> The ID is immediately deleted. We do not keep any information around like your name, the city that you live in, if you used a birth certificate or something else, any of that information.
Everyone says this, including the TSA. But they never say they don't keep a hash, or an eigenvector of your biometric. Which is equally as important.
They also never say it goes through datacenters in room 641A or though Utah before it's "deleted", because it's a US company and they can't refuse that.
In case someone is unaware, 641A and Utah and both references to the US mass surveillance systems in this context. Specifically interceptors that a company wouldn't be able to prevent from saving your data for the few seconds they need to process and delete it
I might be misremembering, but AFAIK, that kind of surveillance mostly worked because many companies didn't bother encrypting datacenter-to-datacenter traffic, thinking that those networks are trusted. That mistake has since been rectified though.
With almost everything going over TLS these days and HTTPS being the norm, even for server-to-server APIs, it's much harder to snoop on traffic without the collaboration of one of the endpoints, and the more companies you ask for that kind of collaboration, the higher your risk of an unhappy employee becoming a whistleblower.
That's also about US companies that can't refuse or can't bother to challenge that a dragnet is set up in their process.
ISPs themselves didn't save any data.
However, they gave interception rooms to the NSA (which is indeed technically not them).
Nowadays ISPs aren't the right scale to do it for the reasons you mentioned. But the USA lowkey moved the dragnet to the main datacenters with prism, then made it mandatory for all with the CLOUD act.
And if the threat is not coming from the USA, but some other country starts to ask Discord to BCC them the IDs of their citizens, we can do the odds on whether Discord will challenge it or not.
Now I want to ask Discord who is their third party provider ? Why don't they process IDs themselves ?
Unless you use Cloudflare (or roughly any other DDOS protection system), in which case you're letting those companies MITM all requests on purpose. Protected between you and Cloudflare by PFS and any other acronym you like.
I think the odds that Cloudflare hasn't been forced into data snooping by the government are approximately zero. It's the by far the biggest, juiciest target.
Everyone says this, including the TSA. But they never say they don't keep a hash, or an eigenvector of your biometric. Which is equally as important.