Reports of identity fraud linked to ID scans submitted online rose by more than 50% last year, the Telegraaf has reported, as a growing number of platforms ask users to upload copies of their passports or ID cards.
The government identity fraud reporting centre (CMI) received 3,373 reports of fraud arising users handing over scans of their IDs in 2025 – up from 2,208 a year earlier – the paper said, citing the agency’s internal records. Reports rose again from 326 in January this year to 1,350 in April.
Only certain types of organisation are legally required to verify customer identity with a full ID scan – banks, insurers, cryptocurrency platforms and licensed gambling sites, under the money laundering prevention act and the gambling act.
But Airbnb, Tinder, LinkedIn, Ryanair, Instagram, Facebook, Pornhub and OnlyFans have all introduced or expanded ID-scan checks, the Telegraaf said, citing fake-profile detection, age verification under the EU Digital Services Act, or trust and safety.
Routed through US firm
Many of those platforms, including LinkedIn, Ryanair, Airbnb and Roblox, route their checks through Persona, a San Francisco-based identity verification firm. In February, researchers found Persona had left its entire government dashboard codebase – 53 megabytes across 2,456 files – publicly accessible on a US government-authorised server.
Privacy expert Brenno de Winter told the Telegraaf that under the US Cloud Act, American authorities can compel US-owned firms to hand over data, meaning Dutch passport scans processed by Persona could in principle be requested by US agencies.
The same Cloud Act exposure underpins ongoing controversy over the proposed US takeover of Solvinity, which hosts the government’s DigiD identity system, as well as a class action launched against Odido after February’s leak of ID details belonging to 6.2 million customers.
What the regulator says
The Dutch data protection authority said social-media platforms may only require an ID scan where there is a credible reason to doubt a user’s identity and where no alternative method of verification is available.
Users asked for a scan should ask why it is needed, contact the platform’s data protection officer, and hide their BSN numbers, along with any other unnecessary information. The home affairs ministry’s KopieID app allows users to add a watermark stating the purpose and date of the copy.
EU age check
The European Commission has urged member states to roll out an EU-wide age verification app by the end of the year, which would let users prove they are over 18 without disclosing their identity or date of birth.
The Netherlands is not among the seven countries piloting the technology – Cyprus, Denmark, France, Greece, Ireland, Italy and Spain – and Brussels has stopped short of making the app mandatory.
