I'm mostly offended that they're using a third-party private service.
We need a reliable link-to-meatspace authentication provider for the consumption of government services. That's obvious.
But why are we outsourcing it to an external company, which may not be subject to the same purview as the government itself, particularly in terms of legally-mandated transparency, accountability, and universal service?
I suspect half of this is anchored in the "mark of the beast" crowd who is terrified at the thought of any sort of coherent national identity document system. After all, if we had a central "Department of Identity" already, adding some sort of account system linked to the pre-authenticated passports and driver's licenses you already have would be trivial and within their wheelhouse.
Decentralization doesn't add value because it's not really a consensus/disagreement problem.
If you look at it a certain way, we're not considering the general problem of identity, just "association with government accounts". We already have an established set of roots-of-trust and dispute resolution protocols for figuring out which accounts you're attached to. All we need is a tech-friendly set of credentials to supplement the paper passport/driver's license/social security card.
If anything, decentralization would be difficult for the legal system to work with. How do you force everyone else to accept an update from the courts, especially if they're politically opposed to, or disincentived to, accept the update? You could try to tie legal acceptability to staying up to date, but then you'd create a huge liability for software bugs.
This is worth some discussion.
Notaries are decentralized and regulated.
Alternatively decentralized at employer, UI logon credentials could be set up when onboarding each new hire.
Then you start running into differing motivations. How often would you see employers "forget to" synch new hires with the unemployment system, figuring that will reduce their claim rate later? Or check in new hires as "verified citizen, eligible to work" when their proof consisted of a McLovin driver's license and a birth certificate still warm from the Kinko's across the street?
It feels like it would turn into every other abused aspect of employment law: widely exploited both because of technical incompetence and the knowledge most will get away with it.
> terrified at the thought of any sort of coherent national identity document system
If the outcome that they want to avoid is actually a global ID system, you'd think that a private corporation (that could offer its services to multiple countries, interoperably) would be more worrying to them.
It's not like, by opposing a government-run ID system, they've prevented the existence of an ID system that the government accepts (and could mandate nationally).
This is a big blind spot in the US generally. Few people consider that corporations could be a bigger risk than the government, so they limit government power and leave corporations less regulated.
A corporation can't arrest me, shoot me, confiscate my property, or otherwise tell me what to do outside any voluntary contract with them. It's really not the same at all.
> Few people consider that corporations could be a bigger risk than the government, so they limit government power and leave corporations less regulated.
> A corporation can't arrest me, shoot me, confiscate my property, or otherwise tell me what to do outside any voluntary contract with them.
I think that while corporations may be more likely to have risk, the risk may not be as big as if it were done by a government. So, high chance of risk but maybe lower damage vs low chance and higher damage may end up being a wash and may explain why some people fear the government more than corporations.
Typical libertarian blind spot. If the government contracts out to a corporation, you get the worst of both worlds: they can tell you what to do (follow id.me rules or else) and you can't vote them out of office. If you vote the people who hired them out of office they still have a contract so we are stuck with them.
And a corporation hired to, say, run a prison can shoot you.
> A corporation can't arrest me, shoot me, confiscate my property, or otherwise tell me what to do outside any voluntary contract with them. It's really not the same at all.
Corporations have done all things, even within the boundaries of the USA.
You are welcome to argue that this should not have been possible, should not be possible etc., and very few people, including me, are going to disagree with you.
But if we're going to talk about what actually happens in the real world rather than what should happen, everything you've said there is factually untrue.
Can you please post links to well-documented examples of each?
States use violence routinely, corporations may order a hit on someone maybe once in a blue moon. Usually any violence they do is by co-opting government mechanisms already in place.
And btw I am a left-libertarian who criticizes both states and corporations
There should be a protocol, in which voluntary individual participation is possible alongside identity brokers. This is one of those things that should have zero trust baked in at every level. It should require reversible data transactions, and real world mechanisms to allow legal authorities to reset or return ownership of ID information. It should work concurrently with a properly defined notion of valid, entirely offline identities to accommodate people who don't want their identity digitized.
Multi signature cryptography and webs of trust are pretty mature concepts at this point. Using public notary systems could provide the real world authentication to publish keys, so the protocols could be developed around the idea that additional bureacracy and government shouldn't be needed - use the systems already in place wherever possible.
Wrong. It’s due to capitalism as a political economic system. The US government is nothing but an association of global corporate stakeholders. It’s not in service of its citizens. It’s the neoliberal world order.
In Denmark they actually issue their citizens little RSA tokens for use authenticating into government websites. Of course, there are issues sometimes with desynced tokens but I wish our government took things that seriously.
My main key was a ed25519 one for a while (looks like 2016-2018) but after running into so many edge cases I just went back to a rsa 4096. Is it in a better place now?
I tried to file for unemployment insurance benefits for the first time back in July, and I'm still in limbo thanks to Id.me. My state won't let me into their online portal without verifying with Id.me, but their website fails to recognize the photo on my driver's license. Their customer support rep apparently couldn't help in any way other than to escalate my ticket. Got an email update in November to please be continue being patient...
Bonus points to the state of Florida DEO for removing any human staff from their phone answering system. It's just an automated menu that always leads to forced disconnection and useless advice to check their useless website.
Why even have a government if it's adversarial to its own citizens?
There is almost nothing conservative about it. The US government and both US parties are plainly neoliberal. Capitalism as a political economic system is contradictory to sustaining a state that serves its working citizens over its ruling class and global corporate stakeholders.
It couldn't recognize my documents either, but I got directed to a video chat with a real person. Took several hours because the "queue" randomly stops refreshing, but I got verified with in a day.
It was ass, but at least it worked. You never got the video chat option?
It's insurance so you paid for it. If you know an attorney, maybe look at where the State agency thinks it got authority to demand this and maybe sue for injunction.
I recommend the curious to check out DigiD. It's a relatively well-designed SSO for many (if not all?) national and local government services in the Netherlands: personal taxes, business taxes, municipal taxes, trash and water bills, health insurance (trusted private), social benefits, police services, and more.
> LaManna noted that any taxpayer who does not want to use ID.me can opt against filing his or her taxes online.
Do this or you can't use a government service online. Ok terrorist.
> “We believe in the importance of protecting the privacy of taxpayers, while also ensuring criminals are not able to gain access to taxpayer accounts,” LaManna added, arguing that it’s been “impossible” for the IRS to develop its own cutting-edge identification program because of “the lack of funding for IRS modernization.”
Yea, sure trust a private org on data storage. Data breaches never happen..(Drizly I'm talking about you)
>> LaManna noted that any taxpayer who does not want to use ID.me can opt against filing his or her taxes online.
This statement seems absurd. The IRS website doesn't support filing taxes online like a normal country because the tax preparation companies have lobbied to prevent it.
Last time I tried mailing in return I ended up sending it 3 times. They never got it. And I started getting scam calls where they had clearly gotten ahold of the missing returns.
I ended up contacting all of the senators on the finance committee (they're responsible for the IRS's ongoigns) I hope they took in heart my concerns about IDme being a piece in this data proxying/storage etc.
Unfortunately: There were some senators who contact form was broken. (One in texas and I think one in wyomey was another.. other than that I got responses of "we don't give responses to non-constituents)
> I ended up contacting all of the senators on the finance committee... "we don't give responses to non-constituents"
That's a bit disturbing. Senators' work on committees affects everyone in the country, not just residents of the senator's home state, and one's own senators may not have a seat on that committee.
Senator Cantwell (Was), Tim Scott (SC) were the ones that responded back with:
Thank you for sharing your thoughts with me. As a matter of professional courtesy to my U.S. Senate colleagues, I defer to them and encourage you to contact your U.S. Senator with this issue. In addition, I deeply value my correspondence with South Carolinians; because of the high volume of mail I receive on a daily basis, I will give preference to responding to my constituents.
Contact information for your U.S. Senator can be found at www.senate.gov. Thank you for your time and have a great day.
You can contact the committee directly, by phone or fax. Numbers are on this page[1]. You can usually leave a voicemail if nobody picks up.
For written communication, yeah most of us don't have a fax machine, but there are services online that let you upload a PDF to be faxed. They also accept snail mail, but it is very slow.
> They also accept snail mail, but it is very slow.
For context, this isn’t just “it takes a couple of days for a letter to cross the country.” Here’s the note from my local congressperson’s contact page, for example:
> All postal mail sent to my offices must be scanned for security purposes, which means it will take an additional two weeks for me to receive it.
Regarding faxes, it’s also worth checking with your local library—mine offers scan-to-email and faxing as a free service.
On the contrary, it is traditionally considered inappropriate to contact Senators who do not represent you and it is unethical for them to respond in substance (in the House it is explicitly against House rules). We live in a representative democracy and power is distributed geographically through elected representatives. When you contact someone who does not represent you, you're sort of stepping outside the bounds of the democratic structure. You're also consuming resources that are apportioned to a legislative district that's not your legislative district.
> When you contact someone who does not represent you, you're sort of stepping outside the bounds of the democratic structure. You're also consuming resources that are apportioned to a legislative district that's not your legislative district.
That is no longer relevant when they step out of the bounds of representative politics and form special social groups that dictate the laws and behavior of offices that we have to deal with. You can't just have your cake and eat it too.
I appreciate you pointing this out and wish I heard it more. I hear so much talk of "democracy" but not many people talking of "representative democracy," which is how the US government is mostly structured (the occasional ballot issue).
I wonder if the internet and other tools that have reduced the costs of communication have been nudging many of us more towards wanting direct democracy, not representative democracy, without even realizing the shift or how it conflicts with the underlying structure of our government.
I'm curious, what are your thoughts related to how people see the government in terms of representative vs direct (or other forms of) democracy?
The broken form thing reminds me of when I tried to send a message to California FTB (basically the IRS for California).
Kept getting this cryptic error: "Field contains invalid characters or format."
Eventually I found through trial and error that the problem was APOSTROPHES. So I'm, it's, that's, they're, etc are all out.
It amazes me that not only do they not support such commonly used phrases in their messaging system (which pretty clearly means they've never tested it with any thing remotely resembling a real world message), but also that they couldn't even have the decency to give a more descriptive message so I didn't have to go on a punctuation whack-a-mole.
Occasionally I see websites take issue with a odd number of ' because it's creating a SQL statement, and inserting my message/posting in a table within a database.
At least as of last year the FTB website still didn’t take parenthesis either. Pretty sure it is a ham-handed approach at sanitizing the input against sql injection.
I found one of these once for a client I was doing some work for. It was an Ecommerce site as well and they had the "brilliant" idea of "solving" SQL injection by exiting early and stopping the page from loading if the URL contained an apostrophe... One URL encoded apostrophe later and 45 minutes wrangling T-SQL and I had a neat URL to show them at our next meeting with CCname in it.
For added fun, they used Authorize.net but instead of just storing a transaction ID in their infinite brilliance they decided to store name, number, expiry, and CVV code! They didn't even have user accounts or saved payments, it was all more or less a guest checkout flow for all their orders so customers couldn't even look this up on their site after the transaction. Once an order had been filled there wasn't even any usage of the old order data and they never deleted any of it. A quick row count showed ~750,000 entries going back for years.
People that do things like filtering all apostrophes in a form send shivers up my spine. God only knows what horrors lurk beneath the surface on that California government site.
All I can do is express my thanks. In IL it seems like my concerns are, at best, ignored altogether. I get that I am low wagie nobody, but I do vote so I am sometimes really surprised about the non-responses I get ( if I get any at all ).
I sent Duckworth and Durbin a note.. but ofcourse.. you'll never hear back.
I also sent them a letter a while back about the National Security Letter law incursion in HK.. their response a month ago "intenational events are very sensitive subjects .. blah blah blah... vague non related comment on 'we believe on human rights.'"
I sent Duckworth letters before ( physical too since they seem to respond more readily to those ) for a specific non-party request within her authority. The non-response I received made it look like no one read the letter at all. At this point, it is almost a given I will vote for just about anyone who will oppose her.
Her class is part of the reason I tend to write 'representatives', when I describe senators and congressmen.
> Unfortunately: There were some senators who contact form was broken. (One in texas and I think one in wyomey was another.. other than that I got responses of "we don't give responses to non-constituents)
Their contact forms aren't broken, they literally just don't represent you unless you live in their state.
Since you already have done it. do you mind sharing links and letter template? I think a lot of people think strongly about it, having this info handy might push more people to reach out.
Sometime last year I wanted to stop these early child tax credit cheques being mailed to me. I was shocked that I had to use ID.me to even do this one thing.
OK fine, whatever. But then even after filling up all kinds of info, uploading pictures of my driver's licence and having literally scanned my face, it wouldn't let me login, because it can't "verify" me.
I've been filing taxes online for many years without issue.
I can't believe a private company gets to decide whether I can access IRS services.
I've been wondering just how mandatory id.me is. Out of curiosity I tried to find if there was a way to address the problem you mentioned without using id.me. Buried very deeply in the Q & A via a link called "alternative options" it says
If you can’t verify your identity online, you can call the telephone number on the letter you received from the IRS telling you that you may be eligible to receive advance Child Tax Credit payments (Letter 6416)
But... the link to Letter 6416 goes to a PDF that has no phone numbers on it at all.
So although id.me might not be strictly speaking mandatory, in this case it seems impossible to avoid, since the "alternative option" isn't really there.
To me it reads like Letter 6416 is meant to add specificity to "the letter" in the previous sentence.
EDIT: I've found other examples of Letter 6416 online on non-IRS websites that do have a phone number at the upper right. I'm not sure if the phone number's absence from the sample PDF on the IRS website means it has been removed, or if non-sample copies would have a phone number.
Absolutely. Email, password, secure image, 2FA seems more than good enough. It already is for everyone else in my online life like banks, medical services, and so on. Why wouldn’t it be for government services? Given that ID.me is located in the DC area, it seems a lot like this was forced through due to shady dealing.
This has nothing to do with securing your data. It's about denying citizens their right to privacy under the disguise of preventing fraud. I 1000% guarantee the use of ID.me cost the government more than they save in fraud. It's just the Patriot act in different sheep's clothing.
id.me claims to be able to validate identities at a level equivalent to NIST identity assurance level 2. (Not sure if IRS implemented that)
If you look at the fraud activity reported in the media in places like California, most of that was using breach data. Validating at IAL2 would probably eliminate 90% of that.
Tax return fraud is a huge business too, especially for people with large refunds due to EIC.
I'm confused by why you're asking the question in response to my other question. Personally I would prefer that the US government collects certain identity info (name, photo, birthdate, SSN) directly rather than using indirect private contractors because then we as citizens would have more say over what happens to the info and its collection.
I'm confused by your question because I get the impression you were assuming I wanted to delegate such info collection to a 3rd party and that you would not that want, but maybe I've got that wrong. Is that what you were implying?
I was really just saying that the current reality seems to be that no matter what one's position on the US government collecting and storing information, the situation on the ground is that it's actually be done by private corporations, which I would think many people regard fairly differently.
Ah, I think I understand. That no matter if the "government" is doing it, the government almost always contracts it out to a private firm?
I think yes that's the case and yet I do think there are some services that are more in-house to the government and less farmed out, but I'm not sure.
For example, I think the unemployment departments at the state level are often government-run, but I could be wrong. Not sure how much the passport process is contracted out, but I would assume not too much but maybe it is.
How about login.gov? Govt run. Very well done. Already used bu multiple federal agencies. Seems like a shoe in. Throw out ID.me and return their lobbying dollars for good measure.
It is the primary identity provider for the Social Security Administration as of September 2021, and provides identity services for ~211 federal agency applications. IRS is one of the last holdouts.
I've been wondering why login.gov wasn't the choice in the first place, and the only thing I can think of is that id.me seems to portray itself as a fraud-busting identity service, whereas login.gov is simply a sign-in service. So presumably anyone contracting with id.me is convinced that they can help prevent being defrauded.
What I don't understand is why any customer of id.me believes id.me's characterization of how much fraud there is, and how effective they are. How many of id.me's claims have been independently verified?
I know a guy who worked on Login.gov, and I'm all for the government continuing to invest in 18F, the US Digital Service, etc. They've successfully recruited top talent in the past decade, although it's still not nearly as much as it could be. A couple decades ago I was reading horror stories on Slashdot about how the government pays employees peanuts and all the contractors get crazy high rates. Knowing about some of the improvements with in-house software projects in recent years, I was seriously miffed when I had to use ID.me since I knew it was a private company.
ID.me was one of the most ridiculous experiences I’ve ever gone through. I’m used to shitty service, particularly when dealing with the government, but waiting in the queue for the web chat for four hours, only to have it crash and make me re-join every day for two weeks is insane.
New conspiracy theory: Do all authentication through a private, 3rd party company that isn't beholden to the same restrictions of a government agency. Things like creating a video for facial recognition. Create databases that shouldn't exist for government entity, that the government can then freely tap into with things like the Patriot Act. There would be less restrictions and oversight on who this company can share data with, compared to an agency.
This conspiracy theory doesn't have great explanatory power: the USG has ample legitimate sources of photographs for individual citizens, via licenses, passports, and records collected in the courts. There are no meaningful restrictions on what the USG can do with those photos, because they're not private information.
The USG has also openly applied facial recognition already, for things like border control. They're not really hurting for data sources.
I'm also not defending the government's decision to use ID.me; I'm not happy about it. But I think the reason behind it isn't some shadowy data harvesting plan by the USG; it's probably something between "we didn't want to do the paperwork to authorize, fund, and build this internally" and "someone's nephew works at ID.me."
I already had a photo-verified-in-person account with ID.me as part of obtaining my California REAL ID driver's license. This involved a passport, proof of residence address, and in person validation.
Why does the IRS even think they need this? I feel like this was developed from an incident at a stripclub after a ritzy dinner, which was then proceeded by hookers - and less to do with practical scrupulous enforcement of the tax code.
It is very common for the government to use its various arms to institute large data collection efforts in the name of national security. A selfie video of yourself on a modern day phone provides for the government a high definition facial recognition vector for identification purposes. I'm sure you can imagine all of the use cases of having this critical data.
Personal Story: My wife and I travelled abroad right before COVID in early 2020. On the way back, we didn't interface with any customs agents at the airport. Instead, there was a portable robot that took our pictures and advised us to proceed to exit. I can only imagine which image database it referenced for a perfect match to allow entry (passport, driver's license, social media?, etc). From a security standpoint, I would assume that the matching capability/requirement of such system had to have been best of the best.
Isn't the bigger story here that you were able to enter a country without a photo ID? Or did you not make the connection that it could simply compare you to the photo on your passport, like a person would do?
I would love to see how much this system actually costs taxpayers and how much it saves in fraud. Knowing a bit about both of these, I suspect it's lopsided in a bad way.
Despite all the negativity on this thread, I'm pretty happy to hear they are reconsidering. Quite different than when the FCC was ignoring comments on net neutrality.
> Does ID.me maintain a database of faces that map back to original photos and who has access to the database?
> ID.me retains the selfie that was used during the identity verification process. ID.me is the only entity with access to this database. The only time biometric information is shared with a government agency is when there is apparent fraud and identity theft tied to the account associated with the agency.
I wonder if id.me keeps a copy of the photo of the government ID.
A lot of government agencies aren't too concerned with the quality of their services.
Things that discourage people from using thier system just makes their life easier. Theres's no consequence to the department and it's not their problem.
It is completely inappropriate for the government to force people to give up their privacy and share so much with a third party. And it is completely unethical for this company, Id.me, to pursue it. I already am able to use banks and other devices successfully without this service, and I used the IRS website fine as well. Why do this? It smells a lot like corruption.
ID.me gets paid via taxpayer funds. Each taxpayer can't line-item-veto the spend. Treasury has the budget to spend. Treasury gets to tell Congress 'security, good'.
The spend cycle can slow if we radically reduce federal spending/income. Move truly necessary services to the States.
That won't happen, so opt out. Structure your life to avoid qualifying as a person who files a return.
Slaves do as they are told or they get punished by their owners who own the fruits of the labor of the slaves. Free people have the right to choose.
Are you free or a slave? No choice, no freedom.
I'm mostly offended that they're using a third-party private service.
We need a reliable link-to-meatspace authentication provider for the consumption of government services. That's obvious.
But why are we outsourcing it to an external company, which may not be subject to the same purview as the government itself, particularly in terms of legally-mandated transparency, accountability, and universal service?
I suspect half of this is anchored in the "mark of the beast" crowd who is terrified at the thought of any sort of coherent national identity document system. After all, if we had a central "Department of Identity" already, adding some sort of account system linked to the pre-authenticated passports and driver's licenses you already have would be trivial and within their wheelhouse.
Wondering why centralized department of identity is needed. Could it be decentralized?
Decentralization doesn't add value because it's not really a consensus/disagreement problem.
If you look at it a certain way, we're not considering the general problem of identity, just "association with government accounts". We already have an established set of roots-of-trust and dispute resolution protocols for figuring out which accounts you're attached to. All we need is a tech-friendly set of credentials to supplement the paper passport/driver's license/social security card.
If anything, decentralization would be difficult for the legal system to work with. How do you force everyone else to accept an update from the courts, especially if they're politically opposed to, or disincentived to, accept the update? You could try to tie legal acceptability to staying up to date, but then you'd create a huge liability for software bugs.
This is worth some discussion. Notaries are decentralized and regulated. Alternatively decentralized at employer, UI logon credentials could be set up when onboarding each new hire.
Then you start running into differing motivations. How often would you see employers "forget to" synch new hires with the unemployment system, figuring that will reduce their claim rate later? Or check in new hires as "verified citizen, eligible to work" when their proof consisted of a McLovin driver's license and a birth certificate still warm from the Kinko's across the street?
It feels like it would turn into every other abused aspect of employment law: widely exploited both because of technical incompetence and the knowledge most will get away with it.
> terrified at the thought of any sort of coherent national identity document system
If the outcome that they want to avoid is actually a global ID system, you'd think that a private corporation (that could offer its services to multiple countries, interoperably) would be more worrying to them.
It's not like, by opposing a government-run ID system, they've prevented the existence of an ID system that the government accepts (and could mandate nationally).
This is a big blind spot in the US generally. Few people consider that corporations could be a bigger risk than the government, so they limit government power and leave corporations less regulated.
Yeah while that may be a reason, and I say that with respect, that's not the reason we let corporations do what they do.
That's just temporary embarrassed millionaire syndrome and financial greed.
A corporation can't arrest me, shoot me, confiscate my property, or otherwise tell me what to do outside any voluntary contract with them. It's really not the same at all.
But when the government mandates usage of a private company, what’s the difference?
> Few people consider that corporations could be a bigger risk than the government, so they limit government power and leave corporations less regulated.
> A corporation can't arrest me, shoot me, confiscate my property, or otherwise tell me what to do outside any voluntary contract with them.
I think that while corporations may be more likely to have risk, the risk may not be as big as if it were done by a government. So, high chance of risk but maybe lower damage vs low chance and higher damage may end up being a wash and may explain why some people fear the government more than corporations.
Typical libertarian blind spot. If the government contracts out to a corporation, you get the worst of both worlds: they can tell you what to do (follow id.me rules or else) and you can't vote them out of office. If you vote the people who hired them out of office they still have a contract so we are stuck with them.
And a corporation hired to, say, run a prison can shoot you.
> A corporation can't arrest me, shoot me, confiscate my property, or otherwise tell me what to do outside any voluntary contract with them. It's really not the same at all.
Corporations have done all things, even within the boundaries of the USA.
You are welcome to argue that this should not have been possible, should not be possible etc., and very few people, including me, are going to disagree with you.
But if we're going to talk about what actually happens in the real world rather than what should happen, everything you've said there is factually untrue.
Can you please post links to well-documented examples of each?
States use violence routinely, corporations may order a hit on someone maybe once in a blue moon. Usually any violence they do is by co-opting government mechanisms already in place.
And btw I am a left-libertarian who criticizes both states and corporations
Look up the case of Stephen Donziger. Chevron basically did just that.
The goal is to be able to point the finger at someone else when there is a problem.
There should be a protocol, in which voluntary individual participation is possible alongside identity brokers. This is one of those things that should have zero trust baked in at every level. It should require reversible data transactions, and real world mechanisms to allow legal authorities to reset or return ownership of ID information. It should work concurrently with a properly defined notion of valid, entirely offline identities to accommodate people who don't want their identity digitized.
Multi signature cryptography and webs of trust are pretty mature concepts at this point. Using public notary systems could provide the real world authentication to publish keys, so the protocols could be developed around the idea that additional bureacracy and government shouldn't be needed - use the systems already in place wherever possible.
Wrong. It’s due to capitalism as a political economic system. The US government is nothing but an association of global corporate stakeholders. It’s not in service of its citizens. It’s the neoliberal world order.
In Denmark they actually issue their citizens little RSA tokens for use authenticating into government websites. Of course, there are issues sometimes with desynced tokens but I wish our government took things that seriously.
As an aside, if you're using ssh-rsa the latest openssh server removed the RSA encryption module for pubkey verification, by default.
You can add it back into the sshd_config in /etc.
It should be added that this is because ssh-rsa uses SHA1, which is broken, and not because there's a problem with RSA itself.
My main key was a ed25519 one for a while (looks like 2016-2018) but after running into so many edge cases I just went back to a rsa 4096. Is it in a better place now?
ssh's support for RSA has nothing to do with RSA tokens, which is the common name for RSA's SecurID hardware 2FA generators.
> I wish our government took things that seriously
See the recent Zero Trust memo, https://news.ycombinator.com/item?id=30101411
That makes me incredibly optimistic. Thanks for sharing that. :-)
I tried to file for unemployment insurance benefits for the first time back in July, and I'm still in limbo thanks to Id.me. My state won't let me into their online portal without verifying with Id.me, but their website fails to recognize the photo on my driver's license. Their customer support rep apparently couldn't help in any way other than to escalate my ticket. Got an email update in November to please be continue being patient...
Bonus points to the state of Florida DEO for removing any human staff from their phone answering system. It's just an automated menu that always leads to forced disconnection and useless advice to check their useless website.
Why even have a government if it's adversarial to its own citizens?
> Why even have a government if it's adversarial to its own citizens?
The point is to be adversarial to the correct citizens, e.g., poor people and minorities. That's just basic conservatism these days.
There is almost nothing conservative about it. The US government and both US parties are plainly neoliberal. Capitalism as a political economic system is contradictory to sustaining a state that serves its working citizens over its ruling class and global corporate stakeholders.
It couldn't recognize my documents either, but I got directed to a video chat with a real person. Took several hours because the "queue" randomly stops refreshing, but I got verified with in a day.
It was ass, but at least it worked. You never got the video chat option?
It's insurance so you paid for it. If you know an attorney, maybe look at where the State agency thinks it got authority to demand this and maybe sue for injunction.
I suspect login.gov is going to be expanded.
There is a digital identity act making it's way through Congress. Check it out and if you support it write your local representative.
https://www.congress.gov/bill/117th-congress/house-bill/4258...
I recommend the curious to check out DigiD. It's a relatively well-designed SSO for many (if not all?) national and local government services in the Netherlands: personal taxes, business taxes, municipal taxes, trash and water bills, health insurance (trusted private), social benefits, police services, and more.
> LaManna noted that any taxpayer who does not want to use ID.me can opt against filing his or her taxes online.
Do this or you can't use a government service online. Ok terrorist.
> “We believe in the importance of protecting the privacy of taxpayers, while also ensuring criminals are not able to gain access to taxpayer accounts,” LaManna added, arguing that it’s been “impossible” for the IRS to develop its own cutting-edge identification program because of “the lack of funding for IRS modernization.”
Yea, sure trust a private org on data storage. Data breaches never happen..(Drizly I'm talking about you)
>> LaManna noted that any taxpayer who does not want to use ID.me can opt against filing his or her taxes online.
This statement seems absurd. The IRS website doesn't support filing taxes online like a normal country because the tax preparation companies have lobbied to prevent it.
Last time I tried mailing in return I ended up sending it 3 times. They never got it. And I started getting scam calls where they had clearly gotten ahold of the missing returns.
This is worse... they have accepted electronic returns. Now they're blocking that from happening with this third party service.
ssa.gov supports id.me and login.gov[0] so I don't see why IRS couldn't rely on login.gov, which also does identity verification[1].
0: https://secure.ssa.gov/RIL/ (gonna have to wait till tomorrow morning to see it, as it has hours of operation for some reason)
1: https://www.login.gov/help/verify-your-identity/how-to-verif...
I ended up contacting all of the senators on the finance committee (they're responsible for the IRS's ongoigns) I hope they took in heart my concerns about IDme being a piece in this data proxying/storage etc.
Unfortunately: There were some senators who contact form was broken. (One in texas and I think one in wyomey was another.. other than that I got responses of "we don't give responses to non-constituents)
> I ended up contacting all of the senators on the finance committee... "we don't give responses to non-constituents"
That's a bit disturbing. Senators' work on committees affects everyone in the country, not just residents of the senator's home state, and one's own senators may not have a seat on that committee.
Senator Cantwell (Was), Tim Scott (SC) were the ones that responded back with:
Thank you for sharing your thoughts with me. As a matter of professional courtesy to my U.S. Senate colleagues, I defer to them and encourage you to contact your U.S. Senator with this issue. In addition, I deeply value my correspondence with South Carolinians; because of the high volume of mail I receive on a daily basis, I will give preference to responding to my constituents.
Contact information for your U.S. Senator can be found at www.senate.gov. Thank you for your time and have a great day.
You can contact the committee directly, by phone or fax. Numbers are on this page[1]. You can usually leave a voicemail if nobody picks up.
For written communication, yeah most of us don't have a fax machine, but there are services online that let you upload a PDF to be faxed. They also accept snail mail, but it is very slow.
1. https://www.finance.senate.gov/about/faq
> They also accept snail mail, but it is very slow.
For context, this isn’t just “it takes a couple of days for a letter to cross the country.” Here’s the note from my local congressperson’s contact page, for example:
> All postal mail sent to my offices must be scanned for security purposes, which means it will take an additional two weeks for me to receive it.
Regarding faxes, it’s also worth checking with your local library—mine offers scan-to-email and faxing as a free service.
On the contrary, it is traditionally considered inappropriate to contact Senators who do not represent you and it is unethical for them to respond in substance (in the House it is explicitly against House rules). We live in a representative democracy and power is distributed geographically through elected representatives. When you contact someone who does not represent you, you're sort of stepping outside the bounds of the democratic structure. You're also consuming resources that are apportioned to a legislative district that's not your legislative district.
Do my tax dollars go to every senator on the committee?
The point is that your scope as a constituent is traditionally limited to your voting jurisdiction.
The point is senators' scope as committee members isn't limited to their voting jurisdiction.
> When you contact someone who does not represent you, you're sort of stepping outside the bounds of the democratic structure. You're also consuming resources that are apportioned to a legislative district that's not your legislative district.
That is no longer relevant when they step out of the bounds of representative politics and form special social groups that dictate the laws and behavior of offices that we have to deal with. You can't just have your cake and eat it too.
I appreciate you pointing this out and wish I heard it more. I hear so much talk of "democracy" but not many people talking of "representative democracy," which is how the US government is mostly structured (the occasional ballot issue).
I wonder if the internet and other tools that have reduced the costs of communication have been nudging many of us more towards wanting direct democracy, not representative democracy, without even realizing the shift or how it conflicts with the underlying structure of our government.
I'm curious, what are your thoughts related to how people see the government in terms of representative vs direct (or other forms of) democracy?
The broken form thing reminds me of when I tried to send a message to California FTB (basically the IRS for California).
Kept getting this cryptic error: "Field contains invalid characters or format."
Eventually I found through trial and error that the problem was APOSTROPHES. So I'm, it's, that's, they're, etc are all out.
It amazes me that not only do they not support such commonly used phrases in their messaging system (which pretty clearly means they've never tested it with any thing remotely resembling a real world message), but also that they couldn't even have the decency to give a more descriptive message so I didn't have to go on a punctuation whack-a-mole.
Occasionally I see websites take issue with a odd number of ' because it's creating a SQL statement, and inserting my message/posting in a table within a database.
yikes. that's web security 101 level stuff.
So instead of using prepared statements or even just escaping, the programmers just disallow any character that could cause SQL injection?
At least as of last year the FTB website still didn’t take parenthesis either. Pretty sure it is a ham-handed approach at sanitizing the input against sql injection.
I've seen the same thing. I used a government form a few years ago that was for asking questions and it wouldn't accept a question mark (?).
I imagine the incentive of fixing it is [inversely] correlated with how eager they are to receive more messages.
I found one of these once for a client I was doing some work for. It was an Ecommerce site as well and they had the "brilliant" idea of "solving" SQL injection by exiting early and stopping the page from loading if the URL contained an apostrophe... One URL encoded apostrophe later and 45 minutes wrangling T-SQL and I had a neat URL to show them at our next meeting with CCname in it.
For added fun, they used Authorize.net but instead of just storing a transaction ID in their infinite brilliance they decided to store name, number, expiry, and CVV code! They didn't even have user accounts or saved payments, it was all more or less a guest checkout flow for all their orders so customers couldn't even look this up on their site after the transaction. Once an order had been filled there wasn't even any usage of the old order data and they never deleted any of it. A quick row count showed ~750,000 entries going back for years.
People that do things like filtering all apostrophes in a form send shivers up my spine. God only knows what horrors lurk beneath the surface on that California government site.
All I can do is express my thanks. In IL it seems like my concerns are, at best, ignored altogether. I get that I am low wagie nobody, but I do vote so I am sometimes really surprised about the non-responses I get ( if I get any at all ).
I sent Duckworth and Durbin a note.. but ofcourse.. you'll never hear back.
I also sent them a letter a while back about the National Security Letter law incursion in HK.. their response a month ago "intenational events are very sensitive subjects .. blah blah blah... vague non related comment on 'we believe on human rights.'"
I sent Duckworth letters before ( physical too since they seem to respond more readily to those ) for a specific non-party request within her authority. The non-response I received made it look like no one read the letter at all. At this point, it is almost a given I will vote for just about anyone who will oppose her.
Her class is part of the reason I tend to write 'representatives', when I describe senators and congressmen.
If I had charisma, I would be running myself.
yeppppppp
That's the downside of living in IL and it being mostly a D voting base.
> Unfortunately: There were some senators who contact form was broken. (One in texas and I think one in wyomey was another.. other than that I got responses of "we don't give responses to non-constituents)
Their contact forms aren't broken, they literally just don't represent you unless you live in their state.
Since you already have done it. do you mind sharing links and letter template? I think a lot of people think strongly about it, having this info handy might push more people to reach out.
Sometime last year I wanted to stop these early child tax credit cheques being mailed to me. I was shocked that I had to use ID.me to even do this one thing.
OK fine, whatever. But then even after filling up all kinds of info, uploading pictures of my driver's licence and having literally scanned my face, it wouldn't let me login, because it can't "verify" me.
I've been filing taxes online for many years without issue.
I can't believe a private company gets to decide whether I can access IRS services.
I've been wondering just how mandatory id.me is. Out of curiosity I tried to find if there was a way to address the problem you mentioned without using id.me. Buried very deeply in the Q & A via a link called "alternative options" it says
If you can’t verify your identity online, you can call the telephone number on the letter you received from the IRS telling you that you may be eligible to receive advance Child Tax Credit payments (Letter 6416)
But... the link to Letter 6416 goes to a PDF that has no phone numbers on it at all.
So although id.me might not be strictly speaking mandatory, in this case it seems impossible to avoid, since the "alternative option" isn't really there.
It's a Kafkaesque nightmare.
> the letter you received from the IRS
this is presumably not the same as "the link to Letter 6416"
I don't know about that, see section Q K5 here:
https://www.irs.gov/credits-deductions/2021-child-tax-credit...
To me it reads like Letter 6416 is meant to add specificity to "the letter" in the previous sentence.
EDIT: I've found other examples of Letter 6416 online on non-IRS websites that do have a phone number at the upper right. I'm not sure if the phone number's absence from the sample PDF on the IRS website means it has been removed, or if non-sample copies would have a phone number.
Here's a novel idea: don't remove the existing email/password/secure-image combo. It works fine.
You can search for something more secure, sure - but don't break the damn system for the millions of people who need it and refuse to deal with ID.me.
Totally agree. Makes me wonder what sort of back room dealing went on to select ID.me.
This sounds good to me.
So much of this sounds like another overengineered solution to a problem that shouldn't exist.
Sounds more like data mining and getting friendly companies nice contracts to me
Sounds like another cut of the >$1,800,000,000 IT budget of the IRS.
They couldn't store more than 500MB of emails per employee, which was ~45TB uncompressed in 2014. Because of budgetary constraints.
Because they paid some dude rosemaro a half billion for an IT contract, among other things
Absolutely. Email, password, secure image, 2FA seems more than good enough. It already is for everyone else in my online life like banks, medical services, and so on. Why wouldn’t it be for government services? Given that ID.me is located in the DC area, it seems a lot like this was forced through due to shady dealing.
This has nothing to do with securing your data. It's about denying citizens their right to privacy under the disguise of preventing fraud. I 1000% guarantee the use of ID.me cost the government more than they save in fraud. It's just the Patriot act in different sheep's clothing.
Huh?
The government lost tens of hundreds of billions in unemployment fraud during COVID, and tax refund fraud is huge.
How much of that fraud would id.me prevent?
id.me claims to be able to validate identities at a level equivalent to NIST identity assurance level 2. (Not sure if IRS implemented that)
If you look at the fraud activity reported in the media in places like California, most of that was using breach data. Validating at IAL2 would probably eliminate 90% of that.
Tax return fraud is a huge business too, especially for people with large refunds due to EIC.
Tens of hundreds of billions is called "trillions", and no, what you just said is false.
It’s a typo, and should have been “or”. If you don’t believe that, I’m afraid that you are misinformed.
What information do you believe the US government should be allowed to maintain on its citizens? Anything?
What information about citizens do you believe the US government should be able to delegate out to private corporations?
I'm confused by why you're asking the question in response to my other question. Personally I would prefer that the US government collects certain identity info (name, photo, birthdate, SSN) directly rather than using indirect private contractors because then we as citizens would have more say over what happens to the info and its collection.
I'm confused by your question because I get the impression you were assuming I wanted to delegate such info collection to a 3rd party and that you would not that want, but maybe I've got that wrong. Is that what you were implying?
I was really just saying that the current reality seems to be that no matter what one's position on the US government collecting and storing information, the situation on the ground is that it's actually be done by private corporations, which I would think many people regard fairly differently.
Ah, I think I understand. That no matter if the "government" is doing it, the government almost always contracts it out to a private firm?
I think yes that's the case and yet I do think there are some services that are more in-house to the government and less farmed out, but I'm not sure.
For example, I think the unemployment departments at the state level are often government-run, but I could be wrong. Not sure how much the passport process is contracted out, but I would assume not too much but maybe it is.
Maybe the hackers have already figured out how to compromise that at scale, so they have to go to 3fa.
Like a few years back when they were stealing tax refunds by filing before you or filing for people who'd passed away that tax year.
How about login.gov? Govt run. Very well done. Already used bu multiple federal agencies. Seems like a shoe in. Throw out ID.me and return their lobbying dollars for good measure.
Totally agree! I was just going to write this.
Login.gov supports and encourages security keys (yubikey etc) as 2FA. I hope it does see wider adoption soon by more agencies, esp IRS.
It is the primary identity provider for the Social Security Administration as of September 2021, and provides identity services for ~211 federal agency applications. IRS is one of the last holdouts.
I've been wondering why login.gov wasn't the choice in the first place, and the only thing I can think of is that id.me seems to portray itself as a fraud-busting identity service, whereas login.gov is simply a sign-in service. So presumably anyone contracting with id.me is convinced that they can help prevent being defrauded.
What I don't understand is why any customer of id.me believes id.me's characterization of how much fraud there is, and how effective they are. How many of id.me's claims have been independently verified?
Massive amounts of online IRS fraud was a motivator, I believe.
Are the same legislators bringing in a private company to rectify also the ones who keep the IRS underfunded? Pretty sketchy.
I mean to get my online its account working I had to have them mail me a pin. (Us postal service mail…). I wondering now if my experience was unique.
I know a guy who worked on Login.gov, and I'm all for the government continuing to invest in 18F, the US Digital Service, etc. They've successfully recruited top talent in the past decade, although it's still not nearly as much as it could be. A couple decades ago I was reading horror stories on Slashdot about how the government pays employees peanuts and all the contractors get crazy high rates. Knowing about some of the improvements with in-house software projects in recent years, I was seriously miffed when I had to use ID.me since I knew it was a private company.
ID.me was one of the most ridiculous experiences I’ve ever gone through. I’m used to shitty service, particularly when dealing with the government, but waiting in the queue for the web chat for four hours, only to have it crash and make me re-join every day for two weeks is insane.
Sounds like the perfect government service experience!
Worked right away for me, besides the upload form being broken on desktop.
New conspiracy theory: Do all authentication through a private, 3rd party company that isn't beholden to the same restrictions of a government agency. Things like creating a video for facial recognition. Create databases that shouldn't exist for government entity, that the government can then freely tap into with things like the Patriot Act. There would be less restrictions and oversight on who this company can share data with, compared to an agency.
This conspiracy theory doesn't have great explanatory power: the USG has ample legitimate sources of photographs for individual citizens, via licenses, passports, and records collected in the courts. There are no meaningful restrictions on what the USG can do with those photos, because they're not private information.
The USG has also openly applied facial recognition already, for things like border control. They're not really hurting for data sources.
Navigate to id.me's homepage, scroll all the way down, click on: "Do Not Sell My Personal Information (CA Residents Only)"
Here's the link target: https://account.id.me/ccpa
ID.me doesn't even have to be loyal to our government. There's no requirement for that.
I don't live in CA, so this doesn't apply to me.
I'm also not defending the government's decision to use ID.me; I'm not happy about it. But I think the reason behind it isn't some shadowy data harvesting plan by the USG; it's probably something between "we didn't want to do the paperwork to authorize, fund, and build this internally" and "someone's nephew works at ID.me."
I can see Palantir buying id.me for the giant confirmed datastore.
Interesting that link exists since their privacy policy says they don't sell information.
I already had a photo-verified-in-person account with ID.me as part of obtaining my California REAL ID driver's license. This involved a passport, proof of residence address, and in person validation.
Why was that not good enough for IRS?
How else are you able to data mine and milk the government for juicy contracts?
You had to do the whole verification over again?
At least it seems like the IRS registration is good enough to log into SSA.
Why does the IRS even think they need this? I feel like this was developed from an incident at a stripclub after a ritzy dinner, which was then proceeded by hookers - and less to do with practical scrupulous enforcement of the tax code.
> Why does the IRS even think they need this?
It is very common for the government to use its various arms to institute large data collection efforts in the name of national security. A selfie video of yourself on a modern day phone provides for the government a high definition facial recognition vector for identification purposes. I'm sure you can imagine all of the use cases of having this critical data.
Personal Story: My wife and I travelled abroad right before COVID in early 2020. On the way back, we didn't interface with any customs agents at the airport. Instead, there was a portable robot that took our pictures and advised us to proceed to exit. I can only imagine which image database it referenced for a perfect match to allow entry (passport, driver's license, social media?, etc). From a security standpoint, I would assume that the matching capability/requirement of such system had to have been best of the best.
Isn't the bigger story here that you were able to enter a country without a photo ID? Or did you not make the connection that it could simply compare you to the photo on your passport, like a person would do?
The IRS is facing massive online fraud and their budget probably doesn't allow internal development of... anything.
I would love to see how much this system actually costs taxpayers and how much it saves in fraud. Knowing a bit about both of these, I suspect it's lopsided in a bad way.
You have a point, but there are also second-order effects of letting fraud run wild.
Despite all the negativity on this thread, I'm pretty happy to hear they are reconsidering. Quite different than when the FCC was ignoring comments on net neutrality.
Just saying. It's important to speak up.
I'll be pretty annoyed if I have to go through a whole other registration after I already dealt with their old login and now id.me.
id.me blog post: https://insights.id.me/featured-viewpoint/stopping-massive-f...
One interesting quote is:
> Does ID.me maintain a database of faces that map back to original photos and who has access to the database?
> ID.me retains the selfie that was used during the identity verification process. ID.me is the only entity with access to this database. The only time biometric information is shared with a government agency is when there is apparent fraud and identity theft tied to the account associated with the agency.
I wonder if id.me keeps a copy of the photo of the government ID.
I would be more surprised if they allowed for frequent believable audits that they don't.
A lot of government agencies aren't too concerned with the quality of their services.
Things that discourage people from using thier system just makes their life easier. Theres's no consequence to the department and it's not their problem.
https://archive.fo/ySBCY
Related article, where the IRS's use of face recognition was first discussed here: https://news.ycombinator.com/item?id=29996614
Dang the federal government is really trying on those “1984” clichés like a nice pair of well-worn blue jeans. Jesus Christ when will they ever stop?
Australian government uses voice recognition to identify callers for calls to Services Australia, is this the same kind of thing?
It is completely inappropriate for the government to force people to give up their privacy and share so much with a third party. And it is completely unethical for this company, Id.me, to pursue it. I already am able to use banks and other devices successfully without this service, and I used the IRS website fine as well. Why do this? It smells a lot like corruption.
ID.me gets paid via taxpayer funds. Each taxpayer can't line-item-veto the spend. Treasury has the budget to spend. Treasury gets to tell Congress 'security, good'.
The spend cycle can slow if we radically reduce federal spending/income. Move truly necessary services to the States.
That won't happen, so opt out. Structure your life to avoid qualifying as a person who files a return.
> Structure your life to avoid qualifying as a person who files a return
Say what?
> Move truly necessary services to the States
The way some states behave, this is exactly what I don't want for America
Slaves do as they are told or they get punished by their owners who own the fruits of the labor of the slaves. Free people have the right to choose. Are you free or a slave? No choice, no freedom.