[members-discuss] End user (natural person) ID check: sensitive documents stored to "idenfy.com" ?

Dear members,

One of our primary objectives is to ensure an accurate registry. As
part of this, we need to perform due diligence checks to verify all
resource holders [1] and to determine the legitimacy of requests that
we receive. We carry out these verifications both reactively when
evaluating resource requests or providing support, and proactively
(e.g. through our Assisted Registry Checks [2] or when notified by our
registry data monitoring system about a potential change to a resource
holder’s data). For natural persons, there are no public records, so
we need to verify their existence by asking for an identification
document. To be most effective, we use the third-party service iDenfy
to validate these documents.

We began using iDenfy in 2021 to automate some of our verification
processes in the Registry. Prior to this, we were manually verifying
identification documents, which took a great deal of time and effort
from our Registry staff. I will publish a RIPE Labs article very soon
that shares more insights into Registry workloads. We announced our
switch to using this third-party service also in a RIPE Labs article,
which goes into more detail about the process and why we chose this
platform [3].

iDenfy is based in the EU and is therefore also subject to GDPR. They
delete all IDs 14 days after being submitted.

Using this tool actually makes it easier for us to ensure GDPR
compliance as well as having more accurate identity checks. It also
allows us to complete these checks much more quickly and reduces
costs, which is a priority for us.

Please let me know if you have any further questions about our
identity verification process.

Kind regards,
James Kennedy
Chief Registry Officer
RIPE NCC
—------

[1] Due Diligence for the Quality of the RIPE NCC Registration Data:
https://www.ripe.net/publications/docs/ripe-791/
[2] Assisted Registry Checks:
https://www.ripe.net/manage-ips-and-asns/resource-management/assisted-registry-check/
[3] Using Third Parties to Automate Our Due Diligence:
https://labs.ripe.net/author/felipe_victolla_silveira/using-third-parties-to-automate-our-due-diligence/


On Fri, 26 Apr 2024 at 10:33, Lennart Seitz via members-discuss
<members-discuss at ripe.net> wrote:
>
> Hi,
>
> i was also quite shocked to see that such critical data is outsourced to
> 3rd party. Isn’t the Sponsoring-LIR supposed to check the identity of
> the End-user? Why is an additional check via a 3rd party necessary?
>
> Also interesting to notice on this topic: for other legal form (for
> example GmbH), a registration paper is authorization enough. This can be
> grabbed publicly (atleast in Germany) by everybody for a few bucks. Why
> is it required for End-users to upload sensitive documents while for
> other legal forms, public available information is enough?
>
> BR,
> Lennart
>
> Am 26.04.2024 um 09:15 schrieb Maxi:
> > Idenfy is used for an amount of time. Atleast one year.
> >
> > Idenfy themself state that they delete the data right after verification.
> >
> > See here https://www.idenfy.com/security/
> >
> > However… that is all payed for by the LIRs. It would there for be nice
> > to integrate it in a way, that the LIRs could use the information for
> > their contract themself. As in we can get access to the result to
> > fulfill the standard agreement.
> >
> > It’s a waste of resources to require an identification from the LIR
> > just to then do another one.
> >> On 25. Apr 2024, at 17:19, Clement Cavadore via members-discuss
> >> <members-discuss at ripe.net> wrote:
> >>
> >> Dear all,
> >>
> >> I, as LIR, have received requests from RIPE NCC, as they are running a
> >> project to verify all the resource holders registered with them, to
> >> check the ID of some of our end users (natural persons). We have been
> >> provided links to a third party organization which (I think) runs ID
> >> check on behalf of RIPE NCC.
> >>
> >> The URL for those check is ivs.idenfy.com/<something>.
> >>
> >> The fact is that:
> >> - We do not have any information regarding how those sensitive
> >> documents are processed (and stored ?)
> >> - the URL is hosted bedhind an AWS URL, and this is not really an
> >> acceptable solution for RGPD.
> >>
> >> Could we please have more infos on this ?
> >>
> >> Thanks in advance
> >>
> >> Clément Cavadore
> >>
> >> _______________________________________________
> >> members-discuss mailing list
> >> members-discuss at ripe.net
> >> https://mailman.ripe.net/
> >> Unsubscribe:
> >> https://lists.ripe.net/mailman/options/members-discuss/maxi%40zeug.co
> >
> > _______________________________________________
> > members-discuss mailing list
> > members-discuss at ripe.net
> > https://mailman.ripe.net/
> > Unsubscribe: https://lists.ripe.net/mailman/options/members-discuss/mail%40lseitz.de
>
> _______________________________________________
> members-discuss mailing list
> members-discuss at ripe.net
> https://mailman.ripe.net/
> Unsubscribe: https://lists.ripe.net/mailman/options/members-discuss/jkennedy%40ripe.net