[vorpalhex]

We are still in the same universe where the OPM breach happened, right?

Like no, I don't trust the government to protect the big bucket of PII on everyone in digital form. Not because of lizard people but because the government can barely keep it's own sites secure. Giving them more dangerous data in the form of bulk PII is the wrong move.

Login.gov was the first thing, in a long time, that was well executed. I need to see more things like that to restore my faith. ID.me is the wrong direction.

[alistairSH]

The IRS already has almost all our PII. Not sure how adding a photo materially changes anything in that regard.

I do agree ID.me is the wrong approach. And login.gov should be used in some form over a private enterprise. But, my concern is two-fold… it’s a private entity that I don’t really want to do business with. And the process described by Krebs was impossible - can we really expect everybody to have email, valid phone (what if they aren’t the account owner for the phone), photo ID, and whatever else was required?

[Talanes]

My father doesn't have any sort of web-connected camera, which caused a whole set of problems with his unemployment that I can't remember how they got fixed.

On a similar note, I don't have a lot of documents tied to my name, so I had nothing that they wanted when my photo verification didn't work for whatever reason. Pretty sure I just never solved that one and left the last couple weeks I would have gotten unemployment on the table.

[vorpalhex]

The IRS has our PII, but lots of it is not in a big bucket, it's quite diffuse. If PII is dynamite (and it is) then we want it divided up in silos, with firewalls, and limited access where nobody has universal access. Ideally a lot of it is protected by differential privacy - if I am getting audited, the auditor only see's my returns and not my identity, and someone else gets only my identity.

[tomrod]

Check out 18F / US Digital Services.

GSA has really upped the game over the past 10 years for digital services delivery. Such as Login.gov. Look for other places 18F/USDS are involved, and you'll see significant improvements.

https://playbook.cio.gov/

[closeparen]

With a remotely sane identity system, knowing someone’s identifiers and basic biographical facts would not help you to impersonate them. PII has the sensitivity that it does in today’s world only because we abuse knowledge of PII as a poor man’s authentication mechanism.

[vorpalhex]

The danger of PII goes well beyond impersonation.

"Here is a list of every Jewish person in this zipcode with their home address..."

[closeparen]

Every characteristic needs to be secret just in case someone decides to murder everyone with that characteristic.

If that is going to happen in the US it is probably going to be a red/blue culture war thing. Shall we eliminate campaign finance transparency?

[vorpalhex]

Knowing where your Jewish friend lives is fine. Having a list of every Jewish person in your zipcode (or every X) is like holding a handgrenade.

When the Ashley Madison hack happened a whole mess of blackmail was the result.

I have had someone target me in an attempt of blackmail due to a forum breach (why they thought an anime forum was good blackmail beats me...)

Your browsing habits, which is a step removed from PII, even reveals your sexuality and pregnancy status.

And, we had an attack on Jewish people in the last month. We have not had anyone Democrat/Republican hunting.