The government cannot build a competent identity solution because a majority of voters believe that to do so presages something from genocide ("Papiere, bitte!") to the literal end of the world (“Mark of the Beast”).
We are still in the same universe where the OPM breach happened, right?
Like no, I don't trust the government to protect the big bucket of PII on everyone in digital form. Not because of lizard people but because the government can barely keep it's own sites secure. Giving them more dangerous data in the form of bulk PII is the wrong move.
Login.gov was the first thing, in a long time, that was well executed. I need to see more things like that to restore my faith. ID.me is the wrong direction.
The IRS already has almost all our PII. Not sure how adding a photo materially changes anything in that regard.
I do agree ID.me is the wrong approach. And login.gov should be used in some form over a private enterprise. But, my concern is two-fold… it’s a private entity that I don’t really want to do business with. And the process described by Krebs was impossible - can we really expect everybody to have email, valid phone (what if they aren’t the account owner for the phone), photo ID, and whatever else was required?
My father doesn't have any sort of web-connected camera, which caused a whole set of problems with his unemployment that I can't remember how they got fixed.
On a similar note, I don't have a lot of documents tied to my name, so I had nothing that they wanted when my photo verification didn't work for whatever reason. Pretty sure I just never solved that one and left the last couple weeks I would have gotten unemployment on the table.
The IRS has our PII, but lots of it is not in a big bucket, it's quite diffuse. If PII is dynamite (and it is) then we want it divided up in silos, with firewalls, and limited access where nobody has universal access. Ideally a lot of it is protected by differential privacy - if I am getting audited, the auditor only see's my returns and not my identity, and someone else gets only my identity.
GSA has really upped the game over the past 10 years for digital services delivery. Such as Login.gov. Look for other places 18F/USDS are involved, and you'll see significant improvements.
With a remotely sane identity system, knowing someone’s identifiers and basic biographical facts would not help you to impersonate them. PII has the sensitivity that it does in today’s world only because we abuse knowledge of PII as a poor man’s authentication mechanism.
Like no, I don't trust the government to protect the big bucket of PII on everyone in digital form. Not because of lizard people but because the government can barely keep it's own sites secure. Giving them more dangerous data in the form of bulk PII is the wrong move.
Login.gov was the first thing, in a long time, that was well executed. I need to see more things like that to restore my faith. ID.me is the wrong direction.