Conflating credit card #'s and personal biometrics/SSNs is your first mistake. You think they are the same, they feel the same, but the risk to the customer is so much bigger.
When a hotel copies my passport, they get a jpg. If they use Stripe, now I know they have my biometrics serialized to JSON. That feels way riskier and scarier to me, especially now that it's all centralized by Stripe.
We hear about our personal data getting leaked and hacked every day, and here is Stripe making themselves an enormous target and serializing all the data for malicious actors.
This feels like a really tone deaf misstep by the company.
Hotels don't even get a full copy of passport but a redacted version of my passport. That's my government's guidance only select entities should get unredacted copies.
If not possible, I should mark the copy to the specific user.
I’m an engineer on the Identity team. There are two somewhat separate questions here. (1) Whether the business should ever have access to this data. And (2) how exactly the business should access that data and the security properties around it.
On (1) this data is fundamentally the user’s, and there are often important compliance reasons as to why the user needs access to the raw data because of obligations that they themselves are subject to. It’s important to remember that you should trust both Stripe and the business that’s asking you to verify your identity. They are in control of explaining to you how they are using this data and giving you an option to opt out—or lose you as a customer.
On (2) we’re working on a way to restrict access via secret keys very soon.
How large percentage of Stripe
Identity customers do you foresee actually are required by legal regulation to retain all this information, as opposed to verifying certain aspects of an individual, as opposed to wanting it and likely handling it in ways violating GDPR and similar regulation?
I’d argue that before Stripe sends any PII other than validation results to a customer, it needs to verify that the business indeed is under regulatory requirements to gather this data, and only sell the required part.
Alternatively, you could invert the process, allowing integrating businesses to send documents to Stripe, who replies if they’re legit or not.
Finally, if there is a need for sharing data with customers for e.g. KYC, shouldn’t this be priced significantly higher than verification/validation, so that Discords and Clubhouses can’t justify it from a business perspective?
What is the reasoning for doing neither of the above?
Right but -- the attack vector is different. Scan/parse 10000s of JPG, and all that jazz -- to get identites. Not Trivial. Or if the hotel stored the copy as a physical photo copy -- you're not bulk scanning 10k pieces of parchment at super speed for your identity-theft ring.
But download JSON blobs? From 10k records the hotel didn't store properly (cause they are not IT experts, or don't have experts at close hand) -- if you get in to their system the JSON is loads easier to parse than the JPEG.
But like one of the Identity team folks said, the hotel would only have the OPTION to download and store those blobs. They aren't required to, and I'm assuming they would not. They'd be happy with the verification result and letting Stripe handle storing the PII.
Speaking from experience as we use Stripe Identity, and love not having to store the PII.
Isn't the problem that businesses are required to store this type of information (kyc verification information)? At what point are we going to have a logical system for verifying identity that doesn't require transferring the same list of data that every other 3rd party you've verified with also has?
One of the challenges the EU often has when negotiating is dealing with the need for consensus among their 27 member states, and trying to reflect so many diverse political desires in negotiations.
While the result is a "civil service" style European Commission, the end result is generally some kind of compromise or "average". It's hard for the EU to conduct a negotiation over vaccines when there's national interests lobbying for bulk buying of French candidate vaccines vs. German-made vaccines etc.
This makes it far harder for them to negotiate anything, unless they can all pre-arrange their own position. As soon as their desires diverge, the negotiation gets much harder for them, as they have to try and negotiate a compromise position that keeps everyone equally unhappy.
Isn't this because the EU let the US/UK take priority of production? I was under the impression AZ was filling their fulfillments to US/UK just fine. This seems like EU just couldn't keep up in the horse race negotiating.
This is still the subject of debate, and, at some point, possibly a matter for the courts.
What has emerged more recently is that the UK contract was, in contradiction of earlier statements, signed a day after the EU contract.
The UK contract's text was also leaked somewhat accidentally, and it is almost identical to the previously-released EU contract. I've looked at them side-by-side and I'm just not enough of an armchair lawyer to make too much sense of 60-page contracts, but I couldn't quite see how the existing differences would constitute any clear priority for the UK.
The UK signed a day later than the EU (August 28th vs 27th), but that was the 2nd agreement. They already had one in May last year that legally committed AZ to "a dedicated supply chain for the UK".
The UK contract says the supply chain "will be appropriate and sufficient", and the EU one talks about "best reasonable efforts".
The UK contract gives the power to penalise for non-delivery, whereas the EU one waives all rights to sue other than for bad production practices or wilful misconduct - and even then all it can do is withhold money.
The EU also agreed in regard to other contracts (eg the UK one) that when being "impeded by any such competing agreements, AstraZeneca shall not be deemed in breach".
Given that (plus the AZ vaccine belongs to a UK university and the UK government has been on the decision board for the project since April 2020) it was inevitable which 'side' would go short if production slowed.
Thanks! Your post is definitely not too biased, and I am far from having confidence in any particular opinion regarding this affair. The two separate agreements, for example, weren’t mentioned before it became convenient to do so after the date of the supposedly second agreement was leaked against their wishes.
From the EU’s point of view, one might wonder if any prior agreement with a potential to interrupt supplies should have then been disclosed during negotiations. Maybe there was no legal requirement to do so, but I wonder how good a strategy that is in a long-term game against a party that literally makes the law.
The EU can be legally inept, as we’ve learnt, in everything that isn’t Brexit. AZ might allow us to learn how good they are at what’s, conversely, been the Brexiteers’ domain so far, carrying grudges.
I should withdraw my point about competing agreements (I cannot edit it now). As has been pointed in another comment - https://news.ycombinator.com/item?id=26350113 - there is a better reading which changes the context of the 'breach' being discussed.
I have been following this quite closely, and this is complete new to me. I would really like to see a source on this, otherwise it should be considered false information.
“Assume good faith” is among the site rules here, so if you have doubts you’re free to do a quick Google search and come back with proof of any lies ou may suspect,or to shut up.
Context is important, as outlined from the article:
> However, the key lies in an earlier agreement that AstraZeneca made back in May with the U.K., which was a binding deal establishing “the development of a dedicated supply chain for the U.K.,” an AstraZeneca spokesperson said.
One official close to the U.K. contract said the agreement began as an email in April from the U.K. government saying it would provide £65 million to help the University of Oxford execute its production plan. It later evolved into a fully-fledged contract between the government and the British-Swedish company, which also might explain why it took until August for the contract to be signed.
Most important, however, is that it meant that the British government was “effectively a major shareholder” in the jab’s development as early as April. After Oxford and AstraZeneca agreed to team up at the end of April, for example, the British government filled seats on Oxford-AstraZeneca joint liaison committees.
“Protecting the U.K.‘s supply was a central objective ... as that was being negotiated from April onwards,” the official said. Even though this isn't explicitly stated in the contract, the official said that the government’s role in the early stages of the vaccine meant “there is absolutely no way that AstraZeneca would have been able to enter a contract which gave away equal priority of access to the U.K. doses.”
This British supply was therefore already secured by the time four EU countries — Germany, the Netherlands, France and Italy — signed an agreement in June to obtain up to 300 million doses of the vaccines. The countries’ deal at the time was a fairly bare-bones agreement, and it’s unclear whether it established a European supply chain, but over the summer it was transferred into the formal purchasing agreement managed by the Commission.
Now all of the sudden agreements with UK and US are fulfilled and with EU are not.
Countries are currently outbidding each other and stealing the supplies. It was naive of EU bureaucracy to think that the cheapest price is the priority.
I keep seeing it mentioned that the US agreement is being fulfilled. I've seen nothing about AZ being delivered to the US, and it isn't even approved yet.
I think the main point of that particular argument is that folks in the UK claimed that "they came first" while EU reps said "doesn't matter who came first, what matters is what the contracts say". (I tend to agree with the latter)
There's some minor amount of irony if the UK contract really was a day later than the EU's (in a 3 year old screaming "gotcha" kind of way), but it still shouldn't change a thing about who gets how many vaccines at which point in time.
In the end it seems to boil down to AZ not meeting the numbers they promised and having to cut corners _somewhere_, and the EU doesn't want to be the one bearing the load - at least not alone: other vaccine suppliers cut down deliveries due to production issues as well (e.g. biontech/pfizer, also due to retooling a Belgian factory), but they split it across the board and apparently handled that transparently with all customers. What goes around comes around, and so that was a pretty painless experience for all involved.
With AZ there was the additional complication that the company is part British (and it's generally presented as a British company only) and those contractual disagreements happened in parallel to those other contractual disagreements between the EU and Brits about shipping goods, so there was already a higher base temperature in the public discussion of the AZ delivery schedule.
Yeah, I was mainly just commenting on the US aspect of it. Seems like it's just being thrown in there because it helps some sort of narrative that has no basis in reality.
The USA had this position from the outset, everyone was able to plan around it. I don't think it was the best position, but I think there is value in making its position clear.
This move by the EU just shows Van der Leyen's floundering and the EU showing again the limits of its efficacy as a governing organization.
My question for these kinds of complaints is, how do is it proposed we implement the same features and value that can be provided currently, with fewer downloas?
Could we have Facebook without a huge download? Is this saying the web should not have these features? Are we intended to download each new application separately on a PC like we do mobile?
I see so many complains about "the bloated web", but no solution that let's us keep the tremendous value the internet has given to the world. It just comes across so short-sighted and reactionary.
When a hotel copies my passport, they get a jpg. If they use Stripe, now I know they have my biometrics serialized to JSON. That feels way riskier and scarier to me, especially now that it's all centralized by Stripe.
We hear about our personal data getting leaked and hacked every day, and here is Stripe making themselves an enormous target and serializing all the data for malicious actors.
This feels like a really tone deaf misstep by the company.