[HN Gopher] Senators Urge FTC to Probe ID.me over Selfie Data
___________________________________________________________________
Senators Urge FTC to Probe ID.me over Selfie Data
Author : todsacerdoti
Score : 167 points
Date : 2022-05-18 17:04 UTC (5 hours ago)
(HTM) web link (krebsonsecurity.com)
| nerdjon wrote:
| Does anyone else have regrets about being in the tech industry
| when things like this, privacy issues, leaks, etc seem to be a
| big thing on a nearly daily or at least weekly basis now?
|
| I love what I do, I really do. But stories like this make me want
| to get a "boring" tech job that I am just maintaining something.
| Not innovating anymore and at the mercy of not technical people
| telling me to make horrible decisions.
|
| I just find it disheartening. I am just curious if others ever
| feel this way?
| _jal wrote:
| I have problems being associated with the rest of humanity,
| considering all the awful shit they get up to.
|
| I don't see a reason to call out tech as being worse than other
| industries I could name. It is uniquely awful in a number of
| ways, but so are others.
| reaperducer wrote:
| _Does anyone else have regrets about being in the tech industry
| when things like this, privacy issues, leaks, etc seem to be a
| big thing on a nearly daily or at least weekly basis now?_
|
| Just an hour ago I was thinking to myself, "I wish I was good
| with my hands. I wish I could do anything but this."
|
| Computers are the only talent I have, and changing careers
| would mean going back to entry-level pay, which I can't do at
| this point in my life.
|
| It used to be that when you got fed up with your profession,
| you could go teach. But that doesn't pay jack squat anymore.
| Melatonic wrote:
| Depends what you work on. If you are working on super privacy
| invasive projects and have regrets then at minimum that is a
| problem for you and reducing your quality of life.
|
| I generally do not get disheartened by this sort of thing but
| you also probably will not ever see me working for Facebook for
| example.....
| BeefWellington wrote:
| > Does anyone else have regrets about being in the tech
| industry when things like this, privacy issues, leaks, etc seem
| to be a big thing on a nearly daily or at least weekly basis
| now?
|
| I personally don't but I think the issue here is that things
| like ClearView AI and ID.me and the related controversies were
| inevitable. Just as we're seeing with the development of
| DeepFakes. An astute observer can probably pretty accurately
| pick out the differences but will that be true in five to ten
| years? Audio faking is already fairly good.
|
| Once any technology is close, there will be people telling you
| it's solved. Look at self-driving cars. All these "we've solved
| it, autopilot is the greatest thing since sliced bread" takes
| are pushed as marketing, meanwhile the capabilities are
| substantially lower than human drivers. The bar for these kinds
| of things should be, at minimum _better than a human_.
|
| The issue isn't with the tech itself but the actors involved.
| It's a tool, and like any others it can be abused. What makes
| it dangerous is that the limitations of these tools don't
| appear to be investigated at all, which is a failure of
| something or someone, I'm just not sure what or who (probably
| government).
|
| Coupling a "not quite ready" tech with some snazzy marketing
| and shady practices seems to have been par for the course for a
| lot of technologies that emerged from the post-industrial
| revolution era, and in some cases even before then. Just
| chemical examples: Leaded gasoline, CFCs, DDT, Thalidomide,
| etc. You could look to something like cryptomining and its
| environmental and social impact as another more modern tech
| example.
| nerdjon wrote:
| I think a lot of what you said emphasizes my view on non
| technical people making decisions and/or being the public
| face of a very technical product. I don't mean everyone in
| this regard.
|
| But I imagine many of us have been on the side of being told
| that marketing/user retention wants a dark pattern
| introduced. "User Research" wants all kinds of tracking
| introduced. Finance wants ads. Management wants something
| quicker so we cut corners (or worse they tell us to release
| something even though we say it's not ready and very buggy but
| marketing was making a big deal about it... which I have
| personally been involved in. Will give one guess how that one
| went and then who was blamed). Or any other decision made by
| someone non technical that is a bad decision and is another
| controversy waiting to happen.
|
| I still see technology as a great force. I still believe in
| it. I am lucky that my current job, I don't have to deal with
| any of these things. But we are not a consumer facing
| operation. But when I look to the future, I find myself
| asking myself. Where is the industry going and it feels like
| it's just constantly getting worse. I worry about being in a
| position of needing to be involved in that again.
| user3939382 wrote:
| The way I look at the most general version of the issue I
| believe you're raising is that technology is morally neutral.
| It's a tool, in some forms an amazingly powerful tool, and like
| all tools, that awesome power can be used for good or evil.
| [deleted]
| BigBubbleButt wrote:
| Technology is only neutral in the sense that guns, nuclear
| weapons, and neurotoxins are neutral. No, not all technology
| is the same, and much of it _is_ evil. This loosely falls
| into the same fallacy of "it can either work or fail, so
| there's a 50% chance" - you are wildly misrepresenting the
| space in order to project a stance of neutrality.
|
| I really think what you're saying is just something engineers
| tell themselves to feel better about what they do. I hear it
| more often from people at FAANG, defense contractors, and
| other morally ambiguous places than anywhere else.
|
| Also, if you're the guy building a tool that's oppressing
| someone, you are the guy building the means to oppress
| someone. There's nothing neutral about that.
| [deleted]
| Melatonic wrote:
| This is what happens when everything is just contracted out willy
| nilly with people running systems that have not kept up with the
| times and (at best) are reaching their own level of incompetence.
|
| Or at worst there were big kickbacks involved and something
| nefarious is going on here.
|
| Regardless seems like a good thing to investigate
| xbar wrote:
| I thought ID.me was a government program.
| Layke1123 wrote:
| Let's not forget a huge problem in our modern world, and that is
| multiple, sovereign nation states willing to do anything and
| everything to get leverage against one another, including trying
| to infiltrate and hack every single piece of hardware and
| software produced. Gone are the days when human fail safes could
| catch each other. Now, any computer can be hacked so no amount of
| them will prevent attacks unlike a line of humans who have to vet
| the information.
| ziddoap wrote:
| ID.me has had quite a bit of controversy. Some interesting
| related non-Krebs (I don't support Krebs after his doxxing of
| innocent people) reads:
|
| https://www.techdirt.com/2022/02/01/idme-finally-admits-it-r...
|
| https://www.techdirt.com/2022/02/15/idme-doesnt-have-enough-...
| mig39 wrote:
| Can you elaborate on the Krebs doxxing innocent people thing?
| password4321 wrote:
| https://news.ycombinator.com/item?id=27440675#27448881
|
| > _https://itwire.com/business-it-news/security/infosec-researc..._ (2019)
|
| > _https://itwire.com/business-it-news/security/krebs-accused-o..._ (2020)
|
| https://hn.algolia.com/?query=krebs%20doxx&sort=byDate&type=...
| ziddoap wrote:
| The short of it is during one of his investigative blog
| posts, he released the real life names of two security
| researchers who he believed (based on a single source from
| Twitter) ran a scam. Sean Hollister, a reporter for The Verge
| (among others) rightfully called out Krebs' actions as
| extremely misguided and potentially harmful [1].
|
| In another case, he released the names and details of the
| people he believed were running the Coinhive cryptomining
| scam. He also compiled and released information on three
| people who he thought were connected to the Shadow Brokers
| group, although he has since unpublished that post (some
| analysis at [2]). There's even an urban dictionary term:
| 'krebbed' [3]. There's been discussion here, and elsewhere,
| although it's mainly back-and-forths on Twitter.
|
| The issue I take with it is separate from whether or not he
| was correct, but that he is taking it upon himself to act as
| the judge, jury and executioner of potentially innocent
| people by releasing names and personal details of people on
| his blog and on Twitter.
|
| Edit to add: He's even posted someone's passport before,
| which is kind of wild to think about [4].
|
| [1]
| https://twitter.com/StarFire2258/status/1283892893539635200
|
| [2] https://www.emptywheel.net/2017/11/28/the-russian-metadata-i...
|
| [3] https://www.urbandictionary.com/define.php?term=krebbed
|
| [4] See his blog post "Meet the World's Biggest 'Bulletproof'
| Hoster", where he still has the dude's passport picture (with
| all info, no redactions) up.
| vorpalhex wrote:
| It should be noted that posting someone's identity is
| distinctly not the same as executing them.
| ziddoap wrote:
| If you need that noted, I'm worried.
|
| It's an expression that I _thought_ most people would
| understand, but to make it abundantly clear: I do not
| think that Krebs is executing people. Nor do I think he
| has the legal training to be a judge. He might have been
| on a jury before, I'm not sure.
|
| I am using it as an expression to state that he is taking
| upon himself the task that is normally reserved for
| either LEA and/or the court system, which is ascribing
| guilt.
| chipsa wrote:
| He appears to be acting as an investigative reporter.
| Such acts have a long history of naming and shaming
| people, even ones that were not previously public
| figures. That he writes for his own publication is not
| really material to the fact that he is acting as a
| reporter.
| ziddoap wrote:
| Funny enough to some, I disagree with any reporter who
| names private citizens with little proof and no avenue
| for recourse. Especially when they post things like a
| person's non-redacted passport, for example, which has
| plenty of personal information that is not material to
| the story in any which way.
|
| If you have enough information to release a bunch of
| personal information on someone and tell thousands of
| people that they are guilty of something, you should go
| to the appropriate LEA and either take some care writing
| your story or wait until an actual investigation has
| happened, reporting on those results.
|
| Edit to add: At least in this case, regarding Krebs, it
| would seem that at least one senior editor and journalist
| agrees with me that Krebs acted unethically (see the
| first comment for a link to a tweet by a senior editor at
| The Verge). Other major news organizations (e.g. CBC)
| have policies not to name those only accused of a crime,
| except in extenuating circumstances or after a charge is
| laid/legal proceedings have begun. They must also report
| on the outcome of the criminal investigation.
| rkagerer wrote:
| I bet the images and videos collected by facial recognition
| partners doing KYC for crypto exchanges also wind up in various
| nations' law enforcement databases.
| monksy wrote:
| Let's not forget: your license for alcohol acceptance which
| includes your info on the card + your picture - Drizly and
| Instacart collects that.
|
| Drizly had a massive data breach as well.
| JumpCrisscross wrote:
| Do we have any evidence for why ID.me was chosen over Login.gov?
| megaman821 wrote:
| Just a guess from using both of them. Login.gov does
| authentication, ID.me does authentication and visual
| verification. ID.me would have you take a video to do facial
| verification when doing any sensitive actions.
| [deleted]
| programmertote wrote:
| Tangentially related -- My wife recently had to provide her SSN,
| DoB and her fingerprint scanned by a third-party company
| [https://www.printscan.com/about-us/], which is "owned, and
| operated by active and retired Law Enforcement Officers". We both
| felt really uncomfortable providing such sensitive information to
| a third party company, but had no choice because Florida board of
| medicine [https://flboardofmedicine.gov/] uses PrintScan as a
| partner to do background checks. The fee was $125 for fingerprint
| scanning at one of their locations.
|
| According to that company's 'About Us' page, "PrintScan's
| certified fingerprint technicians undergo extensive background
| checks before being cleared with the FBI, NYS Department of
| Criminal Justice Services, Florida Department of Law Enforcement,
| and Homeland Security."
|
| I looked up on the FBI website to see if they provide similar
| background check service, and sure they do for $18! I have a hard
| time figuring out why FL board of medicine uses a third party
| service instead of FBI to do background checks, and also wondered
| why shouldn't FBI background check be enough/sufficient for
| criminal activity (i.e. don't states share their criminal records
| with FBI?). All of this is to say that the existence of companies
| like PrintScan--and the fact that one of the state governments
| uses it--is definitely concerning to me.
| rurp wrote:
| I don't think there is any reason for involving a private
| company, aside from the kickback/corruption ones. I've had to
| get fingerprinted and background checked for several jobs in
| different states and all were done through the local police
| department.
| nikanj wrote:
| Why? Because corruption
| user3939382 wrote:
| > PrintScan's certified fingerprint technicians undergo
| extensive background checks
|
| Uh huh. Just like these guys, right?
|
| "NSA staff used spy tools on spouses, ex-lovers: watchdog"
| https://www.reuters.com/article/us-usa-surveillance-watchdog...
|
| https://en.wikipedia.org/wiki/LOVEINT
| caseysoftware wrote:
| I used to work with the FBI fingerprint system IAFIS.
|
| It was a very complete system at the time and used in many
| situations for background checks for everything from LEOs to
| day care centers for cheap. We also had hard requirements
| around 99% of responses had to come back within 10 minutes.
|
| Anyway, that's changed quite a bit the last few years..
|
| More and more State & Local stopped participating in the system
| - https://www.washingtonpost.com/crime-law/2021/12/09/fbi-poli...
| - so huge swathes of data just aren't available anymore.
| Then more DAs are choosing to prosecute fewer crimes and
| negotiating down serious crimes that would trigger alerts
| (usually felonies) to lesser crimes so the data that _is_ there
| may not be representative of the situation. And finally, the
| overall crime statistics are being characterized as "racist"
| so the FBI is getting more cautious about what they release and
| how.
|
| So.. less data, incomplete/wrong data, and less access to the
| data.
|
| All of those mean "competitors" have room to operate.
| lovich wrote:
| I know you had several points in this comment but this stuck
| out to me
|
| > Then more DAs are choosing to prosecute fewer crimes and
| negotiating down serious crimes that would trigger alerts
| (usually felonies) to lesser crimes so the data that is there
| may not be representative of the situation.
|
| Isn't this representative of the situation? They didn't get a
| felony and the background check shows they didn't get a
| felony? Are background checks supposed to be extra punishment
| on top of what the judicial system determines?
| noodlesUK wrote:
| One thing I'm not very happy about is that in the US, in
| order to get a background check of any kind, you need to get
| fingerprinted and have those prints enrolled in the FBI's
| database regardless of if a match comes up. In many other
| countries, a background check is just querying the national
| criminal record database for your identity, which seems much
| more proportionate for most employment based background
| checks. I'm not thrilled about being enrolled in a
| fingerprint database because latent prints exist and are so
| inaccurate.
| caseysoftware wrote:
| When I was there, this was absolutely false.
|
| Any fingerprints submitted as a background check were
| _required by law_ to be deleted pretty quickly (within
| hours, iirc). Fingerprints submitted as part of an arrest
| were different.
|
| Unfortunately, that may have changed as many gun control
| advocates have pushed to keep fingerprints from background
| checks on file indefinitely. I don't know if they've been
| successful.
| reaperducer wrote:
| _in the US, in order to get a background check of any kind,
| you need to get fingerprinted_
|
| This is false. I've had my background checked at least a
| dozen times. Most recently, just this past October, and I
| have never given my fingerprints to anyone.
| noodlesUK wrote:
| You are correct. What I meant was a _government
| issued/recognized_ background check.
| xyzzyz wrote:
| I had background checks done on me by my previous
| employers, but none of them asked me for fingerprints.
| divbzero wrote:
| IRS's use of ID.me [1] is one of the oddest public-private
| partnerships I've seen. Facial recognition aside, why should I
| provide my personal ID to a private company to verify myself with
| the government that issued that personal ID in the first place?
|
| [1]: https://www.irs.gov/newsroom/new-online-identity-verificatio...
| bogomipz wrote:
| And similarly in absurdity is that the IRS does not have the
| ability to accept direct payments via credit card or debit
| card. There's a separate public-private partnership for
| that.[1]
|
| [1] https://www.fool.com/taxes/2019/04/13/heres-what-happens-whe...
| bsimpson wrote:
| I'm sure I got fucked this year: one of those sites said in
| big letters at the top "we attribute all transactions until
| midnight to today," so I chose them.
|
| I gave them thousands of dollars (hoping to get some of it
| back as credit card points). I immediately got an email
| saying "Thanks for your payment at 1:30 AM (not my timezone,
| tomorrow)." I was livid, and I had no recourse.
|
| I don't even know how to check for the fine and pay it. I'm
| just waiting for an IRS nastygram at this point, so I can
| contest their "processing fee" on my credit card.
| reaperducer wrote:
| In my experience, if you miss the deadline that closely,
| the fine from the IRS is negligible, or they ignore it
| entirely and move on because it's not worth the effort to
| follow up.
| jfk13 wrote:
| Though why you would leave it that close is something of
| a mystery to me. After all, you might have connectivity
| problems or an unexpected personal emergency or
| something. It's not like you didn't know the deadline was
| coming up.... just pay a day or two early and avoid the
| stress!
|
| (I'm sure there are people who legitimately have to do it
| at the last moment for some reason. But I don't believe
| that's the common case.)
| sandworm101 wrote:
| Years ago I read about a Russian product based on facial
| recognition. Their pitch was that you could take a picture of an
| attractive stranger, send them the picture, and for 100$ they
| would send you all of her information in a matter of minutes so
| that you could strike up a conversation. Of course this sounds
| really creepy, but why? The information is public. Is it the
| amount of money? Police and governments want this sort of tool.
| We don't bat an eye when a cop uses such tools to pull all of
| your license/insurance information during a traffic stop. Is it
| more creepy or less creepy if such tools are also made available
| to the public?
| nicoburns wrote:
| Facebook and other social media isn't far off of this. You
| really need a name to find someone's facebook profile (but
| people will usually give out their name to pretty much anyone),
| and you can of course set your profile to private (but many
| people don't).
| monksy wrote:
| With facebook you didn't need that.
|
| You'd just need a picture.. and it would auto suggest who
| they are.
|
| That's what got them into trouble with the IL Biometric
| privacy law.
| tombrossman wrote:
| I believe this was called "FindFace" it became a mobile app and
| I remember reading this article about it at the time:
| https://www.theguardian.com/world/2016/apr/14/russian-photog...
| sandworm101 wrote:
| That's the one. Set up by former intelligence operators iirc.
|
| There is a flip side to this in places like Russia. If you
| are at a party and want to talk to someone, you might want to
| look up whether she is the wife/girlfriend of the local crime
| boss/politician/general first.
| random-human wrote:
| >> We don't bat an eye when a cop uses such tools to pull all
| of your license/insurance information during a traffic stop.
|
| In order to legally drive we basically enter into a contract
| with the state agreeing to the terms it set. Keeping a current
| license, registration, insurance etc. During a traffic stop, it
| is a requirement to hand over the documents, if asked, so they
| can verify you are within the law. At least in the parts of the
| US that I am familiar with. Same for travel and other
| government documents, if you want to legally move between
| borders, you agree to their terms or stay put.
|
| Having random creep take a pic of someone and get their address
| so they can visit later on, would be a very big problem.
| [deleted]
| burkaman wrote:
| The cop is in a position of public trust, and at least in
| theory is accountable to the public if they abuse that ability.
| Most people are actively aware that the government has their
| information, because they submit it themselves when they file
| taxes, apply for their license, etc. Even if you don't trust
| the police at all, their stated purpose for having and using
| this information is logical.
|
| A private company is accountable to nobody, trusted by nobody,
| and likely accessing "public" information that was publicized
| by an entity other than the individual. They are collecting the
| information purely to make a profit, not to (again in theory)
| increase public safety. Their entire purpose is to abuse the
| information for purposes it was not intended for.
| Alupis wrote:
| It's difficult to imagine any level where this doesn't come
| across as creepy.
|
| What data was available? Where they live? Who their parents
| are? What school they went to? What car they drive? Or even
| creepier, like hobbies?
|
| There is no scenario where walking up to a stranger and
| starting a conversation about their personal information is
| going to come across as normal.
| sandworm101 wrote:
| There was a scene in one of the Ironman movies. Tony Stark is
| at a party and his personal assistant is pointing out people
| for him. She is recognizing faces and telling him who is who
| before he talks to them. She is telling him their jobs and
| backgrounds. Just swap out the flesh-and-blood assistant for
| a service delivered to your phone. Why is the automated
| system so much more creepy?
|
| (Such scenes are in probably 75% of all movies. It is an old
| device for introducing characters.)
| unethical_ban wrote:
| It's the expression of unlimited power by tools more
| powerful than us, perfect vs. flawed in their realtime
| ability to judge and analyze you in real time. It is a shift
| further into a world totally controlled by perfect
| knowledge of all details about every person's life. I don't
| want to live in that world.
| nerdjon wrote:
| That is massively different though, that is a subset of
| people that most likely were on an invite list before hand.
| Would be similar to social media recommending the friends
| you are already friends with in photos you upload. More of
| a convenience than anything else.
|
| What you mention is any random person identifying any other
| random person (ignoring the creepiness of taking a picture
| of someone without their consent). And using that to track
| down identifying information about them.
| tintor wrote:
| "Ignoring the creepiness of taking a picture of someone
| without their consent" In a public setting consent is not
| needed for photos.
| nerdjon wrote:
| It being creepy and legally needing consent are not the
| same thing. Consent is what makes it not creepy.
|
| Just because it may be legal, doesn't mean it isn't
| creepy for someone to take a picture of a random other
| person.
| sofixa wrote:
| Depends on the jurisdiction, it is needed in France.
| Swizec wrote:
| The difference is that at a party like that the people are
| public persons and used to being recognized. Many of them
| are probably business partners so he is essentially using
| his assistant as a CRM to do sales.
|
| Big agencies have entire dossiers on their clients for the
| sole purpose of brushing up on your info before a meeting
| so they can come across as super friendly and high touch.
| Even your hairdresser probably does this.
|
| Main difference being that it isn't creepy to keep track of
| things you can't remember when being friends with hundreds
| of people is part of your job.
| ridgered4 wrote:
| Tony's personal assistant may have intimate knowledge of
| everyone at the party, but probably knows nothing about
| people outside the industry. And she probably spent a fair
| amount of time prepping for the party. So she's bound to an
| upper limit of what a person can reasonably do.
|
| And his personal assistant is a person which is a building
| block that innately fits into society. Any given person has
| some level of morals and integrity which would limit what
| they were willing to do with their knowledge. And even if
| they don't, people can be brought to justice if they abuse
| their knowledge/skills or otherwise have some kind of
| public pressure used against them. An algorithm cannot be
| imprisoned or even really destroyed and doesn't care one
| bit what it's used for because it doesn't care about
| anything at all.
|
| Some of these things seem inevitable, but that doesn't mean
| they aren't creepy!
| paxys wrote:
| We do bat an eye on such systems. All facial recognition
| systems are banned for government use in San Francisco. Police
| use of license plate readers is limited by law. Pretty ironic
| that people that build and export this tech all over the world
| are wary of it in their own backyards.
| autoexec wrote:
| Accessing government services should never result in your
| personal data being delivered into the hands of private for
| profit companies.
|
| If they want us to hand over our facial recognition data
| (something that has never been needed before and isn't actually
| needed now) the government should create their own service where
| any data collected is never used for anything else.
|
| I think it's just pure laziness and a total lack of concern for
| the public that government websites are full of Google trackers,
| but when I see a company like ID.me being used I assume somebody
| is getting a nice kickback somewhere for handing over the
| American public's data to a private company to exploit and enrich
| themselves with and all at the taxpayers' expense.
| llimllib wrote:
| I think from the IRS' perspective, they wanted to reach a NIST-
| certified level of identity verification (NIST 800-63A IAL2
| [1]), and there is no governmental service which offered the
| ability to do that[2], so they went to a private company.
|
| I have a lot of notes around this whole dustup; it's my opinion
| that:
|
| - The IRS acted in good faith trying to secure its website in
| the best way possible
|
| - It's very unfortunate that the US government at the same time
| promotes a particular standard, but does not provide a service
| matching that standard and seems to currently have no plans to
| do so
|
| [1]: https://pages.nist.gov/800-63-3/sp800-63a.html
|
| [2]: login.gov is IAL1 but not IAL2 compliant; IAL2 compliance
| requires biometric verification and login.gov does not do this.
| I also think the IRS had concerns around scaling login.gov, but
| that the lack of biometric verification was decisive[3]
|
| [3]: https://twitter.com/llimllib/status/1490802056256532480
| tomrod wrote:
| I think the backlash also pole-vaulted login.gov to the
| forefront.
| divbzero wrote:
| > _It's very unfortunate that the US government at the same
| time promotes a particular standard, but does not provide a
| service matching that standard and seems to currently have no
| plans to do so_
|
| _id.gov_ could be a great project for the US Digital Service
| [4] and 18F [5] who are the ones that delivered _login.gov_
| [6].
|
| [4]: https://www.usds.gov/
|
| [5]: https://18f.gsa.gov/
|
| [6]: https://digital.gov/2017/08/28/government-launches-login-gov...
| thr0wawayf00 wrote:
| It's fashionable to talk about how dystopian social media is, but
| in my experience, it pales in comparison with the pure hell that
| is trying to use ID.me and realizing that such a poorly
| engineered system sits between a loved one of mine and their
| social security payments.
|
| I tried to help set a relative up a while back to receive his
| payments, which required authenticating with ID.me. Over and over
| again, the facial recognition feature would fail and prompt to
| take a new video. It took reaching out to a support line to
| assist, but they weren't particularly fast or helpful. I couldn't
| imagine being his age and trying to set this stuff up alone.
|
| For every beautiful, artisanal website experience out there that
| takes UX seriously, there's an equally horrible one that stands
| between you and something you need and it's pretty clear that the
| people behind that system don't give a damn about you the user.
| hotpotamus wrote:
| It was pointed out to me, a millennial, that Social Security was
| created and administered in the Depression era before computers
| even existed. To think that they somehow created a working
| system without the tech that we throw at it today is
| interesting.
| _moof wrote:
| We also got to the moon without calculators. (This used to be
| well-known but may not be anymore - I'm not sure. Forgive me
| if I'm saying something obvious.) Pretty incredible how
| unnecessary most of our "technology" really is.
|
| Can't find it now but one of my all-time favorite engineering
| memes goes something like, "modern engineer, cries when
| Matlab crashes; Roman engineer, built aqueducts by eyeballing
| them."
| Melatonic wrote:
| We had computers - they were just teams of women crunching
| numbers in a room somewhere
| hotpotamus wrote:
| I mean, if we're talking about Apollo, they had IBM
| mainframes and I believe the Apollo guidance computer was
| actually the first computer made of integrated circuits
| which was crucial to fitting it within the power/weight
| budget. I'll bet a lot of work was still done with slide
| rules though.
| jfk13 wrote:
| My (96 year old) father is quite sure that _every_ such
| system worked far better before computers got involved.
|
| In some cases, perhaps he's right.
| tmp_anon_22 wrote:
| Better for the end-user, not better for administrators and
| accountants on the side of government services.
| donmcronald wrote:
| I bet he's right in a lot of cases. I think the difference
| would be that back then you had actual humans making every
| decision and everything was local so the social and
| cultural expectations from everyone involved would have
| been more predictable.
|
| Plus, I imagine everyone made more effort to be civil when
| interacting because everything was face-to-face.
| ModernMech wrote:
| True, because those systems were designed for pre-computer
| technologies, and all we did when computers came along was
| put the same systems not designed for computers on
| computers. This is how we ended up using mice to sign
| signatures on 8x11 PDF forms that then have to go through
| an OCR to be input into other computer systems.
| est31 wrote:
| I wonder if it's survivorship bias. Same as not every old
| building has survived the times, only the amazing ones did,
| maybe just the "amazing" government systems have survived,
| while the others have long since become forgotten. I put
| amazing into quotes because SSNs have plenty of problems,
| but at least they are successful in that they are used
| everywhere. This in turn creates the impression that
| government systems used to be better than they are now.
| whateveracct wrote:
| Paper works great in a lot of ways. I'm using my printer &
| notebooks more than ever nowadays.
| ge96 wrote:
| Haha I just dropped $60+ for black/color cartridges, I'll
| probably print a couple of docs and need to get new ones
| again. So annoying.
|
| I bought HP 61s
| wincy wrote:
| I just bought an Epson Ecotank printer. Supposed to have
| the advantages of a laser jet but not be nearly as
| expensive refills. The printer itself was $200, though.
| mminer237 wrote:
| Buy a toner printer instead?
| ge96 wrote:
| I'll look into that, don't know the difference offhand
| niij wrote:
| Take them out when not using the printer and store them
| with the plastic/sponge covers on. Inkjet carts last much
| longer that way.
| ge96 wrote:
| that's an interesting thought, it drips or something while
| just sitting there?
| donmcronald wrote:
| > I tried to help set a relative up a while back to receive his
| payments, which required authenticating with ID.me.
|
| Isn't it weird for the US to rely on public services that are
| managed on the TLD (.me) of a foreign country?
|
| I see the same stupidity with my own country's government where
| they use independent domain names for every service rather than
| a single, high value namespace (ex: gov.TLD). I guess I should
| just be happy they use our country's TLD. Lol.
| paulryanrogers wrote:
| Hard agree. Even if they contract it out, it should at least
| live on CNAME under official gov TLD(s).
| ssalka wrote:
| > For every beautiful, artisanal website experience out there
| that takes UX seriously, there's an equally horrible one
|
| more like 10 equally horrible ones
| soupfordummies wrote:
| That was exactly my experience as well! I was beyond
| frustrated.
|
| Unfortunately I had to do this just to PAY MY TAXES since I had
| received some unemployment benefits and the relevant form was
| gated behind my Dept of Labor acct that had, of course, been
| long since locked due to scam attempts.
| hahaitsfunny wrote:
| ethbr0 wrote:
| > _the people behind that system don't give a damn about you
| the user_
|
| Or at least, the people buying the system don't have the
| technical ability to create it, and the contractors who won the
| lowest bid to create it don't care about anything other than
| having the project's completion signed off on.
| hahaitsfunny wrote:
| [deleted]
| cato_the_elder wrote:
| These are all Democratic senators, but ID.me has quite a few
| critics among the senate Republicans too:
| https://www.finance.senate.gov/ranking-members-news/republic...
| ImPostingOnHN wrote:
| fun fact: the correct term is "Democratic" senator, as using
| "Democrat" as an adjective is a pejorative:
|
| https://en.m.wikipedia.org/wiki/Democrat_Party_(epithet)
| cato_the_elder wrote:
| Fixed. Sorry, I'm not a native speaker, and I don't always
| get these things right. Thanks for pointing that out.
| lovich wrote:
| You're fine. I'm a native English speaker and never knew
| this. I've seen "Democrat" used as a performative but only
| by their political rivals who do think the name is
| pejorative but it wouldn't matter what name was used.
| hsbauauvhabzb wrote:
| Identification systems that don't use PKI are fundamentally
| broken.
| paxys wrote:
| Identification systems that no one will use are fundamentally
| broken
| hsbauauvhabzb wrote:
| It wouldn't be terribly hard to implement with good ux such
| that people use it.
| yebyen wrote:
| I don't know anything personally but I do have a friend who works
| as an engineer at ID.me and he explained to me that they really
| don't store any data.
|
| The way it was explained to me, (apologies if there's anything
| factually inaccurate in here, this is my recollection from a
| while ago, just before the IRS very notably decided to cancel
| their contract for the 2021 tax year?) they had an army of people
| whose job was literally to visually compare the person's selfie
| to the ID they presented, and if I understood correctly, they
| also had some facility for verifying the presented ID was
| genuine. And that was it.
|
| (Edit: I see from clicking through to the CyberScoop article
| "ID.me CEO backtracks ... on 1:many recognition use claims" that
| it may not be the case that's all they do with each selfie, and
| that in reality they do store the selfies, based on a regulatory
| requirement that they must do so for 7 years.)
|
| I think based on that conversation (and sure, call me biased) the
| "invasion of privacy" concerns were way overblown. If you think
| the best way to implement an ID verification system is to hire
| more permanent government employees and have them do the job in-
| house, ... I'm on Hacker News, so I'm going to assume that nobody
| thought that.
|
| If you have concerns about the truthfulness of this scheme (does
| it really happen without permanently storing any selfies?) I
| think those are fair concerns, and we should know the answer.
|
| But is there anything to be really concerned about, if there's no
| permanent storage? I don't understand. Can someone explain it to
| me? I think that the "invasion of privacy" ship must have already
| sailed, the government has your photo ID in a database, and it's
| already on record there forever.
|
| What does it matter if the verification is outsourced to a
| private company? Is there the capacity to do this already inside
| of our government? (Would you trust them to implement such a
| system efficiently and correctly without private help?)
|
| What level of oversight would make this scheme appropriate, I
| guess is my question? Is there any ID verification system that
| people who are up in arms would accept here? I'm in favor of
| probing the questions but I am not surprised that wait times are
| longer and support staffing was evidently reduced, after the IRS
| cancelled their contract. "You reap what you sow."
| aeturnum wrote:
| > _I think based on that conversation (and sure, call me
| biased) the "invasion of privacy" concerns were way overblown_
|
| I mean, that's why this calls for a probe, right? I also
| suspect they were overblown - but that's why you look into
| something.
|
| > _I think that the "invasion of privacy" ship must have
| already sailed, the government has your photo ID in a database,
| and it's already on record there forever._
|
| I absolutely disagree with this framing of the question. It's
| false equivalence to suggest that once something exists
| somewhere "unprivate" that any other system would also be fine.
| We are going to need to dig into systems and understand _if the
| reduction in privacy fulfills a necessary function_ and push
| back on all the systems where that isn't true.
|
| There's no magic in "public" v.s. "private" companies - but
| each new layer introduces new potential for mismanagement and
| so you need to ask everyone to "get to the bottom" of what
| happened.
| [deleted]
___________________________________________________________________
(page generated 2022-05-18 23:00 UTC)