Hacker News | smallnix's comments

Please post a link to a picture of your national ID. /s

I've had to upload my ID card to send money, open a bank account online, verify my identity for a dating app, book an international flight, and ironically to register for the app to have an electronic version of my id on my phone, and weirdly to pay a traffic ticket (why do they care who pays it?), get a discount on my Amazon Prime subscription, and finally to reset my password for my ID.me login for government websites. So all of those are 'fine' I guess, but god forbid you upload it to a third party verification service (the same one that was used for one or more of the above cases where I uploaded my id) to watch pornography, that's where we draw the line?

You are being absurd.

I don't agree with this requirement, but I'm also not so dishonest that I would pretend that it's a security issue.


So think through what you've just said.

If you were able to do all of those things to prove your identity using your ID.. then any identity thief with a copy of your ID could use it to impersonate you in every one of those venues.

That means that somebody else can send your money wherever they wish.. create bank accounts to perform nefarious deeds that tie back to you.. book flights, and subscribe to services on your dime or on a stolen credit card behind your name so that after the chargebacks all debt collection activity aims at you. And finally convince the government to send your tax refunds to them.

In light of this what is absurd about being parsimonious with who and how we share copies of our ID, and why should virtually every website online be deputized into keeping copies of them to provide bog standard content services that might not always be suitable for all audiences?


Yea, I guess you thought through the fundamentals of security better than banks, payment providers, and governments. Well done.

Bro already has a disease, doesn't care if everyone else gets it too. What kind of argument is ... I already sent my ID all over the internet multiple times?

It's not the 'voluntary' services that may or may not want to see your ID, it's the existence of any and all Mandatory legislation, which would be a nightmare.

This is a tech site so I imagine the average user has some deeper understanding than most (technically), but I guess imagination is off the table.

What this would do (requiring all sites) is basically be the end for any and all attempts against identity fraud protection. Indulge a bit of imagination for a moment. If EVERY site is now required to do some form of verification, then everyone's infrastructure now becomes prime targets for PII and troves of identity information, and wherein Amazon, banks, and ID.me can be considered to be at or near the top (I'd hope) for keeping their machines tied down, the reality is that EVERYONE'S servers ARE NOT so well maintained. They WILL be attacked, and shims inserted to steal such identity information, as people have ZERO idea, as they're being shunted around to all these angel-invested ID startups, as to what is or isn't legit, during signup. Wholly, identical pages/domains, as are often seen to steal traditional PCI information, will now be repurposed to this. It's not that the reputable ones are likely to fall, it's the small vendors who don't understand that once a customer is EXPECTED to fork over ID to sign up, any hiccup in the process will be unnoticed, and it'll be ripe for abuse if the server/service is ever compromised.


ID verification is done by 3rd parties. Nobody wants to hold a photo of your ID because it's a compliance nightmare. You aren't uploading your ID to some porn site, you are uploading it to some real-person verification company.

Not what I'm saying. At any time before the legit handoff, there can be a decoy which users would be blissfully unaware of, shimmed in. How many times do domains change again during the signup process of whatever service you're using (page to page)? That's a huge security issue, as it messes with what users expect, and they don't take notice one bit. At the very least it's an opportunity to confuse users not to realize that the main service shouldn't hand-off at step 3, rather step 7. The other option is services verify themselves (backend), but again, that's worse.

Designing secure services is not 'just' one and done by any means, this whole thing boils down to whether security is a trivial, and a done thing or a very hard problem, and it has always been a very hard problem.

It's one thing to hand over credit cards with very little liability and a charge back ability, it's totally another to use irrevocable IDs which can't be resent in the mail in a few days. Then there's the inter-nationality angle. I refuse to use overseas services, who don't recognize a 'driver's license' and want my passport. Sorry, not going to be stuck somewhere because my passport gets leaked and now we need to visit the only embassy 7 hours away before I return home (with kids in tow). Universal ID requirement is a cozy idea but it opens far too many incompatibilities, not to mention country-to-country.


You are making a vague argument.

Do you think it's inherently so unsafe to use your ID in an online context that it is never a net benefit? Yes/No

If you think it is unsafe, what alternative do you propose? If you don't have one, or your idea requires some kind of massive simultaneous buy in by all stakeholders and jurisdictions, give up, your opinion is irrelevant.


Yes, forgive me I was trying to cram too many ideas into a short blurb, else I can ramble on forever.

We're just talking past each other, since there is nuance to your original statement I may be not addressing directly.

>Presenting government ID to random entities is literally what government ID's exist for. Paranoia about this is silly.

While this is not wrong, the problem is that with online entities (sites), the act of 'presenting' is the same as 'copying', so in order to present to a 3rd party 'site' you must do something which lets them (if they choose to) copy your ID, and easily allow someone to forge said ID and use it in other situations to 'forge' your identity, a very bad thing. This is critically different than when traditionally 'presenting' an ID when you're boarding a plane or buying alcohol which is an inherently fleeting act (serves its purpose and NOTHING more). It's also why people are uneasy about ID bar-code scanning but that's a huge whole other discussion.

>Do you think it's inherently so unsafe to use your ID in an online context that it is never a net benefit? Yes/No

It's not 'unsafe' on face value, but as with everything else it becomes very complicated very fast. There MUST be safeguards that disallow the occurrence of my first point, otherwise we're in the camp of facilitating ID theft, again 'copying.'

One need not look farther than the credit card ecosystem. Stolen ones are lifted and sold by the thousands. And if you think, 'dedicated services' will be enough to stop increased theft then please let us all know why such a system doesn't solve the PCI problem. It can't and won't. The biggest travesty will be the average user becoming accustomed to scanning their ID (via picture because this is what the discussion is about) and largely getting caught up in slipstream scams like I outlined in previous posts. ID theft will get a boost, and become even more lucrative.

PCI theft is only made 'tolerable' by the fact that cards are trivially replaceable, and this is the important part, current IDs are NOT as trivially replaceable. Plus I can only have ONE, so if it gets pinched, I can't use my other ID to take out a loan. I am ME and can't change, so it makes sense that I may be a little uneasy to give it out to watch twitter cat memes. I don't even need to mention passports, as I’ve done earlier.

>I've had to upload my ID card to send money, open a bank account online, verify my identity for a dating app, book an international flight, and ironically to register for the app to have an electronic version of my id on my phone, and weirdly to pay a traffic ticket (why do they care who pays it?), get a discount on my Amazon Prime subscription, and finally to reset my password for my ID.me login for government websites.

Ok, well herein lies the disconnect, as I've never had to 'present' ID for most of these situations except for government sites in my country, taxes etc, and I'd like to keep it that way. It's not that I’m against any form of ID, it's that it must be fit for purpose.

The whole argument, and this whole discussion is predicated on the fact that for some reason public discourse is that the status quo, which has worked fine for several decades, must be completely overhauled and we must become accustomed to providing scans of all of our IDs on demand to all services as they are mandated to request them. This is insane. I do not work for an angel-invested ID verification service, therefore there IS NO benefit to myself in advocating for any such requirements, only negatives. It is a complete net loss to require IDs for sites which they are, mind you, completely unnecessary for. Yes, government .gov sites it makes sense, also when taking out loans or other financial information, as they already have huge security hurdles to jump through. Yes I've worked for them so I know. However, requirements for everyone else, INCLUDING PORN sites are unnecessary, the last of which has used credit cards for just such the verification since forever, but like so many other things on earth is inadequate all of a sudden!

Yes, I also do have children, and take the burden of their well-being very seriously. It does not grant me the impetus to persuade the state to try to do my job for me, while in the process creating huge burdensome negative side effects for everyone else.

Traditional IDs are not meant to be 'copied' as they are too costly to replace. This doesn't mean that there couldn't be token-based alternative security authentication services, but that is an entirely different discussion.


It would be a great thing, because it would finally force us to have something better than "I can present a piece of plastic with my picture and some numbers on it" as proof of identity.

You don’t see the difference between it getting out some place I travelled to, opened a bank account to, etc than if I visit grandmamidgetporn.com?

Nobody uploads their ID to some porn site, they work with some reputable id verification company.

Out of curiosity, I wanted to see how the five most popular porn sites handled age verification since I live in Florida, one of the states that require it. I started here (safe for work - just a list of the most popular websites overall - not porn sites)

https://conversion.ag/blog/top-websites-in-the-world/

Do any of these alternatives seem like something you would want to use?

#10 doesn’t require any age verification.

#12 doesn’t allow you to sign in at all unless you are a creator

#14 no verification needed

#25 requires you to use your Google or Twitter account or an email address.

#61 requires you to log in with your Google account.

#69 wants you to upload your driver's license or passport to a site called

https://saas-onboarding.incodesmile.com/multimedia214/flow/6...


When the axe came to the forest, the trees said: at least the handle is one of us.


Is this for ipv4 and ipv6?


It will work for both.


Or perhaps ideas need not only be had, but also pass through more layers of filters to make it into the world proper. Ideas that were had more than once had more than one chance. Ideas that made it into the world but were only once, were lucky. So that would mean there is a bias when looking at ideas that made it. So the correlation might be due to an inversed cause and effect.


Mirror snapshot: https://archive.ph/hJHNM


Thanks for all the work that goes into this crucial service!

3% and "3,200 people manually unpaused issuance" does seem much higher than expected to me and no cause for celebration, especially at this scale.

Are there no better patterns to be exploited to identify 'zombies'? Running experiments with blocking and then unblocking to validate should work here.

I guess this falls into the bucket of: sure we can do that, given sufficient time and resources


Why do you think that this indicates a problem in identifying zombies? The pause may have simply been the reason that someone became aware there was even a problem. The zombie might have persisted, if it hadn't been paused.


> Why do you think that this indicates a problem in identifying zombies?

I understood a zombie to represent a client that is dead and will never come back to life again. Since they came back to life they were not actually zombies. So manual action from actually alive clients was required. That may be ok, since their behavior was not acceptable, but in the spirit of not penalizing it would be better to not block those clients if they can be identified and sufficient resources are available to shoulder their misbehaviour.

> The pause may have simply been the reason that someone became aware there was even a problem.

I didn't take that into account and it would be neat. But why would they become aware after this change? Because the error message(/code?) is now different?


The frunk fell off


> these systems greatly improve some situations, but it’s not acceptable to do so at the expense of worsening others

Can you elaborate please? E.g. do you mean that such tradeoffs are not acceptable, even if they result in a net benefit?


It's not a tradeoff. "Driving better than a human" means avoiding mistakes humans make and not making mistakes humans don't make.


When I had a robot vacuum cleaner it would sometimes leave a big ball of dust in the middle of a carpet or something. If I vacuum manually, I would have a harder time working under the sofas and tables, so one could argue that we both did 95% of a full sweep of the floor, just not leaving the same 5%. I think this is somewhat the same.

The camera/radar/sensor things are going to "see" and react to different things than humans while driving, and while I would never leave the ball of dust in the middle of the room, in plain sight, the robot would not clean the floor under the sofa any less efficiently than the other parts of the floor. And perhaps this carries over to self driving, for now it will make certain mistakes that humans never will do, but as others have mentioned here, it would also not tire, not look at cell phone, not get distracted.

So I wonder if we are treating these 5%-cases differently just because we associate "cleaning" with "not leaving dust balls clearly visible" and driving with "not crashing into pedestrians in situation x,y,z" while somewhat accepting that people in situations r,s,t do kill others in traffic to a certain extent.


Every mutually exclusive choice is a tradeoff, by definition. Perhaps the better word is “driving better than human drivers as a collective” to refer to a lower auto collision/injury rate.

It might not be strictly more capable than a single ideal human always paying attention, but that is neither here nor there when comparing if software assisted driving is better than non software assisted driving.

The easiest way to analyze this is to see if auto insurance companies offer a discount for using the software assist, as they are most directly impacted by population wide changes in the metric we are interested in (although I don’t think Tesla shares sufficient data about when and if FSD was used for auto insurers to be able to discern this).


It's not a mutually exclusive choice. That's the point.

Let me counter your collective auto collision/injury rate. Let's suppose the only injuries sustained in a year are the deaths of school children exiting a school bus. There's no rhyme or reason to why sometimes the driver assist mows down children. BUT, collectively, there are far, far fewer deaths. Say 1,000 school children are killed per year, but those are the only deaths. That's far less than the 40,000 Americans killed per year in auto crashes. So that's good, right? No. Of course not.

We want these systems to not make the same mistakes humans make and to not make mistakes humans wouldn't make. Do that, and your fatalities will decrease in an acceptable manner.


There is no utility in spending time discussing the relative cost of 1,000 lives of children versus 40,000 Americans (presuming the Americans are made up of less than 1,000 children).

Although, note that the US government has long provided better medical care to old people (via Medicare’s higher reimbursement to healthcare providers) than to [poor] children (because Medicaid pays less).

In the 1990s, it was funny seeing my 80+ year old immigrant grandparents get tons of healthcare while my dad would tell me to play carefully because we couldn’t afford the doctor if I broke an arm or leg, or we couldn’t afford a dentist and braces (small business owner so Medicaid disqualified due to assets, yet insufficient cash flow to pay doctors).

> There's no rhyme or reason to why sometimes the driver assist mows down children.

If you are claiming a software engineer is throwing in a random kill/maim function in the driver software, then that would be worse as it could be implemented at scale (rather than individual drivers choosing to kill/maim).

Otherwise, I would classify injury caused by driver assist mechanisms as technical issues due to hardware/software, directly comparable to injury caused by human drivers due to say choosing to look at their phone or drive drunk. Or being 95 and lacking physical/cognitive capacity.


>That's far less than the 40,000 Americans killed per year in auto crashes. So that's good, right? No. Of course not.

>We want these systems to not make the same mistakes humans make and to not make mistakes humans wouldn't make. Do that, and your fatalities will decrease in an acceptable manner.

I don't think anyone is going to claim 1000 kids getting mowed down by automated cars is "good", but it's far preferable to 40k people getting mowed down normally. They are however, willing to accept the deaths of 1k kids if it meant saving the lives of 40k people.


> They are however, willing to accept the deaths of 1k kids if it meant saving the lives of 40k people.

I bet they're not. People instinctively reject utilitarian trade-offs, especially when it involves children. The idea of sacrificing a few for the many might make sense on paper, but in practice, it’s emotionally and politically untenable.


Note that 0-14 year olds make up 18% of the US population, so assuming the 40k deaths in the counterfactuals are evenly distributed, that'd imply 7.2k kids dying as well, still worse than the 1k.


In the United States, approximately 1,100 children under the age of 13 die each year in motor vehicle crashes. Not that it matters, because you're still making a utilitarian argument, and the majority of people, including Americans, reject that kind of reasoning.

More importantly, utilitarian arguments rarely persuade lawmakers. Policy decisions are driven by public sentiment, political incentives, and moral framing - not abstract cost-benefit calculations.


>not abstract cost-benefit calculations.

Comparing mortality/morbidity data is the opposite of abstract. It’s about as defined as you can get in a discussion about safety.


You're really not understanding how much people hate utilitarian arguments and those making them.


Corporate org level announcement mails


So Management went to ChatGPT and asked, "can you write a launch email about $event_x " and you then go there to ask, "what did management want to say in this email about $event_x"?

How likely is it that the output summary is mostly made of stuff that the LLM made up in the first expansion process? (eg, you're getting summarized noise if the original signal - the prompt - was much shorter than the email)


Unnecessary long-form news articles that bury the lede.


> humans likely are nothing more than that

Relevant post: https://news.ycombinator.com/item?id=44089156

