Project ideas from Hacker News discussions.

One million passports leaked online

📝 Discussion Summary

Top 4 Themes from the Hacker News thread

1. Poor security & unnecessary retention of high‑value documents
   “The infrastructure storing these identity documents—full passport scans, driver’s licenses with photos, names, and identifying numbers—was left completely unprotected on publicly accessible web servers.” – dgellow
2. GDPR storage‑limitation violations
   “Once a document has been used to verify a person's identity and that the person is of legal age, there is no reason to retain a copy of the document any more.” – charles_f
3. Inadequate encryption and access controls
   “Printed IDs should be stored in an encrypted database, should they really need to be stored at all.” – charles_f
4. Weak enforcement & call for stronger liability
   “Leaking PII should be very, very expensive, and company leadership should face imprisonment.” – animuchan



🚀 Project Ideas

[Zero‑Knowledge Age Verification Platform (ZK‑Age)]

Summary

  • Enables services to confirm a user is over a required age without ever storing the scanned ID or passport.
  • Uses decentralized zero‑knowledge proofs (ZKPs) to validate age from a government document while keeping the raw document off‑chain.
  • Guarantees GDPR‑compliant data handling: no persistent PII after verification.

Details

  • Target Audience: Age‑restricted platforms (cannabis retailers, online gaming, alcohol sales, credit services)
  • Core Feature: Zero‑knowledge age proof generation that can be verified by any third‑party service
  • Tech Stack: Frontend: React + WebAssembly; Backend: Rust + Juno ZKP library; Storage: IPFS (encrypted proofs only); Identity: DID‑based wallets
  • Difficulty: Medium
  • Monetization: Revenue‑ready; subscription per verification tier (e.g., $0.001 per proof, $199/mo for up to 10k proofs)

Notes

  • HN commenters emphasized that “the documents were left completely unprotected” – ZK‑Age eliminates the need to store them at all.
  • The spec linked in the thread mentions “experimental features” in ZKP – a market gap for a production‑ready implementation.
  • Potential to integrate with existing e‑IDAS 2.0 wallets, giving early adopters a first‑mover advantage.

[Self‑Destructing KYC Vault]

Summary

  • Provides a secure vault where KYC providers upload identity documents that are automatically encrypted, used for verification, and then erased.
  • Guarantees that no copy remains after successful validation, reducing breach surface.
  • Offers audit‑ready logs for regulators.

Details

  • Target Audience: SaaS platforms requiring KYC, cannabis clubs, online marketplaces, any service needing identity verification
  • Core Feature: End‑to‑end encrypted storage with auto‑delete after verification; zero‑knowledge proof export option
  • Tech Stack: Backend: Go + libsodium; Frontend: Vue.js; Encryption: NaCl secretbox with per‑document keys stored in an HSM; API: REST + Webhooks
  • Difficulty: High
  • Monetization: Revenue‑ready; tiered pricing by document volume (e.g., $0.01 per document, $49/mo for up to 5k docs)

Notes

  • Commenters lamented “Why wouldn't they retain the information?” – this vault solves that by making retention impossible.
  • The architecture can be marketed as “compliance‑by‑design” for GDPR Art. 5 storage limitation.
  • Partnerships with hardware security modules (YubiKey, Nitrokey) can be a differentiator for security‑focused clients.
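The encrypt, verify once, then erase flow behind this vault, as an added example (not the project's code and not code from the thread). It assumes an in‑memory map standing in for the HSM named in the tech stack, and uses Go's standard‑library AES‑256‑GCM where the stack lists NaCl secretbox; the mechanism is the same either way: one random key per document, the key destroyed immediately after the single verification, and an audit log that records events but never document content.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// AuditEntry is what a regulator sees: an opaque document ID, the event,
// the verification outcome and a timestamp. No document content, ever.
type AuditEntry struct {
	DocID  string
	Event  string // "ingest", "verify", "shred"
	Passed bool   // meaningful only for "verify"
	At     time.Time
}

// Vault keeps ciphertext and per-document keys in separate stores.
// keyStore stands in for the HSM (assumption for this example); in a real
// deployment the key would be generated and destroyed inside the HSM.
type Vault struct {
	blobs    map[string][]byte // docID -> nonce || AES-GCM ciphertext
	keyStore map[string][]byte // docID -> 32-byte key used for nothing else
	audit    []AuditEntry
}

func NewVault() *Vault {
	return &Vault{blobs: map[string][]byte{}, keyStore: map[string][]byte{}}
}

func (v *Vault) record(docID, event string, passed bool) {
	v.audit = append(v.audit, AuditEntry{docID, event, passed, time.Now()})
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Ingest encrypts one document under a fresh random key, so destroying that
// key later invalidates exactly this document and nothing else.
func (v *Vault) Ingest(docID string, plaintext []byte) error {
	if _, exists := v.keyStore[docID]; exists {
		return errors.New("duplicate document ID")
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	// docID is authenticated as associated data: a blob cannot be swapped
	// between records without decryption failing.
	v.blobs[docID] = gcm.Seal(nonce, nonce, plaintext, []byte(docID))
	v.keyStore[docID] = key
	v.record(docID, "ingest", false)
	return nil
}

// VerifyAndShred decrypts the document once, applies the caller's check, and
// then destroys key and ciphertext whether or not the check passed. Afterwards
// no part of the vault (nor a backup of the blob) can yield the document.
func (v *Vault) VerifyAndShred(docID string, check func(doc []byte) bool) (bool, error) {
	key, ok := v.keyStore[docID]
	if !ok {
		return false, errors.New("unknown document or already shredded")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return false, err
	}
	blob, ns := v.blobs[docID], gcm.NonceSize()
	if len(blob) < ns {
		return false, errors.New("corrupt blob")
	}
	plaintext, err := gcm.Open(nil, blob[:ns], blob[ns:], []byte(docID))
	if err != nil {
		return false, err
	}
	passed := check(plaintext)
	v.record(docID, "verify", passed)
	// Overwrite key material and the decrypted copy (best effort under a
	// garbage collector), then drop both store entries.
	for i := range key {
		key[i] = 0
	}
	for i := range plaintext {
		plaintext[i] = 0
	}
	delete(v.keyStore, docID)
	delete(v.blobs, docID)
	v.record(docID, "shred", false)
	return passed, nil
}

// Recoverable reports whether a key still exists for the document.
func (v *Vault) Recoverable(docID string) bool {
	_, ok := v.keyStore[docID]
	return ok
}

// AuditLog returns the PII-free event history for regulators.
func (v *Vault) AuditLog() []AuditEntry { return v.audit }

func main() {
	v := NewVault()
	// Constructed sample standing in for fields extracted from a scan.
	_ = v.Ingest("doc-42", []byte("name=J. Doe;dob=1990-04-12"))
	passed, err := v.VerifyAndShred("doc-42", func(doc []byte) bool { return len(doc) > 0 })
	fmt.Println("passed:", passed, "err:", err, "recoverable:", v.Recoverable("doc-42"))
}
```

The check closure is the only place the plaintext is ever visible, and it runs inside the same call that destroys the key, so there is no API through which a caller can read a document twice; a second `VerifyAndShred` on the same ID fails, which is the property the vault sells.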

[Privacy‑First Identity Proof Generator (PFPG)]

Summary

  • Browser extension that lets users generate a cryptographic proof of age or identity from a scanned document without uploading the image to any server.
  • The proof can be presented to a verifier site via a short URL that expires after use.
  • Eliminates the need for third‑party verification services that store PII.

Details

  • Target Audience: Privacy‑conscious end‑users, small developers building age‑restricted features, DIY KYC integrations
  • Core Feature: Client‑side generation of BBS+ or zk‑SNARK proofs; zero server interaction after initial setup
  • Tech Stack: WebExtensions API, TypeScript, Circom zk‑circuit, Service Workers for offline operation
  • Difficulty: Low
  • Monetization: Hobby

Notes

  • Directly addresses the “Why can't verification simply be go to post office, clerk will affidavit that you presented correct ID via online form” sentiment.
  • Low technical barrier encourages community adoption; potential to sponsor development via Patreon or GitHub Sponsors.
  • Could be packaged as an open‑source reference implementation for other projects.

[EU Age‑Assurance Compliance Automation Suite (EACAS)]

Summary

  • SaaS platform that automates compliance with upcoming EU age‑assurance regulations (eIDAS 2.0, GDPR Art. 5).
  • Continuously monitors data pipelines, enforces deletion policies, and generates audit reports for regulators.
  • Reduces legal risk for companies using third‑party verification services.

Details

  • Target Audience: EU‑based businesses that must verify age or identity (online retailers, gaming, cannabis, tourism)
  • Core Feature: Real‑time compliance dashboard, automated retention‑policy enforcement, integration adapters for common KYC APIs
  • Tech Stack: Backend: Node.js + PostgreSQL; Frontend: Angular; Integration: OpenAPI connectors; Deployment: Docker/Kubernetes
  • Difficulty: Medium
  • Monetization: Revenue‑ready; monthly subscription per employee seat (e.g., $5 per seat, $500/mo minimum)

Notes

  • Commenters noted “The EDPB has explicitly ruled… once the user's age is verified, no record... should be kept” – this tool enforces that rule automatically.
  • Aligns with “The EU's verification laws will ensure much more of these leaks in the future” – offers proactive mitigation.
  • Can be positioned as a “compliance as a service” layer on top of existing verification providers, creating a B2B revenue stream.
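What "automated retention‑policy enforcement" looks like in code, as an added example that is neither the project's code nor anything from the thread. It keeps the page's one example language (Go) rather than the Node.js named for this stack. The record layout, the policy durations and the sample records are all constructed for the example; the durations are illustrative, not a reading of the regulation. The enforcer only decides; the caller performs deletions, so the same function serves dry runs and the audit report.

```go
package main

import (
	"fmt"
	"time"
)

// DocumentRecord is the metadata a pipeline keeps about one uploaded
// identity document (constructed for this example; never the scan itself).
type DocumentRecord struct {
	ID         string
	Status     string    // "pending", "verified", "rejected"
	ReceivedAt time.Time
	DecidedAt  time.Time // when verification finished; zero while pending
	LegalHold  bool      // e.g. an open fraud investigation
}

// RetentionPolicy expresses the storage-limitation rule as durations.
type RetentionPolicy struct {
	AfterVerify   time.Duration // grace for retry or appeal before deletion
	AfterReject   time.Duration
	MaxPendingAge time.Duration // abandoned uploads must expire too
}

type Decision struct {
	ID     string
	Delete bool
	Reason string // goes into the audit report verbatim
}

// Enforce evaluates every record against the policy as of now and returns
// one decision per record. Legal hold always wins; an unrecognised status
// is never deleted silently but flagged for a human.
func Enforce(records []DocumentRecord, p RetentionPolicy, now time.Time) []Decision {
	out := make([]Decision, 0, len(records))
	for _, r := range records {
		d := Decision{ID: r.ID}
		switch {
		case r.LegalHold:
			d.Reason = "legal hold; retention documented"
		case r.Status == "verified" && now.Sub(r.DecidedAt) >= p.AfterVerify:
			d.Delete, d.Reason = true, "verified; purpose fulfilled and grace period elapsed"
		case r.Status == "rejected" && now.Sub(r.DecidedAt) >= p.AfterReject:
			d.Delete, d.Reason = true, "rejected; retention window elapsed"
		case r.Status == "pending" && now.Sub(r.ReceivedAt) >= p.MaxPendingAge:
			d.Delete, d.Reason = true, "abandoned upload; never verified"
		case r.Status == "pending" || r.Status == "verified" || r.Status == "rejected":
			d.Reason = "within retention window"
		default:
			d.Reason = "unknown status; flag for manual review"
		}
		out = append(out, d)
	}
	return out
}

// Summarize yields the two numbers a compliance dashboard would show.
func Summarize(ds []Decision) (toDelete, kept int) {
	for _, d := range ds {
		if d.Delete {
			toDelete++
		} else {
			kept++
		}
	}
	return toDelete, kept
}

// SamplePolicy and SampleRecords are constructed fixtures (assumed values).
func SamplePolicy() RetentionPolicy {
	return RetentionPolicy{AfterVerify: 24 * time.Hour, AfterReject: 7 * 24 * time.Hour, MaxPendingAge: 72 * time.Hour}
}

func SampleRecords(now time.Time) []DocumentRecord {
	h := time.Hour
	return []DocumentRecord{
		{ID: "a", Status: "verified", ReceivedAt: now.Add(-50 * h), DecidedAt: now.Add(-48 * h)},
		{ID: "b", Status: "verified", ReceivedAt: now.Add(-2 * h), DecidedAt: now.Add(-1 * h)},
		{ID: "c", Status: "verified", ReceivedAt: now.Add(-50 * h), DecidedAt: now.Add(-48 * h), LegalHold: true},
		{ID: "d", Status: "pending", ReceivedAt: now.Add(-100 * h)},
		{ID: "e", Status: "rejected", ReceivedAt: now.Add(-49 * h), DecidedAt: now.Add(-48 * h)},
		{ID: "f", Status: "migrated?", ReceivedAt: now.Add(-500 * h)},
	}
}

func main() {
	now := time.Now()
	for _, d := range Enforce(SampleRecords(now), SamplePolicy(), now) {
		fmt.Printf("%-2s delete=%-5v %s\n", d.ID, d.Delete, d.Reason)
	}
}
```

Run on the fixtures, records a (verified, grace elapsed) and d (abandoned upload) are marked for deletion; c is kept only because of the legal hold, and f is surfaced for review rather than touched, which is the behaviour to expect from a tool that has to defend its decisions to a regulator.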
