A passport scan, a driving licence, a utility bill: these are the documents modern services routinely ask for to verify a new customer. The customer uploads them once, in a single transaction, on the understanding that the document is being used to confirm an identity for the service in question.

The document, in most cases, is not held only by that service. It is retained for compliance purposes for periods of years. It is shared with verification subprocessors who specialise in the work; it is sometimes shared further with the partners of those subprocessors. The single upload becomes several stored copies of the same document, in different organisations, with different retention policies, in different jurisdictions.

What this means in the ordinary case is little. Documents stored under proper conditions, by competent organisations, are reasonably safe. What it means in the less ordinary case is more. A breach at any one of the holders releases the document. The document does not need to be released by the original service to circulate widely; release by any of the downstream holders is enough.

Once a passport scan has circulated, it does not stop being the principal's passport scan. The same document is what is presented, by parties who have come into possession of it, to fresh verification systems that ask for the same kind of evidence. The document the principal uploaded for one purpose becomes the document presented against them for another.

The remedy is principally preventive. It is about being deliberate when documents are first uploaded: to which providers, for what purpose, under what retention, with what sharing. It is about preferring providers who can demonstrate that the document is destroyed after verification, or who use document-checking systems that do not retain the original at all. The document the principal does not let circulate widely cannot be used against them later.