this post was submitted on 16 May 2026

286 points (99.7% liked)

Technology

84699 readers

4313 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related news or articles.
Be excellent to each other!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
Check for duplicates before posting, duplicates may be removed
Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago

MODERATORS

L3s@lemmy.world

enu@lemmy.world

technopagan@lemmy.world

L4s@lemmy.world

L3s@hackingne.ws

286

A hotel check-in system left a million passports and driver's licenses open for anyone to see | TechCrunch (techcrunch.com)

submitted 1 day ago by fne8w2ah@lemmy.world to c/technology@lemmy.world

26 comments fedilink hide all child comments

top 26 comments

sorted by: hot top controversial new old

[–] HasturInYellow@lemmy.world 80 points 1 day ago (1 children)

What!? One of the thousands of separate and individually "secured" systems that you have to give your information to on a daily basis failed? But how could this be? Everyone knows having 1747627994 points of possible failure is the only way to ensure digital security!

[–] pingu@piefed.europe.pub 13 points 1 day ago (3 children)

Sovereign identity and Solid are the way. But governments will have to play a role in large scale implementation.

For some reason people seem to trust commercial organizations with misaligned incentives over governmental bodies.

[–] Electricblush@lemmy.world 6 points 20 hours ago* (last edited 20 hours ago) (1 children)

To be fair, some people have less reason to trust their government with their data, then others.

There are varying degrees of trust in authorities in the world.

For nations with high confidence and trust in the authorities, this feels like a no-brainer.

[–] pingu@piefed.europe.pub 1 points 17 hours ago

Agreed. Although confidence and trust sometimes misalign with actual actions and results.

[–] Electricblush@lemmy.world 3 points 20 hours ago* (last edited 20 hours ago)

Eu is working on a digital wallet that would (among other things) help with this.

Afaik It has a tiered information/identity structure, where the lowest level is: "is this a human being" (as an alternative to captcha)

Then you could have age. (Just "is this person above %age") Response would be just yes/no

Then spesific age, nationality etc etc.

You get the prompt, where it says what data they are asking for and you can concent or decline.

The source of authority would be the nation you are a citizen of, the origin of data would be obscured through EU proxies, and data would only be transferred if you approve the transaction from your app.

It's a pretty big and ambitious project and could eventually lead to a lot easier transfer of sensitive data, where you are in control of who gets what and less need to store local copies of sensitive data. (An example usecase is for instance confirming a prescription to a drug for a pharmacy while traveling abroad).

Biggest risk as i see is people confirming data request without scrutiny. There needs to be mechanisms to aggressively revoke the ability to ask for data if abused. And I would assume the requirements to what org can ask for high tier data are really strict.

Going to be interesting to see what comes of it.

[–] nomy@lemmy.zip 1 points 20 hours ago

For some reason people seem to trust commercial organizations with misaligned incentives over governmental bodies.

Governments have a monopoly on legal violence.

[–] solrize@lemmy.ml 32 points 1 day ago (2 children)

The hotel check-in system, called Tabiq, is maintained by the Japan-based tech startup Reqrea. According to its website, Tabiq is used in several hotels across Japan and relies on facial recognition and document scanning to check guests in.

They left an S3 bucket open.

[–] Wispy2891@lemmy.world 2 points 20 hours ago

this is why other s3 compatible servers like garage intentionally ignore admin commands to leave a bucket open, it's simply not possible as there's no valid reason except developer laziness

[–] VivianRixia@piefed.social 3 points 1 day ago

This is surely a joke post, please tell me this is not actually the cause... *reads article*... it's the cause... *sigh*

[–] pineapplelover@lemmy.dbzer0.com 5 points 20 hours ago (1 children)

I'm extremely avoidant of anybody that even ask for ID. If any private business asks me, I say I don't have a driver's license and usually get away with it

[–] kent_eh@lemmy.ca 2 points 16 hours ago

I'm extremely avoidant of anybody that even ask for ID.

I don't even give them my phone number when getting a haircut.

[–] gedfromgont@piefed.ca 29 points 1 day ago (1 children)

So is this legally different than making a photocopy of your passport? Since that is supposedly not allowed but in the moment you are asked you are obviously going to comply as you really need a place to stay. If it is not I hope this company gets into the legal drama they deserve.

[–] mokey@therock.fraggle-rock.org 4 points 1 day ago (1 children)

Not allowed where?

[–] jaybone@lemmy.zip 2 points 1 day ago

My Nigerian scammer has a copy of my passport. Nbd

[–] Bieren@lemmy.today 1 points 21 hours ago

I’ve gotten to the point I don’t care anymore. All of my data and info is already out there. Been leaked and sold by so many times and waya. Not like I can do anything about it. Just hope that of the millions of other id’s out there mine isn’t the one someone uses.

[+] EvergreenGuru@lemmy.world -9 points 1 day ago (1 children)

His is why digital ID is bad.

[–] Electricblush@lemmy.world 16 points 1 day ago* (last edited 20 hours ago) (2 children)

No. A properly managed eid system like the EU digital wallet would be better.

You would not hand over any document to the hotel. They would ask the central authority server if you are who you claim. You would get a prompt to confirm that you allow the hotel to confirm your identity. The server would respond, yes you are indeed that person. End of transaction.

No data would be left to whatever security standard (or lack there of) that the hotel has. No critical documents stored on their end.

[–] NewNewAugustEast@lemmy.zip 2 points 22 hours ago* (last edited 21 hours ago) (1 children)

Whatever happened to just here is my money I will stay here and be done? Why does the hotel need to give a shit who i am that I am staying?

[–] Electricblush@lemmy.world 5 points 21 hours ago* (last edited 20 hours ago) (1 children)

Laws requiring Hotels identify their guests. This is a requirement for several reasons.

Some of which are visa requirements for foreign visitors, making it harder to use fake guests to launder money, in addition to several other uses of hotels by criminals (including prostitution) leaving a paper trail for authorities to follow up on.

[–] NewNewAugustEast@lemmy.zip 0 points 21 hours ago* (last edited 20 hours ago) (1 children)

Been awhile since I have been to the EU, that sounds like something stupid they would do. I imagine it would be France and Germany mostly.

Several countries I have been to recently I haven't even talked to anyone at the hotel, which is nice. I don't have to see the front desk at all, and the bell hop doesn't care.

Again, why can't I just pay and stay? It may be laws, but I am sick of this bullshit. People should be able to travel without state violence used against them.

And as we can see here, gathering information by the hotel is a horrible idea.

[–] Electricblush@lemmy.world 2 points 20 hours ago* (last edited 20 hours ago)

I've edited my response to include some of the reason some countries require the Hotels to identify their guests.

It can also be a liability/insurance requirement in case of fires or other accidents.

Many countries have several mechanisms to have a certain control of the movement of foreign nationals within their borders. Especially if they have problems with unofficial immigration.

I might not agree with all of the mentioned rationales, but at least a few I can understand why someone, somewhere considers it a "good idea"

[–] jaybone@lemmy.zip 1 points 1 day ago (4 children)

What happens if someone steals your phone?

[–] CannedYeet@lemmy.world 2 points 21 hours ago

Even if that was a vulnerability, they're never going to steal a million phones at once

[–] MagicShel@lemmy.zip 2 points 22 hours ago

Are you asking how you would confirm without your phone or asking about someone stealing your credentials or impersonating you?

To the first I'd ask how do you confirm identity if someone steals your wallet? But also, I'd probably be able to confirm with my watch as well.

To the second, my phone would be a brick before they ever got it unlocked.

[–] Electricblush@lemmy.world 1 points 20 hours ago

Lastly if you are asking how you would deal with getting new credentials. There would be a mechanism similar to when you first get the electronic id where your previous device gets deauthorized and you authorize a new one.

All of these are allready solved problems at this point. We do this all the time with other credentials like online banking etc.

This varies by country, but in Norway for instance all of these things are already solved and online/phone banking is both safe and the most common way of doing things.

Loss/theft of phone is at worse a few phone calls and security questions to get it deauthorized (a properly secured phone would not be any significant hazard as mentioned in other responses) and authorizing a new device can be done with mail/SMS combo identification pr by showing up to a local office if you wanna do it that way.

[–] Electricblush@lemmy.world 1 points 21 hours ago* (last edited 20 hours ago)

It of course requires on device lock, like a pin or biometrics.

Also anyone with a nibble of security awareness will have their phone properly secured so it cannot be opened by anyone else.

(My phone requires face match, fingerprint or 6 digit pin. Additionaly it locks up to only accept the pin if it moves out of range of my smartwatch. It can also be remotely locked further, traced, and even remotely wiped)

If you run your phone without security pin or fingerprintint lock, this would be the least of your worries if your phone got stolen.

How are your banking apps secured?