Normalized Security Nightmare
By Brian Poulsen | February 2026
The other day, I was checking an article from the science news site Videnskab.dk via Facebook. The topic was purely biological – a comparison of anatomy among primates – illustrated with a classic Greek marble statue. But before I could see the white stone penis, I had to click through several warning layers about “offensive content.”
It seems deeply ridiculous, but this is merely the tip of the iceberg. While Facebook settles for annoying warning boxes, major global trading platforms like eBay, Amazon, Shein, and Temu have begun demanding something far more dangerous: Your passport.
If you wander into product categories today that algorithms have stamped as “Adult Only,” you aren’t just met with blurred images. You are met with a requirement for full identity verification. We are not talking about a simple checkbox saying “I am over 18.” We are talking about uploading high-resolution images of passports or driver’s licenses to third-party servers.
We are in the midst of a shift where we are devaluing our most important identification documents. A passport is designed for crossing national borders and documenting citizenship to authorities. It is not designed as an admission ticket to a Chinese webshop or an American auction site. When we are forced to use nuclear weapons to kill sparrows, we are breaking a fundamental principle of proportionality. The risk of sharing this data does not measure up to the reward of being allowed to view a product.
What we are seeing is the consequence of the EU’s Digital Services Act (DSA), which, in an attempt to protect minors, has created a security monster. The law threatens so-called “Very Large Online Platforms” (VLOPs) with astronomical fines if they do not have control over their users. The law imposes enormous responsibility on platforms to protect minors. The threat is real: fines of up to 6% of global turnover if they fail. In panic, the platforms’ legal departments are choosing the only solution that legally “covers their backs” 100 percent: Photo ID. They couldn’t care less about user-friendliness or data security, as long as they can show the EU Commission that they are compliant with the rules and have their documentation in order.
It reeks of a hidden trade war. By placing extreme demands on global giants, the EU has effectively created a digital A-team and B-team, where local shops go free while international competitors are slowed down by bureaucracy. (See the fact box ‘The Law Splitting the Internet in Two’ at the bottom of the page).
We are thus standing in the middle of a bureaucratic and technological storm, where EU legislation, American moral panic, and a Chinese trade war collide – and we, the consumers, are the hostages in the middle.
Honey Pots
And here the real nightmare emerges: What security experts call “Honey Pots” – jars filled with honey that flies (hackers) cannot resist. By forcing millions of ordinary consumers to digitize and upload their passports to access banal goods, we are building gigantic, centralized databases filled with identity gold. These are irresistible targets for hackers. To view an item costing $7, I am asked to digitize and upload my passport or driver’s license to a server I don’t know, owned by a subcontractor I’ve never heard of.
History is Frightening
We have seen gigantic leaks before where centralized databases have been drained. We saw it with the Equifax leak* and the countless leaks of “KYC data” (Know Your Customer) from crypto exchanges and fintech startups floating around the Dark Web.
- *Between May and July 2017, the American credit reporting agency Equifax was hacked. Private information of 147.9 million Americans, as well as 15.2 million British citizens and about 19,000 Canadian citizens, was compromised in the hack, making it one of the largest cybercrime cases related to identity theft.
When we force millions of ordinary citizens to upload high-resolution copies of their passports or driver’s licenses to shop online, we are creating the world’s most valuable buffet for identity thieves. A passport is not just a password you can change. It is the key to opening bank accounts, taking out loans, and committing crimes in your name. You can’t just get a new social security number or change your face. It is deeply ironic that legislation designed to “protect” citizens ends up exposing us to a risk of identity theft that can haunt us for the rest of our lives.
The Invisible Middleman
If we take Temu as an example here, reading the pop-up box that meets you on the screen reveals a textbook example of digital disclaimer.
The text reads: “As required by GBG, please have a valid identity document ready…”
The phrasing is brilliant in its manipulation. By writing “as required by GBG,” the trading platform makes it sound like they are being forced by an external authority. But GBG (GB Group plc) is not a government authority; it is a publicly traded British data giant that the platform itself has hired for the task.
It becomes even more disturbing when reading the small green text at the bottom: “…No personal information is collected or stored by Temu.”
To the untrained reader, this sounds reassuring – as if the platform is looking after your privacy. But in reality, the sentence confirms exactly the security problem we are facing.
When the platform writes that they do not store the data, it effectively means they are sending it directly out of the house. The moment you click “Verify,” you are sent away from the webshop and onto an external domain (idscan.cloud) managed by GBG.
You are not uploading your passport to the store you are shopping with, but to a third party you have never heard of, and with whom you have no customer relationship.
You are left in a situation where your identity lies with a British subcontractor, while the trading platform can legally wash its hands and say: “It wasn’t us who stored your passport.” It is an opaque chain of data sharing where you, the consumer, bear the entire risk, while the giants hide behind each other.
It is a technocratic scandal that the EU rolled out the legal requirement before the solution was ready. We are still waiting for the “European Digital Identity Wallet” (EUDI) – a technology that, via so-called Zero Knowledge Proof, would be able to confirm age without revealing identity. But instead of waiting for the tool to be finished, politicians introduced the coercion first. This has left us in a dangerous void where platforms grasp for the only hammer they have: Total surveillance.
At the same time, a new “puritanical” (strictly moralizing) normality is sneaking in through the back door. When even a marble statue on Facebook requires warnings, and legal goods on eBay require a passport, we are slowly being accustomed to the idea that the internet is not free.
It reminds me of the famous “boiling frog” analogy – a living frog in a pot of water that is gradually heated so the frog has time to adjust to the heat, but when the water reaches the boiling point, the frog no longer has the energy to jump out of the pot and is boiled alive.
In the same way, we quietly accept that we must identify ourselves to participate. What starts with “adult” goods today could be social media tomorrow.
As if EU bureaucracy wasn’t enough, we are also being squeezed from the West. In the USA, we see a wave of moral legislation in states like Texas, Utah, and Virginia, demanding strict ID verification for access to “adult content.” It looks strikingly like the “horseshoe theory” (extremism on both sides) in practice: The American right-wing “freedom fighters” and EU technocrats meet in the middle in a shared eagerness to monitor and control citizen behavior. For a global platform, it is easiest to simply align with the strictest common denominator. If Texas requires ID, and the EU requires ID, then the whole world gets ID requirements.
One cannot help but speculate on the geopolitical game. The requirement for ID verification hits Chinese giants like Temu, Shein, and AliExpress particularly hard (although implementation varies). In EU corridors, it is an open secret that there is a desire to stem the tide of cheap Chinese goods. By introducing requirements that create massive friction – who wants to fetch their passport to buy a gadget for $5? – they have effectively introduced a technical trade barrier.
We are creating a digital culture where you have to show your “Ausweis” (papers) at every street corner. Not because it is necessary, but because tech giants are afraid of fines, and because legislators forgot to consider data security in their moral crusade. The price for protecting children from seeing something they can easily find elsewhere on the net anyway is paid by all of us with our privacy. It is a bad trade-off.
Until the EU completes its secure digital wallet (EUDI), we consumers are left in a market where we must choose between being blind to the supply or exposing ourselves totally to unknown actors. This is not protection. It is a digital experiment with our identity at stake.
FACTS: The Law Splitting the Internet in Two
If the sole purpose of the DSA (Digital Services Act) was to protect children from harmful content, the law is leaking like a sieve. The rules create a marked discrimination based on company size rather than the character of the content.
- The Magic Number: 45 Million: The EU distinguishes sharply between ordinary platforms and so-called VLOPs (Very Large Online Platforms). The limit is 45 million monthly users in the EU. Only VLOPs are forced to undertake the heavy “systemic risk assessments” that have led to the aggressive demands for passport verification.
- Who is Hit? (The A-Team): The list of VLOPs counts global giants, including Temu, Shein, AliExpress, Amazon, eBay, TikTok, and Facebook (Meta). This is where you hit the wall. Since these are often American or Chinese, the legislation acts in practice as a “brake” on foreign competition.
- Who Goes Free? (The B-Team): Ordinary webshops (like local specialized retailers) are typically categorized as “retailers” or “small enterprises.” They are not subject to the same requirements for algorithmic monitoring and ID upload.
- The Conclusion: The result is a paradox: A teenager can be required to show a passport to view an item on a Chinese app but can five seconds later find exactly the same type of item on a local webshop without other barriers than an “I am over 18” button. This suggests that the law’s effective purpose is more to curb the market dominance of global giants than to close gaps for minors.
While writing this article, the Danish Consumer Council (Forbrugerrådet Tænk) issued a similar warning, advising against uploading passports to these platforms. It can be read here in Danish:
https://avisendanmark.dk/erhverv/forbrugerraadet-send-ikke-dit-pas-eller-koerekort-til-temu