Their authentication check doesn't do much. They aren't validating driver's licenses against a database. Has anybody tested this thing with common fake IDs? If you show it a color copy of a driver's license, can it detect that? How? They're looking only at a flat photo. They can't tell a hologram from a photo of a hologram. They don't make you take pictures from several different angles. You could probably take a picture of an ID, alter it in Photoshop, and get it through this thing.
Their privacy policy looks like a standard web site privacy policy. It says nothing about how they handle ID data. That's a big deal, because Confirm is handling personal data that isn't about Confirm's own customers. This can create liability for Confirm or Confirm's customers under various identity theft laws.
There are actually valid driver's licenses in the US without holograms. They are usually temporary IDs valid for 3 months or so.
The one I had when I moved was printed on a very low quality inkjet printer... it looks more fake than a fake ID, but it is a legal, US government issued ID.
Same. It actually takes them about a month to mail the plasticy version.
I find it odd since I used to get the plasticy version while I was there at the DMV, but I figured it was probably more expensive to have one of those machines at all the DMVs, rather than just having a few in select locations.
Part of the Real ID program is physical security and internal controls at printing facilities beyond what DMV branch offices are generally capable of, as well as printing processes that require $300k+ of specialized equipment.
The best route to a fake ID was previously to bribe a DMV clerk to use the printer after hours. Those fakes were basically undetectable by physical inspection.
Very few convincing fakes (that are caught) are built to modern standards. Fake ID makers almost always imitate designs from before the institution of Real ID.
I get the point of that, but doesn't that make it easy to "fake" a temp one because the temporary ones are really just printed on a poor inkjet printer?
The piece of paper they give you at the DMV will work in a traffic stop, and maybe for voting (not doing so is a civil rights lawsuit waiting to happen) but is unlikely to be accepted anywhere else.
Most organizations would rather see your slightly expired card, demand a second factor, or just refuse service rather than trust a piece of printer paper. You're definitely not getting into a bar with a temporary ID if you look plausibly underage, or the kids would be doing that already.
I had two recently (renewed, then moved states). I've been able to use my temp ID at several bars & also to redeem tickets at an event. Sometimes they looked a little unsure for a moment, but they shrugged and went on with it.
FWIW, my understanding is that their competitor IDNow (based in Germany) requires you to "wriggle" the ID a bit while you're holding it in front of the smartphone camera, while the flash light is forced on. They claim that they can then detect holograms and/or the three-dimensional structure of the plastic lamination of the ID, distinguishing it from a copy/photo/printout.
IDnow takes video and audio while the user shows their face and ID. It's not fully automatic; a person in a call center is involved.[1] The video shows the "wriggling" of the ID.
They claim to be approved by the German Federal Financial Supervisory Agency. Big banks use their services to authenticate account holders.
If that's a euphemistic way to say "sell a product that doesn't work and hope you can make it work before anyone notices", you're talking about a fundamentally dishonest business practice.
Airbnb is exactly that, violating countless zoning laws throughout the known universe. And yet, at a recent $30 billion, it's one of the most richly valued unicorns.
We're living in a world that has little use for "honest" business practices.
A more honest statement would be: "We're living in a world where rich investors have little use for honest business practices". The communities these businesses operate in have to bear the true costs of the business practices of companies like AirBnB.
Sending photos of government issued IDs to third parties looks like a very dangerous approach to the problem.
These photos could be stolen and reused for fraud and identity theft.
Electronic IDs provide a much safer and more reliable way to check the identity of a user. Eg: every citizen in Belgium can authenticate HTTPS connections with his ID card.
That would be great if the US had eID cards, which we don't, and probably won't for decades. If the states hated REAL ID,[1] then they sure won't like eID.
When someone solves a problem in a particular technology stack in a suboptimal way, it is generally considered unhelpful to tell them they should have just used a totally different stack. "Why bother working around that registry issue in Windows, when you could have just used a superior operating system, such as OS X?", etc.
The US doesn't and probably will never have eID, for several reasons:
1. The US does not have a compulsory national ID. No, Social Security is in fact opt-in, it's just that these days most people are opted in without their consent. Passports are clearly optional.
2. The US is unique in the states/federal struggle, which has been ongoing since before 1776. One of the reasons REAL ID will never get adopted is because many states fight strongly against it.
3. There is a real question of jurisdiction. Does the Constitution grant the right for the federal government to force citizens to have an ID? If you invoke the supremacy clause, the states will invoke the 10th amendment right back at you :)
4. Do you really want the US to have a federal ID database? Between the Hillary emails, the OPM hack, and the general spirit in which the federal government seems to be operating, the last thing I'd want is for them to have more power.
My first thought as well: why am I trusting a middleman with this? IMO if you're trusting a third-party to provide government-issued ID verification you're asking for trouble.
Coinbase decided I had to do that, even to access coins already in my wallet. Then it decided that my ID wasn't compatible with my existing bank (only account I have) info and removed the connection without warning. They informed me they would not remove my information and could not do anything. Scammy.
So, what exactly are they promising to do? Let's look at what they say in their terms of use:
EXCEPT AS EXPRESSLY SET FORTH HEREIN, THE LICENSED TECHNOLOGY IS PROVIDED ON AN “AS-IS” BASIS AND CONFIRM DISCLAIMS ANY AND ALL WARRANTIES. CONFIRM DOES NOT WARRANT THAT THE LICENSED TECHNOLOGY IS ERROR-FREE OR THAT OPERATION OF THE LICENSED TECHNOLOGY WILL BE UNINTERRUPTED. EXCEPT AS OTHERWISE EXPRESSLY PROVIDED IN THIS AGREEMENT, NEITHER PARTY MAKES ANY ADDITIONAL REPRESENTATION OR WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED (EITHER IN FACT OR BY OPERATION OF LAW), OR STATUTORY, AS TO ANY MATTER WHATSOEVER. ... EACH PARTY EXPRESSLY DISCLAIMS ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, QUALITY, ACCURACY, TITLE, AND NON-INFRINGEMENT.
7 LIMITATIONS OF LIABILITY
7.1 Disclaimer of Consequential Damages. THE PARTIES HERETO AGREE THAT, NOTWITHSTANDING ANY OTHER PROVISION IN THIS AGREEMENT, EXCEPT FOR (A) CUSTOMER’S BREACH OF SECTION 1 OR 6.2, (B) EITHER PARTY’S BREACH OF SECTION 5 , AND (C) LIABILITY ARISING FROM A PARTY’S INDEMNIFICATION OBLIGATIONS SET FORTH IN SECTION 8.1 AND 8.2 BELOW, IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER FOR ANY SPECIAL, INDIRECT, RELIANCE, INCIDENTAL OR CONSEQUENTIAL DAMAGES OF ANY KIND, LOST OR DAMAGED DATA, LOST PROFITS OR LOST REVENUE, WHETHER ARISING IN CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, EVEN IF A PARTY HAS BEEN NOTIFIED OF THE POSSIBILITY THEREOF.
Which is to say, it could tell you that Lovin McSpoonful is a totally valid CA driver's license, and you have no remedy if you rely on that to sell the 18 year old alcohol.
If you have a need to verify IDs, a tool to help is helpful even if its maker isn't going to pay for the consequences of getting the wrong answer. I doubt the people who make the black light flashlights are making stronger promises.
A blacklight flashlight is a simple tool where you can understand how it works. This is an opaque service and you cannot reasonably know what's going on behind the scenes.
"Contact sales" is a clear, absolute dinosaur warning.
I want transparent pricing right on the page, instant SDK access for self evaluation, instant purchase if I want more, and no slimy sales process that depends on my region or what I negotiate.
Yes, but you are probably also worried about the many technical and legal issues listed above, and want them corrected before signing up, rather than negotiated in a series of conference calls and meetings with your legal team. You likely want to pay for this with a "credit card" and monthly subscription, rather than by passing them the fax number of your purchasing department. You expect detailed API documentation and example code to be easy to find online, rather than in a training seminar and behind an NDA.
Companies can make money in lots of ways. "Contact Sales" is not an invalid way to do so, just an unpopular one.
What a great way to open your company up to a huge liability. When (and not if) this place gets hacked, expect to foot the bill for identity protection service for a few years for anyone you have scanned using this thing. The burden is usually on the person who originally handles the identity documents, even if a service they are using has been compromised. There's a reason why many nightclubs no longer scan IDs.
Also I don't see any data or information about any guarantees, no case studies, etc. A service like this is worthless unless they are willing to provide something for when fraud does occur, or provide a guarantee that the service actually works and the results can be trusted.
Reading through their terms of service, there is no warranty whatsoever. Their technology could be completely bogus, or do nothing for all you know. It's a black box.
You're basically opening yourself up to liability for questionable benefit.
By "any government issued ID" do they mean "some US government issued IDs"? The website has no indication on what countries are covered, or whether e.g. US military IDs or FAA pilot licenses are covered.
Reminiscent of IDnow ( https://www.idnow.eu/ ), which has been around for a while now. IDnow claims that it
"is available worldwide. IDnow supports identification documents (passports and personal ID cards) in accordance with the common ICAO standard, which is valid in more than 190 countries."
and the Privacy Policy states "In the event of a corporate sale, merger, reorganization, dissolution or similar event, Personal Data may be part of the transferred assets."
Sending images to do this is bad enough, but I'd hope that they have some serious protections around that data in transit and on the servers themselves. If they are saving these images at all that's not any good.
From the website, it looks like they're doing image analysis on the ID scans to verify its authenticity. Given that it's hard for a human to spot a high quality fake, I doubt that some machine learning model can do much better. The only thing I'd imagine it being useful for would be for checking off a regulatory requirement.
>The only thing I'd imagine it being useful for would be for checking off a regulatory requirement.
I think the company I work for could benefit from a service like this for two reasons, but neither of them have anything to do with the authenticity of the ID itself. Basically, we just need a reliable OCR system to capture the name and address to avoid manual entry, and an automated OFAC list[0] check would be nice as well (for the regulatory requirements, as you say).
Information theory can sometimes do wonders with "simple" photos, using for example scale invariant feature transformations where the position of the camera doesn't matter.
Sure, but Let's Encrypt costs nothing and takes one engineer a couple hours to set up, at most. It shows that corners are being cut, which is the opposite of what you want to see in a product like this.
Seems like a sketchy business to me. Who founds a company, raises 4M out of the gate, and then acquires a competitor a month later? http://www.confirm.io/#!our-story/h6arz.
Combine that with a "partnership" six months after that, and it really seems like there is zero proprietary technology that was built by this company in the first place.
There's an existing company that has nice technology (Advanced ID Detection, the company that was acquired [1]), but it is missing the hype factor and targets brick and mortar market. Somebody has an idea that there's big potential for offering this technology as a service. Outside money is brought in and a deal is made. Based on a quick look at the web pages, the existing team and founders continue in the new company.
I don't think this necessarily means that there's something shady going on. Could be just a way to structure the deal, compensate the founders for their work so far and get money to focus on sales and expanding the business.
FYI it is probably the same technology. The whois record for confirm.io references the same address as that listed on the contact page of advancediddetection.com. The Owner orgname is also listed as 'Advanced ID Detection'.
Consider that to verify these IDs they would need bi-lateral agreements AND API access to each issuing authority for the cards to look up the card to verify it against the "real" data. Unlikely they have achieved that given governments are not in the business of offering this service to the market these days.
The question becomes, who takes on the liability for the identity asserted by the user who has presented the card? They could compare it to all previous images of the card, but again, was that original?
All eID solutions have a bootstrapping problem related to the "fons honorum" that creates the legitimate "original."
The use cases for ID are all law enforcement related, and the integrity of these processes does not withstand even basic scrutiny.
What is the problem they need to solve? Limited liability broker for proof of legal identity over a communications channel.
"ah takez teh picturez of teh cardz and ah sendz to tehm."
This company may have solved these other problems. If they have, I would be yelling it from the rooftops because the technology doesn't matter, they would literally have been given the right to print money.
They're not claiming to verify them against a govt database which doesn't exist, they're just claiming to be the smartphone equivalent of the id scanners that liquor stores have.
Oh is that where all these awful "need js to display text" websites were coming from? I had originally thought that they all switched to React or some silly CMS.
There are a ton of players in the "ID verification" space (LexisNexis, Jumio, Mitek, Kofax). Most of them are only verifying the formatting of the ID, not the information.
I've yet to find an API based solution that can reliably verify information solely based on the picture of someone's driver's license.
I'd be interested to know if that is the exception or the rule. My Michigan license has a mag strip and barcodes, while my Tennessee ID only has a barcode.
I did some work on a similar app a few years ago so I have some insight on the subject.
The magnetic strip varies by state but the PDF417 barcode is supposed to follow DL/ID Card Design Standard (CDS) as defined by the AAMVA.
Unfortunately, there isn't a national system for encoding the data as described in the specification and some states still maintain different fields than others. As a result, it's a real pain to try and use the standard without accounting for each state's unique set of quirks which tend to change from year to year.
I assume they've built a system to handle all of these unique cases and use some type of OCR to verify everything matches up with both the encoded barcode data as well as the Driver's License number which is partially derived from the demographic data. The facial image comparison is nice but it's not the most reliable test (especially when it depends on the phone's camera and a 2cm x 2cm photo).
Combining that process with a background check of some type will guarantee that the person actually exists but the whole system can still be duped by a good enough fake ID if the data checks out.
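The barcode-versus-OCR cross-check described in the comment above, as an added example that is not part of the original post and not Confirm's code. Both payloads, the issuer number 999999 and the OCR dictionary are constructed; the element IDs (DAQ, DCS, DAC, DAA, DBB) come from the AAMVA standard, and only two layout variants are handled to show the kind of per-issuer quirk the comment mentions.

```python
import re
from datetime import date

# Constructed payloads, not real licenses; 999999 is a placeholder issuer number.
# Newer layout: separate name elements, date of birth as MMDDCCYY.
SAMPLE_NEW = ("@\n\x1e\rANSI 999999080002DL00410060ZV01010010"
              "DLDAQT1234567\nDCSSAMPLE\nDACALEX\nDBB01151990\r")
# Older layout: full name in DAA, date of birth as CCYYMMDD.
SAMPLE_OLD = ("@\n\x1e\rANSI 9999990101DL00290050"
              "DLDAQT1234567\nDAASAMPLE,ALEX\nDBB19900115\r")
# Constructed stand-in for what OCR read off the front of the card.
OCR = {"number": "T1234567", "last": "SAMPLE", "first": "ALEX",
       "dob": date(1990, 1, 15)}

def parse_payload(payload):
    """Return (version, {element_id: value}); header offsets are ignored."""
    head = re.search(r"ANSI (\d{6})(\d{2})", payload)
    if not head:
        raise ValueError("missing 'ANSI ' header")
    fields = {}
    for seg in re.split(r"[\n\r\x1e]", payload):
        # The header runs straight into the first element of the DL/ID subfile.
        m = (re.search(r"(?:DL|ID)(D[A-Z]{2})(.+)", seg) if seg.startswith("ANSI ")
             else re.match(r"(D[A-Z]{2})(.+)", seg))
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return int(head.group(2)), fields

def parse_dob(raw):
    """Accept MMDDCCYY or CCYYMMDD; return a date, or None if neither fits."""
    for y, m, d in ((raw[4:8], raw[0:2], raw[2:4]), (raw[0:4], raw[4:6], raw[6:8])):
        try:
            cand = date(int(y), int(m), int(d))
        except ValueError:
            continue
        if 1900 <= cand.year <= date.today().year:
            return cand
    return None

def barcode_identity(payload):
    """Map either layout onto one set of comparable fields."""
    _, f = parse_payload(payload)
    if "DCS" in f:
        last, first = f["DCS"], f.get("DAC", "")
    else:  # older layout: DAA holds "LAST,FIRST,MIDDLE"
        last, first = (f.get("DAA", "").split(",") + [""])[:2]
    return {"number": f.get("DAQ", ""), "last": last.strip().upper(),
            "first": first.strip().upper(), "dob": parse_dob(f.get("DBB", ""))}

def cross_check(payload, ocr):
    """Return the sorted field names where barcode and OCR disagree."""
    bc = barcode_identity(payload)
    return sorted(k for k in bc if bc[k] != ocr.get(k))
```

An empty result only means the front and back of the card agree with each other; a missing barcode element is reported as a mismatch so that an unhandled layout fails closed.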
I went to a bar/restaurant in Utah recently that scanned everyone's IDs at the entrance - their little handheld reader pulled my name and computed my age from the barcode on the back of my NC DL. They said it works for most states, but it didn't work on a friend's from MN.
Edit: Also, the new (ugly, pastel-ey) NC drivers licenses also appear to have a 1-D barcode on them as well
I was poking around for fun a while ago looking into the barcode and you could buy scanners that could read from NC IDs but they weren't free/cheap.
I haven't seen a new ID, haven't bothered getting a new one since I turned 21 a few years back so I have no idea what the newer ones have or don't have.
Reading through the comments I'm enjoying thinking about this as an elaborate honeypot set up by a state actor for recruiting. Looking forward to the longform Wired article in a few years!
Their privacy policy looks like a standard web site privacy policy. It says nothing about how they handle ID data. That's a big deal, because Confirm is handling personal data that isn't about Confirm's own customers. This can create liability for Confirm or Confirm's customers under various identity theft laws.
Here's their founder: [1]
[1] https://www.linkedin.com/in/kylekilcoyne