login.gov is open source! They also encrypt user data in a way that they can't access it without the user's password, precluding the formation of a national registry that could be used towards nefarious and anti-democratic purposes. As a result, account recovery looks a lot like re-registration, which I think is a great thing.
It's built on Rails, and I'm really impressed at the engineering decisions that were made here, from choice of technologies to level of transparency. I wish all public sector projects could exhibit the same leadership and competence demonstrated for login.gov--the interface is even a pleasure to use, which is hard to say for most government online services outside of the UK and parts of Canada in my experience. Bravo!
I don't even think a HIPAA-covered entity could hold their data to the standard of zero-knowledge encryption... since, you know, they have to be able to use patient data.
They could authorize an agent to authorize provider usage. The agent could apply provider-specific policies, and potentially monitor record requests to try to identify fraud, waste, or abuse, and so forth. The patient regularly reviews a report of actions taken by the agent to adjust configuration or revoke authorization. Could be an interesting approach!
All of the access audit information exists, afaik, albeit in non-standardized form. Because the law distinguishes between wilful and inadvertent releases, and assesses penalties on the basis of count and type, covered entities darn well better be able to produce an audit trail when asked.
It also needs to be a system that is workable when you scrape an unconscious person off the street with no next-of-kin available. It's not possible to have the patient or their agent hold the sole key for data that is created before the patient/agent is first available. Really, the best you can do in that situation is exactly what HIPAA requires.
The agent should not be an individual; it should be a third-party service or organization (could even be governmental) which shouldn't have uptime concerns. The policy setup would be complex to do without expert assistance anyway.
I'd say the bigger issue isn't being allowed to use a third-party SSO, the issue is having the option to not use the third-party's SSO. We see enough horror stories about the impact of being locked out of a Google account.
Their 2FA was broken in a way that required me to delete my account, which is a pain as now I have to redo my resume for applying to federal jobs. I had an old account which worked fine but when trying to access it again it always said my 2FA code was incorrect.
Still I do prefer this to ID.me which I needed to use for CA unemployment.
Perhaps true user-friendliness is achieved not when the user can no longer have any bad experiences, but rather when the user's bad experiences are still superior to the alternative...?
How does encrypting user data preclude nefarious and anti-democratic purposes?
If disabling your login.gov account locks you out of your bank account, the ability to travel, your library account, your email account, your social media accounts, your school, your children's school, your mortgage, your ability to pay your rent and utilities, your ability to seek employment, vote...
When your life is consolidated to SSO, your life is controlled by those who control the SSO service. The fact that they encrypt your data doesn't change that reality.
> login.gov is open source! They also encrypt user data in a way that they can't access it without the user's password, precluding the formation of a national registry that could be used towards nefarious and anti-democratic purposes
The website is still full of Google trackers, so it looks like it's already handing some user data over to private for-profit 3rd parties. Not a great sign, but I guess we can be happy we're not being forced to give them face-scans, fingerprints, or DNA I guess.
> Do you expect the government to host their own analytics?
Yes. I do. There are alternatives to Google that work just fine (assuming they genuinely _need_ analytics in the first place). There's no reason using a government service should involve you handing data over to Google (or any private for-profit company).
> Do you expect the government to host their own analytics?
No analyzing your citizens' behavior on a government site (that you paid) should be done by private companies (to make money out of your data)...what a question....
It looks great, though afaik they still encrypt on the server side, which means they handle unencrypted data, so it seems to protect more against data leaks, rather than surveillance. To be honest, this is federal government and they already have most of the data anyway.
The major problem with login.gov from the IRS' perspective is that it doesn't provide identity verification which is absolutely needed. We will see how they work around that, but they still may have to outsource that to someone like id.me.
Meanwhile, I’ve spent over a month trying to get verified as myself via ID.me and their broken process that can’t handle Americans living abroad, with foreign secondary documents.
A typical round with customer service takes about a week, and then I was told that someone will be able to verify electric bills that aren’t in English, but then that turned out to be weeks ago and it’s yet to happen.
This is all merely to set the stage for being ELIGIBLE for a human to do a video conference verification with me, which they hopefully will deign to do.
A singular corporation (ID.me) holds every American’s ability to login to their government tax profile hostage, and we pay them for the pleasure of this rotten monopoly and abuse of public trust.
I just want to pay my taxes, sigh.
It should be as easy as any other bill or process.
Making taxpayers suffer more does not generate extra revenue for the state.
There is literally no call nor need for all this extra stressful nonsense making people sweat every April.
It’s actually counterproductive to fund raising for state activities.
Bureaucracy steals lives and health for wasteful ends that do not benefit the group.
The likelihood of reforming our deliberately and absurdly arcane tax system is about as high as large corps and oligarchs paying their fair share, nevertheless we should insist.
That said, I’m cautiously optimistic about this excellent announcement to reduce future people’s suffering.
I also gladly submitted biometric video scans and it still wasn’t good enough for ID.me
So, I wonder if I’ll still be trying to get verified by the time this new system rolls out…
Same here. I hate ID.me and their piece of crap system. Never managed to get it working after wasting so much time. Luckily, I don't _need it_, so at the end I just gave up and used different methods. Would hate it if I'm actually unemployed and had to use that terrible firm.
I'm an American abroad and I spent roughly 8 hours spread across 5 days getting access to my irs.gov account. And yes, I actually recorded time spent on this chore.
The worst part was not the facial recognition. It was the fact that I had an address outside of the USA and they would not recognize a non-USA utility company for address verification. This was stupid for two reasons. The first being the obvious requirement that a non-resident have a contract with a utility company in the USA, and the second being that the IRS has been mailing me at my non-USA address for years. The IRS already had my address, but I had to verify it with ID.me.
The other worst part was they never told me WHY my various utility bills and bank statements were being rejected. At one point they told me I had to translate a bank statement, and that was the most feedback I ever got. But then I translated it and they rejected it for an unknown reason.
I eventually got my registration through them by getting a USA bank to recognize my foreign address. Luckily I also had an old W-2 laying around from years ago when I briefly worked in the states. Do they expect my current employer to give me a W-2?
Finally, on their stupid video call I was told I needed to have all of this documentation, which I dutifully prepared, and then all the person cared about was me holding my passport up to the camera.
Completely broken process for Americans abroad. To the point where they're likely breaking some US law by making it so difficult for non-residents to register for IRS access.
I hated it and I hope ID.me dies in a pit of bankruptcy.
It's not a good choice. The Canadian government still doesn't understand the internet. There should be no obligatory private intermediaries between a citizen and the government no matter online or offline.
It should provide an online identity service, just like it already provides offline government-issued IDs (e.g. passports) without involving banks or other private institutions.
> You can also create a stand-alone account with the CRA if you wish.
You can't reuse the CRA login with all other government services. I'm talking about a single identity provider accepted by any government service, like a driver's license or a health card.
And rather controversially require face recognition for login. Good idea in that having another secret only really you should own is good, poor execution in allowing a third party to collect and probably sell something so very personal. I'm glad they backed off.
This is a good move. While it does consolidate logins to one single location that a bad actor can attack, the time and effort put into securing it is much better used as a pool and covered by a single entity than having each individual department (and often times teams within a department) creating and maintaining their own login methods.
Good. There was something absurd about having to accept id.me's terms-of-service, which involved "deals, discounts, cash back rebates and employment and educational opportunities", to access government services online.
If you use Customs and Border Patrol's trusted traveler programs (or some other gov sites), you may already have a login.gov account since that is what they have been using for a few years now.
I just wonder what kind of extra hoops we'll have to go through to use an existing login.gov account with the IRS. I read in some article somewhere that the IRS didn't use login.gov because it isn't "as verified" or some kind of thing as the IRS needs.
Yet the reason I have a login.gov account is for my NEXUS enrollment which means I've been fingerprinted, background checked, had my passport number linked, and been interviewed in person by two different governments. That seems pretty identity verified to me.
If I have to go through some other step, especially if it involves yet another biometric or interview check, that's going to be annoying.
Yes, same here... background checked by two countries! Not to mention iris scanned, and they even passports from two countries for me. Hopefully it's not too onerous, like you said... they can be pretty damned sure who we are at this point.
Those steps were a prerequisite to get your NEXUS enrollment -- not to get a login.gov account.
The only thing you have to do to enroll in login.gov is verify your email address.
An optional feature of login.gov is to verify your identity further by uploading a photo of a state ID, and entering your SSN and phone number. When you validated your identity in person with CBP, this was not that.
> When you validated your identity in person with CBP, this was not that.
This isn't snarking at you directly, just all I'm really hearing is that the government will happily mix whatever it knows about me for its own purposes but when it comes to making things easier for me (wherein they've literally seen me in person and looked over a stack of my identifying documents), no way that's "violating my privacy."
If we are going to have an all-seeing panopticon can't it at least be convenient?
The premise of that sentiment is simply not true. There is no all-seeing panopticon. The government in the US is quite siloed. The federal government is pretty dang siloed itself, and the US is potentially the most siloed government on the planet if we also consider state and local governments.
IRS was trying to remotely validate you to an IAL2 level.
I believe that although you are validated to a higher level with a trusted traveller program, they cannot or have not been able to share that validation with IRS directly.
I think the IRS must already have a pretty good relationship with CBP. A few years ago, the IRS sent me a letter claiming I owed them a large quantity of money. It was a mistake, because my idiot broker messed up the paperwork. (Schwab equity awards. What a disaster.) At about the same time, I applied to renew Global Entry. Nothing happened on the Global Entry application for months, as I worked with a tax expert to correct my tax return. Several months later, I got mail from the IRS saying the case was resolved (they owed me $70, it turned out), and the same day my new Global Entry card arrived.
Maybe it's a coincidence but it seems like the two agencies work together. They also apparently withhold government services if they think you owe them money. Not sure if I think that's amazing, or petty. Leaning towards amazing though.
TreasuryDirect, the site that has case-insensitive passwords, disallows password managers, disallows the use of your actual keyboard to enter your password, and has this dumb on-screen keyboard with tiny keys that ultimately accomplishes nothing? Super trash.
It still amuses me how few people, even those who claim security expertise, don't understand that commercial malware is able to hook the driver stack (and/or browser's network stack) and intercept pre-encrypted HTTPS traffic.
Hooking traffic rather than keystrokes is preferred because in order to resell that stolen data the data needs CONTEXT. A stream of keys is difficult to interpret into anything meaningful at scale, whereas "HTTPS POST Request to URI [xyz] with fields [X & Y] with values [J & W]" is very monetizable.
What I am saying is TreasuryDirect's on-screen keyboard "security" stuff is complete nonsense, it has no technical merit at all. None. Worse still it also hurts users of accessible technologies, touch-screens, or users using password managers (essentially promoting password re-use, a common problem).
The TreasuryDirect site makes me want to give the authority to the USDS/18F to proactively come in and say we're taking over your public facing website infrastructure to any executive branch agency. There's no excuse for something to look and behave like it hasn't been touched since 1996.
It’s been touched since then. Back in those days, their “MFA” was a wallet card that you had to match up for a code. It was like the old copy protection schemes used for games like Sim City.
Not that this should be necessary by any means but I usually right click the password input -> inspect element -> paste my password in the value from my password manager. The on screen keyboard is so ridiculous.
On top of everything you mentioned, TreasuryDirect also has an insanely aggravating issue where if you click a navigation button twice (e.g. clicking next again reflexively before the next page has fully loaded), it displays an error about invalid navigation and forces you to log in again and start from the beginning.
Even something as simple as disabling navigation links/buttons after being clicked before the next page load would mostly solve this and save hours of frustration having to re-login through their god awful signin flow every time.
I'm glad they are adopting it. Login.gov was always kind of funny, like here use this to login to all US govt resources...except for this service, and this service, and all these services...
The VA still uses ID.me - so most veterans have an account anyway (I needed one to get a certificate of eligibility for a VA home loan). I had to add an authorization for the IRS on my ID.me to stop the child credit advance checks from coming last year (that should have never been an opt-out). I also had a few other govt systems I needed to access when I was a defense worker that used it.
So hopefully other agencies will move away from ID.me as well.
If you check the previous stories tagged by ID.me (https://www.fedscoop.com/tag/id-me/), you'll see some awesome articles sponsored by the same about how Arizona has already saved $40 Billion and how this is great against cyber risk.
Sponsored News needs a much more prominent badge. #bringbacktheblinktag
The "FedRamp" contract overhaul pretty much locks in the requirements and specifications to these above implementations.
I have designed an API that revolves around and side-steps this that currently serves 60 million US civilians...but in the end, the security assessment pretty much comes down to the Privacy Acts interpretations and the common sense security landscape.
Someone said it best upthread: the incentives are different.
If you are a leader in the bureaucracy, your incentive is to not personally fail, which is not the same as to succeed.
There is an army of auditors waiting to question every decision, so the obvious way to avoid that is to not make any. Balancing the need to do something without deciding anything is an art of sorts.
Also, to be clear, those incentives aren't coming from within the bureaucracy. For example, let's say that a program tries to do something and it totally doesn't work. A news story about this will be roughly the same if $10,000 is spent as if $100,000 is spent as if $1,000,000 is spent.
That creates an incentive never to label anything a failure and just keep pumping good money after bad - that's how to avoid the negative article.
I spent a couple of years with the USDS (https://usds.gov/). USDS, along with 18F, are largely responsible for login.gov, as well as a lot of other really great projects. Overall fantastic experience if you're open to an adventure!
I could probably spend a week telling war stories, but the main takeaway is that you can't look at government as just another sector waiting to be brought up to speed. Government is an entire industry unto itself, with incentives that seem fully alien to anyone from the private sector. Money doesn't flow according to the laws of capitalist physics, but by byzantine congressional allocation. Understanding how things actually get done requires a ton of time, networking, study, and empathy.
Career government techies are extremely risk averse (for a lot of very good reasons). If you want to make an impact, it helps to be able to take on a lot of the risk that nobody else wants to. For me, that meant promoting open-source alternatives to various entrenched products (cough, MS Access, cough) and accepting all the blame if the higher-ups don't like it. For this reason, it helps not to look at this as a career.
Going up against the entrenched interests can be frustratingly hard. It feels like everything is subtly working against you. Or, not so subtly- On more than one occasion I had teammates get singled out by the federal IT press. Somehow I managed to stay anonymous, but the threat was there. Fortunately, I felt a strong sense of support from my bosses, as well as a lot of righteous fury from seeing so many failed, hundred million dollar projects that could have just been a simple web app.
Granted, it's been about five years since I was in government. I would be curious to know if things are different nowadays :)
That's the one I had to use to sign up for GlobalEntry and TSA Precheck. Highly recommend if you travel a lot ... or plan to again at some point given the current state of affairs.
Why did they ever go with ID.me when they have their own comparable solution?
I’ve used both and both are solid, one is expensive and externally managed though..
Login.gov absolutely cares about your identity. Case in point: login.gov will share your SSN to the provider (irs.gov in this case), if appropriate permissions are requested.
Last time I tried to do something at the IRS website, I had to turn on my camera and have my face compared to the face they have on file to proceed. I don't think login.gov has that level of verification. Whether the IRS needs that level of verification is another question.
That's ID.me, and login.gov works differently, but it does absolutely care about identity, they have multiple levels of identity permissions, one of them is, this person has a login.gov account. One of them includes an SSN #.
When does it ask for your identity? I just signed up and all it needed was my email, password, and my token. It doesn’t know who I am though. It didn’t even ask for my name.
I'm a foreigner (yes, I know, sorry, sorry) who is a "US Person" and thus needs to (and, to be perfectly clear, is happy to, I'm sorry, I'm not-sorry, I'm sorry about being not-sorry?) pay US income tax.
The IRS system is, by far, the worst I've ever had to deal with, and in this I'm comparing the US to countries like Rwanda, where, for some weird reason, I'm also required to pay taxes.
Getting an ITIN (sort-of like a SSN, except you're not supposed to use it like that, otherwise they will send Ted Cruz after you...) is an absolute pain, mostly because you can only request it by phone, and literally nobody you talk to is able to spell your name right, DESPITE you repeating it endlessly in just about any spelling alphabet possible.
So, you now have a dozen-or-so ITINs (again, like SSNs), all in different names, none of them yours. So, you file your taxes using the ITIN in the name that is closest to yours, and specify this on your tax forms.
You send in your forms, and your check, which is cashed immediately. Repeat the next year, and so on.
Now, after FOURTEEN years or so, you get sent a letter, informing you of a tax audit, and demanding you are physically present in Austin, Texas, two weeks from the postmark of the letter (never mind it reached you three months after that, and never mind you're located in Europe, which at that time was denied access to the US due to COVID-19).
So, you get a lawyer, which costs close to US$ 8000. The lawyer contacts the IRS, which continues to insist on an in-person interview in the past.
So, now you're out US$ 8000, and can never travel to the US again.
But, yeah, lovely that they now allow additional login tools...
The byzantine rules exist to create deductions and loopholes for different interest groups. Raising the standard deduction was actually a good move, as it simplified my tax filing for sure (I don't bother to itemize now) -- but I imagine the tax preparation industry (amongst others) was not pleased.
I mean, I'm happy to pay my US taxes. Heck, I'm even happy to pay someone to pay my US taxes. But... neither of those options seem to work?
I mean, just to go back to Rwanda: it's an east-African country that is pretty much a dictatorship and had a real-life genocide less than 20 years ago.
Yet, in Rwanda, I can just use my native cell phone number as my tax identifier, pay then what I need to pay, and be done with it.
In the US, I am probably known under a dozen ITINs, and literally none of that is my fault: it's just that the IRS agents that created those ITINs were unaware of, like, any spelling alphabet ever. Even ITINs created using a fax (that's a TIFF-over-POTS, for you millennials) got completely misspelled.
And now I'm supposed to spend tens of thousands of dollars to prove I've paid my taxes?
OK, now I know the answer to my initial question...
There are some groups who oppose effectively all taxes and seek to make paying tax as hard as possible so that other people will agree with them that taxes are a pain. For example see Americans for Tax Reform working to torpedo California’s push to simplify state taxes a few years back.
You also have corporate interests that profit from convoluted tax filing and lobby the government to keep it confusing so individuals continue to use their products.
OK, I understand that some/many Americans dislike paying taxes. I do not exactly like it either.
But, it seems like a particular US infliction to make paying taxes as hard as possible? Plus, they sanction you in extreme ways if you don't manage to jump through all the hoops?
I pay taxes in many jurisdictions. Here is my experience: Netherlands (my home country): the tax authorities send me a proposal about payable taxes. This includes income from my business, my partner's job, our common investments, and some investments/business interests that are exclusive to me. I correct whatever is required (with the deadline being April 1st), and I'll get my final settlement sometime in June/July.
Germany/France: I provide the tax authorities with my Dutch tax identification number, and they confirm they're fine with that in 3-4 months time. Rwanda, Nigeria and Zimbabwe: I also provide my native tax details (sometimes using my mobile number, sometimes using my NL 'SSN'), and they're fine with that, sometimes after billing me a small percentage over some income.
US: I honestly have no idea where I stand. The IRS refuses to talk to me, yet summons me to physical meetings in the past that I cannot legally attend. I have hired several attorneys, none of which seem to be able to help.
I probably owe several HUNDREDS of dollars in US tax. I've not visited the US since 2004, and have not done any business there since 2002.
Yet... I'm apparently a much-wanted tax fugitive in the US. Does that count on a FAANG-inbound resume?
Is it possible to sue for conspiring to make life purposely difficult? For example if I interfere with someone's lawful use / enjoyment of their property it is a low level criminal offence. Should not that be the same for making / conspiring to make life difficult for the purpose of extorting money?
At this point the IRS is completely confusing as to understanding whether they've received things. I've seen a non-profit where the IRS was sending them a request for what the letter said was an unfiled annual return, while at the same time, the IRS had the processed annual return they were requesting publicly available on their own website. This is without identifying number confusion. I can't imagine what it would be like with that.
I have to assume that they have some serious database problems that they are completely unable to handle, likely because of staffing and budget cuts that appear to have been intended to cripple them.
It actually is, too. There are two large, influential groups of stakeholders who purposefully lobby for a painful user experience.
The first, of course, is the tax-prep industry (e.g. Intuit/TurboTax and H&R Block). They make more money when people get fed up with bullshit and pay someone else to deal with it.
The second is the anti-tax activists. If taxes exist, they want the process of taxation to be painful. Not just in terms of the dollar amount. They want people to have an active and visceral reaction to taxes. As such, they lobby against anything streamlining taxes and push for the process to be as high-friction and frustrating as possible.
I used TurboTax for the first time recently so I could file taxes to get my ACP discount for cheap Internet for poor people. I needed to file a $0 tax return, but where I received stimulus payments. Their system just got stuck in a horrible loop because I was in some weird edge case. Their first "expert" was terribly rude to me. Luckily the second guy was super nice and we hacked away at the UI until we found a way out. tl;dr: TurboTax is as clunky as the IRS
Ah yes. Good to know that it’s not just the TSA I should dislike. I’m reminded of the line Logan Roy uses on Succession, something along the lines of “when I arrived in America there was nothing these people couldn’t do. Now they’ve pissed it all away”. Feels like it’ll be hard to see the US continue to be a major player unless it can get out of its own way at some point.
Can you name some countries you think are "major players" if the US isn't or won't be?
> it’s not just the TSA I should dislike.
You should try interacting with Australian or Canadian border forces if you want to see a true organization you should dislike. Hard to see Australia or Canada being even minor players if they can't deal with that dysfunction.
I was a US person with an ITIN and have become a naturalized citizen. ITINs are very different to SSN. Honestly I've found the USA very easy to deal with compared to the UK, France or South Africa where I've lived.
The challenge with an ITIN is it blurs into immigration, visa status, whether you are violating visa terms, whether your ITIN - which you can get on a tourist visa - is an indication that you're trying to build a life here when you're just supposed to be a tourist, and so on. That doesn't even get into property ownership, or being a director or shareholder in a US corporation with an ITIN and various visa types.
> Honestly I've found the USA very easy to deal with compared to the UK, France or South Africa where I've lived.
???
France as a foreigner:
You arrive in the country, your employer already declares all taxes for you. While you may not have a tax ID to log in to impots.gouv.fr yet, everything is already registered in your name (because you gave either your SSN, or your visa number, or anything else). You send a letter to ask for a username/password to use to log in on the website, which arrives about two weeks later.
Your taxes are collected monthly, and at the end of the year you pay the leftover/get paid what you overpaid. You can tell the state at any point how much you think you will earn, and it gets reevaluated. Your yearly tax filing is prefilled, and there's no need for any software.
As an employer, the URSSAF website is, while hell to navigate, very clear in how much you owe. Give out your SIRET/SIREN, your tax report, and your taxes are done.
To be fair, there are some small hurdles - you get issued a temporary SSN quickly, but it might take some time and documents (like an original of your birth certificate less than 6 months old in French, or translated in France by an authorised translator which is a retarded thing to ask for and for which I've had to explain many obvious things to many French officials - they simply do not have the right to ask for that, any EU country's translation is acceptable by law), but it's fine. You don't even need the regular SSN for taxes or healthcare, actually.
Ah yes, the birth certificate thing is... impressive. Especially when it's being asked for someone coming from a country where you simply cannot update your birth certificate. France and inflexibility, especially in small mayor's offices are just standard.
And yeah, the SSN isn't necessary. It is however usable for SSO through ameli.fr, for your taxes and many other services.
Sorry, I'm not blurring my ITIN with immigration status or whatever. I have not visited the US since 2004, I have no desire to return, and I have not done any business there since 2002.
I just want an ITIN that is, like, actually in my name. Plus the IRS to agree that I do not owe any taxes in the 20-or-so ITINs that they have issued in various misspelled variations of my name.
But yeah, to get any clarity, I apparently need to go to Austin, Texas, in 2020.
And time machines are "easy to deal with", apparently?
Thanks for the passive-aggressive accusation there!
So, what more is there, exactly, to my story? My name is pretty simple, but, like many European names, has 3 parts, as well as some 'unexpected' letter combinations.
As far as I know, you can only request an ITIN by phone. Possibly, this can also be done online now, but that wasn't the case in the 1999-2009 period that I'm talking about here.
Also, the person that answers the phone... how do I say this? Is not exactly fluent in English... Or Spanish (which I can at least spell my name in as well)... Or any human language?
So, you get a new ITIN, with a random ASCII string as a name. And, to file a valid tax form, your ITIN needs to match your name... Which you provide in a PDF.
See where the problem lies here? You want me to upload a few scans of US government letters/forms with my actual name horribly misspelt? You want to see my attorney invoices? Certified PDFs only, I assume?
What, exactly, is the burden of proof you place upon me here?
As someone who uses his middle name, I've experienced only the tiniest bit of what you've gone through, but I can imagine your annoyance.
It's amazing how massive systems often have no viable process for "As an end user, some of the data in the system is incorrect, and I would like to get it corrected."
Once it's in the system via the setup process, it's there. And most people down the line working with it don't even know what system it's originally coming from.
Edit: F.ex. if someone lied about their age when getting their Social Security # (this before issue-at-birth, so it had to be applied for in person), so as to be considered old enough to work, and then decades later wanted to set the record straight to avoid collecting benefits at too young an actual age, they would probably be told by a Social Security employee that doing so was more trouble than it was worth. ... Hypothetically speaking.
The fundamental issue here is that there is no meaningful voice of expats in the US, so any attempt to fight a system which wants your money, no matter where you are and make them, in the world, is prone to failure. The only real option is to renounce citizenship.
The main issue is if it's required. Not so worried about myself - I'm a veteran which means my fingerprints and DNA are already on file with the feds somewhere :), but US Citizens with no particular connection to the federal government absolutely shouldn't have to need a "National ID."
And yet, everyone suffers because of it. We have endless SSN breaches because at the end of the day, having a unique ID for people is really valuable! We could have something way safer, but we get stuck with the status quo which satisfies no one.
I'd be perfectly fine with that. My ideal scenario would essentially be a national ID that's also a smart card with u2f/federation. I realize there's a ton of details with accessibility but like, we have the technology.
There are ways to solve that problem whilst still protecting privacy, but there's no benefit in that for the ruling class. Once the infrastructure is in place, we all know governments would eventually use it to track all sorts of additional information/activity about us.
> use it to track all sorts of additional information/activity about us.
They already do!
There are so many quasi-national tracking and gov approved monopolies that they already get what they need.
Everywhere is tracked with license plate scanners, so you can't go anywhere.
Everyone realistically uses VISA or Mastercard, so you can't buy anything. If you don't you're still probably banked and connected to credit agencies, so you can still be tracked. Good luck getting cash without the gov knowing. Just look at the IRS data.
You register with the gov to drive, so you're IDed already by someone.
NSA et al. track god knows what about you across the internet and abroad, and where they don't go some ad network goes.
I think the only thing that we don't track is guns... and that's probably something we should track.
It's strange how all this stuff worked when the records were on paper and plenty of people had been born at home and rarely recorded. A world of endless danger which satisfied no one.
We already need it. That's just the modern economy/world. So we get shitty ad-hoc solutions with bad security that waste tons of time and money, instead of a good one, because people are afraid of the good one. Not having a solution isn't an option.
> US Citizens with no particular connection to the federal government absolutely shouldn't have to need a "National ID."
Hard disagree. If you live in the US you have a connection to the federal government. I'm not saying everyone should have fingerprints or DNA on file but a national ID is something I'm fully behind. The shit show that is social security numbers, KYC, and other ways to identify a person are such a pain and for literally no good reason that I can see.
We are so weird about this. We already have national "identifier" - the social security number. Pretty much everyone must use it because of both social security and taxes, but also due to private use cases. We should just admit this is the case and manage it better. The man-in-woods scenarios where one can opt-out are just not very realistic.
Now as a matter of authentication - verifying the identifier, we have left this up to the states in the past, with opt-in federal IDs for various purposes. Though with RealID this is being standardized. Login.gov is a way to have a digital equivalent.
> the federal government absolutely shouldn't have to need a "National ID."
But every state has an ID system, and they're all known to each other, and tied to your SSN which is a national id number. We already essentially have all the parts, just messier.
> my fingerprints and DNA are already on file with the feds somewhere
Same. Probably same for lots of people.
> US Citizens with no particular connection to the federal government
One of the big issues with instituting an income tax is it changed the relationship of every citizen with the government. Other than the postal service, the average citizen almost never dealt with the federal government directly. Now, everyone knows and despises/fears the IRS.
Who cares? That's not the world any significant group of persons has ever lived in?
We first got an income tax during the civil war, and the 16th amendment before the 1920s. That's the relationship we've had with the government. How many people alive "almost never dealt with the federal government directly" at any point in their life?
Everyone is already issued a social security number. I'm not sure how a more modern, cryptographically secure version would be any more concerning in this regard.
Why would anyone want superfluous data stored by their government? What purpose does it have?
In my mind, governments are like companies; both are comprised of people making decisions which may or may not align with my personal interests. I want a GDPR for the government.
The top entry for the list of cumulative non-disease or old age causes of death in the 20th century is "murdered by own government". Anything we can do to help prevent that is a good thing.
Interesting that you limit this claim to the century that saw two world wars and the largest ethnic extermination program in history. ID systems back then weren't any more thorough than the SSN every American is required to have and use for a litany of purposes today.
I do not really see how replacing your SSN with a public/private key pair that you use to cryptographically sign tax returns, loan applications, or election ballots would make a repeat of World War II any more or less likely; I just see it making identity theft a lot harder. Any government that decides it has the will and power to start a genocide isn't going to be stopped by antiquated blue paper cards.
"ID systems back then weren't any more thorough than the SSN every American is required to have and use for a litany of purposes today" would imply that a more formal way to record IDs, namely a centralized database of personal information would be an even more efficient way for a government to top the largest ethnic extermination program in history.
And before you say "but that can never happen!", stop for a second and rethink that. It has happened many, many times in human history, and it will absolutely happen again somewhere unless we do our best to confound it.
"a centralized database of personal information" already exists. That ship sailed a long time ago. The government issued your birth certificate and social security number. I'm advocating that we upgrade this with some semblance of security in mind, rather than continue to rely on an antiquated solution that was designed nearly a decade before the first electronic computer was turned on.
Unless you want to argue that the lack of security is a feature, and that rampant identity theft is somehow stopping the US government from perpetrating the next holocaust.
When it comes down to it the US has a fear driven culture, down to what essentially becomes paranoia.
US violent crime statistics are at near all-time lows. Yet I know many, many people that will not leave their house without at least one firearm. This is in small towns that haven't seen a violent crime justifying the use of deadly force in many years. Many of these same people refuse to "live in fear" of the coronavirus yet they live essentially petrified of violent crime to the point of carrying a deadly weapon for self-defense on their person at all times (not to mention the likely hundreds-thousands of rounds of ammunition and small arsenal they keep at home).
We're terrified of a national ID "because big brother" yet almost no one cared or batted an eye at the Snowden revelations "because terrorism". 9/11 was 20 years ago and killed 3,000 people. Tragedy for sure but never before in human history has the trajectory and cultural makeup of a country (let alone a superpower) been so drastically altered by what is essentially a rounding error in terms of deaths in two decades. If warrantlessly surveilling an entire population isn't big government/brother I don't know what is.
The ATF isn't allowed to have a searchable database because "the government is going to take away our guns" yet your entire life is accessible to the NSA.
> yet they live essentially petrified of violent crime to the point of carrying a deadly weapon for self-defense on their person at all times
That's an odd way of stating it. They're concerned, so they're arming themselves.. but continuing on with their lives. Sounds like the opposite of "petrified" to me.
What's odd about saying it's completely innumerate to carry a gun on your person at all times?
And don't for one second pretend Americans are "continuing on with their lives", what a joke; gun culture is huge in the US, people are absolutely obsessed with the things.
Hardly a more obvious "not over it" situation exists than Americans and their guns.
They won't go places (businesses, cities, etc) that don't allow guns. They routinely talk about and consider scenarios when, where, and how they'd fire on someone. They select clothes based on what will conceal a firearm (or select the daily firearm make/model based on what can be concealed with their clothing that day).
It's clearly a major driving force in their lives. Perhaps petrified wasn't the best use of words. I'll suggest terrified as an alternative but the actual reality is all the same.
I've been kidnapped and robbed at gunpoint in the US. I'm pretty sure if I had a firearm that situation would have been worse. I would have either gotten myself killed or suffered the trauma of killing someone and watching them die. This isn't a movie where you go bang and the bad guy cleanly falls to the ground. Death by firearm is brutal and changes you forever (as my ex-military friends will tell you). Life isn't Hollywood and anyone who thinks their life will be the same and just fine after using that weapon is either a bona fide psychopath or delusional.
I also can't imagine waking up everyday and strapping a gun to myself just to leave the house. I'd consider that fear winning and an event that I've long since gotten over continuing to have an outsized amount of control and power over me. I got out of my traumatic event losing an iPhone and $100. After a few months of initial PTSD my life hasn't changed one bit. I won.
I am not going to debate generic gun carry but I completely support being able to own and carry guns / rifles in the wilderness for example. It is pathetic when for example in Canada a bear attacks a construction crew, pulls a woman and kills her, and the others are not able to protect her since they were not allowed to carry.
Absolutely agree - I have no intention of debating guns generally (ownership or carry). I own guns, always have, and had a concealed carry permit for many years. However in my case the permit was more for practical reasons - I lived in an apartment and there are some weird grey areas with guns in "common areas" otherwise. I think I actually "concealed carried" a few times and was generally uncomfortable and put-off by it (personally).
I'm more speaking to the motivation behind absolute, 100% carry everyday. It's completely emotional, fear driven, and not in any way supported/justified by the data.
They're nominally "not ok" with it, unless it's couched in some piece of legislation like the PATRIOT Act or snuck into a Defense Authorization Act, particularly after a national tragedy happens. Then a lot (a majority?) of Americans will suddenly be ok with the "if you got nothing to hide you got nothing to fear" mantra.
I'm actually not a huge fan when people act like Americans are a bunch of flag-waving morons, because I think that people who say that are often being extremely reductive to a borderline-offensive level [1], but in this case I do think Americans are uniquely ok with pretending their rights don't exist when they're convinced it's for a greater good.
> "if you got nothing to hide you got nothing to fear" mantra.
I know people like this and it's not a good mantra to follow. I have to remind them that all that needs to happen is to have political winds go the other direction and soon something they do regularly becomes illegal or suspicious. So dumb to give up privacy for safety.
That's always been my perspective. I'm going to take the radical position that not everyone in the government can be trusted, so we have to assume that there are bad actors who are going to abuse their power and use the questionably-obtained information to their advantage.
I'm not a fan of that, and the only way I can think of to avoid this being an issue is for them not to have the information in the first place.
Well I consider for example requirement to carry ID in France as the schizophrenia or worse from the government side. Brings out the worst associations
In the United States you are pretty much required to give your name to police if they ask for it. They will run that name and if it doesn't check out, match the picture on their computer, etc you will be arrested for providing a false name. In many states they can also demand you present photo identification and skip all of that.
Practically speaking the United States has been a "papers please" country for a long time.
What we're talking about here is a standardized, national ID. It's currently a weird patchwork of driver's licenses, identification cards, etc - each of which are slightly different variants issued by each of the states. So we don't have a standardized national ID. We have at least 50 of them, all with different formats, different issuing criteria, different validity, etc. We've tried to have some bare minimum standards for years (REAL ID act) but the mandatory compliance date for that keeps getting pushed (currently next year).
> "In the United States you are pretty much required to give your name to police if they ask for it. They will run that name and if it doesn't check out, match the picture on their computer, etc you will be arrested for providing a false name. In many states they can also demand you present photo identification and skip all of that."
"Stop and identify" statutes are laws in several U.S. states that authorize police to lawfully order people whom they reasonably suspect of a crime to state their name. If there is not reasonable suspicion that a crime has been committed, is being committed, or is about to be committed, an individual is not required to provide identification, even in these states.
I've had to identify myself for flipping off a cop (unmarked car) who honked his horn at me because he didn't like me exercising my freedom of movement. This power gets abused all the time.
I know you're just sharing your anecdote, but the vast majority (over 80%) of Americans live in urban areas. Many cities do in fact see violent crime. Although I don't own a firearm myself, I totally understand why someone else would want one in my neighborhood. Violent crime is not unusual where I live.
Don't let your bubble from small town USA distort your view of the entire country.
It's disingenuous as hell to clump "cities" together, as if going to Anacostia in DC is the same as going to Georgetown.
If you live in a city and carry a gun, you're not protecting yourself, you're escalating the violence.
Getting robbed is exceedingly rare anywhere in the US, and trying to stop a robbery with a gun is among the stupidest things a person can do.
Further, robbing someone doesn't mean you should die, and killing someone over property is evil beyond comprehension. No society should support it, and very few do (nearly nowhere in the US, for example).
> It's disingenuous as hell to clump "cities" together, as if going to Anacostia in DC is the same as going to Georgetown.
I don't understand what you're arguing. Cities unequivocally see more crime than rural areas, even in nicer areas within a city (which may only be 1 mile from the "bad parts").
> Getting robbed is exceedingly rare anywhere in the US, and trying to stop a robbery with a gun is among the stupidest things a person can do.
> Further, robbing someone doesn't mean you should die, and killing someone over property is evil beyond comprehension. No society should support it, and very few do (nearly nowhere in the US, for example).
1. Not everywhere is the same. Just because you feel comfortable in your bubble doesn't mean that owning a firearm is a ridiculous proposition for all. In my past 10 years of living in Atlanta, I've witnessed or been a victim of enough crime to fully understand why some folks here choose to own a gun.
2. The second part is totally ridiculous. Nobody is arguing that all thieves should die.
Where are they arguing that? We’ve moved far away from OP. The original point that Americans “live in fear” is what I object to.
You’ve turned the conversation into something else entirely. You think the entire country of 350M lives in fear? Seriously? I get that HN loves to shit on Americans but what exactly is your point here?
My first comment says “many cities see crime” somehow that became “all cities see crime everywhere” in your mind.
I'm American, and I firmly believe that anyone who carries a gun in their daily life is living in abject and completely irrational fear based on a fundamental, tragic innumeracy.
And if you think me saying "And no, “cities“ are not one solid, unbroken group" means “all cities see crime everywhere”, you've gotten yourself very lost, friend.
Exactly. In my age range (25-44) I'm more likely to die by heart disease (9.8%), cancer (10%), suicide (11%, most by firearm), and unintentional injury (34.2%) (plus "other" at 20%). Homicide is the cause of 6.2% of deaths in my age range and in the highest percentage of the population (10-24) it's still outpaced by suicide and unintentional injury. After age 45 homicide isn't even in the top 10.
Paradoxically, I don't have a single friend in Chicago, Denver, Miami, Los Angeles, etc that carries a gun. These cities run the spectrum of gun laws and all have higher crime rates than a small town yet fear of violent crime runs higher in communities where it's non-existent.
This is anecdotal but statistics back it up. Most gun ownership is rural, personal protection is often cited as the primary factor, most gun ownership is handguns (i.e. not hunting), and white males (small town friends) love guns and carry everyday.
> My bubble extends well beyond "small town USA".
> Paradoxically, I don't have a single friend in Chicago, Denver, Miami, Los Angeles, etc that carries a gun.
And yet, I know people in each of those cities that own firearms.
> This is anecdotal but statistics back it up. Most gun ownership is rural...
The study you cited doesn't support that claim. What the study says is "Among those who live in rural areas, 46% say they are gun owners, compared with 28% of those who live in the suburbs and 19% in urban areas."
This means <10% of the population is a rural gun owner. Your study also states "When it comes to hunting, however, rural gun owners are far more likely than their urban or suburban counterparts to say it is as an important reason they own a gun; 48% of gun owners in rural areas say this." Also note the study says 30% of rural firearm owners do so for sport shooting, 15% as part of a collection, and 8% as a requirement for their job.
Less than half of rural gun owners do so solely for protection. All in all, <4% of the US population owns a gun in a rural area solely for protection. That's a pretty far cry from your original claim that Americans live in a culture of fear.
Especially when we already have social security numbers, which are used for nefarious purposes by non-government entities all the time. And if you're over ~25, odds are your SSN is out in the wild thanks to Equifax.
Replacing SSNs with an alternative built on public-key cryptography seems like the best way forward. I do not understand the opposition to this. Having citizens sign their tax returns, loan applications, etc. with their private key instead of just writing their SSN on it would eliminate most SSN-related identity theft and fraud.
I have a healthy (hopefully) paranoia about the government in general. Recently found out my SSN and other info was leaked to the dark web™ (not shocked). One of the steps to rectify it is to sign up with Login.gov. I'm actually glad this thing exists, it's perfect timing for myself.
Please don't post snarky nationalistic flamebait to HN, regardless of which country or people you have a problem with. It's against the site guidelines because it leads to tedious, nasty flamewars, which we don't want here.
login.gov is open source! They also encrypt user data in a way that they can't access it without the user's password, precluding the formation of a national registry that could be used towards nefarious and anti-democratic purposes. As a result, account recovery looks a lot like re-registration, which I think is a great thing.
https://github.com/18F/identity-idp
It's built on Rails, and I'm really impressed at the engineering decisions that were made here, from choice of technologies to level of transparency. I wish all public sector projects could exhibit the same leadership and competence demonstrated for login.gov--the interface is even a pleasure to use, which is hard to say for most government online services outside of the UK and parts of Canada in my experience. Bravo!
> They also encrypt user data in a way that they can't access it without the user's password
I love how low our standards for government sites have gotten where this is seen as a plus and not something that's expected
Isn't the US corporate standard even lower? Outside of maybe Google, Facebook, or HIPAA-covered entities.
Corporate customer databases I've seen have rarely even been need-to-know access limited, much less actually encrypted to internal users.
I don't even think a HIPAA-covered entity could hold their data to the standard of zero-knowledge encryption... since, you know, they have to be able to use patient data.
In theory they could, but I doubt most patients want to have to remotely authorize their provider any time someone wants to access their record.
They could authorize an agent to authorize provider usage. The agent could apply provider-specific policies, and potentially monitor record requests to try to identify fraud, waste, or abuse, and so forth. The patient regularly reviews a report of actions taken by the agent to adjust configuration or revoke authorization. Could be an interesting approach!
All of the access audit information exists, afaik, albeit in non-standardized form. Because the law distinguishes between wilful and inadvertent releases, and assesses penalties on the basis of count and type, covered entities darn well better be able to produce an audit trail when asked.
It also needs to be a system that is workable when you scrape an unconscious person off the street with no next-of-kin available. It's not possible to have the patient or their agent hold the sole key for data that is created before the patient/agent is first available. Really, the best you can do in that situation is exactly what HIPAA requires.
Good point, implied consent does make such a system unworkable.
Agent should not be an individual; it should be a third-party service or organization (could even be governmental) which shouldn't have uptime concerns. The policy setup would be complex to do without expert assistance anyway.
Maybe so, but that's a different thing than the zero-knowledge encryption that this branch of the comment thread was originally about.
Agent only handles the policy and access, they don't have access to the data itself. It is still zero knowledge?
In a healthcare context, the patient often may not physically be able to.
Absolutely. People do what they need, no more.
It’s getting better as people shift to cloud and inherit better controls, or implement better controls for cost avoidance reasons.
My country lets me use Google's SSO (arguably should probably also support Apple and have better 2FA options) - why wouldn't yours?
If someone wants to use facial recognition - why not? If someone wants to use insecure username/password and risk a compromise - let them do it.
FWIW big tech has probably 99.99% of people's faces, I'd guess at least 90% is tied to an identity.
I'd say the bigger issue isn't being allowed to use a third-party SSO, the issue is having the option to not use the third-party's SSO. We see enough horror stories about the impact of being locked out of a Google account.
Their 2FA was broken in a way that required me to delete my account, which is a pain as now I have to redo my resume for applying to federal jobs. I had an old account which worked fine but when trying to access it again it always said my 2FA code was incorrect.
Still I do prefer this to ID.me which I needed to use for CA unemployment.
Perhaps true user-friendliness is achieved not when the user can no longer have any bad experiences, but rather when the user's bad experiences are still superior to the alternative...?
That's an easy way to start a race to the bottom :)
That's assuming what's in the repo is the same code that is deployed.
You can make similar counterproductive claims about everything. How can you assume that your senses and all humans are not gaslighting you?
If you want to go down that rabbit hole, you may want to (re)read Ken Thompson's Reflections on Trusting Trust at https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_Ref...
How does encrypting user data preclude nefarious and anti-democratic purposes?
If disabling your login.gov account locks you out of your bank account, the ability to travel, your library account, your email account, your social media accounts, your school, your children's school, your mortgage, your ability to pay your rent and utilities, your ability to seek employment, vote...
When your life is consolidated to SSO, your life is controlled by those who control the SSO service. The fact that they encrypt your data doesn't change that reality.
> login.gov is open source! They also encrypt user data in a way that they can't access it without the user's password, precluding the formation of a national registry that could be used towards nefarious and anti-democratic purposes
The website is still full of Google trackers, so it looks like it's already handing some user data over to private for-profit 3rd parties. Not a great sign, but I guess we can be happy we're not being forced to give them face-scans, fingerprints, or DNA I guess.
Do you expect the government to host their own analytics? Should they maintain data centers, CDNs, and serve from their own AZ as well?
> Do you expect the government to host their own analytics?
Yes. I do. There are alternatives to Google that work just fine (assuming they genuinely _need_ analytics in the first place). There's no reason using a government service should involve you handing data over to Google (or any private for-profit company).
> Do you expect the government to host their own analytics?
No analyzing of your citizens' behavior on a government site (that you paid for) should be done by private companies (to make money out of your data)... what a question...
It looks great, though afaik they still encrypt on the server side, which means they handle unencrypted data, so it seems to protect more against data leaks, rather than surveillance. To be honest, this is federal government and they already have most of the data anyway.
The major problem with login.gov from the IRS' perspective is that it doesn't provide identity verification which is absolutely needed. We will see how they work around that, but they still may have to outsource that to someone like id.me.
Don't they? https://www.login.gov/help/verify-your-identity/overview/
Meanwhile, I’ve spent over a month trying to get verified as myself via ID.me and their broken process that can’t handle Americans living abroad, with foreign secondary documents. A typical round with customer service takes about a week, and then I was told that someone will be able to verify electric bills that aren’t in English, but then that turned out to be weeks ago and it’s yet to happen. This is all merely to set the stage for being ELIGIBLE for a human to do a video conference verification with me, which they hopefully will deign to do.
A singular corporation (ID.me) holds every American’s ability to login to their government tax profile hostage, and we pay them for the pleasure of this rotten monopoly and abuse of public trust. I just want to pay my taxes, sigh. It should be as easy as any other bill or process. Making taxpayers suffer more does not generate extra revenue for the state. There is literally no call nor need for all this extra stressful nonsense making people sweat every April. It’s actually counterproductive to fund raising for state activities. Bureaucracy steals lives and health for wasteful ends that do not benefit the group. The likelihood of reforming our deliberately and absurdly arcane tax system is about as high as large corps and oligarchs paying their fair share, nevertheless we should insist.
That said, I’m cautiously optimistic about this excellent announcement to reduce future people’s suffering.
I also gladly submitted biometric video scans and it still wasn’t good enough for ID.me. So, I wonder if I’ll still be trying to get verified by the time this new system rolls out…
Same here. I hate ID.me and their piece of crap system. Never managed to get it working after wasting so much time. Luckily, I don't _need it_, so at the end I just gave up and used different methods. Would hate it if I'm actually unemployed and had to use that terrible firm.
I cannot upvote this comment enough!
I'm an American abroad and I spent roughly 8 hours spread across 5 days getting access to my irs.gov account. And yes, I actually recorded time spent on this chore.
The worst part was not the facial recognition. It was the fact that I had an address outside of the USA and they would not recognize a non-USA utility company for address verification. This was stupid for two reasons. The first being the obvious requirement that a non-resident have a contract with a utility company in the USA, and the second being that the IRS has been mailing me at my non-USA address for years. The IRS already had my address, but I had to verify it with ID.me.
The other worst part was they never told me WHY my various utility bills and bank statements were being rejected. At one point they told me I had to translate a bank statement, and that was the most feedback I ever got. But then I translated it and they rejected it for an unknown reason.
I eventually got my registration through them by getting a USA bank to recognize my foreign address. Luckily I also had an old W-2 laying around from years ago when I briefly worked in the states. Do they expect my current employer to give me a W-2?
Finally, on their stupid video call I was told I needed to have all of this documentation, which I dutifully prepared, and then all the person cared about was me holding my passport up to the camera.
Completely broken process for Americans abroad. To the point where they're likely breaking some US law by making it so difficult for non-residents to register for IRS access.
I hated it and I hope ID.me dies in a pit of bankruptcy.
I set up ID.me for somebody and at one step it asked me to confirm the proper spelling of their name.
Both options were incorrectly spelled. There was no way to proceed and spell the name correctly.
Their support desk basically told us it wasn't their fault and to go away.
I've not been able to get my credit report because of something incorrect in my credit report that they were asking me to verify...
In Canada, the Canada Revenue Agency (CRA) allows you to leverage existing relationships with banks and credit unions, "Sign-in Partners":
* https://www.canada.ca/en/revenue-agency/services/e-services/...
* https://www.canada.ca/en/revenue-agency/services/e-services/...
* https://verified.me/government-sign-in-by-verified-me/
You can also create a stand-alone account with the CRA if you wish. Other federal agencies use the 'partner' system as well.
It's basically SAML.
Major difference in Canada is the # of banks. The big five dominate[1] unlike in the US where there are 100+[2]
[1] https://en.wikipedia.org/wiki/List_of_banks_and_credit_union...
[2] https://en.wikipedia.org/wiki/List_of_largest_banks_in_the_U...
It's not a good choice. The Canadian government still doesn't understand the internet. There should be no obligatory private intermediaries between a citizen and the government no matter online or offline.
It should provide an online identity service, just like it already provides offline government-issued IDs (e.g. passports) without involving banks or other private institutions.
> There should be no obligatory private intermediaries between a citizen and the government no matter online or offline.
As I stated in my post:
> You can also create a stand-alone account with the CRA if you wish.
See Option 2:
* https://www.canada.ca/en/revenue-agency/services/e-services/...
The provinces of Alberta and BC also have identity providers (since they issue driver licenses and health cards) which the CRA allows (Option 3).
Quebec also has a login system (https://www.info.clicsequr.gouv.qc.ca/en/citoyens/), but it's only used for provincial services. Quite convenient, in any case.
> You can also create a stand-alone account with the CRA if you wish.
You can't reuse the CRA login with all other government services. I'm talking about a single identity provider accepted by any government service, like a driver's license or a health card.
My favourite part of the CRA website is it has operating hours! It actually closes during non-work hours! Crazy.
As mentioned in the article, the IRS had originally planned to use ID.me — a private company — before backing down. Previous discussion here:
https://news.ycombinator.com/item?id=30126118
And rather controversially require face recognition for login. Good idea in that having another secret only really you should own is good, poor execution in allowing a third party to collect and probably sell something so very personal. I'm glad they backed off.
Note that they are currently using ID.me. I had to use it today to log in.
This is a good move. While it does consolidate logins to one single location that a bad actor can attack, the time and effort put into securing it is much better used as a pool and covered by a single entity than having each individual department (and often times teams within a department) creating and maintaining their own login methods.
IRS statement itself: https://www.irs.gov/newsroom/irs-statement-new-features-put-...
Good. There was something absurd about having to accept id.me's terms-of-service, which involved "deals, discounts, cash back rebates and employment and educational opportunities", to access government services online.
If you use Customs and Border Patrol's trusted traveler programs (or some other gov sites), you may already have a login.gov account since that is what they have been using for a few years now.
I just wonder what kind of extra hoops we'll have to go through to use an existing login.gov account with the IRS. I read in some article somewhere that the IRS didn't use login.gov because it isn't "as verified" or some kind of thing as the IRS needs.
Yet the reason I have a login.gov account is for my NEXUS enrollment which means I've been fingerprinted, background checked, had my passport number linked, and been interviewed in person by two different governments. That seems pretty identity verified to me.
If I have to go through some other step, especially if it involves yet another biometric or interview check, that's going to be annoying.
Yes, same here... background checked by two countries! Not to mention iris scanned, and they even passports from two countries for me. Hopefully it's not too onerous, like you said... they can be pretty damned sure who we are at this point.
Those steps were a prerequisite to get your NEXUS enrollment -- not to get a login.gov account.
The only thing you have to do to enroll in login.gov is verify your email address.
An optional feature of login.gov is to verify your identity further by uploading a photo of a state ID, and entering your SSN and phone number. When you validated your identity in person with CBP, this was not that.
> When you validated your identity in person with CBP, this was not that.
This isn't snarking at you directly, just all I'm really hearing is that the government will happily mix whatever it knows about me for its own purposes but when it comes to making things easier for me (wherein they've literally seen me in person and looked over a stack of my identifying documents), no way that's "violating my privacy."
If we are going to have an all-seeing panopticon can't it at least be convenient?
The premise of that sentiment is simply not true. There is no all-seeing panopticon. The government in the US is quite siloed. The federal government is pretty dang siloed itself, and the US is potentially the most siloed government on the planet if we also consider state and local governments.
IRS was trying to remotely validate you to an IAL2 level.
I believe that although you are validated to a higher level with a trusted traveller program, they cannot or have not been able to share that validation with IRS directly.
I think the IRS must already have a pretty good relationship with CBP. A few years ago, the IRS sent me a letter claiming I owed them a large quantity of money. It was a mistake, because my idiot broker messed up the paperwork. (Schwab equity awards. What a disaster.) At about the same time, I applied to renew Global Entry. Nothing happened on the Global Entry application for months, as I worked with a tax expert to correct my tax return. Several months later, I got mail from the IRS saying the case was resolved (they owed me $70, it turned out), and the same day my new Global Entry card arrived.
Maybe it's a coincidence but it seems like the two agencies work together. They also apparently withhold government services if they think you owe them money. Not sure if I think that's amazing, or petty. Leaning towards amazing though.
There’s zero evidence in your anecdote to suggest anything other than a coincidence. You’re basically just arbitrarily choosing to believe it wasn’t.
That's true.
Is this the same authentication platform that TreasuryDirect uses?
edit - looks like no. On the one hand a single sign on to both would have been nice, OTOH TreasuryDirect's authentication system is a PITA.
TD login is basically unusable in my view. I stopped using it simply because it was so painful.
TreasuryDirect, the site that has case-insensitive passwords, disallows password managers, disallows the use of your actual keyboard to enter your password, and has this dumb on-screen keyboard with tiny keys that ultimately accomplishes nothing? Super trash.
It still amuses me how few people, even those who claim security expertise, don't understand that commercial malware is able to hook the driver stack (and/or browser's network stack) and intercept pre-encrypted HTTPS traffic.
Hooking traffic rather than keystrokes is preferred because in order to resell that stolen data the data needs CONTEXT. A stream of keys is difficult to interpret into anything meaningful at scale, whereas "HTTPS POST Request to URI [xyz] with fields [X & Y] with values [J & W]" is very monetizable.
What I am saying is TreasuryDirect's on-screen keyboard "security" stuff is complete nonsense, it has no technical merit at all. None. Worse still it also hurts users of accessible technologies, touch-screens, or users using password managers (essentially promoting password re-use, a common problem).
The TreasuryDirect site makes me want to give the authority to the USDS/18F to proactively come in and say we're taking over your public facing website infrastructure to any executive branch agency. There's no excuse for something to look and behave like it hasn't been touched since 1996.
It’s been touched since then. Back in those days, their “MFA” was a wallet card that you had to match up for a code. It was like the old copy protection schemes used for games like Sim City.
That almost makes it worse!
Not that this should be necessary by any means but I usually right click the password input -> inspect element -> paste my password in the value from my password manager. The on screen keyboard is so ridiculous.
On top of everything you mentioned, TreasuryDirect also has an insanely aggravating issue where if you click a navigation button twice (e.g. clicking next again reflexively before the next page has fully loaded), it displays an error about invalid navigation and forces you to log in again and start from the beginning.
Even something as simple as disabling navigation links/buttons after being clicked before the next page load would mostly solve this and save hours of frustration having to re-login through their god awful signin flow every time.
I am able to use Safari key chain to enter my password. Not sure about other password managers.
I'm glad they are adopting it. Login.gov was always kind of funny, like here use this to login to all US govt resources...except for this service, and this service, and all these services...
The VA still uses ID.me - so most veterans have an account anyway (I needed one to get a certificate of eligibility for a VA home loan). I had to add an authorization for the IRS on my ID.me to stop the child credit advance checks from coming last year (that should have never been an opt-out). I also had a few other govt systems I needed to access when I was a defense worker that used it.
So hopefully other agencies will move away from ID.me as well.
ID.me was founded by two veterans, so unlikely to move off of that anytime soon.
If you check the previous stories tagged by ID.me (https://www.fedscoop.com/tag/id-me/), you'll see some awesome articles sponsored by the same about how Arizona has already saved $40 Billion and how this is great against cyber risk.
Sponsored News needs a much more prominent badge. #bringbacktheblinktag
It's amazing they weren't going to do this originally. What a fiasco.
Now let’s hope the California DMV and health department make the same choice so ID.me isn’t further becoming a national ID replacement
Has anyone here worked on government websites or APIs?
I'm curious what the experience was like.
It's standards based just like any other SSO these days: OpenID Connect and SAML. Is there something specific you want to know?
This is correct.
The "FedRamp" contract overhaul pretty much locks in the requirements and specifications to these above implementations.
I have designed an API that revolves around and side-steps this that currently serves 60 million US civilians...but in the end, the security assessment pretty much comes down to the Privacy Acts interpretations and the common sense security landscape.
How is it different from working with a private company? Lots of stakeholders? More documented testing procedures?
Someone said it best upthread: the incentives are different.
If you are a leader in the bureaucracy, your incentive is to not personally fail, which is not the same as to succeed.
There is an army of auditors waiting to question every decision, so the obvious way to avoid that is to not make any. Balancing the need to do something without deciding anything is an art of sorts.
Also, to be clear, those incentives aren't coming from within the bureaucracy. For example, let's say that a program tries to do something and it totally doesn't work. A news story about this will be roughly the same if $10,000 is spent as if $100,000 is spent as if $1,000,000 is spent.
That creates an incentive never to label anything a failure and just keep pumping good money after bad - that's how to avoid the negative article.
French Connect, the French government SSO is open source and on GitHub if you're interested: https://github.com/france-connect
I spent a couple of years with the USDS (https://usds.gov/). USDS, along with 18F, are largely responsible for login.gov, as well as a lot of other really great projects. Overall fantastic experience if you're open to an adventure!
I could probably spend a week telling war stories, but the main takeaway is that you can't look at government as just another sector waiting to be brought up to speed. Government is an entire industry unto itself, with incentives that seem fully alien to anyone from the private sector. Money doesn't flow according to the laws of capitalist physics, but by byzantine congressional allocation. Understanding how things actually get done requires a ton of time, networking, study, and empathy.
Career government techies are extremely risk averse (for a lot of very good reasons). If you want to make an impact, it helps to be able to take on a lot of the risk that nobody else wants to. For me, that meant promoting open-source alternatives to various entrenched products (cough, MS Access, cough) and accepting all the blame if the higher-ups don't like it. For this reason, it helps not to look at this as a career.
Going up against the entrenched interests can be frustratingly hard. It feels like everything is subtly working against you. Or not so subtly: on more than one occasion I had teammates get singled out by the federal IT press. Somehow I managed to stay anonymous, but the threat was there. Fortunately, I felt a strong sense of support from my bosses, as well as a lot of righteous fury from seeing so many failed, hundred million dollar projects that could have just been a simple web app.
Granted, it's been about five years since I was in government. I would be curious to know if things are different nowadays :)
Not that different! Hi Alex. :)
Hey wslack! Hope you're well. Glad to hear you're still fighting the good fight.
Issues with login.gov don't make me very confident.
Try putting in 2 lower security passwords but then backspace deleting them and you get.
zxcvbn.feedback.use_a_few_words_avoid_common_phraseszxcvbn.feedback.no_need_for_symbols_digits_or_uppercase_letters
visible on the screen. I get it isn't a technical issue but still, doesn't give me confidence
They fixed that recently: https://github.com/18F/identity-idp/commit/873c71ca8c0cf61d3...
That's the one I had to use to sign up for GlobalEntry and TSA Precheck. Highly recommend if you travel a lot ... or plan to again at some point given the current state of affairs.
Why did they ever go with ID.me when they have their own comparable solution? I’ve used both and both are solid, one is expensive and externally managed though..
I thought it was that login.gov does single-sign-on (SSO) and ID.me does SSO and identity verification at both the signup and sign-in level.
Login.gov absolutely cares about your identity. Case in point: login.gov will share your SSN to the provider (irs.gov in this case), if appropriate permissions are requested.
Last time I tried to do something at the IRS website, I had to turn on my camera and have my face compared to the face they have on file to proceed. I don't think login.gov has that level of verification. Whether the IRS needs that level of verification is another question.
That's ID.me, and login.gov works differently, but it does absolutely care about identity; they have multiple levels of identity permissions. One of them is: this person has a login.gov account. One of them includes an SSN #.
When does it ask for your identity? I just signed up and all it needed was my email, password, and my token. It doesn’t know who I am though. It didn’t even ask for my name.
They have two tiers. I love their system.
The lower tier is like an Internet account. Validate with a password and 2fa, etc.
The next tier is required to log in to certain sites and requires you to upload ID etc to verify.
Once you have verified with that, you have an extra set of attributes to do more sensitive things on certain sites.
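A sketch of how a site relying on such a two-tier identity provider could enforce the tiers described above, added here as an example and not taken from login.gov's code or from any poster in this thread. The assurance identifiers, the verified-only claim names and the `authorize` helper are assumptions constructed for illustration, and the token's signature is assumed to have been checked already.

```python
from dataclasses import dataclass, field

# Placeholder assurance identifiers, constructed for this example.
# A real identity provider publishes its own values; these are NOT login.gov's.
TIER_BY_ACR = {
    "urn:example:assurance:basic": 1,     # email + password + second factor
    "urn:example:assurance:verified": 2,  # identity documents checked as well
}

# Claims every tier may assert, and claims that only mean something once the
# provider has proofed the person (hypothetical claim names).
ALWAYS_TRUSTED = {"sub", "email"}
VERIFIED_ONLY = {"given_name", "family_name", "ssn", "address"}


@dataclass
class Decision:
    allowed: bool
    reason: str
    attributes: dict = field(default_factory=dict)


def authorize(claims: dict, required_tier: int) -> Decision:
    """Decide whether an already signature-checked ID token is sufficient.

    `claims` is the decoded token payload; `required_tier` is what the
    protected page needs (1 = any account, 2 = identity-proofed account).
    """
    acr = claims.get("acr")
    tier = TIER_BY_ACR.get(acr) if isinstance(acr, str) else None
    if tier is None:
        # Missing, malformed or unrecognised assurance level: fail closed.
        return Decision(False, "unknown_assurance")
    if tier < required_tier:
        # Authenticated, but not proofed to the level this page needs.
        # The caller should send the user back to the provider to step up.
        return Decision(False, "step_up_required")

    # Pass on only the attributes the asserted tier actually vouches for.
    trusted = set(ALWAYS_TRUSTED)
    if tier >= 2:
        trusted |= VERIFIED_ONLY
    attrs = {k: v for k, v in claims.items() if k in trusted}
    return Decision(True, "ok", attrs)


# Constructed sample payloads (not real tokens).
BASIC_CLAIMS = {
    "sub": "user-1",
    "email": "a@example.com",
    "acr": "urn:example:assurance:basic",
    "ssn": "000-00-0000",  # must be ignored: the basic tier never verified it
}
VERIFIED_CLAIMS = {
    "sub": "user-2",
    "email": "b@example.com",
    "acr": "urn:example:assurance:verified",
    "given_name": "Sample",
    "ssn": "000-00-0000",
}

if __name__ == "__main__":
    for name, claims in (("basic", BASIC_CLAIMS), ("verified", VERIFIED_CLAIMS)):
        for need in (1, 2):
            print(name, "needs tier", need, "->", authorize(claims, need))
```

The point of the attribute filter is that a claim such as an SSN arriving in a lower-tier token is dropped, so sensitive actions can only be driven by data the provider actually verified.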
Interesting. I’m looking forward to it when the IRS adopts it.
They should keep the data from id.me and migrate it instead of making people who used id.me sign up and verify all over again.
id.me probably wrote not doing this into their contract to prevent the IRS from trying to break it.
I'm a foreigner (yes, I know, sorry, sorry) who is a "US Person" and thus needs to (and, to be perfectly clear, is happy to, I'm sorry, I'm not-sorry, I'm sorry about being not-sorry?) pay US income tax.
The IRS system is, by far, the worst I've ever had to deal with, and in this I'm comparing the US to countries like Rwanda, where, for some weird reason, I'm also required to pay taxes.
Getting an ITIN (sort-of like a SSN, except you're not supposed to use it like that, otherwise they will send Ted Cruz after you...) is an absolute pain, mostly because you can only request it by phone, and literally nobody you talk to is able to spell your name right, DESPITE you repeating it endlessly in just about any spelling alphabet possible.
So, you now have a dozen-or-so ITINs (again, like SSNs), all in different names, none of them yours. So, you file your taxes using the ITIN in the name that is closest to yours, and specify this on your tax forms.
You send in your forms, and your check, which is cashed immediately. Repeat the next year, and so on.
Now, after FOURTEEN years or so, you get sent a letter, informing you of a tax audit, and demanding you are physically present in Austin, Texas, two weeks from the postmark of the letter (never mind it reached you three months after that, and never mind you're located in Europe, which at that time was denied access to the US due to COVID-19).
So, you get a lawyer, which costs close to US$ 8000. The lawyer contacts the IRS, which continues to insist on an in-person interview in the past.
So, now you're out US$ 8000, and can never travel to the US again.
But, yeah, lovely that they now allow additional login tools...
> The IRS system is, by far, the worst I've ever had to deal with
That's by design
The byzantine rules exist to create deductions and loopholes for different interest groups. Raising the standard deduction was actually a good move, as it simplified my tax filing for sure (I don't bother to itemize now) -- but I imagine the tax preparation industry (amongst others) was not pleased.
Yes, but WHY?
I mean, I'm happy to pay my US taxes. Heck, I'm even happy to pay someone to pay my US taxes. But... neither of those options seem to work?
I mean, just to back to Rwanda: it's an east-African country that is pretty much a dictatorship and had a real-life genocide less than 20 years ago.
Yet, in Rwanda, I can just use my native cell phone number as my tax identifier, pay then what I need to pay, and be done with it.
In the US, I am probably known under a dozen ITINs, and literally none of that is my fault: it's just that the IRS agents that created those ITINs were unaware of, like, any spelling alphabet ever. Even ITINs created using a fax (that's a TIFF-over-POTS, for you millennials) got completely misspelled.
And now I'm supposed to spend tens of thousands of dollars to prove I've paid my taxes?
OK, now I know the answer to my initial question...
There are some groups who oppose effectively all taxes and seek to make paying tax as hard as possible so that other people will agree with them that taxes are a pain. For example see Americans for Tax Reform working to torpedo California’s push to simplify state taxes a few years back.
You also have corporate interests that profit from convoluted tax filing and lobby the government to keep it confusing so individuals continue to use their products.
OK, I understand that some/many Americans dislike paying taxes. I do not exactly like it either.
But, it seems like a particular US infliction to make paying taxes as hard as possible? Plus, they sanction you in extreme ways if you don't manage to jump through all the hoops?
I pay taxes in many jurisdictions. Here is my experience: Netherlands (my home country): the tax authorities send me a proposal about payable taxes. This includes income from my business, my partner's job, our common investments, and some investments/business interests that are exclusive to me. I correct whatever is required (with the deadline being April 1st), and I'll get my final settlement sometime in June/July.
Germany/France: I provide the tax authorities with my Dutch tax identification number, and they confirm they're fine with that in 3-4 months time. Rwanda, Nigeria and Zimbabwe: I also provide my native tax details (sometimes using my mobile number, sometimes using my NL 'SSN'), and they're fine with that, sometimes after billing me a small percentage over some income.
US: I honestly have no idea where I stand. The IRS refuses to talk to me, yet summons me to physical meetings in the past that I cannot legally attend. I have hired several attorneys, none of which seem to be able to help.
I probably owe several HUNDREDS of dollars in US tax. I've not visited the US since 2004, and have not done any business there since 2002.
Yet... I'm apparently a much-wanted tax fugitive in the US. Does that count on a FAANG-inbound resume?
Is it possible to sue for conspiring to make life purposely difficult? For example, if I interfere with someone's lawful use / enjoyment of their property, it is a low-level criminal offence. Should that not be the same for making / conspiring to make life difficult for the purpose of extorting money?
At this point the IRS is completely confusing as to understanding whether they've received things. I've seen a non-profit where the IRS was sending them a request for what the letter said was an unfiled annual return, while at the same time, the IRS had the processed annual return they were requesting publicly available on their own website. This is without identifying number confusion. I can't imagine what it would be like with that.
I have to assume that they have some serious database problems that they are completely unable to handle, likely because of staffing and budget cuts that appear to have been intended to cripple them.
> That's by design
It actually is, too. There are two large, influential groups of stakeholders who purposefully lobby for a painful user experience.
The first, of course, is the tax-prep industry (e.g. Intuit/TurboTax and H&R Block). They make more money when people get fed up with bullshit and pay someone else to deal with it.
The second is the anti-tax activists. If taxes exist, they want the process of taxation to be painful. Not just in terms of the dollar amount. They want people to have an active and visceral reaction to taxes. As such, they lobby against anything streamlining taxes and push for the process to be as high-friction and frustrating as possible.
I used TurboTax for the first time recently so I could file taxes to get my ACP discount for cheap Internet for poor people. I needed to file a $0 tax return, but where I received stimulus payments. Their system just got stuck in a horrible loop because I was in some weird edge case. Their first "expert" was terribly rude to me. Luckily the second guy was super nice and we hacked away at the UI until we found a way out. tl;dr: TurboTax is as clunky as the IRS
Ah yes. Good to know that it’s not just the TSA I should dislike. I’m reminded of the line Logan Roy uses on Succession, something along the lines of “when I arrived in America there was nothing these people couldn’t do. Now they’ve pissed it all away”. Feels like it’ll be hard to see the US continue to be a major player unless it can get out of its own way at some point.
Can you name some countries you think are "major players" if the US isn't or won't be?
>it’s not just the TSA i should dislike.
You should try interacting with Australian or Canadian border forces if you want to see a true organization you should dislike. Hard to see Australia or Canada being even minor players if they can't deal with that dysfunction.
UK, China, Canada…uh there’s lots?
I’m both Australian and Canadian, so maybe I’m biased but comparing them to the TSA is a stretch imo.
Linguists might study that intro to see how much passive aggression you can fit in one sentence...
I think when being passive aggressive starts to harm readability, maybe you should just say what you're trying to say.
I was a US person with an ITIN and have become a naturalized citizen. ITINs are very different to SSN. Honestly I've found the USA very easy to deal with compared to the UK, France or South Africa where I've lived.
The challenge with an ITIN is it blurs into immigration, visa status, whether you are violating visa terms, whether your ITIN - which you can get on a tourist visa - is an indication that you're trying to build a life here when you're just supposed to be a tourist, and so on. That doesn't even get into property ownership, or being a director or shareholder in a US corporation with an ITIN and various visa types.
> Honestly I've found the USA very easy to deal with compared to the UK, France or South Africa where I've lived.
???
France as a foreigner:
You arrive in the country, your employer already declares all taxes for you. While you may not have a tax ID to log in to impots.gouv.fr yet, everything is already registered in your name (because you gave either your SSN, or your visa number, or anything else). You send a letter to ask for a username/password to use to log in on the website, which arrives about two weeks later.
Your taxes are collected monthly, and at the end of the year you pay the leftover/get paid what you overpaid. You can tell the state at any point how much you think you will earn, and it gets reevaluated. Your yearly tax filing is prefilled, and there's no need for any software.
As an employer, the URSSAF website is, while hell to navigate, very clear in how much you owe. Give out your SIRET/SIREN, your tax report, and your taxes are done.
To be fair, there are some small hurdles - you get issued a temporary SSN quickly, but it might take some time and documents (like an original of your birth certificate less than 6 months old in French, or translated in France by an authorised translator which is a retarded thing to ask for and for which I've had to explain many obvious things to many French officials - they simply do not have the right to ask for that, any EU country's translation is acceptable by law), but it's fine. You don't even need the regular SSN for taxes or healthcare, actually.
Ah yes, the birth certificate thing is... impressive. Especially when it's being asked for someone coming from a country where you simply cannot update your birth certificate. France and inflexibility, especially in small mayor's offices are just standard.
And yeah, the SSN isn't necessary. It is however usable for SSO through ameli.fr, for your taxes and many other services.
Sorry, I'm not blurring my ITIN with immigration status or whatever. I have not visited the US since 2004, I have no desire to return, and I have not done any business there since 2002.
I just want an ITIN that is, like, actually in my name. Plus the IRS to agree that I do not owe any taxes in the 20-or-so ITINs that they have issued in various misspelled variations of my name.
But yeah, to get any clarity, I apparently need to go to Austin, Texas, in 2020.
And time machines are "easy to deal with", apparently?
Sounds like there’s a lot more to your story than you’ve shared here.
Thanks for the passive-aggressive accusation there!
So, what more is there, exactly, to my story? My name is pretty simple, but, like many European names, has 3 parts, as well as some 'unexpected' letter combinations.
As far as I know, you can only request an ITIN by phone. Possibly, this can also be done online now, but that wasn't the case in the 1999-2009 period that I'm talking about here.
Also, the person that answers the phone... how do I say this? Is not exactly fluent in English... Or Spanish (which I can at least spell my name in as well)... Or any human language?
So, you get a new ITIN, with a random ASCII string as a name. And, to file a valid tax form, your ITIN needs to match your name... Which you provide in a PDF.
See where the problem lies here? You want me to upload a few scans of US government letters/forms with my actual name horribly misspelled? You want to see my attorney invoices? Certified PDFs only, I assume?
What, exactly, is the burden of proof you place upon me here?
As someone who uses his middle name, I've experienced only the tiniest bit of what you've gone through, but I can imagine your annoyance.
It's amazing how massive systems often have no viable process for "As an end user, some of the data in the system is incorrect, and I would like to get it corrected."
Once it's in the system via the setup process, it's there. And most people down the line working with it don't even know what system it's originally coming from.
Edit: F.ex. if someone lied about their age when getting their Social Security # (this before issue-at-birth, so it had to be applied for in person), so as to be considered old enough to work, and then decades later wanted to set the record straight to avoid collecting benefits at too young an actual age, they would probably be told by a Social Security employee that doing so was more trouble than it was worth. ... Hypothetically speaking.
The fundamental issue here is that there is no meaningful voice of expats in the US, so any attempt to fight a system which wants your money, no matter where you are and make them, in the world, is prone to failure. The only real option is to renounce citizenship.
love that Americans are always worried about some sort of national ID/database of citizens being used for nefarious needs
It's in our history to worry about it :')
There are also the instructive examples of how such things were (and are) used in Nazi Germany, the Soviet Bloc, China...
I'm not sure if this is sarcasm or not, but given history and human nature, it is not an unreasonable concern.
The main issue is if it's required. Not so worried about myself - I'm a veteran which means my fingerprints and DNA are already on file with the feds somewhere :), but US Citizens with no particular connection to the federal government absolutely shouldn't have to need a "National ID."
And yet, everyone suffers because of it. We have endless SSN breaches because at the end of the day, having a unique ID for people is really valuable! We could have something way safer, but we get stuck with the status quo which satisfies no one.
Use revokable public/private keypairs.
The two options presented before my comment are not the only ones.
I'd be perfectly fine with that. My ideal scenario would essentially be a national ID that's also a smart card with u2f/federation. I realize there's a ton of details with accessibility but like, we have the technology.
There are ways to solve that problem whilst still protecting privacy, but there's no benefit in that for the ruling class. Once the infrastructure is in place, we all know governments would eventually use it to track all sorts of additional information/activity about us.
> use it to track all sorts of additional information/activity about us.
They already do!
There are so many quasi-national tracking and gov approved monopolies that they already get what they need.
Everywhere is tracked with license plate scanners, so you can't go anywhere.
Everyone realistically uses VISA or mastercard, so you can't buy anything. If you don't you're still probably banked and connected to credit agencies, so you can still be tracked. Good luck getting cash without the gov knowing. Just look at the IRS data.
You register with the gov to drive, so you're IDed already by someone.
NSA et al. track god knows what about you across the internet and abroad, and where they don't go some ad network goes.
I think the only thing that we don't track is guns... and that's probably something we should track.
Every time you buy a gun, a background check is run (via NICS). Records of said checks are supposed to be destroyed.... are they really?
It's strange how all this stuff worked when the records were on paper and plenty of people had been born at home and rarely recorded. A world of endless danger which satisfied no one.
A citizen database says who exists and how to contact them.
Fingerprint and DNA are a completely different thing, and crazily intrusive to collect on a central location.
Get a job that requires you to get a federal Common Access Card, and you'll get fingerprinted.
DNA is collected on all military members. Ostensibly, they tell you it's to identify your remains if necessary. I'm sure it's used for that also :D
The most intrusive thing they did to me was the polygraph :)
We already need it. That's just the modern economy/world. So we get shitty ad-hoc solutions with bad security that waste tons of time and money, instead of a good one, because people are afraid of the good one. Not having a solution isn't an option.
> US Citizens with no particular connection to the federal government absolutely shouldn't have to need a "National ID."
Hard disagree. If you live in the US you have a connection to the federal government. I'm not saying everyone should have fingerprints or DNA on file but a national ID is something I'm fully behind. The shit show that is social security numbers, KYC, and other ways to identify a person are such a pain and for literally no good reason that I can see.
We are so weird about this. We already have a national "identifier" - the social security number. Pretty much everyone must use it because of both social security and taxes, but also due to private use cases. We should just admit this is the case and manage it better. The man-in-woods scenarios where one can opt-out are just not very realistic.
Now as a matter of authentication - verifying the identifier, we have left this up to the states in the past, with opt-in federal IDs for various purposes. Though with RealID this is being standardized. Login.gov is a way to have a digital equivalent.
> the federal government absolutely shouldn't have to need a "National ID."
But every state has an ID system, and they're all known to each other, and tied to your SSN which is a national id number. We already essentially have all the parts, just messier.
> my fingerprints and DNA are already on file with the feds somewhere
Same. Probably same for lots of people.
> US Citizens with no particular connection to the federal government
We all have a connection... we live in the US!
One of the big issues with instituting an income tax is it changed the relationship of every citizen with the government. Other than the postal service, the average citizen almost never dealt with the federal government directly. Now, everyone knows and despises/fears the IRS.
Who cares? That's not the world any significant group of persons have ever lived in?
We first got an income tax during the civil war, and the 16th amendment before the 1920s. That's the relationship we've had with the government. How many people alive "almost never dealt with the federal government directly" at any point in their life?
Everyone is already issued a social security number. I'm not sure how a more modern, cryptographically secure version would be any more concerning in this regard.
...but US Citizens with no particular connection to the federal government...
By virtue of living here, you already have a connection. At minimum, you have to pay various taxes.
If it's just Uncle Sam that's the problem, then we use something like RealID at the state level.
Why would anyone want superfluous data stored by their government? What purpose does it have?
In my mind, governments are like companies: both are comprised of people making decisions which may or may not align with my personal interests. I want a GDPR for the government.
the funny thing is we already have this. it's called Social Security, and it's absolutely useless as a national ID.
The top entry for the list of cumulative non-disease or old age causes of death in the 20th century is "murdered by own government". Anything we can do to help prevent that is a good thing.
Interesting that you limit this claim to the century that saw two world wars and the largest ethnic extermination program in history. ID systems back then weren't any more thorough than the SSN every American is required to have and use for a litany of purposes today.
I do not really see how replacing your SSN with a public/private key pair that you use to cryptographically sign tax returns, loan applications, or election ballots would make a repeat of World War II any more or less likely; I just see it making identity theft a lot harder. Any government that decides it has the will and power to start a genocide isn't going to be stopped by antiquated blue paper cards.
"ID systems back then weren't any more thorough than the SSN every American is required to have and use for a litany of purposes today" would imply that a more formal way to record IDs, namely a centralized database of personal information would be an even more efficient way for a government to top the largest ethnic extermination program in history.
And before you say "but that can never happen!", stop for a second and rethink that. It has happened many, many times in human history, and it will absolutely happen again somewhere unless we do our best to confound it.
"a centralized database of personal information" already exists. That ship sailed a long time ago. The government issued your birth certificate and social security number. I'm advocating that we upgrade this with some semblance of security in mind, rather than continue to rely on an antiquated solution that was designed nearly a decade before the first electronic computer was turned on.
Unless you want to argue that the lack of security is a feature, and that rampant identity theft is somehow stopping the US government from perpetrating the next holocaust.
When it comes down to it the US has a fear driven culture, down to what essentially becomes paranoia.
US violent crime statistics are at near all-time lows. Yet I know many, many people that will not leave their house without at least one firearm. This is in small towns that haven't seen a violent crime justifying the use of deadly force in many years. Many of these same people refuse to "live in fear" of the coronavirus yet they live essentially petrified of violent crime to the point of carrying a deadly weapon for self-defense on their person at all times (not to mention the likely hundreds-thousands of rounds of ammunition and small arsenal they keep at home).
We're terrified of a national ID "because big brother" yet almost no one cared or batted an eye at the Snowden revelations "because terrorism". 9/11 was 20 years ago and killed 3,000 people. Tragedy for sure but never before in human history has the trajectory and cultural makeup of a country (let alone a superpower) been so drastically altered by what is essentially a rounding error in terms of deaths in two decades. If warrantlessly surveilling an entire population isn't big government/brother I don't know what is.
The ATF isn't allowed to have a searchable database because "the government is going to take away our guns" yet your entire life is accessible to the NSA.
It's truly bizarre.
> yet they live essentially petrified of violent crime to the point of carrying a deadly weapon for self-defense on their person at all times
That's an odd way of stating it. They're concerned, so they're arming themselves.. but continuing on with their lives. Sounds like the opposite of "petrified" to me.
What's odd about saying it's completely innumerate to carry a gun on your person at all times?
And don't for one second pretend Americans are "continuing on with their lives", what a joke; gun culture is huge in the US, people are absolutely obsessed with the things.
Hardly a more obvious "not over it" situation exists than Americans and their guns.
They won't go places (businesses, cities, etc) that don't allow guns. They routinely talk about and consider scenarios when, where, and how they'd fire on someone. They select clothes based on what will conceal a firearm (or select the daily firearm make/model based on what can be concealed with their clothing that day).
It's clearly a major driving force in their lives. Perhaps petrified wasn't the best use of words. I'll suggest terrified as an alternative but the actual reality is all the same.
I've been kidnapped and robbed at gunpoint in the US. I'm pretty sure if I had a firearm that situation would have been worse. I would have either gotten myself killed or suffered the trauma of killing someone and watching them die. This isn't a movie where you go bang and the bad guy cleanly falls to the ground. Death by firearm is brutal and changes you forever (as my ex-military friends will tell you). Life isn't Hollywood and anyone who thinks their life will be the same and just fine after using that weapon is either a bona fide psychopath or delusional.
I also can't imagine waking up everyday and strapping a gun to myself just to leave the house. I'd consider that fear winning and an event that I've long since gotten over continuing to have an outsized amount of control and power over me. I got out of my traumatic event losing an iPhone and $100. After a few months of initial PTSD my life hasn't changed one bit. I won.
I am not going to debate generic gun carry but I completely support being able to own and carry guns / rifles in the wilderness for example. It is pathetic when for example in Canada bear attacks construction crew, pulls a woman and kills her and the others are not able to protect since they were not allowed to carry.
Absolutely agree - I have no intention of debating guns generally (ownership or carry). I own guns, always have, and had a concealed carry permit for many years. However in my case the permit was more for practical reasons - I lived in an apartment and there are some weird grey areas with guns in "common areas" otherwise. I think I actually "concealed carried" a few times and was generally uncomfortable and put-off by it (personally).
I'm more speaking to the motivation behind absolute, 100% carry everyday. It's completely emotional, fear driven, and not in any way supported/justified by the data.
> yet your entire life is accessible to the NSA.
I'll bet you money that most Americans are not okay with this either.
They're nominally "not ok" with it, unless it's couched in some piece of legislation like the PATRIOT Act or snuck into a Defense Authorization Act, particularly after a national tragedy happens. Then a lot (a majority?) of Americans will suddenly be ok with the "if you got nothing to hide you got nothing to fear" mantra.
I'm actually not a huge fan when people act like Americans are a bunch of flag-waving morons, because I think that people who say that are often being extremely reductive to a borderline-offensive level [1], but in this case I do think Americans are uniquely ok with pretending their rights don't exist when they're convinced it's for a greater good.
[1] Disclosure, I'm American
> "I do think Americans are uniquely ok with pretending their rights don't exist when they're convinced it's for a greater good."
Check Canada. We are way more screwed up in this department
> "if you got nothing to hide you got nothing to fear" mantra.
I know people like this and it's not a good mantra to follow. I have to remind them that all that needs to happen is to have political winds go the other direction and soon something they do regularly becomes illegal or suspicious. So dumb to give up privacy for safety.
That's always been my perspective. I'm going to take the radical position that not everyone in the government can be trusted, so we have to assume that there are bad actors who are going to abuse their power and use the questionably-obtained information to their advantage.
I'm not a fan of that, and the only way I can think of to avoid this being an issue is for them not to have the information in the first place.
The NSA acting like a creepy Big Brother-secret police organization is a separate issue.
It's an example of American schizophrenia. No National ID because tyranny! Monitoring everyone constantly? That's keeping us safe!
Well I consider for example requirement to carry ID in France as the schizophrenia or worse from the government side. Brings out the worst associations
In the United States you are pretty much required to give your name to police if they ask for it. They will run that name and if it doesn't check out, match the picture on their computer, etc you will be arrested for providing a false name. In many states they can also demand you present photo identification and skip all of that.
Practically speaking the United States has been a "papers please" country for a long time.
What we're talking about here is a standardized, national ID. It's currently a weird patchwork of driver's licenses, identification cards, etc - each of which are slightly different variants issued by each of the states. So we don't have a standardized national ID. We have at least 50 of them, all with different formats, different issuing criteria, different validity, etc. We've tried to have some bare minimum standards for years (REAL ID act) but the mandatory compliance date for that keeps getting pushed (currently next year).
> "In the United States you are pretty much required to give your name to police if they ask for it. They will run that name and if it doesn't check out, match the picture on their computer, etc you will be arrested for providing a false name. In many states they can also demand you present photo identification and skip all of that."
"Stop and identify" statutes are laws in several U.S. states that authorize police to lawfully order people whom they reasonably suspect of a crime to state their name. If there is not reasonable suspicion that a crime has been committed, is being committed, or is about to be committed, an individual is not required to provide identification, even in these states.
I've had to identify myself for flipping off a cop (unmarked car) who honked his horn at me because he didn't like me exercising my freedom of movement. This power gets abused all the time.
Police also commit crimes, what's your point? We are talking about the actual law here.
I know you're just sharing your anecdote, but the vast majority (over 80%) of Americans live in urban areas. Many cities do in fact see violent crime. Although I don't own a firearm myself, I totally understand why someone else would want one in my neighborhood. Violent crime is not unusual where I live.
Don't let your bubble from small town USA distort your view of the entire country.
It's disingenuous as hell to clump "cities" together, as if going to Anacostia in DC is the same as going to Georgetown.
If you live in a city and carry a gun, you're not protecting yourself, you're escalating the violence.
Getting robbed is exceedingly rare anywhere in the US, and trying to stop a robbery with a gun is among the stupidest things a person can do.
Further, robbing someone doesn't mean you should die, and killing someone over property is evil beyond comprehension. No society should support it, and very few do (nearly nowhere in the US, for example).
I think most people not from DC will not even know where Anacostia is, you can probably just say SE or something.
> It's disingenuous as hell to clump "cities" together, as if going to Anacostia in DC is the same as going to Georgetown.
I don't understand what you're arguing. Cities unequivocally see more crime than rural areas, even in nicer areas within a city (which may only be 1 mile from the "bad parts").
> Getting robbed is exceedingly rare anywhere in the US, and trying to stop a robbery with a gun is among the stupidest things a person can do.
> Further, robbing someone doesn't mean you should die, and killing someone over property is evil beyond comprehension. No society should support it, and very few do (nearly nowhere in the US, for example).
1. Not everywhere is the same. Just because you feel comfortable in your bubble doesn't mean that owning a firearm is a ridiculous proposition for all. In my past 10 years of living in Atlanta, I've witnessed or been a victim of enough crime to fully understand why some folks here choose to own a gun.
2. The second part is totally ridiculous. Nobody is arguing that all thieves should die.
Haha, yeah a lot of people are arguing that thieves should die.
And no, “cities“ are not one solid, unbroken group, they are not universally more dangerous than rural areas.
Where are they arguing that? We’ve moved far away from OP. The original point that Americans “live in fear” is what I object to.
You’ve turned the conversation into something else entirely. You think the entire country of 350M lives in fear? Seriously? I get that HN loves to shit on Americans but what exactly is your point here?
My first comment says “many cities see crime” somehow that became “all cities see crime everywhere” in your mind.
I'm American, and I firmly believe that anyone who carries a gun in their daily life is living in abject and completely irrational fear based on a fundamental, tragic innumeracy.
And if you think me saying "And no, “cities“ are not one solid, unbroken group" means “all cities see crime everywhere”, you've gotten yourself very lost, friend.
This describes <1% of Americans.
You seem to be lost yourself. What exactly do you disagree with me on from the original comment?
You are still quite unlikely to be a victim of violent crime by a stranger if you are not actively involved in the drug trade in the city.
Violent crime rates in the city are very low relative to the past.
You are much more likely to be injured or killed in a suburban car accident than an urban assault/murder/mugging.
Exactly. In my age range (25-44) I'm more likely to die by heart disease (9.8%), cancer (10%), suicide (11%, most by firearm), and unintentional injury (34.2%) (plus "other" at 20%). Homicide is the cause of 6.2% of deaths in my age range and in the highest percentage of the population (10-24) it's still outpaced by suicide and unintentional injury. After age 45 homicide isn't even in the top 10.
https://www.cdc.gov/nchs/data/nvsr/nvsr70/nvsr70-09-508.pdf
My bubble extends well beyond "small town USA".
Paradoxically, I don't have a single friend in Chicago, Denver, Miami, Los Angeles, etc that carries a gun. These cities run the spectrum of gun laws and all have higher crime rates than a small town yet fear of violent crime runs higher in communities where it's non-existent.
This is anecdotal but statistics back it up. Most gun ownership is rural, personal protection is often cited as the primary factor, most gun ownership is handguns (i.e. not hunting), and white males (small town friends) love guns and carry everyday.
https://www.pewresearch.org/social-trends/2017/06/22/the-dem...
> My bubble extends well beyond "small town USA". Paradoxically, I don't have a single friend in Chicago, Denver, Miami, Los Angeles, etc that carries a gun.
And yet, I know people in each of those cities that own firearms.
> This is anecdotal but statistics back it up. Most gun ownership is rural...
The study you cited doesn't support that claim. What the study says is "Among those who live in rural areas, 46% say they are gun owners, compared with 28% of those who live in the suburbs and 19% in urban areas."
You're failing to consider that <20% of the population lives in rural areas according to the latest 2010 census: https://www.census.gov/programs-surveys/geography/guidance/g...
This means <10% of the population is a rural gun owner. Your study also states "When it comes to hunting, however, rural gun owners are far more likely than their urban or suburban counterparts to say it is as an important reason they own a gun; 48% of gun owners in rural areas say this." Also note the study says 30% of rural firearm owners do so for sport shooting, 15% as part of a collection, and 8% as a requirement for their job.
Less than half of rural gun owners do so solely for protection. All in all, <4% of the US population owns a gun in a rural area solely for protection. That's a pretty far cry from your original claim that Americans live in a culture of fear.
So does France, hence the existence there of the CNIL (Commission Nationale de l'Informatique et des Libertes) [1], formed in 1978, to enforce that.
Because much of Europe has living memory of national registries used for fatal purposes.
[1] https://en.wikipedia.org/wiki/Commission_nationale_de_l%27in...
Especially when we already have social security numbers, which are used for nefarious purposes by non-government entities all the time. And if you're over ~25, odds are your SSN is out in the wild thanks to Equifax.
Replacing SSNs with an alternative built on public-key cryptography seems like the best way forward. I do not understand the opposition to this. Having citizens sign their tax returns, loan applications, etc. with their private key instead of just writing their SSN on it would eliminate most SSN-related identity theft and fraud.
I have a healthy (hopefully) paranoia about the government in general. Recently found out my SSN and other info was leaked to the dark web™ (not shocked). One of the steps to rectify it is to sign up with Login.gov. I'm actually glad this thing exists, it's perfect timing for myself.
We detached this subthread from https://news.ycombinator.com/item?id=30431203.
Please don't post snarky nationalistic flamebait to HN, regardless of which country or people you have a problem with. It's against the site guidelines because it leads to tedious, nasty flamewars, which we don't want here.
https://news.ycombinator.com/newsguidelines.html
We detached this subthread from https://news.ycombinator.com/item?id=30431203 and marked it off topic.