[HN Gopher] Senators Urge FTC to Probe ID.me over Selfie Data

Author : todsacerdoti
Score : 167 points
Date : 2022-05-18 17:04 UTC (5 hours ago)

(HTM) web link (krebsonsecurity.com)
(TXT) w3m dump (krebsonsecurity.com)

| nerdjon wrote:
| Does anyone else have regrets about being in the tech industry when things like this, privacy issues, leaks, etc seem to be a big thing on a nearly daily or at least weekly basis now?
|
| I love what I do, I really do. But stories like this make me want to get a "boring" tech job that I am just maintaining something. Not innovating anymore and at the mercy of not technical people telling me to make horrible decisions.
|
| I just find it disheartening. I am just curious if others ever feel this way?
|
| _jal wrote:
| I have problems being associated with the rest of humanity, considering all the awful shit they get up to.
|
| I don't see a reason to call out tech as being worse than other industries I could name. It is uniquely awful in a number of ways, but so are others.
|
| reaperducer wrote:
| _Does anyone else have regrets about being in the tech industry when things like this, privacy issues, leaks, etc seem to be a big thing on a nearly daily or at least weekly basis now?_
|
| Just an hour ago I was thinking to myself, "I wish I was good with my hands. I wish I could do anything but this."
|
| Computers are the only talent I have, and changing careers would mean going back to entry-level pay, which I can't do at this point in my life.
|
| It used to be that when you got fed up with your profession, you could go teach. But that doesn't pay jack squat anymore.
|
| Melatonic wrote:
| Depends what you work on. If you are working on super privacy invasive projects and have regrets then at minimum that is a problem for you and reducing your quality of life.
|
| I generally do not get disheartened by this sort of thing but you also probably will not ever see me working for Facebook for example.....
|
| BeefWellington wrote:
| > Does anyone else have regrets about being in the tech industry when things like this, privacy issues, leaks, etc seem to be a big thing on a nearly daily or at least weekly basis now?
|
| I personally don't but I think the issue here is that things like ClearView AI and ID.me and the related controversies were inevitable. Just as we're seeing with the development of DeepFakes. An astute observer can probably pretty accurately pick out the differences but will that be true in five to ten years? Audio faking is already fairly good.
|
| Once any technology is close, there will be people telling you it's solved. Look at self-driving cars. All these "we've solved it, autopilot is the greatest thing since sliced bread" takes are pushed as marketing, meanwhile the capabilities are substantially lower than human drivers. The bar for these kinds of things should be, at minimum _better than a human_.
|
| The issue isn't with the tech itself but the actors involved. It's a tool, and like any others it can be abused. What makes it dangerous is that the limitations of these tools don't appear to be investigated at all, which is a failure of something or someone, I'm just not sure what or who (probably government).
|
| Coupling a "not quite ready" tech with some snazzy marketing and shady practices seems to have been par for the course for a lot of technologies that emerged from the post-industrial revolution era, and in some cases even before then. Just chemical examples: Leaded gasoline, CFCs, DDT, Thalidomide, etc. You could look to something like cryptomining and its environmental and social impact as another more modern tech example.
|
| nerdjon wrote:
| I think a lot of what you said emphasizes my view on non technical people making decisions and/or being the public face of a very technical product. I don't mean everyone in this regard.
|
| But I imagine many of us have been on the side of being told that marketing/user retention wants a dark pattern introduced. "User Research" wants all kinds of tracking introduced. Finance wants ads. Management wants something quicker so we cut corners (or worse they tell us to release something even though we say it's not ready and very buggy but marketing was making a big deal about it... which I have personally been involved in. Will give one guess how that one went and then who was blamed). Or any other decision made by someone non technical that is a bad decision and is another controversy waiting to happen.
|
| I still see technology as a great force. I still believe in it. I am lucky that my current job, I don't have to deal with any of these things. But we are not a consumer facing operation. But when I look to the future, I find myself asking myself. Where is the industry going and it feels like it's just constantly getting worse. I worry about being in a position of needing to be involved in that again.
|
| user3939382 wrote:
| The way I look at the most general version of the issue I believe you're raising is that technology is morally neutral. It's a tool, in some forms an amazingly powerful tool, and like all tools, that awesome power can be used for good or evil.
|
| [deleted]
|
| BigBubbleButt wrote:
| Technology is only neutral in the sense that guns, nuclear weapons, and neurotoxins are neutral. No, not all technology is the same, and much of it _is_ evil. This loosely falls into the same fallacy of "it can either work or fail, so there's a 50% chance" - you are wildly misrepresenting the space in order to project a stance of neutrality.
|
| I really think what you're saying is just something engineers tell themselves to feel better about what they do. I hear it more often from people at FAANG, defense contractors, and other morally ambiguous places than anywhere else.
|
| Also, if you're the guy building a tool that's oppressing someone, you are the guy building the means to oppress someone. There's nothing neutral about that.
|
| [deleted]
|
| Melatonic wrote:
| This is what happens when everything is just contracted out willy nilly with people running systems that have not kept up with the times and (at best) are reaching their own level of incompetence.
|
| Or at worst there were big kickbacks involved and something nefarious is going on here.
|
| Regardless seems like a good thing to investigate
|
| xbar wrote:
| I thought ID.me was a government program.
|
| Layke1123 wrote:
| Let's not forget a huge problem in our modern world, and that is multiple, sovereign nation states willing to do anything and everything to get leverage against one another, including trying to infiltrate and hack every single piece of hardware and software produced. Gone are the days when human fail safes could catch each other. Now, any computer can be hacked so no amount of them will prevent attacks unlike a line of humans who have to vet the information.
|
| ziddoap wrote:
| ID.me has had quite a bit of controversy. Some interesting related non-Krebs (I don't support Krebs after his doxxing of innocent people) reads:
|
| https://www.techdirt.com/2022/02/01/idme-finally-admits-it-r...
|
| https://www.techdirt.com/2022/02/15/idme-doesnt-have-enough-...
|
| mig39 wrote:
| Can you elaborate on the Krebs doxxing innocent people thing?
|
| password4321 wrote:
| https://news.ycombinator.com/item?id=27440675#27448881
|
| > _https://itwire.com/business-it-news/security/infosec-researc..._ (2019)
|
| > _https://itwire.com/business-it-news/security/krebs-accused-o..._ (2020)
|
| https://hn.algolia.com/?query=krebs%20doxx&sort=byDate&type=...
|
| ziddoap wrote:
| The short of it is during one of his investigative blog posts, he released the real life names of two security researchers who he believed (based on a single source from Twitter) ran a scam. Sean Hollister, a reporter for The Verge (among others) rightfully called out Krebs' actions as extremely misguided and potentially harmful [1].
|
| In another case, he released the names and details of the people he believed were running the Coinhive cryptomining scam. He also compiled and released information on three people who he thought were connected to the Shadow Brokers group, although he has since unpublished that post (some analysis at [2]). There's even an urban dictionary term: 'krebbed' [3]. There's been discussion here, and elsewhere, although it's mainly back-and-forths on Twitter.
|
| The issue I take with it is separate from whether or not he was correct, but that he is taking it upon himself to act as the judge, jury and executioner of potentially innocent people by releasing names and personal details of people on his blog and on Twitter.
|
| Edit to add: He's even posted someone's passport before, which is kind of wild to think about [4].
|
| [1] https://twitter.com/StarFire2258/status/1283892893539635200
|
| [2] https://www.emptywheel.net/2017/11/28/the-russian-metadata-i...
|
| [3] https://www.urbandictionary.com/define.php?term=krebbed
|
| [4] See his blog post "Meet the World's Biggest 'Bulletproof' Hoster", where he still has the dude's passport picture (with all info, no redactions) up.
|
| vorpalhex wrote:
| It should be noted that posting someone's identity is distinctly not the same as executing them.
|
| ziddoap wrote:
| If you need that noted, I'm worried.
|
| It's an expression that I _thought_ most people would understand, but to make it abundantly clear: I do not think that Krebs is executing people. Nor do I think he has the legal training to be a judge. He might have been on a jury before, I'm not sure.
|
| I am using it as an expression to state that he is taking upon himself the task that is normally reserved for either LEA and/or the court system, which is ascribing guilt.
|
| chipsa wrote:
| He appears to be acting as an investigative reporter. Such acts have a long history of naming and shaming people, even ones that were not previously public figures. That he writes for his own publication is not really material to the fact that he is acting as a reporter.
|
| ziddoap wrote:
| Funny enough to some, I disagree with any reporter who names private citizens with little proof and no avenue for recourse. Especially when they post things like a person's non-redacted passport, for example, which has plenty of personal information that is not material to the story in any which way.
|
| If you have enough information to release a bunch of personal information on someone and tell thousands of people that they are guilty of something, you should go to the appropriate LEA and either take some care writing your story or wait until an actual investigation has happened, reporting on those results.
|
| Edit to add: At least in this case, regarding Krebs, it would seem that at least one senior editor and journalist agrees with me that Krebs acted unethically (see the first comment for a link to a tweet by a senior editor at The Verge). Other major news organizations (e.g.
| CBC) have policies not to name those only accused of a crime, except in extenuating circumstances or after a charge is laid/legal proceedings have begun. They must also report on the outcome of the criminal investigation.
|
| rkagerer wrote:
| I bet the images and videos collected by facial recognition partners doing KYC for crypto exchanges also wind up in various nations' law enforcement databases.
|
| monksy wrote:
| Let's not forget: your license for alcohol acceptance which includes your info on the card + your picture - Drizly and Instacart collect that.
|
| Drizly had a massive data breach as well.
|
| JumpCrisscross wrote:
| Do we have any evidence for why ID.me was chosen over Login.gov?
|
| megaman821 wrote:
| Just a guess from using both of them. Login.gov does authentication, ID.me does authentication and visual verification. ID.me would have you take a video to do facial verification when doing any sensitive actions.
|
| [deleted]
|
| programmertote wrote:
| Tangentially related -- My wife recently had to provide her SSN, DoB and her fingerprint scanned by a third-party company [https://www.printscan.com/about-us/], which is "owned, and operated by active and retired Law Enforcement Officers". We both felt really uncomfortable providing such sensitive information to a third party company, but had no choice because Florida board of medicine [https://flboardofmedicine.gov/] uses PrintScan as a partner to do background checks. The fee was $125 for fingerprint scanning at one of their locations.
|
| According to that company's 'About Us' page, "PrintScan's certified fingerprint technicians undergo extensive background checks before being cleared with the FBI, NYS Department of Criminal Justice Services, Florida Department of Law Enforcement, and Homeland Security."
|
| I looked up on the FBI website to see if they provide similar background check service, and sure they do for $18!
| I have a hard time figuring out why FL board of medicine uses a third party service instead of FBI to do background checks, and also wondered why shouldn't FBI background check be enough/sufficient for criminal activity (i.e. don't states share their criminal records with FBI?). All of this is to say that the existence of companies like PrintScan--and the fact that one of the state governments uses it--is definitely concerning to me.
|
| rurp wrote:
| I don't think there is any reason for involving a private company, aside from the kickback/corruption ones. I've had to get fingerprinted and background checked for several jobs in different states and all were done through the local police department.
|
| nikanj wrote:
| Why? Because corruption
|
| user3939382 wrote:
| > PrintScan's certified fingerprint technicians undergo extensive background checks
|
| Uh huh. Just like these guys, right?
|
| "NSA staff used spy tools on spouses, ex-lovers: watchdog" https://www.reuters.com/article/us-usa-surveillance-watchdog...
|
| https://en.wikipedia.org/wiki/LOVEINT
|
| caseysoftware wrote:
| I used to work with the FBI fingerprint system IAFIS.
|
| It was a very complete system at the time and used in many situations for background checks for everything from LEOs to day care centers for cheap. We also had hard requirements around 99% of responses had to come back within 10 minutes.
|
| Anyway, that's changed quite a bit the last few years..
|
| More and more State & Local stopped participating in the system - https://www.washingtonpost.com/crime-law/2021/12/09/fbi-poli... - so huge swathes of data just isn't available anymore. Then more DAs are choosing to prosecute fewer crimes and negotiating down serious crimes that would trigger alerts (usually felonies) to lesser crimes so the data that _is_ there may not be representative of the situation.
| And finally, the overall crime statistics are being characterized as "racist" so the FBI is getting more cautious about what they release and how.
|
| So.. less data, incomplete/wrong data, and less access to the data.
|
| All of those mean "competitors" have room to operate.
|
| lovich wrote:
| I know you had several points in this comment but this stuck out to me
|
| > Then more DAs are choosing to prosecute fewer crimes and negotiating down serious crimes that would trigger alerts (usually felonies) to lesser crimes so the data that is there may not be representative of the situation.
|
| Isn't this representative of the situation? They didn't get a felony and the background check shows they didn't get a felony? Are background checks supposed to be extra punishment on top of what the judicial system determines?
|
| noodlesUK wrote:
| One thing I'm not very happy about is that in the US, in order to get a background check of any kind, you need to get fingerprinted and have those prints enrolled in the FBI's database regardless of if a match comes up. In many other countries, a background check is just querying the national criminal record database for your identity, which seems much more proportionate for most employment based background checks. I'm not thrilled about being enrolled in a fingerprint database because latent prints exist and are so inaccurate.
|
| caseysoftware wrote:
| When I was there, this was absolutely false.
|
| Any fingerprints submitted as a background check were _required by law_ to be deleted pretty quickly (within hours, iirc). Fingerprints submitted as part of an arrest were different.
|
| Unfortunately, that may have changed as many gun control advocates have pushed to keep fingerprints from background checks on file indefinitely. I don't know if they've been successful.
|
| reaperducer wrote:
| _in the US, in order to get a background check of any kind, you need to get fingerprinted_
|
| This is false. I've had my background checked at least a dozen times. Most recently, just this past October, and I have never given my fingerprints to anyone.
|
| noodlesUK wrote:
| You are correct. What I meant was a _government issued/recognized_ background check.
|
| xyzzyz wrote:
| I had background checks done on me by my previous employers, but none of them asked me for fingerprints.
|
| divbzero wrote:
| IRS's use of ID.me [1] is one of the oddest public-private partnerships I've seen. Facial recognition aside, why should I provide my personal ID to a private company to verify myself with the government that issued that personal ID in the first place?
|
| [1]: https://www.irs.gov/newsroom/new-online-identity-verificatio...
|
| bogomipz wrote:
| And similarly in absurdity is that the IRS does not have the ability to accept direct payments via credit card or debit card. There's a separate public-private partnership for that.[1]
|
| [1] https://www.fool.com/taxes/2019/04/13/heres-what-happens-whe...
|
| bsimpson wrote:
| I'm sure I got fucked this year: one of those sites said in big letters at the top "we attribute all transactions until midnight to today," so I chose them.
|
| I gave them thousands of dollars (hoping to get some of it back as credit card points). I immediately got an email saying "Thanks for your payment at 1:30 AM (not my timezone, tomorrow)." I was livid, and I had no recourse.
|
| I don't even know how to check for the fine and pay it. I'm just waiting for an IRS nastygram at this point, so I can contest their "processing fee" on my credit card.
|
| reaperducer wrote:
| In my experience, if you miss the deadline that closely, the fine from the IRS is negligible, or they ignore it entirely and move on because it's not worth the effort to follow up.
|
| jfk13 wrote:
| Though why you would leave it that close is something of a mystery to me. After all, you might have connectivity problems or an unexpected personal emergency or something. It's not like you didn't know the deadline was coming up.... just pay a day or two early and avoid the stress!
|
| (I'm sure there are people who legitimately have to do it at the last moment for some reason. But I don't believe that's the common case.)
|
| sandworm101 wrote:
| Years ago I read about a Russian product based on facial recognition. Their pitch was that you could take a picture of an attractive stranger, send them the picture, and for 100$ they would send you all of her information in a matter of minutes so that you could strike up a conversation. Of course this sounds really creepy, but why? The information is public. Is it the amount of money? Police and governments want this sort of tool. We don't bat an eye when a cop uses such tools to pull all of your license/insurance information during a traffic stop. Is it more creepy or less creepy if such tools are also made available to the public?
|
| nicoburns wrote:
| Facebook and other social media isn't far off of this. You really need a name to find someone's facebook profile (but people will usually give out their name to pretty much anyone), and you can of course set your profile to private (but many people don't).
|
| monksy wrote:
| With facebook you didn't need that.
|
| You'd just need a picture.. and it would auto suggest who they are.
|
| That's what got them into trouble with the IL Biometric privacy law.
|
| tombrossman wrote:
| I believe this was called "FindFace" it became a mobile app and I remember reading this article about it at the time: https://www.theguardian.com/world/2016/apr/14/russian-photog...
|
| sandworm101 wrote:
| That's the one. Setup by former intelligence operators iirc.
|
| There is a flip side to this in places like Russia.
| If you are at a party and want to talk to someone, you might want to lookup whether she is the wife/girlfriend of the local crime boss/politician/general first.
|
| random-human wrote:
| >> We don't bat an eye when a cop uses such tools to pull all of your license/insurance information during a traffic stop.
|
| In order to legally drive we basically enter into a contract with the state agreeing to the terms it set. Keeping a current license, registration, insurance etc. During a traffic stop, it is a requirement to hand over the documents, if asked, so they can verify you are within the law. At least in the parts of the US that I am familiar with. Same for travel and other government documents, if you want to legally move between borders, you agree to their terms or stay put.
|
| Having random creep take a pic of someone and get their address so they can visit later on, would be a very big problem.
|
| [deleted]
|
| burkaman wrote:
| The cop is in a position of public trust, and at least in theory is accountable to the public if they abuse that ability. Most people are actively aware that the government has their information, because they submit it themselves when they file taxes, apply for their license, etc. Even if you don't trust the police at all, their stated purpose for having and using this information is logical.
|
| A private company is accountable to nobody, trusted by nobody, and likely accessing "public" information that was publicized by an entity other than the individual. They are collecting the information purely to make a profit, not to (again in theory) increase public safety. Their entire purpose is to abuse the information for purposes it was not intended for.
|
| Alupis wrote:
| It's difficult to imagine any level where this doesn't come across as creepy.
|
| What data was available? Where they live? Who their parents are? What school they went to? What car they drive? Or even creepier, like hobbies?
|
| There is no scenario where walking up to a stranger and starting a conversation about their personal information is going to come across as normal.
|
| sandworm101 wrote:
| There was a scene in one of the Ironman movies. Tony Stark is at a party and his personal assistant is pointing out people for him. She is recognizing faces and telling him who is who before he talks to them. She is telling him their jobs and backgrounds. Just swap out the flesh-and-blood assistant for a service delivered to your phone. Why is the automated system so much more creepy?
|
| (Such scenes are in probably 75% of all movies. It is an old device for introducing characters.)
|
| unethical_ban wrote:
| It's the expression of unlimited power by tools more powerful than us, perfect vs. flawed in their realtime ability to judge and analyze you in real time. It is a shift further into a world totally controlled by perfect knowledge of all details about every person's life. I don't want to live in that world.
|
| nerdjon wrote:
| That is massively different though, that is a subset of people that most likely were on an invite list beforehand. Would be similar to social media recommending the friends you are already friends with in photos you upload. More of a convenience than anything else.
|
| What you mention is any random person identifying any other random person (ignoring the creepiness of taking a picture of someone without their consent). And using that to track down identifying information about them.
|
| tintor wrote:
| "Ignoring the creepiness of taking a picture of someone without their consent" In a public setting consent is not needed for photos.
|
| nerdjon wrote:
| It being creepy and legally needing consent are not the same thing. Consent is what makes it not creepy.
|
| Just because it may be legal, doesn't mean it isn't creepy for someone to take a picture of a random other person.
|
| sofixa wrote:
| Depends on the jurisdiction, it is needed in France.
|
| Swizec wrote:
| The difference is that at a party like that the people are public persons and used to being recognized. Many of them are probably business partners so he is essentially using his assistant as a CRM to do sales.
|
| Big agencies have entire dossiers on their clients for the sole purpose of brushing up on your info before a meeting so they can come across as super friendly and high touch. Even your hairdresser probably does this.
|
| Main difference being that it isn't creepy to keep track of things you can't remember when being friends with hundreds of people is part of your job.
|
| ridgered4 wrote:
| Tony's personal assistant may have intimate knowledge of everyone at the party, but probably knows nothing about people outside the industry. And she probably spent a fair amount of time prepping for the party. So she's bound to an upper limit of what a person can reasonably do.
|
| And his personal assistant is a person which is a building block that innately fits into society. Any given person has some level of morals and integrity which would limit what they were willing to do with their knowledge. And even if they don't, people can be brought to justice if they abuse their knowledge/skills or otherwise have some kind of public pressure used against them. An algorithm cannot be imprisoned or even really destroyed and doesn't care one bit what it's used for because it doesn't care about anything at all.
|
| Some of these things seem inevitable, but that doesn't mean they aren't creepy!
|
| paxys wrote:
| We do bat an eye on such systems. All facial recognition systems are banned for government use in San Francisco. Police use of license plate readers is limited by law. Pretty ironic that people that build and export this tech all over the world are wary of it in their own backyards.
|
| autoexec wrote:
| Accessing government services should never result in your personal data being delivered into the hands of private for profit companies.
|
| If they want us to hand over our facial recognition data (something that has never been needed before and isn't actually needed now) the government should create their own service where any data collected is never used for anything else.
|
| I think it's just pure laziness and a total lack of concern for the public that government websites are full of Google trackers, but when I see a company like ID.me being used I assume somebody is getting a nice kickback somewhere for handing over the American public's data to a private company to exploit and enrich themselves with and all at the taxpayers' expense.
|
| llimllib wrote:
| I think from the IRS' perspective, they wanted to reach a NIST-certified level of identity verification (NIST 800-63A IAL2 [1]), and there is no governmental service which offered the ability to do that[2], so they went to a private company.
|
| I have a lot of notes around this whole dustup; it's my opinion that:
|
| - The IRS acted in good faith trying to secure its website in the best way possible
|
| - It's very unfortunate that the US government at the same time promotes a particular standard, but does not provide a service matching that standard and seems to currently have no plans to do so
|
| [1]: https://pages.nist.gov/800-63-3/sp800-63a.html
|
| [2]: login.gov is IAL1 but not IAL2 compliant; IAL2 compliance requires biometric verification and login.gov does not do this. I also think the IRS had concerns around scaling login.gov, but that the lack of biometric verification was decisive[3]
|
| [3]: https://twitter.com/llimllib/status/1490802056256532480
|
| tomrod wrote:
| I think the backlash also pole-vaulted login.gov to the forefront.
|
| divbzero wrote:
| > _It's very unfortunate that the US government at the same time promotes a particular standard, but does not provide a service matching that standard and seems to currently have no plans to do so_
|
| _id.gov_ could be a great project for the US Digital Service [4] and 18F [5] who are the ones that delivered _login.gov_ [6].
|
| [4]: https://www.usds.gov/
|
| [5]: https://18f.gsa.gov/
|
| [6]: https://digital.gov/2017/08/28/government-launches-login-gov...
|
| thr0wawayf00 wrote:
| It's fashionable to talk about how dystopian social media is, but in my experience, it pales in comparison with the pure hell that is trying to use ID.me and realizing that such a poorly engineered system sits between a loved one of mine and their social security payments.
|
| I tried to help set a relative up a while back to receive his payments, which required authenticating with ID.me. Over and over again, the facial recognition feature would fail and prompt to take a new video. It took reaching out to a support line to assist, but they weren't particularly fast or helpful. I couldn't imagine being his age and trying to set this stuff up alone.
|
| For every beautiful, artisanal website experience out there that takes UX seriously, there's an equally horrible one that stands between you and something you need and it's pretty clear that the people behind that system don't give a damn about you the user.
|
| hotpotamus wrote:
| It was pointed out to me, a millennial, that Social Security was created and administered in the Depression era before computers even existed. To think that they somehow created a working system without the tech that we throw at it today is interesting.
|
| _moof wrote:
| We also got to the moon without calculators. (This used to be well-known but may not be anymore - I'm not sure. Forgive me if I'm saying something obvious.) Pretty incredible how unnecessary most of our "technology" really is.
|
| Can't find it now but one of my all-time favorite engineering memes goes something like, "modern engineer, cries when Matlab crashes; Roman engineer, built aqueducts by eyeballing them."
|
| Melatonic wrote:
| We had computers - they were just teams of women crunching numbers in a room somewhere
|
| hotpotamus wrote:
| I mean, if we're talking about Apollo, they had IBM mainframes and I believe the Apollo guidance computer was actually the first computer made of integrated circuits which was crucial to fitting it within the power/weight budget. I'll bet a lot of work was still done with slide rules though.
|
| jfk13 wrote:
| My (96 year old) father is quite sure that _every_ such system worked far better before computers got involved.
|
| In some cases, perhaps he's right.
|
| tmp_anon_22 wrote:
| Better for the end-user, not better for administrators and accountants on the side of government services.
|
| donmcronald wrote:
| I bet he's right in a lot of cases. I think the difference would be that back then you had actual humans making every decision and everything was local so the social and cultural expectations from everyone involved would have been more predictable.
|
| Plus, I imagine everyone made more effort to be civil when interacting because everything was face-to-face.
|
| ModernMech wrote:
| True, because those systems were designed for pre-computer technologies, and all we did when computers came along was put the same systems not designed for computers on computers. This is how we ended up using mice to sign signatures on 8x11 PDF forms that then have to go through an OCR to be input into other computer systems.
|
| est31 wrote:
| I wonder if it's survivorship bias. Same as not every old building has survived the times, only the amazing ones did, maybe just the "amazing" government systems have survived, while the others have long since become forgotten.
I put | amazing into quotes because SSNs have plenty of problems, | but at least they are successful in that they are used | everywhere. This in turn creates the impression that | government systems used to be better than they are now. | whateveracct wrote: | Paper works great in a lot of ways. I'm using my printer & | notebooks more than ever nowadays. | ge96 wrote: | Haha I just dropped $60+ for black/color cartridges, I'll | probably print a couple of docs and need to get new ones | again. So annoying. | | I bought HP 61s | wincy wrote: | I just bought an Epson Ecotank printer. Supposed to have | the advantages of a laser jet but not be nearly as | expensive refills. The printer itself was $200, though. | mminer237 wrote: | Buy a toner printer instead? | ge96 wrote: | I'll look into that, don't know the difference offhand | niij wrote: | Take them out when not using the printer and store them | with the plastic/sponge covers on. Inkjet carts last much | longer that way. | ge96 wrote: | that's an interesting thought, it drips or something while | just sitting there? | donmcronald wrote: | > I tried to help set a relative up a while back to receive his | payments, which required authenticating with ID.me. | | Isn't it weird for the US to rely on public services that are | managed on the TLD (.me) of a foreign country? | | I see the same stupidity with my own country's government where | they use independent domain names for every service rather than | a single, high value namespace (ex: gov.TLD). I guess I should | just be happy they use our country's TLD. Lol. | paulryanrogers wrote: | Hard agree. Even if they contract it out, it should at least | live on CNAME under official gov TLD(s). | ssalka wrote: | > For every beautiful, artisanal website experience out there | that takes UX seriously, there's an equally horrible one | | more like 10 equally horrible ones | soupfordummies wrote: | That was exactly my experience as well! I was beyond | frustrated. 
| | Unfortunately I had to do this just to PAY MY TAXES since I had | received some unemployment benefits and the relevant form was | gated behind my Dept of Labor acct that had, of course, been | long since locked due to scam attempts. | hahaitsfunny wrote: | ethbr0 wrote: | > _the people behind that system don't give a damn about you | the user_ | | Or at least, the people buying the system don't have the | technical ability to create it, and the contractors who won the | lowest bid to create it don't care about anything other than | having the project's completion signed off on. | hahaitsfunny wrote: | [deleted] | cato_the_elder wrote: | These are all Democratic senators, but ID.me has quite a few | critics among the senate Republicans too: | https://www.finance.senate.gov/ranking-members-news/republic... | ImPostingOnHN wrote: | fun fact: the correct term is "Democratic" senator, as using | "Democrat" as an adjective is a pejorative: | | https://en.m.wikipedia.org/wiki/Democrat_Party_(epithet) | cato_the_elder wrote: | Fixed. Sorry, I'm not a native speaker, and I don't always | get these things right. Thanks for pointing that out. | lovich wrote: | You're fine. I'm a native English speaker and never knew | this. I've seen "Democrat" used as a performative but only | by their political rivals who do think the name is | pejorative but it wouldn't matter what name was used. | hsbauauvhabzb wrote: | Identification systems that don't use PKI are fundamentally | broken. | paxys wrote: | Identification systems that no one will use are fundamentally | broken | hsbauauvhabzb wrote: | It wouldn't be terribly hard to implement with good ux such | that people use it. | yebyen wrote: | I don't know anything personally but I do have a friend who works | as an engineer at ID.me and he explained to me that they really | don't store any data. 
| | The way it was explained to me, (apologies if there's anything | factually inaccurate in here, this is my recollection from a | while ago, just before the IRS very notably decided to cancel | their contract for the 2021 tax year?) they had an army of people | whose job was literally to visually compare the person's selfie | to the ID they presented, and if I understood correctly, they | also had some facility for verifying the presented ID was | genuine. And that was it. | | (Edit: I see from clicking through to the CyberScoop article | "ID.me CEO backtracks ... on 1:many recognition use claims" that | it may not be the case that's all they do with each selfie, and | that in reality they do store the selfies, based on a regulatory | requirement that they must do so for 7 years.) | | I think based on that conversation (and sure, call me biased) the | "invasion of privacy" concerns were way overblown. If you think | the best way to implement an ID verification system is to hire | more permanent government employees and have them do the job in- | house, ... I'm on Hacker News, so I'm going to assume that nobody | thought that. | | If you have concerns about the truthfulness of this scheme (does | it really happen without permanently storing any selfies?) I | think those are fair concerns, and we should know the answer. | | But is there anything to be really concerned about, if there's no | permanent storage? I don't understand. Can someone explain it to | me? I think that the "invasion of privacy" ship must have already | sailed, the government has your photo ID in a database, and it's | already on record there forever. | | What does it matter if the verification is outsourced to a | private company? Is there the capacity to do this already inside | of our government? (Would you trust them to implement such a | system efficiently and correctly without private help?) | | What level of oversight would make this scheme appropriate, I | guess is my question? 
Is there any ID verification system that | people who are up in arms would accept here? I'm in favor of | probing the questions but I am not surprised that wait times are | longer and support staffing was evidently reduced, after the IRS | cancelled their contract. "You reap what you sow." | aeturnum wrote: | > _I think based on that conversation (and sure, call me | biased) the "invasion of privacy" concerns were way overblown_ | | I mean, that's why this calls for a probe, right? I also | suspect they were overblown - but that's why you look into | something. | | > _I think that the "invasion of privacy" ship must have | already sailed, the government has your photo ID in a database, | and it's already on record there forever._ | | I absolutely disagree with this framing of the question. It's | false equivalence to suggest that once something exists | somewhere "unprivate" that any other system would also be fine. | We are going to need to dig into systems and understand _if the | reduction in privacy fulfills a necessary function_ and push | back on all the systems where that isn't true. | | There's no magic in "public" v.s. "private" companies - but | each new layer introduces new potential for mismanagement and | so you need to ask everyone to "get to the bottom" of what | happened. | [deleted] ___________________________________________________________________ (page generated 2022-05-18 23:00 UTC)