It's fashionable to talk about how dystopian social media is, but in my experience, it pales in comparison with the pure hell that is trying to use ID.me and realizing that such a poorly engineered system sits between a loved one of mine and their social security payments.
I tried to help set a relative up a while back to receive his payments, which required authenticating with ID.me. Over and over again, the facial recognition feature would fail and prompt to take a new video. It took reaching out to a support line to assist, but they weren't particularly fast or helpful. I couldn't imagine being his age and trying to set this stuff up alone.
For every beautiful, artisinal website experience out there that takes UX seriously, there's an equally horrible one that stands between you and something you need and it's pretty clear that the people behind that system don't give a damn about you the user.
> I tried to help set a relative up a while back to receive his payments, which required authenticating with ID.me.
Isn't it weird for the US to rely on public services that are managed on the TLD (.me) of a foreign country?
I see the same stupidity with my own country's government where they use independent domain names for every service rather than a single, high value namespace (ex: gov.TLD). I guess I should just be happy they use our country's TLD. Lol.
The TLD is one of the only ways that's quick to teach as a way to verify a domain. It's absurd to use another country's -- especially as I've seen first hand how the actual operation can just be handled by a small and easily-infiltrated group (as sometimes the TLD is initially handled by a university group).
It was always funny seeing news about the instability of government in Libya and then also see a bunch of projects come out using the TLD (.ly)
It really does raise the question what other obvious (or not-so-obvious!) risks they ignored. How is "a foreign country can perform a DOS by using the DNS system as intended" not an obvious problem?
Imagine if the service was called who.ru. What could possibly go wrong?
It was pointed out to me, a millenial, that Social Security was created and administered in the Depression era before computers even existed. To think that they somehow created a working system without the tech that we throw at it today is interesting.
In some countries, the modern systems are byzantine.
In New Zealand, which is similar population to say Oregon, the modern systems absolutely spank the old systems.
Tax: the majority of people don’t need to file a tax return, instead it is all automatic. You only file if you have income from uncommon sources, such as foreign investments. Any questions, and I can call my tax department, and I get a person who answers the phone call, and answers the difficult questions correctly. They don’t treat you like a criminal: 10 years ago I personally did five years of unfiled tax returns simultaneously . . . I rang and asked questions of the tax department, and got my refunds without any trouble. I believe you can trust the tax department (YMMV).
Local government: I can walk in to their help desk and ask questions for free about the council rules and processes. I admit the help desk does not provide legally binding opinions, instead you need to go through formal processes. The local council may be slow and difficult for some things, but the process is fairly transparent and you can get closure on questions if you persist. The local council has restrictions on what it can do. There are automatic rights to house development, so if you follow the planning rules (setbacks, recession planes, etcetera), then it is unlikely for neighbours or local government to be able to chuck a spanner into your plans to build on your own property.
Passport renewal: last time I did it over the internet.
Mostly the government interactions New Zealand at least functional, and sometimes they are even pleasant.
The exception is our legal system, which is still mostly paper based, and archaic. Although anecdotally it works better than the US system.
I bet he's right in a lot of cases. I think the difference would be that back then you had actual humans making every decision and everything was local so the social and cultural expectations from everyone involved would have been more predictable.
Plus, I imagine everyone made more effort to be civil when interacting because everything was face-to-face.
I wonder if it's survivorship bias. Same as not every old building has survived the times, only the amazing ones did, maybe just the "amazing" government systems have survived, while the others have long since become forgotten. I put amazing into quotes because SSNs have plenty of problems, but at least they are successful in that they are used everywhere. This in turn creates the impression that government systems used to be better than they are now.
True, because those systems were designed for pre-computer technologies, and all we did when computers came along was put the same systems not designed for computers on computers. This is how we ended up using mice to sign signatures on 8x11 PDF forms that then have to go through an OCR to be input into other computer systems.
I just bought an Epson Ecotank printer. Supposed to have the advantages of a laser jet but not be nearly as expensive refills. The printer itself was $200, though.
Toner is cheaper per page than ink. But the quality of photo prints will be slightly better with inkjets. If you never print photos (on photo paper), a toner printer is perfect.
This os because procedures were repeatable, doable by a layman, and persisted in a way that was trivial to navigate.
(Paper file navigation is so easy my Gram can do it faster than me!)
Computers added:
-Hardware abstraction
-Software abstraction
-Storage abstraction
-Search abstraction
-Indexing abstraction
-Networking abstraction
-Legislative abstraction
(When you have a computer to program once instead of a workforce to train, people are more willing to complicate things instead of leaving well enough alone)
I have a theory about your dad's observation: i bet it's because a physically implemented system can't afford being realized through pulling in deeply nested dependencies, and their bugs and weird corner cases.
We also got to the moon without calculators. (This used to be well-known but may not be anymore - I'm not sure. Forgive me if I'm saying something obvious.) Pretty incredible how unnecessary most of our "technology" really is.
Can't find it now but one of my all-time favorite engineering memes goes something like, "modern engineer, cries when Matlab crashes; Roman engineer, built aqueducts by eyeballing them."
I mean, if we're talking about Apollo, they had IBM mainframes and I believe the Apollo guidance computer was actually the first computer made of integrated circuits which was crucial to fitting it within the power/weight budget. I'll bet a lot of work was still done with slide rules though.
> In 1935, the first group of female human computers were hired. Before electronic computers, all mathematical equations and computations would be done by hand by people, often known as human computers. With the advent of World War II, many male employees at NACA left to fight overseas. More and more women were needed to fill their roles, and soon African American women were hired to help with the shortfall.
> These African American women were sent to a segregated computing section known as the West Area Computing Unit, which was the center of the 2016 movie Hidden Figures. In April 1942, a memo was passed around stating that, “The engineers admit themselves that the girl computers do the work more rapidly and accurately than they could.” The women computers were becoming increasingly more valuable and doing incredible work along the way.
> the people behind that system don't give a damn about you the user
Or at least, the people buying the system don't have the technical ability to create it, and the contractors who won the lowest bid to create it don't care about anything other than having the project's completion signed off on.
That was exactly my experience as well! I was beyond frustrated.
Unfortunately I had to do this just to PAY MY TAXES since I had received some unemployment benefits and the relevant form was gated behind my Dept of Labor acct that had, of course, been long since locked due to scam attempts.
The more that you need a system the less the designers need to care about UX. If this one service is something you absolutely have to use, then you will use it regardless of awful UX, because you have to. Conversely, if the service is something that's simply nice or fun to use, or there are tons of alternatives, then the UX must be good or people will go without your service or use an alternative.
IRS’s use of ID.me [1] is one of the oddest public–private partnerships I’ve seen. Facial recognition aside, why should I provide my personal ID to a private company to verify myself with the government that issued that personal ID in the first place?
And similarly in absurdity is that the IRS does not have the ability to accept direct payments via credit card or debit card. There's a separate public-private partnership for that.[1]
I'm sure I got fucked this year: one of those sites said in big letters at the top "we attribute all transactions until midnight to today," so I chose them.
I gave them thousands of dollars (hoping to get some of it back as credit card points). I immediately got an email saying "Thanks for your payment at 1:30 AM (not my timezone, tomorrow)." I was livid, and I had no recourse.
I don't even know how to check for the fine and pay it. I'm just waiting for an IRS nastygram at this point, so I can contest their "processing fee" on my credit card.
In my experience, if you miss the deadline that closely, the fine from the IRS is negligible, or they ignore it entirely and move on because it's not worth the effort to follow up.
Though why you would leave it that close is something of a mystery to me. After all, you might have connectivity problems or an unexpected personal emergency or something. It's not like you didn't know the deadline was coming up.... just pay a day or two early and avoid the stress!
(I'm sure there are people who legitimately have to do it at the last moment for some reason. But I don't believe that's the common case.)
IRS Form 4868 (tax extension) exists for a reason [1]. The tax system is needlessly complex, especially if you're dealing with business ownership, salaries, or basically anything that creates additional tax complexity.
I've outsourced this clown show of an obligation to an accounting firm for the past 6 years or so, but for some that's simply not a feasible option. Nor should it be required -- an additional cost for the privilege of knowing how much you need to pay in to the government (who pretty much already knows this amount, in many/most instances, mind you) is beyond absurdity.
Tax filing in the US is archaic and like I've mentioned previously (but I'll say it again because it's a constant source of frustration for me) a needlessly complex process.
Honestly, I did them a couple days before and I was sleepy, so I wanted to look at them with fresh eyes before agreeing to spend a bunch of money in taxes.
Square Cash took over Credit Karma Tax this year, and their CA state form was atrocious.
They can do direct wire transfers and that actually concerns me more. I had zero interaction with my bank. I gave the IRS my bank routing and account number then told them how much to transfer. Not even a single email or text message from the bank at all. As far as I can tell there is no upper limit on how much they can withdraw. Ever since then I have been super careful what I keep in banks.
Yeah, that's how the banking system works. Every single check in your checkbook has your account number and routing number on it, and those two numbers are literally the only pieces of information necessary to transfer money out of your account.
What the system lacks in technical security is (supposedly) made up for by legal protections/processes--yeah, it's incredibly easy to take money out of an account, but that transaction _will_ get reversed if it was fraudulent.
It will get reversed if you notice it and report it soon enough. But the law only requires they give you 60 days after they transmit you a statement. I believe for businesses, you are only protected for 2 days.
I get that is how it works, just seems alarming that the bank didn't send me anything. If I typo my pin code in the grocery store I get an email and text right away. My debit card has limits how much one can withdraw. A wire transfer has no limits, yet an org that never did a wire transfer from my account shows up and pulls a large amount and I get nothing.
It's just a different type of transaction. Not sure about your bank, but mine has separate alert settings for ACH vs. Debit transactions. I have alerts set up for both (and wires for that matter).
Yep. Nowadays with cash-by-phone, it gets even scarier: I had $5000 withdrawn from my account due to bad OCR on a check. It took way too much effort to get it reversed as well, even though the picture of the check in the banking app showed obviously wrong information.
I wish they could do wire transfers easily, instead they don't say anywhere but their standard "pay by bank" is with ACH. You can quickly run into ACH limits with your bank and then end up paying your taxes late. This happened to a friend of mine.
To pay them with wire is extremely complicated and requires setting up an EFTPS account.
I wasn't referring to financing it. Nobody in their right mind would do that. If you pay your bill in full at the end of month you don't incur those usury rates. Many people treat a credit card like cash.
Well that's mostly what I was referring too. But regardless, the government also probably doesn't want you to pay your taxes with a payment method where you can easily issue chargebacks.
If you have the money to pay your taxes, less hassle for the government for you to not pay with debt. If you don't have the money better to just pay late.
>"But regardless, the government also probably doesn't want you to pay your taxes with a payment method where you can easily issue chargebacks."
You realize the IRS accepts check right? You could also just easily put a stop payment on a check or write a bad check. There would be no point in doing that of course just like there would be no point in in issuing a chargeback for a card payment.
The IRS accepts checks for historical reasons, and I guarantee you people have written bad checks for their tax payments. Alas people do silly things like that regardless of your assertion that it is pointless.
I spent hours and hours setting up an ID.me account (I'm a US citizen living abroad), had to use a VPN, numerous SMS verification failures (even using a US number), extreme hold times for a video interview, incorrectly OCRed US passport (issue date read as date of birth) resulting in immediate rejection with no workaround... I had to blur the date in order to get around the OCR (good luck to non-techies).
All to be a) spammed with 'deals' I did not sign up for the next day from id.me, and b) to access an IRS page that really isn't very useful.
It's a really stupid partnership which of course exists to avoid the government giving you a digital ID themselves and something something private enterprise something something, but of course ID.me has a monopoly so those points are moot.
Plus, if we go to all of this effort to have a secure, authenticated portal, it would make sense to then be able to actually use the portal to do things. Once logged in I can't change my address (send us a paper form!), I can't see the status of paper-submitted returns (received/processing/etc), nor can I see a digital record of communications from the IRS... they show 'some versions of IRS notices' but I still get paper letters from the IRS that are not on the portal (despite signing up for paperless communications).
(That's the ideological cover. The reality is that the public-private partnership funnels money from the state to the shareholders to the party donor class. Both parties.)
If youre at all familiar with Dick Cheney's role in the 90s as secretary of defense - this is exactly the framework he built for the MIC to funnel money out of the treasury and into private pockets.
This is also part of the reason for the ~$60B in aide to Ukraine and why all of a sudden senators are making "surprise visits" to Ukraine.
Tangentially related -- My wife recently had to provide her SSN, DoB and her fingerprint scanned by a third-party company [https://www.printscan.com/about-us/], which is "owned, and operated by active and retired Law Enforcement Officers". We both felt really uncomfortable providing such sensitive information to a third party company, but had no choice because Florida board of medicine [https://flboardofmedicine.gov/] uses PrintScan as a partner to do background checks. The fee was $125 for fingerprint scanning at one of their locations.
According to that company's 'About Us' page, "PrintScan’s certified fingerprint technicians undergo extensive background checks before being cleared with the FBI, NYS Department of Criminal Justice Services, Florida Department of Law Enforcement, and Homeland Security."
I looked up on the FBI website to see if they provide similar background check service, and sure they do for $18! I have a hard time figuring out why FL board of medicine uses a third party service instead of FBI to do background checks, and also wondered why shouldn't FBI background check be enough/sufficient for criminal activity (i.e. don't states share their criminal records with FBI?). All of this is to say that the existence of companies like PrintScan--and the fact that one of the state governments uses it--is definitely concerning to me.
I used to work with the FBI fingerprint system IAFIS.
It was a very complete system at the time and used in many situations for background checks for everything from LEOs to day care centers for cheap. We also had hard requirements around 99% of responses had to come back within 10 minutes.
Anyway, that's changed quite a bit the last few years..
More and more State & Local stopped participating in the system -
https://www.washingtonpost.com/crime-law/2021/12/09/fbi-poli... - so huge swathes of data just isn't available anymore. Then more DAs are choosing to prosecute fewer crimes and negotiating down serious crimes that would trigger alerts (usually felonies) to lesser crimes so the data that is there may not be representative of the situation. And finally, the overall crime statistics are being characterized as "racist" so the FBI is getting more cautious about what they release and how.
So.. less data, incomplete/wrong data, and less access to the data.
All of those mean "competitors" have room to operate.
I know you had several points in this comment but this stuck out to me
> Then more DAs are choosing to prosecute fewer crimes and negotiating down serious crimes that would trigger alerts (usually felonies) to lesser crimes so the data that is there may not be representative of the situation.
Isn’t this representative of the situation? They didn’t get a felony and the background check shows they didn’t get a felony? Are background checks supposed to be extra punishment on top of what the judicial system determines?
When the government goes soft on crime, you need to look deeper to find the truth about matters. And make no mistake, it has gone soft in some places. I would pay extra to have a background check turn up everything it can, so I can make my own determination.
I still think that’s not something you’d want to have come back from a government background check. As long as they they are dutifully reporting the truth of the matter in terms of how the government ruled on the case then that seems like enough.
What your describing sounds like it should stay out of government hands just on an ethical basis
The employer is asking for a background check to minimize losses/insurance payments due to employee theft. If the government background check does not reflect the risk of the individual being involved in theft in the past (for whatever reason), then the employer will find another, perhaps even less ethical provider of information to assess the risk.
It's a case of a measure ceasing to be a good measure because it became a target.
The purpose of running a background check is to predict if someone will be a problem. But they work by measuring interactions with the legal system (probably convictions in particular?). And if suddenly most of the behavior you care about stops generating records of interactions, well background checks just got a loss less useful.
One thing I’m not very happy about is that in the US, in order to get a background check of any kind, you need to get fingerprinted and have those prints enrolled in the FBI’s database regardless of if a match comes up. In many other countries, a background check is just querying the national criminal record database for your identity, which seems much more proportionate for most employment based background checks. I’m not thrilled about being enrolled in a fingerprint database because latent prints exist and are so inaccurate.
Any fingerprints submitted as a background check were required by law to be deleted pretty quickly (within hours, iirc). Fingerprints submitted as part of an arrest were different.
Unfortunately, that may have changed as many gun control advocates have pushed to keep fingerprints from background checks on file indefinitely. I don't know if they've been successful.
in the US, in order to get a background check of any kind, you need to get fingerprinted
This is false. I've had my background checked at least a dozen times. Most recently, just this past October, and I have never given my fingerprints to anyone.
I don't think there is any reason for involving a private company, aside from the kickback/corruption ones. I've had to get fingerprinted and background checked for several jobs in different states and all were done through the local police department.
Accessing government services should never result in your personal data being delivered into the hands of private for profit companies.
If they want us to hand over our facial recognition data (something that has never been needed before and isn't actually needed now) the government should create their own service where any data collected is never used for anything else.
I think it's just pure laziness and a total lack of concern for the public that government websites are full of Google trackers, but when I see a company like ID.me being used I assume somebody is getting a nice kickback somewhere for handing over the American public's data to a private company to exploit and enrich themselves with and all at the tax payers expense.
I think from the IRS' perspective, they wanted to reach a NIST-certified level of identity verification (NIST 800-63A IAL2 [1]), and there is no governmental service which offered the ability to do that[2], so they went to a private company.
I have a lot of notes around this whole dustup; it's my opinion that:
- The IRS acted in good faith trying to secure its website in the best way possible
- It's very unfortunate that the US government at the same time promotes a particular standard, but does not provide a service matching that standard and seems to currently have no plans to do so
[2]: login.gov is IAL1 but not IAL2 compliant; IAL2 compliance requires biometric verification and login.gov does not do this. I also think the IRS had concerns around scaling login.gov, but that the lack of biometric verification was decisive[3]
> It's very unfortunate that the US government at the same time promotes a particular standard, but does not provide a service matching that standard and seems to currently have no plans to do so
id.gov could be a great project for the US Digital Service [4] and 18F [5] who are the ones that delivered login.gov [6].
Yes, absolutely. However, they still have to work through the scaling issues and the govvies need to figure out how to deal with the fact that login.gov not only does not, but will not implement IAL2.
Does anyone else have regrets about being in the tech industry when things like this, privacy issues, leaks, etc seem to be a big thing on a nearly daily or at least weekly basis now?
I love what I do, I really do. But stories like this make me want to get a "boring" tech job that I am just maintaining something. Not innovating anymore and at the mercy of not technical people telling me to make horrible decisions.
I just find it disheartening. I am just curious if others ever feel this way?
> Does anyone else have regrets about being in the tech industry when things like this, privacy issues, leaks, etc seem to be a big thing on a nearly daily or at least weekly basis now?
I personally don't but I think the issue here is that things like ClearView AI and ID.me and the related controversies were inevitable. Just as we're seeing with the development of DeepFakes. An astute observer can probably pretty accurately pick out the differences but will that be true in five to ten years? Audio faking is already fairly good.
Once any technology is close, there will be people telling you it's solved. Look at self-driving cars. All these "we've solved it, autopilot is the greatest thing since sliced bread" takes are pushed as marketing, meanwhile the capabilities are substantially lower than human drivers. The bar for these kinds of things should be, at minimum better than a human.
The issue isn't with the tech itself but the actors involved. It's a tool, and like any others it can be abused. What makes it dangerous is that the limitations of these tools don't appear to be investigated at all, which is a failure of something or someone, I'm just not sure what or who (probably government).
Coupling a "not quite ready" tech with some snazzy marketing and shady practices seems to have been par for the course for a lot of technologies that emerged from the post-industrial revolution era, and in some cases even before then. Just chemical examples: Leaded gasoline, CFCs, DDT, Thalidomide, etc. You could look to something like cryptomining and its environmental and social impact as another more modern tech example.
I think a lot of what you said emphasizes my view on non technical people making decisions and/or being the public face of a very technical product. I don't mean everyone in this regard.
But I imagine many of us have been on the side of being told that marketing/user retention wants a dark pattern introduced. "User Research" wants all kinds of tracking introduced. Finance wants ads. Management wants something quicker so we cut corners (or worse they tell us to release something even though we say its not ready and very buggy but marketing was making a big deal about it... which I have personally been involved in. Will give one guess how that one went and then who was blamed). Or any other decision made by someone non technical that is a bad decision and is another controversy waiting to happen.
I still see technology as a great force. I still believe in it. I am lucky that my current job, I don't have to deal with any of these things. But we are not a consumer facing operation. But when I look to the future, I find myself asking myself. Where is the industry going and it feels like it's just constantly getting worse. I worry about being in a position of needing to be involved in that again.
The way I look at the most general version of the issue I believe you're raising is that technology is morally neutral. It's a tool, in some forms an amazingly powerful tool, and like all tools, that awesome power can be used for good or evil.
Technology is only neutral in the sense that guns, nuclear weapons, and neurotoxins are neutral. No, not all technology is the same, and much of it is evil. This loosely falls into the same fallacy of "it can either work or fail, so there's a 50% chance" - you are wildly misrepresenting the space in order to project a stance of neutrality.
I really think what you're saying is just something engineers tell themselves to feel better about what they do. I hear it more often from people at FAANG, defense contractors, and other morally ambiguous places than anywhere else.
Also, if you're the guy building a tool that's oppressing someone, you are the guy building the means to oppress someone. There's nothing neutral about that.
Using a gun on another human to defend my family from immediate threat. Moral.
Using a gun on another human to inflict harm on an innocent. Immoral.
Thus "tech is neutral, usage determines morality".
HOWEVER
what if we are in a society where using guns is the normal way to resolve conflict? Where everyone is required to carry a gun at all times and be prepared to use it to defend their family? Is the tech still neutral when it becomes a cornerstone of every interaction?
Well a lot of people would argue that guns are neutral, at least.
But that aside, I do mostly agree. It's nonsense to help produce something that you know will be misused and then absolve yourself of responsibility.
The problem is not that people like this crap, it's that building and selling it is absurdly profitable and people like money. I don't know how you address such a thing other than to have government step in and block it (see GDPR, tracking cookies etc)
I agree that technology, in the abstract, is usually morally neutral. But very few people work on abstract ideas for the sake of knowledge. Somebody's paying the salaries to develop and implement the technologies, and they're doing it to achieve a mission or earn a profit. If you're building a gadget or deploying a server, you likely have a goal.
To work for a company is to support their mission (unless you're a corporate spy or saboteur). The morality of your work should be partly decided by how much it improves or worsens the morality of the company's actions. Not "guilt by association," but "guilt by participation."
Personally, I think this logic also applies when the outcome of the technology is obvious. If you devote your life to making a mind control helmet, you can't play the "technology is morally neutral" card.
Philosophical disclaimer: None of this is meant to be black and white rules. There are always murky situations involving trollies and stolen loaves of bread.
I sometimes wonder if the "technology is morally neutral" argument holds up.
Some questions I ask myself
Certain technologies force a certain world view. If that world view is not moral, then the technology is not moral.
If a technology is inherently dehumanizing, how is it moral?
Does the technology have room for forgiveness, repentance, and redemption? If not, how is it moral?
The counter-counter arguments is to move up the stack. "computers are neutral, but a computerized system which does X is immoral. So we can only have computerized systems which do Y". But what if the problem is that computerizing something inherently makes it immoral?
A toy example: When something becomes a metric, it loses its value as a metric ("lines of code", "rankings of universities", ...). Computerizing things makes them standardized metrics.
Depends what you work on. If you are working on super privacy invasive projects and have regrets then at minimum that is a problem for you and reducing your quality of life.
I generally do not get disheartened by this sort of thing but you also probably will not ever see me working for Facebook for example.....
Does anyone else have regrets about being in the tech industry when things like this, privacy issues, leaks, etc seem to be a big thing on a nearly daily or at least weekly basis now?
Just an hour ago I was thinking to myself, "I wish I was good with my hands. I wish I could do anything but this."
Computers are the only talent I have, and changing careers would mean going back to entry-level pay, which I can't do at this point in my life.
It used to be that when you got fed up with your profession, you could go teach. But that doesn't pay jack squat anymore.
I totally understand how you feel, and have similar thoughts myself. I love programming and find technology fascinating on a technical level, but either hate or couldn't care less about most of what gets built with it.
Most people I talk with in the industry disagree with me on this but I firmly believe that most product/service updates are net negative for the user. They get done for the benefit of a company, with a lot of spin and marketing on top to make it sound like it's actually a good thing.
The short of it is during one of his investigative blog posts, he released the real life names of two security researchers who he believed (based on a single source from Twitter) ran a scam. Sean Hollister, a reporter for The Verge (among others) rightfully called out Krebs' actions as extremely misguided and potentially harmful [1].
In another case, he released the names and details of the people he believed were running the Coinhive cryptomining scam. He also compiled and released information on three people who he thought were connected to the Shadow Brokers group, although he has since unpublished that post (some analysis at [2]). There's even an urban dictionary term: 'krebbed' [3]. There's been discussion here, and elsewhere, although it's mainly back-and-forths on Twitter.
The issue I take with it is separate from whether or not he was correct, but that he is taking it upon himself to act as the judge, jury and executioner of potentially innocent people by releasing names and personal details of people on his blog and on Twitter.
Edit to add: He's even posted someone's passport before, which is kind of wild to think about [4].
[4] See his blog post "Meet the World’s Biggest ‘Bulletproof’ Hoster", where he still has the dudes passport picture (with all info, no redactions) up.
It's an expression that I thought most people would understand, but to make it abundantly clear: I do not think that Krebs is executing people. Nor do I think he has the legal training to be a judge. He might have been on a jury before, I'm not sure.
I am using it as an expression to state that he is taking upon himself the task that is normally reserved for either LEA and/or the court system, which is ascribing guilt.
Courts ascribe guilt by questioning private individuals for their testimony ascribing guilt.
"Costing an arm and a leg" is an idiom. "The disease cost her an arm and a leg" might be using the idiom to refer to the costs of medical treatment, or could refer to the literal amputation of limbs. Most people use context to understand this. For example, what was the disease?
Disapproval of doxxing is often specifically because of the danger it can pose to the life and well-being of the victim. In this context, a reference to execution does not seem like an innocent expression.
He appears to be acting as an investigative reporter. Such acts have a long history of naming and shaming people, even ones that were not previously public figures. That he writes for his own publication is not really material to the fact that he is acting as a reporter.
Funny enough to some, I disagree with any reporter who names private citizens with little proof and no avenue for recourse. Especially when they post things like a persons non-redacted passport, for example, which has plenty of personal information that is not material to the story in any which way.
If you have enough information to release a bunch of personal information on someone and tell thousands of people that they are guilty of something, you should go to the appropriate LEA and either take some care writing your story or wait until an actual investigation has happened, reporting on those results.
Edit to add: At least in this case, regarding Krebs, it would seem that at least one senior editor and journalist agrees with me that Krebs acted unethically (see the first comment for a link to a tweet by a senior editor at The Verge). Other major news organizations (e.g. CBC) have policies not to named those only accused of a crime, except in extenuating circumstances or after a charge is laid/legal proceedings have begun. They must also report on the outcome of the criminal investigation.
You’re fine. I’m a native English speaker and never knew this. I’ve seen “Democrat” used as a performative but only by their political rivals who do think the name is pejorative but it wouldn’t matter what name was used.
I can't even sign up for ID.me since they didn't contemplate the idea that my proof of residency documents would be in Japanese when I live in Japan, and their reps can't read Japanese nor will they accept annotated translations of them.
Let's not forget a huge problem in our modern world, and that is multiple, sovereign nation states willing to do anything and everything to get leverage against one another, including trying to infiltrate and hack every single piece of hardware and software produced. Gone are the days when human fail safes could catch each other. Now, any computer can be hacked so no amount of them will prevent attacks unlike a line of humans who have to vet the information.
Just a guess from using both of them. Login.gov does authentication, ID.me does authentication and visual verification. ID.me would have you take a video to do facial verification when doing any sensitive actions.
This is what happens when everything is just contracted out willy nilly with people running systems that have not kept up with the times and (at best) are reaching their own level of incompetence.
Or at worst there were big kickbacks involved and something nefarious is going on here.
I bet the images and videos collected by facial recognition partners doing KYC for crypto exchanges also wind up in various nations' law enforcement databases.
I don't know anything personally but I do have a friend who works as an engineer at ID.me and he explained to me that they really don't store any data.
The way it was explained to me, (apologies if there's anything factually inaccurate in here, this is my recollection from a while ago, just before the IRS very notably decided to cancel their contract for the 2021 tax year?) they had an army of people whose job was literally to visually compare the person's selfie to the ID they presented, and if I understood correctly, they also had some facility for verifying the presented ID was genuine. And that was it.
(Edit: I see from clicking through to the CyberScoop article "ID.me CEO backtracks ... on 1:many recognition use claims" that it may not be the case that's all they do with each selfie, and that in reality they do store the selfies, based on a regulatory requirement that they must do so for 7 years.)
I think based on that conversation (and sure, call me biased) the "invasion of privacy" concerns were way overblown. If you think the best way to implement an ID verification system is to hire more permanent government employees and have them do the job in-house, ... I'm on Hacker News, so I'm going to assume that nobody thought that.
If you have concerns about the truthfulness of this scheme (does it really happen without permanently storing any selfies?) I think those are fair concerns, and we should know the answer.
But is there anything to be really concerned about, if there's no permanent storage? I don't understand. Can someone explain it to me? I think that the "invasion of privacy" ship must have already sailed, the government has your photo ID in a database, and it's already on record there forever.
What does it matter if the verification is outsourced to a private company? Is there the capacity to do this already inside of our government? (Would you trust them to implement such a system efficiently and correctly without private help?)
What level of oversight would make this scheme appropriate, I guess is my question? Is there any ID verification system that people who are up in arms would accept here? I'm in favor of probing the questions but I am not surprised that wait times are longer and support staffing was evidently reduced, after the IRS cancelled their contract. "You reap what you sow."
> I think based on that conversation (and sure, call me biased) the "invasion of privacy" concerns were way overblown
I mean, that's why this calls for a probe, right? I also suspect they were overblown - but that's why you look into something.
> I think that the "invasion of privacy" ship must have already sailed, the government has your photo ID in a database, and it's already on record there forever.
I absolutely disagree with this framing of the question. It's false equivalence to suggest that once something exists somewhere "unprivate" that any other system would also be fine. We are going to need to dig into systems and understand if the reduction in privacy fulfills a necessary function and push back on all the systems where that isn't true.
There's no magic in "public" v.s. "private" companies - but each new layer introduces new potential for mismanagement and so you need to ask everyone to "get to the bottom" of what happened.
Years ago I read about a Russian product based on facial recognition. Their pitch was that you could take a picture of an attractive stranger, send them the picture, and for 100$ they would send you all of her information in a matter of minutes so that you could strike up a conversation. Of course this sound really creepy, but why? The information is public. Is it the amount of money? Police and governments want this sort of tool. We don't bat an eye when a cop uses such tools to pull all of your license/insurance information during a traffic stop. Is it more creepy or less creepy if such tools are also made available to the public?
>> We don't bat an eye when a cop uses such tools to pull all of your license/insurance information during a traffic stop.
In order to legally drive we basically enter into a contract with the state agreeing to the terms it set. Keeping a current license, registration, insurance etc. During a traffic stop, it is a requirement to hand over the documents, if asked, so they can verify you are within the law. Atleast in the parts of the US that I am familiar with. Same for travel and other government documents, if you want to legally move between borders, you agree to their terms or stay put.
Having random creep take a pic of someone and get their address so they can visit later on, would be a very big problem.
As far as I am aware I still need to agree to the terms that the state of TX has set in order to legally drive my truck on public roads within the state. Meaning a driver's license, current insurance, and current registration. I would not need those for driving US military vehicles, tractors or horses. If this is no longer the case, please show me where I can find that information as I would very much like to not deal with that regulatory mess any more.
That's the one. Setup by former intelligence operators iirc.
There is a flip side to this in places like Russia. If you are at a party and want to talk to someone, you might want to lookup whether she is the wife/girlfriend of the local crime boss/politician/general first.
The cop is in a position of public trust, and at least in theory is accountable to the public if they abuse that ability. Most people are actively aware that the government has their information, because they submit it themselves when they file taxes, apply for their license, etc. Even if you don't trust the police at all, their stated purpose for having and using this information is logical.
A private company is accountable to nobody, trusted by nobody, and likely accessing "public" information that was publicized by an entity other than the individual. They are collecting the information purely to make a profit, not to (again in theory) increase public safety. Their entire purpose is to abuse the information for purposes it was not intended for.
There was a scene in one of the Ironman movies. Tony Stark is at a party and his personal assistant is pointing out people for him. She is recognizing faces and telling him who is who before he talks to them. She is telling him their jobs and backgrounds. Just swap out the flesh-and-blood assistant for a service delivered to your phone. Why is the automated system so much more creepy?
(Such scenes are in probably 75% of all movies. It is an old device for introducing characters.)
Tony's personal assistant may have intimate knowledge of everyone at the party, but probably knows nothing about people outside the industry. And she probably spent a fair amount of time prepping for the party. So she's bound to an upper limit of what a person can reasonably do.
And his personal assistant is a person which is a building block that innately fits into society. Any given person has some level of morals and integrity which would limit what they were willing to do with their knowledge. And even if they don't, people can be brought to justice if they abuse their knowledge/skills or otherwise have some kind of public pressure used against them. An algorithm cannot be imprisoned or even really destroyed and doesn't care one bit what it's used for because it doesn't care about anything at all.
Some of these things seem inevitable, but that doesn't mean they aren't creepy!
That is massively different though, that is a subset of people that most likely were on an invite list before hand. Would be similar to social media recommending the friends you are already friends with in photos you upload. More of a convenience than anything else.
What you mention is any random person identifying any other random person (ignoring the creepiness of taking a picture of someone without their consent). And using that to track down identifying information about them.
It's the expression of unlimited power by tools more powerful than us, perfect vs. flawed in their realtime ability to judge and analyze you in real time. It a a shift further into a world totally controlled by perfect knowledge of all details about every person's life. I don't want to live in that world.
The difference is that at a party like that the people are public persons and used to being recognized. Many of them are probably business partners so he is essentially using his assistant as a CRM to do sales.
Big agencies have entire dossiers on their clients for the sole purpose of brushing up on your info before a meeting so they can come across as super friendly and high touch. Even your hairdresser probably does this.
Main difference being that it isn’t creepy to keep track of things you can’t remember when being friends with hundreds of people is part of your job.
We do bat an eye on such systems. All facial recognition systems are banned for government use in San Francisco. Police use of license plate readers is limited by law. Pretty ironic that people that build and export this tech all over the world are wary of it in their own backyards.
Facebook and other social media isn't far off of this. You really need a name to find someone's facebook profile (but people will usually give out their name to pretty much anyone), and you can of course set your profile to private (but many people don't).
I tried to help set a relative up a while back to receive his payments, which required authenticating with ID.me. Over and over again, the facial recognition feature would fail and prompt to take a new video. It took reaching out to a support line to assist, but they weren't particularly fast or helpful. I couldn't imagine being his age and trying to set this stuff up alone.
For every beautiful, artisinal website experience out there that takes UX seriously, there's an equally horrible one that stands between you and something you need and it's pretty clear that the people behind that system don't give a damn about you the user.