade or two now. Solving those really hairy problems hundreds of millions of Americans are struggling or encumbered by daily.
There are a ton of legal requirements around you having to verify a person's identify before sending them money. These laws are often put in place to avoid money laundering, etc.
I doubt they'd require every single user to go through the friction of verifying their identity.
Because of credit card fraud. I've run services where >5% of attempted transactions were done using stolen credit cards. So we used services that determine the risk of a transaction being fraudulent, and if the risk was too high, we required identity verification.
The alternative was to reject those transactions outright and permanently lose those customers, which is terrible when there is a false positive.
If credit card fraud is high, it doesn't matter whether you are a chat app or a bank app.
Does Discord need to know my identity, or does it need to know that my card hasn't been stolen? If it's the latter, then I'm unsure why Stripe is offering the business access to my passport/license, and I'm unsure why we would want to build a government ID system for Discord instead of a government payment system.
The proper way to do it is to either enforce 3D-Secure or offer passport as an option when 3DS is unavailable, but because ID verification is getting easier and cheaper with services such as this one, there will be no reason to spend extra engineering time to implement solutions such as this one when you can just ask for everyone's passports especially when this also allows you to use the data for marketing purposes or be able to reliably ban "undesirable" people (and "undesirable" in this case doesn't mean "bad" or "illegal", it could simply be someone who uses an ad-blocker or doesn't "engage" with dark patterns like the company wants them to).
I am not suggesting all businesses be required to do it. But I do not see why businesses should be prohibited from doing it. If you do not want an identity linked service, then buy a website name, and start a business and do not require people to identify.
We can't justify every architecture decision about the web via only business costs, if that was the case we'd make adblockers illegal and deprecate HTML. You need a stronger argument if you want me as a user to care about or support your business interests. If you want my support you have to show how this benefits the web overall, not just your company.
Misc governments already operate 1,000s of identity, credentialing, and licensing services.
Wouldn't it be great if profiles on DoorDash, Yelp, Hotels, etc. were required to be linked to IRL identities and licenses?
1. I don't trust my government to have better security than anybody else.
2. I'm worried that I would lose the ability to opt out of a government-provided IaaS. Unlike Stripe, and I can't avoid using the government even if I try really hard. They already have my identity, so my privacy is dependent upon whatever their current policy happens to be. I do not trust unknown future administrations not to sell my data to the highest bidder.
3. The U.S. government has an... uneven track record delivering services and software, especially when there is no competition.
Those are my anxieties: what are the advantages to this approach that I'm not seeing?
It is all the same reasons the government does not outsource issuing of passports. It needs to be from an official source with legal protections.
The government (in the US at least) does offer some form of identity services like everify for employment.
The government is using 2FA SMS as your identity (for government services themselves), effectively offloading their liability into the mobile operators. But not really, because the mobile operators are not liable either. So as a little person, you are screwed all around.
If the government were to make an electronic identity, which it needs to for its own services, it might as well be accessible for all so you do not have to trust private businesses with it.
Agreed. An example: https://www.realme.govt.nz/
