Ahh, cool, pour the corpus through GPTs and start tweeting Congressional rep personal info at them until they pass a law to outlaw data brokers (in keeping with historical precedent [1] [2]).
[1] https://en.wikipedia.org/wiki/Video_Privacy_Protection_Act
[2] https://jolt.law.harvard.edu/digest/dodging-the-thought-poli...
For argument sake, instead of outlawing data brokers wouldn’t it be better to design a better ID system that renders one’s name, dob, and SSN as harmless information?
I don’t know what that would look like but if I had congresses attention I’d like them to fix the problem rather than playing whack-a-mole with banning data sources. I don’t think any actual solutions come from that.
In many countries in Europe, your ID card contains a chip with a cryptographic key, much like chip&pin on a debit or credit card.
Those bits of information are worthless when you need to create a cryptographic signature with your ID card to do almost anything important.
If the card is lost or stolen they can just remove your old one from the keyserver. It's literally just public key crypto.
Identity theft is rampant in the countries that don't have such a system and basically require you give them increasing amounts of private information to prove who you are. In the UK that's every address you've lived in for 5 years, your council tax bill, your energy bill, your bank statement for a month... all because British people think an ID card means you'll get stopped on the street to show your papers.
The US has three dumb points pushing back on this.
The first is religious nuts who think it would be a "mark of the beast"
The second is anti-government types who are, well, anti-government anything.
The third is many business owners, because it would become much harder/risky to hire illegal immigrants to work.
The "mark of the beast" types are pretty much fine with cards that have chips in them, but they really hate it when you threaten to implant those chips into people and they want cash to remain an option - same as the anti-government types. I don't share their apocalyptic or anti-government concerns, but I'm actually kind of grateful for their passionate opposition to both of those things anyway. I don't really want an implant and the option of using cash is a very good thing.
The anti-government types do hate the idea of a national ID, but they're already forced to carry a drivers license/state ID, and SS card so they've pretty much lost the battle already.
I'm afraid that it's the business owners who are our biggest hurdle.
Eh, depending on the flavor, the mark of the beast types don’t even really like barcodes. Allegedly Hobby Lobby does not use a barcode inventory system for this reason.
Hobby Lobby's CEO provided a handy list of reasons why they do not use bar codes, none of which have anything to do with them being marks of beasts
https://www.snopes.com/fact-check/hobby-lobby-mark-of-the-be...
I will say that their list of reasons is deeply flawed.
- they can, and more importantly they almost never have to
- They can be added at the store/warehouse level, not every product needs one, and I've never seen a store that worked entirely on bar codes 100% of the time anyway.
- This assumes what I think, and it only needs to be more accurate than your current method. If it actually weren't more accurate, I don't think they'd have to fall back on "as you think" in their argument.
- this doesn't even make sense.
- questionable, but not impossible to support
- possible, but time savings at checkout is only one benefit.
- Reprogramming the computer for sales would take a huge effort in our case, because we put so many individual items on sale each week.
- It would take effort, but stores with much more inventory manage it just fine, even when new products are constantly coming in and sales are weekly.
- I have no idea from the article what this is in reference to. Maybe the amount it would take for them to make the the switch? It's hard to say how much money it would save them so it's fair to say cost is a concern. I will say that over a long enough time period, it'd probably save more than it costs.
None of this means that concern over "the mark of the beast" is really the reason, but the reasons they gave don't make a lot of sense either. It could just as easily be that poor record keeping and manual entry at the register allow them commit fraud or something.
I suspect that if the mark of the beast plays any role at all, it's that no having barcodes panders to the christian customer base they've always heavily pandered to. Even just the rumor is basically viral marketing for them to that crowd.
How about this: without barcodes, you can't replace your clerks with self-checkout machines
I'm not sure that's true, but it would make it more difficult since it'd be easier for customers to cheat. You'd need more monitoring than most stores at the very least.
Decathlon has RFID tags.
Personally, Hobby Lobby's poor inventory management is a major frustration for me as a customer. Unlike other stores, they don't have any way for me to check online whether the product that I want is at their store. Granted, I avoid shopping at Hobby Lobby in general due to their owners regressive views; but at those times when I couldn't find something at a competitor it would have been helpful to be able to see if I could get it from them.
It doesn't need to be a national ID, it could just operate on a state-level like drivers licenses currently do.
Correct. But not insurmountable.
Make the ID card optional, so that it simplifies things if you have it, but still allows operation without it. If 80% of law-abiding population has the card, only the stubborn deniers will remain targets of easy identity theft and fraud based on it. Partly it will stop being worth the effort, partly it will serve as a good control group.
Allow but do not require to use the card for employee identification. Whoever insists on hiring undocumented immigrants, could continue. Most industries don't do that, and would reap the benefits of a more secure identification.
Don't make the card universal. A bank card with a chip does not identify you for governmental agencies, but prevents a lot of PoS fraud. It could prevent credit fraud if banks allowed me to require the card to take a loan in my name, or to make a transfer larger than $10, and provided the card identity check service to each other and to credit unions. Phones with NFC can read bank cards, so it's a good way to say "it's me, I confirm" in a secure way.
Evolutionary, opt-in, piecemeal solutions often have higher chances to succeed than abrupt all-at-once changes.
Kind of like RealID[0]? It exists right now in the US.
[0] https://en.wikipedia.org/wiki/Real_ID_Act
Yes, this is a step in a right direction.
If it's optional, then one would need to be able to have a central database of people who have IDs and want providers to require them.
Otherwise there's no protection against impersonation if IDs aren't mandatory.
Indeed. But a federated database is fine, too; this is how Visa and MasterCard work.
Imagine having a bunch of ID cards in you wallet, like you already have (driver's license, library card, office access card, store loyalty card) that all have interoperable smartcard interface, and a QR code of their built-in public key.
They would be much like contactless bank cards you also keep in your wallet.
Banks and phone network operators are uniquely positioned to sell a validation service for such cards, being highly connected and already having data about their existing customers, which would be an easy initial audience pool.
They absolutely do, but most of the immigrants have a form of ID that gives the companies some measure of deniability. As long as the I-9 goes through, not my problem. If it doesn't, well that's where contractors come in. Official numbers say around 14 million illegal immigrants. Reasonable estimates are closer to 22 and some non-hyperbolic estimates go as high as 40 million.
Governments murdered hundreds of millions of their own people during the 20th century, and the 21st is shaping up to tell the 20th to hold its beer.
Any proposal for modern ID needs to have Constitutional protections, checks, and balances or it will eventually devolve into a digital police state.
How?
Everyone's like "a government went on and extermination campaign" and for some reason what would've stopped them is the difficulty in identifying who to exterminate?
As though genocides much care about accuracy.
The big secret of Nazi Germany that isn't a secret at all I is that they put a lot more then just Jews in those camps.
A lack of national ID cards would not have hindered the Nazis in carrying out mass murder one bit.
There is another group: those of us who think the trend of requiring ID to transact is a dangerous one.
One doesn’t need to be anti-government to fear governmental intrusion on one’s rights without due process. Our current government does that now.
agree and second -- history shows that this sort of thing goes badly due to "humans"
Big one, but even though employing illegal immigrants is a crime, it's almost never prosecuted.
It's trivial as an immigrant to get a (stolen) SSN. Business owners are not responsible for checking if the SSN is stolen or not.
You're forgetting the entire political left, who claim only whites are intelligent enough to get IDs.
That's probably because all of the anti-immigration and anti-foreigner people who are asking the government to stop people and ask them for their papers... this is not unique the the UK, Canada, or the United States either, and some of the countries plan to do more than just deport people.
Strong identity is increasingly a meaningful technical requirement, but glossing over the human impact of strong identity controls by the government is not going to have good outcomes either.
Not really in Britain. Labour tried to introduce some national id in early 2000s, the right wingers were the ones who objected the most. The same right wingers who are most anti-immigration
I think most of those right wingers are against illegal immigration. There's a big distinction here.
I think very few of those so-called right-wingers are -say- against doctors immigrating to one's country if there's a doctor shortage. As long as immigration is all done using legal means. And with proper checks and balances.
I'm a right winger (but not born and raised in the UK). And I am very much against illegal immigration. I also don't want to be required to wear an identity card / passport with me at all times.
Actually, with proper immigration policies in place, the state can be sure that most people inside the state are legal, law-abiding citizens. I don't think in such cases it does make sense to require people to wear an id card with them at all times.
There were just a series of mass race riots by right-wingers across the UK, in which they went around smashing up shops owned by immigrants and beating up people who don't look white. This isn't about illegal immigration. It's about racism.
conveniently emitting the fact that this is a reaction to immigrants going around randomly attacking birtish people. If you aren't already consider workong for MSM.
That doesn't make it any less racist!
But please give some more details on that. The only case I've heard about was a single attacker who was incorrectly called an immigrant.
It adds context which people who manipulate the overtone window for political games and name calling like to exclude.
The person was a immigrants child. Considering there obvious (violent) refusal to integrate they are too an immigrant.
It's completely bonkers to have retaliation like that against a single attack that isn't part of a pattern.
Like, that context arguably makes it worse than if there was no inciting incident, because it's so blatantly blaming a huge group for one person.
To bring up more things in the broader context, were there not several "grooming gangs" that were active in Britain recently and the police were reluctant to investigate/prosecute them as it might appear racist?
Yes they are against all immigrants.
Yeah, id cards aren't mandatory in France either because the precedent when they were comes from literal Nazis. (At least theoretically, in practice you will face a lot of pressure...)
That depends on the type of attack you're protecting against. It might prevent an attacker from filing your taxes for you, but many companies are still going to use this kind of information as primary key. But it's not going to stop an attacker from pretending to be a bank employee, calling a genuine bank employee via a secret internal-only number, and claiming they've got Mr. Doe in their branch trying to do a critical transaction but their phone broke so they can't use the bank app. Yeah, the Mr. Doe living at 987 Main Street, that one. See, you even verified their ID, and it has a SSN of 123456 printed on it - just compare that to our customer database to make sure it's legit!
It also opens up a whole new type of attack. The problem with those smart cards is that there isn't really a way for the user to know what operation is actually happening. You're using a regular PC or smartphone to interface between the smart card and whatever entity you're trying to communicate with. But that could just as well be a phishing website pretending to be that entity, or malware doing a MitM. Or even just a random website pretending to need a signature for "age verification" when it's actually applying for a loan behind the scenes.
There's no "Do you really want to sign over your house to XYZ?" message on the card itself. And suddenly the government/bank/whatever is getting a request with a cryptographic signature which can obviously only be made by you - why would they have to double-check it if it cannot possible be fraudulent?
I agree that we should be moving to more secure systems, but those ID smart cards aren't a one-size-fits-all solution.
That seems entirely like an implementation detail that doesn't have anything to do with the smart card interface itself.
It's not like it's rocket science to have the reader application detail what the request is used for, and encoding it in the request/response, verified when used, so that it can't be used for anything but the approved purpose.
Why do you trust the reader though? It could display one thing and send another. Although I guess this also happens with payment card terminals. Who's to say the €3 displayed is not charged as €300...
This is a solved problem.
If the ID is on your phone, you can make it so that the transaction details have to be digitally signed by the person authorizing them in order to be valid. Then, if 3€ shows up on your phone, that's what you're authorizing, not 300€.
Sure, given an advanced enough device anything is possible. But I think here we are still discussing a "card" form factor for ID? (Being an "unperson" simply because you don't have a smartphone or have a rooted one would be "interesting").
The reader application can, sure, but what ensures that that "reader application" is genuine and can't be subverted? The card's own processor is supposedly tamperproof, but all the display etc. is in the reader which is probably owned and controlled by whatever third-party you're identifying yourself to, or at best it's a random application running on your PC/phone with whatever malware you have.
As a potential Mr. Doe, I'd love to have an ability to opt in to a stricter mode of banking. I would voluntarily ask my bank to refuse certain types of transactions in my name unless my identity can be confirmed by secure machine-readable means at my presence; internal phone calls should not qualify. It could be a bank card, or a passport — yes, both can be physically stolen, but it's much harder to pull off, and I would immediately warn my bank when I notice.
My country's version uses separate mechanisms with separate passwords for "identify me, revealing my name/DoB/number" and "sign something". Obviously not impossible to pretend that you're signing an innocuous document and have you sign something else, but it at least removes some of the low-hanging fruit.
The US has infrastructure, but it's only issued to military and federal employees.
https://en.m.wikipedia.org/wiki/Common_Access_Card https://en.m.wikipedia.org/wiki/FIPS_201
How is key revocation authenticated?
Funny you should say that. Australia is trying to launch TEx -designed on open-source models to do this kind of thing. It's hitting the usual roadblocks of public acceptance of government mandated ID, in an economy which trashed the "australia card" idea back in the 80s. We're wiser now, we've been frogs boiled slowly: the downsides of central safe ID/auth are outweighed by the risks of loss of info giving everyone 100 points information.
The government now knows what we do most of the time anyway: layer-2 logs on our phones are constant. We lost any privacy some time ago. So now, getting security back might be a net win.
https://www.abc.net.au/news/2024-08-13/trust-exchange-digita...
Except it's being implemented by the people who brought you robodebt.
So i imagine the "Number of people driven to suicide" KPI is going to be pretty high. They're not going to want to ship something that performs worse.
Yes. There is that. But it's only true to the extent all government things are brought to you by the government. If the underlying IMS system used for datamatching by ATO and Centerlink is the product of the same s/w development group I'd be a bit surprised. It's different code.
But I am by tendency an optimist, and the open-source part (if they do that) means we can have eyes on their crypto assumptions behind the protocol and whats on the device.
MyGovID, which I think they're baking into it has been pretty solid. thats distinct from your mygov account, many of which have been hacked, in part because so few people used MyGovID.
(if you've got better info always happy to see it)
Huh?
https://news.ycombinator.com/item?id=41249568
https://news.ycombinator.com/item?id=40961834
TLDR Login.gov, and publishing a circular to allow businesses to use it to identity proof. Push all liability onto the business for losses if this method is not used to identity proof. ID card as ljm mentions, such as a passport card. Very similar to credit card EMV chips and the liability shift from magstripe.
Aggregating data means it can be lost. You must therefore make aggregating and storing data toxic, and impossible to be leaked through eventual mismanagement.
We should fix the problem and ban the data-sources. Whack-a-mole makes it sound like we're talking about a ban on one company, but what clearly needs to be done is a categorical ban on super sketchy business practices, and that seems simple enough. Data-brokers, if they are going to exist at all, need to accept the burden of proof to establish that every single row involves consent, and they need to acquire new consent for every single resale of the information. If that makes the whole industry unprofitable, too fucking bad. And if this looks bad for business, it gets even worse: good luck getting consent for reselling what is mine without offering me a cut.
Since the above kind of common sense looks crazy these days, let's throw in something even more radical. For anyone looking to fund UBI, ^ here's a start. The trouble with the often-mentioned idea of "tax the data" as a solution for privacy concerns is that these taxes are just redistributing wealth from corporations to governments, while all of profit is made with our information. Who wants the monetized details of their personal life to pay for the next unjust war, or even the roads in some place they don't live. If we are so valuable, put some of that money back in our hands, and if the price doesn't sound fair to us, then let us opt out of the sale.
It's politically a non-starter in the US. US states have a lot of power that is derived from their ability to maintain their own ID systems. The states have fought for almost 20 years on requirements as simple as REAL ID.
I’d replace “instead of” with “in addition to”.
Going after data brokers seems like low hanging fruit, and necessary even if the ID system needs to be replaced. This is a top level issue that need to be addressed regardless.
While I think it’d be great to design a system where the information you mention is harmless (I’m curious how this would work without just shifting the problem to whatever new identifier is established), the reality is that this information is not harmless, and will continue to be dangerous to leak for the foreseeable future due to the myriad of systems that use this data in its current form. Any theoretical project to replace this would likely be a long and drawn out undertaking. Addressing the information environment in the meantime seems like a good idea.
We should be doing both, for different reasons. Ban data brokers because they allow anyone with a credit card to stalk people, more or less legally. Fix the SSN identity system because even if you ban data broker businesses, dark web brokers don't abide by the laws anyways.
The uneven availability of information means that no, it's not better to just design a better ID system. Data brokers give corporations far more advantages than a normal person could ever protect themselves against, because even if the data broke doesn't have your government issued credentials they can still easily designate who you are buy collating all the data from other means such as purchasing habits, cellular, and service guest lists.
Plenty of countries have smart cards with chips and RSA keys that can be used to verify ID with much higher level of certainty, but then they usually don't use it.
Even just name, DOD and last 4 of the SS number and you are done.
It's ridiculous.
We detached this subthread from https://news.ycombinator.com/item?id=41249125.
I thought it was a legitimate proposal to the problem at hand, but respect and understand the decision. My apologies for taking the conversation potentially off topic.
https://paulgraham.com/founders.html
While scoped to founders, I think it broadly applies to a subset of curious people who are wired to solve problems, imho.
Err, why do you need a GPT for this stunt? For a quarter of the price of a 2010s mid-range HP laptop, I have a Python script for you.