There is no good identity.
Emails change, people lose access to old emails.
People dislike usernames, they want to be able to choose non-unique ones rather than end up with user53267 or something inane.
People lose devices, just storing a secret UUID in their cookie, or using a passkey from their device isn't going to work.
There is no ideal solution except to blend a variety of things together, for some people email is pretty stable for long time and they like it as the identity, for others their usernames are stable and they prefer that as the identity... though I know of no-one that has had the same primary device for more than years (not decades) so perhaps that one will never work.
I do think this is important though, where it comes up a lot is a work email account, a first.last@company.com, and how all of the vendor software utilises "Sign in with Google", and it's the email address they then store in the vendor app as the identifier...
People get married, people get divorced, people transition, people move culture and choose new names... names change, and so do email addresses.
Perhaps OIDC and the like needs a new extension: a standard API to change a username, and a standard API to change an email address.
People also have a right to lose everything and start a new life. this is something that people could do just a few decades ago
Registered sex offenders in many U.S. states lose this right.
https://www.youtube.com/watch?v=eWPtAJS1kro
that makes sense
Doesn't some states have really arbitrary rules for what constitutes "enough" to be called a sex offender? Things like visiting a prostitute, urinating in public, consensual sex between two teenagers and more requires you to register as a "sex offender" in some states. Should that suddenly mean you shouldn't be able to start anew online?
Yes. If you don’t think some offenses should be punished with sex offender registration, we can discuss changing those particular statutes, but that’s no reason to allow violent rapists and child molesters to evade registration.
Eliminating registration requirements so we don't have to institute a tracking system and prevent anyone else from starting over when >99% of the public is not a sex offender is not "evading registration", it's eliminating it.
If someone is still a danger to the public then maybe don't release them from prison.
I would gladly support life sentences or even the death penalty for rapists and child molesters, but unfortunately a lot of people like to complain about “mass incarceration” so most states don’t have the ability to fund the necessary prison facilities. If we’re going to let them out of prison, the least we can do is to try and keep these people away from children.
"Mass incarceration" is from the war on drugs and general over-criminalization of society. Let out the non-violent drug offenders and there will be plenty of cells for the rapists and pedophiles.
That’s not true. Consider the following graph: https://substackcdn.com/image/fetch/f_auto,q_auto:good,fl_pr... (source: https://inquisitivebird.substack.com/p/crime-in-the-usa)
62.5% of sentenced prisoners committed violent crimes, which includes 15% for murder and 15.5% rape and sexual assault. All drug offenses put together make up only 12.6%.
Sounds like your stats support the argument that if we let out the drug offenders there will be plenty of space, since it effectively doubles the amount of room currently taken by those convicted of rape and sexual assault.
Also, you haven't considered length of terms.
If 62.5% are serving for violent crimes, they are most likely serving longer sentences than those convicted only of drug offenses. This means over the time of one violent criminal's stay in prison, you have maybe 1.5 or 2 or even 3 or more drug offenders being taken in and released. This doesn't affect the amount of people in prison at one time, but it affects the amount of people who end up going to prison.
By the same token, life sentences for rape are going to take up a lot more prison capacity than you’re accounting for. If you change a rape sentence from ten years to life (and a ten year sentence might mean you get out in six), you could end up 5xing or 10xing the number of prisoner-years the system needs to handle from the same population of offenders.
Also by the same token, you’ve essentially made my case that “mass incarceration” is more a consequence of harsher sentences for serious violent crimes than it is a consequence of drug prohibition. If you favor even harsher sentences for serious violent crimes (I do too) then you need to accept that this will require significantly more prison capacity. Either that or we need to start talking about expanding the death penalty, and expediting the appeals process in capital cases so it can be applied at scale.
I think your case is overly simplistic. My response was pointing out that quoting basic statistics is not going to explain anything, and diving beyond the surface will reveal complications. Move on to 'violent crime caused by drug prohibition' to see yet another aspect of this. I am not making any argument beyond this.
It doesn’t really add anything to the discussion to wave your hands around, say “it’s more complicated than that” if you’re not prepared to seriously explore the consequences of the complications you’re bringing up. For instance, you raised the complication that prison term length will have certain effects on the amount of prison capacity required for a class of crime. Fair enough, but once we actually explore that complication in depth, the conclusion is that lengthening prison terms for rape will consume significantly more prison capacity than you can free up by completely eliminating prison terms that are already relatively short. Likewise, unless you have some sort of data-backed argument as to how and why eliminating drug prohibition will change the conclusion that we will need more prison capacity to incarcerate all sex offenders for life, you’re not actually making any useful point.
There is no way to have a real discussion about this without actually being informed. Pointing out that your feelings about how rapists should be sentenced should not depend on whether or not drug prohibition is just because of 'room in the prisons' is perfectly valid. Statistics that mean nothing without broader context and analysis are pointless and misleading.
I don’t know about you but I don’t have this problem.
It’s completely beside the point here. I’m making the argument that if we want to incarcerate rapists for life, we will need the prison capacity to do so. Which means, keeping everything else equal, building more prison capacity and increasing the degree of “mass incarceration” in the country. Something that is a very controversial suggestion to say the least.
AnthonyMouse responded with the claim, “Let out the non-violent drug offenders and there will be plenty of cells for the rapists and pedophiles.” I could have backtracked and tried to make the argument that one has nothing to do with the other. But there was no need because I could, and did, simply refute AnthonyMouse’s claim directly.
You’re clearly implying this is a mistake that I’ve made. I don’t think that it is. While you’ve pointed out a specific complication that I didn’t explicitly mention (the relationship between length of prison term and share of prison population), this complication doesn’t undermine my point but rather strengthens it. You made a further suggestion that maybe we should consider the violent crime that’s caused by drug prohibition. That would be a fine counterargument for you to make! Bring your own data and analysis and maybe we can both learn something.
The problem is that it’s a lot easier for you to sit there and criticize me for not bringing enough “context and analysis” when you’re not bringing any of your own. If you have a point to make, make it. Don’t complain that my arguments are “simplistic” when you’re just going to make lazy sniping comments and expect me to do the work of making your counterarguments for you.
My point is that you have a solution which, correct me if I am wrong, is 'let them out because we can't jail them forever because we don't have room, so then we have to put them on a registry'. You act as if this claim is practical (or even sensical), and then defend it by using statistics. I shouldn't have bothered pointing out your statistics are pointless and should have pointed out that your claim is based on a false premise.
Sex offender recidivism is a complicated topic that is very difficult to study, and 'sex offenses' are not something that are standardized between societies or systems, and acting like your solution is a decent one means that you think that a simple solution can solve a complex problem.
Thus any conversation you are going to have on the topic is going to be fruitless unless you are trying to push an agenda with no regard for a real path forward.
One can be intelligent and intuitive but without the proper background and without the awareness to know when out of depth then a lot of damage can be done.
You’re wrong, so let me correct you. As per my previous comments, I’d be perfectly happy executing the lot of them. I don’t think that’s politically feasible, so as a compromise, I would be satisfied building as many prisons as are necessary to incarcerate them for life. But even that is politically infeasible, largely due to widespread misconceptions about the bogeyman of “mass incarceration”—including the misperception that mass incarceration is primarily a consequence of drug prohibition. So now that we’re backed into the corner where rapists and child molesters are eventually released from prison anyway, I much prefer them to be registered as sex offenders than for them not to be registered as sex offenders.
Since Anthony has some sort of problem with sex offender registration and was the one to suggest life imprisonment in the first case, I pointed out that the natural consequence of such a policy would be the expansion of “mass incarceration”. I wanted to see if Anthony was serious enough about life imprisonment to accept the necessary tradeoffs of such a policy. He replied by claiming that mass incarceration is the consequence of drug prohibition and that the required prison capacity could be freed up by releasing nonviolent drug offenders. This claim is false and I refuted it.
No, you shouldn’t have, because they aren’t. The point was to refute Anthony’s claims that mass incarceration is the consequence of drug prohibition and that the required prison capacity could be freed up by releasing nonviolent drug offenders. If you would like to refute my refutation, please feel welcome to introduce whatever data and analysis you have toward that end. I only ask that you put forth the effort yourself instead of gesturing vaguely in the direction of a refutation and then scolding me for not doing the work of presenting your side of the argument.
The rate of recidivism among dead men is zero, and while lifelong prisoners do engage in recidivism against other prisoners, at least they aren’t committing crimes against the rest of society. So there actually are relatively simple solutions available to us. If we are all in agreement that we are willing to bite the bullet and increase the scale of either the death penalty of mass incarceration, I would be satisfied.
When people object to sex offender registration by asking “why are we releasing them from prison in the first place?”, I am not actually convinced that they are serious about lifelong incarceration. I worry that they are using this point as a rhetorical cudgel and have no intention of actually accepting a policy of lifetime incarceration for sex offenders, especially when such a policy would likely conflict with what I reasonably presume to be their attitudes about “mass incarceration”. Now, maybe my presumption was wrong and Anthony is actually totally fine with mass incarceration, but if that were the case he would have said so. Instead, he introduced the canard that mass incarceration was the consequence of drug prohibition. He provided zero data to back up this claim and the data I provided refutes it. Anthony had no response and your responses have been little more than pointless bromides about how these issues are “complicated” with next to no data or analysis on your part about what these complications might be or why they would change our conclusions.
Between the two of us, you’re the one who is struggling to contribute anything that could make this conversation fruitful. I hope I’ve clarified my position well enough for you to add something of substance. For one, I’m not actually clear on what specific position you’re taking here, other than “against Phil”. Perhaps this is another presumption on my part, but I assume that when people argue with me, it’s because there’s some point they disagree with me on. So what is it?
I think it's a cost/benefit thing. People react strongly to sex crimes, and many people don't agree with the state the 20 years in prison or whatever was enough, so this allows the state to spend $0 on incarcerating someone and still placate those voters.
I don't know why we don't do this for all crimes, though. Why no murderer registration list or bad-check-writer registration list? I guess those we outsource to the private sector.
People want rapists and pedophiles to burn in hell. They don't feel the same about bad check writers, and first degree murder already carries the death penalty in the relevant jurisdictions, but sex crimes generally aren't punishable by death.
It's probably because sex crimes are extremely hard to prove. If there is a murder, somebody is dead and somebody killed them. It's not that ambiguous. Consent can be extremely ambiguous. It drives people mad because you want every rapist to be six feet underground and every falsely accused innocent person to be free but there are all too may cases, plausibly the majority of cases, where there is no way for the system to conclusively distinguish them.
And then we hesitate to kill rapists because we're uncomfortable about that when it's so easy to get it wrong, but if we don't, people feel the guilty ones are being insufficiently punished. This is kind of a recipe for ending up with bad laws.
Sex offender registries are not limited to rapists and pedophiles. Jurisdictions without death penalties have sex offender registries. And some other crimes receive longer prison sentences.
Sex offender registries are for rapists and pedophiles. Putting people on them who were arrested for urinating in public is the sort of negligence that rarely gets addressed because it doesn't affect a powerful lobby. But that kind of intractable bureaucratic scope creep is another argument for not having them.
The sentence isn't the longest of any crime for the same reason it isn't death (or, for the jurisdictions without the death penalty, the same as their penalty for murder).
Sex offender is not a natural category. Registration statutes specify relevant crimes. People who urinated in public were compelled to register because statutes specified genital exposure. Buyers and sellers of consensual sex between adults were compelled to register because statutes specified consensual sex between adults.
The difficulty of proving rape is why rape conviction rates are low. Imprisonment for rape is shorter than imprisonment for murder because most people consider murder worse than rape.
People who urinated in public were compelled to register because statutes specified genital exposure in order to cover flashers but were overly broad and non-discretionary, causing an absurd result. Statutes covered flashers and prostitution because of scope creep; once you create a machine people want to use it for things. It's fairly obvious that there would be no registry to begin with if there were no rapists or pedophiles.
Even despite the low conviction rate, rape convictions are reversed at a higher rate than other crimes, because it's so difficult in those cases to know the truth.
Many countries historically imposed the death penalty for rape and a few still do. Typically the ones less concerned about proof beyond a reasonable doubt in general.
People viscerally hate rapists and, even more, pedophiles. Murder is nominally worse but not by much. The penalty for rape and second degree murder are typically about the same. In multiple US states the penalty for rape is higher.
Do they? A quick mental scan of well know paedophiles suggests that famous ones face limited repercussions.
"Powerful people evade justice" is a different issue. That doesn't really depend on what they did.
That’s what criminal background checks are for. Lots of criminal convictions have lifelong consequences, many of which are meant to prevent recidivism. People who are convicted of violent felonies are barred from owning firearms, people who are convicted of securities fraud are barred from working in positions where they are capable of committing securities fraud, and people who are convicted of sexual offenses are kept away from children. All of these restrictions seem reasonable to me.
How is urinating in public a sex offense? I'm releasing urine not having sex with it.
Because in order to pee you have to expose your genitalia. I suppose the laws were made so that anyone exposing genitalia could be charged for it.
That being said, it is completely stupid that people are actually made to register as sex offenders when they really were just peeing. Doubly so when they did so without anyone other than themselves seeing their private parts.
They should visit India once. Of course many people will pee against an object (wall, tree) but at times not so hidden
Incidentally saw this funny discussion yesterday (the comments are funny): https://www.reddit.com/r/unitedstatesofindia/comments/18ufbu...
I think these United States have gone way above and beyond their duty as far as calling people sex offenders (not saying that Indians are right)
You just need to go as far as Budapest.
You just need to go as far as Brooklyn on the subway.
Pee in public within a certain distance of a school and you'll probably find out.
I know a guy that happened to. He was drunk and urinating by the side of the road in plain view and wound up registered as a sex offender. West Texas.
This is his story that I've not independently verified, but I don't think he was an actual sex offender from what I knew of him. He was certainly a drunk though.
Because the law is badly written sometimes.
Because people may wee your weewee.
Source?
https://slate.com/news-and-politics/2014/08/mapped-sex-offen...
It's kind of weird that sex offences are treated specially. I'd like to know if I live around someone who gave in to plain violence as well or if someone stolen something significant enough.
Either we are giving people second chance without stigma or we are tracking everyone forever. I'm fine with both.
Sex offenders should lose rights. This video is trying to draw sympathy for a 19 year old hooking up with a 14 year old, and that is plain evil.
"Sex offender" at least in the US is a ridiculous classification that includes people who peed in a fountain while drunk. I don't think they should be punished for the rest of their life and be on a public list with serial rapists.
No it doesn't. There are zero people on the registry for urinating in public. This is a myth that pedophiles like to claim.
You'll find thousands of articles about it. You won't find a single case.
Yes it does. Puppy killers like to claim that it doesn't. /s
Here are a few examples with names: https://www.menshealth.com/trending-news/a19541024/you-might...
There is a ton of posts from lawyers confirming the fact that in many states you can get convicted for public urination and put on the sex offender list. For example, here is a post from a Texas-based lawyer: https://www.craiggreeninglaw.com/can-you-really-become-a-sex...
The reason it's so hard to estimate the real number of these cases is that the crime is listed as indecent exposure or lewdness.
I believe that sex offender registration laws are problematic. But so is that Men’s Health article.
Yes, the article contains actual names. Thing is, none of those people are registered sex offenders:
1. Juan Matamoros is not a registered sex offender.
2. Julie Amero was a crazy case involving false testimony by a police officer. Her conviction was vacated on appeal, and she is not a registered sex offender. (That all happened long before the article was written.)
3. Wendy Whitaker is no longer a registered sex offender.
4. Janet Allison is no longer a registered sex offender.
5. Eric Williamson was acquitted. He was never a registered sex offender.
Men’s Health is not a reliable source for investigative reporting.
This isn't reddit. And that's a terrible form of argument.
Okay. I can agree that that subset of sex offenders shouldn't be defined as sex offenders.
Highly dependent on jurisdiction.
Ditching a jurisdiction where it’s illegal to start afresh in somewhere the tradition is welcome is part of the process.
Oh really?
As someone that once faced serious jail time for plants, I think that would have been a nice option, but I wasted two years of my life in court/etc.
Passkeys aren’t device-bound. I think they’ll work just fine.
The real problem, though, is that we seem to need digital identity solutions to be perfect as opposed to “good enough”. No solution is perfect and we’ll be stuck on email as long as the enterprise security nuts (who need everything device-bound and vendor attested) and anon-in-the-ether privacy schoolers (who think any stable identifier whatsoever is a heinous crime) are part of the conversation.
Imagine if everyone just used mobile drivers licenses issued to whatever self-sovereign wallet the user chooses. Identity issuing, revocation, and recovery is then handled by all the things society has already built to handle meatspace identity. Account recovery involves a trip to your local gov’t office to re-issue your ID credential. Which means you need some chain of trust to your birth certificate. You’re going to treat your mDL credential wallet with a lot more reverence if that’s the recovery flow, so some of these problems solve themselves if we stop using punk short-names everywhere online.
Relying parties that need human uniqueness, age, and/or nationality guarantees use the mDL verifiable credential. Law probibits relying parties from aggregating and selling/transferring information obtained for purposes of authentication from a VC. Ad-tech privacy problem solved.
Services that don’t need proof of human uniqueness etc. can just skip the VC part of the equation and use basic passkeys and implement short-name reclamation.
But why do you need to tie it to your driver's license? Tie it to whatever kind of account recovery token you like, put that in a safety deposit box at a bank (available for ~$20/year), and then you can get access to that with your government ID if all else fails.
This requires no new infrastructure to screw up or get broken into and doesn't tie your internet activity to your name while still allowing you to use your name to recover your accounts.
This is variously unnecessary and ineffective.
The correct way to do age verification is to ask the client's browser if the user is a minor. If the user is a minor, either their parents will have configured the device to answer truthfully or the minor has access to an adult willing to allow it, against which no remote system is secure anyway because the adult has an adult ID.
This is the same reason human verification doesn't work like that. You still have no idea if you're talking to a human, all you know is the device on the other end has somebody's ID attached. Individuals who aren't supposed to be using AI still have a human ID and criminal organizations not only have their own IDs but also any they can steal.
It's not clear why proving nationality over the internet is necessary but most of the obvious use cases are dystopian and requiring you to visit a physical office once in your life to prove your nationality to some bureaucracy (after which you can use your account) seems like a minor burden -- and more secure -- than trying to do this.
That kind of system is not worth the candle. The tracking risk is large, the benefit is small, there are too many ways to screw it up and it would inevitably be politically compromised and hard to change.
You can use whatever credential society is willing to trust. Practically that’s a state-issued ID.
All I’m arguing is that we should extend the concept of your state ID cryptographically into cyberspace. Amd that it should be used for recovery flows where real identity matters. There’s nothing new here (society already works this way) other than the protocols and specs to agree on document and signature format, which is luckily something we happen to excel at managing.
None of your counter suggestions solve any practical problems. A liquor store isn’t going to simply “ask the user” whether they’re of age. They need more formal proof. Users don’t rent safe deposit boxes at banks, and even if they did that would be chained back to your physical ID anyway so your apparent solution isn't a real solution.
The dystopian worries are hyperbolic and mostly FUD. If a service needs your info and you need the service, you’ll give it to them.
Anyway mobile DL is already happening. I’d rather a state that I have at least a modicum of control over be the root of my digital identity than some corporate run email system than can evict me without cause.
Nearly every institution trusts the credentials that it issues. Your employer trusts your ID badge that they issued. Your bank trusts your bank card that they issued. Why does anything else even need to exist?
And then it will be designed poorly but everything will start requiring it because the poor design will allow it to be used as a tracking ID (even if it was claimed not to, because malicious corporations are clever), but once everything is using it the poor design will be difficult to change. See social security numbers (which never should have been public).
A liquor store doesn't need to verify identity over the internet because you're standing in the liquor store. Unless it's an internet liquor store in which case they already have your identity because you've provided them with payment info and a shipping address, and checking ID at the point of sale is useless when it's the point of delivery you care about, i.e. you need the delivery driver to check it. Otherwise minors can just buy alcohol with an adult's ID unbeknownst to both the seller and the adult, and have it delivered to themselves where nobody checks who receives the package.
You can't verify age over the internet because you have no way to know if the credentials being used are those of the user or someone else. In person you compare the picture on the ID to their face, or can notice if they're clearly a child.
The bank doesn't even know what's in the box, and you're not required to use a bank if you don't want to. You can use any safe place you'll still be able to access even if your house burns down etc. A safety deposit box is an example of such a place which is relatively inexpensive. Many people do in fact use them to store important documents -- that's one of the main things they're for.
If you make it easy to demand then services that don't need the info will demand it, and then you'll give it to them because you need the service. Which is the evil to be prevented, by making it hard to demand, so only services that actually need it will demand it.
That which is made can be unmade. Easier if done sooner.
So buy a domain name for $15/year to use for your email, which you can point to any third party email service if you don't want to host it yourself, and you can point somewhere else if they disappear or become adversarial. Or make it easier for the average person to do this (though it's really not that hard).
You’re really missing the point of the whole conversation: account bootstrap and recovery for situations where things like verifying that a real human and not a bot owns the account, that the real human is unique and isn't lying about their name, and that the human is legally allowed to use a service (age) are requirements.
(To your example: we’re talking about bootstrapping an account at a bank not using a bank card as a bearer token. Banks won’t trust a bank card when you tell them you lost your bank card and need a new one, or walk into the branch for the first time to open an account.)
Today we do an entirely shitty job across the board of meeting these requirements. We root trust in essentially the digital analog of your postal address. We TOFU any comms coming from a new address. We use crap like captcha (which is now easily defeated by AI) to try and help establish a pulse. Etc.
Everything you mention about stable IDs existing, corporations abusing the relationship with their users for extra profit, etc., is already a problem today. All a service needs is name and DoB and they can sell info about how you use their service to aggregators for days. Our current system of email addresses doesn’t solve that even remotely. And it makes services that do justifiably need stable IDs reach for crummy insecure, unsafe and terrible options like asking you to upload a photo of you holding your drivers license… talk about creepy shit services shouldn’t be doing. There is no reason we can’t show the user a page that explains exactly what data will be shared with a service when they present any given credential and allow them, not you, to make the choice of whether that’s okey and warranted for the given service.
You’re making multiple logical fallacies: (1) you’re moving the goalposts and arguing that a system that improves our ability to issue, hold, and consume digital versions of a government issued ID is wholesale bad because it doesn’t solve all conceivable problems in the digital ID space even though it solves many. And (2) your resounding reason for the badness is that “it will be designed poorly and used by bad guys” which is just our slippery slope du jour.
Why does account bootstrap require any identification? It's a new account with nothing in it. You can't be reading someone else's messages or withdrawing their money because there isn't any. If you're the one opening the account, that's your account, regardless of who you are.
The only reason anybody cares about this even for banks is that it's required by law. But then you show them your government ID one time when you open your account, which doesn't have to be done over the internet, and if you care about the security of it then it couldn't be. Otherwise you can't prove that the presenter of the ID is the person whose name is on the ID. And if you don't care about that (e.g. because to prevent this you're relying on the legal system deterring that with criminal penalties) you can let them provide their name without any ID.
I mean let's ask the question this way: If people have their government ID on their phone and then someday there is a wormable remote root exploit in one of the major phone platforms, a criminal organization now has access to millions of IDs. Not possible when government ID is a physical thing in your wallet. Are we just setting ourselves up for doom? They can steal everyone's money and pin their crimes on whoever they want? Why would you build such an epic single point of failure?
It doesn't really do that. It just pushes it one level away as if that system can do something different.
What do you do if you lose your bank card? You show them your driver's license. But then what do you do if you lose your driver's license? Regardless of what that is, couldn't you just do that if you lost your bank card? It's not providing anything but another level of indirection. And in either event it's not something that needs to be done over the internet because it's needed so rarely. You don't event want it to happen over the internet, because then someone who can steal or forge a digital ID can steal your bank account from Russia instead of having to walk into a physical branch in the victim's country and put their face on a surveillance camera.
I still don't understand how this is supposed to prove anything. The human who operates the bot will have an ID for the bot to use.
This is the biggest reason to burn any such system to the ground. Because it only works against honest people. You prohibit victims of government abuse and anyone who doesn't want to be tracked from using a pseudonym, meanwhile serious criminals get IDs by remotely hacking phones or servers or bribing low-level government employees.
Preventing innocent people from being anonymous is an offensive goal.
So then you call them or sign in to the account on their website and have them mail it to the address they have on file, which they'll notify the account holder of by sending text and email.
As opposed to the traditional system, which does the same thing with your actual postal address? The government does the same thing as the bank if you lose your driver's license. They mail you another one. In many cases they mail you the first one.
Which is exactly why you should never have to give them that information, and any system that prevents you from making it up is to be destroyed.
There are so few things that legitimately need this that keeping them clunky and arduous is a huge feature, to keep the demand for it from spreading to services that don't.
And then all the services that want to track you demand your full name and DOB, use it to track you, and you have to use them anyway because they have a network effect or some other market power, or there are only three companies in the industry and they all do it.
It not only doesn't solve all problems, it only solves one problem -- how to track people who don't want to be tracked, which is a problem that could quite beneficially carry on not being solved -- and in the process it creates multiple new problems that didn't previously exist.
It's the thing that will happen, because designing such a thing with effective privacy protections is actually an extremely difficult problem even when you're competent and have good motives, but you're asking the political system do to it, which is the thing with a poor track record on technical competence and corrupted by all of the interests who don't want that problem to be solved because they want to track everyone.
You're massively oversimplifying reality.
No it's not. Many many services ask for phone number as a proxy for "this is a unique human". Plenty of services ask me to verify my identity with those stupid "which one of these is your address from 2004" questions. Some ask me to upload photos of my drivers license or enter the info from the card. Services where I enter payment require my information. In fact I'd argue that the majority of the critical digital services I use require strong identity be it traditional or web3 crypto-style. It's just the angsty message boards that don't. Heck even social media requires at least a phone number these days. I simply don't buy your unfounded assertion that "the majority of relevant digital services don't need strong identity". Strong identity should be the default, anonymity only when needed or desired by a select digital community.
The iPhone has been remotely exploitable since its introduction. Still, I don't know of a single Secure Enclave exfiltration exploit because it's hardware separated. Regardless, your doom and gloom scenario has yet to play out so I'm calling FUD.
There is no that. You get your license re-issued or maybe you can use SSN (which is so bad and doesn't solve anything because we devolve to digital SSN instead of DL). I don't know of any banks that let you bypass identity verification because you lost your credential. You have to go get a new credential. Fun fact, phone companies are now requiring ID verification via state issued credentials to make changes to your account. Simply having the account login credentials aren't enough anymore. Lost an hour at the Verizon store trying to get my mom a new phone for the holidays only to learn she needs a DL.
Nobody cares if the human uses a user-agent software to browse the web. What people care about is humans having multiple accounts, gaming systems, spamming communities, being bad actors, etc. All these things are enabled by a lack of scarcity in identity or anonymity (two sides of the same coin). Because strong identity is scarce, you don't get to make up accounts for a bot and then just roll a new one when that bot is banned. You get one shot and if you blow it and don't play by the rules your account is banned, your spam and abuse potential is now zero instead of one.
If you're being targeted by your government then you can't use systems with strong identity anyway (whether it's form the 20th or 21st century isn't important), so it's a moot point. You can't use banks with KYC because all your accounts are frozen or being watched. You can't communicate using government regulated comms channels. Like it or not we cede a monopoly on violence to our governments. If you don't like yours then move elsewhere or yes reach for true anonymity and operate beyond the pale.
Nooo. Trust is not rooted in your address. It's rooted in presentation of a birth certificate and residency documents to a government agency. Only after you attest to your name and bind your name to an address is an address trusted. They don't just say "oh you say your name is Paul? Great where's the best address to send this credential?", (and FWIW some even print you the credential on the spot avoiding the postal system).
The fact that you either don't understand this or haven't taken the time to be careful enough about this nuance tells me you're firmly in the camp of tinfoil hat anonymity purists, and that your opinions on the matter of practical human identity can be pretty much discarded as such. No offense. I mean you said this:
Any system where I can't just make up arbitrary details about myself is to be destroyed. Okay that's practical.
I don't even need to rebut this statement because it's so asinine it discredits itself.
FUD and arguing past me. I said we need legislate the use of PII from digital credentials. We already live in a world where companies abuse everyone. We are beyond fucked on that front. So the solution isn't "stifle all innovation because it could make you slightly easier to stalk". The solution is build a strong robust framework around which information is clearly in the domain of user-controlled identity/PII and that shall not be abused without consequence, and then enforce the law. How is that not clear? The problem is EXACTLY that we can't stand up as a society and point to digital PII, because it doesn't actually exist in a clear form. We live in a blurry purgatory where nobody knows what exactly is an identifier and how it should be respected because we don't have strong digital identity. The ad industry doesn't need a credential document to track you. They just tag you with their own UUID when they see you and your shitty browser (also built by ad-tech) does the rest. Zzz...
That's not even a charitable interpretation of what I'm arguing. Thanks. It doesn't create a single new problem (or if it does it's strictly in the realm of unsophisticated doom and gloom tirade FUD). It makes a shitty system better for the vast majority of humans who'd aren't super fond of internet trolling, scalping, spam, bullying, and all manner of activities that our current system tacitly glorifies.
Privacy is not one dimensional. If you're competent you understand that privacy isn't "nobody knows anything about me". Privacy is about only sharing sensitive information with people you trust. A functioning social society involves trust. Trust no-one is not a valid pragmatic mantra. A system where the commons agree on a stable identifier and credential and then each individual is able to present the credential, attenuate the claims (e.g. transform a strong meatspace ID into a weaker but still unique pseudonymous ID for services that don't need meatspace details but still need functional identity), etc. is exactly what we need to solve problems and make progress. What we don't need is to tear down society and all become faceless anons by default.
I guess this discussion probably boils down to a difference in philosophy. I'm a humanist. I want technology to augment and enhance human systems. I don't want to evolve into a trans-humanist hive mind type of civilization where we're all faceless interchangeable worker bees without any sort of reputation or identity.
---
Addendum: FWIW I suspect the idea of a credential with everything a traditional drivers license has is tripping you up mentally. In the actual implementation the user is issued a selection of credentials with varying claims and can choose which one to present to any given service. The user only reveals the minimum information they're comfortable sharing with any given service. This is an enhancement possible with a digital system that's cumbersome with physical cards since sending your all the different permutations of a DL with different fields included would be unwieldy and expensive.
[2/2]
That has two major problems.
1) There is no way to verify what they do with it. Once they have the information, what they do happens entirely within their own organization, which the user has no way of knowing. They'll lie about it, or secure it inappropriately and then have it leaked. The only real solution is for them never to have it to begin with, not laws on what they can do with it that nobody can verify.
2) Defining PII in this way is basically hopeless, because whether something is personally identifiable is context-specific.
You want to prevent a social media company from getting your PII, so you never give them your name or date of birth, all they have is your username with them. If the same company owns a retailer, you make a separate account with the retailer and the social media service still doesn't have a physical address for your social media account even if the retail service does.
Give that company a way to prevent you from having "two accounts" and now you have one account and your social media account is correlated with your name and physical address. But they get to claim they need the information because the retailer has a legitimate need for your shipping information. And the username goes from not identifying you to identifying you.
How would "strong digital identity" change that? All it would do is create an additional form of PII. All of the others would still be there and be just as uniquely identifying, including the ones that weren't created to be or appear to be at first glance but are, or are in combination with some other variables they also know.
It's not that hard to maintain multiple identities and keep them separate. The easiest way for laymen is to use separate devices; older devices are cheap and more than fast enough for basic internet use if you just want to read the news on a device that doesn't know where you work etc.
Forced single identity kind of throws that out the window as soon as they find any way to correlate accounts using the same ID, and do you really think they won't?
Okay, here's a single, specific, new problem: If your government ID is digital rather than physical then things that used to require a criminal to be physically present in your jurisdiction can now happen over the internet from countries where they have no fear of prosecution.
There are alternate ways to address these problems that don't involve massive centralization of authentication.
That's kind of the point. You're already free to give truthful information to anyone you trust. Now what do you do if you don't trust someone but they demand your info anyway and you're not in a position to refuse?
There is a difference between faceless anonymity and having multiple identities. The latter is how human society has always operated. People behave differently in front of their parents and their friends. They wear different clothes to work and to play. They say things in confidence to people they trust that they wouldn't say to people they don't.
But now you're not just saying it to the people you trust, you're saying it to people you trust and a huge corporation who records it forever and often gets breached. Keeping a thick line between these different identities is something we need to support, not inhibit.
You're really looking for a rate limiter to prevent someone from creating a million accounts. You don't have to merge everyone's pseudonyms into a totalitarian centralized identity system for that. All you need is something that puts a price on account creation. A literal price would work fine. So would a dozen other things.
The real problem is that services don't want something that adds friction to account creation, but they do want to track everyone. And what I'm saying is that we should fight against making the tracking everyone thing frictionless.
Can you explain when this is the case? You can always vote with your feet and not use x|y|z.com. Not a once have I been forced to used some piece of software in my personal life.
I'm not actually arguing that socially we shouldn't have "Personas" or access to multiple email addresses or whatnot, etc. I'm arguing that personas should be specifically chosen by products on top of a strong cohesive underlying human identity system (by not using some global id as a primary key in the users table or even storing it in the first place, or by allowing a less strict form of authentication). If your message board doesn't need to enforce uniqueness of humans, or enforce that posters use a real name, then it simply doesn't (maybe email is good enough for it). However, if your bank does need to, it has a good way to do so not a shitty one. And as a user I'd rather my account recovery be rooted in a socially robust system even if higher order services don't need to chain their account/user records back to a unique person ID.
That's not what I'm looking for but I don't disagree that it's a solution to some of the spam and bot type of problems.
I'm looking for a strong digital identity system not rooted in a digital postal address. Some people are allergic to the idea because of all the ways it could theoretically be abused. I simply don't buy FUD around how an strong identity system could be abused to be reason not to build it. Powerful tools come with great responsibility. I believe there are enough people who care involved that we could develop and wield a better system than "your email is you" responsibly as a society. I actually think that a strong identity system would help us avoid slipping into a totalitarian nightmare where all the tracking happens in the dark behind the veil (essentially what we have today). I want people that need to track you to declare it loud and clear so that I can make informed trust decisions on a service by service basis.
Anyway you really seem to be arguing from a position where you assume this tool will be used unilaterally by everyone for bad. I simply don't buy it. Your fear is noted, and I think we've discussed as much as is productive at this point.
This is how we end up with personal accounts as an admin of Facebook ads of fortune 500 companies, and the like. By not allowing multiple accounts, you prevent partitioning of life/business, you prevent abused spouses from creating a secret identity to seek help through, you prevent whistleblowers from blowing the whistle, you prevent people from being able to have conversations about part of their life they don't want associating with their identity.
People can have multiple passports! They can choose which passport to show when entering a country. I have a US ID and a Dutch ID, a US social security number and a Dutch one, a US phone number, and a Dutch one. Why should I have the privilege to have multiple accounts while you do not, simply because I moved to another country?
Why should only people who have driver's licenses be allowed to get a phone? That seems ridiculous.
Since I've moved to the EU, I have many friends who get banned simply because their written English is bad enough to be considered a bot. How does identity prove they are a human and not a human running a bot? Please tell me this. I'm quite interested in this.
How is this different than what we already have? I can choose to give a service as little true information as I want. Do you just want some cryptographic user/pass that is attested via a government? What do you do if a government revokes a user's id (aka, deportation, lost id, etc)? Can they still log in? What if it expires, is it still valid for your service? My US driver's license is long expired, but it still asserts my identity even though I can no longer use it to prove I know how to drive.
I don't think this is very well thought through, nor is it realistic once it hits any sort of common edge case. I really hope nothing like this ever happens.
[1/2]
Anyone can get as many phone numbers as they want for less than $5/each.
And there is a better way to rate limit account creation -- you pay $5 to create an account. For a legitimate user this is a nominal one-time fee, but a spammer has their account banned in minutes and has to pay over and over, and the fee directly pays the costs of fighting spammers so the more there are the more funding you get.
The biggest problem with this is, ironically, that we messed up our payments systems so that it's really hard to pay anyone over the internet without disclosing your identity. Which makes "pay a nominal fee instead of giving your identity" pretty hard to implement. If you want to fix something, fix that.
Anonymity has to be the default because it's needed by specific people rather than specific communities. Most people on some huge social network don't need to be anonymous but the minority who do need it desperately. They're a minority that needs to be protected even though a conglomerate would be willing to steamroll over them because they're not a large enough population to affect the bottom line.
It hasn't been a huge problem because the majority of people haven't had a single-root digital ID on their phone and the majority of services don't currently accept one. But there have been known to be vulnerabilities in various hardware security modules, some of them remotely exploitable. It's a bad assumption that no one will ever find another one.
And the problem isn't just the scale, it's the scope. Even Apple had a Secure Enclave vulnerability, which was reported to require physical access, but sometimes the attacker has physical access. And then it's not that you can access the bank accounts of millions of people, it's that you can access all the accounts of anyone whose phone you can steal because you've put every egg into the basket of that single ID. Which the attacker can then use without showing their face in a physical place.
That's my point. That is the law against giving false information on an application for government ID, which isn't any more effective than a law against giving false information on an application for a bank account, and shouldn't be necessary on an application for phone service or similar.
You did the identity verification when you opened your account. They generally don't need to see your ID again. They were going to send a new card there anyway because the cards expire every few years and they automatically send you a new one.
Not because they care about your name, because they don't want attackers stealing their actual customers' phone numbers and digital credentials can be stolen remotely, so they resort to physical ID. Making the government ID a remotely stealable digital credential is not solving their problem.
You don't want players using bots to play your game, so you say captcha to continue if they play suspiciously well or suspiciously long. Asking for ID doesn't work because the bot can present the human's ID.
You don't want Archiveteam scraping your site, but they have many volunteers willing to each run a slow crawler from a separate IP and it's hard to distinguish the bots from real users, so you use captchas. Using IDs instead doesn't work because each of the volunteers has a unique ID.
Company wants to use AI marketing bots in the same way as they pay astroturfers, but now instead of paying $1000/month they pay 100 times as many people $10/month just to use their ID. Each bot gets an ID, and the bots aren't conspicuous so they don't get banned quickly, they just post a lot of 20th percentile-quality content and really love that company's products. If anybody's ID gets banned the company replaces them with someone else. There are a million people willing to take a ban from a site they don't use in exchange for a little money.
Lots of people currently use captchas in places where asking for ID wouldn't do any good. Rate limiting by ID overlaps heavily with rate limiting by IP address.
These are not at all the same thing. You can get access to a large number of unique identities with a relatively modest amount of resources, and demanding ID won't be effective for anything requiring more of a deterrent than that. Conversely, you can rate limit based on anything scarce, not just ID.
Having users post a bond is particularly effective because you can make the amount scale with how aggressively you need to deter bad actors, and it's technically possible (though not currently convenient) to do this anonymously.
You can also rate limit by reputation by using vouching systems etc. etc., none of which requires the person doing the vouching or the person being vouched for to be using the same identity on your site as they use in any other place.
This is what I mean by creating new problems. What do you do if you get hacked and then banned from everything? It's one thing to lose a $5 deposit or have to start over with a new account on one service, what do you do after your ID gets banned from all social media and every major infrastructure provider in a consolidated market? Tying everything to one root is bad.
There are different levels of being targeted by the government. If your abusive ex is a cop, you need to be able to operate under the radar so they can't find you. That doesn't mean they can have your bank account frozen without raising red flags, so you can still go to the bank to get enough cash to run away.
In general we try to improve the government, e.g. by increasing the ability for the public to maintain their anonymity. Especially when that country is the US and the US is the country preventing other countries from e.g. providing their citizens with an anonymous bank account. Where are you even suggesting someone go? Sealand?
A birth certificate is just a piece of paper with a name on it. They have no way of knowing if that's your name. No authentication is happening there.
This stuff isn't based on cryptography or signature verification or anything. It's based on it being a crime to lie about it in particular contexts, which deters people from doing that. "Attesting to your name" is something you could do just the same to the bank. All you have to do is make it illegal to give a false social security number to a bank and you have the same level of security as you do to get the government ID.
Being made up is where names come from, and people don't have a single name. Married people often change their name and carry on using both of them in different contexts.
A particularly relevant example is stage names. Their name in the credits isn't the name on their mortgage or in their high school year book. They'll use their stage name for a social media account. Using their other name is dangerous because if their social media account gets hacked, the name on their mortgage gets out and stalkers show up at their house.
This is as true for minor celebrities as major ones, if you do certain kinds of work or discuss certain kinds of topics, so those people need to use a pseudonym on the internet. With no way for anyone to tie it to where they live. Even if they're not famous enough to have Big Tech CEOs in their address book.
Personally, I like the idea of hardware-tied auth (phone/FIDO2 key), that could work for me eventually. However, I am also one of the "anon-in-the-ether" people and don't want a permanent identity on any public service.
A permanent identity comes with many additional mechanics, far beyond just a stable identifier. The biggest one is post karma (including likes): IMO it's at the core of almost everything what's wrong with the modern web. It introduces vile personal and group incentives and leads to an eventual destruction of any honest conversation. While this mechanic exists on public forums, I won't use a permanent identity.
Stable identifiers were common decades before karma or likes.
Yup, I used to use them back then.
You said stable identifiers come with karma and likes. But you know they come without also.
I mean - yes? I understand what a stable identifier is. Having a unique user ID in a database doesn't magically enable likes on all features. But for the purpose of this discussion I limited my opinion to "public services", i.e. services with a social aspect, which overwhelmingly have this mechanic (to such an absurd extent that I can "like" payments made by people I don't know on Venmo).
You do not understand what core is apparently.
From what I understand "core" is a central part of a fruit.
I’d challenge you to live life without a government ID, and without giving your phone number to any “public service”. I’m sure we could be more private than we are, but you aren’t going to get far without your permanent ID.
I definitely don't consider myself a "privacy schooler" (whatever that means) but government-issued ID credentials tied to "self-sovereign wallets" (whatever that means) sounds like a, pardon my french, absolute fucking nightmare. But agreed with your other point that we'd probably stop giving ID up as easily if that was the cost of recovery.
You have government issued id credentials tied to government controlled bank accounts and cards, a wallet per se would not change much.
Those are not signifiers for my entire digital life and allowing them to be a single trackable signifier online gives corporations and governments carte blanche to track every movement we make online in perpetuity, forever once that cat is out of the bag.
It will be worse than the WEI framework in terms of restricting access to a certain class of people. If you're already disadvantaged and don't have the ability to provide documents to the DOL proving who you are, how are you supposed to get access to your online identity again to get into a mail account and try to apply for work or housing?
Imagine someone steals your real world wallet and gets your online identity credentials, goes posting revenge porn and crypto spam and gets you booted off every platform. You get cancelled and lose your job because your online identity is tied explicitly to meat space and the court of public opinion operates on guilty even after proving innocence.
Meanwhile you're trying to recover your life--social, physical, and digital--, but can't get into any platforms online. None of your accounts work anymore. You can't access your backups, or get into your contacts because your device is no longer trusted because it's tied to a blocked Microsoft/Google/Apple account. You can't access your house because your IoT security is tied to your online accounts which have been disabled. You can't access your physical documents safe. You have to break into your house. You can't scan the QR code or NFC to verify identity after providing the alarm code. Police come, and arrest you because you can't prove who you are. You're crazed about your situation, babbling because of the insanity of it all and look like someone trying to steal a nice homeowner's documents.
I realize that's a pretty extreme Black Mirror level example a bit like Nosedive, but it's in the realm of possibility if we go down that route knowing that corporations are already trying to do device attestations. Maybe you'd have the prescience to have a physical security layer 0 for your IoT security, but many products people purchase won't because having to carry a key defeats the purpose of having the tech solution.
The scary enough reality is that if there is a single government provided signifier for an individual online, we will inevitably see sweeping tracking and censorship. They do as much as they can possibly do now. Why on Earth would anyone ever think they wouldn't do more?
No, thanks.
Entirely unfounded FUD!
Wallets wouldn’t just let some random thief access all your credentials. They have safeguards like biometric TEE unlock. If you’re being targeted by someone who can get past that, then they could do equal damage with your physical drivers license. Nobody is going to drive by swipe your phone, bypass biometrics, and access your wallet just to post revenge porn. Give me a break!
The way you fight companies trying to do device attestation/profiling is to provide a system that meets the current needs but controls structurally the philosophy around what you’re identifying (user, not device). And you legally limit behavior, not technically. I am sick of losing every nice thing we had because some privacy wanker says “oh that’s a persistent identifier better neuter it”. I want well regulated identifiers that I control judicially and around which there is a clear legal framework preventing abuse. I don’t want a world where I can’t manage my kid’s phone on my home network because some tin foil hat at Apple decided to change the device’s mac address every day “for privacy”.
I don't think changing the device MAC idea is a good one either, I just don't want my online identity permanently tied to my meatspace identity because I might say things that a future government takes issue with, and if I am tied by government control to my online identity and rules change, my meatspace life gets fucked forever.
neither would a wallet, "only allow access with government issued ID" can be done (and _is_ enforced for some things) independently of central-bank-issued wallets or government IDs. They are just orthogonal things.
Most of the EU has had access to electronic IDs for years, but they are not used to log in to hacker news, and there is no reason to expect them to ever be.
You call that an extreme example, but I say "watch that happen by 2030 at the rate we're going". It's rather frightening how so many people on Hacker News either are completely unaware that this is a thing that any party of power wants to be able to do, or think that society wouldn't let it happen, even as parties in power remove all means of leverage against them.
Is there anywhere to follow progress on this? I don't think anyone actually implements import/export of passkeys yet.
Don't they work pretty portably within Apple iCloud keychain or Google equivalent (but only one)? I think some of the legacy password managers are supporting this as well, although my preferred self-hosted vaultwarden option doesn't yet (bitwarden has support, but I don't think it is in the self hosted version yet, let alone in vaultwarden)
There are ways to set passkeys as non-exportable from device I think but that is not the default.
Bound to devices chosen by Apple or Google is device bound.
What does legacy mean to you? The usual meaning of outdated is inapplicable in this case.
Device bound is to a specific piece of hardware (whether it supports reinstallation at some level is debatable but I wouldn't use the term for it; Signal is essentially single-concurrent-device-limited even though it has migration capability, but since it can be exported, it's not truly device bound. Apple, Google keychain lock-in is vendor or maybe account lock-in, not device lock-in. "Non-exportable" keys from a secure enclave make it device bound, although a sufficiently functional reprovisioning process might make that only a technical distinction.
Passwords are "legacy" security technology at this point (in the sense of being outdated and bordering on obsolete, and yet still needing to be supported) -- password managers are tools to manage that legacy technology.
No it’s not. At least that’s not what anybody in the security community means when they say device bound. Device bound implies the key is cryptographically tied to a piece of unique physical hardware.
Depends on the implementation. Some passkeys are device bound. The free ones, typically. Unless you trust Apple and Google to preserve and protect private keys.
WebAuthn can be device bound. A Passkey is webauthn with nil authdata.
Sorry, how are passkeys not device bound? Every single article I read explaining why they're "better than passwords" touts precisely this as a strength - your authentication takes place on device, so there's no server of passwords for anyone to hack. If you lose the devices your passkeys are paired to, you've locked yourself out of that account for good.
It’s useful to have your own domain with your own email so it stays with you as long as you like, beyond work emails.
Being a tolerated guest who pays little to none in someone’s servers is another issue.
Most large email providers are more like digital identity providers, and being a citizen of one of these big digital countries is neither democratic or setup for your long term preferences.
Is there a way to actually "own" your domain instead of paying registration fees every year?
You can pay ahead up to 10 years, which helps. Get in the habit of adding time every year, but you can miss up to 9 in a row before there are any problems.
This, if you can't keep a domain registration current despite the 10 year max length, domains aren't for you.
People who have been incarcerated?
Kind of an odd example in this context? Someone who is incarcerated for that length of time is liable to lose any property they fully own anyway given the kinds of monetary damages that tend to go with it. And physical property isn't trivial to have kept up for a decade away from it in jail either is it? The only way that happens is if they have it legally isolated from them and someone else who can/will be a caretaker, and in that case said person could easily renew a domain as well. If anything domains would relatively speaking seem pretty easy there, no matter what jurisdiction you're under there are domains to be had that are under a different hostile jurisdiction, there are registrars that will accept cryptocurrency payments, and costs are relatively very low. Auto-renew from a private bitcoin wallet for $10-20/yr on the face of it looks more sustainable and feasible to have work and survive court judgements following a serious felony. And during trial there is time to prep.
Nothing is perfect and the domain situation is really far from perfect, and it doesn't hurt to consider edge cases. But the Venn diagram intersection there of someone who cares enough to have custom domain that is critical, commits a serious felony, considers having the domain after release a key priority, isn't legally barred from it, and doesn't or can't take any steps towards it, seems kinda small. In that case maybe indeed "domains aren't for you" but that doesn't really take away from its use to the rest of us.
I think you would get a confluence of many of these when looking at computer crimes, because often a condition of the sentence is being unable to use a computer (and, to some extent, a lot of people who spend time on computers lack physical people in their life who can step in to help out in situations like these…)
Tell that all SSL cert holders lol
The system is more like leasing/renting instead of owning.
The impermanence of which isn’t the greatest.
I think there’s a few rods that are free to cheap. .cx comes to mind for some reason
Most registrars let you prepay. I prepay mine by 5 years in advance, and have a reminder to refresh it yearly. It also is setup to auto-renew 3 months before expiration so if the charge fails… you have 3 months to fix it.
And I just finished almost three months of emergency military service and my credit card was just cancelled before due to my own mistake. Had I been two weeks into that three month window, I would have missed the renew date.
Even after the reg term expires there’s typically a grace period before the domain is unrecoverably recycled. Find a registrar with good policy, though some things are regulated by internet orgs.
Yes, thanks.
This is a nice approach.
Having too many active domains can be a pain tho
Or you decide to change the domain, but are too lazy to change the email address... everywhere, so you end up paying for 2-3 domains instead of one just for the email redirects to work.
Or you have financial troubles and no credit card just as you need to renew...
A more permanent way to buy - not rent - domain names would solve many of these issues. And changing ownership of domains should be just as difficult as changing ownership of real estate, the only people benefiting from the current ease of changing domain ownership are speculators.
There is at least one domain tld selling “lifetime” domains.
I’m not sure why icann wouldn’t let anyone pay for 10-50 years for a domain.
Domains can be decommissioned once no emails are coming across them, which can be reasonably tracked.
I had no idea or time to figure this out and luckily we weren’t the first to come across this :)
I had my own domain for many years until the email provider of the admin email for the domain (openmailbox.org) decided to shut down. Bye bye my domain.
A good reason why no one should use an email address from their internet provider’s domain, can’t leave.
This is a fair concern.
I think it could be something to start seeing instead like not paying a cell phone bill.
Being able to move your domain between any email hosting provider remains valuable.
A domain that important is worth putting multiple recurring yearly calendar reminders up.
An email serving your identity is probably worth a bit more investing in.
It’s possible to leave a credit card on file to auto renew, renew for maximum years at a time, And lock down the domain enough to prevent hijacking.
It would be so much easier for normal people if all service providers allowed you to add multiple email adresses or other aliases to the account.
You can easily lose access any particular email address, even if it's on your own domain. Losing access to all your email addresses and phone numbers at the same time is far less likely.
In which scenario would this happen, except for loss of ownership of the domain itself?
I'm not aware of any other scenario, but losing a domain is easier than you may think.
For instance, my main email address is on a domain that is now owned by my company (it wasn't originally). If I ever sell the company, I lose access to the domain as well. My wife's email address is on that domain too.
Right. Yeah I know it's not hard to lose posession of a domain. I probably misinterpreted your comment when I thought you meant losing a specific email address but not the domain as a whole.
I never mix work and private. My email addresses on my company's domain are for work-related things only. If I ever sell or close the company, it doesn't matter. I own a separate domain for personal email.
>I never mix work and private.
That's definitely a good idea. My company sort of emerged from a personal activity and things got mixed up. If I could do it again I would handle it differently, but you know, life's twists and turns... :-)
Came to the same conclusion myself.
The only “safe” email host is the one you run yourself or pay for with actual dollars, not data.
The hard part is taking your second paragraph to action. Most people are not ready for that conversation because the major freemail providers have been in service for such a long time that most people really can’t grasp the concept that email is something you have to pay for.
I really blame a lot of that on Google from the very beginning. Gmail, and essentially all free mail providers, are what they are today because of the precedent Google set and the only way companies were going to be able to compete with that was to also make their email services free.
I usually dislike the idea of inviting government into this space, but if there's anything that governments have traditionally done decently well and should do (it's usually within their mission statement) its identity. Passports are really the primary identity layer of Earth.
Ideally in a perfect world we'd have governments run OIDC systems similar to the US login.gov and these would delegate from an international master OIDC system at the UN. Everyone would have their citizenship passport ID and their UN ID, and the latter could serve as a "break glass" master key to support immigration and also limit the ability of countries to "digital death penalty" people.
I can think of some dystopian outcomes here, but IMHO they are not worse than the dystopian outcomes that come from corporate monopolist control of digital identity. At least in democracies one has some nominal influence over one's government and the latter is bound by the rule of law, and if you don't live in a democracy you can (or should be able to) leave.
You're right that identity is hard, and I think most of why it's hard is human rather than technical. One could create a decentralized identity layer from a block chain fairly easily but people would lose their keys etc.
Governments do a bad job here, not a good one.
They restrict people to a single immutable identity, that may not conform to other governments, that may not accommodate different languages and character sets, that are not flexible of gender, that do not reflect relationship types that aren't typically monogamous... the list goes on.
They offer a poor base implementation that is only sufficient due to the legal identity seldom actually being needed online. Which is a good thing, because identity theft would be so much worse if that was everywhere.
In the UK we don't have as fixed an idea of an identity as people think, Cherie Blair is also Cherie Booth Q.C. , Elton John is also Reginald Dwight, and for both people, both identities are real identities and sufficient to get bank accounts in the name of, it's only when it comes to a tax record and passport that you are reduced to a single identifier, but who is to say that the name on that is the preferred name of a person?
My bank account, bank card, accounts on most of my things, do not match my passport and birth certificate.
The alternative is corporate monopolist control, which is what is developing right now with OIDC where Google can "digital death penalty" you and lock you out of your life. The biggest realistic risk is this happening "accidentally" because some stupid bot at Google or Microsoft decides you are violating ToS, and since these companies have basically zero tech support it takes you weeks to unlock your account if at all.
I don't actually like governments owning the identity layer, but then again I am of the "necessary evil" school of thought regarding most of what governments do. It's marginally better than having corporate monopolies own it.
I'm a giant fan of decentralized identity, but there are two insanely hard problems with it:
(1) People lose keys, forget passwords, or get them stolen. They also lose or break security key hardware. I've heard stories of people paying people to actually excavate dumps to find lost Bitcoin keys for example.
(2) There's a chicken or egg problem of getting sites to support any decentralized login scheme without a monopolist like Google pushing it, and the latter have no reason to do so since they want to monopolize the identity layer.
Problem (1) is solvable to some extent by having companies that escrow keys for you. Escrowing with them would not be mandatory but they'd offer a "break glass" service for people who are willing to trade a bit of (potential) privacy for it. A good escrowing service would have a terms of service that forbids misuse of your identity.
Problem (2) is probably harder. Big tech will actively refuse to support any system that doesn't hand them a monopoly or at least an oligopoly.
BTW this is one area where cryptocurrency could have found an actual bona fide beneficial use case! But it's not as profitable as running scams and casinos so nobody did it.
This whole discussion seems to revolve around "Who will be the central authority, the permanent and unwaivering center of trust?". Really a good time to bring blockchain into the discussion, as this is actually something it's kind of designed to handle.
That's a tool, it still leaves open the question "Who will be the authority to determine what changes to allow to the blockchain?", the problem was not solved by introducing blockchain, you just changed the question slightly whilst adding a dependency that wasn't required originally.
Moreover proof of work can't work for non-currency use cases because it requires an incentive structure for the game theoretics to work.
This is a good thing because this is what people have, one single immutable identity.
What you've identified are problems with assumptions about the relationship between various things and identity.
A key one is the relationship between name and identity. Two people can have the same name but aren't the same person. A person ca change their name but they haven't become a new person.
I can do anything I want to myself honestly. I can color my hair, have a sex change, lose weight, gain weight, have height augmentation surgery, get piercings grow a beard, change my name, whatever, but I'm still the same person. That is immutable. I still have the same mother and father, the same birthdate, lived in the same places, attended the same schools, studied the same things, etc.
My identity as far as the government is concerned is still tied to a single number. Yeah, they make it hard to change a lot of the other stuff related to that number (for good reason), but ultimately they are pretty good at knowing who I am based on that number.
I don’t know. I wouldn’t say that governments do identity better than anyone else and adding more dependency on it just increases the value of the government ID making it an even more lucrative target to steal/forge.
Fake ids are a thing and the quality depends on how much you spend. Governments also have reasons to lie about identity themselves (think spies).
A true identity solution means being able to cross reference your identity across multiple entities (federal government, state and municipal, employers you’ve worked for, businesses you’ve interacted with, etc etc).
I'm sure there's a criminal underworld where you can just buy a passport to get you into a country, but for the average person, passports are really hard to fake, which makes them good enough as identity for logging into your average dog photo sharing site.
Why would I want to log in to a dog sharing website using my real identity? Maybe I'm an outlier but I really value the pseudonymity possible thanks to the internet. I can share as much or as little about me as I want, and the dumb things I probably wrote when I was 14 are not immortalized with my name next to them.
A dog what web site?
They said dogs, not cyberdogs, so you might be safe?
Umm, I'm not they're not that great as a primary identity either.
One edge case is that you can have have more than one valid passport for the one nationality. Another is of course that one can have more than one nationality.
Also, passports become useless once your government actively turns against you, see the current fate of adult Ukrainian men still residing in Ukraine.
The same thing risks happening with this government-approved online identity, I mean, how will the EU bureaucrats “handle” people like me that are openly against the West’s take in Ukraine? Will we get our accounts banned from posting pro-Russia content online?
Don't forget the Covid QR codes.
I have a Google, Apple, Microsoft, and GitHub OIDC account among others. That's a feature not a bug.
It'll be a cold day in Cupertino before I accept a UN ID.
I'll reconsider once the corporate death counts begin to match the governmental ones but until then I'll take my chances.
The temperature in Cupertino is currently 50F. That probably doesn't meet your definition of cold though.
A bit chilly.
That is unironically shorts weather.
We'll know soon, something pretty close to what you're asking for is about to be rolled out in the EU: https://commission.europa.eu/strategy-and-policy/priorities-...
Fortunately that will be another nail in the coffin for the EU, at this point they’re just throwing the proverbial excrements at the wall and seeing what will stick. That’s how you get parties like the AfD at more than 30% of the vote (the NSDAP themselves were just a little over 30% too in early 1933).
60% of Americans approx don't have passports. In India about 93%. It's not an ideal solution to logging in to your website.
Also in the UK various government types have tried to bring in national ID and the people rebel. People eh?
I think it's not a good idea. What if, due to unforeseen circumstances, you become homeless and passport-less?
Immigration doesn’t work that way. You don’t lose or transition from one identity federation to another. You maintain both, typically for the rest of your life.
My personal wishlist is that decision makers and designers of identity systems must include people with real world experience of multiple nationalities, tax residencies, migration and so on.
Currently, these systems are already built on false premises and immigrants suffer a lot – not only because of malice but to a large extent because the bureaucrats didn’t think like security-minded engineers. The edge cases are extremely important when it comes to identity, because identity is required for a lot of basic needs. As the world is become more globalized, these issues are a lot more prevalent.
Yes but I don’t see why that’s so surprising. It’s the identity of humans that’s the problem.
FWIW I think email is fantastic as identity, compared to the abysmal state of the alternatives. It doesn’t change when you cross a border like phone numbers. It’s not perfect when it comes to self-sovereignty and account recovery.
This is just not true.
There absolutely is a good identity, and it's one provided by countries.
How do you imagine using that? Having an API for each country and each returning different data? With a 10% adoption?
If my country did not like your country I will not be able to connect to your stuff?
A never ending must of problems ahead.
Well the argument not that it it readily available, but that most countries do have an administration of their inhabitants.
So instead of "There is a good identity", GP should have said "There are about 200 good identities around the world, but if your country happens to not have a single unified ID system you're out of luck"
There are 200 good identities in the world with an authentication system closed outside the official entities.
I have never seen any endpoint for the general population that can be used to authenticate a citizen
Doesn't it kind of already exists for passports? I can travel with my passport to (basically) any country on earth, so there must be some international support for this.
Good for you, but, for example, Israeli passports are not recognised by many countries as legitimate.
The format of the data on a passport is unified (https://en.wikipedia.org/wiki/Machine-readable_passport) but the problem is to make sure that the one who presents this string of data is actually the one it belongs to.
People get new citizenships. They often lose their old citizenships, too, often deliberately for tax purposes.
The most common reason people lose their citizenship is that they take on a second citizenship and the first country doesn't allow dual citizenship. This means that citizenship limbo exists where you have legally lost your citizenship but can still benefit from it until the first country finds out. Some countries forbid dual citizenship but don't enforce it so people end up in this limbo for the rest of their lives.
There's also a large number of stateless people who don't have citizenship at all.
There's also people who are not technically stateless, but cannot return to their country or obtain any identity documents from it.
maybe you are in Scandinavia, but many countries do not even have a centralised register of births, deaths, marriages... and so they do not have a centralised and canonical record of identity of all people in the country.
For example Czech republic has central register of all residents. The register is intentionally designed so that it does not provide any kind of identifier that is both long-term stable and globally meaningful (there is a number called RČ broadly equivalent to NIN in other countries, but it is not supposed to be used since 2010).
Conceptually there is ZIFO (Basic ID of natural person), that should be globally unique, but this is known only to a subcomponent of the central registry that is run by different govarnment entity than rest of the system. At same time the design of that subcomponent contains provisions for allocating new ID, mainly for handling the cases when that ID was allocated wrong (both multiple IDs for one person and multiple persons sharing same ID), so even that is not necessarily stable ID.
Users of that data refer to persons using AIFO, which is specific and meaningful only for particular database (called AIS) and if different databases need to identify particular person as having the same identity they have to call the central translation subcomponent (the API surfaces are designed such that the translation the calling system will not get the result of the translation, which is only sent to the destination system). Even that the AIFOs are meaningless, they are required to be not disclosed to anybody. Alternative IDs that can be used are broadly serial numbers of government issued identitty/travel documents, but these are necessarily both revocable and have limited time validity (the aforementioned technically deprecated RČ is essentially a special case of this).
I believe that this design comes from some pan-EU initiative related to GDPR. For example according to Wikipedia Austria uses broadly similar, but less fine-grained system.
This has interesting issue with regard to things like eIDAS as there is no sane ID that could be included in the qualified personal certificate. One Czech QCA (PostSignum) does not include any kind of personal ID in its personal certificates, second one (I.CA) can optionally include the serial number of identity document that was used for identification. Apparently you can get Swedish qualified certificate that includes Czech RČ in its CN form Zealid. You are supposed to register your certificate into the resident registry yourself, which creates the link between the certificate and your identity. The slight issue with that is that there is no sane way how a third party outside the architecture of these registers can validate that link (you can send them a signed PDF with your data from the resident register, which is apparently what you are supposed to do, but "sane" would look different).
The UK has no formal universal government provided ID system. The UK does allocate National Insurance numbers, but those are specifically not to be used as ID in part because they don't have a face associated with them. Driving licenses exist but are optional, and need regular replacement e.g. when moving address. Names are something you can change on a whim for a bet. Passports have to be updated if your appearance changes significantly, and in any case you don't keep the same one if you change nationality.
And you can basically say all of the same things about the US.
Sometimes, the country you are in changes even though you are in the same geographical location. I've had my email address for over a decade longer than the current countries of Serbia, Montenegro, Kosovo and South Sudan have existed.
Well, that if your contry keeps a lifelong unique ID for your person. And that's only till you migrate, I guess.
Then, however else you'd want it to be, states do come and go too, regions change hands...
Here in Brazil I have at least 4 different IDs :-).
What if every newborn received a chip implant under the skin (cryptographically unbreakable, unauthorized removal punishable by law), linked to a central government database with the chip’s unique identifier and a profile of the newborn’s DNA signature?
There are reasons why SSN or its equivalents are unpopular as web identities. Can you enumerate those reasons?
Where I live the SSN-equivalent is extremely popular as web identity.
Can you explain why it shouldn't be?
Not sure about where you’re from but US institutions often treat the SSN as a secret which should allow account access. Which it’s not by design but nobody wanted to make a better system; it’s why banks have claimed that they are not defrauded by people and instead the fraudsters “steal identities”.
To answer the question more directly, it’s treating the identifier like a password that is problematic.
Okay, but that is then about authorization and not about "identity". I agree that treating it as a secret is a bad idea.
The person said SSN and equivalents, so I guess it depends on what is meant by equivalents.
Where I live my personal number is used as identity, but to actually prove I am the owner of it another mechanism is used (private keys embedded in certs). The personal number is very public info by design and can't be used as a secret.
If my web identity was my personal government tax identification number, I would be worried that one could use that to fraudulently and successfully claim to be me with a fair number of institutions because the authentication mechanism is lacking efficacy.
Yes, I understand, but you mix up identity with proof of identity.
My non-web identity is my name. But me saying that my name is John Doe is not a proof that this is my name. In the same way, me saying that I have identification number 12345678 isn't proof that I actually have that number.
As I wrote, I have a government issued identification number. This number can be looked up by any citizen in the country since it's public info. You can even look it up online - it's not secret.
But someone knowing the number doesn't mean they can prove it is their number, because proof of identity is not in the number itself - for that we use public/private keys and other secure mechanisms.
I understand that this is not how it works in the US because some organization treats the SSN as secret. But that's not an issue with government issued identity number as a form of identity, it's an issue with the US system. Other countries does not have the same issue, since they didn't mix up identity with proof of identity.
Many people don't want their online identities be easily connected to their offline identity (or even with each other). Hell, you yourself didn't register on HN with your G.I. ID's serial number for some reason, did you?
Sure, but this specific part of the discussion was about it being a bad choice because "it’s treating the identifier like a password that is problematic", which I objected to.
I do agree that in many cases I would not want to use it as my web identity. (Those cases would also overlap pretty well with cases where I don't want to use my own email address, like when signing up for sites like this, reddit, Twitter and similar).
Of course this is extremely stupid (basically using the "username" as a secret, something everyone in IT and itsec knows not to do). If we started using SSN-equivalent identifiers as online ID problem would solve itself because by then they're not a secret anymore.
In my country my national ID numbers are nowhere near as problematic as SSN on the US (from what I understand).
Most consumer & enterprise web services are international, and making an implementation for every jurisdiction is burdensome.
There are also some ugly edge cases - what happens if somebody is too young to get a SSN equivalent (e.g NI numbers in the UK), or somebody expatriates, or if some government allows people to request a change to their SSN-equivalent, or if a customer is a refugee without an SSN equivalent?
I do think SSN-equivalent identifiers may be useful for services which are inherently for tax paying adults like some accounting/banking services or marketplaces.
I can't believe such satirical gold is getting downvoted.
This is HN. There are equal probabilities that the post is not satirical and that the downvoters are not getting the sarcasm.
Not convinced that's a vote winner.
See for example UK id cards scrapped in 1952 and again in 2010
Some of the chips would malfunction or get destroyed in incidents. You still need an update protocol!
keep hackernews away from the newborns
"There is no good identity."
Government has failed to adapt with modern times and technology and has failed to provide modern and secure identification and authentication services for citizens.
I log in with my bank credentials to access my government tax account, talk about a total failure to do your job from the people still using SIN as an important piece of identity for some of the most important aspects of life.
This is a solvable problem. Governments can adapt and use modern technology to provide identity and authentication services, but they do not.
In my opinion this is a failure to be responsible for core government services, and I can only speculate why.
It would be or a chaos or very limiting expect that companies would interact with a lot of govs to get authentication. It's way cheaper leave as is.
"Cheap" should never be the driving factor for these things.
That is, in fact, the purpose of government, to do the things necessary for a functioning society for which a profit motive does not exist.
Maybe I'm mistaken but China's super apps solve this problem with profit motivation.
the last thing I'd want would be connecting every online personality to my real identity
Your aliases don’t need to be publicly disclosed.
But the reality is that virtually every online identity is tied to a real identity, just with layers of obscurity added.
This hacker news was created with anonymous accounts but it still links back to my real one.
Every day I get dozens of 'your account was hacked and we used your webcam to record videos of you jacking off' bitcoin 'blackmail' spam to various accounts that have been either hack-harvested or the company went bust and figured selling all their user data was a decent golden parachute.
Just imagine if those accounts all had had direct and firm ties to RL identity stored with them.
They don't, but they will be. If for no other reason than the concrete knowledge that somehow your alias on a site is verifiably connectable to person X will lead to a raft of abuses of the legal system to silence or harass people saying things someone doesn't like. And average sites aren't going to have the resources or will to fight this.
It's not a problem though.
It's definitely a problem. Identity theft is way more common in the US than in Europe.
If it wasn't a problem the SSN system wouldn't be used in unintended ways.
Maybe. Still no need for the government to provide such a service to 3rd parties.
At least in many EU countries, they are adapting. I'm a fairly happy user of Irish myGovID (OIDC) and ROS (X509 "sign this message with your private key" challenge), and Polish Profil Zaufany (I think OIDC or CAS?).
The issues I see are:
- Each country has its own system, some documented, some not so much, some use OIDC, some SAML, some something more obscure.
- As an individual who moved countries, you end up with multiple accounts.
- As a developer you cannot easily register your own OIDC app. Send an email to some ministry and hope for the best. If you aren't part of government yourself, you may be out of luck.
Identity is not centralized and therefore identification and accounting cannot be centralized.
I once had my email change because my ISP was bought out. Absolutely nothing I could do about it. The old email was forwarded for 12 months, then cut off completely.
Did you use that time to update relevant accounts?
Not sure what the gripe is here, especially with a one year notification period.
It means you lose accounts that use the email address as your identity and don’t let you change it.
Can you give a couple examples? I can't think of any accounts that don't allow an email change.
Say, for example, systems that directly expose your email address as the identifier that can be used to reach you. "Send money to saagar@saagarjha.com [using our service]" kind of sites.
Not everything is a phpBB forum.
Also:
https://support.google.com/accounts/answer/19870
There are accounts which do not allow you to change the email the account is registered to.
Can you give a couple examples? I can't think of any accounts that don't allow an email change.
I changed my email address in ~200 accounts and only had trouble updating a few: BuiltIn, CPUID, Flickr, Kakao, JCrew, Nord, and Steiger.
After I contacted Kakao support, they asked for some documents. Then they called me to verify the details. A day or two later, they updated my online profile with an editable email field, so I was finally able to update my email address.
When I contacted JCrew chat support, they performed the update immediately and emailed me a temporary password from noreply@demandware.net.
Flickr and Steiger were also happy to help. TBD on the others.
So I can't think of any accounts that don't allow an email change either. But you might have to jump through some hoops.
1 of the article's points was accounts must be designed to be updated.
I updated all the accounts I could remember, but to this day I don't know if there were any I forgot. I figure if I forgot one, it must not have been important.
P.S. not a gripe, just adding an anecdata.
The oldest email that I can connect to is more than 20 years old. I'm not using it anymore but it's older than any of my phone number or physical address. I don't think we can do better, except with official indentifiers like I'd card or social security number
And even those change
And most the world doesn’t have them.
Or won’t allow them to be recorded by private entities for privacy reasons even when they do.
Because most world has a generic identity numbers for residents, not those related to social security: https://en.wikipedia.org/wiki/National_identification_number
even if they did, your would change when you moved to another acountry
I liked Discords old scheme where you had an email and a display name. Everyone had the numbers so they didn't matter. When they switched to unique account IDs I was kind of bummed, but I'm still curious why they switched.
Because it was trivial to impersonate someone. The old usernames supported full UTF-8, enabling a wide variety of attacks.
And by paying for nitro, you could choose the numbers too, so step 1. Find someone you want to impersonate, copy their username, and replace one character with a visually identical one, but a different one. Step 2 - pay for nitro, and choose the numbers too.
As usual, malicious actors are the reason why we can’t have nice things.
I don't think they solved the impersonation problem. You can still look exactly like someone else, and you can only figure out that person X isn't who you think they are upon investigation. Most people don't investigate anything except the display name and profile picture, so are still vulnerable to impersonation.
As far as I can tell, this hasn't been a big problem in practice. Calls can forge caller ID. Emails can forge the From field. It's irritating but isn't exactly halting society.
I am really not sure why Discord made the change. Wanted to prune inactive users? Wanted to sell Nitro Super Mega Premium to jump ahead in line to get your username of choice? Just bored?
But you can’t have a username that looks exactly the same anymore.
I’m in some 140 discord servers. The amount of spam from people impersonating someone popular has reduced drastically since this change.
I wouldn’t call “one click” an investigation.
So the change that mattered is dropping utf-8. Otherwise if was still supported all someone had to do is step 1.
Yeah, same here. I thought it did a good job of resolving username conflicts without it really being an issue inside active social circles. Everyone can just always use their normal username, and it's only a minor friction when sharing your name outside Discord without a link or something.
What about domain names? Emails are bound to a domain name by definition, and indeed domain name IS designed as a good identity and can be used to host an email. See how domain names are owned by large corporations and trusted since day one and never lost, as long as you keep it carefully. It requires WHOIS information as the authoritative information of domain owner. An account based on username and password is what you usually need to access it, but if you are serious you can always choose a domain registar that is serious about keeping your domain name. It’s not free but it costs nuts compared to the cost of losing it, and let’s not forget that there is a cost behind hosting emails even if it’s given for free.
I set up a Twitter account long ago with an email from a domain I used. I let the domain expire later, and now can't do the password reset because it's pointing to a domain that I don't own, and can't buy anymore. Basically lost forever.
You can buy a domain 10 years at a time. If you forgot to renew it one year ahead, the domain probably wasn’t important enough for you.
Correct it was not. I let it expire. I forgot the Twitter account was registered with it. Later when I needed to relogin and couldn't remember the password, I couldn't do a password reset.
This happened to my primary Google account once and only by sheer luck was the domain available and I was able to recover the account.
I'm the only one to blame because I changed my password at 2 in the morning when notified that someone in another country used it. I didn't put my info into a password manager or remember it because I wasn't truly awake at the time.
When recovering I had to go through a bunch of steps and did great up until the email one. Well, Google was firm about wanting access to that email. Odd, considering the domain wasn't registered at the time of requesting a password reset and so I would consider it a security violation to accept that.
Needless to say, I am much more stringent on making sure this stuff is set up correctly now.
I think email plus a robust protocol for resolving changes works as good as can get.
For important stuff like banks and pensions they also have phone and physical address, so there’s a way to reconcile things like email changes, as rare as they are.
US example. Financial services orgs have your social security number. Perhaps they should be able to forward a message to the US gov to forward it to the citizen stakeholder through a government messaging delivery platform. This ensures continuity of communication but does not allow orgs to lookup emails with loose data governance (and all that leads to).
Login.gov is very good from a federal gov idp perspective, and I’m hoping it slowly develops into supporting a national ID and ubiquitous identity proofing to squash identity fraud but also streamline gov digital service delivery.
I'm surprised the USPS doesn't offer email addresses. Seems pretty in line with what they do.
This is very similar to what's happening with the Australian Digital ID Bill [0].
[0]: https://www.digitalidentity.gov.au/digital-id-bill
My understanding of the article is:
1. Use a guid-like value as your internal identifier. All internal references in your databases to a user should use that.
2. Use a second user friendly identifier for the user to login (i.e. Email). Feel free to rebind this if the user needs to change it. Keep a 1-to-1 relationship between the two.
That was my understanding as well but it doesn't really address sufficiently what to do in the case of, for example, the user permanently losing access to #2. Sure if I am making the decision to migrate from gmail to some other provider, I can self-coordinate transitioning in your app. But if I lose access and can't regain it through my own forgetfulness, or worse I get hacked, the easiest option still seems to be creating a new unique account.
That's true of any identifier.
I remember losing cell service after a storm, but the internet still worked. I couldn't login to gmail (~10-12 years ago when this was the only 2fa) because my phone couldn't receive text messages with the 2fa code.
Even if you lose all the keys to your house, you'll need to get new locks. If the locksmith who is going to let you into your house does everything by the book, they'll need you to prove you actually live there. I had a friend thrown in jail for a day because his ID, keys, etc. were lost in a kayaking trip, and was arrested for attempting to break into his own house.
My point is, there really isn't a good answer here. The platform equivalent to hiding keys in the bushes is printing out one-time passwords. That works pretty well, but also has its own drawbacks.
You could allow the user to add secondary email addresses or phone numbers to their account for account recovery, but then any of this becomes the weak link for hacking their account.
Disagreed. I'm 39. I've known hundreds of people (HS, college, etc) and many close friends who willingly made email accounts like "brijacks85" (their birth year) or "sammichelson212" even when their actual names were still fully available on yahoo/gmail/hotmail, etc. I used to regularly create email accounts for these people using just their names and then ask "why didn't you just check your own name first?" and they'd usually just shrug with total indifference and never use the account I made for them.
When you get the simplest variation of a name on a popular site you’ll receive mail from all the mistaken folks who weren’t careful enough.
Similarly, I get a small fraction of the mail of a texas lawyer, because her email address string is a super set of mine, and some percentage of her clients don’t bother or notice the need to add the extra suffix.
Oh yes, some large number of people are incredibly habitual.
But some also large number of people are not.
I'd never use an account someone else made for me either. Who knows if after you created it, you added some recovery questions or a recovery email or saved the login cookie or who knows what else? I'll stick with my fresh account made on my own PC through my own connection, thanks.
My "favorite" of those email changes is the self-inflicted contractor postfix change. I've worked at places where a conversion to employee forces the creation of a completely new account, and lacking a simple, single permission systems, the act of converting means spending a good 3 weeks trying to get access to systems one had access the day before.
This is extra fun when the company in question does a lot of their business offering complicated accounts to customers, and has an external facing identity solution that deals with all of this easily: just not for their own workers, including those maintaining the external-facing identity system.
In a thread about email, "postfix" really threw me here! But I realize you don't mean the email server, but I'm not sure what you do mean.
The shoemaker's children always go barefoot
OIDC actually already handles this by requiring the `sub` claim to never be re-assigned and unique: https://openid.net/specs/openid-connect-core-1_0.html#IDToke...
Of course this means that an ID token should not contain an e-mail address under `sub`.
So the identity provider could just generate this unchangable ID and let the user link any number of aliases to it, right?
That is what TFA suggests, yes.
Multiple identities at the same time, too.
This is why I think email addresses are "good enough" - you can always spin up a new one for each identity you want to inhabit.
Some services explicitly want to disallow this so it’s actually an attack vector in that light.
Exactly the analogy I had in mind. email primary keys are "serial monogamy". Or if you want a mathematical analogy, piecewise constant :)
Speak for yourself, I'm an email polygamist!
Long lasting usernames across websites is the worst for privacy though, unless the username is not public. In general, it's best if the unique identifier is only known to the user.
Example: https://instantusername.com
I've seen quite personal details being leaked because sometimes even smart people don't realise how easy it is to cross-reference given a unique username.
This isn’t a technology problem. We just need to put our foot down as a society and make tracking as illegal as sexual harassment/assault and aggressively and visibly punish and shun companies that abuse you. There isn’t a technology that magically makes you safe for creepy internet stalkers.
Google doesn't reuse usernames so if they are still around - in a few decades pretty much all unique usernames will belong to dead people.
FaceID and touchID for iOS works pretty seamlessly nowadays for authenticating stuff e.g. mobile payments/banking, etc. and are pretty robust from being spoofed/hacked (uses depth sensor?). Why can’t we create some privacy agnostic universal FaceID to do away with passwords and usernames?
Spotify let's you add separate login methods. I have my email+pw set up as well as login with Apple and login with Facebook. They all log into the same account and all have the same permissions once logged in.
I think it's a good solution.
Have you heard of key event receipt infrastructure (KERI)?
It solves the identity problem with decentralized identifiers though the secret sauce is the fractionally weighted multisig for enabling multi-device signing and account recovery with key rotation.
See the specification for more details: https://www.ietf.org/id/draft-ssmith-keri-00.html
Or the whitepaper: https://github.com/SmithSamuelM/Papers/blob/master/whitepape...
Also, it is good to keep concepts of account ID, public username, and login username separate. By using random account ID, can change the other values. Most accounts want email but don’t have to make it user name. Or people have multiple accounts and makes sense to have email reused.
For login, it can help to have multiple methods. Then people can change from OIDC to password, or between providers.
Pretty much everything is moving to UUID of sorts including Google auth.
It's tricky because you often need to let people reference username/emails for mentions and etc, so you just have to index all of em and translate to UUIDs for references behind the scenes.
It gets extra tricky with APIs. Consider AirPlane.dev which let's you specificy approvers via email. Now a user changes their name and their email. Well, that "IaC" suddenly references an invalid email or worse a different user because jane.doe joined after jane.doe-brown got their new email.