Hacker News
IRS Awards Equifax $7.25M Contract to Help 'Verify Taxpayer Identities' (gizmodo.com)
233 points by esalazar on Oct 4, 2017 | 65 comments



How incredible it is that a Federal Agency needs a private company to identify its own citizens. You guys really should get smart ID cards like every other sane country. They have a certificate on them and you can even buy a card reader to use the chip and identify yourself in state-run online services. Come join us in 2017, it's cool here.


> You guys really should get smart ID cards like every other sane country.

We should not.

You don't have EU-issued ID, we don't need US-issued ID.

When you drop off your clothes at a dry cleaner, they give you a ticket that lets you pick them up again. They don't need an ID number that lets them correlate your dry cleaning with your Amazon purchases and your phone's location history and your medical records and your tax returns. And we shouldn't give them one.


So don't give them one. Doesn't mean the government should have issues identifying people when needed (for government services, for example).


> So don't give them one.

If one exists then they'll use it without your permission. Or refuse service to anyone who doesn't provide it. Which means it needs to not exist.

> Doesn't mean the government should have issues identifying people when needed (for government services, for example).

Any government agency is free to give you an ID card used to identify you to that agency in the future, the same as any private entity -- but then companies can't require you to have one because not all citizens interact with any given agency. And then nothing stops you from closing any account in good standing and reopening a new one with a different ID number.

Correlating every interaction you have with government is not a feature. The IRS does not need to know who has applied for a hunting license or vice versa. The FBI should not have access to the list of books you've checked out from the public library. These things should all be separate from each other.


It's funny how some people call for separate IDs for each govt agency and some (different?) people then use such fragmented measures as a proof of govt inefficiency.

But I do think people are excessively paranoid / anti government today, so maybe just my bias is showing.


If I did have such a number, the dry cleaner could know when I was on my way to the store and bring my clothes up to the counter so they are ready when I arrive. And they could hold my amazon purchases for me to pick up at the same time.


Why would I want my USB adapter delivered to my dry cleaner instead of my home or workplace?

Literally none of those things require a national ID anyway. You can just give them that information, if you want to.

The ID only allows it to happen without your consent. Including all the things you don't want, like price discrimination.


If that's your preference, then instead you'd opt to have your dry cleaning delivered to your home or workplace as well.


In which case it no longer has any relationship with your Amazon purchases, which come from an entirely different place. And still doesn't require a national ID to implement.


There are systems like the one we use today where it doesn't have one, but that means each vendor has its own independent source of truth for things like your mailing address, delivery preferences, etc that are more convenient to maintain in only one place.


I fail to see enough advantage in such a system to go along with that idea.


I believe that's called "being out of touch".


You're implying that the US is sane. If we tried smart ID cards here, half the population would have a meltdown over the Mark of the Beast of 1984 or "papers, please" or something.


Let's not forget the other half of the population that would scream how discriminatory the ID card requirement is against certain populations who can't easily get to the offices where they are given out. We have this debate currently with requirements for ID at polling stations.


Except that debate is dishonest because if the Republicans actually cared about voter security the obvious response to "minorities don't have access to ID" is "okay, let's fund a program to get everyone ID".

Of course the Democrats fall for the trap every time, because using security as an excuse for taking away rights is almost as good as using child porn as an excuse for censorship and monitoring. People go "oh yeah, that sounds reasonable".


A national ID card would be better for those kinds of people. You'd get one once and then be able to vote with it and you wouldn't have people at polling stations lying to you about what ID you needed.

It wouldn't stop the issue of Republicans closing polling stations in minority communities, but it's a start.


I wouldn't be surprised if dismissals similar to yours were made to those concerned about IBM's tabulation machines arriving in 1930s Germany.


What is the problem that needs to be solved differently? IRS that collects TRILLIONS a year gave a $7.25 MILLION contract to connect a few dots to a company that can. Do you realize how little is $7.25m to USA? About 3-4 Tomahawk missiles and that money probably paid for itself several times over (probably to ID tax "cheaters".)


Smart ID cards? That's so last century. People have been replacing cards in their wallet with apps on their phone.

What you need is CONTROL OVER YOUR OWN IDENTITY. YOU SHOULD HAVE DIFFERENT IDS IN DIFFERENT DOMAINS.

It is You who should choose to tell domain A that you are X on domain B. Tracking you across domains and cross-correlating databases shouldn't be as easy as looking for the same ID!

You should use devices under your control to store private keys that let you authenticate. YOU should provision other devices, and repudiate compromised ones. And YOU should be able to see your friends joining domains like porn.com ONLY IF THEY WANT YOU TO.

https://github.com/Qbix/auth is a humble proposal for how to get from here to there.


I've been astonished recently over how many people can't even get their own name right when logging onto a site, let alone their password, or even their email.

People are constantly unable to produce their identifying information - requiring them to have multiple IDs and remember which ones belong to which things is just never going to happen. I don't know what the solution is, but people in tech don't seem to realise just how hard the majority of people find it to recount anything with any accuracy.


I worked for a company that had an online store. When we updated our payment flow, our developer added a small javascript snippet to auto-detect card type from card number. Now we didn't need users to choose 'Visa' from the drop-down anymore, we just had fields for 'name on card', 'card number', etc. and then a set of faded-out card issuer icons that would highlight based on which card type you'd typed in.

A huge number of purchases started failing because users, confused, would type 'Visa' into the 'Name on card' field instead of their own name, and then wouldn't bother putting their own name into any of the other fields.

He ended up changing the HTML to have a drop-down which was completely ignored on the backend just so we wouldn't have failing purchases and a huge support load anymore.

In other words, when presented with a card form that didn't ask what type of card it was, people assumed that inputting the card type (which a graphic made very clear was highlighted already) was more important than putting the cardholder name in.

We learned a lot of other lessons on that project about not assuming people could ever figure things out on their own.


I always get my name wrong on legal websites because my legal name is Abdul-Rasheed Bustamam.

Many sites, like the DMV, don't allow hyphens in names. So my other name is Abdul Rasheed Bustamam.

Some sites don't like hyphens or spaces. So I become Abdul R Bustamam. R being my middle initial, and I don't have a middle name.

Then, some sites have a length limit so I often become Abdul Rashee Bustamam.

These are for organizations like insurance, government, credit cards; when I checked and froze my credit I counted about eight different "legal" names that I have.

I use a password/email manager to manage passwords, but unfortunately there's no name manager :)


Pet peeve as a Canadian: our postal codes are two sets of three characters, alternating letters and numbers (correctly written as A0B 1P0).

Websites invariably fail to accept my postal code because of one of two issues: I did put in a space, or I did not put in a space.

It's mind-blowing to me that website developers can't come up with a solution to this problem other than (mistakenly) telling me what my postal code should or should not look like, when the rules are pretty simple.

The other cardinal sin: Canada Post will sell you a gigantic database of postal codes and associated addresses, so you can look up an address for a given postal code. In many cases a postal code will tell you a specific street, specific side of the street, or in the case of condos or apartment buildings, will identify a specific building, so this is great for making sure the delivery address makes sense.

Unfortunately, new buildings and their postal codes are being created all the time, so I've had a few cases where I couldn't order something online because my (three year old) postal code wasn't in their database, so they just gave me an error saying "check your postal code and try again". I ended up having to get a friend of mine to order my wife's birthday present once because it wouldn't accept my postal code for either billing or shipping.

All of this because someone thought they'd be smart and fucked it up.


The outdated postal codes problem is because of idiocy like this:

http://www.cbc.ca/news/technology/canada-post-sues-over-post...


That's the thing. We have to move away from passwords and to private keys stored on devices. All you have to do is carry your device or smart watch to identify yourself.

If you don't have it, you can still authenticate via biometrics at those places where you previously made an account. But biometrics only works in person, because remotely it is susceptible to replay attacks.


And when your device is stolen?


Such cards could also probably be used as voter IDs, no?

And there wouldn't be any issue of "restricting certain people from voting" because the federal government would have to provide everyone with one anyway. It could also lead to safer and more verifiable voting on voting machines (even though I still believe nothing beats pen and paper at this).


This assumes that the version of democracy wanted in the U.S. is a version that allows everyone equal access to voting. You also make the mistake of assuming that the version of democracy that the people want is the same version that the government wants.


Yes, a key point will be that they must be free.


Yes, that is a necessary condition but it is not sufficient. Accessibility is another issue.

* Do replacements cost money?

* Do I have to go somewhere in person to get the card? Is it within walking distance?

* What are the days and the hours that this place is open?

* ... (there are so many more questions but most importantly)

* How do we pay for it?


Yes, this stuff is crucial. In the US, many people say "what's wrong with requiring a specific ID for voting?" and in theory there isn't, except when you have to trek for half a day on public transit to get to a place where you can actually apply for ID. And you need ID in order to verify you are eligible for the ID! Not everyone has a driving license.

If it were done benevolently and with the best of intentions, it could work. But it isn't.


> Not everyone has a driving license.

I'm a 30-something middle-class white male who works in tech in a large Canadian city with excellent public transit. I don't have a driver's license, and I'm constantly running into idiotic barriers because I don't have one. People and processes seem to assume that I do and when confronted with the contrary, a lot of people don't really know what to do.


I work in the same city and am in a similar situation, but there are non-drivers-license options[1] which you can use. I use my CareCard and US Passport Card until I'm able to get an enhanced ID/BCID.

[1] http://www.icbc.com/driver-licensing/getting-licensed/Pages/...


And you know why this won't happen?

Republicans don't want a national ID and Democrats don't want to anger their base.

I am not a huge fan of the idea (from the Republican side although I'm not a Republican) but at this point I don't even care because companies cannot be trusted to handle this.


Federal employees wouldn't implement a project like that - contractors would. Like Equifax. (Or my employer, for whom I am not speaking.)


> "the IRS has determined Equifax is the only business capable of providing this service."

Equifax and capable in the same sentence? Oh IRS...

The hackers should incorporate! Then two businesses would be capable of providing the service.

Would it be 'ethical hacking' if you hacked companies like Equifax so you could offer their data to tax-payer-funded clients for cheaper than companies like Equifax do?

</silliness>


The important part of the reply:

> As noted in public records, the short-term contract was awarded to Equifax to prevent a lapse in service during a protest on another contract. The service relates to assisting in ongoing identity validation needs of the IRS. Equifax provided these identity proofing services to the IRS under a previous contract.


Well that's an obvious problem, because it means that whoever stole the Equifax data, and whoever they sell it to, basically has the answer key to the IRS's identity verification questions.


Yep, also the answer to questions asked when applying for a birth certificate from any US state, among other identity verification services provided by the credit agencies.

And this: https://krebsonsecurity.com/2017/10/usps-informed-delivery-i...


This is just mind boggling to me:

> "Perhaps this wouldn’t be such a big deal if the USPS notified residents by snail mail when someone signs up for the service at their address, but it doesn’t."

That should be part of the authentication to enable the service (enter a code on the mailer to finalize setup). The fact that it doesn't send anything is just mind boggling.


It's almost like it was planned.


I just watched Mr. Robot, so I've been following the Equifax hack and jokingly been thinking "What's phase 2?" I guess I know now.

It feels like they have House of Cards syndrome. They can't write something more ridiculous than real life.


"The no-bid contract, which pays $7.25 million, is listed as a “sole source” acquisition, meaning the IRS has determined Equifax is the only business capable of providing this service."

If they are the only business capable why not make them bid anyway just in case?


Because the functions of government bids are supposed to be clear and transparent. Large bidders over time build increasingly customized software for the government until there is lock-in.

The greater problem here is the theory of competition when it comes to government, since it is often the case that there is little or no competition, and entrenched monopoly providers of government services and services to the government (separate things).

Obvious to me that certain functions and competencies must remain inside the government and outside the profit motive. The inevitable outcome of niche provision of government services tends to be a parasitic relationship between government and corporate provider, and this ultimately costs citizens more in the long run - and not just taxes!


Seriously? They are the only ones? What about LexisNexis, Experian, TransUnion?


Clearly only Equifax has the level of competence sorely needed by government sponsored work.

Surely, if anything goes wrong---it will at least be the things the government wants to go wrong.


It is likely this identity service product Equifax bought in 2010:

https://investor.equifax.com/news-and-events/news/2010/10-04...


If the IRS thinks that Equifax is the sole source for identity verification, especially after their breach, then the IRS must have realized how bad their identity verification of taxpayers has been for years...


> a contract to assist the IRS in verifying “taxpayer identities”

I'm guessing they will use the last 6 digits of the SSN for verification purposes.

> the IRS has determined Equifax is the only business capable of providing this service

We all know that isn't true. There is something very rotten with this.

Anyone in possession of the Equifax breach data can get validated as 143 million different individuals.


Presumably the 143 million identities are valid. Would be an epic troll if 99% were salt/fake only to detect and track use.

Authentication is verifying someone is the person represented by a valid ID.

Authorization in this case is some authenticated person having the legal authority to look at or fill out someone's tax paperwork, not necessarily the same as the person under discussion, consider my accountant or my wife's PoA over her elderly uncle, doing taxes and financial things.

You can be super black pilled about the IRS or perhaps slightly more white pilled that they're only doing validation... if I live at 221B Baker Street and I type in 2218 Baker Street it would be nice if that could be caught and fixed. Yeah, yeah, I know, reality is probably some fuzzy location in between.

Although it sounds weird for a company based on gatekeeping "secret" data (which hasn't been secret in a long time) to allow its secret data to leak, it's an old business model to create a problem for which, surprisingly enough, you also have a profitable solution. It's highly likely in a year or two we'll all have Equifax smart chip ID cards. Like a military CAC card but with 100 times more users.


> Presumably the 143 million identities are valid. Would be an epic troll if 99% were salt/fake only to detect and track use.

The 143 million PII records likely represent almost every adult taxpayer in the US. These records didn't need to be released purposefully. Even if stolen, nothing but the possession of those records may be needed to authenticate as almost any one of the adult taxpayers in the US.

> Authentication is verifying someone is the person represented by a valid ID

Why do you believe that auth in this context requires validity of ID or even an ID of any kind?

> It's highly likely in a year or two we'll all have Equifax smart chip ID cards.

I'm not convinced this is a highly likely scenario.


> We all know that isn't true. There is something very rotten with this.

This is par for the course with procurement, isn't it?


Indeed it is.


So, why didn't the IRS just download their leak and do the verification in house?

/snark



2017 has been the most bizarre year of my life so far.


2018: Hold my beer.

featuring: NK, Trump, Blockchains, Brexit, Nature doing Nature things, pending economic bubble burst, et al.


Your life will probably keep getting weirder and weirder: https://www.tor.com/2010/08/05/divided-by-infinity/


That was an excellent read. Thank you for the link.


We need to remember that this process probably started months ago before the hack. Also, remember that Equifax (while not really loved) was not really thought about as being a really bad company.


Now they can crowd source this project.


Clearly only Equifax has the level of incompetence needed by government sponsored work.


Awful time to be a satirist. How can you even parody this stuff?


[flagged]


Yup, exactly. Every non-capitalist society ever crafted has been free from corruption and greed. Nothing but selfless politicians and happy citizens there.

[1] </s>


Nuts



