Identity Verification vs. Privacy: Can We Have Both?

By Kirsten Doyle, September 26, 2025
ISB September Expert Panel

Every digital interaction begins with a question: Who are you? 

The answer may be simple, like a name and an email address to join a newsletter. Or it may be complex, like a government-issued ID, a biometric scan, or a third-party verification service. But as the tools of identity verification expand, so too do the risks to privacy.

To explore this tension, we spoke with two experts: Ross Moore, Information Security Researcher, and Chloé Messdaghi, Founder & Principal Advisor at Thornbridge Advisory. Their perspectives highlight both the history that brought us here and the future we are building: one where convenience, trust, security, and privacy constantly pull against each other.

Do We Really Need to Hand Over Data? 

Ross Moore begins with a historical analogy. “Many years ago in the US, there were no mailboxes. It was all PO Boxes. Residents could live on their land, and only those they wanted to know would know where they lived. Any package or mail was sent to the post office in the local town, and the residents would come to town as needed and pick up their mail. Complete privacy, with high inconvenience. In time, mailboxes came about. Much more convenient, but now everyone knew where someone lived.”

That tension (privacy versus convenience) still defines identity verification. Moore argues that in a digital-first world, some level of personal data is inevitable: 

“Absent face-to-face interactions, some personal data is necessary for proof of identity, even if it’s just a first name and email to subscribe. Add in financial transactions, then aside from personal payments in cash (and those opportunities are limited), more information is required to guard against fraud. This requisite level of security protects the vendor and the consumer from theft and fraud.” 

But convenience has pushed the pendulum too far. Moore points to everyday scenarios: “For many services, though, a great level of personal data is not necessary. What does it matter, when I order pizza (whether online or in the store) what my demographic, entire shopping history, and travel route for the past six months have been? Why bring in detailed analytics when all I want is some food for dinner?” 

Messdaghi agrees that the status quo often demands more data than necessary, and that this is a matter of business convenience, not security. “Handing over sensitive information to third parties has become the default because it’s convenient for organizations, not because it’s the only option. Alternatives like on-device biometrics, self-sovereign identity, and selective disclosure models can verify who we are without exposing everything. These approaches could reduce risk by limiting the number of hands touching sensitive data, proving that we can balance security and privacy if we choose to.” 

When Is Data Really Needed? 

  • A bank account requires robust verification. 
  • A corporate transaction may require checks, but the depth should vary with risk. 
  • A vision appointment should not demand an SSN. 
  • Ordering pizza does not justify demographic or travel data. 

The “All-or-Nothing” Trap 

Moore discusses the problem of mandatory data handover: “Ironically, many times detailed information becomes necessary because many companies by default require that we either hand our data over, or we don’t use their service.” This creates a one-sided trade-off: comply or be excluded. 

“The reality is that most people don’t fully understand where their data flows, and apathy often sets in,” adds Messdaghi. “It’s not just that people feel powerless; it’s that society has normalized the loss of privacy. We’ve been conditioned to accept handing over data as the cost of participating in digital life. Companies exploit both that lack of clarity and that acceptance.” 

Transparency and Trust 

Both argue that transparency is essential, yet lacking. “Complete transparency. There’s not a smooth system, yet. So we have the right to know where it all goes. Even before AI, there was concern about fourth, fifth, etc. parties. Most vendor reviews only go to third parties. There needs to be some consideration about where it might go after that. It’s about ethics and moral values,” explains Moore.

Messdaghi calls for clarity that ordinary people can understand: “Transparency isn’t optional, it’s essential to trust. If a company outsources identity verification, users should know who the provider is, what data is being shared, why it’s needed, where it’s stored, and for how long. Instead of hiding behind dense privacy policies, organizations should communicate clearly and simply. Doing so isn’t just about compliance, it’s about pushing back against apathy and rebuilding trust in a space where people have been taught not to expect it.” 

Questions Companies Must Ask 

  • What do we really need to verify employee activity? 
  • What do we need to verify customer activity? 

These are not trivial. A cash purchase has a different risk profile than an online order with a stolen credit card. 

AI, Biometrics, and the Future of Identity 

Here, Moore and Messdaghi diverge slightly in emphasis but agree on the risks.  

Moore says: “AI and biometrics are proliferating more than they are advancing; there are so many unknowns and untested capabilities, yet more organizations want to add ‘AI’ to whatever the feature is, but without testing its usefulness first, so they can be first to market, with the approach of ‘we’ll be first, and we’ll fix it later.’ Hats off to the companies that are taking the time and effort to implement AI responsibly and ethically. There are improvements that should be acknowledged.”

But the lack of standards leaves gaps wide open: “There’s also a lack of proper weights and measures for protecting. For simple or normal purchases, there can be a great deal of verification, but for those who have experience with swatting, it’s often set off by an anonymous phone call with an allegation.” 

He cites real-world cases: Jameson Lopp and Owen Shroyer, both victims of swatting, in which false identity claims triggered dangerous law enforcement responses.

Messdaghi believes that bias and opacity are equally dangerous. “While AI, biometrics, and cryptographic tools could enable privacy-preserving systems, what we’re actually seeing is the opposite. AI is often trained on poor or biased data, leading to flawed identity decisions, false positives, and discrimination. Instead of reducing risk, these systems can amplify it, and users have little visibility into how the models work or how their data is being handled.” 

Centralizing biometric data, she warns, compounds the risks: “Centralizing biometric and identity data with third parties creates huge attack surfaces and long-term privacy risks. And because people have grown accustomed to trading away privacy just to participate online, there’s little pressure on companies or governments to build anything different.” 

Data Aggregation and Digital Discrimination 

Moore sees a troubling trend: “The data being taken, especially when collected and stored in public-facing repositories such as FamilyTreeNow, leads to what’s known as ‘digital discrimination’ or ‘surveillance pricing.’” 

This is the quiet monetization of personal data: adjusting prices, opportunities, or access based on hidden profiling. 

Messdaghi adds: “Hybrid models may appear in some spaces, but without stronger demand and regulation, the reality is that we’re normalizing systems that sacrifice privacy and accountability in the name of convenience and compliance.” 

Privacy as Choice 

Moore says privacy is not about vanishing but about autonomy. “Privacy isn’t hiding, it’s deciding: one gets to decide what is shared, with whom, and when.” 

Yet, he laments, privacy has become commodified: “A sad current reality is that privacy is a paid option. More often, services require one to pay in order to keep personal data secured and siloed. One has to pay to get data removed from brokers, to keep chats from being scoured by other companies, or to get a ‘privacy-as-a-service’ offering.” 

He draws an analogy from music history: “Record players used to be in almost every household, and they were relatively low-cost. As people moved to other media, production was all about the other media, and record player makers made it expensive because society just wasn’t geared for that anymore. With private data today, so many systems are geared toward ‘take the data.’ They’re not, by default, designed to allow opt-in. But just like record players made a comeback, affordable, improved, and even with USB connectivity, there’s hope that privacy protections can be reimagined too.”

To frame the tension clearly, Moore outlines the contrasts between identity verification and privacy in the table below.

| Aspect | Identity Verification | Privacy |
| --- | --- | --- |
| Goal | Prove a person is who they claim to be | Limit unnecessary exposure of personal data |
| Focus | Trust, security, compliance | Control, autonomy, confidentiality |
| Typical Methods | Passwords, biometrics, ID checks, digital identity | Data minimization, anonymization, encryption |
| Strengths | Prevents fraud, enables accountability, supports regulations (e.g., KYC, AML) | Protects individuals from surveillance, misuse, and identity theft |
| Risks/Weaknesses | Can lead to over-collection; central databases become high-value targets; biometrics are hard to revoke | May hinder fraud prevention; can enable anonymity abuse (spam, illegal activity) |
| Regulatory Drivers | Financial regulations, border security, age restrictions | GDPR, CCPA, human rights, consumer protection laws |
| Trade-off | Stronger verification often reduces privacy | Stronger privacy often makes verification harder |
| Emerging Solutions | Digital IDs, biometric authentication, federated identity (Google/Apple login) | Zero-knowledge proofs, selective disclosure credentials, local biometric storage |
| Core Question | “Can we trust this person is who they say?” | “Do we need to reveal this data at all?” |

Practical Recommendations 

They both offer some practical tips: 

For Individuals 

  • Map who is monitoring your data: Identify brokers and request removal where possible. 
  • Control cookies: Block them at the browser level; use tools like Ghostery. 
  • Get tech-savvy: Learn how to audit, secure, and delete personal data. 
  • Know your rights: Understand privacy legislation and how it protects you. 

For Companies 

  • Token-based identity: Issue minimal-information tokens, revocable if compromised. 
  • Threat modeling: Always ask, what happens if this database is breached? 
  • MFA enforcement: Reduce reliance on up-front verification by validating user-controlled devices. 
  • Organizational ID options: Consider verifying employees through corporate credentials rather than personal IDs. 
  • Least privilege: Neither customers nor employees get “keys to the kingdom.” 
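The “selective disclosure credentials” row of the table above and the “token-based identity” recommendation (minimal-information tokens, revocable if compromised) describe the same mechanism. The following is an added illustration, not code from the article or its contributors: an issuer commits each claim as a salted digest and signs only the digests, so the holder can reveal just the claim a verifier needs (for example, an age check that never exposes a date of birth or SSN), and the issuer can revoke the whole token by id. All names are hypothetical, the claims are constructed sample data, and an HMAC stands in for the issuer’s real digital signature.

```python
import hashlib
import hmac
import json
import secrets

# Constructed example: selective-disclosure credential with revocation.
# Assumption: the issuer holds ISSUER_KEY; HMAC stands in for a signature.
ISSUER_KEY = b"constructed-issuer-key"
REVOKED: set[str] = set()  # issuer-maintained revocation list (constructed)


def _digest(salt: str, name: str, value) -> str:
    """Commit one claim as SHA-256 over (salt, name, value)."""
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()


def issue(claims: dict) -> tuple[dict, dict]:
    """Return (credential, disclosures). The credential carries digests only."""
    disclosures = {n: (secrets.token_hex(16), v) for n, v in claims.items()}
    cred = {
        "id": secrets.token_hex(8),
        # sorted so the digest order reveals nothing about claim names
        "digests": sorted(_digest(s, n, v) for n, (s, v) in disclosures.items()),
    }
    payload = json.dumps(cred, sort_keys=True).encode()
    cred["sig"] = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    return cred, disclosures


def present(cred: dict, disclosures: dict, reveal: list[str]) -> dict:
    """Holder builds a presentation containing only the chosen claims."""
    return {"cred": cred, "disclosed": {n: disclosures[n] for n in reveal}}


def verify(presentation: dict, required: list[str]) -> tuple[bool, object]:
    """Verifier checks revocation, signature, and each disclosed claim."""
    cred = dict(presentation["cred"])
    sig = cred.pop("sig")
    if cred["id"] in REVOKED:
        return False, "revoked"
    payload = json.dumps(cred, sort_keys=True).encode()
    expected = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    disclosed = presentation["disclosed"]
    for name in required:
        if name not in disclosed:
            return False, f"missing {name}"
        salt, value = disclosed[name]
        if _digest(salt, name, value) not in cred["digests"]:
            return False, f"tampered {name}"
    return True, {n: v for n, (_, v) in disclosed.items()}


def revoke(cred_id: str) -> None:
    """Issuer invalidates a compromised token without touching the holder's data."""
    REVOKED.add(cred_id)
```

A verifier that only needs `over_18` never sees the other claims or their digests' preimages, which is the “do we need to reveal this data at all?” question from the table answered in code.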

Regulation and Incentives 

When it comes to legal and reputational stakes, Moore says: “More countries are passing regulations to fine companies and even other nations for not respecting and protecting the privacy of their citizens. If companies don’t acknowledge that, ask good questions, and proceed accordingly, their company may find themselves with a bad reputation, if not out of business.” 

Messdaghi adds that regulation can’t just be about compliance, it must also restore trust: “Instead of hiding behind dense privacy policies, organizations should communicate clearly and simply. Doing so isn’t just about compliance, it’s about rebuilding trust in a space where people have been taught not to expect it.” 

The Balance Ahead 

Identity verification will always matter. Fraud, theft, and abuse are real threats. But the means of verification must respect autonomy, minimize data collection, and prioritize transparency. 

“No solution is risk-free; never has been, never will be,” says Moore. “But companies need to think through what would happen if XYZ database was compromised, and protect it accordingly. And customers need to be aware that the actions taken to protect their confidential data will come with requisite limitations and exposures.” 

“We can balance security and privacy if we choose to,” Messdaghi ends. 

The choice now lies with organizations, regulators, and individuals: whether to normalize ever-expanding data handover, or to demand a future where verification does not mean surrendering privacy. 

Kirsten Doyle, Information Security Buzz News Editor

Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
