bodine-dorian
Community Member

Why Can't the Freelancer App Take a Photo for ID Verification?

The AirBnB mobile apps have required photographing IDs through their app for years. There is no snapping a photo and ferrying it across two or three devices just to upload it to AirBnB for identity verification.

 

Why can't the Upwork app for Freelancers do the exact same thing? It would be much more secure for us Freelancers than asking us to upload a picture of our ID through a third-party web browser which we might not have the good sense or know-how to protect.

When I submit my ID for photocopying with a brick-and-mortar employer, I trust myself as the possessor of sensitive information, and the proprietary systems of my employer or contractor agency, as well as any 3rd party they contract with. There is a clear chain of liability there, which photographing IDs with proprietary apps replicates (notwithstanding the question of whether that endpoint was already compromised).

 

Upwork's current system injects at least three other surfaces: whatever your default browser is, which the current App flow INSISTS on using for reasons I just can't fathom; everything ELSE that loads or is loaded into your default browser, which, why would you expect the user to clear that out before uploading their ID; and everything else that is running on the hardware of the device used to submit the photo, where it is presumably stored in the open and is accessible by everything else that can reach your Pictures folder or wherever it is.

It stands to reason that sensitive data like photos of government-issue ID warrant at least a little more protection than my collection of other people's fur-baby pics. Upwork's current flow expects me to treat them the same, or else go to some drastic length to ensure that picture only goes where it is supposed to.


Can someone please explain to me why this is considered an acceptable attack surface to expose to the global community of identity-stealing scripters?

And if this is something you know how to implement in an app for Android and/or iPhone, could you please post a hypothetical bid to represent the cost of doing so through our market?

Same for implementing secure receipt, storage, evaluation and destruction of this data, assuming Upwork wants to destroy the record 30 days after successful verification.

4 REPLIES
AveryO
Community Manager

Hi Dorian, 

 

I understand how this verification process can be worrisome to some users. We appreciate your feedback about alternative ways, however, at this point, the only way to complete the verification process is by uploading an official government-issued ID and meeting with us for a short video call. 

 

The information you provide for ID verification is governed by our Privacy Policy and sent to us and our third-party partners using SSL—the same secure encryption that websites use to transmit credit card numbers. Our third-party partners handle this info and the storage of your government ID according to our Privacy Policy, which describes how we protect your information.


~ Avery
Upwork

Hi Avery,

I appreciate that your (read: "Upwork's") terms of service are what they are, and if I don't like them I can leave. I accept that.

I also appreciate that you, Upwork, communicate securely with 3rd-party vendors. That is also standard practice.

 

If you will read my post more slowly, you may notice none of that is what has me upset.

What has me upset is that the company you are representing has neglected a client-side vulnerability which other providers of sensitive services reasonably protect.

I am trying to report a software bug, which is exactly what this is. If I were employed internally as the tester for this software--as I have been elsewhere--I would insist that the development team consider precisely the argument I have raised here, before they decided whether this risk should exist as an intended behavior.

If you, Avery, would like to be of service, please transcribe my root post into a bug to be submitted to the appropriate bug tracking database. That is where it belongs. Even if it is graded with the lowest priority and ultimately resolved with those Jira standards, "Not a Bug" or "Will Not Fix", that is where this thread belongs.

If you, Avery, do not understand how your response is a deflection of my question and not an answer, I would be happy to walk you through it. Even though I try, I know I'm not always as plain as I really mean to be. And if you are politely trying to tell me I will never get an answer because Upwork refuses to see this as Upwork's problem, that's fine too.

Best,
Dorian

Hi Dorian, 


Thank you for explaining this further. I wanted to understand your concern better, and I would be happy to discuss it further on this thread. 

I am not well versed in the programming/developing 'world' so please excuse the level of my ignorance in this area. As I understand it and correct me if I'm wrong, you are suggesting a feature that we can add to the current Freelancer Mobile App, so that users can complete an ID-verification through the app instead of submitting it through a (secure) link. I have seen and used an app similar to this (it was an online banking app) where I had to submit a valid government ID by taking a picture of my ID against a solid white background. If I got it correctly, I think this is an interesting feature and an excellent suggestion! And I would be happy to pass it along to the team so that it can be considered.

As for the bug, I was wondering why you had suggested to file it as a bug, and it was unclear to me if you went through a specific issue. Could you please share more information so that I can assist you further?


~ Avery
Upwork
tta192
Community Member

If you can't trust your computer to store a photo of your own documents why would a client trust you with a project you would work on using that same system? Is your personal data more important than your client's data? That's not exactly a client-centric approach.
