Why Uploading Your ID Online Is Risky — And What to Do Instead
August 6, 2025
So, Another Website Wants a Photo of Your ID. Let’s Talk About Why That’s a Terrible Idea.
You know the moment. You’re signing up for some new, hyped-up service—a dating app, a crypto exchange promising to make you rich, maybe even a game—and then you hit the wall. “To continue, please upload a photo of your government-issued ID.”
My stomach drops every time I see it.
As an engineer who has spent over a decade building, breaking, and fixing systems that handle user data, that prompt doesn’t just feel invasive to me. It feels reckless. It’s a sign that I’m about to hand the digital keys to my life over to a system that I have zero visibility into, built by a team I don’t know, who are probably underpaid, overworked, and just trying to ship the next feature before their deadline.
And you, the user, are stuck. You just want to use the thing. Do you really have to trade a copy of your driver’s license for it?
The answer is complicated, but here’s the short version: The current standard for age verification is broken, lazy, and puts all of the risk on you. But you’re not helpless. Let’s pull back the curtain on this whole mess. I’ll show you what’s really happening on the other side of that “Upload” button, the corners that get cut, and how you can navigate this without giving away your identity.
1. Why Is Everyone Suddenly Asking for My ID?
Let me translate the corporate-speak for you. This surge in ID verification isn’t happening because companies suddenly developed a conscience about protecting kids. It boils down to two things: lawyers and liability.
Some new regulation like COPPA in the U.S. or GDPR and AVMSD in Europe gets passed, and a wave of panic ripples through every legal department. I’ve seen the frantic Slack messages from the legal team: “Are we compliant?! The new EU directive requires ‘robust’ age verification! What are we doing about it?!”
And what does “robust” mean to a company that just wants to cover its ass? It means outsourcing the problem to the most stringent, high-friction method they can find: making you upload your passport. It’s not about what’s best for you; it’s about what their lawyers can point to in a courtroom and say, “See? We did the most we could.”
So you see it everywhere: Tinder wants your ID to prove you’re not a teen. A gaming platform wants it before you can turn on the in-game blood effects. Coinbase wants it because financial regulations demand “Know Your Customer” (KYC) checks.
The tension is obvious. They have a legal problem, and their solution is to make it a privacy and security nightmare for you. It’s the laziest path of least resistance for them, and the most dangerous one for you.
2. The Messy Reality of Where Your ID Actually Goes
Okay, so you clicked “upload.” You snapped a photo of your license, the upload bar finished, and you moved on. Here’s what you didn’t see.
That image of your ID—with your full name, home address, date of birth, license number, and signature—is now a file, probably a jpeg or png, sitting on a server somewhere. And “somewhere” can get real sketchy, real fast.
It’s Not Just Their Server
Most companies don’t build their own ID verification systems. Why would they? It’s a headache. Instead, they pay a few cents per check to a third-party service. So, your ID is immediately piped through an API to some other company you’ve never heard of. Now your data exists in at least two places. We once integrated a service like this, and their documentation was a mess. Their security posture? We basically had to take their word for it. Our product manager just cared that it was cheap and “worked.”
Your ID image might be sitting in an Amazon S3 bucket, a Google Cloud Storage folder, or some Azure blob. Was that bucket configured correctly? I’ve personally discovered production S3 buckets left publicly accessible more times than I care to admit. It’s one of the most common, and most devastating, security screw-ups. A single typo in a configuration file, and suddenly every ID is open to the entire internet.
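Here is what checking for that mistake can look like. This is an added example, not code from any company mentioned here: it audits a bucket policy document plus the bucket's Block Public Access settings. The policy, bucket name, and account ID are constructed sample data, and the function names are my own.

```python
import json

# Constructed sample policy: one scoped statement, one accidental public read.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "AppRole", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:role/kyc-app"},
   "Action": ["s3:GetObject", "s3:PutObject"],
   "Resource": "arn:aws:s3:::example-id-uploads/*"},
  {"Sid": "Oops", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject",
   "Resource": "arn:aws:s3:::example-id-uploads/*"}
]}
""")

# The four S3 Block Public Access settings; all should be true for ID storage.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def is_wildcard_principal(principal):
    """True for "Principal": "*" and for {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False

def public_statements(policy):
    """Sids of Allow statements open to everyone with no Condition attached.
    Wildcard statements that do carry a Condition still need a human review."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s.get("Sid", f"#{i}") for i, s in enumerate(stmts)
            if s.get("Effect") == "Allow"
            and is_wildcard_principal(s.get("Principal"))
            and not s.get("Condition")]

def audit_bucket(policy, public_access_block):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = [f"public Allow statement: {sid}" for sid in public_statements(policy)]
    missing = [f for f in PAB_FLAGS if not public_access_block.get(f, False)]
    if missing:
        findings.append("Block Public Access not fully enabled: " + ", ".join(missing))
    return findings

if __name__ == "__main__":
    print(audit_bucket(SAMPLE_POLICY, {"BlockPublicAcls": True, "IgnorePublicAcls": True}))
```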
You’ve Just Handed Over the Keys to Your Kingdom
We get so used to data breaches that we’ve become numb to them. “Oh, my email and password leaked from another service. I’ll just change my password.”
This is not that.
You can’t change your date of birth. You can’t easily change your driver’s license number. Once a criminal has that data, they have the “secret questions” to your entire life. They can try to open credit cards, file for unemployment in your name, or take out loans.
I have a friend who spent two years untangling his life after his identity was stolen from a much smaller breach than this. It wasn’t just the money. It was the hours on the phone with credit agencies, the constant paranoia, the feeling of being violated. The emotional toll is the part nobody talks about.
Startups Move Fast and Break Things (Like Your Security)
I love the energy of startups, but let’s be honest. When you’re a 10-person company trying to find product-market fit before the money runs out, robust security is often one of the first “best practices” to get thrown out the window.
I’ve seen it all: ID images stored unencrypted to “make it easier for the support team to access.” Devs using a shared admin password for the production database that was literally password123. Credentials for third-party services checked into a public GitHub repository. These aren’t hypothetical stories I read in a security blog; this is the messy, terrifying reality of how software often gets built.
Do you trust that brand-new, flashy app with your permanent identity record? I sure as hell don’t.
3. The “Oh Sh*t” Moment: When It All Goes Wrong
The risks aren’t theoretical. Let me tell you what a data breach feels like from the inside.
It usually starts with a weird tip, maybe an email from a security researcher or a customer complaining on Twitter that they found their data somewhere strange. Then, the panic sets in. You’re in a digital war room at 2 AM, chugging coffee, frantically digging through logs trying to figure out how bad the damage is.
I was part of a cleanup effort once where we discovered an old, forgotten database backup was left on a misconfigured server. It contained copies of thousands of user IDs that were supposed to have been deleted years ago according to our privacy policy. We followed the “best practice” of deleting the live data, but a junior engineer had made a backup for a migration test and never cleaned it up. That one mistake sat there like a time bomb for three years.
For the users whose IDs were in that dump, the consequences were real. We saw evidence of their info appearing on dark web forums, sold in a package for less than the price of a pizza. These weren’t just faceless users; they were people who trusted us. People who had uploaded their passports to access adult content, only to have that information exposed and used to try and blackmail them.
It’s a gut-wrenching feeling, knowing your code, or your team’s mistake, led to that kind of violation. It’s the reason I’m so paranoid now.
4. The Frustrating Part: We Have Better, Safer Tools
Here’s what really gets me: we don’t have to do it this way. The technology exists to verify age without forcing you to hand over your entire identity. Companies are just too lazy or cheap to implement it.
The “Bouncer” Method (Third-Party Verifiers)
Think of a bouncer at a bar. They look at your ID, see you’re over 21, and hand it back. They don’t take a photocopy and file it in a cabinet behind the bar. That’s how services like Yoti work. You create a secure digital identity with them once, and then they can just send a simple “Yes, this person is over 18” confirmation to the app you’re using. The app never sees your ID, your address, or your actual birthday. It’s simple, it’s more secure, but it requires companies to actually care enough to integrate it.
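To make the bouncer idea concrete, here is an added sketch of the exchange (my own illustration, not Yoti's protocol or API). The verifier sees the birth date and emits only a short-lived yes/no claim bound to one app and one session; the app checks the claim and never receives the birthday. HMAC with a shared key is an assumption to keep this standard-library only; a real verifier would sign with an asymmetric key so the app cannot mint its own claims.

```python
import base64, hashlib, hmac, json
from datetime import date

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def age_on(born: date, today: date) -> int:
    # Subtract one if this year's birthday has not happened yet.
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))

def issue(key, born, today, audience, nonce, now, ttl=300):
    """Verifier side: the birth date goes in, only a boolean comes out."""
    claims = {"over_18": age_on(born, today) >= 18,
              "aud": audience,    # which app this answer is for
              "nonce": nonce,     # ties the answer to one signup session
              "exp": now + ttl}   # short lifetime limits replay
    body = b64e(json.dumps(claims, sort_keys=True).encode())
    tag = b64e(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"

def verify(key, token, audience, nonce, now):
    """App side: accept only an authentic, fresh, correctly addressed 'yes'."""
    try:
        body, tag = token.split(".")
        expected = b64e(hmac.new(key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(tag, expected):
            return False
        claims = json.loads(b64d(body))
    except (ValueError, TypeError):
        return False  # malformed token
    return (claims.get("aud") == audience and claims.get("nonce") == nonce
            and claims.get("exp", 0) > now and claims.get("over_18") is True)

if __name__ == "__main__":
    key = b"demo-key-constructed-for-example"  # constructed sample key
    tok = issue(key, date(1990, 5, 1), date(2025, 8, 6), "app.example", "sess-1", now=1000)
    print(json.loads(b64d(tok.split(".")[0])))  # no name, address, or birthday
    print(verify(key, tok, "app.example", "sess-1", now=1100))
```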
Facial Age Estimation (It’s Less Creepy Than It Sounds)
This one feels a bit Minority Report, but it’s a hell of a lot better than the alternative. You take a selfie, and an AI model estimates your age from your facial geometry. It doesn’t know who you are, it just makes a guess: “This face is likely between 25-30.” The photo is analyzed and then immediately discarded. No name, no ID number, no permanent record. It’s not perfect—these systems can have biases—but it’s a massive step up in privacy.
You Have More Power Than You Think
Push back. If a service demands your ID, ask them why. Send an email to their support. Ask them:
- “How long do you store my ID data?”
- “Is it encrypted at rest?”
- “Do you share it with any third parties?”
- “What is your data deletion process?”
Their response (or lack thereof) will tell you everything you need to know about how seriously they take your security. If their answer is a canned, vague paragraph about “taking your privacy seriously,” run.
5. My Personal, Paranoia-Fueled Checklist for Staying Safe
Look, you can’t be 100% safe online unless you go live in a cabin. But you can be smarter than the average user. Here’s what I do:
- Do a Vibe Check. Before you upload anything, look at the site. Does it look like it was built in 2003 and never updated? Is the privacy policy a broken link? Do they have a real physical address listed? If it feels sketchy, it is sketchy. Trust your gut.
- Use Burner Emails. I use services like SimpleLogin or Firefox Relay to create a unique email alias for every single service I sign up for. If that service gets breached or sells my email, I just nuke the alias. My real inbox stays clean.
- Leave Fields Blank. My rule: if a field isn’t required (i.e., doesn’t have a red asterisk), I leave it empty. No, you don’t need my phone number for me to play your silly mobile game.
- Know Your Rights (and Use Them). Laws like GDPR (Europe) and CCPA (California) are your weapons. They give you the right to demand that companies delete your data. When I’m done with a service that has my info, I don’t just delete my account. I go find the “Data Deletion Request” link in their footer and formally request they wipe my data. It’s a pain, but it’s worth it.
Your ID is Not a Username
This whole situation keeps me up at night. We’re training a whole generation of internet users to believe that handing over a copy of their most sensitive document is a normal, acceptable part of being online. It’s not.
Your identity is the root key to your entire life. It deserves to be protected with the same ferocity as your bank account password or your house keys. Companies that ask for it need to earn that trust, and right now, most of them haven’t.
Demand better. Vote with your feet and choose services that respect your privacy. And for the love of God, think twice before you hit that upload button. Your future self will thank you.