Comment by jofla

Not what I'm saying. At any time before the legit handoff, there can be a decoy which users would be blissfully unaware of, shimmed in. How many times do domains change again during the singup process of whatever service you're using (page to page)? Thats a huge security issue, as it messes with what users expect, and they dont take notice one bit. At the very least its an opportunity to confuse users not to realize that the main service shouldn't hand-off at step 3, rather step 7. The other option is services verify themselves (backend), but again, thats worse.

Designing secure services are not 'just' one and done by any means, this whole thing boils down to whether security is a trivial, and a done thing or a very hard problem, and it has always been a very hard problem.

Its one thing to hand over credit cards with very little liability and a charge back ability, its totally another to use irrevocable IDs which cant be resent in the mail in a few days. Then theres the inter-nationality angle. I refuse to use overseas services, who dont recognize a 'drivers license' and want my passport. Sorry, not going to be stuck somewhere because my passport gets leaked and now we need to vist the only embassy 7 hours away before i return home (with kids in tow). Universal Id requirement is a cozy idea but it opens far too many incompatibilities, not to mention country-to-country.

Yes, forgive me I was trying to cram too many ideas into a short blurb, else I can ramble on forever.

We're just talking past each other, since there is nuance to your original statement I may be not addressing directly.

>Presenting government ID to random entities is literally what government ID's exist for. Paranoia about this is silly.

While this is not wrong, the problem is that with online entities (sites), the act of 'presenting' is the same as 'copying', so in order to present to a 3rd party 'site' you must do something which lets them (if they chose to) copy your ID, and easily allow someone to forge said ID and use it in other situations to 'forge' your identity, a very bad thing. This is critically different than when traditionally 'presenting' an ID when you're boarding a plane or buying alcohol which is an inherently fleeting act(serves its purpose and NOTHING more). Its also why people are uneasy about ID bar-code scanning but that's a huge whole other discussion.

>Do you think it's inherently so unsafe to use your ID in an online context that it is never a net benefit? Yes/No

Its not 'unsafe' on face value, but as with everything else it becomes very complicated very fast. There MUST be safeguards that disallow the occurrence of my first point, otherwise we're in the camp of facilitating ID theft, again 'copying.'

One need not look farther than the credit card ecosystem. Stolen ones are lifted and sold by the thousands. And if you think, 'dedicated services' will be enough to stop increased theft then please let us all know why such a system doesn't solve the PCI problem. It cant and wont. The biggest travesty will be the average user becoming accustomed to scanning their ID (via picture because this is what the discussion is about) and largely getting caught up in slipstream scams like I outlined in previous posts. Id theft will get a boost, and become even more lucrative.

PCI theft is only made 'tolerable' by the fact that cards are trivially replaceable, and this is the important part, current IDs are NOT as trivially replaceable. Plus i can only have ONE, so if it gets pinched, i cant use my other ID to take out a loan. I am ME and cant change, so it makes sense that I may be a little uneasy to give it out to watch twitter cat memes. I don't even need to mention passports, as I’ve done earlier.

>I've had to upload my ID card to send money, open a bank account online, verify my identity for a dating app, book an international flight, and ironically to register for the app to have an electronic version of my id on my phone, and weirdly to pay a traffic ticket (why do they care who pays it?), get a discount on my Amazon Prime subscription, and finally to reset my password for my ID.me login for government websites.

Ok, well herein lies the disconnect, as I've never had to 'present' ID for most of these situations except for government sites in my country, taxes etc, and id like to keep it that way. Its not that I’m against any form if ID, its that it must be fit for purpose.

The whole argument, and this whole discussion is precipiced on the fact that for some reason public discourse is that the status quo, which has worked fine for several decades, must be completely overhauled and we must become accustomed to providing scans of all of our IDs on demand to all services as they are mandated to request them. This is insane. I do not work for an angel-invested ID verification service, therefore there IS NO benefit to myself in advocating for any such requirements, only negatives. It is a complete net loss to require IDs for sites which they are, mind you, completely unnecessary for. Yes, government .gov sites it makes sense, also when taking out loans or other financial information, as they already have huge security hurdles to jump though. Yes I've worked for them so I know. However, requirements for everyone else, INCLUDING PORN sites are unnecessary, the last of which has used credit cards for just such the verification since forever, but like so many other things on earth is inadequate all of a sudden!

Yes, I also do have children, and take the burden of their well-being very seriously. It does not grant me the impetus to persuade the state to try to do my job for me, while in the process creating huge burdensome negative side effects for everyone else.

Traditional IDs are not meant to be 'copied' as they are too costly to replace. This doesn't mean that there couldn't be token-based alternative security authentication services, but that is an entirely different discussion.

ltbarcly3 5 days ago

You are making a vague argument.

Do you think it's inherently so unsafe to use your ID in an online context that it is never a net benefit? Yes/No

If you think it is unsafe, what alternative do you propose? If you don't have one, or your idea requires some kind of massive simultaneous buy in by all stakeholders and jurisdictions, give up, your opinion is irrelevant.

Reply View 1 reply

jofla_net 4 days ago

Yes, forgive me I was trying to cram too many ideas into a short blurb, else I can ramble on forever.
We're just talking past each other, since there is nuance to your original statement I may be not addressing directly.
>Presenting government ID to random entities is literally what government ID's exist for. Paranoia about this is silly.
While this is not wrong, the problem is that with online entities (sites), the act of 'presenting' is the same as 'copying', so in order to present to a 3rd party 'site' you must do something which lets them (if they chose to) copy your ID, and easily allow someone to forge said ID and use it in other situations to 'forge' your identity, a very bad thing. This is critically different than when traditionally 'presenting' an ID when you're boarding a plane or buying alcohol which is an inherently fleeting act(serves its purpose and NOTHING more). Its also why people are uneasy about ID bar-code scanning but that's a huge whole other discussion.
>Do you think it's inherently so unsafe to use your ID in an online context that it is never a net benefit? Yes/No
Its not 'unsafe' on face value, but as with everything else it becomes very complicated very fast. There MUST be safeguards that disallow the occurrence of my first point, otherwise we're in the camp of facilitating ID theft, again 'copying.'
One need not look farther than the credit card ecosystem. Stolen ones are lifted and sold by the thousands. And if you think, 'dedicated services' will be enough to stop increased theft then please let us all know why such a system doesn't solve the PCI problem. It cant and wont. The biggest travesty will be the average user becoming accustomed to scanning their ID (via picture because this is what the discussion is about) and largely getting caught up in slipstream scams like I outlined in previous posts. Id theft will get a boost, and become even more lucrative.
PCI theft is only made 'tolerable' by the fact that cards are trivially replaceable, and this is the important part, current IDs are NOT as trivially replaceable. Plus i can only have ONE, so if it gets pinched, i cant use my other ID to take out a loan. I am ME and cant change, so it makes sense that I may be a little uneasy to give it out to watch twitter cat memes. I don't even need to mention passports, as I’ve done earlier.
>I've had to upload my ID card to send money, open a bank account online, verify my identity for a dating app, book an international flight, and ironically to register for the app to have an electronic version of my id on my phone, and weirdly to pay a traffic ticket (why do they care who pays it?), get a discount on my Amazon Prime subscription, and finally to reset my password for my ID.me login for government websites.
Ok, well herein lies the disconnect, as I've never had to 'present' ID for most of these situations except for government sites in my country, taxes etc, and id like to keep it that way. Its not that I’m against any form if ID, its that it must be fit for purpose.
The whole argument, and this whole discussion is precipiced on the fact that for some reason public discourse is that the status quo, which has worked fine for several decades, must be completely overhauled and we must become accustomed to providing scans of all of our IDs on demand to all services as they are mandated to request them. This is insane. I do not work for an angel-invested ID verification service, therefore there IS NO benefit to myself in advocating for any such requirements, only negatives. It is a complete net loss to require IDs for sites which they are, mind you, completely unnecessary for. Yes, government .gov sites it makes sense, also when taking out loans or other financial information, as they already have huge security hurdles to jump though. Yes I've worked for them so I know. However, requirements for everyone else, INCLUDING PORN sites are unnecessary, the last of which has used credit cards for just such the verification since forever, but like so many other things on earth is inadequate all of a sudden!
Yes, I also do have children, and take the burden of their well-being very seriously. It does not grant me the impetus to persuade the state to try to do my job for me, while in the process creating huge burdensome negative side effects for everyone else.
Traditional IDs are not meant to be 'copied' as they are too costly to replace. This doesn't mean that there couldn't be token-based alternative security authentication services, but that is an entirely different discussion.

Reply View | 0 replies

Comment by jofla_net