Yet another scenario where we're collectively being bitten in the ass because most of the world is still lacking a proper digital identity system.
If you're thinking that sending pictures of identity documents or bills is going to fix it no, it's clown-tier identity verification and will just postpone the issue a tiny bit with massive human resource cost and false negatives.
A proper online identity framework is long due though. Maybe this is not the proper one but sending copies of my passport, electricity bills and lately selfie recordings as well to "prove my identity" doesn't seem right either.
Well, all this nonsense is just what happens when the provider of analog IDs (usually a federal, state, or local government) does not step up and provide a digital equivalent.
Online photo ID verification just does not make any sense at all: Identity documents usually have physically hard to forge features that just make no sense in a remote context, and that’s not even factoring in generative AI.
Looking at an ID document without a person standing next to it (whether online or in person) is one level of ridiculous beyond that.
But all of this is brought to you by the industry that thinks an SSN is a bearer authentication token, so I’m not too surprised.
Yah I am sure hardcore hackers are giving up the gig b/c they need a PHOTO of an ID! And now the ones who are legitimate have to trust a company with their IDs? This seems like a VERY weak stop-gap measure to a very difficult problem.
Still many sites require upload of a photo holding up a government ID as a proof of identification. Time to stop this nonsense and turn to real cryptographic solutions.
The use cases for digital identity are almost all pernicious. Sure, you can use it for nice things like public services, except we do that today quite expansively without one, and why do we need biometric level proofs for that?
A government digital identity means that every informal transaction in the economy that uses it relies on the state as an inline broker. We can see this today with vax passports, where just this month you have to check-in with the government before you can enter a restaurant. (only temporary, surely) It's designed to manage people like livestock, and we all know that some pigs are more equal than others. Even vax passports and so-called "mandates," have exploited loopholes in our high trust societies and assumed formlessness as to avoid being challenged legally. Digital identity regimes will use the same indirect methods. This is their strategy.
Why do you need to prove your identity unless you there is some intent to prosecute you? Most of the value in the economy is based on people taking on transaction risk on behalf of others, so replacing it with digital identity will destroy degrees of economic freedom and opportunity for your kids and grandkids. Identity does not create opportunity, it limits it.
Civilization doesn't survive malicious institutions that turn inward against the people they serve, and I hope other technologists think seriously about identity and consider the consequences of it falling into the hands of an enemy or evil institution, because having worked in identity, I guarantee it will.
Digital identity, digital identity, digital identity. Until digital identity is a first class citizen in the United States (with support through the various layers of gov from local to federal), private enterprise will continue to lean on suboptimal identity systems (SMS, pictures of government photo ID for proofing a la ID.me and Stripe Identity).
suuch a hard problem, esp for government that has to include 'everyone' and all the weird edgecases that forces on you.
Couple that with proof of identity being one of the few things that might have been issued 40, 50.. 60+ years ago (birth certificates) and never updated (unlike passports..) and when issued had no concept or sympathy that it might be used for digital verification in the future.
Without redefining the problem to avoid issues like birth certificates, i'm not sure this is solvable in the way stakeholders expect it to be. Stakeholders (like citizens paying for it) expect to be able to point technology at the problem and have it solved, 'its just an app right?' or 'lets use biometrics!' but so many other things have to adapt to make something like this successful.
Estonia had an interesting approach where they just issued everyone smartcards/certificates and used that as proof, this bypasses the 'birth certificate' problem but is expensive (Estonia has smallish population, newish government so ok) but such an approach itself has a root of trust problem.. who do I issue the smartcards to? It isn't directly transferable to other countries/governments.
You work around the root of trust problem by creating exceptions and alternate paths to verification, maybe do it in-person for people with disabilities etc. But then how long does that take to roll-out? How easily abused is such a system? How many of the identity moment can I use it for? Is in-person verification trusted less?
It is very easy for the resulting system to be quite brittle too and not reflect real use-cases, real world identity moments are very diverse and often have more flex than you'd think and it is very difficult to carve out the right chunk of the identity problem to solve and which to leave behind and still create something that improves the ecosystem.
> The clearest end point for this is some government issued digital ID that just asserts who you are, acts as a login etc.
Already exists in a bunch of countries. Works better in some than in others.
The issue is that you don't want everything tied to that ID. In a less than ideal world, ideally the ID would just attest that some random pseudo-ID is real. Like Webauthn, kinda.
Verifying pictures of people's physical ID cards is much more involved than using a digital standard.
It may be a big leap to say that implementing a Digital ID standard means that an ID-locked internet is the end goal, but it is a necessary step to reach that goal.
A much bigger flaw in their reasoning is that it's unclear who "they" is. Apple? Why would they care beyond maybe locking their own services behind ID? Government? Because they don't seem to be even making a uniform push to get things implemented.
You're absolutely right - everyone has offloaded the 'identity verification problem' to your email provider. Because doing it well is an intrinsically hard/expensive problem.
Replace 'government should provide a digital identity service' with 'government should provide an email service', and we're back at the same place. You still needs a way to prove that you are you - with legal protection and recourse.
This letter points out the increasingly obvious - that our online identities have become too important to be left to the customer support whims of one or two corporations. The idea that an innocent algorithmic mistake in a microservice running somewhere deep in Google's cloud could lock me out of my life is not the future we want.
I think you're being too dogmatic about this. For me it's a perfectly valid use case for identity verification. It prevents a big problem and only affects an extremely tiny subset of users.
A digital ID, if done properly, can actually increase privacy and anonymity, not decrease it.
Without digital ID, everyone who needs to verify your identity for legal reasons needs to get a lot of data about you and verify that manually. This increases costs, friction and the chances of a leak, after all, most of your data lives in dozens of private databases, some of them possibly insecure. Over here (in Poland), phone carriers need to verify your identity before selling you a SIM (for anti-terrorism reasons). The carrier me and my family have used in the past has recently had a leak, and we had to scramble to change our ID numbers and report the leak everywhere we could. Just because they had lots of data and pictures of our ID.
With a digital ID, a company can just ask the government to perform the needed checks, without ever storing any information about you. You want to do something that's only allowed for people over 18? The government can respond with a true/false response, without revealing any of your data to a company that has no business processing it in the first place.
Same for all kinds of verification. Instead of storing lots of personal data about you on company servers, store a unique, government-issued token that is tied to your identity. No one but the government knows who this token is tied to, or even what company requested it. You're effectively anonymous. Only when you commit a crime, a company passes the token to the court, which is able to retrieve the actual identity from government servers.
Those systems are far more secure than the mess we have now.
> Basically, the core problem is digital identities [...] are cheap to create [...] so fraud is easy. The solution could be just to make it "costly" to create new digital identities.
We already use this model in practice. It's why so many services require a phone number verification now - they are hard enough to get en-masse, especially if you block things like Google Voice. They even have a big advantage in that they are comparatively hard to hack, as the SIM card is effectively a weak form of physical security key.
I think the big problems this causes is discussed on HN quite often.
If you're thinking that sending pictures of identity documents or bills is going to fix it no, it's clown-tier identity verification and will just postpone the issue a tiny bit with massive human resource cost and false negatives.
reply