3

Recently I've had two nonprofit organizations ask me to email them a photo of my driver's license. No money is changing hands, and both of these are legitimate and well-known nonprofits.

Organization A wanted me to sign a document with a notary, but they also wanted me to email them a photo of my driver's license. This seemed weird to me, since it's the notary's job to check my ID. I told them that for security reasons I didn't want to email my driver's license, at which point they refused to go forward, which was OK with me.

Organization B is one that I'm going through a training process to volunteer with. This involves working with foster youth, and they have background checks, fingerprinting, and checks on my driving record. I assume they want my driver's license in order to verify my identity. (I would imagine that since they're getting my DMV records, they will be able to verify that I'm a licensed driver.) I explained my concerns about security and identity theft: that unencrypted email isn't secure, and that the image of my ID would potentially wind up on a bunch of different devices (server, desktop, phone), whose security could later be compromised. I suggested a couple of alternatives: snail-mailing them a copy, or doing a zoom call and holding the card up to the camera (while asking that they not take a screenshot).

Are my concerns reasonable? Are my suggested alternatives good ones?

I trust the intentions of the people making the requests, I just don't trust their knowledge of computer security and their ability to keep my information secure once it's on some random collection of devices, some of which may be people's phones, or devices managed by third parties.

1 Answers1

1

Your concerns are reasonable if the server you/they are using isn't using an encrypted channel to communicate. However, if your concerns are your private information, the security risk of an employee that takes a picture of your license and save it to his, hypothetically, backdoored computer isn't much different from using an unencrypted connection. You are just assuming that the employee is honest enough to accommodate your request to not take screenshots.

void
  • 11
  • 1
  • I think these people are trustworthy. I trust their intentions, I just don't trust their knowledge of computer security and their ability to diligently manage my information once it's on some random collection of devices controlled by them, their employees, and whoever supplies their apps and server stuff. –  Jan 14 '21 at 18:25
  • Your trust on them and their honest intentions aren't enough to guarantee that your information will be delivered unsniffed. The employee's machine could be infected with a malware that take desktop screenshots every N seconds. If there aren't other ways, like phisically delivering your ID, i think you should blindly put some trust on them. – void Jan 14 '21 at 18:39